Endpoint Detection & Response

CrowdStrike is a prominent provider of Endpoint Detection and Response (EDR) solutions. The CrowdStrike Falcon platform offers a range of features and capabilities that help organizations detect, investigate, and respond to security incidents on endpoints. Some key features of CrowdStrike EDR include:

  1. Endpoint Visibility: CrowdStrike EDR provides comprehensive visibility into endpoints across the organization. It collects and analyzes endpoint telemetry data, such as process activity, network connections, and system events, allowing security teams to gain real-time insights into endpoint behavior.
  2. Threat Detection and Prevention: The platform leverages advanced threat intelligence and behavioral analytics to detect and prevent known and unknown threats. It uses machine learning algorithms and behavioral indicators to identify malicious activities, including malware, fileless attacks, and suspicious behavior.
  3. Real-time Response and Remediation: CrowdStrike EDR enables security teams to respond swiftly to threats. It offers real-time response capabilities to contain and remediate incidents directly from the management console. Security teams can isolate compromised endpoints, terminate malicious processes, or remove malicious files remotely.
  4. Investigation and Forensics: The platform provides rich forensic data and investigation capabilities. Security analysts can conduct in-depth investigations, review historical endpoint activity, and visualize attack chains to understand the scope and impact of an incident. This helps with threat hunting, root cause analysis, and evidence collection for incident response.
  5. Threat Hunting: CrowdStrike EDR facilitates proactive threat hunting by empowering security teams to search for indicators of compromise (IoCs) and perform custom queries across endpoints. It supports both manual and automated hunting techniques, allowing security analysts to identify hidden threats and persistent adversaries.
  6. Endpoint Protection Platform (EPP) Integration: CrowdStrike EDR integrates seamlessly with CrowdStrike’s EPP solution, providing comprehensive endpoint protection capabilities. The combined solution offers proactive prevention measures, such as machine learning-based antivirus, anti-malware, and host-based intrusion prevention system (HIPS) capabilities.
  7. Cloud-based Architecture: CrowdStrike Falcon is a cloud-native platform, which enables rapid deployment, scalability, and easy management. It leverages the power of cloud computing to collect, analyze, and store endpoint telemetry data, facilitating real-time threat detection and response.
  8. Threat Intelligence and IOC Enrichment: CrowdStrike EDR benefits from CrowdStrike’s global threat intelligence, which provides up-to-date information on the latest threats, adversary techniques, and IoCs. The platform enriches detection and response capabilities by integrating with external threat intelligence feeds and leveraging IoC context to prioritize and investigate potential threats.

These features collectively provide organizations with robust endpoint protection, detection, response, and threat hunting capabilities. CrowdStrike EDR aims to help organizations effectively defend against advanced threats and swiftly respond to security incidents, enhancing their overall security posture.

CrowdStrike Enterprise Deployment

Falcon Console


To see if the agent is running

sc query csagent

Run a test detection to see what it looks like

choice /m crowdstrike_sample_detection

Mac OS

To verify the sensor is running

sudo /Applications/Falcon.app/Contents/Resources/falconctl stats


Installing the sensor

  1. Get a snapshot as a restore point
  2. SFTP the download from CrowdStrike
  3.  sudo dpkg -i falcon-sensor_6.48.0-14504_amd64.deb 
    • If you get a dependency error, then sudo apt-get -f install
    • Try again, sudo dpkg -i falcon-sensor_6.48.0-14504_amd64.deb 
  4. Get the Customer ID (aka CID) from CrowdStrike and use it in the following command
  5. sudo /opt/CrowdStrike/falconctl -s --cid=0123ABCDEFC54321ABCDEEF01133700D-A1
  6.  sudo service falcon-sensor start

Verify the sensor is running

u5er@ip-10-1-2-34:~$ ps -e | grep falcon-sensor
29444 ?        00:00:12 falcon-sensor