Best Practice: CrowdStrike Falcon / Remediate incident

Statement of Best Practice

  • Provide guidance for the handling of TeamDynamix tickets generated by CrowdStrike Falcon

Contact

  • Information Security Office

Entities Affected by Best Practice

  • Academic Director of Technology and Technical Support Representatives

Environment

  • 10374: TeamDynamix (TDX)
  • 1184990: Endpoint Detection and Response (EDR) - CrowdStrike Falcon
    • CrowdStrike

Associated Procedure

  • The CrowdStrike operational group will make determinations on each incident and assign it to a TSR group for remediation if necessary. This process will create a ticket in TeamDynamix and assign it to the applicable group
  • If more information is needed, the originating incident can be viewed at https://miamioh.edu/falcon
  1. Remediate the issue noted in the ticket through normal means (reimaging or removal of malicious software)
  2. Close out the ticket in TeamDynamix
  3. Log in to CrowdStrike and close the incident
    • Note: There may be multiple incidents for the same trigger depending on lag time between detection and remediation. Close all of the incidents for the host you remediated
    1. Go to https://miamioh.edu/falcon
    2. Click the hamburger menu in the upper left-hand corner and select Endpoint Security -> Endpoint Detections
    3. Click in the Search bar, select Assigned To, and then select your team's email address
    4. Click to expand the detections for the machine you have remediated, and then click on the detection you want to close
    5. In the detection window that opens, click on the Change Detection Status box (it may display "New", "In progress", or "Reopened")
    6. Change the Set Status drop-down to Closed and then click Update