Introduction
Falcon Insight is CrowdStrike’s EDR solution. Falcon Insight monitors endpoint activity and captures events and details that are critical to swiftly and effectively conduct investigations and forensic analysis. In addition to delivering automatic detection of attacker activity, it provides real time and historical visibility into endpoint activities. This enables security teams to do proactive threat hunting, investigation and incident response tasks, stopping potential breaches before the organization is compromised. CrowdStrike’s cloud-based architecture allows customers to get their answers in seconds without putting any stress on their endpoints.
Always On, Connected to the Cloud
With Falcon Insight, the Falcon Agent is always recording and streaming events to the cloud. Falcon Insight eliminates silent failure by providing the highest level of real-time monitoring capabilities that span across detection, response, and forensics. This ensures nothing is missed, leaving attackers with no place to hide.
High Fidelity Event Data
Falcon Insight collects a rich set of raw endpoint telemetry that describes the processes and activities that have happened on an endpoint in great detail. The level of visibility provided by Falcon Insight fills in the gaps left by legacy security vendors and allows security teams to perform proactive threat hunting. Falcon Insight includes an Investigate feature that provides Splunk-like search capability to quickly and efficiently hunt through your event data.
As an example, we'll search for usage of common reconnaissance commands in our environment using the query below. The resulting table shows the full context of how each recon command was used and which user ran it.
event_simpleName=ProcessRollup2 (FileName=net.exe OR FileName=ipconfig.exe OR FileName=whoami.exe OR FileName=quser.exe OR FileName=ping.exe OR FileName=netstat.exe OR FileName=tasklist.exe OR FileName=Hostname.exe OR FileName=at.exe)
| table ComputerName UserName FileName CommandLine
For more example queries refer to the Hunting and Investigation Support guide.
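As an added illustration (not CrowdStrike code and not the Falcon query language itself), the Python below applies the same filter as the query above to constructed sample events and renders the same four-column table; it also goes one step further by grouping hits per host, the usual follow-up for spotting a host that runs several distinct recon tools. The key=value event format and every host, user and command line are constructed assumptions.

```python
import shlex
from collections import defaultdict

# Process names from the query above. Matched case-insensitively, as the search
# does for field values (the query itself mixes "Hostname.exe" with lowercase).
RECON_FILENAMES = {
    "net.exe", "ipconfig.exe", "whoami.exe", "quser.exe", "ping.exe",
    "netstat.exe", "tasklist.exe", "hostname.exe", "at.exe",
}
TABLE_FIELDS = ("ComputerName", "UserName", "FileName", "CommandLine")

# Constructed sample events (assumed key=value layout, not real telemetry).
SAMPLE_EVENTS = """\
event_simpleName=ProcessRollup2 ComputerName=WS01 UserName=alice FileName=whoami.exe CommandLine="whoami /all"
event_simpleName=ProcessRollup2 ComputerName=WS01 UserName=alice FileName=net.exe CommandLine='net group "Domain Admins" /domain'
event_simpleName=DnsRequest ComputerName=WS01 UserName=alice FileName=chrome.exe CommandLine="chrome.exe"
event_simpleName=ProcessRollup2 ComputerName=SRV02 UserName=svc_backup FileName=Hostname.exe CommandLine="hostname"
event_simpleName=ProcessRollup2 ComputerName=SRV02 UserName=bob FileName=notepad.exe CommandLine="notepad.exe report.txt"
"""


def parse_event(line):
    """Split one key=value line into a dict; shlex keeps quoted values intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def hunt_recon(lines):
    """event_simpleName=ProcessRollup2 (FileName=...) | table ComputerName UserName FileName CommandLine"""
    rows = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("event_simpleName") != "ProcessRollup2":
            continue
        if ev.get("FileName", "").lower() not in RECON_FILENAMES:
            continue
        rows.append({k: ev.get(k, "") for k in TABLE_FIELDS})
    return rows


def recon_by_host(rows, min_tools=2):
    """Hosts that ran at least min_tools distinct recon binaries (rough 'stats values(FileName) by ComputerName')."""
    tools = defaultdict(set)
    for row in rows:
        tools[row["ComputerName"]].add(row["FileName"].lower())
    return {host: sorted(t) for host, t in tools.items() if len(t) >= min_tools}


if __name__ == "__main__":
    hits = hunt_recon(SAMPLE_EVENTS.splitlines())
    for row in hits:
        print("  ".join(row[k] for k in TABLE_FIELDS))
    print("hosts with multiple recon tools:", recon_by_host(hits))
```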
Detections and Indicators of Attack
Pairing full endpoint visibility with indicators of attack (IOAs), Falcon Insight behavioral analytics allows it to analyze events in real time and to automatically detect traces of suspicious behavior. Falcon Insight displays attacks in an easy-to-read process tree. This provides full attack details and puts them in context for faster and easier investigations.
The example below includes an interactive process tree with full context of the events that occurred.
This second example shows the command line arguments used by the suspicious PowerShell process.
Conclusion
Falcon Insight provides a level of visibility that reduces dwell time by eliminating silent failures and automatically detecting attackers, which in turn accelerates time to remediation. Since Falcon Insight event data is streamed to the cloud, complexity and management overhead are eliminated, allowing security teams to perform more thorough investigations.