CrowdStrike + Intezer: Automation for Alert Triage and Threat Hunting

Written by Intezer


    Intezer’s solution for CrowdStrike is powerful enough to function as a virtual Tier 1, allowing you to remove false positives and get clear recommendations for every alert.

    Table of Contents

    1. How Automated Alert Triage Works
    2. Benefits of Intezer as a Virtual Tier 1
    3. How Manual Incident Triage Limits Investigations
    4. Intezer’s Integration Benefits
    5. How It Works: Step by Step
    6. Solution Use Cases
    7. Reducing Alert Fatigue for SOC/IR Teams to Improve MTTR

    One of the biggest pain points for security teams is alert fatigue: keeping up with a tedious, never-ending stream of alerts to triage. In practice, teams spend a large share of their time confirming alerts instead of investigating real incidents, or, when they cannot keep up with the volume, spend a large share of their budget outsourcing Tier 1 work to a Managed Detection and Response (MDR) provider. Integrating Intezer with CrowdStrike for endpoint alert triage automates that work and returns a clear recommendation on every alert, without burning out the team or eating up the budget.

    To tackle alert fatigue and improve MTTR (mean time to respond), Intezer's integration with CrowdStrike combines these two best-of-breed solutions. Teams can then rely on the technology to triage incidents automatically, produce detailed verdicts, and get clear recommendations for response.

    How Automated Alert Triage Works

    Diagram of Intezer’s solution to alert triage, response, and hunting tasks for CrowdStrike

    When an alert is generated in CrowdStrike, the associated artifacts (file, process, memory image) are automatically sent to Intezer for deep analysis and investigation, down to the code level. Intezer’s triage results are returned in the CrowdStrike console, with a verdict classifying the threat (or telling you it’s a false positive) with clear recommendations. For threats, deep context is provided for a better and faster response, with a link to Intezer’s full investigation results and extracted detection opportunities for threat hunting. By replacing manual processes with machine-speed detection and deep malware analysis, security teams can respond to incidents with greater speed and confidence.

    Get a quick preview of how Intezer works with CrowdStrike in this 4-minute video:

    Advantages of Using Intezer as a Virtual Tier 1 with CrowdStrike

    • Clear recommendations and analysis results on every alert, automatically.
    • Identified false positives, and higher-confidence validation of the alerts that are genuinely suspicious.
    • Reduced response time for critical security investigations.
    • Retention of past investigations for future events and campaigns.
    • Simplified rule extraction from Intezer for threat hunting.

    How Manual Incident Triage Limits Investigations

    As the cybersecurity skills gap continues to widen, organizations face challenges in hiring and retaining skilled security professionals. The deluge of alerts from security tooling and the tedious nature of the Tier 1 analyst position makes burnout one of the leading contributors to the shortage of security talent. Security teams look to automation to help alleviate some of the repetitive tasks of incident triage to focus their limited resources on the highest impact and most critical incidents, increasing throughput and reducing the time to respond.

    Intezer + CrowdStrike Integration Benefits

    • Triage for every alert and time savings with a unified, automated workflow.
    • Transparent analysis and additional context about scanned artifacts including attribution, malware families, indicators of compromise (IOCs), and TTPs mapped to MITRE ATT&CK®.
    • Rapid verdicts of both malicious and benign artifacts classified using Intezer’s proprietary genetic analysis solution.
    • Hunt for traces of advanced in-memory threats such as fileless and packed malware, malicious code injections, or any unrecognized code by running Intezer’s Live Endpoint Scanner as a script from inside CrowdStrike.
    • Out-of-the-box detection content and queries for threat hunting provide immediate time-to-value.

    How It Works, Step by Step

    1. CrowdStrike detects malicious activity on an endpoint and creates an alert.
    2. Intezer fetches the relevant artifacts (file, process, memory image) from the endpoint through CrowdStrike for analysis.
    3. Intezer provides analysis results and clear recommendations for every alert in CrowdStrike, so your team knows what to do next.
    4. From Intezer's analysis result in CrowdStrike, you get the verdict, malware family information, additional context, and a link to Intezer's full investigation if you need IOCs and threat hunting queries.
    5. Additional indicators can be added to the CrowdStrike blacklist, or turned into a custom detection rule from Intezer, so that CrowdStrike alerts and performs an automated response the next time those indicators are seen.
    6. Scan a suspicious endpoint or proactively hunt for traces of advanced in-memory threats (such as fileless and packed malware, malicious code injections, or any unrecognized code) by using Intezer’s Live Endpoint Scanner as a script from inside CrowdStrike.
    7. Threat hunting queries can be extracted from Intezer and used with CrowdStrike to hunt for additional indicators across the environment.
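The loop in steps 1 to 7 above, written out as an added Python example (not Intezer's or CrowdStrike's integration code): each detection's file hash is analyzed once, past verdicts are reused by hash, the verdict and the alert's severity are mapped to a recommended action, confirmed threats yield indicators for the blocklist, and a hunt query is built from those indicators. The detection records and verdicts are constructed, the analysis backend is a hypothetical stand-in for a real file/memory analysis service, and the IOC record shape and the event-search query syntax are assumptions rather than either vendor's API.

```python
# Added illustration of an automated triage loop; NOT Intezer's or CrowdStrike's
# code. Sample detections and verdicts are constructed; the analysis backend is a
# hypothetical stand-in; IOC record shape and query syntax are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Verdict(Enum):
    MALICIOUS = "malicious"
    SUSPICIOUS = "suspicious"
    TRUSTED = "trusted"      # known-good code: the alert is a false positive
    UNKNOWN = "unknown"      # no classifiable code (e.g. packed or never seen)


class Action(Enum):
    CLOSE_FALSE_POSITIVE = "close as false positive"
    ESCALATE = "escalate to analyst"
    CONTAIN_AND_BLOCK = "contain host and block indicators"
    SCAN_MEMORY = "run in-memory endpoint scan"


@dataclass
class Detection:
    detection_id: str
    device_id: str
    severity: str            # low / medium / high / critical
    sha256: str              # hash of the file that triggered the alert


@dataclass
class AnalysisResult:
    verdict: Verdict
    family: Optional[str]
    related_hashes: List[str]   # extra IOCs surfaced by the analysis


@dataclass
class TriageOutcome:
    detection: Detection
    result: AnalysisResult
    action: Action
    from_cache: bool

    def comment(self) -> str:
        """Text an integration would post back on the alert."""
        fam = f" ({self.result.family})" if self.result.family else ""
        src = "cached verdict" if self.from_cache else "new analysis"
        return f"[triage] {self.result.verdict.value}{fam} via {src}; recommended: {self.action.value}"


def decide(severity: str, result: AnalysisResult) -> Action:
    """Map an analysis verdict plus alert severity to a recommendation."""
    if result.verdict is Verdict.TRUSTED:
        return Action.CLOSE_FALSE_POSITIVE
    if result.verdict is Verdict.MALICIOUS:
        return Action.CONTAIN_AND_BLOCK
    if result.verdict is Verdict.SUSPICIOUS:
        return Action.ESCALATE
    # Unknown code on a high-severity alert: packed or injected code must be
    # unpacked in memory to run, so scan memory before a human spends time on it.
    return Action.SCAN_MEMORY if severity in ("high", "critical") else Action.ESCALATE


def triage(detections: List[Detection], analyze: Callable[[str], AnalysisResult],
           cache: Dict[str, AnalysisResult]) -> List[TriageOutcome]:
    """Analyze each alert's artifact once, reusing past verdicts by hash."""
    outcomes = []
    for det in detections:
        hit = det.sha256 in cache
        if not hit:
            cache[det.sha256] = analyze(det.sha256)
        result = cache[det.sha256]
        outcomes.append(TriageOutcome(det, result, decide(det.severity, result), hit))
    return outcomes


def block_list(outcomes: List[TriageOutcome]) -> List[dict]:
    """Deduplicated indicators for the EDR's custom-IOC blocklist (shape assumed)."""
    seen, entries = set(), []
    for o in outcomes:
        if o.action is not Action.CONTAIN_AND_BLOCK:
            continue
        for h in [o.detection.sha256, *o.result.related_hashes]:
            if h not in seen:
                seen.add(h)
                entries.append({"type": "sha256", "value": h, "action": "block"})
    return entries


def hunt_query(hashes: List[str]) -> str:
    """Event-search style query for process executions of the given hashes
    (syntax only approximates CrowdStrike Event Search; treat as an assumption)."""
    quoted = ", ".join(f'"{h}"' for h in sorted(hashes))
    return f"event_simpleName=ProcessRollup2 SHA256HashData IN ({quoted})"


# Constructed sample data: four alerts, two of them for the same file.
H_MAL, H_GOOD, H_UNK, H_RELATED = "aa" * 32, "bb" * 32, "cc" * 32, "dd" * 32
FAKE_VERDICTS = {   # hypothetical analysis backend, keyed by sha256
    H_MAL: AnalysisResult(Verdict.MALICIOUS, "SampleFamily", [H_RELATED]),
    H_GOOD: AnalysisResult(Verdict.TRUSTED, None, []),
    H_UNK: AnalysisResult(Verdict.UNKNOWN, None, []),
}
SAMPLE_DETECTIONS = [
    Detection("det-1", "host-a", "high", H_MAL),
    Detection("det-2", "host-b", "low", H_GOOD),
    Detection("det-3", "host-c", "critical", H_UNK),
    Detection("det-4", "host-d", "medium", H_MAL),   # same file as det-1
]


def run_sample():
    """Triage the sample alerts; returns outcomes and the hashes actually analyzed."""
    calls: List[str] = []

    def fake_analyze(sha256: str) -> AnalysisResult:
        calls.append(sha256)
        return FAKE_VERDICTS[sha256]

    return triage(SAMPLE_DETECTIONS, fake_analyze, cache={}), calls


if __name__ == "__main__":
    outcomes, calls = run_sample()
    for o in outcomes:
        print(o.detection.detection_id, "->", o.comment())
    print(block_list(outcomes))
    print(hunt_query([e["value"] for e in block_list(outcomes)]))
```

Running it shows det-4 resolved from the cached verdict of det-1 (three analyses for four alerts), det-2 closed as a false positive, det-3 routed to a memory scan because its code is unclassifiable on a critical alert, and the blocklist carrying the related hash the analysis surfaced as well as the file that triggered the alert.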

    Solution Use Cases

    • Alert Triage – With automated triage and analysis 24/7, Intezer determines whether an alert is a true positive that requires remediation, a suspicious alert that needs further investigation, or simply a false positive. Alongside clear recommendations, Intezer provides a verdict, malware family information, context about IOCs/TTPs, and a link to Intezer's full investigation for every alert. The screenshot referenced here shows a High Severity alert in CrowdStrike:
    Screenshot caption: Intezer posts a comment in the CrowdStrike console for every alert (outlined in red in the screenshot) with the triage result, context about IOCs/TTPs, and a link to the full analysis for transparency and further investigation.
    • Incident Response – Get clear recommendations and extracted IOCs to quickly find additional infections and remediate. You can run Intezer's Endpoint Scanner directly from the CrowdStrike dashboard; it performs a deep endpoint forensic analysis by scanning every loaded process and module in memory for traces of malicious code.
    • Curated Threat Hunting – Intezer provides out-of-the-box detection content for threat hunting, and threat hunting queries that can be extracted to use in CrowdStrike.

    “Too many teams face challenges hiring and retaining skilled security professionals, but they can feel empowered by introducing more automation into their workflows for alert triage, response, and threat hunting with Intezer’s integration that combines seamlessly with CrowdStrike’s platform.” — Itai Tevet, CEO and Founder, Intezer

    Reducing CrowdStrike Alert Fatigue to Improve MTTR

    When a security team is overwhelmed by alerts and suffering alert fatigue, integrating automation into its alert triage and response process is key to reducing the mean time to respond (MTTR) to an incident.

    Want to try Intezer's solution for automating triage, response, and hunting with CrowdStrike? Sign up free to see how it works for yourself.

    If you’re an Intezer customer, use your CrowdStrike API key to activate the integration now.
