CUSTOM IOA RULES Flashcards
What do custom IOA Rules provide?
**IOAs protect environments from malicious behaviors.
-Custom IOA rules use a supported subset of regex syntax to dictate what activity will trigger a custom IOA detection and whether or not that activity will be blocked or killed.
Create custom IOA Rules to monitor behavior that isn’t fundamentally malicious
**Each custom IOA rule is applied as a part of a rule group
Create the Rule Group:
-Falcon Console > Configuration > Custom IOA Rule Groups > Create Rule Group > Input rule group name > Click Add Group
Adding a Custom IOA Rule (new):
-Falcon Console > Configuration > Custom IOA Rule Groups > Click Rule Group Details > Click Add New Rule (add details/type/action/severity)
Enable rule and rule group:
-Check syntax – validates the regex entered
-Available actions: Monitor, Detect, Block Execution, Kill Process
**Actions can be applied to the rule types File Creation, Process Creation, Network Connection, or Domain Name
Assign the rule group to a prevention policy
What roles are required to enable custom IOA rules?
Roles:
-Custom IOAs Manager role or Falcon Admin
What requirements must be met to enable custom IOA rules?
Requirements:
-Subscription: available in Falcon Insight
-Customers with Falcon Insight & Falcon Prevent can also enable the Block and Kill actions.
Why would you want to add custom IOA’s to prevention policies?
-Add custom IOAs to prevention policies to gain visibility into activity that is not detected or prevented by Falcon, including behaviors that are not fundamentally malicious
What are the steps to configure an IOA rule?
Steps:
1. Create a new rule group
2. Add custom IOA rule to the rule group
3. Enable rule and rule group
4. Assign rule group to a prevention policy
What are IOA rules?
-Rules are created within rule groups, which are added to prevention policies.
-A rule group can contain any number of rules, of the same or different rule types.