FALCON REPORTS Flashcards
What information is contained in a Machine Learning Prevention Monitoring Report?
-Shows malware that would have been blocked in your environment based on different ML Prevention Settings
What information is in the Falcon UI Audit Trail Report
-List of analyst login activity (Falcon UI Audit Trail)
-Analyst logon activity and access granting
What information is in the API Audit Trail?
-API Audit Trail Report: list of actions taken via Falcon OAuth2-based APIs (list of API actions)
What information is in the Prevention Policy Debug Report?
-Report used to confirm that prevention policy settings were applied to a host. Use it to debug issues with prevention settings not being set.
What information does a Linux Sensor Report provide?
-Provides a list of firewall commands issued from the command line, hosts by kernel version, shells spawned by root, and wget/curl usage
What information does a Mac Sensor Report provide?
-Chart of the macOS versions in use, as well as a variety of queries related to potentially suspicious activity on Mac hosts
What information can be found in hunting reports?
-Hunting Reports: Various built-in reports and queries of potentially suspicious activity on hosts such as executables running from the recycle bin or temporary directories
What information is shown in the Remote Logon Activity Report?
-Provides a list of users and the count of times they remotely logged on to hosts based on terminal or network server logons
What information is shown on the Remote Access Graph Report?
-Shows a graph of the nodes and the users connecting to the nodes.
What information is shown on the Geo Location Activity Report?
-Map of users connecting to countries (can include IPs and exclude destination IPs, and include destination ports and exclude destination ports)
What information can be found in Visibility Reports?
-Logon Activities, Remote Access Graph, Remote/Network Logon Activities, and Geo Location Activity
What is a custom alert rule?
Custom Alert Rule:
-Configure email alerts using predefined templates so you're notified about specific activity in your environment. When the alert runs and finds results, it sends an email to the specified recipients instead of generating a new detection.
What information is in the Prevention Policy Audit Trail?
-The audit trail for all policies
Who can view the custom alerts page?
Role required:
-Falcon Admin
-Falcon Security Lead
-Falcon Investigator
-Falcon Analyst
-Falcon Analyst (Read Only)
What predefined templates could a custom Falcon report be generated for?
-Sensor entering RFM
-Real Time Response session initiation
-Mobile host detections
-Analyst contained a host
-Analyst repeatedly fails login
-OS security settings
What triggers a custom alert?
-Custom_Alert: trigger when UserName=* failed to log on to ComputerName=* more than 3 times in a one-hour span for cid=* from Account Type=* using logon type=*
What does Preview Results do prior to scheduling the alert?
-Preview Results lets you see what results are found before you schedule the alert.
**Adjust the search parameters as needed until you are satisfied with the activity being found
What are the 3 steps to creating a Falcon Report?
-Choose the template
-Preview the search results
-Schedule the alert
How to configure a custom alert?
-Investigate > Custom Alerts > Preview Alert next to the template you'd like to configure > input search criteria > Run Search > Configure Alert > input Email Recipients / Email Subject / Severity / Alert Email Body > select whether you'd like a preview of alert results included in the email > Schedule Alert
**For multiple email addresses, separate them with commas
How many custom alerts can be scheduled for an environment at one time?
-Up to 50 custom alerts can be scheduled at one time
Where can scheduled alerts be edited, disabled, or re-enabled?
-Schedule Alerts application
When creating multiple alerts…
-Enter multiple search parameters in one Custom Alert instead of creating many similar alerts
**Duplicate alerts are not allowed
What information is in the Prevention Hashes Ignore Report?
What are 3 types of alerts?
-Detection and incident email alerts, notification workflow alerts, custom alerts
How to access the custom alerts in Falcon?
-Investigate > Custom Alerts > Alerts
Which alert type lets you set up email alerts based on predefined templates that cover a wide range of topics?
-Custom Alerts
How to access notification workflow alerts in Falcon?
-Host setup and management > Automated workflows > Fusion workflows
What do notification workflows allow you to do?
-Customize Falcon notifications
-Define what Falcon will send notifications about
-Define which individuals and channels it will send them to
When are detection email alerts sent?
Emails are sent once per day for:
-Detection at medium severity
-Incident at 1.0 and above
How to set up detection and incident email alerts?
-Falcon Menu > Support and resources > Resources and tools > General settings > scroll down to the Manage list for the detection and incident email section > enter the email address to send notifications to > Enter
Where can scheduled alerts be edited, disabled, or re-enabled?
-Under Scheduled Alerts