Attack Chain

1. Initial Access: An attacker gains initial access to a host through various means, such as exploiting a vulnerability or using stolen credentials.
2. Malware Deployment: The attacker deploys malware onto the compromised host. This could be achieved through techniques like phishing or exploiting software vulnerabilities.
3. Execution: The malware executes on the host, initiating malicious activities. This may involve running malicious scripts or binaries.
4. Persistence: The malware establishes persistence on the host to maintain access even after a reboot. This can be achieved by creating scheduled tasks or modifying registry keys.
5. Lateral Movement: The attacker attempts to move laterally to other hosts on the network. This can involve using techniques like pass-the-hash or exploiting network vulnerabilities.
6. Command and Control: The malware establishes communication with a command and control (C2) server to receive instructions and exfiltrate data.
7. Privilege Escalation: The attacker attempts to escalate privileges to gain higher-level access to the system.
8. Impact: The attacker achieves their objective, such as stealing sensitive data or disrupting system operations.

Impact

A successful attack resulting in multiple EDR alerts can lead to significant disruption and data loss. Depending on the attacker’s objectives, this could include the exfiltration of sensitive data, ransomware deployment, or system downtime. The compromise of multiple hosts can indicate a widespread and coordinated attack, potentially affecting a large number of users and systems. Organizations may experience financial losses due to incident response costs, legal liabilities, and reputational damage.

Recommendation

• Deploy the Sigma rule Multiple External EDR Alerts by Host to your SIEM and tune for your environment.
• Enable logging for CrowdStrike, SentinelOne, and M365 Defender to ensure the Sigma rule can ingest the appropriate logs, as outlined in the rule’s query.
• Prioritize investigation of hosts identified by the rule with high alert counts or diverse alert severities to minimize potential damage.
• Review and exclude known benign activities from triggering the rule, as detailed in the false positive analysis section of the rule documentation.
• Correlate alert data with other logs (process creation, network connections, file modifications) to provide better context for detected hosts.
• Block the C2 domains/IP addresses if they are found to be related to the alerts from the affected hosts.

Attack Chain

1. Adversary exploits cross-domain gaps across endpoint, identity, network, and cloud environments.
2. Attack spans across different tools and environments, creating fragmented investigation scenarios for security teams.
3. Legacy SIEMs impose a “data tax” for full ingestion, resulting in slower detection.
4. Siloed tools create blind spots and disconnected workflows, hindering effective response.
5. Falcon Onum ingests data, filters noise, enriches telemetry, and routes data in real-time to reduce storage costs.
6. High-signal data is prioritized and routed to Falcon Next-Gen SIEM for active investigations.
7. Remaining data is efficiently archived to cost-effective external data stores like Amazon S3 via Athena.
8. Security teams can then investigate across the disparate data sources through federated search, operationalizing threat intelligence at scale.

Impact

The lack of integrated security tools leads to slower detection and delayed incident response, making it harder for SOC teams to keep pace with modern threats. Organizations face increased operational costs due to duplicated data and the need for extensive data ingestion. By integrating third-party EDR solutions, CrowdStrike aims to provide faster detection, more efficient investigations, and a stronger foundation for AI-driven security operations.

Recommendation

• Deploy Falcon Next-Gen SIEM and configure it to ingest Microsoft Defender telemetry to unify detection, investigation, and response without changing endpoint deployments.
• Leverage Falcon Onum to filter and enrich data in real-time, reducing noise and storage costs, as mentioned in the Overview.
• Utilize federated search capabilities to investigate across live, network, and archived data sources (Falcon LogScale, ExtraHop, Amazon S3 via Athena) as described in the Attack Chain.
• Explore the Third-Party Indicator Management feature to ingest, enrich, and manage external indicators of compromise.

Attack Chain

1. Adversary gains initial access to a target environment through various means, potentially bypassing existing endpoint security measures.
2. Microsoft Defender detects suspicious activity on an endpoint and generates telemetry data.
3. Falcon Next-Gen SIEM ingests the Microsoft Defender telemetry data.
4. Falcon Onum filters, enriches, and routes the telemetry data, reducing noise and improving data fidelity.
5. Falcon Next-Gen SIEM analyzes the processed data, correlating it with other security event data.
6. AI-powered threat detection identifies potentially malicious activity based on the combined data.
7. Security analysts investigate the detected activity within the Falcon Next-Gen SIEM console, leveraging federated search capabilities to access additional data sources if needed.
8. Based on the investigation, analysts initiate response actions through Falcon Fusion SOAR.

Impact

The integration of third-party EDR solutions like Microsoft Defender into CrowdStrike Falcon Next-Gen SIEM aims to reduce the time to detect and respond to threats. By unifying security data and workflows, organizations can eliminate blind spots, improve data fidelity, and accelerate investigations. Successful attacks can lead to data breaches, system compromise, and financial losses. The number of affected organizations and the specific financial impact will depend on the effectiveness of the integrated security measures.

Recommendation

• Deploy the Sigma rules provided in this brief to your SIEM and tune them according to your environment to detect suspicious activity correlated across multiple data sources.
• Enable and configure Microsoft Defender to generate detailed telemetry data, which can then be ingested into Falcon Next-Gen SIEM for enhanced analysis.
• Utilize Falcon Onum to filter, enrich, and route telemetry data to improve data fidelity and reduce storage costs, as mentioned in the overview.
• Leverage the federated search capabilities of Falcon Next-Gen SIEM to investigate threats across live, network, and archived data sources without costly re-ingestion, as described in the overview.
• Implement third-party indicator management to operationalize threat intelligence at scale by ingesting, enriching, scoring, and managing external indicators of compromise.

Attack Chain

This threat brief focuses on the integration of security tools rather than a specific attack chain. However, the value of the integration is to defend against a variety of attack chains, a generalized example follows:

1. Initial Access: An attacker gains initial access through methods such as phishing or exploiting a vulnerability. (T1566, T1190)
2. Execution: The attacker executes malicious code on the endpoint. (T1059)
3. Persistence: The attacker establishes persistence to maintain access to the compromised system. (T1547)
4. Lateral Movement: The attacker moves laterally within the network to access additional systems. (T1021)
5. Credential Access: The attacker attempts to steal credentials to escalate privileges and access sensitive data. (T1003)
6. Data Exfiltration: The attacker exfiltrates sensitive data from the compromised systems. (T1041)
7. Impact: The attacker achieves their objective, such as data theft, system disruption, or ransomware deployment. (T1486)

Impact

The integration of Microsoft Defender with CrowdStrike Falcon Next-Gen SIEM aims to reduce the impact of successful attacks. Without unified detection, organizations may experience delayed detection, slower response times, increased operational costs, and potential data breaches. The number of potential victims and sectors targeted is broad, as this integration applies to any organization using both Microsoft Defender and CrowdStrike. Success of an attack despite these tools leads to data breaches, financial losses, and reputational damage.

Recommendation

• Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious processes indicative of post-exploitation activity.
• Investigate systems generating process creation events flagged by the rules in this brief (process_creation logging).
• Review Falcon Onum settings to ensure proper filtering and routing of Microsoft Defender telemetry to optimize data fidelity and reduce storage costs (Falcon Onum documentation).
• Utilize federated search capabilities to investigate across live, network, and archived data sources, including Falcon LogScale, ExtraHop, and Amazon S3 (Falcon Next-Gen SIEM documentation).

Attack Chain

This brief focuses on SIEM integration rather than a specific attack chain, but here’s a generalized scenario where this integration could improve detection:

1. Initial Access: An attacker gains initial access to an endpoint via phishing or exploitation of a vulnerability.
2. Execution: The attacker executes malicious code on the endpoint using a tool like PowerShell or a custom script.
3. Persistence: The attacker establishes persistence by creating a scheduled task or modifying registry keys.
4. Lateral Movement: The attacker attempts to move laterally to other systems on the network using techniques like pass-the-hash or exploiting SMB vulnerabilities.
5. Command and Control: The attacker establishes a command and control (C2) channel to communicate with the compromised system.
6. Data Exfiltration: The attacker identifies and exfiltrates sensitive data from the compromised network.
7. Impact: The attacker achieves their objective, such as data theft or ransomware deployment.

In this scenario, Microsoft Defender would detect initial malicious activity. Falcon Next-Gen SIEM would ingest and analyze Defender telemetry, correlating it with other data sources to provide a more complete picture of the attack and accelerate response.

Impact

Successful attacks can lead to data breaches, financial losses, and reputational damage. Organizations can experience slower detection and delayed response due to fragmented security systems. The integration of Microsoft Defender telemetry into Falcon Next-Gen SIEM aims to address these challenges by unifying detection, investigation, and response, without altering existing endpoint deployments. By leveraging Falcon Onum, organizations can improve data fidelity, lower infrastructure costs, and strengthen the foundation for AI-driven security operations across the entire ecosystem.

Recommendation

• Utilize Falcon Next-Gen SIEM to ingest and analyze Microsoft Defender telemetry for enhanced threat detection and response.
• Implement Falcon Onum for real-time data pipeline management to reduce noise, enrich data, and optimize data routing, as described in the overview.
• Leverage the federated search capabilities of Falcon Next-Gen SIEM to investigate across live, network, and archived data sources without costly re-ingestion.

Attack Chain

This threat brief outlines the integration of third-party EDR solutions into the CrowdStrike Falcon Next-Gen SIEM. There is not an actual attack chain to describe, but rather a product enhancement. The purpose of the integration is to increase SOC visibility. This enhancement does not represent a specific attack campaign, but rather the mitigation of potential attacks by unifying telemetry.

Impact

The successful implementation of CrowdStrike’s Falcon Next-Gen SIEM with third-party EDR support aims to reduce the time to detect and respond to threats across diverse environments. The integration seeks to break down data silos and provide a unified view of security events, potentially impacting organizations of all sizes and sectors. Without such integration, organizations may face slower detection times, increased operational costs due to data duplication, and a fragmented security posture. The specific number of organizations potentially impacted is currently not available.

Recommendation

• Leverage Falcon Onum’s real-time data pipeline capabilities to reduce noise and optimize telemetry before it reaches downstream systems, as mentioned in the overview.
• Utilize the federated search capabilities to investigate across live, network, and archived data sources, including Falcon LogScale, ExtraHop, and Amazon S3 via Athena, without costly re-ingestion or duplication.
• Explore the integration of Microsoft Defender telemetry into Falcon Next-Gen SIEM to unify detection, investigation, and response without changing endpoint deployments.

Attack Chain

Given that the document describes a product integration and not a specific attack, the attack chain below represents a theoretical scenario where the integration of Falcon Next-Gen SIEM with Microsoft Defender helps to detect and respond to an attack:

1. Initial Access: An attacker gains initial access to a system via a phishing email (T1566.001) containing a malicious attachment.
2. Execution: The user opens the attachment, executing a malicious payload that bypasses initial security measures.
3. Persistence: The malware establishes persistence by creating a scheduled task or modifying registry keys to ensure it runs after a system reboot.
4. Lateral Movement: The attacker uses compromised credentials to move laterally to other systems on the network, escalating privileges as needed.
5. Command and Control: The attacker establishes a command and control (C2) channel to remotely control the compromised systems and exfiltrate sensitive data.
6. Data Exfiltration: The attacker exfiltrates sensitive data from the compromised systems to an external server.
7. Detection & Response: Falcon Next-Gen SIEM, integrated with Microsoft Defender, detects anomalous behavior and alerts security analysts.
8. Remediation: Security analysts use Falcon Next-Gen SIEM to investigate the incident, contain the affected systems, and remediate the threat.

Impact

If the integration between Falcon Next-Gen SIEM and Microsoft Defender is not in place or is misconfigured, organizations face slower detection, delayed response, and a SOC struggling to keep pace with modern threats. This can lead to successful data breaches, financial losses, reputational damage, and regulatory fines. The integration aims to mitigate these risks by providing a unified platform for detecting, investigating, and responding to threats across heterogeneous environments.

Recommendation

• Evaluate the integration of Falcon Next-Gen SIEM with Microsoft Defender to unify detection, investigation, and response across your environment, as described in the overview.
• Leverage Falcon Onum’s real-time data pipeline capabilities to filter, enrich, and route data, reducing noise and improving the fidelity of telemetry for AI models and detection workflows, as described in the overview.
• Utilize Falcon Next-Gen SIEM’s federated search capabilities to investigate across live, network, and archived data sources without costly re-ingestion or duplication, as described in the overview.