CrowdStrike Network Containment Integration

Description

CrowdStrike Falcon provides endpoint detection and response (EDR) capabilities that enable continuous and comprehensive visibility into what is happening on your endpoints in real-time.
Falcon can isolate endpoints through a feature called Network Containment.
- Users can initiate containment of CrowdStrike devices that are participants in a security detection.
- Network Containment prevents devices from establishing connections to other devices on your network
- Affected endpoints are unable to communicate with outside systems or risk lateral movement.
- These contained endpoints can still send and receive information from the CrowdStrike cloud, but the endpoint remains contained even if the connection to the cloud is severed or the endpoint is rebooted.
By integrating with the ExtraHop system, users can automatically contain endpoints that meet certain conditions and thresholds found in ExtraHop detections.
The details of every network containment are stored within the ExtraHop system for further analysis and auditing.
The integration tracks the list of high-risk offender devices where the CrowdStrike sensor was not found, and therefore the device could not be contained.

Requirements

You must have:

ExtraHop Reveal(x) version 8.0 or later and a user account with Unlimited privileges
CrowdStrike Falcon module and a user account that has the Falcon Administrator role

Contents

CrowdStrike Network Containment Integration

Description

CrowdStrike Falcon provides endpoint detection and response (EDR) capabilities that enable continuous and comprehensive visibility into what is happening on your endpoints in real-time.
Falcon can isolate endpoints through a feature called Network Containment.
- Users can initiate containment of CrowdStrike devices that are participants in a security detection.
- Network Containment prevents devices from establishing connections to other devices on your network
- Affected endpoints are unable to communicate with outside systems or risk lateral movement.
- These contained endpoints can still send and receive information from the CrowdStrike cloud, but the endpoint remains contained even if the connection to the cloud is severed or the endpoint is rebooted.
By integrating with the ExtraHop system, users can automatically contain endpoints that meet certain conditions and thresholds found in ExtraHop detections.
The details of every network containment are stored within the ExtraHop system for further analysis and auditing.
The integration tracks the list of high-risk offender devices where the CrowdStrike sensor was not found, and therefore the device could not be contained.

Requirements

You must have:

ExtraHop Reveal(x) version 8.0 or later and a user account with Unlimited privileges
CrowdStrike Falcon module and a user account that has the Falcon Administrator role

Contents

This integration enables users to automatically contain endpoints in CrowdStrike Falcon based on conditions and thresholds found in ExtraHop detections