Send observables to EDR

  • Release version: Xanadu
  • Updated October 22, 2024
  • 1 minute to read

    • Send observables to the EDR security tool.

    Before you begin

    Role required: sn_sec_tisc.analyst

    Procedure

    1. Navigate to Workspaces > Threat Intelligence Security Center.
    2. Click the Threat Intel Library icon.
    3. Go to Observables > All Observables.
    4. Open any observable record.
    5. Select Send to EDR.
      The Send to EDR Implementations modal screen is displayed.
    6. Select the required implementation from the list.
      Send observable to CrowdStrike - Implementation
    7. Click Next.
    8. Select the run time details such as the Action Type and Description of the implementation.
      Send observable to CrowdStrike - Runtime details
      The available options for the CrowdStrike during implementation run time details are:
      • No Action (Save the indicator for future use, but take no action): In the Observable form view, the threat severity of the observable is optional for CrowdStrike Falcon EDR.
      • Detect (Enable detections for the indicator at record's threat severity): In the Observable form view, the threat severity is mandatory for CrowdStrike Falcon EDR. The threat severity of the observable shouldn’t be empty for that selected observable.
    9. Click Submit.
      The selected action is executed and an information message is displayed that Observable Send to EDR execution has started.
      Note:
      • Once the execution is initiated or completed, a work notes is posted on the activity stream of the form view.
      • Send to EDR action is also available on the observables list under Artifacts tab for a case record. For more information, see Add artifacts to case(s) or case task(s).