Deploying EDR Agent with CrowdStrike

When to Use

Use this skill when:

• Deploying CrowdStrike Falcon sensors to Windows, macOS, or Linux endpoints
• Configuring Falcon prevention and detection policies for different endpoint groups
• Integrating CrowdStrike telemetry with SIEM (Splunk, Elastic, Sentinel) for correlated detection
• Troubleshooting sensor connectivity, performance, or detection issues

Do not use this skill for deploying other EDR solutions (Carbon Black, SentinelOne) or for Falcon cloud workload protection (use cloud-specific deployment guides).

Prerequisites

• CrowdStrike Falcon console access with Falcon Administrator role
• Customer ID (CID) and Falcon sensor installer package
• Administrative/root access on target endpoints
• Network access: endpoints must reach CrowdStrike cloud (ts01-b.cloudsink.net on port 443)
• Deployment tool: SCCM, Intune, GPO, Ansible, or manual installation

Workflow

Step 1: Obtain Falcon Sensor Installer and CID

1. Log into Falcon Console: https://falcon.crowdstrike.com
2. Navigate: Host setup and management → Sensor downloads
3. Download the appropriate installer:
   - Windows: WindowsSensor_<version>.exe
   - macOS: FalconSensorMacOS_<version>.pkg
   - Linux: falcon-sensor_<version>_amd64.deb / .rpm
4. Copy the Customer ID (CID) from the Sensor downloads page
   - CID format: <32-char-hex>-<2-char-checksum>

Step 2: Deploy Falcon Sensor - Windows

Silent installation via command line:

WindowsSensor_7.18.17106.exe /install /quiet /norestart CID=<YOUR_CID>

SCCM deployment:

1. Create an Application in SCCM
2. Deployment type: Script Installer
3. Install command: WindowsSensor_7.18.17106.exe /install /quiet /norestart CID=<CID>
4. Detection method: Registry key exists
   - HKLM\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default
5. Deploy to target collection
6. Deployment purpose: Required (for mandatory installation)

Microsoft Intune deployment:

1. Navigate: Devices → Windows → Configuration profiles
2. Create Win32 app deployment
3. Upload .intunewin package (wrapped sensor installer)
4. Install command: WindowsSensor_7.18.17106.exe /install /quiet /norestart CID=<CID>
5. Detection rule: File exists C:\Windows\System32\drivers\CrowdStrike\csagent.sys
6. Assign to device group

GPO deployment:

# Create startup script that checks for existing installation
$sensorPath = "C:\Windows\System32\drivers\CrowdStrike\csagent.sys"
if (-not (Test-Path $sensorPath)) {
    Start-Process -FilePath "\\fileserver\CrowdStrike\WindowsSensor.exe" `
      -ArgumentList "/install /quiet /norestart CID=<CID>" -Wait
}

Step 3: Deploy Falcon Sensor - Linux

# Debian/Ubuntu
sudo dpkg -i falcon-sensor_7.18.0-17106_amd64.deb
sudo /opt/CrowdStrike/falconctl -s -f --cid=<YOUR_CID>
sudo systemctl start falcon-sensor
sudo systemctl enable falcon-sensor

# RHEL/CentOS
sudo yum install falcon-sensor-7.18.0-17106.el8.x86_64.rpm
sudo /opt/CrowdStrike/falconctl -s -f --cid=<YOUR_CID>
sudo systemctl start falcon-sensor
sudo systemctl enable falcon-sensor

# Verify sensor is running and connected
sudo /opt/CrowdStrike/falconctl -g --rfm-state
# Expected output: rfm-state=false (sensor is communicating with cloud)

Step 4: Deploy Falcon Sensor - macOS

# Install sensor package
sudo installer -pkg FalconSensorMacOS_7.18.pkg -target /

# Set CID
sudo /Applications/Falcon.app/Contents/Resources/falconctl license <YOUR_CID>

# Grant Full Disk Access and System Extension via MDM profile
# Required for macOS Ventura+ (manual approval or MDM PPPC profile)
# MDM payload: com.crowdstrike.falcon.Agent → SystemExtension + Full Disk Access

# Verify sensor status
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats

Step 5: Configure Prevention Policies

In Falcon Console, navigate to Configuration → Prevention Policies:

Recommended prevention policy settings:

Machine Learning:
  - Cloud ML: Aggressive (extra protection, may increase false positives)
  - Sensor ML: Moderate
  - Adware & PUP: Moderate

Behavioral Protection:
  - On Write: Enabled (detect malware on file creation)
  - On Sensor ML: Enabled
  - Interpreter-Only: Enabled (detect script-based attacks)

Exploit Mitigation:
  - Exploit behavior protection: Enabled
  - Memory scanning: Enabled (detects in-memory attacks)
  - Code injection: Enabled

Ransomware:
  - Ransomware protection: Enabled
  - Shadow copy protection: Enabled
  - MBR protection: Enabled

Create separate policies for:

• Workstations (aggressive settings)
• Servers (moderate settings to avoid false positives on server workloads)
• Critical infrastructure (maximum protection with exception lists)

Step 6: Configure Response Policies

Real-Time Response:
  - Enable RTR for all sensor groups
  - Configure RTR admin vs. RTR responder roles
  - Enable script execution (for IR teams)
  - Enable file extraction (for forensics)

Network Containment:
  - Pre-authorize containment for specific host groups
  - Configure containment exclusions (allow management traffic)

Automated Response:
  - Enable automated remediation for high-confidence detections
  - Configure kill process action for ransomware detections
  - Enable quarantine for malware file detections

Step 7: Validate Deployment

# Windows: Check Falcon sensor status
sc query csagent
# Expected: RUNNING

# Check sensor version
reg query "HKLM\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default" /v AgentVersion

# Verify cloud connectivity
# In Falcon Console: Host Management → Hosts → search for hostname
# Status should show "Online" with last seen timestamp < 5 minutes

Test detection capability:

# CrowdStrike provides test detection samples
# Download CsTestDetect.exe from Falcon Console → Host setup
# Run on endpoint to generate a test detection
.\CsTestDetect.exe
# Verify detection appears in Falcon Console within 60 seconds

Step 8: SIEM Integration

# Falcon SIEM Connector (Streaming API)
# Configure in Falcon Console: Support → API Clients and Keys

# Create API client with scope: Event Streams → Read
# Use falcon-siem-connector or Falcon Data Replicator (FDR)

# Splunk integration:
# Install CrowdStrike Falcon Event Streams Technical Add-on from Splunkbase
# Configure: Settings → Data inputs → CrowdStrike Falcon Event Streams
# Enter API Client ID and Secret
# Index: crowdstrike_events

# Elastic integration:
# Use Elastic Agent with CrowdStrike module
# Configure: Fleet → Agent policies → Add integration → CrowdStrike

Key Concepts

Tools & Systems

• CrowdStrike Falcon Console: Cloud-hosted management platform for all Falcon modules
• Falcon SIEM Connector: Streams detection and audit events to SIEM platforms
• Falcon Data Replicator (FDR): Streams raw endpoint telemetry to S3/cloud storage for hunting
• CrowdStrike Falcon API (OAuth2): RESTful API for automation, integration, and custom workflows
• PSFalcon: PowerShell module for CrowdStrike Falcon API automation

Common Pitfalls

• Missing CID during installation: Sensor installs but never connects to Falcon cloud. Always pass CID during install, not after.
• Proxy not configured: In environments with web proxies, configure proxy during installation: /install /quiet CID=<CID> APP_PROXYNAME=proxy.corp.com APP_PROXYPORT=8080.
• macOS System Extension blocked: macOS requires explicit approval for kernel/system extensions. Use MDM to pre-approve CrowdStrike extensions before deployment.
• Conflicting security products: Running multiple EDR/AV products causes performance issues and false positives. Coordinate exclusions or remove legacy AV before Falcon deployment.
• Sensor version pinning: Falcon auto-updates sensors by default. Pin sensor versions in the console for change-controlled environments before testing new versions.