
# **Level 1 SOC Playbook for Falco & CrowdStrike Alerts**

**Version:** 1.0

**Last Updated:** [Insert Date]

## **1. Alert Overview**

**Key Fields for Documentation:**

| **Field** | **Description** |
|-----------|-----------------|
| **Alert Name** | [E.g., "Malware Detected", "Unauthorized Process Execution"] |
| **Source Tool** | Falco / CrowdStrike |
| **Severity** | Critical / High / Medium / Low |
| **MITRE ATT&CK Tactic** | [E.g., Execution, Persistence, Lateral Movement] |
| **MITRE ATT&CK Technique** | [E.g., T1059 (Command-Line Interface), T1543 (Create/Modify System Process)] |

## **2. Alert Triage Steps**

### **Level 1 Analyst Actions**

1. **Verify Alert Authenticity**

   - Check CrowdStrike Falcon Console/Falco logs for additional context.
   - Cross-reference with SIEM (e.g., Splunk, Elastic) for correlated events.

2. **Initial Investigation**

   - **Host Details**: Collect hostname, IP, user, and process details.
   - **Process Tree**: Review parent/child processes (CrowdStrike: `Process Tree`; Falco: `proc.pname`).
   - **File Hashes**: Check SHA-256 hashes in CrowdStrike (`File Hash` tab).
   - **Network Connections**: Look for suspicious IPs/domains (CrowdStrike: `Network Connections`).

3. **Determine Scope**

   - Is the activity isolated or widespread?
   - Check if the host is critical (e.g., domain controller, database server).

## **3. Severity Classification**

| **Severity** | **Criteria** |
|--------------|--------------|
| **Critical** | Active ransomware, lateral movement, or data exfiltration. |
| **High** | Unauthorized privilege escalation, suspicious malware execution. |
| **Medium** | Uncommon process execution (e.g., PowerShell in non-admin context). |
| **Low** | Known false positives (e.g., benign scripting). |

## **4. Common Alert Types & Response**

### **A. CrowdStrike Alerts**

#### **Alert Type 1: Malware Detection**

- **Indicators**: Malicious file hash, signature match.
- **Response**:
  1. Quarantine the host using CrowdStrike (`Contain Host`).
  2. Initiate full disk scan.
  3. Escalate to Level 2 if the file is unknown/zero-day.

#### **Alert Type 2: Suspicious Process Execution**

- **Indicators**: `cmd.exe` spawning `powershell.exe`, anomalous script execution.
- **Response**:
  1. Terminate the process via CrowdStrike (`Remote Remediation`).
  2. Check for persistence mechanisms (scheduled tasks, registry keys).

### **B. Falco Alerts**

#### **Alert Type 1: Unauthorized Container Activity**

- **Indicators**: Privileged container execution, shell spawned in container.
- **Response**:
  1. Isolate the container/pod.
  2. Review Kubernetes audit logs for pod creation/deletion.

#### **Alert Type 2: Fileless Attack Detection**

- **Indicators**: Memory execution, unsigned DLL injection.
- **Response**:
  1. Capture memory dump for analysis.
  2. Escalate to Level 2 for forensic review.

## **5. Escalation Criteria**

Escalate to Level 2/Threat Hunting Team if:

- The alert is confirmed as a true positive with high impact.
- The activity involves unfamiliar TTPs (Tactics, Techniques, Procedures).
- There is evidence of lateral movement or data exfiltration.

## **6. False Positive Checklist**

- Verify whether the process/file is whitelisted (e.g., internal tools).
- Check whether the activity aligns with scheduled maintenance/scripts.
- Review the Falco/CrowdStrike exceptions list.
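As an added example (not part of the playbook itself), the following Python helper applies the triage logic of sections 2, 3, 5 and 6 to Falco alerts in JSON output format: it extracts the host/process details, assigns a playbook severity, applies the whitelist check, and decides whether the alert meets the escalation criteria. The sample alerts, the whitelist and the critical-host set are constructed placeholders.

```python
import json

# Constructed Falco JSON alerts for illustration (not captured from a real system).
SAMPLE_ALERTS = [
    '{"hostname":"node-01","rule":"Terminal shell in container","priority":"Notice",'
    '"output_fields":{"user.name":"root","proc.name":"bash","proc.pname":"runc",'
    '"container.privileged":false,"container.image.repository":"nginx"}}',
    '{"hostname":"db-prod-01","rule":"Launch Privileged Container","priority":"Warning",'
    '"output_fields":{"user.name":"root","proc.name":"sh","proc.pname":"containerd-shim",'
    '"container.privileged":true,"container.image.repository":"debug-tools"}}',
    '{"hostname":"node-02","rule":"Terminal shell in container","priority":"Notice",'
    '"output_fields":{"user.name":"backup","proc.name":"backup-agent","proc.pname":"cron",'
    '"container.privileged":false,"container.image.repository":"internal/backup"}}',
]

# Assumed local context; a real SOC would pull these from the CMDB and exceptions list.
WHITELISTED_PROCS = {"backup-agent"}        # section 6: approved internal tools
CRITICAL_HOSTS = {"dc-01", "db-prod-01"}    # section 2: critical assets

def triage(raw_alert: str) -> dict:
    """Apply the playbook's triage logic (sections 2, 3, 5, 6) to one Falco alert."""
    alert = json.loads(raw_alert)
    f = alert["output_fields"]
    host_details = {                            # section 2: host and process details
        "hostname": alert["hostname"],
        "user": f.get("user.name"),
        "process": f.get("proc.name"),
        "parent": f.get("proc.pname"),          # Falco's parent-process field
        "image": f.get("container.image.repository"),
    }
    if f.get("proc.name") in WHITELISTED_PROCS:  # section 6: known false positive
        severity, reason = "Low", "whitelisted internal tool"
    elif f.get("container.privileged"):          # section 3: privilege escalation
        severity, reason = "High", "privileged container execution"
    else:                                        # section 3: uncommon process execution
        severity, reason = "Medium", "uncommon process execution in container"
    critical_host = alert["hostname"] in CRITICAL_HOSTS
    # section 5: escalate confirmed high-impact alerts, or anything non-benign on a critical asset
    escalate = severity in {"Critical", "High"} or (critical_host and severity != "Low")
    return {**host_details, "severity": severity, "reason": reason,
            "critical_host": critical_host, "escalate": escalate}

def triage_all(raw_alerts=SAMPLE_ALERTS) -> list:
    return [triage(a) for a in raw_alerts]

if __name__ == "__main__":
    for result in triage_all():
        print(json.dumps(result))
```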

## **7. Documentation & Reporting**

1. Log all actions in the SIEM/Ticketing System (e.g., ServiceNow).

2. Update the playbook with new findings or false positives.

## **8. Appendices**

### **A. CrowdStrike Quick Commands**

- `Get-FalconHost -Filter "hostname:'HOSTNAME'"`
- `Get-FalconDetection -Filter "status:'new'"`

### **B. Falco Query Examples**

- Search for privileged containers:

```yaml
# Falco has no ad-hoc filter flag; the filter is a rule condition. Load with: falco -r rules/falco_rules.yaml
- rule: Privileged Container Started
  desc: A container was started with the privileged flag set
  condition: evt.type = container and container.privileged = true
  output: "Privileged container started (image=%container.image.repository)"
  priority: WARNING
```

## **9. Revision History**

| **Version** | **Date** | **Changes** |

|-------------|----------------|-------------------------------------------|

| 1.0 | [Date] | Initial release |

**Notes for Analysts:**

- Always follow organizational incident response policies.

- When in doubt, escalate!
