
Context Enrichment with CrowdStrike

January 7, 2021


Introduction

Cyberattacks are constantly increasing in sophistication and severity, and organizations are typically responding by increasing the number of security tools within their arsenal to combat such threats.

As the security stack grows, the result is too many interfaces to navigate and a security solution that is too complex to use effectively.

In this scenario, when one tool identifies a threat, you need to switch to an entirely different interface to augment the investigation with additional intelligence.

The CrowdStrike Falcon® platform solves this problem by enriching existing data with additional threat intelligence from outside vendors, all within the Falcon user interface, which simplifies the security workflow.

This provides a unified console experience that enhances existing Falcon data based on the context of the security artifact and significantly reduces the time spent triaging and remediating alerts.


CrowdStrike Store

The CrowdStrike Store allows you to maximize your investment in the Falcon platform by discovering, deploying, and managing new certified third-party applications and add-ons to solve different security and compliance use cases.

CrowdStrike Store with Context Enrichment

One method of viewing the enriched intelligence data is to use the Global Search at the top of the page.

The global search can search through many aspects of the Falcon platform, such as actors, detections, documentation, and incidents. We can also search directly for IOCs, such as file hashes, IP addresses, or domains.

CrowdStrike Global Search

The intelligence data presented depends on the application, but we can see that OPSWAT has information such as a Metascan Score and a history timeline.

This diversified scanning engine can provide additional context on the nature of the threat. We can also use the “See more at OPSWAT” link to pivot directly to OPSWAT’s site for additional data.

OPSWAT Context Enrichment

CrowdStrike is also able to seamlessly provide context on artifacts identified within incidents. Incidents are alerts driven by CrowdScore, which combines disparate security detections into a single alert. This allows us to prioritize critical incidents and reduces the noise from inconsequential detections.

Incidents with Context Enrichment

Alongside Falcon Intelligence data, the incident view includes enrichment from DomainTools, which has over 30 years of intelligence experience with domain registries.

DomainTools has rated the domain with an Overall Risk Score of 100, which is extremely high. DomainTools also breaks the phishing, malware, and spam scores out into individual components, which provides additional context.

DomainTools Context Enrichment

Conclusion

As we can see, CrowdStrike Falcon® with Context Enrichment enables security teams to reduce the time necessary for triaging and remediating incidents.

The seamless integration simplifies workflows by bringing rich data from other vendors directly into the Falcon console user interface, allowing rapid investigation of sophisticated incidents without having to jump between multiple security tools.
