Crowdstrike is an industry-leading EDR solution that is a must-have for any size enterprise. There are many features within Crowdstrike, and it can seem daunting to keep up with the weekly enhancements made to the Falcon platform. This article will uncover some of the most beneficial features to use on a day-to-day basis, along with some tips to streamline your endpoint security posture.
The Docs section is usually the first place to start when first learning how to utilize Crowdstrike. It does a great job of outlining system requirements, best practices for policy enforcement rules, and walkthroughs for enabling specific features or troubleshooting. The followings Docs are highly recommended:
- Startup and Scale-Up
- Falcon User Guide
- Sensor requirements (depending on OS)
- Policies docs for detection, prevention, and sensors
- Users and Roles
- Events Data Dictionary
- Falcon Notifications
Touching on Falcon Notifications, it is strongly encouraged that these are enabled to increase overall visibility and accountability amongst thought responsible in your environment. Crowdstrike makes this easy by providing several different ways to receive notifications.
By navigating to Investigate, IP Search, Sensors Tab, and Sensor Health, you are displayed with a plethora of data surrounding Sensors' status. This dashboard is unbelievably valuable as it covers the following topics:
- Sensor Heartbeat
- Sensors in RFM (Reduced Functionality Mode)
- Sensor Support Status
- Inactive Sensors
- Duplicate Sensors
- Sensor Protection Status
Each of the above topics provides users with the ability to dive into the specific details about each machine and quickly export .CSV or .PDF files for quick remediation. These charts must be utilized every week to always ensure maximum coverage over your endpoints at all times.
RTR (real-time responder) is a unique feature that allows admins to remotely access managed machines directly (even if the host is network contained). Some of the use cases for RTR may include:
- Running malware scans
- Collecting forensics data
- Running diagnostics
- Removing malicious files
- Display a system message
- Restart/Shutdown a machine
- Check local activity logs
Crowdstrike has streamlined responses by providing real-time responders with a direct gateway into infected hosts. Best of all, this ability is separated by its custom role and auditing logs within the Falcon platform, thus ensuring control over who can utilize it and keep track of what actions have been performed.
Taking a step deeper, Incidents are generated to provide a granular understanding of specific detections linked to malicious activity. Incidents give the analyst a timeline view of what happened with certain detections or series of detections, including the following attributes:
Isolation of a host from the network.
Graphical overview of the incident.
Breakdown of run periods.
Pull files right from the incident.
Incidents enable security teams to get the complete picture of all processes running on a system and interact with them. Whether it is network events or registry actions, the Incidents tab in Crowdstrike is a critical tool for investigating and isolating possible threats.
By hovering to the right of any dashboard title in Crowdstrike, you can select to save a particular page as a bookmark. These bookmarks are displayed on the main Falcon screen for easy access. This feature comes in handy when trying to find information quickly that is used daily. Many useful dashboards (including the sensor health dashboard above) are buried several pages deep within the platform.
In this article, the features mentioned above are only the tip of the iceberg when it pertains to the full functionality that Crowdstrike provides. For more in-depth information about EDR solutions in general, check out what Cybrary has to offer around what to look for in an EDR, as well as some fundamentals that will give your enterprise the security advantage it needs to stay ahead of the curve.