EDR - CrowdStrike Private Tenant User Guide

This page provides general information about OIT-provided private CrowdStrike tenants and the responsibilities that come with managing one. To get a private tenant created, or to install CrowdStrike from the generic tenant, reference the Crowdstrike for Unix and Linux servers page.

If you have a CrowdStrike account, you can access the official Falcon Console User Guide. CU Boulder CrowdStrike accounts are housed on the US 2 cloud; ensure that you are using the domain “falcon.us-2.crowdstrike.com/…” when navigating to CrowdStrike resources.

Overview

Private tenants give ITPs the ability to manage EDR and vulnerability scanning on their devices. The use of CrowdStrike Falcon or another approved EDR solution is required by the Secure Computing Standards. ITPs using a private tenant must follow the guidelines listed in the Shared Responsibility Acknowledgement form to maintain compliance with the Secure Computing Standards.

Supported Browsers

As of July 2024, the CrowdStrike console is supported on the latest stable versions of:

  • Google Chrome
  • Microsoft Edge (Chromium)

Ensure that you have the most up-to-date version of a supported browser installed.

Accessing the Falcon Console

CU Boulder tenants are housed on the CrowdStrike Falcon US 2 cloud.

  1. Log in to the console here: https://falcon.us-2.crowdstrike.com
  2. Enter your login credentials and set up a two-factor authentication token.

Navigating the Falcon Console

Once you are logged in you can access the console menu with the button in the top left corner. You can also open the console menu with the keyboard shortcut Ctrl + / on Windows or Command + / on Mac.

[Image: crowdstrike user guide 1]

The Docs page can be found in the drop-down menu from the buttons in the top right corner of the console.

[Image: Crowdstrike user guide - docs]

Select Docs to browse the Falcon documentation library.

Installing Sensors

In the console menu, navigate to Host setup and management > Deploy > Sensor Downloads to browse the list of sensor installers. Your customer ID (CID) will be listed on the right side of the page.

Follow these instructions for installing the Falcon sensor for Linux using the CLI:

  1. Download the Falcon sensor installer from Host setup and management > Deploy > Sensor Downloads.
  2. Copy your Customer ID Checksum (CID), displayed on Sensor Downloads.
  3. Run the installer, substituting <installer_filename> with your installer's file name (installing the sensor requires sudo privileges).
    • Ubuntu: sudo dpkg -i <installer_filename>
    • RHEL, CentOS, Amazon Linux: sudo yum install <installer_filename>
    • SLES: sudo zypper install <installer_filename>
  4. Set your CID on the sensor, substituting <CID> with your CID.
    • All OSes: sudo /opt/CrowdStrike/falconctl -s --cid=<CID>
  5. Start the sensor manually.
    • Hosts with SysVinit: sudo service falcon-sensor start
    • Hosts with Systemd: sudo systemctl start falcon-sensor

After the installation has been completed, you can verify that a host has been onboarded into your private tenant by navigating to Host setup and management > Manage endpoints > Host management. Or you can search for the CrowdStrike Falcon process on your machine’s CLI with the command:

ps -e | grep falcon-sensor
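As an added example (not part of the OIT guide or of CrowdStrike's own tooling), the POSIX shell script below strings steps 3 to 5 and the process check together, refusing to proceed when the CID does not look like a checksummed CID so that a typo cannot leave a sensor installed but never reporting to the tenant. The 32-hex-plus-2-hex-checksum CID format and the falconctl -g --cid read-back are assumptions not stated on this page.

```shell
#!/bin/sh
# Added example, not from the OIT page: wraps install steps 3-5 plus verification.
# Usage (run as root or via sudo): ./install-falcon.sh <installer_filename> <CID>
# Assumption: a checksummed CID is 32 hex characters, a dash, then 2 hex characters.

# Return 0 only if the CID matches the assumed checksummed format.
validate_cid() {
  printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}$'
}

# Choose the install command from the installer's file extension (page step 3).
install_cmd() {
  case "$1" in
    *.deb) echo "dpkg -i $1" ;;                 # Ubuntu
    *.rpm)
      if command -v zypper >/dev/null 2>&1; then
        echo "zypper install $1"               # SLES
      else
        echo "yum install $1"                  # RHEL, CentOS, Amazon Linux
      fi ;;
    *) return 1 ;;                              # not a supported package type
  esac
}

# Choose the service start command for systemd or SysVinit hosts (page step 5).
start_cmd() {
  if command -v systemctl >/dev/null 2>&1; then
    echo "systemctl start falcon-sensor"
  else
    echo "service falcon-sensor start"
  fi
}

install_sensor() {
  installer=$1; cid=$2
  validate_cid "$cid" || { echo "CID is not a checksummed CID: $cid" >&2; return 1; }
  cmd=$(install_cmd "$installer") || { echo "unknown installer type: $installer" >&2; return 1; }
  $cmd
  /opt/CrowdStrike/falconctl -s --cid="$cid"          # page step 4
  $(start_cmd)
  # Verify: read the stored CID back (assumed falconctl option) and confirm the process.
  /opt/CrowdStrike/falconctl -g --cid
  ps -e | grep falcon-sensor >/dev/null || { echo "falcon-sensor is not running" >&2; return 1; }
}

# Only run the installer when both arguments are supplied.
if [ $# -eq 2 ]; then install_sensor "$1" "$2"; fi
```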

Reference the Sensor Deployment and Maintenance section in the Falcon documentation library for guidance during your deployment.

If you are deploying CrowdStrike to a cloud environment, navigate to Cloud security > Settings > Account registration to register an account or a Kubernetes cluster. Search the Falcon documentation library for more information about the type of deployment you want to do.

Reviewing EDR and Vulnerability Data

ITPs using CrowdStrike private tenants are expected to review CrowdStrike’s findings and remediate vulnerabilities in accordance with the campus Vulnerability Management Standard.

The homepage for viewing EDR detections can be found by navigating to Endpoint security > Activity dashboard.

[Image: Crowdstrike activity dashboard]

If there are any new detections, you can click on the number to be taken to the endpoint detections page. This page can be found in the console menu under Endpoint security > Endpoint detections. ITPs should monitor the endpoint detections page and process detections.

The OIT Security office will be automatically alerted when High- or Critical-rated detections are found. You can alert the security office of any other detections when necessary by contacting security@colorado.edu. More information about managing endpoint detections is available in the Falcon documentation library.

The homepage for viewing vulnerabilities can be found by navigating to Exposure management > Vulnerability management > Dashboards.

[Image: Vulnerabilities homepage]

The default vulnerability management dashboard is “Overview (ExPRT rating).” The ExPRT rating is CrowdStrike’s artificial intelligence model for rating and prioritizing vulnerabilities. Additional dashboards can be created to fit your team’s needs.

[Image: Crowdstrike - additional dashboards]

Under Exposure management > Vulnerability management > Vulnerabilities you can find a list of all vulnerabilities. Filters can be applied to focus on certain aspects of the vulnerabilities, and each vulnerability has a recommended remediation.

[Image: List of vulnerabilities]

Reference the Falcon Exposure Management documentation when managing vulnerabilities on your devices.