CCFR


51 Terms

1

Which is not a type of detection?

Behavioral

2

Which of the following is an example of a MITRE technique?

- Process injection

3

During your investigation of a detection, you discover that the triggering file was launched from TASKENG.EXE. What does this mean?

The triggering file is part of a scheduled task being executed

4

How does a NetworkConnectIP4 event link to its responsible process?

- Via its ContextProcessId_decimal field

5

What type of events are shown in a Process Timeline?

All cloudable process-related events in a given timeframe

6

What is an "Unmanaged Neighbor" found in a host search?

A local endpoint that does not have a sensor installed

7

What happens when a file is quarantined?

It is compressed, password protected, and moved to the quarantine folder on the endpoint

8

Use MITRE ATT&CK information within Falcon to provide context to a detection

- (CrowdStrike Objectives)
* (MITRE Tactics)
- Gain Access
* Initial Access
* Credential Access
* Privilege Escalation
- Keep Access
* Persistence
* Defense Evasion
- Explore
* Discovery
* Lateral Movement
- Contact Controlled Systems
* Command and Control
- Follow Through
* Collection
* Exfiltration
* Execution
* Impact
- Example: Trying to <Keep Access> by <Defense Evasion> using <Process Injection>.
- https://falcon.crowdstrike.com/documentation/40/mitre-based-falcon-detections-framework

9

Explain what information the MITRE ATT&CK framework provides

- Reflects the phases of an adversary's lifecycle, the platforms they are known to attack and the specific methods they use. Used to understand your security risk against known adversary behavior (helps you plan for security improvement)
- https://falcon.crowdstrike.com/documentation/40/mitre-based-falcon-detections-framework

10

Recommend courses of action based on the analysis of information provided within Falcon

- IOC Management
- Exclusions (Machine Learning Exclusion, IOA Exclusion, or Sensor Visibility Exclusion)
- Remediation
- Containment

11

Explain what general information is on the Detections dashboard

- Falcon Console > Activity App > Dashboard
- Filters that can be applied when creating a detection dashboard
* Current CrowdScore
* New Detections
* SHA-based detections
* Prevented malware by host
* OverWatch detections by day
* Total hunting leads generated
* Total hunting leads investigated
* CrowdScore over time
* Most recent detections
* Detections by Tactic

12

Explain what information is in the Activity > Detections page

- Endpoint Security > Monitor > Endpoint Detections
- Search bar with various filters that can be applied
- Filter (Predefined)
* Severity
* Tactic
* Technique
* Time
* Status
* Triggering File
* Assigned To
- Grouping Detections
* No Grouping (Default)
* Grouped by Host
* Grouped by Grouping Tags
* Grouped by Objective
* Grouped by Tactic
* Grouped by Technique
* Grouped by Technique ID
* Grouped by IOA Name
* Grouped by Severity
* Grouped by Hash
* Grouped by Command Line
* Grouped by Triggering File
- Sorting Options
* Sort by newest detect time
* Sort by oldest detect time
* Sort by last update
- Detection Details
* Severity
* Tactic & Technique
* Detect Time
* Host
* User Name
* Assigned To
* Status

13

Describe the different sources of detections within the Falcon platform

- Cloud-based ML
- Sensor-based ML
- Presence of a bad file: Indicator of Compromise (IOC)
- Collection of suspicious behaviors: Indicator of Attack (IOA)

14

Interpret the data contained in Host Search results

- Default search goes back 2 hours
- Host Info
- Cloud Instance Info (AWS, Azure and GCP metadata)
- BIOS Information
- Detect History (last 7 days)
- Unresolved Detections (last 7 days)
- Local and External IPs (last 7 days)
- Managed Neighbors (Last 24 hrs)
- Unmanaged Neighbors (Last 24 hrs)
- User Logon Activities (last 7 days)
- Unique ASEP Keys Updated, Unique ASEP Values Updated, Unique Executables Written, Unique Injected Threads, Unique DLL Injections, Unique Browser-Injected Threads, Injected Threads From Unsigned Modules, Java Injected Threads
- Processes and Services
* Process Executions
* Running Services (started during selected time range)
- Command Line and Admin Tools
* Command History
* Admin Tools
* Powershell Activities
- Suspicious File Activity
* Rar / Zip File Written
* Scripts Written
* Executable Activities
* Files Written to Removable Media
- Registry, Tasks, and Firewall
* Manual Registry Additions
* Scheduled Tasks Registered
* Firewall Rules Set
- Networking
* Network Connections
* DNS Requests
* Network Listening
* External Network Connections
* Anomalous External Connectivity / DNS Requests from MSTSC Process
* Anomalous Connectivity from Standard Processes

15

Interpret the data contained in Hash Search results

- Identifies any other endpoints where hash has been seen
- Default search goes back 24 hours
- PE (Portable Executable) File Info
- Hash Written History (SHA256-only)
- Module Load History
- Process Execution History
- Unique ASEP Values Updated, Unique ASEP Keys Updated, Unique Executables Written, Unique Executables Deleted, Unique Domains Looked Up, Unique Destination IP(s)
- Process Executions

16

Demonstrate how to pivot from a detection to a Process Timeline

- Host Search > Process ID > Process Timeline

17

Explain what contextual event data is available in a detection (IP/DNS/Disk/etc.)

- Indicators, Network Operations, Disk Operations, DNS Requests, Registry Operations, Process Operations

18

Explain how detection filtering and grouping might be used

- Zero in on the detections you want to see using the Falcon console's filtering and sorting capabilities. At the top of the Detections page, filters make it easier to search for detections in the list. Use the popular filters displayed in the category columns shown, or click Type to filter to pick from all available categories. Add multiple filters to narrow down the scope of your list. Click the X to the right of any filter to remove it. Click the X at the far right of the field to remove all filters. Organize your filtered list of detections with the Grouped by and Sort by dropdown menus to more easily triage and resolve similar detections in bulk.
- For example, go to the Detections page to look into the newest and most critical activity and discover any patterns emerging in the tactics
observed:
* To see only the latest detections, under Status, click New to filter the list.
* To see the filtered detections grouped by the tactics involved in each, select Grouped by Tactic. To expand the list of individual
detections, click the group. To see the most prevalent tactic at the top of the list, use Sort by most detections.

19

Explain when to use built-in OSINT tools

- Investigate IOCs

20

Explain the difference between Global vs. Local Prevalence

- Global is commonality across CS Cloud, Local is commonality across CID

21

Explain what Full Detection Details will provide

- Execution Details, Machine Learning Exclusions, Comments & Log Entries, File Details, Quarantined Files, User Details, Host Details, AV Detections, Related Intelligence, Network Operations, Disk Operations, DNS Requests, Registry Operations, Process Operations

22

Explain how to get to Full Detection Details

- Detections > Full Detection Details icon

23

Explain what type of data the View As Process Tree, View As Process Table and View As Process Activity provide

- Process Activity
* Event type, Time, Process, Attributes (Local IP, Remote IP, Remote Port)

24

Explain the purpose of assigning a detection to an analyst

- Assign detections to individuals, claim the ones you'll work on, or transfer your ownership of a detection to a colleague. Use the Assigned to filter column to see who is working on what.

25

Triage a non-Falcon Indicator of Compromise (IOC) in the Falcon UI

- TechniqueID
- IOA Name

26

Describe what the different policies (Block, Block and Hide Detection, Detect Only, Allow, No Action) do

- Block: Add the indicator to your blocklist and show it as a detection.
- Block, hide detection: Block and detect the indicator, but hide it from Endpoint security > Monitor > Endpoint detections. Discover this activity by searching for the indicator value in Investigate.
- Detect only: Show the indicator as a detection and take no other action.
- Allow: Add the indicator to your allowlist and do not detect it.
- No Action: Save the indicator for future use but take no action.

27

Explain the effects of allowlisting and blocklisting

- Custom IOCs can be used to add false positive detections to your allowlist, or to add applications to your blocklist to prevent their execution in your environment. Machine learning exclusions take precedence over hash-based blocklists.

28

Explain the effects of machine learning exclusion rules

- For trusted file paths, stop all ML-based detections and preventions, or stop files from being uploaded to the CrowdStrike cloud.
- Minimal sensor event data collected
- Uses "GLOB" syntax
Example: "Users\JohnDoe\AppDirectory\"

29

Explain the effects of Sensor Visibility exclusions

- For trusted file paths that you want to exclude from sensor monitoring, minimize sensor event collection, and stop all associated detections and preventions. Use sensor visibility exclusions with extreme caution. Potential attacks and malware associated with excluded files will not be recorded, detected, or prevented.
- Reserved for improving host performance

30

Explain the effects of IOA exclusions

- Stop all behavioral detections and preventions for an IOA that's based on a CrowdStrike-generated detection.

31

State the retention period for quarantined files

- File retention:
* Quarantined files are deleted from the host after 30 days. You can release files to prevent them from being deleted. For more info, see Releasing a file.
* Quarantined files are deleted from the CrowdStrike cloud after 90 days.
- Quarantined File Storage
* Windows: Windows\System32\Drivers\CrowdStrike\Quarantine
* Mac: Library/CS/Quarantine

32

Describe what happens when you release a quarantined file

- File is allowed to execute on just that host

33

Download a quarantined file

- By default, file extraction is disabled. In the Falcon console, go to Quarantined files (Endpoint security > Monitor > Quarantined files). Near the file you want to download, click Download.
- Provide the password "infected" when you unzip the downloaded file.
- Encryption: Extracted files are encrypted in transit and at rest

34

Perform an Event Search from a detection and refine a search using event actions

- Detection > Event Search > Event Actions

35

Explain what event actions do

- Event Actions are workflows which provide pivots from process data within Event Search
- Examples: Draw Process Explorer, Pivot - Host Search, etc.
- Each event type has different event actions

36

Explain key event types

- Field Name
* Description
> Example value
- aid
* The sensor ID. This value is unique to each installation of a Falcon sensor. When a sensor is updated or reinstalled, the host gets a new aid. In those situations, a single host could have multiple aid values over time.
> "a26a23c103cb4c9s5c39aa09effa5662"
- aip
* The sensor's IP, as seen from the CrowdStrike cloud. This is typically the public IP of the sensor. This helps determine the location of a computer, depending on your network.
> "#.##.#.###"
- ComputerName
* The name of the host.
> "my-host-name"
- ContextProcessId_decimal
* The unique ID of a process that was spawned by another process (in decimal, non-hex format). For example, if Process 1 spawns Process 2, the TargetProcessId of Process 1 will match the ContextProcessId of Process 2.
> "43037327673"
- ContextThreadId_decimal
* UTID of thread originating this event.
> "131329676802677966"
- ContextTimeStamp_decimal
* The time at which an event occurred on the system, as seen by the sensor (in decimal, non-hex format). Not to be confused with timestamp, which is the time the event was received by the cloud.
> "130929452316004441"
- event_platform
* The platform on which the sensor is running.
> "Win"/"Mac"/"Lin"
- event_simpleName
* The name of the event.
> "SuspiciousDnsRequest"
- FileName
* The name of the file.
> "my_file.docx"
- FilePath
* The full path of the file, including the file name.
> "\Device\HarddiskVolume1\sds2\1043\asdj64.exe"
- TargetProcessId_decimal
* The unique ID of a target process (in decimal, non-hex format). This field exists in almost all events, and it represents the ID of the process that is responsible for the activity of the event in focus. For example, the TargetProcessId of a process that performed thread injection in an InjectedThread event.
> "167558096500"
- timestamp
* Timestamp when the event was received by the CrowdStrike cloud. Not to be confused with the time the event was generated locally on the system. timestamp is epoch formatted. To make timestamps reader-friendly, add the search parameter | eval timestamp=timestamp/1000 | convert ctime(timestamp)
> 1508334994001
- _time
* Timestamp of the moment that the event was received by the CrowdStrike cloud. This is not to be confused with the time the event was generated locally on the system. This is the timestamp of the event from the cloud's point of view. This value can be converted to any time format and can be used for calculations.
> "10/19/2017 18:10:29.396"
- TreeId_decimal
* If this event is part of a detection tree, the tree ID it is part of.
> "42958187116"

37

Explain what information a process Timeline will provide

- All cloudable process-related events in a given timeframe
- Host Info, Process Info, Event Details

38

Explain what information a Host Timeline will provide

- Default search goes back 24 hours
- Host Info
* Host Name, Local IP, External IP, Version, Device Type, Manufacturer, Model, Domain, Site Name, Agent Version, aid, Last Seen (UTC)

39

Describe the process relationship (Target/Parent/Context)

- TargetProcessId_decimal: The unique ID of a target process (in decimal, non-hex format). This field exists in almost all events, and it represents the ID of the process that is responsible for the activity of the event in focus. For example, the TargetProcessId of a process that performed thread injection in an InjectedThread event.
- ParentProcessId_decimal: The decimal representation of the parent process.
- ContextProcessId_decimal: The unique ID of a process that was spawned by another process (in decimal, non-hex format). For example, if Process 1 spawns Process 2, the TargetProcessId of Process 1 will match the ContextProcessId of Process 2.
* https://fc-wiki.cs.sys/display/~dioannidis/EAM+Key+Data+fields

40

Retrieve the information required to generate a Process Timeline

- Click on Process ID from Host Search

41

Demonstrate how to get to a Process Explorer from an Event Search

- Event Actions > Draw Process Explorer

42

Find quarantined files

- Endpoint security > Monitor > Quarantined files (using Filename and Hostname fields)

43

Explain what information is in the Detection Activity Report

- Detect Date
- Company
- Detect ID
- Severity
- Objective
- Tactic
- Technique
- Disposition
- Scenario
- Status
- Hostname
- User Name
- Parent Process ID
- Process ID
- File Name

44

Describe what information is in the Detection Activity Dashboard

- Falcon Console > Dashboards App > Legacy Dashboards > Detection Activity
- Information Displayed
* Detection Count by Objective
* Device Count by Objective
* Detection Count by Severity
* Device Count by Severity
* Detections by Country
* Hosts with most Detections
* Users with most Detections
* Files with most Detections
* Detections by Objective, Tactic, and Technique
* Detections by Severity
* Detections by Host

45

Describe what information is in the Executive Summary Dashboard

- Falcon Console > Dashboards App > Legacy Dashboards > Executive Summary
- Information Displayed
* Active Sensors
* Active Sensors Count within
* Detections by Objective
* Detections by Tactic
* Detections by Severity
* Top 10 Hosts with most Detections (last 30 days)
* Top 10 Users with most Detections (last 30 days)
* Top 10 Files with most Detections (last 30 days)
* Active Sensors (Last 24 Hours, Includes Pay-As-You-Go Hosts)
* FH User Logons (Last 24 Hours)
* Active Sensors

46

Describe what information is in the Detection Resolution Dashboard

- Falcon Console > Dashboards App > Preset Dashboards > Detections Resolution
- Information Displayed
* Detections by Current Status
* Detections worked by Analysts
* Unresolved by objectives
* True positives by objective
* FPs/Ignored by Objective
* Unresolved by Tactic
* True Positives by Tactic
* FPs/Ignored by Tactic
* Unresolved by Severity
* True Positives by Severity
* FPs/Ignored by Severity
* Detection Resolution Activities
* Top 100 detection resolution history

47

Explain what information a User Search provides

- Default search goes back 24 hours
- User Logon Activities (Windows-only), Process Executions, Admin Tool Usage, File Written (Rar/Zip, Jar, Dump, OLE, OOXML, PDF, RTF)
- Use User Search to search for user activity across all Windows and Mac hosts in your environment. Due to differences in these platforms, some items might not be available for both Windows and Mac. Results in this report are filtered if:
* The user logging on is one of the well-known security identifiers. (see Microsoft's documentation)
* The logon session is NOT an interactive session or a service account.
* Though the results are filtered, the raw events for these logons are still captured in Event Search
- Searchable user activity includes:
* Logon Activities (last 30 days)
* Detect History (last 30 days)
* Unresolved Detects (last 7 days)
* Process Executions
* Admin Tool Usage
* Files written (JAR, OLE, OOXML, PDF, RAR, RTF, ZIP, dumps)

48

Explain what information an IP Search provides

- IP Search Summary, Processes that connected to specified IPs, Source IP Host Info
- Search for host information by IP. Source IP search allows you to use wildcards (for example, 192*).

49

Explain what information a Hash Executions (Search) provides

- Use Hash Search to search for events by hash across all Windows and Mac hosts in your environment. Due to differences in these platforms, some items might not be available for both Windows and Mac.
- Searchable hash information includes:
* Hash Written History (SHA256-only)
* Module Load History
* Process Execution History
* Detect History (last 14 days)
* Unresolved Detects (last 7 days)
* Process Executions
- You can export the data to a PDF by clicking the Export PDF button on the right side of the screen.

50

Explain what information a Hash Search provides

- PE File Info, Process Blocked History, Hash Written History (SHA256-only), Module Load History, Process Execution History, Process Executions
- Use Hash Search to search for events by hash across all Windows and Mac hosts in your environment. Due to differences in these platforms, some items might not be available for both Windows and Mac.
- Searchable hash information includes:
* Hash Written History (SHA256-only)
* Module Load History
* Process Execution History
* Detect History (last 14 days)
* Unresolved Detects (last 7 days)
* Process Executions
- You can export the data to a PDF by clicking the Export PDF button on the right side of the screen.

51

Explain what information a Bulk Domain Search provides

- Domain Lookup Summary, Processes that looked up specified Domain(s)
- Search for detect and process execution history involving a domain or list of domains. Bulk Domain Search allows you to use wildcards (for example, evildoma*).