FALCON REPORTS

Question 1

What information is contained in a Machine Learning Prevention Monitoring Report?

Answer 1

-Shows malware that would have been blocked in your environment based on different ML Prevention Settings

Question 2

What information is in the Falcon UI Audit Trail Report

Answer 2

-List of Analyst Login Activity, Falcon UI Audit Trail

-Analyst log on activity/access granting

Question 3

What information is in the API Audit Trail?

Answer 3

-API Audit Trail Report: List of actions taken via Falcon OAuth2 based APIs, list of API Actions

Question 4

What information is in the Prevention Policy Debug Report?

Answer 4

-Report used to confirm prevention policy settings were applied to a host. Use to debug issues with prevention settings not being set.

Question 5

What information a Linux Sensor Report will provide?

Answer 5

-Provides a list of Firewall Commands issued from the command line, Hosts by Kernel Version, Shells spawned by Root, Wget/Curl Usage

Question 6

What information does a Mac Sensor Report provide?

Answer 6

-Chart of the MAC OS Versions as well as a variety of queries related to potentially suspicious activity on MAC Hosts

Question 7

What information can be found in hunting reports?

Answer 7

-Hunting Reports: Various built-in reports and queries of potentially suspicious activity on hosts such as executables running from the recycle bin or temporary directories

Question 8

What information is shown in the Remote Logon Activity Report?

Answer 8

-Provides a list of users and the count of times they remotely logged on to hosts based on terminal or network server logons

Question 9

What information is shown on the Remote Access Graph Report?

Answer 9

-Shows a graph of the nodes and the users connecting to the nodes.

Question 10

What information is shown on the Geo Location Activity Report?

Answer 10

-Users connecting to countries map (can include IP’s and Exclude Destination IP’s, and include Destination Ports and Exclude Dest Ports)

Question 11

What information can be found in Visibility Reports?

Answer 11

-Logon Activities, Remote Access Graph, Remote/Network Logon Activities, and Geo Location Activity

Question 12

What is a custom alert rule?

Answer 12

Custom Alert Rule:

• Configure email alerts using predefined templates so you’re notified about specific activity in environment. When alert runs/finds results – sends email to specified recipients instead of generating a new detection.

Question 13

What information is in the Prevention Policy Audit Trail?

Answer 13

-The audit trail for all policies

Question 14

Who can view the custom alerts page?

Answer 14

Role required:

-Falcon Admin
-Falcon Security Lead
-Falcon Investigator
-Falcon Analyst
-Falcon Analyst (Read Only)

Question 15

What predefined templates could a custom Falcon report be generated for?

Answer 15

• Sensor entering RFM,
  -Real Time Response Session Initiation
  -Mobile host Detections
  -Analyst contained a host
  -Analyst repeatedly fails login
  -OS security Settings

Question 16

What triggers a custom alert?

Answer 16

-Custom_Alert: Trigger when UserName=* failed to log on to ComputerName =* more than 3 times in one hour span for cid=* from Account Type=* using logon type=*

Question 17

What does Preview Results do prior to scheduling the alert?

Answer 17

-Preview results helps you see what your results are found before your schedule the alert.

**Adjust search parameters as needed until satisfied with activity being found

Question 18

What are the 3 steps to creating a Falcon Report?

Answer 18

-Choose the template
-Preview the search results
-Schedule the alert

Question 19

How to configure a custom alert?

Answer 19

-Investigate> custom alerts> Preview Alert next to template you’d like to configure> input search criteria> run search>Configure Alert> input Email Recipients/Email Subject/Severity/Alert Email Body> select if you’d like a preview of alert results included in email**multiple email addresses, separate them with commas>
Schedule Alert

Question 20

How many custom alerts can be scheduled for an environment at one time?

Answer 20

-Up to 50 custom alerts can be scheduled at one time

Question 21

Where can scheduled alerts be edited, disabled, or re-enabled?

Answer 21

-Schedule Alerts application

Question 22

When creating multiple alerts…

Answer 22

-Enter multiple search parameters in one Custom Alert instead of creating many similar alerts

**Duplicate alerts are not allowed

Question 23

What information is in the Prevention Hashes Ignore Report?

Question 24

What are 3 types of alerts?

Answer 24

-Detection and incident email alerts, notification workflow alerts, custom alerts

Question 25

How to access the custom alerts in falcon?

Answer 25

Investigate> custom alerts> alerts

Question 26

Which alert lets you setup email alerts based on predefined templates that cover a wide range of topics?

Answer 26

-Custom Alerts

Question 27

How to access Notification workflow alerts in Falcon?

Answer 27

Host setup and management> Automated workflows> fusion workflows

Question 28

Notification workflows allow you to?

Answer 28

-Customize falcon notifications
-Define what falcon will send notifications about
-Define which individuals and channels it will send them to

Question 29

When are detection email alerts sent?

Answer 29

Emails are sent once per day for:

-Detection at medium severity

-Incident at 1.0 and above

Question 30

How to setup detection and incident email alerts?

Answer 30

Falcon Menu> support and resources>resources and tools>general settings>scroll down to manage list for detection and incident email section>enter email to send notifications to>Enter>

Question 31

Where can scheduled alerts be edited, disabled, or re-enabled?

Answer 31

-Under Scheduled Alerts