How Falcon Overwatch Works with You When a Breach Attempt is Discovered


If Falcon Overwatch identifies malicious activity in your environment, it will create an alert in the product and also proactively contact you. This approach ensures proper prioritization of these urgent alerts.


How Falcon Overwatch Works with You When a Breach Attempt is Discovered

So the customer can experience Overwatch in about three different ways. One way is through their traditional processes they’ve built around checking the Falcon UI for detections. Overwatch has the ability to push detections to a customer’s UI. It will say Falcon Overwatch detection on there.

As well, they’re able to push more malware-related things. If we opportunistically discover more run-of-the-mill malware, the team will go ahead and push that to the customer’s UI. It will show up as known malware. So sometimes there are some workflows generated and some actionable content in the UI that does come from Overwatch, even though it may not directly call it out.

Whenever you see a Falcon Overwatch detection in the UI, it will be accompanied by an email notification. And the email notification is the second area where you can experience Overwatch. The emails will generally be something that customers aren’t used to seeing from a managed service provider. They aren’t simply going to call out the alert name and tell you the priority, and then that’s about it, and essentially, good luck.

What these emails contain are what we discovered, why we discovered it, what we think it is. Even if we’re not sure if it’s commodity, or it’s targeted, or if it’s ransomware, or something in between, we’ll tell you exactly what we think it is or don’t think it is. Sometimes, we’ll even tell customers, hey, this does not seem legitimate. We’ve looked at your environment. We’ve baselined it. This is abnormal, even for your administrators.

So the email notifications will contain as much context as we can possibly provide. Sometimes we’ll pull open source intelligence to point to, perhaps, an open source tool that is used by pen testers, for example.

But at the very least, in the case of an intrusion, things actually become very straightforward. We’re going to tell you there is an intrusion. We’re going to tell you who we think it is and what we think they’re after. We’re going to tell you how far they got. We’re going to tell you how many accounts we think are compromised, and what systems that we can see have been compromised, and the method they’re using to laterally move.

So within the first notification– again, this can come in the first 30 to 60 minutes– if there is a real intrusion that could lead to a mega breach, you will have a notification that is extremely actionable, and it’s almost an intrusion or incident response timeline, or it’s a very quick incident response triage or scoping. So again, with traditional IR processes in a traditional SOC or in a CERT, it can take days and days to collect data to learn about the intrusion and then to build the coveted timeline.

And we’re able to provide it– again, with the continuous telemetry from the Falcon Host sensor, we’re able to provide that within minutes. And we’re able to fuse it and actually communicate it to the customers. And it’s an ongoing thing. So there’s the initial notification of an intrusion, but then there’s the ongoing partnership to mutually discover, mutually analyze what else the actor is doing on that network.

The third way you can experience Overwatch is through the support process. We like to use the technical support channel to handle all inbound requests, whether it’s detection related– something you see in your UI, and you want to know a bit more about the detection– or if you’re actually experiencing technical support issues in the traditional sense.

Overwatch is very engaged with our support team. There’s a very strong relationship there. And oftentimes– most of the time– whenever there’s a detection-related question, or if there’s a question on how a customer can query data in EAM or in the Investigations app, those questions are directly answered by Overwatch analysts, simply because there’s an acknowledgement in the company that the Overwatch analysts, the Overwatch hunters, are the subject matter experts of the platform and of the platform’s data.

So they’re able to very quickly answer questions with our own internal best practices and provide that through the support channels to help out. But we like to identify the three areas of Overwatch output as hunt, investigate, and advise. So ultimately, you can experience Overwatch in a variety of ways. But the pure intent that we’re trying to perform here is to help you stop the mega breach.

