Triaging CrowdStrike Alerts with Radiant Security

What is CrowdStrike?

CrowdStrike is the maker of an endpoint detection and response (EDR) solution that has skyrocketed in popularity in recent years, becoming a true household name among security professionals. While many EDR solutions rely on on-premises infrastructure or legacy systems, CrowdStrike’s cloud-based platform offers unparalleled flexibility, scalability, and real-time threat visibility.

What is Radiant Security?

Radiant Security is the maker of an AI-powered SOC co-pilot, a virtual assistant for the SOC that enables analysts to leverage the power of AI to streamline and automate analyst workflows like alert triage and incident investigation. This dramatically boosts SOC analyst productivity, detects significantly more real attacks by deeply investigating every incident, and drastically reduces response times.

CrowdStrike + Radiant Security: The “1+1=3” Story

The value of combining CrowdStrike with Radiant Security’s AI-powered SOC Co-pilot is simple: use the industry-leading EDR to detect more attacks, and Radiant’s co-pilot to triage and investigate the alerts at scale. This means every alert generated by CrowdStrike gets the full, white-glove treatment—nothing slips through the cracks. The combination of these two solutions helps supercharge your SOC’s handling of endpoint threats.

Why Triaging CrowdStrike Alerts is Important

Alert triage is the unsung hero of effective security operations—this is especially true when dealing with EDR alerts like those from CrowdStrike, because they focus on one of the most critical attack vectors: endpoint devices. Triage serves as the critical gateway that ensures an organization’s cybersecurity team is not overwhelmed by the deluge of alerts and can focus its efforts where they matter most. Effective triage enables the SOC to swiftly assess the credibility and severity of each alert, distinguishing between false alarms and genuine threats. This prioritization ensures that valuable time and resources are allocated to addressing the most critical security incidents promptly. In essence, triage is the linchpin that transforms a potentially chaotic flood of alerts into a well-organized response, ultimately safeguarding an organization’s digital assets, reputation, and operational continuity in an increasingly hostile cyber landscape.

Figure 1 – CrowdStrike alerts that have been automatically triaged as either benign or malicious.

How Radiant Automates Triage for CrowdStrike Alerts

Radiant uses a proprietary AI engine to automate the manual, time-consuming process of triaging CrowdStrike’s EDR alerts. The engine analyzes each incoming security alert and then dynamically selects and executes dozens to hundreds of tests to determine maliciousness. Unlike security orchestration, automation and response (SOAR) solutions, Radiant does not use static, pre-programmed playbooks. Instead, the engine is designed to replicate the question-and-answer process a human would use to triage an alert: each investigation differs based on what is uncovered, and any new piece of information unearthed may spawn additional tests or lead to an immediate conclusion.

Figure 2 – A CrowdStrike alert that has been triaged and found to be malicious.

The Benefits of Using AI to Triage CrowdStrike Alerts

In most organizations, triaging endpoint alerts represents a significant portion of the work to be done, to the point where it may even require dedicated staff. Using AI to assist in performing this drudgery can pay dividends for SOC productivity and efficacy. Some benefits of using AI to perform alert triage include:

Increased SOC Capacity

Unfortunately, the status quo in SOCs is that many alerts are left untriaged. How is this possible? Most SOCs simply don’t have enough analysts to properly review every alert, so they filter out or deprioritize alerts that they think have the least chance of being real and impactful. This is true even if you outsource L1 triage to an MDR. The side effect of filtering and deprioritization is blind spots where attacks can slip through the cracks. By employing AI to automate alert triage, every single alert can be deeply scrutinized. This shines a spotlight into those blind spots where attacks could have lurked.

Removing Alert Fatigue

When security analysts look at the same alerts over and over—for days, months, or even years on end—they tend to be desensitized to them. This is especially true in the case where a SOC has L1 analysts who are dedicated to only reviewing alerts from a specific vendor. With AI, a machine is reviewing these security alerts and it does not become bored, disinterested, or otherwise fatigued. This means the first alert and the millionth alert will have the same quality of review.

Upleveling Analyst Work

Analysts are just like the rest of us—they want meaning in their day-to-day work. They want to tackle new and interesting problems, learn new skills, and grow in their careers. By performing alert triage with AI, analysts can shift much of their day-to-day activity from tedium to impactful projects that provide an opportunity for self-development. This in turn can work wonders for a SOC’s morale and retention, and even help attract new talent.

Audit Trail

With a machine at the helm, an audit trail can be created for every alert, showing that the alert was reviewed, why it was deemed malicious or benign, what tests were conducted, what the results of those tests were, and more. This track record can be shown to an auditor to demonstrate how alerts are being handled, and it gives security leaders peace of mind that triage is being performed according to security best practices.

Figure 3 – An audit trail of all activity performed by Radiant during triage as well as the results of each inspection.

Integrating CrowdStrike and Radiant

Setting up Radiant Security to triage CrowdStrike alerts is accomplished via API integration and is simple enough that it can be completed in minutes. Customers configure Radiant to use an API to obtain endpoint telemetry and security alerts from CrowdStrike’s Falcon Data Replicator (FDR). The telemetry is used by Radiant for continuous learning (i.e. understanding how the environment normally operates), and the alerts are triaged as they are generated. Radiant also connects directly back to CrowdStrike’s EDR solution over APIs for the purpose of taking corrective actions as part of response workflows.

Figure 4 – A diagram showing an overview of the CrowdStrike and Radiant Security integration.

Conclusion

Harnessing Radiant Security’s AI-powered SOC Co-pilot to triage CrowdStrike security alerts is a game-changer for today’s SOCs. By automating the triage process, it ensures that cybersecurity teams are always one step ahead, responding swiftly and accurately to genuine threats while minimizing the noise of false alarms.

Want to learn more about Radiant Security? Visit our website at https://radiantsecurity.ai

Want to see it in action? Visit our live product tour.