
What is the CrowdStrike Falcon Platform?

Summary: Learn how the CrowdStrike Falcon Platform is purpose-built to stop security breaches by using a unified set of cloud-delivered technologies.


Article content


Symptoms

CrowdStrike combines endpoint detection and response (EDR) with a machine-learning-driven next-generation anti-virus (NGAV) engine so that breaches are stopped before they succeed. This guide gives a brief description of the functions and features of CrowdStrike.


Affected Products:

  • CrowdStrike

Affected Operating Systems:

  • Windows
  • Mac
  • Linux

Cause

Not applicable

Resolution

The following are common questions that are asked about CrowdStrike:

Note: Some questions may redirect you to a different page due to the complexity and length of the answer.

CrowdStrike consists of product modules that all connect to a single SaaS environment. Endpoint Security Solutions are delivered on the endpoint by a single agent, the CrowdStrike Falcon Sensor. The Falcon Platform is broken out into Endpoint Security Solutions, Security & IT Operations, Threat Intelligence, Cloud Security Solutions, and Identity Protection Solutions. More information about these products is below:

Endpoint Security Solutions

  • Falcon Insight - Endpoint Detection and Response (EDR)
    • Outpace the adversary with comprehensive visibility into what is happening on your endpoints, extended across all key data sources through integrated XDR. See the details of even the most sophisticated threats, with complete cross-domain context to rapidly investigate threats and inform quick, confident action.
  • Falcon Prevent - Next-Generation Antivirus (NGAV)
    • Stop attacks with the power of cutting-edge artificial intelligence (AI) and machine learning (ML) - from commodity malware to fileless and zero-day attacks. Our elite threat intelligence, industry-first indicators of attack, script control, and advanced memory scanning detect and block malicious behaviors earlier in the kill chain.
  • CrowdStrike Falcon Device Control - USB Device Control
    • Enhance visibility of USB device use and activity to monitor, proactively hunt, and investigate data loss incidents through comprehensive user activity context, deep file visibility, and automatic source code identification.
  • Falcon Firewall Management - Host Firewall Control
    • Defend against network threats and gain instant visibility to enhance protection and inform action.
  • Falcon for Mobile - Mobile Endpoint Detection and Response
    • Defend your business against mobile threats by extending EDR and XDR to Android and iOS devices.
  • Falcon Forensics - Forensic Data Analysis
    • Automate point-in-time and historic forensic data collection while augmenting analyst expertise with comprehensive dashboards and full threat context for robust forensic incident analysis.

Security & IT Operations

  • CrowdStrike Falcon Discover
    • Provides insight into your endpoint environment. This allows administrators to view real-time and historical application and asset inventory information.
  • CrowdStrike Falcon OverWatch
    • Provides around-the-clock managed threat hunting with email notification from the Falcon OverWatch team, alerting administrators within moments of an indicator of an emerging threat.
  • CrowdStrike Falcon Spotlight
    • Offers vulnerability management by using the Falcon Sensor to report missing Microsoft patches and active vulnerabilities on devices with Falcon installed, and on nearby devices on the network.

Threat Intelligence

  • CrowdStrike Falcon Search Engine
    • CrowdStrike Falcon MalQuery is an advanced, cloud-native malware research tool that enables security professionals and researchers to quickly search a massive dataset of malware samples, validate potential risks, and stay ahead of would-be attackers. At the core of Falcon MalQuery is a multi-petabyte collection of over 3.5 billion files, indexed by patent-pending technology.
  • CrowdStrike Falcon Sandbox
    • Allows for controlled malware execution to provide detailed reports of threats that have been seen within your environment and gather additional data on threat actors worldwide.
  • CrowdStrike Falcon Intelligence
    • Automatically investigate incidents and accelerate alert triage and response. Built into the Falcon platform, it is operational in seconds.

Cloud Security Solutions

  • Falcon Cloud Workload Protection - For AWS, Azure, and GCP
    • Falcon Cloud Security delivers comprehensive breach protection for workloads, containers, and Kubernetes enabling organizations to build, run, and secure cloud-native applications with speed and confidence.
  • Falcon Horizon - Cloud Security Posture Management (CSPM)
    • Falcon Cloud Security delivers continuous agentless discovery and visibility of cloud-native assets from the host to the cloud, providing valuable context and insights into the overall security posture and the actions required to prevent potential security incidents.
  • Container Security
    • Containers have changed how applications are built, tested, and utilized, enabling applications to be deployed and scaled to any environment instantly. As container adoption increases, they emerge as a new attack surface that lacks visibility and exposes organizations.

Identity Protection Solutions

  • Falcon Identity Threat Detection (ITD)
    • CrowdStrike Falcon Identity Threat Detection - Provides deep visibility into identity-based incidents and anomalies across a complex hybrid identity landscape, comparing live traffic against behavior baselines and policies to detect attacks and lateral movement in real time.
    • CrowdStrike Falcon Identity Threat Protection - Using a single sensor and unified threat interface with attack correlation across endpoints, workloads, and identity, Falcon Identity Threat Protection stops identity-driven breaches in real time.

Dell and CrowdStrike may include CrowdStrike with the purchase of your Dell device, or you may purchase a volume flex bundle. For more information about what CrowdStrike products are included, reference the list of Volume Flex Bundles or On-The-Box (OTB) Offers.

Note: For more information about what each product does, reference the What products are a part of the CrowdStrike Falcon Platform section of this article.

Volume Flex Bundles

  • Falcon Pro
    • Falcon Prevent
    • Falcon Control and Respond
    • CrowdStrike Standard Support
  • Falcon Enterprise
    • Falcon Prevent
    • Falcon Insight XDR/EDR
    • CrowdStrike Standard Support
  • Falcon Elite
    • Falcon Prevent
    • Falcon Insight XDR/EDR
    • Falcon Discover
    • Falcon Identity Protection
    • CrowdStrike Standard Support
  • Optional Falcon Modules or Services
    • Falcon Intelligence
    • Falcon Device Control
    • Falcon Firewall Management
    • Falcon OverWatch
    • CrowdStrike Essential Support

On-The-Box (OTB) Offers

  • Falcon Endpoint Protection Pro OTB
    • Falcon Prevent
    • Falcon Control and Respond
    • Falcon Device Control
    • CrowdStrike Essential Support
  • Falcon Endpoint Protection Enterprise OTB
    • Falcon Prevent
    • Falcon Insight XDR/EDR
    • Falcon Device Control
    • Falcon Threat Graph
    • CrowdStrike Essential Support
  • Falcon Endpoint Protection Pro and Dell Secured Component Verification on Cloud (SCV on Cloud) Endpoint Bundle OTB
    • Falcon Prevent
    • Falcon Control and Respond
    • Falcon Device Control
    • CrowdStrike Essential Support
    • Dell Secured Component Verification on Cloud (SCV on Cloud)
Note: The following optional Falcon modules or services are also available:
  • Falcon Control and Respond
  • Falcon Intelligence
  • Falcon Insight XDR/EDR
  • Falcon Firewall Management
  • Falcon OverWatch
  • Falcon Discover
  • Falcon Identity Protection
  • Falcon Threat Graph

CrowdStrike Falcon is an agent-based sensor that can be installed on Windows, Mac, or Linux operating systems, on desktop or server platforms. The sensor relies on a cloud-hosted SaaS solution to manage policies, collect reporting data, and manage and respond to threats.

CrowdStrike analyzes files as they attempt to run on the endpoint, whether the endpoint is online or offline. This is done using the following methods:

Predefined Prevention Hashes

Predefined prevention hashes are lists of SHA-256 hashes of files that are known to be good or bad. Each hash may be marked as Never Block or Always Block.

SHA256 hashes defined as Never Block may be a list of items that have come from a previous anti-virus solution for internal Line of Business applications. Importing a list of predefined prevention hashes for internal applications is the quickest method to allowlist known good files in your environment.

SHA256 hashes defined as Always Block may be a list of known malicious hashes that your environment has seen in the past, or that are provided to you by a trusted third party.

Prevention hashes do not have to be uploaded in bulk; individual SHA-256 hashes can also be defined manually. Whenever one or more hashes are provided, the CrowdStrike back end is queried for details on those hashes. Ancillary information (such as file names, vendor information, and file version numbers) is populated from any devices in your environment on which those files have been seen.
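The list-building and checking described above, as an added example that is not part of this article and is not Dell's or CrowdStrike's code: it hashes known-good files for a Never Block list, normalizes a list exported from a previous product into the 64-hex-character SHA-256 form the prevention hash feature uses, and checks a file against both lists. It does not talk to the Falcon console. The "conflict" verdict for a hash present on both lists is an assumption made for the example, so that such entries get reviewed instead of being resolved one way silently.

```python
"""Build and check SHA-256 prevention hash lists before importing them.

Added example for this article; not Dell's or CrowdStrike's code. The
"conflict" verdict below is an assumption for the example, not documented
console behaviour.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Iterable, List, Set

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_hashes(raw: Iterable[str]) -> List[str]:
    """Lower-case, strip whitespace, drop blank/comment lines, reject non-SHA-256.

    Exports from other products often mix MD5 or SHA-1 values, comments and
    Windows line endings. A 32-character MD5 would never match anything as a
    prevention hash, so anything that is not 64 hex characters raises.
    """
    cleaned = set()
    for line in raw:
        value = line.strip().lower()
        if not value or value.startswith("#"):
            continue
        if not SHA256_RE.match(value):
            raise ValueError(f"not a SHA-256 hash: {line.strip()!r}")
        cleaned.add(value)
    return sorted(cleaned)


def build_list_from_files(paths: Iterable[str]) -> List[str]:
    """Never Block candidates: hash the known-good line-of-business binaries."""
    return normalize_hashes(sha256_file(p) for p in paths)


def evaluate(file_hash: str, never_block: Set[str], always_block: Set[str]) -> str:
    """Return 'allow', 'block', 'unknown', or 'conflict' (hash on both lists; assumption)."""
    h = file_hash.strip().lower()
    in_allow, in_block = h in never_block, h in always_block
    if in_allow and in_block:
        return "conflict"
    if in_block:
        return "block"
    if in_allow:
        return "allow"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: one "internal application" file and one exported line.
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "lob-app.exe"
        app.write_bytes(b"abc")  # constructed content, not a real binary
        never = set(build_list_from_files([str(app)]))
        always = set(normalize_hashes(
            ["E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855\r\n"]))
        print("never block :", sorted(never))
        print("always block:", sorted(always))
        print("verdict for lob-app.exe:", evaluate(sha256_file(app), never, always))
```

Running the script with a real directory of line-of-business binaries produces the Never Block candidates; the normalizer is what to run over a list inherited from the previous anti-virus product before pasting it into the console, since one stray MD5 or upper-case entry is the usual reason an import is rejected or silently matches nothing.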

Behavioral Indicators of Attack

An item is classified as an attack, based on its behavior, according to machine learning confidence values, which can be set separately for the sensor and for the cloud. The Falcon platform uses a two-step process to identify threats with its machine learning model: the local sensor evaluates the threat first, so that it can respond immediately on the endpoint, and the event is then sent to the cloud for secondary analysis. If the cloud analysis differs from the local sensor's verdict, the endpoint may take additional action, depending on the prevention policies assigned to the device.

More Indicators are being added constantly into the product to strengthen the detection of threats and potentially unwanted programs.

Known Malware

CrowdStrike's centralized intelligence offers a wide array of information about threats and threat actors operating globally. This intelligence is used to build in protections against threats that have already been identified.

Exploit Mitigation

Various vulnerabilities may be present in an environment at any time. If a patch has not yet been released for a known vulnerability that affects the environment, CrowdStrike monitors for exploitation of that vulnerability and blocks the malicious behaviors that such exploits produce.

An invite from falcon@crowdstrike.com contains an activation link for the CrowdStrike Falcon Console that is valid for 72 hours. After 72 hours, a banner at the top of the page with a Resend Link button prompts you to send a new activation link to your account.

Customers who have purchased CrowdStrike through Dell may get support by contacting Dell Data Security ProSupport. For more information, reference How to Get Support for CrowdStrike.

The CrowdStrike Falcon Console requires an RFC 6238 Time-Based One-Time Password (TOTP) client for two-factor authentication (2FA).

For information about setup, reference How to Configure Two-Factor Authentication (2FA) for the CrowdStrike Falcon Console.
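What the TOTP client mentioned above actually computes, as an added example that is not part of this article and is not Dell's or CrowdStrike's code: RFC 6238 TOTP on top of RFC 4226 HOTP, with a base32 secret decoder that tolerates the spacing and casing enrolment screens typically use, and a verifier that accepts a small clock-skew window. The secret and timestamps are the published RFC 6238 test vector and constructed values, not a real account.

```python
"""RFC 6238 TOTP as used for Falcon console 2FA.

Added example for this article; not Dell's or CrowdStrike's code. The
secret below is the RFC 6238 test-vector key, not a real account secret.
"""
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Accept the secret as shown to users: any case, spaces, missing '=' padding."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time=None, step: int = 30, digits: int = 6, t0: int = 0) -> str:
    """RFC 6238: HOTP with the counter derived from the clock (30 s steps)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(key, (int(unix_time) - t0) // step, digits)


def verify_totp(key: bytes, code: str, unix_time, skew_steps: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current code and its +/- skew_steps neighbours.

    hmac.compare_digest keeps the comparison constant-time. A device whose
    clock is off by more than skew_steps * step seconds is rejected, which is
    the usual cause of a correct-looking code being refused at login.
    """
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(key, unix_time + delta * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test-vector secret, written the way an enrolment screen shows it.
    key = decode_base32_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    print("code at T=59       :", totp(key, 59))          # 287082
    print("code now           :", totp(key))
    print("accepted 30 s late :", verify_totp(key, totp(key, 59), 89))
    print("accepted 90 s late :", verify_totp(key, totp(key, 59), 149))
```

The skew window is the server's choice, not the client's; when a code that the app shows is refused, compare the device clock against a reliable time source before re-enrolling the account.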

CrowdStrike is supported on various Windows, Mac, and Linux operating systems on both desktop and server platforms. All devices communicate with the CrowdStrike Falcon cloud by HTTPS over port 443.

For a complete list of requirements, reference CrowdStrike Falcon Sensor System Requirements.
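A pre-install check of the port 443 requirement above, as an added example that is not part of this article and is not Dell's or CrowdStrike's code. The article states only that sensors use HTTPS on port 443; the hostnames a sensor actually contacts come from CrowdStrike's sensor documentation and are not on this page, so the host is a parameter, and the console address from the article, falcon.crowdstrike.com, is used as the default only so the script runs as written. The check distinguishes a closed or filtered TCP port from a port that opens but fails the TLS handshake, and reports the certificate issuer so that a TLS-inspecting proxy substituting its own certificate is visible.

```python
"""Pre-install check: can this host reach a Falcon endpoint over HTTPS on 443?

Added example for this article; not Dell's or CrowdStrike's code. The
default host is the console address from the article, used only as a
runnable placeholder; sensor endpoints are documented by CrowdStrike.
"""
import socket
import ssl
import sys


def _issuer_cn(cert: dict):
    """Pull commonName out of ssl's nested ((('key','value'),), ...) issuer tuple."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_https_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return reachability, TLS handshake result and certificate issuer for host:port."""
    result = {"host": host, "port": port, "reachable": False,
              "tls_ok": False, "issuer": None, "error": None}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # DNS failure, connection refused, or filtered (times out)
        result["error"] = f"tcp: {exc}"
        return result
    result["reachable"] = True
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["tls_ok"] = True
            result["issuer"] = _issuer_cn(tls.getpeercert())
    except OSError as exc:  # ssl.SSLError and socket.timeout are both OSError subclasses
        result["error"] = f"tls: {exc}"
        raw.close()
    return result


def summarize(result: dict) -> str:
    """One line per endpoint, suitable for a pre-deployment report."""
    where = f"{result['host']}:{result['port']}"
    if not result["reachable"]:
        return f"{where} BLOCKED ({result['error']})"
    if not result["tls_ok"]:
        return f"{where} TCP open, TLS failed ({result['error']})"
    return f"{where} OK, certificate issued by {result['issuer']}"


if __name__ == "__main__":
    hosts = sys.argv[1:] or ["falcon.crowdstrike.com"]
    for h in hosts:
        print(summarize(check_https_endpoint(h)))
```

An issuer that is your organisation's proxy CA rather than a public CA means the connection is being intercepted; a sensor whose traffic is inspected that way will not connect, so the sensor's endpoints need an exemption from inspection. "TCP open, TLS failed" on a corporate network usually points at the same proxy or at a captive portal.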

For a walkthrough on the download process, reference How to Download the CrowdStrike Falcon Sensor.

Administrators may be added to the CrowdStrike Falcon Console as needed. For more information, reference How to Add CrowdStrike Falcon Console Administrators.

A maintenance token may be used to protect software from unauthorized removal and tampering. For more information, reference How to Manage the CrowdStrike Falcon Sensor Maintenance Token.

CrowdStrike Falcon Sensor can be installed on:

  • Windows by user interface (UI) or command-line interface (CLI)
  • Mac by Terminal
  • Linux by Terminal

For a walkthrough on the installation process, reference How to Install CrowdStrike Falcon Sensor.

CrowdStrike uses the customer identification (CID) to associate the CrowdStrike Falcon Sensor to the proper CrowdStrike Falcon Console during installation.

The CID is located within the CrowdStrike Falcon Console (https://falcon.crowdstrike.com) by selecting Host setup and management and then Sensor Downloads.

For more information, reference How to Obtain the CrowdStrike Customer Identification.

The CrowdStrike Falcon Sensor version may be required to:

  • Validate system requirements
  • Identify known issues
  • Understand process changes

Since the sensor has no user interface, the version must be identified from the command line (Windows) or Terminal (Mac and Linux).

For a walkthrough on these commands, reference How to Identify the CrowdStrike Falcon Sensor Version.

A Secure Hash Algorithm (SHA)-256 hash may be used in CrowdStrike Falcon Sensor exclusions. For more information, reference How to Identify a File's SHA-256 Hash for Security Applications.

Basic operational logs are stored in:

  • Windows
    • Microsoft’s Event Viewer application
      • Application logs
      • System logs
  • Mac
    • System log
  • Linux
    • Varies by distribution; generally these are in the distribution's primary log location:
      • /var/log/messages
      • /var/log/syslog
      • /var/log/rsyslog
      • /var/log/daemon

For more information, reference How to Collect CrowdStrike Falcon Sensor Logs.

CrowdStrike Falcon Sensor can be removed on:

  • Windows by user interface (UI) or command-line interface (CLI)
  • Mac by Terminal
  • Linux by Terminal

For more information, reference How to Uninstall CrowdStrike Falcon Sensor.

CrowdStrike Falcon Sensor Uninstall Tool is available to download within the CrowdStrike Falcon Console. For more information, reference How to Download the CrowdStrike Falcon Sensor Windows Uninstall Tool.

Yes, CrowdStrike can run alongside another anti-virus product. Though running multiple anti-virus solutions is not typically recommended, CrowdStrike has been tested with multiple anti-virus vendors' products and found to layer without causing end-user issues. Exclusions are not typically necessary for CrowdStrike when additional anti-virus applications are present.

If issues arise, exclusions can be added in the CrowdStrike Falcon Console (https://falcon.crowdstrike.com) by selecting Configuration and then File Exclusions. The paths to exclude for a third-party anti-virus application are provided by that vendor.

Many Windows compatibility issues that are seen with CrowdStrike and third-party applications can be resolved by modifying how CrowdStrike operates in User Mode.

  1. Log in to the CrowdStrike Falcon Console.
  2. Click Endpoint Security, then select Prevention Policies.
  3. Click the Edit icon on the appropriate policy group.
  4. Click Sensor Visibility, then Enhanced Visibility.
  5. Turn off Additional User Mode Data.
  6. Click Save to save the policy changes.


To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

 

Article properties

Affected products

CrowdStrike

Last published date

13 Feb 2024

Version

22

Article type

Solution