CCFR-201b CrowdStrike Certified Falcon Responder Questions and Answers

Falcon Detection Method

MITRE Tactic

Indicator of Attack (IOA)

Prevention Policy Level

Identifying future threats using predictive AI models.

Applying an investigative approach across historical timed buckets of telemetry to find past activity.

Terminating a malicious process as it starts to execute.

Recovering files that were encrypted by a ransomware attack.

An interactive user login via RDP.

A Windows Service or a process launched by the Service Control Manager.

A web browser download initiated by the end user.

A script executed directly from a removable USB drive.

Detections broken down by Tactic.

A breakdown of Agent Versions across the fleet.

The top 10 hosts with the most detections.

The organization’s current CrowdScore trend.

Filename-based allowlist

Hash-based allowlist

Path-based allowlist

Command-line allowlist

Contact Controlled Systems

Lateral Movement

Gain Access

Follow Through

It allows for the automated decryption of files affected by ransomware.

It provides a standardized view of the attack lifecycle to help understand adversary behavior.

It enables the sensor to block kernel-level drivers from unknown publishers.

It provides a real-time count of the total number of files on the endpoint.

Severity

CrowdScore

Time

Triggering File

Execution is prevented, but detection alerts are suppressed

Execution is allowed on all hosts, including all other Falcon customers

The hash is submitted for approval to be allowed to execute once confirmed by Falcon specialists

Execution is allowed on all hosts that fall under the organization's CID

7 days

14 days

30 days

90 days

It contains an internal value not useful for an investigation

It contains the TargetProcessld_decimal value of the child process

It contains the Sensorld_decimal value for related events

It contains the TargetProcessld_decimal of the parent process

Reduce false positives based on Next-Gen Antivirus settings in the Prevention Policy

Reduce false positives of behavioral detections from IOA based detections only

Reduce false positives of behavioral detections from IOA based detections based on a file hash

Reduce false positives of behavioral detections from Custom IOA and OverWatch detections only

Triggering File

Hardware BIOS Version

Local Subnet Mask

Sensor Update Policy Name

The total CPU usage of the parent process.

The command-line arguments used during the task creation.

The Agent ID (AID) of the host where the detection fired.

The physical location of the endpoint in the office.

On the public CrowdStrike blog.

In the Support page under the Docs section.

By clicking the 'About' button in the user profile.

In the training videos on the main Dashboard.

Process Termination

File Quarantine

Process Restart

Network Isolation

Malware Action

Impact

Intelligence-Based Match

Script-Based Execution

45 Days

30 Days

Quarantined files are never deleted from the host

90 Days

Event Search

Executive Summary dashboard

Host Search

Installation Tokens

SHA256

MD5

File Type

Filename

Process Information

Port Information

IP Lookup Information

Threat Actor Information

An adversary uses an automated script to bruteforce S3 bucket permissions.

An adversary uses a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment.

An adversary executes an API call to terminate all running EC2 instances in a region.

An adversary deploys a crypto-miner inside a compromised Docker container.

No executions are allowed for 14 days after release

It is allowed to execute on all hosts

It is deleted

It will not generate future machine learning detections on the associated host

Timestamp

Event Name

PID (Process ID)

CPU Temperature

Username

Hostname

Process ID

Time Range

A global intelligence report about a new adversary.

A specific detection that occurred on a particular host.

The main settings menu of the Falcon console.

The help documentation in the Support portal.

Operating System

File Signature

Command Line

Sensor Version

Investigate > Activity Dashboard

Endpoint Security > Monitor > Activity Dashboard

Configuration > General > Activity Dashboard

Support > Analytics > Activity Dashboard

The External IP and the Username of the logged-in user.

The Agent ID (AID) and the Target Process ID (TargetProcessId_decimal).

The MAC Address of the host and the SHA256 hash of the file.

The Policy ID and the timestamp of the first event.

Credential Access through memory scraping

Collection of sensitive data for exfiltration

Initial Access via a drive-by download

Discovery of local network shares and services

User Search

Host Search

Hash Search

IP Search

Activity

Investigate

Configuration

Dashboards

The standard Process ID (PID) assigned by the Windows operating system.

A sensor-assigned decimal number that is unique for each process across time and hosts.

The memory address where the process’s executable is loaded.

The total number of seconds the process has been running.

Windows\Quarantine

Windows\System32\Drivers\CrowdStrike\Quarantine

Windows\System32\

Windows\temp\Drivers\CrowdStrike\Quarantine

.zip, password: crowdstrike

.7-zip, password: infected

.rar, password: malware

.exe, no password

Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessld_decimal)

Select Full Detection Details from the detection

Right-click the process and select "Follow Process Chain"

Select the Process Timeline feature, enter the AID. Target Process ID, and Parent Process ID

Theprocess explorer opens and the detection is removed from the console

The process explorer opens and you're able to view the processes and process relationships

The process explorer opens and the detection copies to the clipboard

The process explorer opens and the Event Search query is run for the detection

SHA256 and TargetProcessld_decimal

SHA256 and ParentProcessld_decimal

aid and ParentProcessld_decimal

aid and TargetProcessld_decimal

It provides a summary of all alerts over a selected time period.

It can be filtered by host name or severity.

Clicking on a ProcessID value within the report pivots to a pre-populated Event Search.

The report can be exported to a CSV file.

Analyzing historical logs from the past 90 days to find missed threats.

Investigating incoming telemetry in real time or on a near real-time basis to catch active threats.

Scanning every file on a hard drive once per week for dormant viruses.

Manually updating the Falcon sensor on every machine in the fleet.

A brand new detection has been triggered on a host that was recently added to the network.

A detection that was previously moved to a resolved status has generated new telemetry and activity.

A user has logged into a machine for the first time since the sensor was installed.

The Falcon Overwatch team has manually verified that the detection is an active threat.

No Action

Allow

Ignore

Always Block

IP Addresses

Remote or Network Logon Activity

Remote Access Graph

Hash Executions

Process Timeline

Host Timeline

User Timeline

Network Timeline

browser_type

index

cpu_usage_percent

monitor_mode

Severity

Event Types

User Name

Detection ID

User logons after the detection

Executions of schtasks.exe after the detection

Scheduled tasks registered prior to the detection

Pivot to a Hash search for taskeng.exe

Process related events can be filtered to display specific event types

Suspicious processes are color-coded based on their frequency and legitimacy over time

Processes responsible for spikes in CPU performance are displayed overtime

A visual representation of Parent-Child and Sibling process relationships is provided

Selecting a Rule Type (e.g., Process Creation).

Specifying the Severity level of the resulting detection.

Assigning a specific host group to the IOA rule at the time of creation.

Providing a unique name for the rule.

Do nothing, as this file is common and well known

From detection, click the VT Hash button to pivot to VirusTotal to investigate further

From detection, use API manager to create a custom blocklist

From detection, submit to FalconX for deep dive analysis

500

750

1000

1200