How to Generate Your First Detection

Introduction

In this document and its accompanying video, you will see how to generate your first detection. You will also see how Falcon adds context to alerts, giving the security admin what is needed to take appropriate corrective action.

Prerequisites

A Windows system with the Falcon sensor installed.

Generating a Test Alert

To generate an alert, open cmd.exe: click the Windows icon or press the Windows key on your keyboard, then type “cmd” and press Enter.

CMD prompt detection command

In the Command Prompt window, type the following commands:

“sc query csagent”

You should see that the Falcon sensor service (csagent) is installed and that its STATE is reported as RUNNING. If the service is missing or stopped, the sensor will not see the test command, so resolve that before continuing.

Next type:

“choice /m crowdstrike_sample_detection”

When prompted, type “Y”.
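The same check-then-trigger sequence as a script, so it can be repeated on a fleet of test hosts without typing into a console. This is an added example and not CrowdStrike's own tooling; it assumes the sample detection keys on a choice.exe command line containing “crowdstrike_sample_detection”, so letting choice answer itself with /T and /D instead of a typed “Y” still fires it. The function names are my own.

```powershell
# Added example (not from the original page or CrowdStrike): verify the
# Falcon sensor service, then fire the sample detection non-interactively.
# Assumption: the detection keys on the choice.exe command line containing
# "crowdstrike_sample_detection", so /T and /D answering "Y" for us still
# triggers it. Run from a PowerShell prompt on the endpoint under test.

function Test-FalconSensor {
    # 'csagent' is the Falcon sensor's Windows service name, the same one
    # the manual walkthrough queries with 'sc query csagent'.
    $svc = Get-Service -Name 'csagent' -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning 'Falcon sensor service (csagent) is not installed on this host.'
        return $false
    }
    if ($svc.Status -ne 'Running') {
        Write-Warning "csagent is installed but its state is '$($svc.Status)', not Running."
        return $false
    }
    Write-Host 'csagent is installed and running.'
    return $true
}

function Invoke-FalconSampleDetection {
    param(
        # Seconds choice.exe waits before selecting the default answer.
        [int]$TimeoutSeconds = 5
    )
    if (-not (Test-FalconSensor)) {
        throw 'Refusing to fire the sample detection: the sensor is not running.'
    }

    # Launch through cmd.exe so the process tree (cmd.exe -> choice.exe)
    # matches what the manual walkthrough produces in the Falcon UI.
    # /C YN lists the options, /T is the timeout, /D Y is the default answer.
    $cmdArgs = "/c choice /C YN /T $TimeoutSeconds /D Y /M crowdstrike_sample_detection"
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" `
        -ArgumentList $cmdArgs -Wait -PassThru -NoNewWindow

    # choice.exe exits with the 1-based index of the chosen option, and
    # 'cmd /c' passes that code through, so 1 means "Y" was selected.
    return ($proc.ExitCode -eq 1)
}

if (Invoke-FalconSampleDetection) {
    Write-Host 'Sample detection command ran; look for the new alert in the Activity App.'
}
```

Because the script is the parent process, the tree shown in the Falcon UI will start at powershell.exe rather than at the interactive cmd.exe, which is itself a useful thing to notice when you click through the nodes later: the parent of a seemingly routine command is often the detail that separates an administrator's script from an attacker's.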

The Falcon User Interface

In the Falcon UI a new alert appears in the Activity App. 

First Test Detection

This alert is rated “Low” and carries a Falcon icon, which indicates that Falcon OverWatch has flagged the activity as suspicious. Had this not been a test detection, it would have been accompanied by an email from the OverWatch team with additional detail.

Clicking on the alert expands the detection to show additional details.

Expanded detection alert

This additional detail is what lets you decide whether a seemingly routine command is part of everyday activity or one step in a larger, malicious attack. Click each node in the process tree and watch the execution details pane on the right update with information on that executable, including its parent process and command line.

Conclusion

CrowdStrike Falcon surfaces the surrounding context for every detection, so that our customers have the information at their fingertips to make security decisions quickly and effectively.
