CrowdStrike provides in-depth visibility into your technology infrastructure and operations. Because it is focused on improving your overall cybersecurity, the tool provides visibility into nearly every aspect of your operations, and it can be overwhelming at first glance. We encourage you to use this document to help you get acquainted with the tool.
Below is a link to the Onboarding Guide with check-boxes for you to verify that you have completed each of the steps:
When the initial CID is set up for a district, an account for the primary contact will be created and they will receive an email from CrowdStrike for initial access. A response to this email needs to happen within 48 hours. Be prepared to...
This 40 minute video will help you to get started with the CrowdStrike interface:
CrowdStrike uses a single sensor for each server. Sensors are upgraded automatically and are unique to each operating system. They can be downloaded from the CrowdStrike dashboard: go to Host setup and management > Deploy > Sensor downloads.
Items you may want to consider prior to Sensor deployment:
Watch the Vulnerability Management video
FGA (Fine Grained Access) currently only applies to segregating LEAs so that they can view only their own data in Host Groups, Host Management, and Real Time Response (RTR). This means that LEAs will still be able to view vulnerabilities, graphs, reports, etc. that contain information from across the entire CID. This level of access is subject to change as CrowdStrike refines FGA, but as it stands currently, FGA is limited.
For ISDs that would prefer to completely separate each LEA within CrowdStrike, the best solution for this is to purchase a child/sub CID of the ISD for the individual LEA. The same policies and configuration for the ISD/RESA CID will be set up within the LEA child CID by the CrowdStrike provisioning team.
CrowdStrike recommends that those with MDR avoid changing the policies applied to host groups. If a policy needs to be adjusted for whatever reason, you need to contact your Falcon Complete team first. If you make adjustments to a policy without their knowledge, the breach prevention warranty provided by the Complete team will be void.
If you have EDR or XDR it is recommended that you contact the MiSecure team for assistance. Information will be available here on the MichIT wiki regarding recommended policy settings.
Should there be an incident in your CID that requires the intervention of the Falcon Complete team, they will only call from the following number: +1-737-212-9729
It is important that you and your team add that contact information to your phones, as we have received a few reports that cell providers are incorrectly marking that number as spam. It is also recommended that you allow that number to bypass any Do Not Disturb settings on your phone.
ISDs/LEAs purchasing EDR licensing will receive a CID with their EDR licensing. We recommend that this CID is placed under the ISD’s CID, so that detection data flows upward to the ISD CID and then to the MiSecure CID.
For the least privileged roles, there are a few read/view-only roles, where the user cannot modify any settings. Those would be the
For users that need control and action abilities with the CID, CrowdStrike provisioning has been setting up initial users with the following roles
These roles above work well without having to grant the all-powerful Falcon Administrator role.
CrowdStrike does allow you to create additional roles and their recommendation is to clone an existing role and add or remove the necessary permissions to fit your needs.
Lastly, among the specific roles to be cautious about assigning, the Real Time Responder roles have the ability to access the endpoint directly via the Real Time Responder console built into the Falcon UI. The Real Time Responder console is only accessible to the roles below and should be granted only as necessary and with training, to prevent issues on servers and workstations. It is recommended that you remove this role when it is no longer needed.
Reduced Functionality Mode (RFM) occurs when a Windows/macOS/Linux workstation or server is updated to the most current updates from the vendor before CrowdStrike has had a chance to verify and approve those updates for systems with the CrowdStrike Sensor installed. Commonly, you will see this happen with machines that update immediately on Microsoft’s Patch Tuesday; the host details will show the machine in RFM. CrowdStrike generally approves all Microsoft updates within 48 hours, and macOS and Linux updates within 10 days.
You don’t have to take any action to fix or correct machines in RFM. As the most recent updates for all three OSes are approved by CrowdStrike, you will see the machines come out of RFM.