Field notes – CrowdStrike email detection
August 24, 2023At a high level
- If a threat is detected in email does Crowdstrike respond first?
- Crowdstrike does not provide email filtering or email scanning capabilities, if a user opens a file locally that spawns a malicious process we will detect it.
- If a threat is detected with network traffic does Crowdstrike respond first?
- The Falcon sensor detects and defends against attacks occurring on disk and in memory.
- The platform continuously watches for suspicious processes, events, and activities, wherever they reside.
- Falcon also provides advanced prevention capabilities like custom allowing and blocking, malware blocking, exploit blocking, and IOA-based prevention (Indicators of Attack).
- Data gathered by the sensor is then transmitted continuously from the sensor to CrowdStrike’s Advanced Threat Intelligence Cloud, where CrowdStrike analyzes and draws links between events across the entire Falcon sensor community.
- These behavioral patterns are detected in real time using CrowdStrike’s Threat Graph data model, allowing analysts to detect new attacks, whether the attacks use malware or not.