Want to Become a CrowdStrike Falcon® Pro?
Welcome back to our series, “Behind the Scenes of Immersive One”! The following is a conversation with Ben McCarthy, Lead Cybersecurity Engineer for Immersive One, and Rebecca Schimmoeller, Lead Product Marketing Manager. Today, we’re sharing insight into our new CrowdStrike exercises.

“The worst time to realize you’re shaky with a process tree or a CQL query is when a high-severity alert hits at 2:00 AM, and your manager is breathing down your neck. You don’t want to be fumbling around the interface—you want to be executing. We built these labs so that by the time the real threat shows up, you aren’t even thinking about the tooling, you’re just reacting.”

Rebecca: That’s a heavy start, Ben! Glad I’ve had my coffee. But, you’re right. That kind of anxiety is real for everyone in the SOC. We all know the stats on dwell time, and we all know that the tools—even ones as powerful as CrowdStrike—are only as fast as the person driving them. We’ve just dropped a massive hands-on labs collection for CrowdStrike users. But I want to be clear for the analysts reading this: building this kind of natural instinct is all about gaining a tactical edge. You execute in a crisis, and your name’s on the promotion list.

Ben: Exactly. If you’re an analyst, you don't need another slide deck on what EDR is. You need hands-on-keyboard time. You need to feel the friction of a live environment to become a superhero for your org in the middle of a crisis. We designed this sequence to take you from the basics of host management all the way to hunting a live APT. It’s about building the muscle memory so that your response is instinctive.

Rebecca: Great segue! Let’s get into the "under the hood" stuff because that’s what’s so cool about what you’ve delivered for this live integration with CrowdStrike. What are the high-value workflows analysts will learn to master by doing the exercises?

Ben: We don't gatekeep the good stuff. We start with the foundation—Host Management and Prevention Policies—because if your configuration is weak, your defense is weak. And then we move into the "hunter" phase. This is where you’re triaging real alerts and investigating malicious activity through process trees. You aren't just looking at a static image of a threat; you’re navigating the Falcon console to see how that threat is actually moving.

Rebecca: That’s where the investigation becomes a hunt. I’m particularly interested in the NG-SIEM part of the collection. We know that log telemetry is where the real stories are told, but it can be intimidating if you aren't comfortable with the syntax.

Ben: Absolutely, yeah. We’ve dedicated a whole section to the Next-Gen SIEM and hunting with CQL. If you want to be the person who finds the signal in the noise before anyone else, you have to be fluent in CrowdStrike Query Language. We give you the reps to query logs and hunt for threats so that by the time you hit the final lab—the APT scenario—you’re ready to synthesize everything. You’re using the host management, the policies, the triage, and the SIEM to shut down a simulated sophisticated adversary in real time.

Rebecca: It’s basically a flight simulator for a full-scale intrusion. But I can already hear some Falcon users reading this asking: "Why don't I see this in my dashboard yet?" The answer is, my friends, because this collection isn’t a general release for Immersive—it’s a bit VIP, right, Ben?

Ben: Right. Because of our partnership with CrowdStrike, this collection is only available to existing CrowdStrike customers. So if your org uses Falcon and you don’t see these labs in Immersive One, it’s just a matter of permissions. There’s no extra cost. We just need your Manager to let us know so we can flip the switch.

Rebecca: If that’s you, it’s a great excuse to have a conversation with your team lead, showing them you’re eager to gain proficiency in the stack your org has already invested in. It makes your boss look good too. It won’t hurt when you become a more lethal defender either!

Ben: Honestly, this is why I love building these kits. It’s a win-win. The Manager just needs to reach out to their Customer Success person at Immersive to confirm the CrowdStrike setup. Once that’s done, the exercises are available to the whole team.

Rebecca: I’d love to see comments in the Community about this release once folks get in there and start digging into the CQL queries and the APT workflows.

Ben: Right? I can’t wait for someone to chat me up at our next Community event. It’s always cool to hear how different people approach the same investigation. But right, this is cybersecurity, so there’s a crucial operational reality at stake: proficiency is the only thing that actually reduces dwell time. You don't want to be the person second-guessing your search syntax while the clock is ticking in the background. You want to be the one who already has the query ready to go because you’ve run it a dozen times in the simulation.

Final Thought

Don’t wait for a real breach to find out where your workflow is slow. Get in there now, or get the access from your Immersive Customer Success rep, and be the person who knows exactly what to do the second the screen turns red.

Ready to drop into Falcon? Log in to Immersive One to get started.