Determine the appropriate group assignment for endpoints. How does this impact the application of policies?
Two types of group assignment for endpoints:
- Dynamic Host Groups
- Static Host Groups
**Defined Manually
What types of policies can be assigned when creating Groups?
- Prevention Policies
- Sensor Update Policies
- USB Device Policies
- Response Policies
- Network Containment Policy
- Mobile Policies
Define precedence when referring to group policies
- determines which policy’s configuration settings are applied to a host when the host is a member of more than one policy
How do Dynamic Host Groups impact the application of policies?
- When a host matches the assignment rule for a dynamic group, it's automatically added to the group. When a host no longer matches the assignment rule for the group, it's automatically removed.
How do Static Host Groups impact the application of policies?
- Static groups are useful for hosts in static environments, such as QA or testing, or for when dynamic group filters are insufficient.
What attributes are Dynamic Host Groups created by?
- Empty upon initial creation. Define filters based on attributes such as grouping tags, IP/CIDR range, OS version, Active Directory OU, or hostname prefix or suffix.
What is the limit for how many Static Host Groups can be added at a time?
- There is a limit of adding 1,000 hosts to a static group at a time.
How do you add hosts to a static group?
Hosts can be added to a static group using any of these methods:
- Select hosts using filters in the Falcon console
- Manually enter hosts in the Falcon console
- Upload a text file containing a list of hosts
When creating Static Host Groups you can add hosts by…
- Hostname or Host ID (AID)
**selection can NOT be changed later
Where are policies configured?
Falcon Console > Configuration
What policy describes what kind of activity isn’t allowed on a host?
- Prevention Policies
Which policy describes configuring USB devices, review device control dashboards, and USB violations?
- USB Device Policy
How are policies assigned?
- Policies are assigned to hosts within Host Groups
**Available prevention settings vary by platform
When configuring a USB Device policy, what are the policy configuration options?
Policy Options (3):
- Monitor and Enforce
- Monitor Only
Certain activity triggers detections and preventions on hosts that have a prevention policy configured. Where can you monitor these actions?
Falcon Console > Activities Application
Describe workflows
Workflows help streamline analyst operations by creating automatic actions that precisely define actions you want Falcon to perform in response to incidents, detections, policies, cloud security findings, and updates made by users.
Describe the capabilities in creating workflows
- Can send out Slack notifications based on cloud container image assessment findings
- Generate ServiceNow incident tickets when high severity vulnerabilities are detected
- Run RTR scripts to manage affected hosts when incidents are reported
- Use Triggers (Falcon detects a vulnerability)
- Set Conditions (vulnerability has a severity of "Critical")
- Actions (create a ServiceNow incident)
- Else/Else If statements: use conditional statements to set up multiple workflow branches
- And statements: group multiple conditions within a single workflow branch
- Parallel actions and conditions: create independent branches of actions and conditions within a single workflow
- Sequential actions: add actions to be performed in a specific order within a workflow branch
Define policies with different precedences to resolve conflicts.
When faced with conflict, Falcon Cloud will apply the policy with the higher precedence
What happens to a host that is not part of any group, or whose groups have no policy assigned?
The host is automatically assigned to the default policy
Do all OSes operate off the same policies?
No. There are different Prevention policies for different operating systems.
Can host groups be assigned one or more policies?
**The policy with the highest order precedence (1) gets applied
Can a single host belong to one or more host groups?
- Yes. A single host can fall within multiple groups, with each of those groups targeting different policies
**Allows the scalability to be as simple or complex as needed
What happens with Dynamic Groups when a new sensor is installed?
- With dynamic groups, a newly installed sensor inherits the relevant groups and applies the policy with the highest precedence to the host
**provides host with its initial policy settings.
If a host's policy changes, what also changes?
- The settings applied to the host also change. Changing aspects of the host can change its group and therefore change its active policy.
What is the highest-ranking precedence that can be applied to a host?
- 1 is the highest precedence
On a host, which policy gets applied?
- The policy with the highest-ranking precedence is applied and active (1 is the highest precedence)
**If something changes with that high-ranking policy, then the next highest-ranking policy gets applied and becomes active.
What do host groups allow you to do?
- assign policy settings
- upgrade schedules
- file exclusions
Define a dynamic host group?
- Hosts defined by attributes that, when matched, are added and removed automatically
**most flexible and recommended to use in most cases
Define a static host group?
Hosts added and removed manually
**can be added by adding a list of hostnames or selecting a list of names in the Falcon Console
How to create a dynamic host group?
Host Setup and Management > Manage Endpoints > Host Groups > Add New Group > name and description > select group type (Dynamic) > Add Group
Click Edit to assign rule filters > input criteria in the filter bar > Save
How to configure a static host group?
Host Setup and Management > Manage Endpoints > Host Groups > Add New Group > name and description > select group type (Static) > Add Group > Add Hosts
Click the checkbox to select hosts > Add > Add Host > Done
Once a host is added to a group…
It cannot be changed
What circumstances can impact the hosts in a dynamic group?
- Policy precedence
- Changing aspects of the host
- Unplanned changes to a host
What is the timelapse between when you create a dynamic rule and when it gets applied to hosts
40 mins
Why is it recommended to use Dynamic host groups vs static groups?
Using static groups can result in:
- hosts changing security settings if the hostname is changed
- host duplication in the Falcon console
Can a host group be part of more than one assigned policy?
- No. After a host group is assigned a policy, that host group no longer appears in the list of available groups
How to assign a host group to a prevention policy?
Falcon main menu > Endpoint Security > Configure > Prevention Policies > Edit > Assigned Host Groups tab > Add Groups to Policy > select groups > click Add Groups to Policy
How to assign a host group to a sensor update policy?
Falcon main menu > Host Setup and Management > Deploy > Host Sensor Policies > Edit > Assigned Host Groups tab > Add Groups to Policy > select groups > click Add Groups to Policy
How to ensure the proper settings are applied and that the active policy is verified?
- Check the host group
- Check the individual host
How to review a group's policy precedence?
Falcon main menu > Endpoint Security > Configure > Prevention Policies > View