EXCLUSIONS

Question 1

How to write an effective file exclusion rule using glob syntax

Answer 1

• When setting path, start with root folder in full path. Do not include drive letter, device, hard disk vol or leading asterisks or backslashes
• Program Files (x86)\MySoftware*
  **Excludes everything in the folder but not subfolders
• Program Files (x86)\MySoftware**
  **Excludes everything in the folder, including subfolders
• Program Files (x86)\MySoftware\SampleSoftware.exe
  **Excludes SampleSoftware.exe if it’s in
• ProgramFiles(x86)\MySoftware\Users*\Desktop\RunMe.exe **Excludes RunMe.exe within any user Desktop folders
• **\RunMe.exe – (The exception) Globally excludes RunMe.exe in any location

Question 2

How do you apply pattern exclusions to groups?

Answer 2

2 ways:

-Disable detection on a host

-Can set up a File Exclusion Pattern – prevents detections from appearing for specific file names, paths and extensions

Question 3

How to manage exclusion files?

Answer 3

Choose “all hosts” or “Groups of hosts”

Select Precedence
**Precedence of exclusion rules enacted on hosts/group of hosts

Question 4

What does using the Glob Syntax provide when creating exclusions?

Answer 4

• Glob syntax allows you to create exclusion patterns to easily exclude files and folders. Glob syntax supports standard ASCII characters – all alphabetical characters are not case-sensitive

Question 5

What are the 3 Levels of Exclusion patterns?

Answer 5

3 levels of exclusion patterns:

-ML Exclusions

-IOA Exclusions

-Sensor Visibility Exclusions

Question 6

Which exclusion pattern stops ML detections and preventions and/or uploads to CS for a trusted file path

Answer 6

• ML Exclusions

Question 7

Which exclusion pattern stops seeing detections and allow activity for specified IOAs

Answer 7

-IOA Exclusions

Question 8

Which exclusion pattern creates a sensor visibility exclusion to reduce performance issues in a trusted file path by stopping all sensor visibility for that path .

Answer 8

-Sensor Visibility Exclusions

Question 9

How to enable exclusion rules?

Answer 9

To enable exclusion rule on host/groups of hosts
-Falcon console > Host Management > Prevention Policy assign to host name

Question 10

When coming across a detection you know is legitimate, what needs to be done?

Answer 10

-Setup an allowlist or put it in an exclusion

Question 11

What file executables should be avoided for windows systems when configuring Sensor Visibility exclusions?

Answer 11

-cmd.exe
-command.exe
-PowerShell.exe
-C:\Windows\System32*

Question 12

What is an indicator of attack (IOA)?

Answer 12

-A logical rule designed to identify and block malicious intent regardless of malware or exploit

Question 13

How to review any created exclusions?

Answer 13

-Falcon menu>endpoint security>configure>exclusions

Question 14

What 3 part process in Falcon needs to take place when deploy sensors to monitor your detections?

Answer 14

-Test a subset of hosts on the prevention policy

-Identify any applications that have produced a false positive

-Allowlist the false positives

Question 15

When doing any type of allowlisting what things need to be identified?

Answer 15

-Tactic

-Technique

Question 16

How to allowlist a false positive?

Answer 16

Falcon main menu> endpoint security> monitor>endpoint detections>click on a detection that needs to be allowedlisted>scroll down on left side of screen and locate IOC management section> clikc IOC management icon>input description and filename>select host groups to apply or select all hosts> select platform type>select allow, do not detect from the action dropdown> click add hashes

Question 17

How long does an allowlist take to be applied to an online machine?

Answer 17

-10-15 minutes

Question 18

How to allowlist a ML detection?

Answer 18

Falcon main menu> endpoint security> monitor>endpoint detections> select a tactic> select a technique>select group dropdown> select grouped by triggering file> select group by host in same dropdown (determines what may need to be excluded or helps narrow down false positives)

Question 19

When should you apply ML exclusions?

Answer 19

-When there is a number of detections associated with a certain application or binary

Question 20

How to create a ML Exclusion?

Answer 20

Falcon main menu> endpoint security>monitor> endpoint detections>click the identified triggering file If not ther click the search bar and type triggering file & select the file you want to manage> select the grouping drop down and select Grouped by Hash> select grouped by command line in same dropdown (shows the triggering file path)>copy the file path>select grouped by host in same dropdown> contact host and see if there is an alternative file path that doesn’t trigger detections if NOT, then add to an exclusion

Question 21

What do machine learning exclusions prevent?

Answer 21

-Stops ML detections and preventions for the specified file path

falcon main menu>endpoint security>configure> exclusions>make sure your in machine learning exclusions tab>create exclusion>select all hosts or group of hosts>next> select detections and preventions checkbox under the excluded from section>paste file path in exclusion pattern text area> click test pattern to make sure its written/ pasted correctly>create exclusion>

Question 22

How to create an IOA exclusion

Answer 22

-Falcon menu>endpoint security>monitor>endpoint detections>click on a detection that needs to be allowlisted>make sure that the tactic and technique is NOT machine learning>determine that the program is a legit binary operating in your environment>scroll down left side of the screen and locate the command line and file path sections>scroll back up and click create IOA exclusion>click host groups and select groups to be targeted>input name and description>next>create exclusion>

Question 23

How can an IOA detection be identified?

Answer 23

-If the tactic and technique do NOT mention ML

Question 24

What’s ineligible for a self-Service IOA exclusion?

Answer 24

-Overwatch detections

-Custom IOA detections

-Small set of internal detection types

Question 25

What preventions should you reach out to customer support for?

Answer 25

-Forced ASLR bypass preventions

-forced DEP preventions

-Heap spray preallocation preventions

Question 26

What does an IOA exclusion use to suppress an IOA detection?

Answer 26

-Uses IOA name, image filename, and command line fields as methods to suppress an IOA detection

Question 27

What do sensor visibility Exclusions provide?

Answer 27

-Improves performance impact for excluded processes
**not an allowlisting tool

Question 28

Why is it important to keep exclusions minimal and narrow in scope?

Answer 28

-To minimize the loss of visibility and protection

Question 29

What are the characteristics of sensor visibility excursions?

Answer 29

-Supported on all platforms

-Reduce overhead by bypassing ALL detections and preventions

-Sensors skip the processing of most system activities triggered by the excluded processes or in paths

-Win and Mac hosts: process executions that match the SVE file exclusion criteria get reported via the syntheticprocessrollup2 event

Question 30

What is self- service allowlisting?

Answer 30

-Lets you decide which exclusions to setup for any false positives
*falcon admin and detections exception manager role required

Question 31

Identifying the type of tactic and technique used can help you in the selection of the appropriate self-service allowlisting option

Answer 31

-True

Question 32

Why should you take caution with Sensor vulnerability exclusions?

Answer 32

-Any processes that match file exclusion criteria will no longer generate the vast majority of events that would be seen otherwise

Question 33

What is machine learning (ML)?

Answer 33

-Real-time blocking against high-confidence known malware and unknown executables. Based on a combination of antivirus detection and file properties extracted at the time of execution.

Question 34

What is best practice for Sensor Visibility exclusions

Answer 34

-Should be narrow as possible

Question 35

What will no longer be captured if Sensor vulnerability exclusions are enabled?

Answer 35

-SHA 256 digest will no longer be captured

Question 36

What OS can an IOA exclusion be created for?

Answer 36

-Mac
-Windows
-Linux

Question 37

What file executables should be avoided for linux systems when configuring Sensor Visibility exclusions?

Answer 37

-Bash
-/sbin
-/bin
/usr/bin

Question 38

You can allowlist by hash via the IOC management page

Answer 38

-True

Question 39

What monitoring and triage detection features are only supported on Windows and Mac?

Answer 39

-Cloud ML and Cloud DoW- based detections

Question 40

What is the total number of hashes per OS platform?

Answer 40

-90,000

Question 41

When is an IOA alert generated?

Answer 41

-For a behavioral detection

Question 42

What monitoring and triage detection features are supported on all platforms?

Answer 42

-Cloud ML -based detections

-Sensor ML-based detections

-IOA-based detections

Question 43

Which exclusion should be used with extreme caution and only for performance-related concerns

Answer 43

-Sensor visibility exclusions (SVE)

Question 44

What monitoring and triage detection features are only supported on Windows only?

Answer 44

-On-sensor ML and on-sensor Dow-based detections

Question 45

What is an allowlist?

Answer 45

-A list of items that are allowed access to a system or protocol – a basic access control mechanism

Question 46

How to set up an allowlist?

Answer 46

-By hash via IOC management
-using file/path via Machine Learning Exclusions (MLE)