CrowdStrike Falcon

CrowdStrike provides endpoint security, threat intelligence, and cyberattack response services.

Securonix integrates with the CrowdStrike Falcon API, ingesting threat events such as account compromise, malware, phishing, credential theft, and data exfiltration. It then correlates those events with events from the rest of the enterprise security infrastructure to identify threats and mitigate them through automated or semi-automated response capabilities. The table below lists the Falcon event services ingested, the event types each contributes, and the threat categories and Securonix use cases (threat packages) they feed.

| CrowdStrike Falcon API Event Service/Module | Major Log/Event Types | Related Threats | Use Cases/Threat Packages |
|---|---|---|---|
| File Events | File Write Events (Generic, PDF, TAR, Executable, ActiveX/OLE, etc.), File Modification (EXE Rename/Deletion, File Delete/Open/Rename, Critical File Access, etc.), File Sharing (Share Add/Delete, Share Security changes) | Data Exfiltration, Malware | DLP, Cyber Threat, Insider Threat |
| User Events | Signin Information, User Account Login Failures, User Account Creation/Deletion, User Logon/Logoff, User Session Created/Ended, UAC EXE/COM Elevation | Account Misuse, Account Compromise, Malware/Phishing | Account Misuse, Cyber Threat |
| Web Activity | Suspicious DNS Request, Agent Connections, Manifest Download, Agent Events | Malware, Phishing | Cyber Threat |
| OS Level Activity | BITS Events, Configuration Changes, DLL Injections, Scheduled Task Changes, Update Installs, Snapshot Deletion | Account Misuse, Account Compromise | Account Misuse, Cyber Threat |
| Process Activity | Flash/Java/Browser Thread Injections, Service Creation, Service Start/Stop Events, Process Create/End/Termination/Self Deletion, Hosted Service Started/Stopped | Account Misuse, Account Compromise, Malware/Phishing | Account Misuse, Cyber Threat |
| Unsigned Modules | Thread Injection, LSASS Handle, Privileged Process Handle, Unsigned Module Loaded | Malware, Ransomware, Phishing | Cyber Threat |
| Hardware Actions | USB Device Connected, Removable Media Volume Mounting, Snapshot Volume Mounting, Snapshot Creation, Snapshot File Opened | Data Exfiltration | DLP, Insider Threat |
| Network | IPv4/IPv6 Network Requests, Neighbor List Queries, Local IP Address Modifications, DNS Requests, Promiscuous Binding | Malware, Ransomware, Phishing | Cyber Threat |
| Threat Alerts | Ransomware File Open/File Access Pattern, Windows SAM File Dump from Unsigned Module, Pattern Handling Error, Error Events, Whitelisted Behavior Detected, File Quarantined, Crash Notifications, Suspicious Registry/ASEP (Auto-Start Extensibility Points) Events, User DEP Exceptions | Account Misuse, Account Compromise, Malware/Phishing | Account Misuse, Cyber Threat |
| Firewall | Firewall Rule Set/Delete, Option Changes | Account Misuse, Account Compromise | Account Misuse |
| DC Actions | DC Online/Offline/Status Updates, DC USB Configuration Updates | Account Misuse, Account Compromise, Malware/Phishing | Account Misuse, Cyber Threat |
| Information Gathering (GetInfo) | File, PE Version, Script Control, Module, OS Version, Latency, Host, Command History, Group Identity | Data Exfiltration, Account Misuse, Account Compromise, Malware/Phishing | DLP, Cyber Threat, Insider Threat, Account Misuse |
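The correlation described above, shown as an added example rather than Securonix or CrowdStrike code: a small sliding-window rule that joins a credential-access event from the Unsigned Modules/Threat Alerts categories (LSASS handle, SAM dump) with a following exfiltration-capable action from the Hardware Actions category or from a non-Falcon source (an enterprise proxy log). All event names, field layout, hostnames, users and timestamps are constructed for illustration and are not the Falcon event schema; the rule window and severity logic are assumptions.

```python
"""Toy cross-source correlation over constructed endpoint events.

Added example, not Securonix or CrowdStrike code. Record layout, event
type names, hosts, users and the 15-minute window are assumptions chosen
for illustration; real Falcon events carry the vendor's own schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, user, source, event_type).
# "falcon" rows stand in for Falcon API events, "proxy" for an enterprise
# web proxy log that Falcon itself does not see.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", "WS-17", "jdoe",   "falcon", "UnsignedModuleLoaded"),
    ("2024-05-01T09:00:09", "WS-17", "jdoe",   "falcon", "LsassHandle"),
    ("2024-05-01T09:03:40", "WS-17", "jdoe",   "falcon", "UsbDeviceConnected"),
    ("2024-05-01T09:04:02", "WS-17", "jdoe",   "falcon", "FileWrite"),
    # WS-22: an LSASS handle with no follow-on activity inside the window
    # (for example a security scanner); should not fire.
    ("2024-05-01T09:20:00", "WS-22", "asmith", "falcon", "LsassHandle"),
    ("2024-05-01T09:50:00", "WS-22", "asmith", "proxy",  "HttpUpload"),
    # WS-09: credential access seen by Falcon, exfiltration seen only by the proxy.
    ("2024-05-01T14:00:00", "WS-09", "bwong",  "falcon", "UnsignedModuleLoaded"),
    ("2024-05-01T14:00:30", "WS-09", "bwong",  "falcon", "LsassHandle"),
    ("2024-05-01T14:10:00", "WS-09", "bwong",  "proxy",  "HttpUpload"),
]

WINDOW = timedelta(minutes=15)  # assumed correlation window
CREDENTIAL_ACCESS = {"LsassHandle", "SamFileDump"}
EXFIL_CHANNEL = {"UsbDeviceConnected", "RemovableMediaMounted", "HttpUpload"}


def parse_ts(ts):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(ts)


def correlate(events, window=WINDOW):
    """Return one finding per credential-access event that is followed, on the
    same host and within `window`, by an exfiltration-capable action.

    Each finding records the host, the user on the trigger event, the chain of
    (source, event_type) pairs, whether the chain spans more than one log
    source, and a severity that is raised when an unsigned module was loaded on
    that host shortly before the credential access.
    """
    by_host = defaultdict(list)
    for ts, host, user, source, etype in sorted(events):  # ISO strings sort chronologically
        by_host[host].append((parse_ts(ts), user, source, etype))

    findings = []
    for host, evs in by_host.items():
        for i, (t0, user, src0, e0) in enumerate(evs):
            if e0 not in CREDENTIAL_ACCESS:
                continue
            chain = [(src0, e0)]
            # Look forward only as far as the window allows.
            for t1, _, src1, e1 in evs[i + 1:]:
                if t1 - t0 > window:
                    break
                if e1 in EXFIL_CHANNEL:
                    chain.append((src1, e1))
            if len(chain) == 1:
                continue  # credential access alone is too noisy to alert on here
            unsigned_before = any(
                e == "UnsignedModuleLoaded" and t0 - t <= window
                for t, _, _, e in evs[:i]
            )
            findings.append({
                "host": host,
                "user": user,
                "severity": "high" if unsigned_before else "medium",
                "chain": chain,
                "cross_source": len({src for src, _ in chain}) > 1,
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

The WS-09 finding is the case the integration is meant to surface: Falcon alone sees only the LSASS handle, the proxy alone sees only an upload, and neither is worth an alert by itself. Joining them on host and time is what turns two low-signal events into a credential-theft-plus-exfiltration finding; the WS-22 records show the same trigger event dropping out when nothing follows it inside the window.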