When a security incident occurs, CrowdStrike Falcon provides detailed threat intelligence, behavioral analysis, and forensic data to help administrators investigate and respond quickly. This guide explains how to analyze security alerts, trace attack patterns, and take appropriate remediation steps using the Falcon Console. This is not a comprehensive guide
Step 1: Log Into the Falcon Console
- Open a browser and go to https://falcon.crowdstrike.com.
- Sign in using your admin credentials.
Step 2: Review Detections and Alerts
View Active Detections
- In the left-hand menu, navigate to Activity > Detections.
- Filter results by:
- Severity (Low, Medium, High, Critical)
- Timeframe (Last 24 hours, Last 7 days, Custom)
- Host Name (Investigate a specific endpoint)
Analyze a Detection Alert
- Click on a detection to open detailed information.
- Review the MITRE ATT&CK Tactics & Techniques used in the attack.
- Check the Process Tree to see how the attack progressed.
- Look at the Threat Graph to understand relationships between processes.
📌 Example: If a suspicious PowerShell script was executed, check which parent process initiated it and what actions were performed.
Step 3: Investigate the Affected Endpoint
View Host Details
- Navigate to Hosts > Host Management.
- Search for the affected host by Hostname or IP Address.
- Review:
- Sensor Health Status (Ensure the Falcon Sensor is running).
- Recent Activities (Processes, network connections, registry changes).
- Quarantine Status (Check if the system is isolated).
Perform a Live Investigation Using Real Time Response (RTR)
- Click on the affected host and select Real Time Response (RTR).
- Run diagnostic commands to gather more details:
- List running processes:
ps- Check network connections:
netstat -ano- Review scheduled tasks
schtasks /query /fo LIST- Identify suspicious activity and determine the scope of the attack.
Step 4: Contain and Remediate the Threat
Option 1: Quarantine the Host
- In Host Management, select the affected endpoint.
- Click Contain Host to isolate it from the network.
- This prevents further spread while investigation continues.
Option 2: Kill Malicious Processes
In Real Time Response (RTR), run the following command (Replace <PID> with the process ID of the malicious activity):
kill <PID>Option 3: Delete a Malicious File
Run the following command in RTR:
del "C:\path\to\malware.exe" This removes the malware from the system.
Step 5: Check for Additional Compromise Indicators
Hunt for Related Threats
- Navigate to Threat Intelligence > IOCs.
- Search for file hashes, domains, or IP addresses linked to the attack.
- Cross-check detections to see if other endpoints were affected.
Review Falcon OverWatch Threat Reports
- Go to OverWatch > Threat Hunting Reports.
- Look for campaign-based attacks and persistent threats.
- Take action on any additional endpoints showing suspicious activity.
Step 6: Apply Prevention Measures
Update Prevention Policies
- Go to Configuration > Prevention Policies.
- Tighten existing rules:
- Increase machine learning sensitivity.
- Restrict PowerShell and script execution.
- Enable USB Device Control if applicable.
Block Malicious IOCs
- Navigate to Threat Intelligence > Indicators of Compromise (IOCs).
- Click Add IOC and enter known malicious file hashes, domains, or IPs.
- Set action to Detect & Prevent to block future attacks.
Patch Vulnerabilities
- Use Falcon Spotlight to check for missing security patches.
- Apply necessary OS and software updates across all endpoints.
Best Practices for Security Incident Investigation
✅ Act Quickly – Investigate high-severity detections immediately.
✅ Use Real-Time Response (RTR) – Gain deeper visibility into compromised hosts.
✅ Contain First, Investigate Second – Prevent further damage by isolating threats.
✅ Enable Threat Hunting – Use Falcon OverWatch for proactive security monitoring.