This documentation explains Intezer's alert triage, response, and hunting solution for CrowdStrike.
You can get clear response recommendations for every alert in CrowdStrike Falcon by having Intezer investigate and triage alerts for you. Here you can learn how Intezer automates alert triage, reduces false positives, classifies threats, extracts IOCs, and prioritizes response.
- How Intezer works with CrowdStrike
- Intezer and CrowdStrike Integration Benefits
- Setting up the connection for CrowdStrike alerts
- Setting up Intezer's Live Endpoint Scanner
Get an overview of how Intezer's solution for CrowdStrike works in this 4-minute video:
How Intezer works with CrowdStrike
- CrowdStrike detects malicious activity on an endpoint and creates an alert.
- Intezer fetches the relevant artifacts (files, URLs, processes, memory image) from the endpoint through CrowdStrike for analysis and triage.
- Intezer provides analysis results and clear recommendations for every alert in CrowdStrike, so your team knows what to do next.
- From Intezer’s analysis result in CrowdStrike, you get the verdict, malware family information, additional context, and a link to Intezer’s full investigation, where you can review the analysis and get IOCs or related threat-hunting queries.
- Additional indicators from Intezer can be added to the CrowdStrike blacklist or used in a custom detection rule, so that CrowdStrike alerts and performs an automated response the next time those indicators are seen.
- Scan a suspicious endpoint or proactively hunt for traces of advanced in-memory threats (such as fileless and packed malware, malicious code injections, or any unrecognized code) by using Intezer’s Live Endpoint Scanner as a script from inside CrowdStrike.
- Threat hunting queries can be extracted from Intezer and used with CrowdStrike to hunt for additional indicators across the environment.
Intezer and CrowdStrike Integration Benefits
- Triage for every alert, and time savings from a unified, automated workflow.
- Transparent analysis and additional context about scanned artifacts including attribution, malware families, indicators of compromise (IOCs), and TTPs mapped to MITRE ATT&CK®.
- Rapid verdicts of both malicious and benign artifacts classified using Intezer’s proprietary genetic analysis solution.
- Hunt for traces of advanced in-memory threats such as fileless and packed malware, malicious code injections, or any unrecognized code by running Intezer’s Live Endpoint Scanner as a script from inside CrowdStrike.
- Out-of-the-box detection content and queries for threat hunting provide immediate time-to-value.
Set up the connection
- Get your token from CrowdStrike with the following scopes:
  - Detections:
    - Read - query new detections.
    - Write - add a comment containing Intezer enrichment.
  - Hosts:
    - Read - check the host OS type and whether the host is online, so that real-time-response (RTR) is not requested for offline endpoints.
  - Real-time-response:
    - Read and Write - fetch files from the endpoint. Both read and write permissions are mandatory for this capability.
  - Alerts:
    - Read - query new incidents.
    - Write - add a comment containing Intezer enrichment.
  - Flight Control (MSSPs only):
    - Read - query all child customer IDs (CIDs) that will be used by the API.
- Enter your CrowdStrike client ID and client secret into the Connect Sources page.
Here's a 1-minute video that shows you how to extract the required tokens from CrowdStrike:
Automated Alert Remediation
Intezer’s auto alert remediation is a feature that automatically closes false positive alerts in your EDR instance based on Intezer’s verdict. The purpose is to reduce false positives and save valuable time for your team, helping you focus on alerts that require deeper investigation.
How does it work?
Any alert that the EDR deems risky or malicious, but for which Intezer issues a “Trusted” verdict after deeper analysis, is considered a “false positive” by Intezer.
All false positive alerts that fall into your pre-configured types (see the section below) are then auto-remediated by Intezer. For these alerts, Intezer changes the initial Detection Status to “False Positive”.
What type of alerts are auto-remediated?
Based on a pre-defined configuration, you select the alert classifications to which auto-remediation should apply.
How to get started?
Contact us at support@intezer.com with the classifications you would like to auto-remediate. We recommend starting with low-severity classifications such as “Informational” and “Low”.
In the future, this configuration will be accessible via your Intezer dashboard.
CrowdStrike classifications that can be configured:
- Informational
- Low
- Medium
- High
- Critical
Example of a false positive alert:
A comment is added to the detection in your CrowdStrike console:
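The decision rule described above (an EDR alert that Intezer classifies as “Trusted” is a false positive, and it is auto-closed only when its CrowdStrike classification is in the configured set) is small enough to model end to end. The following Python is an added example, not Intezer's code: the detection records are constructed sample data with placeholder IDs, and the `ids`/`status`/`comment` field names in the status-update payload are an assumption about the Falcon detections API; nothing is sent anywhere.

```python
from dataclasses import dataclass
from typing import Iterable

# CrowdStrike severity classifications exactly as listed on this page,
# in ascending order of severity.
SEVERITY_ORDER = ("Informational", "Low", "Medium", "High", "Critical")


@dataclass(frozen=True)
class Detection:
    """A CrowdStrike detection after Intezer analysis (constructed sample shape)."""
    detection_id: str      # CrowdStrike detection ID (placeholders below, not real IDs)
    severity: str          # one of SEVERITY_ORDER
    intezer_verdict: str   # e.g. "Trusted", "Malicious", "Suspicious", "Unknown"


def validate_configuration(classifications: Iterable[str]) -> frozenset:
    """Reject unknown classification names, so a typo in the configuration can
    neither widen nor silently narrow the set of alerts that get auto-closed."""
    configured = frozenset(classifications)
    unknown = configured - set(SEVERITY_ORDER)
    if unknown:
        raise ValueError(f"unknown CrowdStrike classification(s): {sorted(unknown)}")
    return configured


def severities_up_to(max_severity: str) -> frozenset:
    """All classifications at or below max_severity; severities_up_to("Low")
    is the conservative starting point this page recommends."""
    if max_severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown CrowdStrike classification: {max_severity!r}")
    return frozenset(SEVERITY_ORDER[: SEVERITY_ORDER.index(max_severity) + 1])


def is_false_positive(det: Detection) -> bool:
    """The page's rule: an alert the EDR raised but Intezer classifies as
    "Trusted" is a false positive. Any other verdict (including "Unknown")
    is not, so the alert stays with the analyst."""
    return det.intezer_verdict == "Trusted"


def should_auto_remediate(det: Detection, configured: frozenset) -> bool:
    """Auto-remediate only false positives whose severity is configured."""
    if det.severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity on {det.detection_id}: {det.severity!r}")
    return is_false_positive(det) and det.severity in configured


def build_status_update(det: Detection) -> dict:
    """Payload that would set the Detection Status to False Positive and attach
    an Intezer comment. Field names are an assumption about the Falcon
    detections API; this example never sends the request."""
    return {
        "ids": [det.detection_id],
        "status": "false_positive",
        "comment": f"Intezer verdict: {det.intezer_verdict}. Auto-remediated as a false positive.",
    }


def plan_remediation(detections: Iterable[Detection], configured: frozenset):
    """Split detections into (status updates to apply, detection IDs left for an analyst)."""
    updates, for_analyst = [], []
    for det in detections:
        if should_auto_remediate(det, configured):
            updates.append(build_status_update(det))
        else:
            for_analyst.append(det.detection_id)
    return updates, for_analyst


# Constructed sample detections; the IDs are placeholders, not real CrowdStrike IDs.
SAMPLE_DETECTIONS = [
    Detection("ldt:example-0001", "Low", "Trusted"),            # closed: Trusted and Low is configured
    Detection("ldt:example-0002", "High", "Trusted"),           # kept: Trusted, but High is not configured
    Detection("ldt:example-0003", "Low", "Malicious"),          # kept: real threat
    Detection("ldt:example-0004", "Informational", "Unknown"),  # kept: no Trusted verdict
]

if __name__ == "__main__":
    config = validate_configuration(severities_up_to("Low"))  # {"Informational", "Low"}
    updates, remaining = plan_remediation(SAMPLE_DETECTIONS, config)
    for update in updates:
        print("would apply:", update)
    print("left for analyst:", remaining)
```

Running the block with the recommended starting configuration closes only the first sample detection; the Trusted-but-High alert, the Malicious alert and the Unknown-verdict alert all stay open for an analyst, which is the behaviour to verify before widening the configured classifications.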
Set up Intezer's Live Endpoint Scanner
- Follow the setup guide: Set Up Live Endpoint Scanner Script in Your EDR.
- To allow Intezer to trigger the Live Endpoint Scanner automatically, contact Intezer's support.