Introduction
The cybersecurity landscape is evolving at an unprecedented pace. Attackers are becoming more sophisticated, leveraging automation and AI to scale their operations. For defenders, relying solely on manual triage and traditional signature-based detection is no longer sufficient. The volume of alerts is overwhelming, and the "signal-to-noise" ratio is often too low to effectively prioritize threats.
CrowdStrike has introduced Automated Leads, a new capability within the Falcon platform designed to address this critical gap. By leveraging advanced AI and machine learning, Automated Leads correlates disparate telemetry to surface high-fidelity detections, effectively acting as a force multiplier for SOC analysts. This isn't just about faster alerts; it's about providing the context and narrative necessary to understand the attack chain immediately.
Technical Analysis
Affected Products & Platforms: This capability is integrated into the CrowdStrike Falcon® platform. Specifically, it enhances the functionality of:
- Falcon Insight (EDR)
- Falcon Complete (MDR)
- Falcon Overwatch (Managed Threat Hunting)
Underlying Technology: Automated Leads utilizes the CrowdStrike Security Cloud and its proprietary graph data model. It analyzes millions of events per second, applying behavioral analysis to identify patterns indicative of malicious activity.
How It Works (Defender Perspective): Traditional alerting often focuses on singular events—a single suspicious process execution or a registry change. Automated Leads changes the paradigm by connecting the dots across the entire attack lifecycle:
- Telemetry Aggregation: The system ingests endpoint, identity, and cloud workload telemetry.
- Graph Analysis: It builds a behavioral graph, linking processes, network connections, and file modifications.
- Lead Generation: When a series of low-fidelity events align to form a known attack pattern (e.g., reconnaissance followed by execution and lateral movement), the system generates an "Automated Lead."
- Contextual Enrichment: Each Lead includes a detailed breakdown of the attack chain, the "who, what, where, and when," reducing the time analysts spend on investigation.
Exploitation Status: This is a defensive capability enhancement. However, it is designed to detect active exploitation patterns used by nation-state actors and eCrime syndicates, including those leveraging zero-days and living-off-the-land (LotL) techniques.
Detection & Response
While Automated Leads is a vendor-side capability, defenders can optimize their environment to benefit from such AI-driven detection by ensuring proper telemetry ingestion and by hunting for the specific behavioral patterns these tools are designed to highlight. Below are detection mechanisms and hunt queries to validate telemetry coverage and identify behaviors typical of sophisticated attacks that Automated Leads aims to correlate.
━━━ DETECTION CONTENT ━━━
SIGMA Rules:
---
title: Potential Command and Control via PowerShell
description: Detects PowerShell processes establishing network connections, a common behavior in automated attack chains used by eCrime actors.
id: 8b0a4e1a-fc3c-4b5e-9e1a-2b3c4d5e6f7a
status: experimental
references:
- https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2024/05/20
tags:
- attack.execution
- attack.t1059.001
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
Initiated: true
condition: selection
falsepositives:
- legitimate administrative scripts using network modules
level: medium
---
title: Suspicious Child Process of MS Office
description: Detects Microsoft Office applications spawning child processes like PowerShell or CMD, often associated with macro-based malware delivery.
id: 9c1b5f2b-0d4e-5c6f-0f1b-3c4d5e6f7a8b
status: experimental
references:
- https://attack.mitre.org/techniques/T1566/001/
author: Security Arsenal
date: 2024/05/20
tags:
- attack.initial_access
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|contains:
- '\WINWORD.EXE'
- '\EXCEL.EXE'
- '\POWERPNT.EXE'
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\wscript.exe'
- '\cscript.exe'
condition: selection
falsepositives:
- Legitimate macro usage for business automation
level: high
**KQL (Microsoft Sentinel / Defender):**
// Hunt for correlations between suspicious process creation and network connections
// mimicking the logic of automated lead generation
let SuspiciousProcesses =
DeviceProcessEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe")
| where ProcessCommandLine matches regex @"(?:-(?:c|e|enc|command)\s+""[^"]+"") or ProcessCommandLine contains "http";
let NetworkConnections =
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe");
SuspiciousProcesses
| join kind=inner NetworkConnections on DeviceId, InitiatingProcessId
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
**Velociraptor VQL:**
-- Hunt for processes with unsigned binaries or suspicious parents
-- indicating potential execution chains that Automated Leads would flag
SELECT
Pid,
Ppid,
Name,
Exe,
CommandLine,
Username,
StartTime
FROM pslist()
WHERE NOT Signed
OR Exe =~ "C:\Windows\Temp\.*"
OR CommandLine =~ "-enc "
-- Group by parent to see potential chains
| group Ppid
**Remediation Script (PowerShell):**
*Note: As Automated Leads is a platform feature, remediation involves ensuring agents are up-to-date and policies are configured correctly. This script checks the Falcon Sensor status.*
# Check CrowdStrike Falcon Sensor Status
Write-Host "Checking CrowdStrike Falcon Sensor connectivity and version..." -ForegroundColor Cyan
# Check for the running service
$service = Get-Service -Name "CSFalconService" -ErrorAction SilentlyContinue
if ($service.Status -eq "Running") {
Write-Host "[SUCCESS] CrowdStrike Sensor service is running." -ForegroundColor Green
# Check sensor version (Requires access to the sensor directory)
$sensorPath = "C:\Program Files\CrowdStrike\CSFalconService"
if (Test-Path $sensorPath) {
$versionInfo = Get-Item "$sensorPath\CSFalconService.exe" -ErrorAction SilentlyContinue
if ($versionInfo) {
Write-Host "Sensor Version: $($versionInfo.VersionInfo.FileVersion)" -ForegroundColor Yellow
# Check connectivity to CrowdStrike Cloud (Generic check)
try {
$testConnection = Test-NetConnection -ComputerName "api.crowdstrike.com" -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
if ($testConnection) {
Write-Host "[SUCCESS] Connectivity to CrowdStrike Cloud confirmed." -ForegroundColor Green
} else {
Write-Host "[WARNING] Unable to reach CrowdStrike Cloud on port 443." -ForegroundColor Red
}
} catch {
Write-Host "[WARNING] Connectivity check failed." -ForegroundColor Red
}
}
}
} else {
Write-Host "[ERROR] CrowdStrike Sensor service is not running or not installed." -ForegroundColor Red
}
Remediation
To leverage Automated Leads effectively, organizations must ensure:
- Sensor Hygiene: All endpoints must have the latest CrowdStrike Falcon sensor installed to ensure full telemetry visibility. Verify that no sensors are offline or reporting "Reduced Functionality Mode."
- Telemetry Configuration: Ensure that streaming policies are enabled for all relevant data types (Process rolls, Network writes, Registry modifications). Without this data, the AI lacks the context needed to generate Leads.
- Alert Tuning: Review the "Exclusions" and "Suppression" lists. Overly broad exclusions can prevent the generation of valid Automated Leads.
- Analyst Training: SOC analysts should be trained on the specific format of Automated Leads. Understanding the "Why" behind the Lead is crucial for effective triage and response.
Category
soc-mdr
Tags
crowdstrike, automated-leads, edr, threat-detection, soc-automation, ai-security
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.