Onboard Incidents from CrowdStrike Endpoint Detection

Abstract

Category: Data Enrichment and Threat Intelligence, Endpoint

Cyware Products Used:

  • Cyware Fusion and Threat Response (CFTR)

  • Orchestrate (CO)

Third-Party Integrations Used:

  • Crowdstrike EDR: To retrieve newly triggered alerts.

  • VirusTotal: Enrichment of the IOCs observed from Crowdstrike EDR alerts.

Problem Statement

Legacy endpoint solutions, such as antivirus, cannot keep up with the cyber threats of the present and leave you with blind spots that put your organization at risk. Endpoint security solutions record the activities and events taking place on endpoints and all workloads, providing security teams with the visibility they need to uncover incidents that would otherwise remain invisible. However, security teams require the right balance of automated response and expert human oversight to determine if the endpoint alerts are false positives or actual incidents that require investigation.

Solution

To solve this problem and automatically detect endpoint security alerts, Cyware Fusion Center uses the Onboard Alerts/Incidents from the Crowdstrike Endpoint Security Platform playbook.

When adversaries gain access through a device, they can then move throughout the organization, accessing high-value assets or conducting malicious activity, such as stealing data, intellectual property, or sensitive information. The CrowdStrike EDR solution collects and correlates malicious activities from endpoints and triggers an alert in the Crowdstrike EDR application. The Onboard Incidents from the Crowdstrike Endpoint Security Alerts playbook uses the alert triggered by Crowdstrike EDR as the starting point to automate the detection and response process.

[Figure: Onboard Incidents from CrowdStrike Endpoint Detection playbook diagram]

How do we solve this problem?

  1. Retrieve the list of Incidents: The Onboard Incidents from the Crowdstrike Endpoint Security Alerts playbook retrieves the latest alerts triggered in the Crowdstrike EDR application in the past 24 hours.

  2. Filter New Detections: The playbook filters only new detection alerts and proceeds to retrieve more details about the detection. If there are no new detections, the playbook stops and terminates the process.

  3. Retrieve Detection Details: Using the identified detection ID, the playbook retrieves additional details about the detection. The details include IOC types and IOC values including hashes.

  4. Enrichment: The playbook extracts the detected IOCs and enriches them using the VirusTotal application. You can also configure a preferred tool for enrichment. See Data Enrichment and Threat Intelligence.

  5. Create CFTR Incident: After enrichment, the playbook creates an incident in CFTR using the details retrieved from the detection and enrichment. The details include hostname, IP address, attack behaviors, affected device ID, site name, MAC address, severity, confidence score, and more.

    1. Assigns a business unit to the incident based on the client impacted.

    2. Assigns an appropriate user group and user to investigate the incident.

    3. Updates the VirusTotal score for the identified IOCs.

  6. Filter False Positives: With the help of the VirusTotal score, the playbook separates false positives from true positives.

    1. If the IOCs are found as false positives, then the status of the incident is updated and closed.

    2. If the IOCs are found as true positives, then the details of the incident are updated in CFTR.

  7. Response: The playbook creates an action to block the malicious IOCs on the Crowdstrike EDR application.

  8. Ready for Investigation: The true positive incidents are available on CFTR to be taken over by Analysts for manual investigations and closure.
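The eight steps above, as an added Python example that is not Cyware's or CrowdStrike's code: it runs the same filter, enrich, triage and block flow over constructed detection records and constructed VirusTotal-style verdicts. The 24-hour window, the "new" status value, the field names and the 10% malicious-engine cutoff are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample detections shaped like the fields the playbook walks through.
# Not real CrowdStrike output; field names and the "new" status value are assumed.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
DETECTIONS = [
    {"id": "det-1", "status": "new", "hostname": "wks-01",
     "seen": NOW - timedelta(hours=2), "iocs": [("sha256", "a" * 64)]},
    {"id": "det-2", "status": "in_progress", "hostname": "wks-02",
     "seen": NOW - timedelta(hours=5), "iocs": [("sha256", "b" * 64)]},
    {"id": "det-3", "status": "new", "hostname": "srv-01",
     "seen": NOW - timedelta(hours=3), "iocs": [("sha256", "c" * 64)]},
    {"id": "det-4", "status": "new", "hostname": "wks-04",
     "seen": NOW - timedelta(hours=30), "iocs": [("sha256", "e" * 64)]},
    {"id": "det-5", "status": "new", "hostname": "wks-05",
     "seen": NOW - timedelta(hours=1), "iocs": [("sha256", "d" * 64), ("sha256", "a" * 64)]},
]
# Constructed enrichment verdicts standing in for VirusTotal: (malicious, total) engines.
VT_VERDICTS = {"a" * 64: (45, 70), "c" * 64: (0, 70), "d" * 64: (1, 70)}
MALICIOUS_RATIO = 0.10  # assumed cutoff; the page only says the enrichment tool is configurable

def recent_new_detections(detections, now, hours=24):
    """Steps 1-2: keep detections inside the look-back window that are still in status 'new'."""
    cutoff = now - timedelta(hours=hours)
    return [d for d in detections if d["status"] == "new" and d["seen"] >= cutoff]

def enrich(iocs, verdicts):
    """Step 4: malicious-engine ratio per IOC value; an IOC with no verdict scores 0."""
    scores = {}
    for _ioc_type, value in iocs:
        malicious, total = verdicts.get(value, (0, 1))
        scores[value] = malicious / total
    return scores

def triage(detection, verdicts, threshold=MALICIOUS_RATIO):
    """Steps 5-7: build the incident record, close it as a false positive when no IOC
    reaches the cutoff, otherwise keep it open and list the IOCs to block."""
    scores = enrich(detection["iocs"], verdicts)
    to_block = sorted(v for v, s in scores.items() if s >= threshold)
    return {
        "detection_id": detection["id"],
        "hostname": detection["hostname"],
        "vt_scores": scores,
        "status": "open" if to_block else "closed_false_positive",
        "block": to_block,
    }

def run_playbook(detections=DETECTIONS, verdicts=VT_VERDICTS, now=NOW):
    """Whole flow: filter, enrich and triage each new detection into an incident record."""
    return [triage(d, verdicts) for d in recent_new_detections(detections, now)]
```

Only the incidents left in status "open" would reach an analyst (step 8); the `block` list is what a response action would hand back to the EDR.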

Benefits

Respond Quickly and Accurately

The solution automatically collates all the relevant information in one place for easier and faster access and helps users prioritize the incidents, thereby assisting security teams in assessing and responding faster to similar incidents.

Streamline Incident Onboarding Process

Security teams can automatically gather data from EDR solutions, perform enrichment and automatically generate incidents for investigation. This streamlines the process by removing the need for a human to notice the relevant security data, identify it as a security incident, and manually set up an incident in the system.

Faster Detection and Response Times

Cyberattacks can cause severe damage to the data and intellectual property of an organization. Hence, an automated playbook plays an important role in countering the threat at machine speed instead of relying on slower, manual processes.