CrowdStrike Falcon

Applies to: CrowdStrike Falcon Antivirus

Overview

CrowdStrike Falcon's next-gen antivirus protects against all types of attacks from commodity malware to sophisticated attacks with one solution — even when offline.

EventTracker helps to monitor events from CrowdStrike Falcon. Its dashboard, alerts, and reports will help you to find detailed information on all events. Alerts determine and stop the attack and suspicious activities in real-time, and dashboards help to analyse all the security-related events in a single console.
Using the knowledge pack for 'CrowdStrike Falcon' you will be able to understand the overall security posture of your environment. Using the EventTracker's report we can review all detection updates by CrowdStrike Falcon. EventTracker enhances investigation by performing CrowdStrike Falcon’s events and information flow data in both real-time and on a historical basis.

You will find suspicious user activities such as user authentication without 2FA, authentication activity by blacklisted geolocations, total authenticated users, usernames, emails, and IP addresses, user logged in using 2FA, etc.

Also, we have provided the different dashboards for threat detection which will help you to hunt the malicious activities in your business environment, where you can analyse group detections, blocked detections, and analyse detection trends by type. Panels also display a detailed analysis of detected malware and help quickly identify hosts with the most detected malware, quarantined files, and malicious software and activities.
Using the saved searches, you can investigate malicious behaviour across the endpoints for detailed information.

Using the EventTracker’s alerts component we can create & tune alerts/alarms for critical events like- detection summary event, file quarantined will allow analysts to focus more on remediation and response efforts.
Using EventTracker’s reports we can audit sensitive data to see who did what, when, where, and how, to satisfy audits for multiple industry regulatory requirements.

EventTracker knowledge pack for CrowdStrike Falcon allows you to monitor the following components.

Security – File Quarantined, Detection Summary Event, Authentication without 2FA, Threat detected, etc.
Operation – Authentication details.
Compliance – Document Access, AV Scan results.

Security

Alerts

CrowdStrike Falcon - File Quarantined – This alert is triggered when any suspicious file is quarantined by CrowdStrike Falcon.
CrowdStrike Falcon - Detection Summary Event – This alert is triggered when any suspicious activity is detected by CrowdStrike Falco or malware-related event triggers in CrowdStike Falcon.

Reports

CrowdStrike Falcon – Threat detected- This report gives information regarding the various threat detection in the CrowdStrike Falcon. Reports contain computer name, destination hostname, destination username, parent file name, parent pathname, message, the action is taken and other useful information for further analysis to drill down the incidents.
CrowdStrike Falcon - File Quarantined – This report provides detailed information on the quarantined files by CrowdStrike Falcon. The report contains information about action, parent file path, parent file name, destination username, destination hostname, quarantine file hash value, quarantined filename, quarantined file path, and other useful information for further analysis to drill down the incidents.

Operation

Reports

CrowdStrike Falcon – Authentication details- This report gives information about the CrowdStrike Falcon AV authentication-related events. Reports contain a destination hostname, destination username, authentication types, destination IP addresses, usernames, and other details that can be used for further investigation.

Compliance

Reports

CrowdStrike Falcon – Document Access- This report gives information about the document accessed by the user in CrowdStrike Falcon. The report contains a destination username, hostname, accessed filename, accessed file path, and other useful information.
CrowdStrike Falcon – AV Scan Results- This report gives information about the CrowdStrike Falcon AV scan results details. Reports contain a destination hostname, destination username, filename, file pathname, file hash, results and scan engine name, and other details that can be used for further investigation.

Scope

The configuration details are consistent with EventTracker version 9.2 and later, and CrowdStrike Falcon.

Documentation:

To configure CrowdStrike Falcon to send logs to EventTracker, refer the How to Guide.

For more information please refer the Integration guide.