Falcon Console Guest
User MGN:
- View Documentation and your own user profile.
- View Support Portal
User MGN: Falcon Administrator
User MGN:
- Access all functionality in the console with the exception of some RTR functionality.
Workflow Author
User MGN:
- Create and edit workflows.
- Re-execute failed workflows.
- This role requires at least one other role to be able to access the Falcon console.
- Cannot include RTR actions unless also assigned the RTR Administrator Role.
Dashboard Admin
User MGN:
- Create, edit, manage and delete dashboards.
- This role requires at least one other role to be able to access the Falcon console.
Prevention Policy Manager
User MGN:
- Create, edit and delete prevention policies.
- This role can also view dashboards, host management, detections, file exclusions & sensor update policy.
Desktop Support Analyst
User MGN:
- Install sensor, troubleshoot, view manuals.
- Access docs about product functions and restrictions.
Help Desk Analyst
User MGN:
- View Detections, host management, installation tokens, prevention policies, file exclusions, sensor update policies & dashboards.
PREVENT ROLES: Falcon Administrator
PREVENT ROLES:
- Access all functionality in the console with the exception of some RTR functionality and custom IOAs.
PREVENT ROLES: Falcon Security Lead
PREVENT ROLES:
- Manage detections, manage quarantined files, contain hosts, view exclusions.
- Search for events, reset user credentials & 2FA.
- View data about assets, accounts and applications in Discover.
PREVENT ROLES: Falcon Analyst
PREVENT ROLES:
- Manage detections and quarantined files.
- View Exclusions and Host Management.
- View Firewall Rules, rule groups, policies and audit logs.
PREVENT ROLES: Falcon Analyst - Read Only
PREVENT ROLES:
- View detections and exclusions and search events.
- View all Identity Protection info.
- View firewall rules, rule groups, policies and audit logs.
PREVENT ROLES: Quarantine Manager
PREVENT ROLES:
- View, release and manage quarantined files.
PREVENT ROLES: Endpoint Manager
PREVENT ROLES:
- Manage sensor deployment and maintain sensor configuration and update policies.
- Create, edit and delete host groups and firewall rules.
PREVENT ROLES: Detections Exceptions Manager
PREVENT ROLES:
- Add, edit and manage custom IOCs, ML Exclusions, IOA Exclusions and Sensor Visibility Exclusions.
PREVENT ROLES: Remediation Manager
PREVENT ROLES:
- View and manage remediation actions taken by the Falcon console.
Capabilities and Limitations: RTR READ ONLY ANALYST
Capabilities and Limitations:
+ Can run a core set of read-only response commands to perform reconnaissance.
- Cannot extract files, modify the device, or run certain scripts.
- No access to "Edit and RunScript" tab.
Capabilities and Limitations: RTR ACTIVE RESPONDER
Capabilities and Limitations:
+ More access than RTR Read Only Analyst.
+ Can extract files using get command, can run commands that modify the device and run certain custom scripts.
- Cannot create custom scripts, cannot upload files to hosts using put command and cannot directly run executables using the run command.
- No access to "Edit and RunScript" tab.
Capabilities and Limitations: RTR ADMINISTRATOR
Capabilities and Limitations:
+ Can do everything the RESPONDER can do.
+ Plus create custom scripts, upload files to hosts using put, and directly run executables using run.
+ There are no limitations to this role.
Create, edit, delete a new user:
How do you Add a user? (How do you traverse through the UI to add a user)
ADMINISTRATIVE role for your Falcon subscription, such as FALCON ADMINISTRATOR is required
- Host setup and management > Falcon users > User management.
- Click Add User in the upper right of the window.
- Enter the user's email address, first name and last name.
- Select one or more roles.
- Click Add User
Create, edit, delete a new user:
How do you Delete a user? (How do you traverse through the UI to Delete a user)
ADMINISTRATIVE role for your Falcon subscription, such as FALCON ADMINISTRATOR is required
- Host setup and management > Falcon users > User management.
- Find the desired user.
- Click three-dot menu.
- Select Delete User.
- At confirmation, select Delete.
You can also delete a user from the three-dot menu inside the User details.
Create, edit, delete a new user:
How do you Edit a user? (How do you traverse through the UI to Edit a user)
- Edit username
- Edit Roles
- Reset 2FA
- Reset Password
A Falcon Administrator can make all changes to a user.
A Falcon Security Lead can reset 2FA and password but cannot change the user or assign roles.
Single Sign On
If SSO isn't enabled in your environment, CrowdStrike sends an automated email to the user, prompting them to create a Falcon password and configure 2FA. If SSO is enabled, CrowdStrike doesn't send an automated email to the user.
If you're planning to enable single sign-on (SSO), the email address must match the information in your Identity Provider.
SENSOR DEPLOYMENT (Windows OS)
Required Services installed and running
Sensor Deployment:
- LM Hosts
- Network Store Interface (NSI)
- Windows Base Filtering Engine (BFE)
- Windows Power Services (Power)
LMHosts may be disabled if TCP/IP NetBIOS Helper is disabled.
SENSOR DEPLOYMENT (Windows OS):
Using a proxy - Requirements
Using Web Proxy Automatic Discovery (WPAD) - Requirements
SENSOR DEPLOYMENT:
- WinHTTP AutoProxy must be running.
- DHCP Client must be running.
SENSOR DEPLOYMENT (Windows OS):
Registry Key Configuration
SENSOR DEPLOYMENT:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\type
- Value must be '0x00000020'
*This is the default Microsoft setting for this key.
SENSOR DEPLOYMENT (Windows OS):
Log File Location
SENSOR DEPLOYMENT:
%LOCALAPPDATA%\temp\
SENSOR DEPLOYMENT (Windows OS):
Networking Protocols
SENSOR DEPLOYMENT:
Falcon on commercial cloud:
- TLS 1.0 or later
Falcon on GovCloud:
- TLS 1.1 or later
*CrowdStrike cloud DOES NOT support connecting via SSL.
Falcon uses TLS 1.2 on Win7 and WinServer 2008 R2 to communicate with the CrowdStrike cloud.
If TLS 1.2 has been disabled, Falcon will negotiate TLS 1.1 or TLS 1.0
Falcon Commercial customers in US-1, US-2, EU-1 must have TLS 1.2 support enabled in Operating Systems, Web Browsers and HTTP Clients to prevent interruption of service and protection.
SENSOR DEPLOYMENT (MAC OS):
Requirements
SENSOR DEPLOYMENT:
Must have elevated privileges to install the sensor.
No other services required.
SENSOR DEPLOYMENT (Linux OS):
Requirements
SENSOR DEPLOYMENT:
To determine Linux Kernel Information:
uname -r
Use the relevant support documentation for the kernel version installed.
If installed on a kernel version not shown in the documentation, it WILL install, but will run in a REDUCED FUNCTIONALITY MODE (RFM).
Sensor will continue to run in this mode until the sensor is updated to support the kernel version.
Linux RFM only sends heartbeats. Nothing else.
SENSOR DEPLOYMENT:
NETWORKING REQUIREMENTS ALL OS
'Requires TLS 1.2'
Sensor needs to be able to connect to the CrowdStrike cloud during install.
If connection cannot be established during install, it will attempt again 'after 10 minutes'.
If it fails again, the sensor will 'uninstall from the system'.
May need to allowlist TLS traffic to the following hosts:
US-1: ts01-b.cloudsink.net
lfodown01-b.cloudsink.net
US-2: ts01-gyr-maverick.cloudsink.net
lfodown01-gyr-maverick.cloudsink.net
Falcon for GovCloud: ts01-laggar-gcw.cloudsink.net
lfodown01-laggar-gcw.cloudsink.net
EU Cloud: ts01-lanner-lion.cloudsink.net
lfodown01-lanner-lion.cloudsink.net
If the network requires allowlisting by IP address rather than Fully Qualified Domain Name (FQDN):
https://falcon.crowdstrike.com/documentation/65/cloud-ip-addresses
Some network configurations that use Deep Packet Inspection can interfere with certificate validation.
- Disable Deep Packet Inspection
- Sometimes known as HTTPS Interception / TLS Interception / SSL Inspection
- Common sources of this issue are anti-virus, firewalls and proxies.
For Hosts using Proxies:
- WinHTTP AutoProxy
- DHCP Client (if using Web Proxy Automatic Discovery WPAD through DHCP)
SENSOR DEPLOYMENT: (MOBILE)
Requirements
SENSOR DEPLOYMENT:
Android 9+
iOS 13+
(Latest version)
PREVENTION POLICIES:
Location in UI (How to traverse to location)
Endpoint Security > Configuration > Prevention Policies
Hosts will always inherit the default Prevention policy unless they have been assigned another policy.
PREVENTION POLICIES:
New Customers - Phase
PREVENTION POLICIES:
- A phased approach to Prevention policy implementation is recommended.
- Windows & Mac (3 phases) / Linux (2 phases)
- All systems are different however and this is not set in stone.
PREVENTION POLICIES:
PHASE 1
PREVENTION POLICIES:
- An initial policy suitable for a rapid-deployment scenario alongside a pre-existing anti-virus and/or HIPS suite.
- Run for the absolute minimum time.
- Identify false positives and perform allowlisting.
- A detection-only policy is typical.
PREVENTION POLICIES:
PHASE 2
PREVENTION POLICIES:
- An interim policy offering solid protection.
- Increase the ML detections and preventions.
- Identify further false positives and perform allowlisting.
PREVENTION POLICIES:
PHASE 3
PREVENTION POLICIES:
- Where you need to end up.
- Recommended for all OS: 'Detections = Aggressive. Preventions = Moderate+'
SENSOR UPDATE POLICIES
Host setup and Management > Deploy > Sensor Update Policies
Hosts will inherit the default Sensor Update Policy unless they've been assigned to a different Update Policy.
Sensor update policy can control updates for hosts.
Hosts can either update to the latest versions, be assigned a specific version or have updates disabled.
*You can revert a sensor to a previous version but only a version released in the last '180 days'.
Because of the 180-day support window, it is strongly recommended to test and update to the latest sensor version ASAP.
Install Falcon on Windows:
Install Requirements
Install Falcon on *
Host Setup and Management > Sensor Downloads
- Download Sensor install file
- Customer ID Checksum
Install Falcon on Windows:
USING THE GUI
Install Falcon on *
Launch the sensor installer > Enter CID > Accept EULA
Follow Instructions
Install Falcon on Windows:
USING COMMAND LINE
Install Falcon on*
WindowsSensor.exe /install /quiet /norestart CID=
/quiet = no prompts or UI elements shown during install
/norestart = makes sure host does not reboot during install
Install Falcon on Windows:
SENSOR TAGS
Install Falcon on *
WindowsSensor.exe /install /quiet /norestart CID=
Tags separated by commas.
Tags can be edited via the registry.
Check the tags in Host Setup and Management > Host Management > Filter = "Grouping Tags"
Install Falcon on Windows:
PROXY CONFIGURATION
Install Falcon on *
WindowsSensor.exe /install /quiet /norestart CID=
or define a PAC file and use:
WindowsSensor.exe /install /quiet /norestart CID=
Prevent the sensor from making any proxy connection attempts:
'PROXYDISABLE=1' - added to commands
Install Falcon on Windows:
PREPARING VM or MASTER TEMPLATE FOR CLONING
Install Falcon on *
- Prepare VM image
- Install the sensor using the "WindowsSensor.exe /install /quiet /norestart CID=
- Wait a few minutes after installation
- Shut down VM
- Use virtualization platform to create template
When preparing a VM or master template for cloning you MUST wait several minutes after install before saving the VM / Cloning the image.
The sensor is base installed and further features are downloaded and installed afterwards.
'Do not install a normal install onto a template - It will create a shared AID, and show all hosts as one host'
Install Falcon on Windows:
VIRTUAL DESKTOP INFRASTRUCTURE
Install Falcon on *
Include the 'VDI=1' command argument.
Sensors will run from a shared, read-only OS image.
The AID will be assigned based on the host's FQDN.
Regularly update your VDI Master Image to use latest sensor
Install Falcon on Windows:
VERIFY INSTALL
Install Falcon on *
sc query csagent
It should show:
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING
Host setup and Management > Host Management - Should show a new host is installed / online
Install Falcon on MAC:
PREREQUISITES
Install Falcon on *
- Authorization for the Falcon system extension
- Configuration for the Falcon network filter extension
- Full Disk Access (FDA) to Falcon
- Authorization for the CrowdStrike kernel extension
Install Falcon on MAC:
INSTALL REQUIREMENTS
Install Falcon on *
Host Setup and Management > Sensor Downloads
- Sensor install file
- Customer ID Checksum
Recommended installation method: Using an MDM to sync profiles
Install Falcon on MAC:
INSTALL
Install Falcon on *
- Double click the .pkg file
or
- sudo installer -verboseR -package
- Enter administrator credentials
- Run falconctl command
- sudo /Applications/Falcon.app/Contents/Resources/falconctl license
Install Falcon on MAC:
SENSOR GROUPING TAGS
Install Falcon on *
View the current tags:
sudo /Applications/Falcon.app/Contents/Resources/falconctl grouping-tags get
Set new tags:
sudo /Applications/Falcon.app/Contents/Resources/falconctl grouping-tags set "Washington/DC_USA,Production"
sudo /Applications/Falcon.app/Contents/Resources/falconctl unload
sudo /Applications/Falcon.app/Contents/Resources/falconctl load
Install Falcon on MAC:
INSTALL THAT REQUIRES INSTALLATION TOKEN
Install Falcon on *
sudo /Applications/Falcon.app/Contents/Resources/falconctl license
Install Falcon on MAC:
INSTALL ON VIRTUAL MACHINE TEMPLATE
Install Falcon on *
- Install normally
- Stop the sensor
sudo /Applications/Falcon.app/Contents/Resources/falconctl unload --maintenance-token
Enter token
or
sudo /Applications/Falcon.app/Contents/Resources/falconctl unload
- Remove files associated with the AID (the path contains a space, so quote it)
sudo rm "/Library/Application Support/CrowdStrike/Falcon/registry.base"
sudo rm "/Library/Application Support/CrowdStrike/Falcon/registry.tdb"
- Shut down VM
- Use Virtualization software to convert to template
Install Falcon on MAC:
VERIFY INSTALL
Install Falcon on *
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats
Install Falcon on Linux:
PREREQUISITES
Install Falcon on *
falcon-kernel-check
Ensures the Falcon sensor will be fully operational on a host by verifying that the host kernel is compatible.
Intended to be run before the sensor is installed.
If incompatible, the sensor MAY still install on a host but will be in Reduced Functionality Mode (RFM).
Install Falcon on Linux:
INSTALL
Install Falcon on *
Host setup and Management > Sensor Downloads > Linux Download
For Ubuntu:
sudo dpkg -i
For RedHat, CentOS, Amazon Linux:
sudo yum install
For SLES:
sudo zypper install
Install Falcon on Linux:
SET UP A CID
Install Falcon on *
sudo /opt/CrowdStrike/falconctl -s --cid=
Start sensor:
[SysVinit] sudo service falcon-sensor start
[Systemd] sudo systemctl start falcon-sensor
Confirm:
ps -e | grep falcon-sensor
Install Falcon on Linux:
SENSOR GROUPING TAGS
Install Falcon on *
Add tags:
sudo /opt/CrowdStrike/falconctl -s --tags="Washington/DC_USA,Production"
Remove tags:
sudo /opt/CrowdStrike/falconctl -d -f --tags
Restart Sensor:
systemctl restart falcon-sensor
or
service falcon-sensor restart
Install Falcon on Linux:
PROXY CONFIGURATION
Install Falcon on *
Configure proxy:
sudo /opt/CrowdStrike/falconctl -s --aph=
Confirm config:
sudo /opt/CrowdStrike/falconctl -g --aph --app
Enable proxy:
sudo /opt/CrowdStrike/falconctl -s --apd=FALSE
Disable proxy:
sudo /opt/CrowdStrike/falconctl -s --apd=TRUE
Install Falcon on Linux:
PREPARING LINUX FOR CLONING
Install Falcon on *
- Remove the "master" host's Agent ID (AID):
sudo /opt/CrowdStrike/falconctl -d -f --aid
- Create clones or VMs based on this image.
Install Falcon on Linux:
VERIFY INSTALL
Install Falcon on *
ps -e | grep falcon-sensor
Uninstall a sensor on Windows:
ONLINE HOST
Uninstall a sensor on *
Control panel > Uninstall a program > Typical Uninstall
or
- Download CsUninstallTool from Host setup and Management > Sensor Downloads > Tool Downloads
- Enter uninstall token from Host setup and Management > Host Management > Select Host > Reveal Maintenance Token
- Run CsUninstallTool via the GUI and follow the instructions, or use the following command:
'CsUninstallTool.exe /quiet'
After successful uninstall the following should be gone:
- C:\windows\system32\drivers\crowdstrike
- REG KEY: HKLM\System\CrowdStrike
Uninstall a sensor on Windows:
OFFLINE HOST
Uninstall a sensor on *
Get maintenance token from Host Management > Reveal Maintenance Token
or
Get bulk maintenance token from Sensor Update Policy
- Download the CsUninstallTool
- 'CsUninstallTool.exe MAINTENANCE_TOKEN=
Uninstall a sensor on MAC:
Requirements/Steps
Uninstall a sensor on *
Move the host to a sensor update policy with Uninstall and maintenance protection turned off:
sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall
or
Get Maintenance Token from Host Management Page OR Sensor Update Policy Page:
sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --maintenance-token
Enter token when prompted.
Uninstall a sensor on Linux:
Uninstall a sensor on *
Ubuntu:
sudo apt-get purge falcon-sensor
RedHat, CentOS, Amazon Linux:
sudo yum remove falcon-sensor
SLES:
sudo zypper remove falcon-sensor
Troubleshooting - Windows:
CONNECTIVITY
Troubleshooting on * OS:
Confirm connectivity with the Falcon cloud:
netstat -f
Look for: TCP xxx.xxx.xxx.xxx:xxx ec2-54-67-96-255.us-west-1.compute.amazonaws.com:https ESTABLISHED
Examine the IP address of the FQDN and cross-reference it with the IP addresses in the Falcon Host Sensor Deployment guide.
telnet ts01-b.cloudsink.net 443
Troubleshooting - Windows:
RESOLVING COMMUNICATION ISSUES
Troubleshooting on * OS:
- Allowlist crowdstrike endpoints
- Ensure Port 443 is open for CS endpoints
- US-1 (Most Customers): 'ts01-b.cloudsink.net, lfodown01-b.cloudsink.net'
- US-2: 'ts01-gyr-maverick.cloudsink.net, lfodown01-gyr-maverick.cloudsink.net'
- GOV: 'ts01-laggar-gcw.cloudsink.net, lfodown01-laggar-gcw.cloudsink.net'
- EU Cloud: 'ts01-lanner-lion.cloudsink.net, lfodown01-lanner-lion.cloudsink.net'
- If Cloud IP addresses are needed, refer to the sensor deployment guide.
- Certificate pinning or SSL inspection 'must be disabled'
- If it cannot be disabled, 'falcon traffic must be whitelisted from SSL inspection'
To verify SSL is not blocking traffic:
openssl s_client -connect ts01-b.cloudsink.net:443
Troubleshooting - Windows:
PROXY
Troubleshooting on * OS:
If using a proxy, confirm proxy settings in log files
'%LOCALAPPDATA%\temp\'
Troubleshooting - Windows:
INSTALLATION LOGS
Troubleshooting on * OS:
Check installation logs
'%LOCALAPPDATA%\temp\'
Look for logs starting with crowdstrike
Check for timings near installation time
Review
Look for:
- Signs the installer was not run as admin
- Check the CID is accurate
- Check for Windows BFE not present, not running or damaged
- GUID of a previous install can't be removed
Look for error codes:
0x80004004 - Comms problem between CS Cloud and Host.
Troubleshooting - Windows:
OS ISSUES
Troubleshooting on * OS:
- Verify OS is supported
Falcon not supported on server 2008.
Falcon IS supported on server 2008 R2 with service pack 1. 64bit only.
- Check Services
WinHTTP AutoProxy: needed if sensor is going through proxy
Windows Power Service (Power)
Windows Base Filtering Engine (BFE)
Network Store Interface (NSI)
DHCP Client - and if using Web Proxy Automatic Discovery, WPAD via DHCP
LMHosts (check for TCP/IP NetBIOS Helper)
- Check following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\
Type must be: '0x00000020'
Troubleshooting - Windows:
SSL / TLS
Troubleshooting on * OS:
- Check SSL and TLS settings
TLS v 1.2 / SSL v3
- Look for reg changes at:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Option 1: Export registry branch in .txt format and contact CrowdStrike
Option 2: Edit your settings
HOST MANAGEMENT:
Primary On-Screen Filters
HOST MANAGEMENT:
Filters can be selected by simply clicking on the available on-screen filter options.
On Screen filters can be changed using the "= tick cross" filter menu button on the toolbar.
- Platform
- OS Version
- OU
- Site
- Type
- Containment Status
- Grouping Tags
Apply Filters using the filter bar.
Auto-Complete is available.
All available filters are shown when filter bar is selected.
These filters are case sensitive:
- Architecture
- CPUID
- Cloud Service Provider
- Cloud service zone/group
- Domain
- Grouping tags
- Manufacturer
- Model
- RFM
- Serial Number
HOST MANAGEMENT:
Disable Detections for a Host
HOST MANAGEMENT:
- Select a host in Host Management
- Open side panel
- Select Disable Detections button
- Read the warning and confirm the decision.
HOST MANAGEMENT:
Effects of disabling detections for a host
HOST MANAGEMENT:
- Stops detections from being generated
- Removes all existing detections from the Falcon UI
- Prevents this data from being restored at a later date.
- Once it's removed, it's gone.
Does NOT stop the sensor from protecting the host, applying policies etc.
It simply does not show detection info in the UI.
HOST MANAGEMENT:
WINDOWS - Explain the impact of reduced functionality mode (RFM) and why it might be caused
# RFM:
RFM is the SAFE MODE that "prevents compatibility issues if the kernel is uncertified".
RFM is "MOST COMMON during Windows Updates".
# RFM FUNCTIONALITY
The sensor still "monitors the system, reports events & triggers detections" but at a reduced capacity.
Sensors in RFM temporarily unhook from some kernel elements.
Some detection patterns and a small number of preventions will not be triggered.
# CAUSE
Windows Updates.
They can alter the kernel, causing a brief delay while the new kernel is certified to work with the sensor.
CrowdStrike certifies updates 48 hours after release.
RFM only happens if updates are applied within first 48 hours of release.
HOST MANAGEMENT:
LINUX - Explain the impact of reduced functionality mode (RFM) and why it might be caused
# RFM
Linux sensors in RFM do VERY LITTLE.
They "DO NOT have detections or process execution events".
They continue to send sensor heartbeats to the cloud to indicate the sensor is installed on the host.
# CAUSE
Linux kernel is an unsupported version.
HOST MANAGEMENT:
MAC
This OS does not have RFM
Find Hosts in RFM:
HOST MANAGEMENT PAGE
Find Hosts in RFM: What Location?
Apply a filter to show hosts in RFM.
You can also see RFM status on a specific host's information panel.
If a host is in RFM or its status is unknown, a banner is shown at the top of the info panel.
Find Hosts in RFM:
EXECUTIVE SUMMARY DASHBOARD
Find Hosts in RFM: What Location?
Dashboards and Reports > Dashboards > Legacy Dashboards > Executive Summary
Lists a count of sensors in RFM.
Click the number shown to find out more.
Find Hosts in RFM:
SENSOR HEALTH REPORT
Find Hosts in RFM: What Location?
Host setup and Management > Manage Endpoints > Sensor Health
Only provides an overview of the number of devices in RFM.
Find Hosts in RFM:
FROM INVESTIGATE
Find Hosts in RFM: What Location?
Hosts generate a "SensorHeartbeat" event which contains "SensorStateBitMap_decimal"
If the value is 2 = Sensor in RFM.
If the value is 0 = Sensor is not in RFM.
Find Hosts in RFM:
FROM COMMAND LINE (LINUX)
Find Hosts in RFM:
/opt/CrowdStrike/falconctl -g --rfm-state
Find inactive Sensors
Host setup and Management > Manage Endpoints > Inactive Sensors
Select Company, Time Range
Recall how long inactive sensors are retained to define your data backup plan
Hosts remove themselves from the UI after "45 days" of not checking in to the cloud.
Determine which reports to use when reporting on information relating to a host:
Host Overview
Determine which reports to use when reporting on information relating to a host:
Host setup and Management > Manage Endpoints > Hosts Dashboard
Determine which reports to use when reporting on information relating to a host:
Investigate
Determine which reports to use when reporting on information relating to a host:
Investigate > Search > Hosts
Investigate > Timelines > Hosts
Investigate > Hunt > Various Reports
Determine which reports to use when reporting on information relating to a host:
Prevention Policy Debug Report
Determine which reports to use when reporting on information relating to a host:
Use this report to confirm that prevention policy settings were applied to a host.
Determine which reports to use when reporting on information relating to a host:
Linux Sensors Report
Determine which reports to use when reporting on information relating to a host:
Provides a list of Firewall Commands issued from the command line, Hosts by Kernel Version, Shells spawned by Root, and Wget/Curl usage.
Determine which reports to use when reporting on information relating to a host:
Mac Sensors Report
Determine which reports to use when reporting on information relating to a host:
Provides a chart of the Mac OS versions as well as a variety of queries related to potential suspicious activity on Macs.
Determine which reports to use when reporting on information relating to a host:
Hunting Reports
Determine which reports to use when reporting on information relating to a host:
Investigate > Hunt
Provides various built-in reports and queries of potentially suspicious activity on hosts such as executables running from the recycle bin or temporary directories.
Explain the importance of understanding your company's Falcon insight data retention timeframe
- Default "EAM retention is 7 days".
- Detections are removed after "90 days".
- Quarantined files are deleted from the host after "30 days"
- Quarantined files are deleted from the CrowdStrike cloud after "90 days"
If you are looking for information relating to an event outside of these timeframes then you will not get it.
You must be aware of time frames and ensure you are capturing the data before it ages out.
Once aged out, it's gone.
The EAM retention period can be adjusted but is a subscription extra and needs to be discussed with the SA/PM Team.
Deleting a host:
What Happens?
When deleting a host, the sensor IS NOT uninstalled or deactivated.
Hosts are moved to Host setup and Management > Manage Endpoints > Host Management > Trash.
'Hosts in Trash continue to send events and enforce policies'.
Deleting a host:
How to traverse through the UI
Host Management > Select Host > Delete Button > Confirm.
or
Host information panel > Delete button > Confirm.
- All 'existing detections generated before deletion remain visible' in the console.
- 'NEW detections are NOT shown' in Endpoint Security.
- If the host has an active sensor, 'events are still sent to the Cloud and available via EAM / Investigate'.
- 'Prevention Policies continue to work' as configured and receive policy updates.
Restoring A Host
Host Management > Trash icon > Select Host > Restore.
- When restored, 'detection reporting resumes'.
- Detections are only shown from BEFORE deletion and AFTER restore.
GROUP CREATION:
Determine appropriate group assignment for endpoint and understand how this impacts the application of policies
GROUP CREATION:
Hosts are added to Host Groups.
Prevention & Update Policies are applied to Host Groups.
Grouping can be done statically / dynamically.
Grouping hosts by geographic area or office/department is a common approach.
Hosts can be dynamically allocated based on Operating System, OS Build etc.
Workstations and critical servers are typically placed in separate groups with different policies applied.
Describe Policy Types, components, application and workflow:
Prevention Policy
GROUP CREATION:
Used to apply detection and prevention rules to host groups.
Controls how Falcon reacts to events.
Settings can be enabled or disabled based on requirement.
Anti-Malware detections / preventions are applied based on an aggressiveness scale.
Detection scale must be higher or equal to prevention scale. CANNOT BE OTHER WAY AROUND.
Endpoint Security > Configure > Prevention Policies
Create Host Group > Add Hosts > Create Prevention Policy > Add Host Group
Describe Policy Types, components, application and workflow:
Sensor Update Policy
'Auto Latest, Auto N-1, Auto N-2, static versions going back 6 months & Sensor Version Updates OFF'.
Host setup and Management > Deploy > Sensor Update Policies
Create Host Group > Add Hosts > Create Update Policy > Add Host Group
Response Policy
Host setup and Management > Response and Containment > Response Policies
Used to apply settings that dictate what can be performed during RTR sessions.
Includes ability to run custom scripts and the use of "high risk" commands such as get, put and run.
Containment Policy
Host setup and Management > Response and Containment > Containment Policies
Used when a host is network contained.
Includes rules for excluded IP addresses to allow machines to remotely access a contained host.
Define precedence, groups and best practice:
Precedence
Multiple policies can be created with varying settings or configurations.
Precedence determines which policy is applied to a host group.
Policy 1 has higher precedence than Policy 2.
The default policy has the lowest precedence and acts as a safety catch.
Use the Edit Precedence Toggle on the relevant policy pages to adjust precedence.
Define precedence, groups and best practice:
Groups
Groups can be created via Host setup and Management > Manage Endpoints > Host Groups
Add new group > Name > Description > Dynamic / Static assignment > Add group.
'Dynamic':
Hosts are automatically assigned based on a pattern or filter.
Can be as simple as the OS platform.
Can be based on hostname patterns: "DESKTOP*" will add all hosts starting with "DESKTOP".
When hosts no longer match the pattern they are automatically removed.
"DYNAMIC is recommended in most cases".
'Static':
Hosts must be manually added to the group via Host Name or Host ID.
There is a 'limit of adding 1000 hosts' to a static host group at a time.