Smart SOAR Integration

A feature-rich integration with CrowdStrike Falcon makes D3 the perfect command center for intaking events, detonating malicious files, and orchestrating actions across endpoints. D3’s automation-powered playbooks, MITRE ATT&CK framework, and deep investigative capabilities bring effective and repeatable workflows to all endpoint events.

CrowdStrike Falcon Endpoint Protection Integration

Integration features

Orchestrate more than 25 actions in CrowdStrike Falcon from D3
Automate enrichment of events with threat intelligence from Falcon X and other sources
Correlate events against the MITRE ATT&CK matrix to reveal adversarial intent
Detonate suspicious files in CrowdStrike Falcon Sandbox

Key Use Cases

#1: Compromised Endpoint Remediation

When a compromised endpoint is detected, D3 enriches the alert with threat intelligence from Falcon X and other sources to produce a risk score. If the file is not conclusively known to be malicious, D3 queries the compromised endpoint via Falcon Endpoint Protection to download the file, which can then be detonated in Falcon Sandbox for analysis. If the file is determined to be malicious, D3 queries other endpoints to find any other instances of the file. Having identified the full extent of the compromise, the analyst can use D3 to orchestrate actions across the affected endpoints, such as removing the file, blocking the hash, killing processes, or quarantining the endpoint.
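The decision flow of this use case, written out as an added Python simulation (not D3's or CrowdStrike's code): the threat-intel scores, sandbox verdicts, endpoint inventory, risk threshold and action names are all constructed placeholders standing in for the Falcon X, Falcon Sandbox and Falcon Endpoint Protection calls the playbook would make.

```python
"""Constructed playbook simulation of the compromised-endpoint remediation flow."""
from dataclasses import dataclass

MALICIOUS_THRESHOLD = 70  # assumed: risk score at or above this is treated as malicious

# Constructed threat-intel feed: sha256 -> risk score (None = no source knows the hash)
THREAT_INTEL = {"a1" * 32: 95, "b2" * 32: None, "c3" * 32: 10}
# Constructed Falcon Sandbox verdicts for hashes that have been detonated
SANDBOX_VERDICTS = {"b2" * 32: "malicious"}
# Constructed endpoint inventory: hostname -> set of file hashes observed on it
ENDPOINTS = {"ws-01": {"a1" * 32, "b2" * 32}, "ws-02": {"b2" * 32}, "srv-01": {"c3" * 32}}


@dataclass
class Outcome:
    verdict: str          # "malicious" or "benign"
    affected_hosts: list  # every endpoint on which the file was found
    actions: list         # ordered list of playbook actions taken


def enrich(sha256: str) -> str:
    """Step 1: risk-score the hash from intel; inconclusive if no source knows it."""
    score = THREAT_INTEL.get(sha256)
    if score is None:
        return "unknown"
    return "malicious" if score >= MALICIOUS_THRESHOLD else "benign"


def detonate(sha256: str) -> str:
    """Step 2 (only when intel is inconclusive): sandbox verdict, benign if nothing fires."""
    return SANDBOX_VERDICTS.get(sha256, "benign")


def hunt(sha256: str) -> list:
    """Step 3: find every endpoint on which the same file hash is present."""
    return sorted(host for host, files in ENDPOINTS.items() if sha256 in files)


def remediate(source_host: str, sha256: str) -> Outcome:
    """Run the full flow for one detection and return what the playbook did."""
    actions = ["enrich"]
    verdict = enrich(sha256)
    if verdict == "unknown":  # not conclusively known: pull the file and detonate it
        actions += ["download_file", "detonate"]
        verdict = detonate(sha256)
    if verdict != "malicious":
        return Outcome("benign", [source_host], actions + ["close_as_benign"])
    hosts = hunt(sha256) or [source_host]  # scope containment to every instance found
    actions.append("block_hash")           # one global action, then per-host actions
    for host in hosts:
        actions += [f"kill_process:{host}", f"remove_file:{host}", f"quarantine:{host}"]
    return Outcome("malicious", hosts, actions)
```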


#2: Kill-Chain-Based Enrichment and Response

When D3 ingests an event from Falcon, it correlates against MITRE ATT&CK to determine the adversarial techniques. D3 then collects other relevant endpoint events based on parameters such as the general timeframe of the attack. D3 parses those endpoint events to find and categorize correlated IOCs, techniques, and tactics. D3 then maps these data points across the MITRE ATT&CK framework to build out the kill chain of the larger attack that these pieces represent.


Meet Our Friends

Our Connected SOAR Security Alliance brings hundreds of vendors together, allowing customers to benefit from our deep industry relationships and fully vendor-agnostic, independent SOAR platform.


Get Started with D3 Security

One platform to stop alert overwhelm. Transform how your security team works, by focusing its resources on real threats.