How to Automate Threat Intel with Falcon X

Introduction

This document and video will demonstrate Falcon X and the benefits of automating threat intelligence.

Prerequisites

  • Subscription: Falcon Prevent, Falcon X

Automated File Submission

Falcon X is designed to automatically provide detailed malware analysis that is integrated as part of the alert to help analysts save time and make effective security decisions.

Below, we see a Falcon prevention event that also resulted in a quarantined file.

[Screenshot: Falcon prevention event with Intel detection]

As we scroll down in the details pane, we see that the quarantined file was also sent to the sandbox for analysis. That happened automatically, with no intervention from the administrator.

[Screenshot: detection details showing the quarantined file submitted to the sandbox]
Malware Analysis

We immediately see useful context from the Falcon X analysis directly in the UI. In addition to the summary risk assessment, you have the option to download both strict and broad Indicators of Compromise (IOCs). You can also open the complete sandbox report, which provides additional analysis details including the threat level and score. There are three options to drill further into the report: Report Summary, Network Activity, and Advanced Analysis.
Under Report Summary, you can view the more detailed risk assessment and get information on related malware in the "MalQuery" section. This information comes from CrowdStrike's extensive malware database and can help you understand whether this attack is part of a larger campaign, and whether you have been the target of similar attacks in the past. If not, you can use that information to proactively protect against those related files in the future.

[Screenshot: Report Summary risk assessment]

Actionable Intelligence

From the Falcon UI, you have the option to download IOCs related to the analyzed malware. Those can include things like known bad domains or IP addresses. That information can be used with other security tools to block access to known bad sites via firewalls, web content filters or IPS devices.

[Screenshot: IOC download options]
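As an added example (not part of the original article and not CrowdStrike code), the following Python script takes an IOC export and turns it into two enforcement artifacts: an `ipset restore` script for a firewall and DNS RPZ records for a resolver. The CSV layout (`type,value,confidence`), the sample indicators, the allowlist and the set name `falconx_c2` are all constructed for the example; the real download format may differ. It keeps only strict indicators by default, because broad indicators capture everything observed during the sandbox run and deserve a human look before they reach a blocking device; it also rejects malformed values, non-routable addresses (a sandbox's own internal IPs) and allowlisted infrastructure such as public resolvers, so that an automated push cannot block legitimate traffic.

```python
# Added example: IOC export -> firewall / DNS blocklist entries.
# Not CrowdStrike code; the CSV shape below is an assumption, not the real format.
import csv
import io
import ipaddress
import re
from typing import Dict, List

# Constructed sample export. 'strict' = high-confidence indicators,
# 'broad' = everything seen during the sandbox run (assumed meaning).
SAMPLE_IOC_CSV = """type,value,confidence
domain,update.malicious-example.test,strict
domain,cdn.shared-host.example,broad
ipv4,203.0.113.45,strict
ipv4,203.0.113.45,broad
ipv4,8.8.8.8,broad
ipv4,10.0.0.5,broad
ipv4,198.51.100.7,strict
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,strict
domain,Bad-Domain.Example.,strict
ipv4,999.1.1.1,strict
"""

# Hypothetical allowlist: infrastructure that appears in sandbox traffic
# but must never be blocked (public resolvers, shared hosting, update CDNs).
ALLOWLIST_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}
ALLOWLIST_DOMAINS = {"shared-host.example"}  # the zone and all its subdomains

# Address space that cannot be a real C2 endpoint from the Internet side;
# a sandbox's own RFC 1918 addresses often leak into broad IOCs.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def _allowlisted_domain(domain: str) -> bool:
    return any(domain == z or domain.endswith("." + z) for z in ALLOWLIST_DOMAINS)


def load_iocs(csv_text: str, include_broad: bool = False) -> Dict[str, List[str]]:
    """Parse, normalise, validate and de-duplicate an IOC export.

    Returns sorted lists under 'ipv4', 'domain' and 'sha256', plus a
    'rejected' list explaining every indicator that was dropped.
    """
    keep = {"ipv4": set(), "domain": set(), "sha256": set()}
    rejected: List[str] = []

    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["type"].strip().lower()
        value = row["value"].strip().lower().rstrip(".")  # strip FQDN trailing dot
        confidence = row["confidence"].strip().lower()

        if confidence == "broad" and not include_broad:
            continue  # broad indicators need review before enforcement

        if kind == "ipv4":
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                rejected.append(f"ipv4:{value} (malformed)")
                continue
            if ip.version != 4 or any(ip in net for net in NON_ROUTABLE):
                rejected.append(f"ipv4:{value} (not a routable IPv4 address)")
            elif value in ALLOWLIST_IPS:
                rejected.append(f"ipv4:{value} (allowlisted)")
            else:
                keep["ipv4"].add(value)
        elif kind == "domain":
            if not DOMAIN_RE.match(value):
                rejected.append(f"domain:{value} (malformed)")
            elif _allowlisted_domain(value):
                rejected.append(f"domain:{value} (allowlisted)")
            else:
                keep["domain"].add(value)
        elif kind == "sha256":
            if SHA256_RE.match(value):
                keep["sha256"].add(value)
            else:
                rejected.append(f"sha256:{value} (malformed)")
        else:
            rejected.append(f"{kind}:{value} (unknown type)")

    result: Dict[str, List[str]] = {k: sorted(v) for k, v in keep.items()}
    result["rejected"] = rejected
    return result


def render_ipset(ips: List[str], set_name: str = "falconx_c2") -> str:
    """Emit an `ipset restore` script; pair the set with an iptables DROP rule."""
    lines = [f"create {set_name} hash:ip family inet"]
    lines += [f"add {set_name} {ip}" for ip in ips]
    return "\n".join(lines) + "\n"


def render_rpz(domains: List[str]) -> str:
    """Emit DNS RPZ records that return NXDOMAIN for each domain and its subdomains."""
    lines: List[str] = []
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    iocs = load_iocs(SAMPLE_IOC_CSV, include_broad=True)
    print(render_ipset(iocs["ipv4"]), render_rpz(iocs["domain"]), sep="")
    for reason in iocs["rejected"]:
        print("# skipped", reason)
```

The ipset output is meant to be fed to `ipset restore` and matched by a rule such as `iptables -I FORWARD -m set --match-set falconx_c2 dst -j DROP`; the RPZ lines go into a response-policy zone on BIND or a compatible resolver. Keeping the `rejected` list in the output matters operationally: every indicator the script refuses is something an analyst may still want to hunt for in logs, even if it is not safe to block automatically.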

For malware with actor attribution, there is the option to open the complete actor profile and better understand who is attacking your organization. The actor profile contains additional IOCs for the actor, including known Command and Control servers and IPs. In many cases, you will also see a list of vulnerabilities the actor is known to exploit. This information can help you confirm that your environment is patched and protected against a targeted attack by that actor.

[Screenshot: actor profile listing commonly exploited vulnerabilities]

Conclusion

Falcon X fully automates the analysis process, incorporates threat intelligence, and yields actionable intelligence. It provides greater context so that security analysts can be faster and more effective as they learn from attacks and work to protect the larger organization.
