HOST MANAGEMENT Flashcards
How might filtering be used in the Host Management Page?
- Use the Filter Bar at the top to search for a specific host
- Click Default Filters to view a more targeted list
- Choose the columns that appear on the Host Management page by clicking the column selection button on the right side of the screen
- Use filters to narrow down to a specific type or category of host, then assign those hosts to dynamic or static groups accordingly
How to disable detections for a host?
- Click Disable Detections
**Helpful for users who want to set up hosts to test detections in the Falcon Console
Explain the effect of disabling detections on a host
- The feature only suppresses detections for the host. It does not disable the sensor or interfere with the sensor's ability to protect the host.
- The sensor continues to operate normally, except that detections for the host do not appear in the Activity > Detections feed
- Activity related to the host is still factored into Activity > Incidents
- Configurations for prevention policies, prevention hash rules, exclusion rules, etc. that are applied to the host are still processed normally
Explain the impact of reduced functionality mode (RFM).
RFM: Safe mode for the sensor that prevents compatibility issues if the host's kernel is uncertified.
- Sensors in RFM temporarily unhook from some kernel elements; without those elements, some detection patterns and a small number of preventions will not be triggered
How to find hosts in RFM?
- Falcon Console > Dashboards > Executive Summary lists a count of sensors in RFM
- Falcon Console > Investigate: SensorHeartBeat events generated by the sensor contain the value SensorStateBitMap_Decimal; use that value to see if the sensor is in RFM
- Endpoint Activity Monitoring (EAM) queries report a list of hosts in RFM
How to find inactive sensors?
- Accounts Overview dashboard: review accounts last logged in more than 2 weeks ago. Click a bar in the chart to open a table of accounts that successfully logged in within that time frame.
**Users with Falcon Admin role can clean up inactive or duplicate hosts by deleting them.
How long are inactive sensors retained in order to define an organization’s data backup plan?
- Inactive endpoints will automatically be removed from the CrowdStrike cloud console after 45 days of inactivity
Which reports are used when reporting on information relating to a host?
- Scheduled Reports
Explain the importance of understanding a company’s insight data retention timeframe
- Falcon Insights
**Tools to better evaluate the risks and threats to which the network is exposed, enhancing the organizational security posture
- Lack of data retention
**Cannot look back in time to investigate in case of an incident
What are some examples of Host Management groups created based off filters?
Host Management groups can be created based on filters such as:
- Platform
- OS
- OU
- Site
- Type
- Containment Status
- Grouping Tags
Explain what effect the Falcon console takes when disabling detections on a host
Falcon Console Impact:
- Detections for the host are removed from the console immediately
**No new detections will display in the console going forward unless detections are re-enabled
Explain what effect the API takes when disabling detections on a host
API Impact:
- DetectionSummaryEvent stops being sent to the Streaming API for that host
Explain what effect the Event Search takes when disabling detections on a host
Event Search Impact:
- After disabling detections, data for all detections that existed before detections were disabled will still be in Event Search
Why might RFM be used on a Windows host?
Windows:
- RFM happens around security updates
**If security updates are applied within the first 48 hours, machines will go into RFM
What is the difference between a Windows and Linux host entering RFM?
Windows and Linux sensors can enter RFM, but RFM behaves differently on each platform:
- When a Windows sensor enters RFM, it still actively monitors your system, reports events, and triggers detections, but at a reduced capacity
- On Linux, RFM is a full STOP
What use value does the host have to have to show the sensor is in RFM?
- If the value is 2, the sensor is in RFM
What use value does the host have to have to show the sensor is NOT in RFM?
- If the value is 0, the sensor is not in RFM
Use EAM query to verify that sensors have….
Use an EAM query to verify that sensors have:
- The current OS Feature Manager (OSFM) certification file
Where are OSFM certification files located on the host?
If you'd prefer to verify the file version on the host:
- OSFM cert files are located in the CrowdStrike directory: SystemRoot > CrowdStrike etc.
How are inactive hosts identified?
- Inactive hosts are identified by their "Last Seen" time
When does a host become inactive?
- A host becomes inactive when its sensor doesn't send a heartbeat back to the cloud for 2 minutes
Why are Scheduled Reports significant?
- Provides automatic, recurring updates of the data that matters most to you
- Download and share scheduled reports, and receive a notification each time a new report is available
- Can get a weekly summary of hosts in the environment and a count of hosts with critical vulnerabilities
- Monthly snapshot of the Executive Summary dashboard
What roles are required to generate Scheduled Reports?
Roles required:
- Scheduled Report Administrator
- Falcon Administrator and Intel Admin
- Scheduled Report Analyst
**All other roles can create scheduled reports, view/manage scheduled reports, and download/delete reports generated from scheduled reports.
What are the capabilities that Scheduled Reports generates?
- Schedule automated generation of Private/Shared/Preset Dashboards
**Can also schedule reports with data from the Host Management page
- Can select a start/end date for reports
**A date to begin running the scheduled report and a date to stop running the report
- Can run reports daily, weekly, or monthly
- Can send notifications of newly generated reports to individual users by email, or to groups of users through Slack, PagerDuty, Microsoft Teams, or Webhook
- Can use dashboards to view active sensor count, cloud sensor hourly usage average, hourly cloud usage, sensor usage by cloud, and cloud workload hours for a specified time period
Why might RFM be used for a Linux host?
Linux:
- RFM happens with unsupported or incompatible kernel versions
**If the kernel is updated within the first 10 days, machines will go into RFM
How does a Linux host in RFM return to full functionality?
- Update the kernel when a new one is released to stay on supported Linux OS and kernel versions
How does a Windows host in RFM return to full functionality?
- Security updates applied to machines after 48 hours will not affect your machines
**CS certifies compatibility and releases it through the cloud
What CS cloud version are most US customers connected to?
- US-1
**ts01-b.cloudsink.net, lfodown01-b.cloudsink.net
What CS cloud version are EU customers connected to?
- EU-1
**ts01-lanner-lion.cloudsink.net, lfodown01-lanner-lion.cloudsink.net
What CS cloud version are most GOV/SLED customers connected to?
- US-GOV-1
**ts01-laggar-gcw.cloudsink.net, lfodown01-laggar-gcw.cloudsink.net
What CS cloud version are US customers connected to as a secondary?
- US-2
**ts01-gyr-maverick.cloudsink.net, lfodown01-gyr-maverick.cloudsink.net