IOC MANAGEMENT Flashcards
How to configure a custom IOC?
-Falcon Console > Configuration > Detections Management > IOC Management – full list of custom IOCs appears
Refine list of results as needed:
-Apply filters:
-Click filter at top of list, or click More Filters to see additional filtering options
-Select or clear the filter-specific metadata options and then click Apply
-Search by keyword:
-Click Search Indicators
-Type keyword, and then click "Apply"
-Specify which columns are visible:
-Click Toggle table columns
-Select checkboxes for columns you want to see
-Click any indicator to see additional details
Custom IOC
- Add your own IOC to gain visibility, while adding false positives to allowlist and adding executables to blocklist for a tailored environment
- When you successfully add a value for a custom IOA and test, confirmation appears in the UI
- If you add an exclusion to the rule, an error indicating that the test string no longer matches is shown
-When adding custom IOCs, you can either:
-Manually specify IOC metadata values
-Import a file that contains IOCs and metadata values
**Can be useful for importing previously exported IOCs that contain metadata
When you successfully add a value for a custom IOA and test, what happens next?
-A confirmation appears in the UI
If you add an exclusion to a rule, what will happen?
-An error indicating that the test string no longer matches is shown
Custom IOCs can be used to add…
- False positive detections to your allowlist
-Applications to blocklist (prevent executions in your environment)
What actions will the sensor take when it encounters an indicator on a host?
-Block (Add indicator to blocklist and show detection)
-Block, Hide Detection (Block and detect indicator, but hide it from Activity > Detections)
-Detect Only (Show indicator as a detection and take no other action)
-Allow (Add indicator to allowlist and do not detect it)
-No Action (Save indicator for future use but take no action)
If you want Falcon to observe custom IOCs, what MUST happen first?
-Upload indicators and specify the action the sensor
**will take if indicators are observed on hosts
If you assign a Block action to a hash, what also needs to happen?
-Must also enable Custom Blocking in Prevention policies
**Blocks any processes matching hashes that you add to custom IOCs with a Block action
What roles can view custom IOC/audit logs?
-Falcon Analyst
-Falcon Analyst Read Only
-Falcon Security Lead
-Falcon Investigator
What roles can add/manage custom IOCs?
-Falcon Admin
-Detection Exception Manager
What indicates when an IOC was last detected executing in an environment?
-The "Last seen on" value indicates when an IOC was last detected executing in an environment
How can you view indicators or refine results?
-View indicators or refine results through:
-Sorting
-Filtering
-Searching by keyword
-Specifying which columns are visible