Accelerate Detection, Prioritization and Remediation of Endpoint Security Threats with CrowdStrike Falcon and DFLabs

Back to all articles

endpoint security threats

One of the core factors in stopping a breach and preventing cyber attacks is how fast an incident is detected and prioritized. DFLabs’ integration with CrowdStrike Falcon aims to help organizations accelerate the detection, prioritization and remediation of an incident before an attacker has the chance to accomplish their goals.

The Problem

As adversaries are evolving in their tactics and techniques to a new level of sophistication, traditional endpoint protection solutions are becoming less effective. Previous solutions rely heavily on static signature analysis and fail to protect organizations from these sophisticated security threats.

Newly evolving cyber threats are headed towards and equipped for a modern environment, which is becoming more mobile as organizations are moving their operations to the cloud. These traditional endpoint security solutions cannot provide the level of visibility necessary to protect all their assets and are lacking the need for reliable, real-time threat intelligence capabilities. These inefficiencies are leaving organizations in a constant reactive state with little to no hope of getting ahead of their attackers.

So how can security programs within organizations overcome these problems and take a more proactive approach to gain full visibility across their organization, whether in the cloud, on premise or hybrid environments, as well as capture critical details for threat hunting and forensic investigations?

The DFLabs and CrowdStrike Falcon Solution

CrowdStrike technology provides instant visibility and protection across an organization’s environment and can help prevent endpoint attacks either on or off the network. By unifying next-generation anti-virus and industry leading endpoint protection capabilities, organizations can feel more confident in their protection strategies in the cloud or on-prem.

The DFLabs and CrowdStrike solution utilizes CrowdStrike’s next-gen endpoint protection suite to gather vital information about an organization’s asset during a potential incident. By querying CrowdStrike for previous observations, security teams have historical data to better prioritize an event.

DFLabs’ Security Orchestration, Automation and Response (SOAR) platform, IncMan SOAR, can leverage the endpoint information obtained from CrowdStrike and incorporate its environment-wide visibility to make automated decisions and containment actions, even before being assigned to an analyst, thus dramatically reducing the dwell time.

About CrowdStrike Falcon

CrowdStrike is the leader in cloud-delivered, next-generation endpoint protection. CrowdStrike has revolutionized endpoint protection by being the first and only company to unify next-generation antivirus, endpoint detection and response (EDR), and a 24/7 managed hunting service — all delivered via a single lightweight agent.

CrowdStrike Falcon solves the inefficiencies of traditional endpoint security tools by delivering complete endpoint visibility across your organization. Insight continuously monitors all endpoint activity and analyzes the data in real time to automatically identify threat activity, enabling it to both detect and prevent advanced threats as they happen. All endpoint activity is also streamed to the CrowdStrike Falcon platform so that security teams can rapidly investigate incidents, respond to alerts and proactively hunt for new threats.

Use Case

Now let’s look at a simple use case to see the solution in action.

An alert from a Web Application Firewall is received for a new vulnerability. Upon the receipt of the alert IncMan SOAR automatically begins to gather intelligence from CrowdStrike on the IP address and file received. CrowdStrike is queried to see if the IP address or file hash had been observed within the environment over a predefined period of time. Once the intelligence is gathered, IncMan comes to two separate conditional actions.

If CrowdStrike indicates that either the IP address or file hash has been previously observed or the IP address or file hash has a negative reputation score, IncMan will automatically block the IP address and ban the hash. Once the containment actions have been taken, IncMan will query system information from the victim machine and kick off a vulnerability scan.

If the scan reports that there are vulnerabilities present on the victim machine, the incident is upgraded to a Priority 1 and a notification is sent to security team with the full vulnerability scan report for patching and remediation tasks.



The speed of detection and prioritization of alerts is one of the most crucial steps in the incident response lifecycle. The integration between DFLabs and CrowdStrike allows organizations to minimize the time to detect and prioritize critical incidents by automating the enrichment and triage of all events. With CrowdStike’s advanced detection technology and DFLabs robust automation capabilities, organizations can implement the steps necessary to prevent an adversary from accomplishing their goals, while providing better utilization of their security staff.

For more information about this security tool integration or others, contact us and get a full insight into our IncMan SOAR solution.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo