CrowdStrike
Productionize a full Falcon Enterprise tenant—deploying sensors, configuring host policies, and managing response end-to-end.
Domains
Security Architecture and Engineering
Security Operations
Asset Security
Tooling
CrowdStrike
Year
2025
Purpose and Scope
This project stands up—and still runs—a live Falcon tenant with functional integrations and agents deployed across my personal Windows and macOS devices. I built it to pressure-test Falcon in a mixed-OS environment and familiarize myself with the full endpoint security lifecycle: sensor provisioning, policy configuration, and threat monitoring & response. Because the tenant remains in daily use, every control is battle-tested and continuously refined, serving as an always-on sandbox that mirrors an enterprise XDR stack from first boot to closed incident.
Approach and Build
I built out the environment in four sprints that mirror a real-world rollout. First, I stood up a clean tenant, generated install tokens, and scripted sensor provisioning across Windows and macOS hosts. Next, I layered policy configuration—baselines for all devices, stricter profiles for high-value boxes—covering detection, prevention, firewall, and peripheral control. With visibility and guardrails in place, I shifted to threat monitoring and hunting, streaming logs into Next-Gen SIEM and pivoting with FQL to validate detections. Finally, I built incident-response and refinement loops: playbooks auto-open tickets, push Slack alerts, and feed lessons back into custom IOAs and policy tweaks.
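The first sprint above (install tokens plus scripted sensor provisioning) is the step a practitioner most wants to see concretely, so here is an added example of the Windows side of it. It is not the author's provisioning script and not CrowdStrike code: it wraps the documented WindowsSensor.exe switches (/install /quiet /norestart, CID=, ProvToken=, GROUPING_TAGS=) in a function that refuses an unsigned installer, never persists the token, and then confirms that the CSFalconService service and the csagent driver are actually running. The installer path, the FALCON_CID and FALCON_PROV_TOKEN environment variables, the tag names, and the timeout are assumptions chosen for the example.

```powershell
#Requires -RunAsAdministrator
# Added example, not the portfolio author's script and not CrowdStrike's own tooling.
# Silent Windows sensor install with an install token, followed by a health check.
# Installer path, CID, token, tags and timeout are placeholders supplied by the operator.

function Install-FalconSensor {
    param(
        [Parameter(Mandatory)] [string]   $InstallerPath,  # e.g. C:\Temp\WindowsSensor.exe (assumed staging location)
        [Parameter(Mandatory)] [string]   $Cid,            # customer ID with checksum, copied from the Falcon console
        [Parameter(Mandatory)] [string]   $ProvToken,      # install token; an invalid or revoked token makes the install fail
        [string[]] $Tags = @()                             # optional sensor grouping tags shown in the console
    )
    if (-not (Test-Path -LiteralPath $InstallerPath)) {
        throw "Installer not found: $InstallerPath"
    }

    # Verify the Authenticode signature before executing: a swapped binary on a staging
    # share would otherwise run as SYSTEM on every host this script touches.
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'CrowdStrike') {
        throw "Refusing to run $InstallerPath (signature: $($sig.Status), signer: $($sig.SignerCertificate.Subject))"
    }

    # Documented WindowsSensor.exe switches. The token is passed only as a process
    # argument; it is never written to disk or to a log by this script.
    $argList = @('/install', '/quiet', '/norestart', "CID=$Cid", "ProvToken=$ProvToken")
    if ($Tags.Count -gt 0) { $argList += "GROUPING_TAGS=$($Tags -join ',')" }

    $proc = Start-Process -FilePath $InstallerPath -ArgumentList $argList -Wait -PassThru -NoNewWindow
    switch ($proc.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'InstalledRebootRequired' }   # standard Windows ERROR_SUCCESS_REBOOT_REQUIRED
        default { throw "Sensor install failed with exit code $($proc.ExitCode)" }
    }
}

function Test-FalconSensor {
    # Polls until both the user-mode service and the kernel driver report running,
    # or the timeout (assumed 120 s) expires. Returns an object suitable for an inventory log.
    param([int] $TimeoutSeconds = 120)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $svc    = Get-Service -Name 'CSFalconService' -ErrorAction SilentlyContinue
        $driver = (& sc.exe query csagent) -join "`n"   # csagent is the sensor's kernel-mode driver
        $ok     = ($null -ne $svc) -and ($svc.Status -eq 'Running') -and ($driver -match 'RUNNING')
        if (-not $ok) { Start-Sleep -Seconds 5 }
    } until ($ok -or ((Get-Date) -gt $deadline))

    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'Missing' }
        DriverRunning = [bool]($driver -match 'RUNNING')
        Healthy       = $ok
        CheckedAt     = (Get-Date).ToString('o')
    }
}

# Usage. CID and token come from the environment (or a vault), never from the script body,
# so the file can live in a repo without leaking credentials. Values are placeholders.
$installState = Install-FalconSensor -InstallerPath 'C:\Temp\WindowsSensor.exe' `
                                     -Cid $env:FALCON_CID `
                                     -ProvToken $env:FALCON_PROV_TOKEN `
                                     -Tags 'lab', 'windows'
Write-Host "Install result: $installState"
Test-FalconSensor | Format-List
```

Two points worth keeping in mind when adapting this. First, once installation tokens are required in the tenant, a leaked CID alone is no longer enough for an unknown machine to register against your tenant, which is the reason to generate a token per rollout and revoke it afterwards. Second, the health check deliberately looks at both CSFalconService and the csagent driver: a service that is running while the driver is not means the sensor is not actually seeing the host, and that is the case a console-only check will miss until the host shows up as offline.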
Lessons Learned
Running Falcon on my own laptops and desktops—no enterprise budget, just curiosity—taught me what sticks in real life. Start with clear visibility targets; know exactly which data you need before tuning anything. Dial policies up one notch at a time so you fix gaps without locking yourself out. Keep FQL queries tight and purposeful; clarity beats cleverness when you’re the only analyst on call. Craft a few custom IOAs—they catch the home-grown oddities canned feeds miss. And always loop findings back into policy, even in a hobby lab; that habit scales anywhere.