How to Leverage Scheduled Searches
Introduction
Falcon Insight provides customers with extensive visibility into the events taking place on endpoints and workloads. While triggered detections are an important part of endpoint security, CrowdStrike also provides the ability to search the raw event data. In addition, scheduled searches can be used to automate the recurrence of those searches and trigger various notifications.
Detailed Event Searches
From the main menu, the “Event Search” is available under the “Investigate” app. Based on the Splunk query language, customers can hunt for events based on any number of attributes including host, file, process, application and user.
This sample query hunts for the use of different reconnaissance tools run by the local system account. After selecting the time range, the search returns zero results for the past 24 hours. With scheduled searches, this query can be configured to run regularly to identify any future events.
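As an added illustration (this is not the query from the original article, whose screenshot is not reproduced here), the following Splunk-style search expresses the same idea: processes launched under the local SYSTEM account whose image name matches common built-in reconnaissance utilities. It uses standard Falcon event-search fields (`event_simpleName`, `UserSid`, `FileName`, `CommandLine`, `ComputerName`); the SID `S-1-5-18` is the well-known local SYSTEM SID, and the list of file names is an illustrative starting point that an analyst would tune for their own environment.

```spl
event_simpleName=ProcessRollup2 UserSid="S-1-5-18"
    FileName IN ("whoami.exe", "net.exe", "net1.exe", "ipconfig.exe", "nltest.exe", "systeminfo.exe", "quser.exe")
| stats count AS executions, earliest(_time) AS first_seen, latest(_time) AS last_seen
        values(CommandLine) AS command_lines
    BY ComputerName, FileName
| convert ctime(first_seen) ctime(last_seen)
| sort - executions
```

Run over the last 24 hours this may return nothing, as the article describes; saved as a scheduled search, the same query re-runs on the chosen cadence and can trigger a notification only when it yields results, so the analyst hears about the first occurrence rather than having to re-run the hunt by hand.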
Creating Scheduled Searches
To save a search, the first step is to enter a name and description.
The following prompts set the frequency along with a start and stop date for the query.
CrowdStrike also provides the ability to trigger notifications based on the results of the scheduled search. In this case, an email will be sent to the analyst. The options below can be used to configure if the email is sent each time the query runs or only when it yields results.
Finally, there is an option to configure multiple notifications or “Schedule search”.
Managing Scheduled Searches
After saving, the list of all scheduled searches is presented including management features and the option to create additional scheduled searches.
This page is also available from the main Falcon menu under “Investigate”. The Results/Searches column summarizes how each query has performed to date.
The menu includes options to edit, deactivate and delete searches. “See history” will present a list of the results to date including a download function.
Other Notification Options
In addition to email, there are other notification options available including Slack messages, Teams messages and PagerDuty notifications. Each saved search can also have multiple notifications as needed. Queries that are likely to yield more results are potentially good use cases for the webhook notification. Webhooks are a simple way to send near real-time data from the Falcon platform to third-party applications like a SIEM. There is also the option to schedule a search without configuring a notification. Even without triggering an email or message, the search will run and the results will be available for reference as needed.
Closing
CrowdStrike’s Falcon Insight provides unparalleled EDR visibility along with the flexibility to query that event data. With scheduled searches, those queries can be automated with the option to configure a variety of workflows and notifications to best meet the needs of busy security analysts.
More resources
- CrowdStrike Tech Center
- Sign up for a weekly Falcon demo
- Request a 1:1 Demo
- Guide to AV Replacement
- CrowdStrike Products