CrowdStrike Configuration

Product Versions

  • Product Version: Windows 5.21.10306.0
  • Product SKU: “Falcon Endpoint Protection Premium”, which includes the following modules:
    • Falcon Overwatch
    • Falcon Insight
    • Falcon X
    • Falcon Prevent
    • Falcon Discover
    • Falcon Device Control

Description

CrowdStrike Falcon delivers cloud-native endpoint security for Windows, macOS and Linux. It provides detection and prevention functionality through its next-gen AV (Falcon Prevent), EDR (Falcon Insight) and Falcon Device Control modules, proactive human threat hunting (Falcon OverWatch), IT hygiene (Falcon Discover), vulnerability management (Falcon Spotlight), and integrated threat intelligence (Falcon X). Falcon's cloud-native architecture significantly reduces deployment time and management costs, and also benefits from crowdsourcing of threat information from the millions of machines it protects in more than 170 countries and from the analysis of trillions of security-related events per week originating from these systems. All capabilities are delivered through a single lightweight agent, reducing resource utilization and overhead.

CrowdStrike Falcon's cloud-native architecture leverages both smart sensor technology and CrowdStrike's proprietary Threat Graph, a purpose-built distributed graph database in the cloud, to enable rapid detection, prevention, and response to all types of threats. CrowdStrike Falcon uses behavioral Indicators of Attack (IOAs) and machine learning technologies to detect and prevent malicious behavior at various stages of the attack lifecycle.

The OverWatch managed threat hunting service consists of a global team of threat hunters whose job is both to act as the last line of defense, finding previously undetected intrusions, and to help customers understand and prioritize the threat information provided by Falcon so they can stop a breach. OverWatch feeds discovered intelligence back into the product in the form of IOAs that describe newly discovered attack techniques, ensuring that any future occurrence of the newly discovered tradecraft is automatically and immediately detected. This human-computer interaction forms a virtuous cycle that continuously improves the product to stay ahead of the adversary.

The CrowdStrike Falcon management interface has adopted the MITRE ATT&CK framework to provide a uniform and widely adopted language for describing the suspicious and malicious behaviors it has detected or prevented.

Product Configuration

  • Prevention Policy
    • Sensor Capabilities:
      • ENABLED: Unknown Detection-Related Executables
      • ENABLED: Unknown Executables
      • DISABLED: Notify End Users
    • Sensor Visibility: All Enabled
    • ML Sliders: All detection set to “Extra-Aggressive”
    • Prevention: All disabled
    • Quarantine: Disabled