GROUP CREATION

Question 1

Determine the appropriate group assignment for endpoints. How does this impact the application of policies?

Answer 1

Two types of group assignment for endpoints:

• Dynamic Host Groups
• Static Host Groups
  **Defined Manually

Question 2

What types of policies can be assigned when creating Groups?

Answer 2

• Prevention Policies
• Sensor Update Policies
• USB Device Policies
• Response Policies
• Network Containment Policy
• Mobile Policies

Question 3

Define precedence when referring to group policies

Answer 3

• determines which policy’s configuration settings are applied to a host when the host is a member of more than one policy

Question 4

How do Dynamic Host Groups impact the application of policies?

Answer 4

-When the hosts match assignment rule for a dynamic group, its automatically added to the group. When a host no longer matches the assignment rule for the group, it’s automatically removed.

Question 5

How do Static Host Groups impact the application of policies?

Answer 5

-Static groups are useful for hosts in static environments, such as QA or testing, or for when dynamic group filters are insufficient.

Question 6

What attributes are Dynamic Host Groups created by?

Answer 6

-Empty upon initial creation. Define filters based on attributes such as grouping tags, IP/CIDR range, OS Version, Active Directory OU, or host name prefix or suffix.

Question 7

What is the limit for how many Static Host Groups can be added at a time?

Answer 7

-There is a limit of adding 1,000 hosts to a static group at a time.

Question 8

How do you add hosts to a static group?

Answer 8

Can add hosts to a static group using any of the methods:
- Select hosts using filters in Falcon console
- Manually entering hosts in Falcon console
- Upload a text file containing a list of hosts

Question 9

When creating Static Host Groups you can add hosts by…

Answer 9

-Hostname or Host ID (AID)
**selection can NOT be changed later

Question 10

Where are polices configured

Answer 10

Falcon Console > Configuration

Question 11

What policy describes what kind of activity isn’t allowed on a host?

Answer 11

-Prevention Policies

Question 12

Which policy describes configuring USB devices, review device control dashboards, and USB violations?

Answer 12

-USB Device Policy

Question 13

How are policies assigned?

Answer 13

-Policies are assigned to hosts within Host Groups
**Available prevention settings vary by platform

Question 14

When configuring a USB Device policy, what are the policy configuration options?

Answer 14

Policy Options (3):
-Monitor and Enforce
-Monitor Only
-Off

Question 15

Certain activity will trigger detections and preventions on hosts that have a prevention policy configured, where can you monitor these actions?

Answer 15

Falcon Console > Activities Application

Question 16

Describe workflows

Answer 16

Workflows help streamline analyst operations by creating automatic actions that precisely define actions you want Falcon to perform in response to incidents, detections, policies, cloud security findings, and updates made by users.

Question 17

Describe the capabilities in creating workflows

Answer 17

• Can send out Slack notifications based on cloud container image assessment findings
• Generate ServiceNow incident tickets when high severity vulnerabilities are detected
• Run RTR scripts to manage affected hosts when incidents are reported

-Use Triggers (Falcon detects a Vulnerability)

• Set Conditions (Vulnerability has a severity of “Critical”)

-Actions (create a ServiceNow Incident)

-Else/Else If Statements: Use Conditional statements to set up multiple workflow branches

-And Statements: Group multiple conditions within a single workflow branch

-Parallel actions and conditions: Create independent branches of actions and conditions within a single workflow

-Sequential Actions: Add Actions to be performed in a specific order within a workflow branch

Question 18

Define policies with different precedence’s to resolve conflicts.

Answer 18

When faced with conflict, Falcon Cloud will apply the policy with the higher precedence

Question 19

Explain what happens to a host that is not part of any groups or the groups it belongs to has no policy assigned?

Answer 19

The host is automatically assigned to the default policy

Question 20

Do all OS operate off the same policies?

Answer 20

No. Different Prevention policies for different Operating Systems

Question 21

Can host groups be assigned one or more policies?

Answer 21

-Yes
**The policy with the highest order precedence (1) gets applied

Question 22

Can a single host belong to one or more host groups?

Answer 22

-Yes. A single host can fall within multiple groups with each of those groups targeting different policies

**Allows the scalability to be as simple or complex as needed

Question 23

What happens with Dynamic Groups when a new sensor is installed?

Answer 23

-With dynamic groups, a newly-installed sensor inherits relevant groups and applies policy with highest precedence to the host

**provides host with its initial policy settings.

Question 24

If a hosts policy changes, what also changes?

Answer 24

-The setting applied to the host also changes. Changing aspects of the host can change its group and therefore change its active policy.

Question 25

What is the highest-ranking precedence that can be applied to host

Answer 25

-1 is the highest precedence

Question 26

On a host, which policy gets applied?

Answer 26

-The policy with the highest-ranking precedence is applied and active (1 is the highest precedence)

**If something changes with that high-ranking policy, then the next highest-ranking policy gets applied and becomes active.

Question 27

What do host groups allow you to do?

Answer 27

-assign policy settings
-upgrade schedules
-file exclusions

Question 27

Define a dynamic host group?

Answer 27

-Hosts defined by attributes that when matched are added and removed automatically
**most flexible and recommended to use in most cases

Question 28

Define a static host group?

Answer 28

Hosts added and removed manually
**can be added by adding a list of hostnames or selecting a list of names in the Falcon Console

Question 29

How to create a dynamic host group?

Answer 29

Host setup and Management>manage endpoints> Host groups> add new group> name and description>select group type (Dynamic)>add group

Click edit to assign rule filters>input criteria in filter bar> save

Question 30

How to configure a static host group?

Answer 30

Host setup and Management>manage endpoints> Host groups> add new group> name and description>select group type (static)>add group> add hosts

Click checkbox to select hosts> add>add host> done

Question 31

Once a host is added to a group…

Answer 31

It cannot be changed

Question 32

What circumstances can impact the hosts in a dynamic group?

Answer 32

-Policy precedence
-Changing aspects of the host
-unplanned changes to a host

Question 33

What is the timelapse between when you create a dynamic rule and when it gets applied to hosts

Answer 33

40 mins

Question 33

What is the timelapse between when you create a dynamic rule and when it gets applied to hosts

Answer 33

40 mins

Question 34

Why is it recommended to use Dynamic host groups vs static groups?

Answer 34

using static groups can result in:

-hosts changing security settings if the hostname is changed
-host duplication in the falcon console

Question 35

Can a host group be part of more than one assigned policy?

Answer 35

-No. After a host group is assigned a policy, that host group no longer appears in the list available groups

Question 36

How to assign a host group to a prevention policy?

Answer 36

Falcon main menu> endpoint security>configure> prevention policies>edit>assigned host groups tab> add groups to policy> select groups> click add groups to policy

Question 37

How to assign a host group to a sensor update policy?

Answer 37

Falcon main menu> host setup and management> deploy>host sensor policies edit>assigned host groups tab> add groups to policy> select groups> click add groups to policy

Question 38

How to ensure the proper settings are applied and that the active policy is verified?

Answer 38

-Check the host group
-check individual host

Question 39

How to review a groups policy precedence?

Answer 39

Falcon main menu>endpoint security>configure> prevention polices>view