When a security incident occurs, CrowdStrike Falcon provides detailed threat intelligence, behavioral analysis, and forensic data to help administrators **investigate and respond quickly**. This guide explains how to **analyze security alerts, trace attack patterns, and take appropriate remediation steps** using the **Falcon Console**. It is not a comprehensive guide; it covers the workflow for a single endpoint detection. Menu labels in the console change between versions, so treat the paths below as the general location rather than exact wording.
---
Step 1: Log Into the Falcon Console
- Open a browser and go to [https://falcon.crowdstrike.com](https://falcon.crowdstrike.com/) or [https://falcon.us-2.crowdstrike.com/](https://falcon.us-2.crowdstrike.com/). The hostname depends on the cloud region your tenant is hosted in, so use the URL issued for your tenant.
- Sign in with an account that holds the roles the investigation needs (for example Falcon Investigator plus a Real Time Response role) rather than a shared full-administrator login, and with MFA enabled. Every RTR session and console action is logged against the signed-in user, which matters when the investigation itself is later reviewed.
Step 2: Review Detections and Alerts
View Active Detections
- In the **left-hand menu**, navigate to **Activity** > **Detections** (newer console layouts place this under **Endpoint security** > **Endpoint detections**).
- Filter results by:
  - Severity (Low, Medium, High, Critical)
  - Timeframe (Last 24 hours, Last 7 days, Custom)
  - Host Name (Investigate a specific endpoint)
- Click on a detection to open detailed information.
- Review the **MITRE ATT&CK Tactics & Techniques** mapped to the detection; the tactic tells you how far the intrusion got (Initial Access versus Lateral Movement or Exfiltration), which drives how urgently you contain.
- Check the **Process Tree** to see how the attack progressed: which process was the entry point, what it spawned, and what the sensor blocked versus only detected.
- Look at the **Threat Graph** to understand relationships between processes, files, network connections, and other hosts.
📌 **Example:** If a detection shows `powershell.exe`, check which parent process initiated it (a spawn from `winword.exe` or `outlook.exe` is far more suspicious than one from an administrator's `cmd.exe`), read the full command line for encoded commands, `-nop -w hidden` style flags, or download cradles, and then follow its child processes and network connections to see what actions were performed.
---
Step 3: Investigate the Affected Endpoint
View Host Details
- Navigate to **Hosts** > **Host Management**.
- Search for the affected host by **Hostname or IP Address**.
- Review:
  - Sensor Health Status (Ensure the Falcon Sensor is running and reporting; an offline sensor means the timeline may have gaps).
  - Recent Activities (Processes, network connections, registry changes).
  - Containment Status (Check whether the system is already network-contained).
- Click on the affected host and select **Real Time Response (RTR)**. This opens a live session to the host; the sensor must be online, and the commands available depend on your RTR role.
- Run diagnostic commands to gather more details. `ps` and `netstat` are RTR built-in commands; anything else (including Windows' own `netstat -ano` and `schtasks`) is run through PowerShell with `runscript -Raw=` followed by the script in triple backticks:
  - List running processes:
    ````
    ps
    ````
  - Check network connections:
    ````
    netstat
    runscript -Raw=```netstat -ano```
    ````
  - Review scheduled tasks:
    ````
    runscript -Raw=```schtasks /query /fo LIST```
    ````
- Identify suspicious activity and determine the scope of the attack. Note every PID, file path, hash, domain, and IP you find; they become the indicators used for scoping and blocking in the later steps.
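The interactive commands above give raw listings that you then have to correlate by hand. The following script does that correlation on the host in one pass. It is an added example, not CrowdStrike-supplied code or an RTR built-in: it is ordinary PowerShell that you run through RTR, either inline with `runscript -Raw=```<script>```` or saved as a Custom script and started with `runscript -CloudFile="<name>"`. It assumes a Windows host with PowerShell 5.1 or later and an RTR role that is allowed to run scripts. It joins each process to its parent name and command line, each TCP connection to its owning process, and each scheduled task to the action it actually executes, which is usually what decides whether an item is malicious.

```powershell
# Added example, not CrowdStrike code: host triage via RTR runscript.
# Assumes Windows, PowerShell 5.1+, and an RTR role allowed to run scripts.

# 1. Process list with parent name and command line.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$procTable = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    [pscustomobject]@{
        Pid        = $p.ProcessId
        Name       = $p.Name
        ParentPid  = $p.ParentProcessId
        ParentName = $(if ($parent) { $parent.Name } else { '<exited>' })
        Path       = $p.ExecutablePath
        CmdLine    = $p.CommandLine
    }
}

# Script hosts and LOLBins spawned by Office or Outlook are the classic
# phishing-to-execution pattern; surface those pairs first. -contains is case-insensitive.
$lolbins = 'powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe',
           'mshta.exe','rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe'
$officeParents = 'winword.exe','excel.exe','powerpnt.exe','outlook.exe'

"=== Script hosts / LOLBins spawned by Office or Outlook ==="
$procTable | Where-Object { $lolbins -contains $_.Name -and $officeParents -contains $_.ParentName } |
    Format-Table Pid, Name, ParentName, CmdLine -AutoSize -Wrap

"=== All processes (grouped by parent) ==="
$procTable | Sort-Object ParentPid, Pid | Format-Table Pid, Name, ParentPid, ParentName, Path -AutoSize

# 2. TCP connections joined to the owning process; netstat -ano only gives the PID.
"=== Established / listening TCP connections ==="
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.State -in 'Established','Listen' } |
    ForEach-Object {
        $owner = $byPid[[int]$_.OwningProcess]
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
            Pid     = $_.OwningProcess
            Process = $(if ($owner) { $owner.Name } else { '<unknown>' })
            Path    = $(if ($owner) { $owner.ExecutablePath } else { '' })
        }
    } | Sort-Object State, Process | Format-Table -AutoSize

# 3. Persistence. Each scheduled task is shown with the command it actually runs,
#    which schtasks /query /fo LIST buries in a long listing.
"=== Scheduled tasks outside \Microsoft\ ==="
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Execute   = $a.Execute
                Arguments = $a.Arguments
                Author    = $task.Author
            }
        }
    } | Format-Table -AutoSize -Wrap

# RTR runs as SYSTEM, so HKCU would be SYSTEM's own hive; read the loaded
# user hives under HKEY_USERS instead.
$runKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$userSids = Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    Select-Object -ExpandProperty PSChildName
foreach ($sid in $userSids) {
    $runKeys += "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
    $runKeys += "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}

"=== Run / RunOnce values (machine and loaded user hives) ==="
@(foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -notlike 'PS*') {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Value = $prop.Value }
            }
        }
    }
}) | Format-Table -AutoSize -Wrap
```

RTR returns the script's output to the console, and long output can be cut off; on a busy host, redirect the output to a file on the endpoint (for example by appending `| Out-File C:\Windows\Temp\triage.txt`) and retrieve it with the RTR `get` command instead. The script only reads; it changes nothing on the host, so it is safe to run before containment decisions are made.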
Step 4: Contain and Remediate the Threat
Option 1: Quarantine the Host
- In **Host Management**, select the affected endpoint.
- Click **Contain Host** to **isolate it from the network**.
- This prevents further spread while the investigation continues. A contained host can still reach the Falcon cloud, so RTR sessions keep working and sensor telemetry keeps flowing; only other traffic is blocked (the containment policy lets you allow specific addresses if a tool needs reachability). Lift containment only after remediation and a clean re-check.
Option 2: Kill the Process and Remove the Malware
In **Real Time Response (RTR)**, run the following command (replace `<pid>` with the **process ID of the malicious activity**, taken from the process tree or the `ps` output):
```
kill <pid>
```
Before removing the file, record its hash and pull a copy to the Falcon cloud for analysis, then delete it with RTR's `rm` command (`del` is a cmd.exe command, not an RTR built-in):
```
filehash "C:\path\to\malware.exe"
get "C:\path\to\malware.exe"
rm "C:\path\to\malware.exe"
```
This removes the malware from the system. Also remove whatever would relaunch it (scheduled tasks, Run keys, services found in Step 3) and confirm in the process tree that no child processes survived the kill; otherwise the host is reinfected at the next logon or reboot.
Step 5: Check for Additional Compromise Indicators
Hunt for Related Threats
- Navigate to **Threat Intelligence** > **IOCs**.
- Search for **file hashes, domains, or IP addresses** linked to the attack. Search the sensor telemetry as well (the console's event search), because an indicator can appear on hosts that never raised a detection.
- Cross-check detections to see if **other endpoints were affected**; treat every host where an indicator appears as in scope until you have confirmed otherwise.
- Go to **OverWatch** > **Threat Hunting Reports**.
- Look for **campaign-based attacks** and **persistent threats**.
- Take action on **any additional endpoints showing suspicious activity**, repeating Steps 3 and 4 for each.
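Console searches tell you which hosts the sensor has already seen an indicator on. When you also want a live check on a specific set of hosts (for example, machines in the same subnet that have no detections yet), the following script sweeps one endpoint for the indicators taken from the detection. It is an added example, not CrowdStrike code: run it through RTR on each host you need to scope (`runscript -Raw` or a saved Custom script). It assumes a Windows host with PowerShell 5.1 or later and an RTR role allowed to run scripts. The three indicator values at the top are placeholders that you replace with the hashes, domains, and IPs from the detection; the hit list is emitted as JSON so results from many sessions can be merged.

```powershell
# Added example, not CrowdStrike code: sweep one endpoint for IOCs via RTR runscript.
# Assumes Windows, PowerShell 5.1+, and an RTR role allowed to run scripts.
# The indicator values below are placeholders; replace them with the detection's IOCs.
$iocHashes  = @('0000000000000000000000000000000000000000000000000000000000000000')  # SHA-256 placeholder
$iocDomains = @('c2.example.invalid')                                                  # placeholder domain
$iocIPs     = @('192.0.2.10')                                                          # placeholder (TEST-NET-1)

# Normalise once: hashes and names compare case-insensitively, trailing dots dropped.
$hashSet   = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
$domainSet = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
$ipSet     = [System.Collections.Generic.HashSet[string]]::new()
foreach ($h in $iocHashes)  { [void]$hashSet.Add($h.Trim()) }
foreach ($d in $iocDomains) { [void]$domainSet.Add($d.Trim().TrimEnd('.')) }
foreach ($i in $iocIPs)     { [void]$ipSet.Add($i.Trim()) }

$hits = [System.Collections.Generic.List[object]]::new()

# 1. File hashes. Only the locations malware usually lands in, only recently
#    written files, and a size cap, so the sweep finishes inside the RTR timeout.
$paths = @("$env:ProgramData", "$env:windir\Temp") +
         @(Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName)
$since = (Get-Date).AddDays(-30)
Get-ChildItem -Path $paths -Recurse -File -Include *.exe,*.dll,*.ps1,*.bat,*.vbs,*.js -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since -and $_.Length -lt 50MB } |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and $hashSet.Contains($hash)) {
            $hits.Add([pscustomobject]@{ Type = 'file'; Indicator = $hash; Where = $_.FullName; Seen = $_.LastWriteTime })
        }
    }

# 2. DNS client cache. Entries live only for their TTL, so a miss here is not
#    proof the host never resolved the name; the sensor's DNS telemetry is authoritative.
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
    $name = $_.Entry.TrimEnd('.')
    if ($domainSet.Contains($name)) {
        $hits.Add([pscustomobject]@{ Type = 'dns'; Indicator = $name; Where = "resolved to $($_.Data)"; Seen = Get-Date })
    }
}

# 3. Live TCP connections to IOC addresses, with the owning process so the
#    analyst can pivot straight to a PID for kill / process-tree review.
Get-NetTCPConnection -ErrorAction SilentlyContinue | ForEach-Object {
    if ($ipSet.Contains($_.RemoteAddress)) {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $hits.Add([pscustomobject]@{
            Type      = 'net'
            Indicator = $_.RemoteAddress
            Where     = "$($owner.Name) (PID $($_.OwningProcess)) -> :$($_.RemotePort) [$($_.State)]"
            Seen      = Get-Date
        })
    }
}

# One JSON document per host, so output from many RTR sessions can be merged.
[pscustomobject]@{
    Host     = $env:COMPUTERNAME
    SweptAt  = (Get-Date).ToString('o')
    HitCount = $hits.Count
    Hits     = $hits
} | ConvertTo-Json -Depth 4
```

A host with `HitCount` of 0 is not cleared: the file walk is bounded to common drop locations and the last 30 days, the DNS cache expires, and a beacon that is between check-ins has no live connection. Use the sweep to confirm and prioritise hosts that the console search surfaced, not as the sole evidence that a host is clean.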
Step 6: Apply Prevention Measures
Update Prevention Policies
- Go to **Configuration** > **Prevention Policies**.
- **Tighten existing rules**:
  - Raise the machine learning detection and prevention levels (the sliders run from Cautious to Extra Aggressive). Roll the change out to a pilot host group first, because higher levels also raise the false-positive rate.
  - Restrict PowerShell and script execution (the script-based execution monitoring and suspicious scripts and commands settings), and confirm they are set to prevent rather than detect only.
  - Enable USB Device Control if applicable.
- Navigate to **Threat Intelligence** > **Indicators of Compromise (IOCs)**.
- Click **Add IOC** and enter known **malicious file hashes, domains, or IPs**.
- Set the action to **Block** where it is offered (custom file-hash IOCs can be blocked outright; domain and IP indicators raise detections), scope the IOC to the right platforms and host groups, and give it an expiry so the list does not accumulate stale entries.
- Use **Falcon Spotlight** to check for missing security patches.
- Apply necessary OS and software updates across all endpoints, starting with the vulnerability the attacker used if the investigation identified one.
Best Practices for Security Incident Investigation
✅ **Act Quickly** – Investigate high-severity detections immediately.
✅ **Use Real Time Response (RTR)** – Gain deeper visibility into compromised hosts, and collect files and hashes before you delete anything.
✅ **Contain First, Investigate Second** – Isolating the host stops further damage without losing evidence, because a contained host still reaches the Falcon cloud and RTR keeps working.
✅ **Enable Threat Hunting** – Use **Falcon OverWatch** for proactive security monitoring.