Back

Crowdstrike

EDR

Read Docs
Read Datasheet
OVERVIEW

Malware‑infected devices are a major launchpad for identity‑based attacks because infostealer malware often slips past traditional endpoint defenses. SpyCloud’s integration with CrowdStrike Falcon EDR fills this visibility gap by delivering definitive alerts when identity data exfiltrated by malware is available in the criminal underground. By combining SpyCloud’s high‑fidelity data with Crowdstrike Falcon, your SOC team can detect, contain, and remediate compromised endpoints earlier in the attack lifecycle.

BENEFITS
  • Accelerate Response
    Reduce MTTD and MTTR by acting on malware‑infected devices before identity theft or ransomware can escalate.
  • Enhance Detection
    Detect infostealer malware and identity exposures that evade traditional EDR, extending you team’s visibility.
  • Prevent Lateral Movement
    Automatically isolate compromised endpoints to limit malicious activity and block common ransomware entry points.
  • Flexible Workflows
    Route alerts to Slack, Jira, or email and integrate with incident response tooling to fit your organizational processes.
SEE IT IN ACTION
SCREENSHOTS
Detected user asset cybersecurity malware protection diagram, SpyCloud Compass, threat detection, and response flow.
HOW IT WORKS
  • Detect Identity‑Sourced Malware Signals
    SpyCloud monitors recaptured darknet data for stolen identity artifacts (e.g., plaintext credentials, session cookies/tokens) tied to devices in your Falcon environment.
  • Correlate with Falcon Endpoints
    Enriched identity data rom SpyCloud is mapped to host metadata (hostname, device ID, user) within Falcon so you can understand which device and user are impacted.
  • Alert and Enrich SOC Workflows
    Alerts are generated and routed into your tracking and response channels to give SOC teams high‑confidence signals tied to identity exposures.
  • Contain and Remediate
    Use Falcon’s containment capabilities to isolate compromised endpoints, initiate remote memory dumps, revoke sessions, reset exposed credentials, and trigger broader incident response playbooks.
  • Report and Measure
    Track metrics like compromised devices, matched identity artifacts, isolation timelines, and remediation actions to validate detection efficacy and improve SOC processes.
Key Capabilities
  • Daily Compromise Reports
    See lists of compromised endpoints and recaptured identity artifacts (including hostnames, usernames, IP addresses, and infection details) matched to your environment.
  • Customizable Containment
    Define rules to automatically isolate infected devices or funnel events through manual review before quarantine. Your response, your rules.
  • Remote Memory Dump Support
    Trigger memory dumps on suspect endpoints from within Falcon using device ID and receive confirmation upon completion.
  • Adjustable Time Window
    Filter and search malware exposure data by date range to surface the most relevant recent events.