Receive tons of Crowdstrike alert messages

Situation: We received many new detections such as the following:

Action taken: Endpoint detection, process would have been blocked if related prevention policy setting was enabled.
Sensor hostname: ANDREW02
Endpoint detection URL: https://falcon.us-2.crowdstrike.com/activity/detections/detail/6fa1575720ae43248d15e104d0e69a80/738776163848
Endpoint detection status: New
File path: \Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\ig-1.exe
Last behavior timestamp: 2023-02-03T14:26:18Z
Sensor platform: Windows
OS version: Windows 11
Behavior objective: Falcon Detection Method
Local IP address: 192.168.1.149
Severity: Informational
User ID: S-1-5-21-876873567-1263676363-868425949-5726
User name: Andrew
Behavior timestamp: 2023-02-03T14:26:18Z
See in Falcon.

Do we need to do anything to stop this alert?

Resolution 1: The detection is an Informational detection, which is the lowest-confidence indication that something is malicious. You are seeing these because the Sensor Anti-malware settings in your prevention policy are set as follows:

Detect is set to Extra Aggressive, which triggers the detection, and Prevention is set to Aggressive, which does not act on Informational detections.

You can either lower Detect to Aggressive so that informational events are no longer detected, or raise Prevention to Extra Aggressive so that it acts on the informational detections.

Resolution 2: We have identified the reason for the email alerts on Informational detections. They are generated by the Fusion Workflows you currently have configured: https://falcon.us-2.crowdstrike.com/workflow/fusion. Please disable or modify these workflows to stop the emails being generated on your account.
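To show how the two resolutions interact, here is an added Python example (not code from the post or from CrowdStrike) that parses the flattened alert text quoted above into fields, then applies a workflow-style severity filter and a simplified model of the Detect/Prevention sliders. The severity scale and the Aggressive vs. Extra Aggressive behaviour follow the post; the PREVENTION_FLOOR mapping is an assumption covering only the two levels the post names.

```python
import re

# Field labels exactly as they appear in the Falcon alert e-mail quoted above.
FIELDS = [
    "Action taken", "Sensor hostname", "Endpoint detection URL",
    "Endpoint detection status", "File path", "Last behavior timestamp",
    "Sensor platform", "OS version", "Behavior objective", "Local IP address",
    "Severity", "User ID", "User name", "Behavior timestamp",
]
_LABEL_RE = re.compile(
    r"(?:^|(?<=\s))(" + "|".join(re.escape(f) for f in FIELDS) + r"): ")

# Falcon severity scale, lowest to highest.
SEVERITY_ORDER = ["Informational", "Low", "Medium", "High", "Critical"]

# Simplified model of the post's explanation: the lowest severity each
# Prevention level acts on (assumption; only the two levels the post names).
PREVENTION_FLOOR = {"Aggressive": "Low", "Extra Aggressive": "Informational"}

# Alert body from the post, flattened onto one line as the e-mail arrives.
SAMPLE_ALERT = (
    "Action taken: Endpoint detection, process would have been blocked if "
    "related prevention policy setting was enabled. Sensor hostname: ANDREW02 "
    "Endpoint detection URL: https://falcon.us-2.crowdstrike.com/activity/"
    "detections/detail/6fa1575720ae43248d15e104d0e69a80/738776163848 "
    "Endpoint detection status: New File path: \\Device\\HarddiskVolume3\\"
    "Program Files\\Malwarebytes\\Anti-Malware\\ig-1.exe "
    "Last behavior timestamp: 2023-02-03T14:26:18Z Sensor platform: Windows "
    "OS version: Windows 11 Behavior objective: Falcon Detection Method "
    "Local IP address: 192.168.1.149 Severity: Informational "
    "User ID: S-1-5-21-876873567-1263676363-868425949-5726 User name: Andrew "
    "Behavior timestamp: 2023-02-03T14:26:18Z See in Falcon."
)


def parse_alert(text: str) -> dict:
    """Split the flattened alert body into a {field label: value} dict."""
    marks = list(_LABEL_RE.finditer(text))
    fields = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        value = text[m.end():end].strip()
        if value.endswith("See in Falcon."):   # trailing link text, not a value
            value = value[:-len("See in Falcon.")].rstrip()
        fields[m.group(1)] = value
    return fields


def should_notify(alert: dict, min_severity: str = "Low") -> bool:
    """Workflow-style filter: e-mail only detections at or above min_severity."""
    return SEVERITY_ORDER.index(alert["Severity"]) >= SEVERITY_ORDER.index(min_severity)


def would_prevent(alert: dict, prevention_level: str) -> bool:
    """Whether the given Prevention slider would have acted on this detection."""
    floor = PREVENTION_FLOOR[prevention_level]
    return SEVERITY_ORDER.index(alert["Severity"]) >= SEVERITY_ORDER.index(floor)
```

With the sample alert, should_notify() returns False at the default Low threshold (the workflow change in Resolution 2) and would_prevent() is False for Aggressive but True for Extra Aggressive (the policy change in Resolution 1).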

Published by

Bob Lin

Bob Lin, Chicagotech-MVP, MCSE & CNE Data recovery, Windows OS Recovery, Networking, and Computer Troubleshooting on http://www.ChicagoTech.net How to Install and Configure Windows, VMware, Virtualization and Cisco on http://www.HowToNetworking.com
