MISC Flashcards
What is the Falcon Sensor
A lightweight agent you install on each device – when a device has a Falcon sensor installed, we call that device a “host”.
What does a Falcon Sensor do?
Each sensor detects and prevents malicious activity on a host, according to policies that you’ll configure later.
What are the differences between IOA and IOC?
IOA involves multiple actions over time. IOA = real time, proactive
IOC: digital evidence that a cyber incident has occurred.
**Intelligence is gathered by security teams in response to speculations of a network breach or during scheduled security audits.
What are the differences between EDR vs NGAV?
EDR is detecting after an incident has occurred (IOC/IOA).
NGAV tries to prevent an action from compromising the endpoint.
**AV systems that solely rely on IOC- or signature-based methods don’t get the job done. Endpoint Detection systems that rely on IOA (Indicators of Attack) are good, as they alert on suspicious activities before a compromise can occur.
Can a host that is not part of a group get a policy?
A host that is NOT in a group CANNOT get assigned a policy
How many prevention policies can be created at a time?
Can have 100 custom prevention policies
How many hosts can be issued tags at a time?
Can add tags to up to 1000 hosts at a time
How many hosts can be added to a static host group at a time?
Can add up to 1,000 hosts to a static host group at a time
How to access the Sensor Policy Daily Report?
Investigate > Sensors > Sensor Policy Daily Report
**Shows update policies/all policies
**Updated Daily
What does Sensor ML do?
Sensor ML – Identifies/analyzes unknown exe (hosts offline or online)
What does Cloud ML do?
Cloud ML – Real time malware detection/prevention (Hosts online)
How to see which hosts are in RFM?
Executive Summary > Sensors > Sensor Health (see all hosts in RFM)
**Can also go to Investigate (sensor heartbeat events), if value is 2, sensor is in RFM. If value is 0, sensor is not in RFM
Define an asset?
Asset: Any hardware or virtual machine – a laptop or server
Define confidence?
Confidence: Likelihood that an unmanaged or unsupported asset is a corporate asset rather than an asset that does not belong to you but is simply nearby (smartphone)
How to disable detections?
Host Management > Host > Disable
How to check which sensor version is loaded onto a host?
Shows up under host management/sensor health
Define a managed asset?
Asset that has Falcon sensor installed, also called a host
Define an unmanaged asset?
Asset that CAN have Falcon sensor installed, but does not
Define an unsupported asset?
Unsupported Asset: Asset that can’t have a Falcon sensor installed, like a printer
What are the steps to onboard a customer with the Falcon Console?
- Set up Users
- Implementation Planning and configuration requirements
- Configure SSO
**Optional - Configure Alerts
- Create Phase 1 Prevention Policies
- Create Sensor Update Policies
- Configure MDM Profiles
**Used to deploy Mac Sensors
**Optional - Configure OAuth2 for APIs
**Optional - Install Sensors
- Set up Host Groups
- Assign Policies to Host Groups
- Monitor and Triage Detections
- Advance Prevention Policies
- Access Support
Premium support content in the support portal is only available to which customers?
- Express
- Essential
- Elite
What can you find in the support portal?
- Tech-based alerts based on your cloud URL
- Product-based release notes
- Chat
- Upcoming events and webinars
- Service level agreement
How to access the support portal?
- Falcon menu > Support and Resources