Crowdstrike EDR process correlation user guide
Automatic Process Context Stitching for Network Detections
Overview
EDR Process Correlation is Vectra AI's breakthrough capability that automatically identifies which process on an endpoint triggered suspicious network behavior detected by Vectra. This feature eliminates the manual correlation gap between Network Detection and Response (NDR) and Endpoint Detection and Response (EDR) systems.
What is EDR Process Correlation?
When Vectra AI identifies suspicious network behavior, it automatically:
Queries CrowdStrike Falcon telemetry for the specific host
Analyzes process activity during the detection window
Identifies the most probable process responsible
Surfaces complete process context directly within the Vectra detection
Result: Instant answers instead of 15-30 minutes of manual investigation.
What Problem Does This Solve?
The Investigation Gap
Without EDR Process Correlation:
Analyst receives Vectra network detection
Identifies affected host
Opens CrowdStrike console
Searches for processes around detection timeframe
Correlates network timestamps with process activity
Validates which process is responsible
Average time: 15-30 minutes per detection
With EDR Process Correlation:
Analyst receives Vectra detection with process already identified
Reviews enriched context inline
Clicks directly into CrowdStrike if deeper investigation needed
Average time: 30-60 seconds
The Missing Link
Network Detection (NDR) excels at spotting suspicious behaviors: C2 communication, reconnaissance, lateral movement, data exfiltration
Endpoint Detection (EDR) captures process-level detail: what executed, command lines, parent processes
The Gap: Without automatic correlation, analysts must manually bridge these systems
EDR Process Correlation eliminates this gap entirely.
Benefits
For Security Analysts
95% reduction in investigation time - from 15-30 minutes to 30-60 seconds
Immediate context - see the complete process story without tool switching
Instant threat validation - command line details expose true intent
One-click pivots - jump directly to full CrowdStrike forensic timeline
For SOC Operations
Faster Mean Time to Response (MTTR) - accelerate every investigative step
Reduced alert fatigue - instant context means confident decisions
Scale investigations - handle more detections with the same team
No custom correlation logic - eliminates brittle SIEM/SOAR workflows
For the Organization
Reduced attacker dwell time - faster detection to containment
Better security posture - comprehensive visibility across network and endpoint
Operational efficiency - maximize existing security investments
Attack surface understanding - complete cross-domain picture from the start
Prerequisites
Required Permissions in CrowdStrike
Your CrowdStrike API client must have these permissions:
Hosts Read (Required for host context)
Provides CrowdStrike device context
Links to CrowdStrike console
Improves device identification
Host Write (Required for containment)
Enables manual or automated response actions
Required for Host Lockdown feature
NGSIEM Write (Required for EDR Process Correlation to submit queries)
Enables automatic process stitching
Write permissions: POST queries to CrowdStrike NGSIEM (no data written to NGSIEM)
NGSIEM Read (Required for EDR Process Correlation to retrieve results)
Enables automatic process stitching
Read permissions: GET query results from NGSIEM
CrowdStrike Environment Selection
Select the correct CrowdStrike URL based on your console access:
Configuration
Step 1: Create CrowdStrike API Client
Navigate to API Clients
In your Falcon console, go to: Support and resources > Resources and tools > API clients and keys
Create New API Client
Click "Create API client"
Provide a descriptive name (e.g., "Vectra AI Integration")
Add an optional description
Configure Permissions
Set the following permissions:
Scope    Read  Write
Hosts    ✓     ✓
NGSIEM   ✓     ✓
Hosts Read: CrowdStrike device context and console linking
Host Write: Manual or automated response actions (Host Lockdown)
NGSIEM Read/Write: EDR process integration functionality
Save Credentials
Click "Create"
CRITICAL: Record the Client ID and Client Secret immediately
This is the only time the secret will be visible
If lost, you must create a new API client
Step 2: Configure Vectra Integration
Navigate to EDR Connections
In Vectra, go to: Settings > EDR Connections
Edit the CrowdStrike settings area
Enable Integration
Toggle the integration to "On"
Enter Connection Details
CrowdStrike URL: Select the appropriate URL from the dropdown (see table above)
Client ID: Paste the Client ID from Step 1
Client Secret: Paste the Client Secret from Step 1
SSL Certificate Verification
Proxy Configuration (if applicable)
If you have a proxy configured in Data Sources > Network > Brain Setup > Proxy:
Enable Host Lockdown (optional)
Save Configuration
Click "Save"
Vectra will validate the connection and permissions
Step 3: Verify Configuration
After saving, verify that:
CrowdStrike-managed hosts appear with enhanced context in Vectra
Host details display CrowdStrike information (OS, sensor ID, last seen)
Process correlation data appears in new detections
Links to CrowdStrike console are functional
How It Works
Automatic Process Correlation Workflow
When Vectra AI identifies suspicious network behavior:
Correlation Methodology
Vectra uses IP-based correlation with signal-strength prioritization:
Primary correlation: LocalAddressIP4 from CrowdStrike matches Vectra detection host IP
Signal strength: Unique destination counts identify the most likely culprit process
Why IP-based? More reliable than Agent ID (AID) mapping, which can become stale due to sensor reinstalls or database lag
Example: If multiple processes are active during the detection window, Vectra prioritizes the process with the strongest network signal matching the suspicious behavior pattern.
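The correlation rule described above, worked through in code. This is an added example, not Vectra's or CrowdStrike's code: it filters constructed network events by LocalAddressIP4 and detection window, then ranks candidate processes by network signal. The scoring order (connections to the detection's destination first, unique destination count second, earliest activity as tie-break), the NetEvent fields and all sample values are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class NetEvent:
    """One CrowdStrike network-connection event (constructed sample, not real telemetry)."""
    ts: datetime
    local_ip: str   # the LocalAddressIP4 field used for primary correlation
    remote: str     # destination as host:port
    process: str    # image file name


def rank_processes(events, host_ip, detection_ts, detection_dst, window=timedelta(minutes=10)):
    """Rank candidate processes for one Vectra network detection.

    Primary correlation: LocalAddressIP4 equals the detection host IP (no Agent ID lookup).
    Signal strength (assumed scoring): connections to the detection's destination first,
    then unique destination count, then earliest activity as the tie-break.
    Returns [(process, matching_connections, unique_destinations), ...], strongest first.
    """
    start, end = detection_ts - window, detection_ts + window
    matching, destinations, first_seen = defaultdict(int), defaultdict(set), {}
    for ev in events:
        if ev.local_ip != host_ip or not (start <= ev.ts <= end):
            continue  # other host, or outside the detection window: not a candidate
        destinations[ev.process].add(ev.remote)
        first_seen.setdefault(ev.process, ev.ts)
        if ev.remote == detection_dst:
            matching[ev.process] += 1
    order = sorted(destinations, key=lambda p: (-matching[p], -len(destinations[p]), first_seen[p]))
    return [(p, matching[p], len(destinations[p])) for p in order]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample telemetry mirroring the guide's walkthrough; not real data.
SAMPLE_EVENTS = [
    NetEvent(_t("2025-11-29T02:00:00Z"), "10.1.2.3", "vault-tech.org:443", "msedge.exe"),  # outside window
    NetEvent(_t("2025-11-29T03:50:10Z"), "10.1.2.3", "cdn.example.net:443", "msedge.exe"),
    NetEvent(_t("2025-11-29T03:50:12Z"), "10.1.2.3", "vault-tech.org:443", "msedge.exe"),
    NetEvent(_t("2025-11-29T03:52:00Z"), "10.1.2.3", "vault-tech.org:443", "curl.exe"),
    NetEvent(_t("2025-11-29T03:53:30Z"), "10.1.2.3", "vault-tech.org:443", "certutil.exe"),
    NetEvent(_t("2025-11-29T03:58:42Z"), "10.1.2.3", "vault-tech.org:443", "MicrosoftEdgeUpdate.exe"),
    NetEvent(_t("2025-11-29T04:03:42Z"), "10.1.2.3", "vault-tech.org:443", "MicrosoftEdgeUpdate.exe"),
    NetEvent(_t("2025-11-29T04:08:42Z"), "10.1.2.3", "vault-tech.org:443", "MicrosoftEdgeUpdate.exe"),
    NetEvent(_t("2025-11-29T03:58:50Z"), "10.1.2.9", "vault-tech.org:443", "powershell.exe"),  # other host
]


def sample_ranking():
    """Correlate the constructed detection (host 10.1.2.3, 03:58:42Z, C2 at vault-tech.org:443)."""
    return rank_processes(SAMPLE_EVENTS, "10.1.2.3", _t("2025-11-29T03:58:42Z"), "vault-tech.org:443")


if __name__ == "__main__":
    for proc, hits, uniq in sample_ranking():
        print(f"{proc:25} matching={hits} unique_destinations={uniq}")
```

The beaconing process ranks first because it has the most connections to the detection's destination, while the event from the other host and the out-of-window event are discarded before scoring.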
Using the Feature
Viewing Process Context in Detections
When you open a Vectra detection that has EDR Process Correlation:
CrowdStrike Context Panel
You'll see a dedicated "CrowdStrike Context" section with:
Probable Process:
Process name (e.g., MicrosoftEdgeUpdate.exe)
Process Creation Time:
Exact timestamp for timeline correlation (e.g., 2025-11-29T03:58:42Z)
Command Line:
Full command line arguments expose true intent
Example:
"C:\ProgramData\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" --connect vault-tech.org:443 --interval 300 --retry infinite
SHA256:
File hash for threat intelligence correlation
Enables immediate reputation checks
File Path:
Complete file system location
Example:
\Device\HarddiskVolume2\ProgramData\Microsoft\EdgeUpdate\
Account Name:
Execution context and privilege level
Example:
NT AUTHORITY\SYSTEM
Parent Process:
What spawned this process
Example:
services.exe (PID: 668) indicates Windows service registration
Interpreting Process Context
The command line is often the most revealing indicator. Consider this example:
Analysis:
Masquerading: Mimics legitimate Microsoft updater
Command line reveals: C2 beacon with 5-minute check-in intervals
Persistence: Infinite retry attempts
Privilege: SYSTEM account = maximum privileges
Parent: services.exe = registered as Windows service
This transforms: "potentially suspicious network traffic" into "confirmed persistent threat requiring immediate containment"
Show More Processes
Click "Show More Processes" to see all process activity during the detection window.
Use case: Understand the complete attack progression
Example output:
msedge.exe - Initial access via phishing click
curl.exe - Reconnaissance: curl.exe -I https://vault-tech.org --connect-timeout 5 (attacker validates C2 reachability before committing to persistence)
certutil.exe - SSL validation to verify C2 infrastructure (rather than the typical abuse for downloads, it validates the certificate chain)
MicrosoftEdgeUpdate.exe - Persistent C2 tunnel with 5-minute beacons (started only after confirming infrastructure validity)
Key insight: The attack progression shows sophisticated operational security rather than opportunistic malware.
One-Click CrowdStrike Pivot
Click "Investigate Host in CrowdStrike" to:
Open directly into the full host timeline within Falcon
Extend the timeframe to see processes before/after detection window
Access complete forensic context
No manual host lookups or AID searches required
Use case: When you need:
Processes days before the detection
Evidence of attacker returning with different tools
Complete timeline for incident report
Enterprise-Wide Threat Hunting
Click "Run Query in CrowdStrike" to get a pre-built, sophisticated Falcon NGSIEM query.
What you get:
Expert-level query in seconds: This query would take an experienced analyst 10-15 minutes to construct manually.
Enterprise hunting: Remove the host filter or modify other elements of the pre-populated query to search across your entire environment:
Any other endpoints connecting to the same C2 domain
Any systems running the same malicious hash
Similar command line patterns indicating related campaigns
Full campaign scope and lateral movement paths
Advanced Capabilities
Automated Response Integration
Vectra 360 Response integrates with CrowdStrike to trigger host containment directly from the Vectra platform.
Modes:
Automatic: Containment triggered when privilege, threat, and certainty score thresholds are exceeded
Manual: Analyst clicks "Lock Host" button in CrowdStrike widget
Benefits:
No tool switching required
No multi-step response playbooks
Consistent, fast, and reliable response
Architects get maintainable response flows without brittle custom logic
Configuration: Settings > EDR Integrations > Host Lockdown
CrowdStrike Next-Gen SIEM Integration
Vectra AI streams network metadata and AI-enriched telemetry directly into CrowdStrike Falcon Next Gen SIEM.
Capabilities:
Cross-domain analysis: endpoint, identity, cloud, and network
Lightning-fast query engine for investigations
One-click pivot from Vectra detection into SIEM
Consolidated evidence without juggling log systems
Analyst workflow:
Receive Vectra detection
Pivot into Falcon Next Gen SIEM
Run deeper investigations with network + endpoint + identity context
Visualize attack patterns across domains
Vectra AI MCP Server
The Model Context Protocol (MCP) Server acts as a unified compute and context engine.
What it does:
Unifies signals from NDR and EDR into one structured, in-memory context layer
Eliminates cross-system round-trips
Reduces lookup latency
Enables natural language queries across security platforms
Synthesizes complex attack timelines automatically
Benefits:
Analysts get complete context in one place
Automated agents can query unified data
Lower MTTR through faster investigation performance
Consistent context across all interactions
Use case example: "Show me all the detections for this host and correlate them with the CrowdStrike process timeline"
MCP retrieves both NDR and EDR context
Synthesizes timeline automatically
No manual pivoting or correlation required
Troubleshooting
No Process Context Appearing
Symptoms: Vectra detections don't show CrowdStrike process context
Checks:
Verify CrowdStrike integration is enabled (Settings > EDR Connections)
Confirm NGSIEM Read/Write permissions are configured in CrowdStrike API client
Check that the affected host is running CrowdStrike Falcon sensor
Verify network connectivity from Vectra Brain to CrowdStrike API endpoint
Review Vectra logs for API query errors
Common causes:
API permissions insufficient (missing NGSIEM scope)
CrowdStrike sensor not installed/reporting on affected host
Network/firewall blocking API communication
Proxy misconfiguration
Host Lockdown Not Working
Symptoms: Cannot lock host from Vectra interface
Checks:
Verify "Host Write" permission is enabled in CrowdStrike API client
Confirm "Host Lockdown Enabled" is checked in Vectra Settings > EDR Connections
Check that CrowdStrike sensor is active and reporting on the host
Verify host status in CrowdStrike (must not already be contained)
Stale or Incorrect Process Context
Symptoms: Process information seems outdated or doesn't match current state
Possible causes:
Sensor reinstall: CrowdStrike Agent ID (AID) changed, causing mapping lag
EDR Process Correlation uses IP-based correlation to mitigate this
Database sync delay: Recent sensor changes not yet reflected
Host IP changed: Network reconfiguration affects correlation
Resolution:
Wait a few minutes for database synchronization
Verify current host IP matches Vectra detection
Check CrowdStrike console for sensor status
Links to CrowdStrike Not Working
Symptoms: Click "Investigate Host in CrowdStrike" doesn't open console
Checks:
Verify you have access to the CrowdStrike console
Confirm correct CrowdStrike URL is configured in Vectra Settings
Check browser popup blockers
Test direct access to CrowdStrike console
API Rate Limiting
Symptoms: Process correlation intermittently unavailable
Resolution:
CrowdStrike API has rate limits
Contact CrowdStrike support to review/adjust limits
Consider batching or throttling if querying high volumes
Best Practices
Investigation Workflow
Start with process context - Review the probable process and command line inline
Assess threat level - Use command line details to determine true intent
Check attack progression - Click "Show More Processes" to see full attack chain
Pivot when needed - Use "Investigate Host in CrowdStrike" for deep forensics
Hunt enterprise-wide - Use "Run Query in CrowdStrike" to find related activity
Respond decisively - Use Host Lockdown when threat is confirmed
Maximizing Value
Train analysts on interpreting command line context - this is often the most revealing indicator
Build response playbooks around automatic process correlation data
Integrate with SOAR - Use enriched process context in automated workflows
Regular API client review - Ensure permissions remain current as CrowdStrike evolves
Monitor query performance - Track API response times and adjust if needed
Security Considerations
Protect API credentials - Store Client ID and Secret securely
Audit API client usage - Review CrowdStrike API logs periodically
Least privilege - Only grant required permissions
Rotate credentials - Periodically regenerate API client credentials
Monitor integration health - Alert on integration failures or degraded performance
Additional Resources
Related Documentation
Understanding Vectra Detect Host Naming - How Vectra identifies and tracks hosts
EDR Host Lockdown Information - Detailed guide on automated response capabilities
Optimizing Vectra for use with VPN clients - Network considerations
CrowdStrike Documentation
CrowdStrike OAuth2-Based APIs: https://falcon.crowdstrike.com/documentation/page/a2a7fc0e/crowdstrike-oauth2-based-apis
Vectra Resources
Vectra + CrowdStrike Partnership: https://www.vectra.ai/partners/crowdstrike
Summary
EDR Process Correlation transforms network detections from "something suspicious happened" into "here's exactly what caused it, why it's malicious, and how to stop it."
Key takeaways:
95% time savings - from 15-30 minutes to 30-60 seconds per detection
Automatic correlation - no manual tool switching or SIEM logic required
Complete context - process, command line, hash, parent, privilege level
Instant threat validation - command line reveals true intent
Enterprise hunting - pre-built queries for finding related activity
Integrated response - one-click containment without leaving Vectra
By bridging the gap between network visibility and endpoint telemetry, EDR Process Correlation gives security teams the speed and context they need to stop attacks before they cause damage.