EDR setup: CrowdStrike

Once EDR is set up on a workstation and/or server, monitoring starts automatically and the level of protection is raised gradually. Here is what you need to know.

1. EDR deployment phases

The EDR ramps up in three successive phases over approximately one month, under the supervision of our cybersecurity engineers.

✅ No action is required on your part, unless otherwise requested.

🛠️ Phase 1 – Detection (observation mode)

  • The EDR works like an intelligent antivirus, without disrupting activity.

  • EDR monitors system activity (files, processes, connections, etc.), so it already collects all the desired logs.

  • However, it only blocks critical threats (ransomware, major malware).

🛡️ Phase 2 – Enhanced prevention

  • The first preventive actions are put in place, and certain suspicious activities begin to be blocked automatically.

    • If necessary, exclusion rules are added to ensure compatibility with your business software.

  • The quarantine engine is activated, which may cause conflicts with the existing antivirus software.

    • 💡 This is why CrowdStrike's Falcon Sensor may not appear in some fleet management tools, such as Windows Security, until this phase is activated.

    • For customers with Windows Defender, this module is automatically disabled.
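As an added example (not Stoïk's or CrowdStrike's own code), the following PowerShell check confirms that the Falcon sensor is running on a Windows workstation even while it is not yet listed in Windows Security. It assumes the sensor's Windows service is named CSFalconService, that its Security Center entry contains "CrowdStrike", and a client edition of Windows (the SecurityCenter2 WMI namespace is absent on Windows Server, which is reported as "not available" rather than treated as an error).

```powershell
# Added example: verify the Falcon sensor is installed and running, and report
# whether Windows Security Center lists it yet. Service name and display-name
# match below are assumptions, not values taken from the Stoïk article.
function Get-FalconSensorStatus {
    [CmdletBinding()]
    param([string]$ServiceName = 'CSFalconService')   # assumed service name

    # 1. Is the sensor service installed and running?
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # 2. Which antivirus products are registered with Windows Security Center?
    #    Before the quarantine engine is activated (phase 2), the sensor is not
    #    expected to appear here, so an empty result is not by itself a problem.
    $registered = $null   # $null means the namespace is not available (e.g. Server)
    try {
        $registered = @(Get-CimInstance -Namespace 'root\SecurityCenter2' `
                          -ClassName AntiVirusProduct -ErrorAction Stop |
                        Select-Object -ExpandProperty displayName)
    } catch {
        $registered = $null
    }

    $listed = ($null -ne $registered) -and
              (@($registered | Where-Object { $_ -like '*CrowdStrike*' }).Count -gt 0)

    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        SensorServiceFound  = ($null -ne $svc)
        SensorRunning       = $running
        RegisteredAntivirus = $registered
        ListedInWinSecurity = $listed
    }
}

$status = Get-FalconSensorStatus
$status | Format-List

if (-not $status.SensorRunning) {
    Write-Warning "Falcon sensor service missing or stopped: check the installation."
} elseif (-not $status.ListedInWinSecurity) {
    Write-Host "Sensor running; not yet listed in Windows Security (expected before phase 2)."
}
```

Run it in an elevated PowerShell session on the workstation; a running service with no Security Center entry is the normal state during phase 1.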

🔒 Phase 3 – Optimal protection

  • EDR blocks all activities deemed malicious in real time. The security level is now at its maximum, and the IT system is proactively protected.

  • 💡 The gradual ramp-up phases only apply to the EDR module and not to the other modules, which are automatically at maximum detection capacity.

Need to speed up (or slow down) the ramp-up? Contact us at [email protected] and we can adapt the pace to suit your requirements.

For example: Stoïk can activate the quarantine engine as early as phase 1, at the customer's express request.

2. Monitored assets are automatically reported in the Stoïk Protect console

🖥️ Average time: 5 to 10 minutes after installation

All protected terminals, known as monitored assets or hosts, automatically appear in the "End-Point" > "Monitored Assets" tab of the Stoïk Protect console.

💡 If the workstation is renamed, its name will be automatically updated in the list of assets reported to Stoïk Protect.

❌ It is therefore not possible to rename a workstation directly in the list of monitored assets.
