HOST MANAGEMENT Flashcards
How might filtering be used in the Host Management Page?
- Use Filter Bar at the top to search for a specific host
- Click Default Filters to view a more targeted list
- Choose the columns that appear on the Host Management page by clicking the column selection button on the right side of the screen.
- Use filters to filter down to a specific type of host or category, then assign those hosts to dynamic or static groups accordingly
How do you disable detections for a host?
- Click Disable Detections
**Helpful for users who want to set up hosts to test detections in the Falcon Console
Explain the effect of disabling detections on a host
- Feature only suppresses detections for the host. Feature does not disable sensor or interfere with sensor’s ability to protect the host.
- Sensor continues to operate normally except detections for host do not appear in Activity > Detections feed
- Activity related to hosts is still factored into Activity > Incidents
- Configurations for prevention policy, prevention hash rules, exclusion rules, etc. that are applied to a host are still processed normally
Explain the impact of reduced functionality mode (RFM).
RFM: Safe mode for the sensor that prevents compatibility issues if the host’s kernel is uncertified.
- Sensors in RFM temporarily unhook from some kernel elements – without those elements, some detection patterns and a small number of preventions will not be triggered
How do you find hosts in RFM?
- Falcon Console > Dashboards > Executive Summary lists a count of sensors in RFM
- Falcon Console > Investigate: view the SensorHeartBeat events generated by the sensor; they contain the value SensorStateBitMap_Decimal – use this value to see if the sensor is in RFM.
- Endpoint Activity Monitoring (EAM) queries to report a list of hosts in RFM
How do you find inactive sensors?
- Accounts Overview dashboard – review accounts last logged in more than 2 weeks ago. Click a bar in the chart to open a table of accounts that successfully logged in within that time frame.
**Users with Falcon Admin role can clean up inactive or duplicate hosts by deleting them.
How long are inactive sensors retained in order to define an organization’s data backup plan?
- Inactive endpoints will automatically be removed from the CrowdStrike cloud console after 45 days of inactivity
Which reports are used when reporting on information relating to a host?
- Scheduled Reports
Explain the importance of understanding a company’s insight data retention timeframe
- Falcon Insights
**Tools to better evaluate the risks and threats to which the network is exposed, enhancing the organizational security posture
- Lack of data retention
**Cannot look back in time to investigate in case of an incident
What are some examples of Host Management groups created based on filters?
Host Management groups can be created based on filters such as:
- Platform
- OS
- OU
- Site
- Type
- Containment Status
- Grouping Tags
Explain the effect on the Falcon console when disabling detections on a host
Falcon Console Impact:
- Detections for the host are removed from the console immediately
**No new detections will display in the console going forward unless detections are enabled again
Explain the effect on the API when disabling detections on a host
API Impact:
- DetectionSummaryEvent stops being sent to the Streaming API for that host
Explain the effect on Event Search when disabling detections on a host
Event Search Impact:
- After disabling detections, data for all detections that existed before detections were disabled will still be in Event Search
Why might RFM be used on a Windows host?
Windows:
- RFM happens around security updates
**If security updates are applied within the first 48 hours, machines will go into RFM
What is the difference between a Windows and Linux host entering RFM?
Windows and Linux sensors can enter RFM, but RFM behaves differently on each platform:
- When the Windows sensor enters RFM, it still actively monitors your system, reports events, and triggers detections, but at a reduced capacity
- Linux is a full STOP