
CLOUD CONNECTOR
CrowdStrike Falcon
CrowdStrike provides endpoint security, threat intelligence, and cyberattack response services.
Securonix integrates with the CrowdStrike Falcon API, ingesting threat events such as account compromise, malware, phishing, credential theft, data exfiltration, and others. It then correlates them with events from the rest of the enterprise security infrastructure to identify threats and mitigate them through automated or semi-automated response capabilities.
CrowdStrike Falcon API Event Service/Module | Major Log/Event Types | Related Threats | Use Cases/Threat Packages | Details |
---|---|---|---|---|
File Events | File Write Events (Generic, PDF, TAR, Executable, ActiveX/OLE, etc.), File Modification (EXE Rename/Deletion, File Delete/Open/Rename, Critical File Access, etc.), File Sharing (Share Add/Delete, Share Security Changes) | Data Exfiltration, Malware | DLP, Cyber Threat, Insider Threat | File Events |
User Events | Signin Information, User Account Login Failures, User Account Creation/Deletion, User Logon/Logoff, User Session Created/Ended, UAC EXE/COM Elevation | Account Misuse, Account Compromise, Malware/Phishing | Account Misuse, Cyber Threat | User Events |
Web Activity | Suspicious DNS request, Agent Connections, Manifest Download, Agent Events | Malware, Phishing | Cyber Threat | Web Activity |
OS Level Activity | BITS Events, Configuration Changes, DLL Injections, Scheduled Task Changes, Update Installs, Snapshot Deletion | Account Misuse, Account Compromise | Account Misuse, Cyber Threat | OS Level Activity |
Process Activity | Flash/Java/Browser Thread Injections, Service Creation, Service Start/Stop events, Process Create/End/Termination/Self Deletion, Hosted Service Started/Stopped | Account Misuse, Account Compromise, Malware/Phishing | Account Misuse, Cyber Threat | Process Activity |
Unsigned Modules | Thread Injection, LSASS Handle, Privileged Process Handle, Unsigned Module Loaded | Malware, Ransomware, Phishing | Cyber Threat | Unsigned Modules |
Hardware Actions | USB Device Connected, Removable Media Volume Mounting, Snapshot Volume Mounting, Snapshot Creation, Snapshot File Opened | Data Exfiltration | DLP, Insider Threat | Hardware Actions |
Network | IPv4/IPv6 network requests, Neighbor list queries, Local IP Address Modifications, DNS Requests, Promiscuous Binding | Malware, Ransomware, Phishing | Cyber Threat | Network |
Threat Alerts | Ransomware File Open/File Access Pattern, Windows SAM File Dump from Unsigned Module, Pattern Handling Error, Error Events, Whitelisted Behavior Detected, File Quarantined, Crash Notifications, Suspicious Registry/ASEP (Auto-Start Extensibility Points) Events, User DEP Exceptions | Account Misuse, Account Compromise, Malware/Phishing | Account Misuse, Cyber Threat | Threat Alerts |
Firewall | Firewall Rule Set/Delete, Option Changes | Account Misuse, Account Compromise | Account Misuse | Firewall |
DC Actions | DC Online/Offline/Status Updates, DC USB Configuration Updates | Account Misuse, Account Compromise, Malware/Phishing | Account Misuse, Cyber Threat | DC Actions |
Information Gathering (GetInfo) | File, PE Version, Script Control, Module, OS Version, Latency, Host, Command History, Group Identity | Data Exfiltration, Account Misuse, Account Compromise, Malware/Phishing | DLP, Cyber Threat, Insider Threat, Account Misuse | Information Gathering (GetInfo) |
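The description above says the connector correlates Falcon events with the rest of the enterprise telemetry; the table shows the kinds of endpoint signals involved (for example the LSASS handle, SAM dump and logon-failure events). The following is an added illustration of what such a correlation looks like in code. It is not Securonix or CrowdStrike code: the two rules, the 30- and 15-minute windows and the failure threshold are assumptions chosen for the example, the Falcon records are constructed samples that only borrow the field names of Falcon DetectionSummaryEvents (ComputerName, UserName, Timestamp, Tactic, Technique, FileName), and the Windows events are constructed 4624/4625 Security-log records.

```python
"""Correlate CrowdStrike Falcon detections with Windows logon events.

Added illustration: the sample records, field names, rules and thresholds
below are assumptions made for this example, not Securonix/CrowdStrike code.
"""
from datetime import datetime, timedelta, timezone

# Constructed Falcon DetectionSummaryEvent records (field names follow the
# Falcon streaming API layout; every value here is invented).
FALCON_EVENTS = [
    {"eventType": "DetectionSummaryEvent", "Timestamp": "2024-03-01T10:00:05Z",
     "ComputerName": "WS-0142", "UserName": "jdoe", "Severity": 4,
     "Tactic": "Credential Access", "Technique": "OS Credential Dumping",
     "FileName": "procdump64.exe"},
    {"eventType": "DetectionSummaryEvent", "Timestamp": "2024-03-01T11:30:00Z",
     "ComputerName": "SRV-DB01", "UserName": "svc_backup", "Severity": 3,
     "Tactic": "Execution", "Technique": "PowerShell", "FileName": "powershell.exe"},
    {"eventType": "DetectionSummaryEvent", "Timestamp": "2024-03-01T15:00:00Z",
     "ComputerName": "WS-0200", "UserName": "asmith", "Severity": 2,
     "Tactic": "Defense Evasion", "Technique": "Unsigned Module Load",
     "FileName": "helper.dll"},
]

# Constructed Windows Security events on the same timeline
# (4624 = logon succeeded, 4625 = logon failed, LogonType 3 = network logon).
WINDOWS_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-01T10:12:40Z", "TargetUserName": "jdoe",
     "Computer": "SRV-FILE01", "LogonType": 3, "IpAddress": "10.1.4.142"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T11:28:00Z", "TargetUserName": "svc_backup",
     "Computer": "SRV-DB01", "LogonType": 3, "IpAddress": "10.1.9.77"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T18:00:00Z", "TargetUserName": "asmith",
     "Computer": "WS-0201", "LogonType": 3, "IpAddress": "10.1.4.200"},
] + [
    # six failed network logons for svc_backup in the ten minutes before its detection
    {"EventID": 4625, "TimeCreated": f"2024-03-01T11:{20 + i:02d}:01Z",
     "TargetUserName": "svc_backup", "Computer": "SRV-DB01", "LogonType": 3,
     "IpAddress": "10.1.9.77"}
    for i in range(6)
]


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used by both constructed sources."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lateral_movement_after_credential_access(falcon, windows, window=timedelta(minutes=30)):
    """Credential-access detection on host A, then a successful network logon by
    the same account to a different host B within `window` (assumed rule)."""
    findings = []
    for det in falcon:
        if det.get("Tactic") != "Credential Access":
            continue
        t0 = _ts(det["Timestamp"])
        for ev in windows:
            if ev["EventID"] != 4624 or ev["LogonType"] != 3:
                continue
            if ev["TargetUserName"].lower() != det["UserName"].lower():
                continue
            if ev["Computer"].lower() == det["ComputerName"].lower():
                continue  # same host: not lateral movement
            delta = _ts(ev["TimeCreated"]) - t0
            if timedelta(0) <= delta <= window:
                findings.append({
                    "rule": "lateral_movement_after_credential_access",
                    "user": det["UserName"], "from_host": det["ComputerName"],
                    "to_host": ev["Computer"], "technique": det["Technique"],
                    "minutes_after_detection": round(delta.total_seconds() / 60, 1),
                })
    return findings


def brute_force_then_endpoint_detection(falcon, windows, window=timedelta(minutes=15), threshold=5):
    """At least `threshold` failed logons for an account on a host, followed within
    `window` by a Falcon detection under that account on the same host (assumed rule)."""
    findings = []
    for det in falcon:
        t0 = _ts(det["Timestamp"])
        failures = [
            ev for ev in windows
            if ev["EventID"] == 4625
            and ev["TargetUserName"].lower() == det["UserName"].lower()
            and ev["Computer"].lower() == det["ComputerName"].lower()
            and timedelta(0) <= t0 - _ts(ev["TimeCreated"]) <= window
        ]
        if len(failures) >= threshold:
            findings.append({
                "rule": "brute_force_then_endpoint_detection",
                "user": det["UserName"], "host": det["ComputerName"],
                "failed_logons": len(failures), "technique": det["Technique"],
                "sources": sorted({ev["IpAddress"] for ev in failures}),
            })
    return findings


def correlate(falcon, windows):
    """Run every rule; findings are returned in a fixed rule order."""
    return (lateral_movement_after_credential_access(falcon, windows)
            + brute_force_then_endpoint_detection(falcon, windows))


if __name__ == "__main__":
    for finding in correlate(FALCON_EVENTS, WINDOWS_EVENTS):
        print(finding)
```

On the constructed data the first rule fires for jdoe (credential dumping on WS-0142, then a network logon to SRV-FILE01 about 12.6 minutes later) and the second for svc_backup (six failures on SRV-DB01, then a PowerShell detection under that account). The asmith detection produces nothing, because its only logon lies hours outside the window. Both rules deliberately require the account and, where relevant, the host to match on both sides; matching on account name alone would make a single noisy endpoint alert implicate every logon in the enterprise.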