CrowdStrike Falcon integration
You can integrate CrowdStrike Falcon with Sophos Central so that it sends data to Sophos for analysis.
This page gives you an overview of the integration.
CrowdStrike Falcon product overview
CrowdStrike Falcon is a cloud-native endpoint protection platform that harnesses the power of real-time threat intelligence. Using its proprietary graph technology, it offers speedy detection and response, ensuring endpoints remain secure even against sophisticated attacks.
What we ingest
Sample alerts seen by Sophos (alert names and, where CrowdStrike supplies only a description, the description text):
- WinRMLateralMovement
- Squiblydoo
- WmicXSLFile
- MalwareProcess
- ObfCertutilCmd
- MshtaDownload
- CustomIOCDomainInformational
- VolumeShadowSnapshotDeleted
- A file written to the file-system meets the machine learning-based on-sensor AV protection's medium confidence threshold for malicious files.
- A file written to the file-system surpassed a lowest-confidence adware detection threshold.
- A file classified as Adware/PUP based on its SHA256 hash was written to the file-system.
- IOCPolicySHA256Critical
- IntelDomainMedium
- MsiexecUnusualArgs
- This file is classified as Adware/PUP based on its SHA256 hash.
Alerts ingested in full
We ingest security alerts from the CrowdStrike Falcon Platform via the API endpoint for your CrowdStrike cloud:
- US-1: api.crowdstrike.com
- US-2: api.us-2.crowdstrike.com
- US-GOV-1: api.laggar.gcw.crowdstrike.com
- EU-1: api.eu-1.crowdstrike.com
Filtering
We filter messages as follows:
- We ALLOW only messages that are in the correct format.
- We DENY messages that aren't in the correct format, but we don't DROP the data.
Sample threat mappings
Alert type is defined as follows: if the field behaviours.display_name is empty, use the value of behaviours.description. Otherwise, use the value of behaviours.display_name.
Sample mappings (alert type, threatId, threatName):
- CertutilRemoteFileCopy: threatId T1553.004, threatName Install Root Certificate
- WinRMLateralMovement: threatId TA0008, threatName Lateral Movement
- MaliciousInjection: threatId TA0002, threatName Execution
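The following is an added example, not Sophos or CrowdStrike code, showing the two rules above (the format filter and the alert-type derivation) applied to constructed CrowdStrike-style messages and then looked up against the sample mappings. The message shape (a JSON object with a `behaviours` list whose entries carry `display_name` and `description`, as the page spells those fields), the `is_well_formed` format check and the `process` helper are assumptions for illustration; the real ingest pipeline's format rules are not documented here.

```python
import json
from typing import Dict, List, Optional, Tuple

# Sample threat mappings as listed on the page: alert type -> (threatId, threatName)
SAMPLE_MAPPINGS: Dict[str, Tuple[str, str]] = {
    "CertutilRemoteFileCopy": ("T1553.004", "Install Root Certificate"),
    "WinRMLateralMovement": ("TA0008", "Lateral Movement"),
    "MaliciousInjection": ("TA0002", "Execution"),
}

# Constructed sample messages (hypothetical; not captured from a real tenant).
WELL_FORMED_MESSAGE = json.dumps({
    "detection_id": "ldt:0000000000000000000000000000000000:0",  # placeholder id
    "behaviours": [
        {"display_name": "WinRMLateralMovement",
         "description": "A process attempted lateral movement over WinRM."},
        {"display_name": "",  # empty -> fall back to description
         "description": "This file is classified as Adware/PUP based on its SHA256 hash."},
    ],
})
MALFORMED_MESSAGE = json.dumps({"detection_id": "ldt:0:1", "behaviours": "not-a-list"})
NOT_JSON_MESSAGE = "<html>unexpected gateway error</html>"


def is_well_formed(message: dict) -> bool:
    """Assumed format check: 'behaviours' must be a non-empty list of objects
    that each carry a 'description' (the fallback the alert-type rule needs)."""
    behaviours = message.get("behaviours")
    if not isinstance(behaviours, list) or not behaviours:
        return False
    return all(isinstance(b, dict) and isinstance(b.get("description"), str)
               for b in behaviours)


def alert_type(behaviour: dict) -> str:
    """Rule from the page: use display_name unless it is empty, else description."""
    display_name = behaviour.get("display_name")
    return display_name if display_name else behaviour["description"]


def map_threat(alert: str) -> Optional[Tuple[str, str]]:
    """Look up the sample mapping; None means the page lists no mapping for it."""
    return SAMPLE_MAPPINGS.get(alert)


def process(raw: str) -> dict:
    """Apply the filter, then derive alert types and threat mappings.

    Returns {"status": "allow", "alerts": [...]} for well-formed messages.
    Denied messages are returned with status "deny" and the raw payload kept
    (denied, not dropped), so nothing is silently lost.
    """
    try:
        message = json.loads(raw)
    except json.JSONDecodeError:
        return {"status": "deny", "raw": raw, "alerts": []}
    if not isinstance(message, dict) or not is_well_formed(message):
        return {"status": "deny", "raw": raw, "alerts": []}

    alerts: List[dict] = []
    for behaviour in message["behaviours"]:
        name = alert_type(behaviour)
        mapped = map_threat(name)
        alerts.append({
            "alert_type": name,
            "threatId": mapped[0] if mapped else None,
            "threatName": mapped[1] if mapped else None,
        })
    return {"status": "allow", "alerts": alerts}


if __name__ == "__main__":
    for sample in (WELL_FORMED_MESSAGE, MALFORMED_MESSAGE, NOT_JSON_MESSAGE):
        print(json.dumps(process(sample), indent=2))
```

Running the block prints one result per constructed message: the well-formed one is allowed with WinRMLateralMovement mapped to TA0008 and the description-only behaviour left unmapped, while the other two are denied with their raw payload retained.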