This document and video will provide an overview of the CrowdStrike store and demonstrate how it can add value for customers and prospects.
The CrowdStrike Store is available as an app in the Falcon UI. It enables existing customers to discover, try, buy and deploy trusted partner applications and add-ons that extend their existing investment in the Falcon platform. By leveraging existing CrowdStrike agents and event telemetry, customers can address new challenges without wasting more time and resources to deploy additional agents. This approach also helps customers reduce security risk by leveraging applications that are pre-built, tested and certified by CrowdStrike.
What is in the CrowdStrike Store?
To access the store, find the store app in the menu on the left side of the CrowdStrike UI.
Once you are on the store, you will see three different types of offerings.
Highlighted partners – For these partners, the integrations are developed and ready to use. Leveraging the existing CrowdStrike event data, customers can quickly realize the value of these additional security solutions.
CrowdStrike apps – The store also provides access to research, understand and enable additional CrowdStrike provided apps. These apps can be found in the section just beneath the highlighted partners. Customers who are already entitled to a given app will see it labeled as “Active”, while additional applications will include an option to “Try It Now”.
Partner offerings – Below the CrowdStrike apps, you will find another section of partner offerings. These solutions can also leverage the powerful Falcon API’s to maximize the value of the existing CrowdStrike agent and event data.
How do customers use the CrowdStrike Store?
For each partner and application, the store provides an overview as well as details including category, supported platforms, a demonstration video and documentation. For the highlighted partners and CrowdStrike apps, you can chose to “Try It Now” directly from the store.
After reviewing the terms, you will receive an email regarding next steps. During the brief activation stage, the status in the store will be reflected accordingly as “Setting Up Trial”.
Once the activation is complete, the status of the app in the UI will change to “Active”.
For partner integrations, you can then begin using the new application and understand how CrowdStrike’s event data quickly enables other security solutions to provide immediate time to value.
For CrowdStrike products, the new modules will be enabled and accessible in the same, easy to use, cloud delivered management UI. Trial customers will have access to full feature functionality across their entire population of managed systems.
The CrowdStrike Store is an ecosystem that lets you extend the capabilities of the Falcon platform with a host of ready-to-go partner apps and add-ons to solve security challenges. Through the Falcon UI, you have the ability to investigate and understand new integrations and CrowdStrike products with immediate access to request a trial, watch demonstrations and review documentation. Visit the CrowdStrike Store to try a new application today.
- CrowdStrike 15-Day Free Trial
- CrowdStrike Tech Center
- Sign up for a weekly Falcon demo
- Request a 1:1 Demo
- Guide to AV Replacement
- CrowdStrike Products
- Falcon OverWatch
How to Contain an Infected System
Hi, there. My name’s Peter Ingebrigtsen. And today, we’ve logged into the falcon.crowdstrike.com, or the Falcon User Interface.
And what we’re going to do is take a look at some of our systems and recognize that some of them are either currently under attack or recently been under attack, and may have been compromised. And we’d like to contain that system until we can further get to it, get our hands on it, and get a little bit more information out of it, or just prevent it from doing any more damage than it’s already done.
In order to do that, you need to be on your Detections app. You can do that by going to the radar here on the left-hand side. If you’re not already, or if your user interface doesn’t open that when you first log in, head there. And then just select the Recent Detections.
When that opens, you’ll notice that you can filter by any number of criteria, but we’re looking at some of the more recent events or situations that are going on. And you’ll notice that the same single machine has noticed a lot of different scenarios with privilege escalation or web exploits. And these severities are high to critical.
And we’d like to log in there, maybe do a little something, take a little closer look, and see if there’s something we should do. Obviously, we should do something. And as we start to dig through here, we see that there’s a lot of detection patterns, whether that be known malware, credential theft, or web exploits. We can see in the process tree a lot of different commands that were issued that look at that privilege escalation that we noticed earlier– or start to set that up.
So, we know that there’s something bad going on, and we’d like to take action right away. So, what we want to do is network contain this machine. But what I want to show you, as well, is that as we do this– I’m going to go to the machine itself. And I’d like to start a continuous ping so that you can watch the behavior and how long it takes to respond to this network containment.
Now, while we contain this– or take this machine off the network– we don’t kill the connection to the CrowdStrike Cloud. So, that as we get our hands on it– we clean it up, we feel comfortable putting it back on to the network– we can still operate or control that machine through the user interface that we have here.
The other thing I’d like to do is start a large download, so that we initiate with a single TCP connection– and there happens to be one in process– as opposed to the ping, where there may be multiple TCP resets or individual TCP threads going every time. So that you can see that as we contain this machine, it literally just knocks it off the network.
Forgive my screen, but I’ve changed the resolution for YouTube and for appearance purposes.
But as I come in here– and this will be right at the middle of the screen– this actually says Device Actions. And I’d like to contain it.
Now, as we do that, we have some options to make some notes. Contained by Peter. Multiple threats observed. Whatever notes you’d like to make– and then select Contain.
Now, the second we do this, on the left-hand side, you’ll see how quickly it takes for that to respond. So, immediately, almost in real time, you see a network failure on the download, and the ping test– or the continuous ping fail. So, we can close that.
Now, let’s say we’re a couple days later, this machine’s cleaned up, ready to go, and be put back in the network. You can go ahead and lift the network containment, again, from the user interface. We still have that connection to the machine, even though all the other network connections have been terminated.
So, as we do that, all good. Uncontain. And you’ll notice that almost immediately that ping starts to fire right back up again.
So, network containment is a powerful tool that we can use if we see something immediately taking action or if we see something recently in the past, and we’d like to get that machine off the network– almost quarantine it– so that it can’t do any more damage.
So, this has been network containment of network devices in the Falcon Sensor User Interface platform. Thanks again for watching.