
Enhanced Network Visibility: A Dive into the Falcon macOS Sensor's New Capabilities

Blog post from CrowdStrike

Post Details
Company
Date Published
Author
GraphExplorer
Word Count: 3,504
Language: English
Hacker News Points: -
Summary

CrowdStrike has introduced Enhanced Network Visibility for macOS, offering advanced capabilities in sensor version 7.29 and later that are designed to provide deeper insights and improved visibility into network traffic on macOS endpoints. The feature enhances process behavior modeling by integrating network traffic attributes, identifying application protocols, analyzing TLS traffic characteristics, and inspecting HTTP traffic. It uses Apple-native content filter APIs to minimize system impact while maximizing detection capabilities, allowing a targeted, efficient approach to network monitoring. The feature is opt-in. It includes JA4 fingerprinting for distinguishing TLS connections and supports various protocols such as HTTP, TLS, SOCKS, and more, enabling threat hunters to leverage enhanced network capabilities for detecting and responding to threat actor activities.