📖 About this Domain
The Investigation domain focuses on core analyst workflows within the Falcon platform. It covers triaging detections, analyzing process trees, and using event data to understand the full attack lifecycle. This domain is about moving from a single alert to a comprehensive understanding of the incident.
🎓 What You Will Learn
- Learn to dissect detection details, including MITRE ATT&CK tactics, techniques, and severity levels.
- Learn to navigate the process timeline graph to trace adversary execution flow and command-line activity.
- Learn to query raw endpoint data using Event Search and basic Splunk Processing Language (SPL) syntax.
- Learn to pivot between detections, host details, and user information to correlate related security events.
🛠️ Skills You Will Build
- Build proficiency in scoping incidents by analyzing process data, network connections, and file modifications.
- Build the ability to construct targeted SPL queries for threat hunting and IOC searching.
- Build skills in alert triage to rapidly identify true positives and escalate high-fidelity detections.
- Build the capability to reconstruct an attack narrative by linking disparate event data points within the Falcon UI.
💡 Top Tips to Prepare
- Practice navigating the process tree for various detection types to master visual analysis of execution chains.
- Memorize common SPL commands like `search`, `stats`, `table`, and `where` for effective event searching.
- Understand how to pivot from a hash or IP address in a detection to a global search across all endpoints.
- Focus on the relationship between a high-level detection and the underlying raw event data that generated it.
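An added illustration, not part of the original guide, of the hash and IP pivots mentioned above (and of the ProcessRollup2 / NetworkConnectIP4 query practice tip later on this page): two Event Search queries, the first listing every host and command line that executed a file by SHA256, the second listing every host that connected to a given IP. The two angle-bracket values are placeholders to replace with the indicators from the detection; the field names are assumed from Falcon's standard event schema.

```spl
event_simpleName=ProcessRollup2 SHA256HashData="<sha256-from-detection>"
| stats count min(_time) AS first_seen max(_time) AS last_seen values(CommandLine) AS command_lines BY ComputerName, FileName
| convert ctime(first_seen) ctime(last_seen)

event_simpleName=NetworkConnectIP4 RemoteAddressIP4="<ip-from-detection>"
| stats count min(_time) AS first_seen max(_time) AS last_seen BY ComputerName, aid, RemotePort
| convert ctime(first_seen) ctime(last_seen)
```

Run each query separately; the first_seen / last_seen columns give the scope of the activity across endpoints, and a host count higher than the one in the detection is the signal to widen the incident. To attribute the network connection to a process, join ContextProcessId_decimal from NetworkConnectIP4 to TargetProcessId_decimal in ProcessRollup2 on the same aid.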
📖 About this Domain
The Visibility and Detections domain covers how the Falcon sensor provides deep visibility into endpoint processes, network connections, and file writes. It explores how the Falcon platform leverages this telemetry to generate and manage detections. This is central to understanding threat activity within the console.
🎓 What You Will Learn
- Navigate the Investigate app to query raw endpoint event data using Splunk Search Processing Language (SPL).
- Differentiate between various detection types, including Indicators of Attack (IOAs), machine learning (ML) detections, and custom IOCs.
- Analyze the process tree and associated event data within a detection's details to understand the full attack narrative.
- Manage the detection lifecycle by assigning ownership and updating detection statuses within the Falcon console.
🛠️ Skills You Will Build
- Perform proactive threat hunting by building complex queries in the Investigate app to search for suspicious endpoint activity.
- Triage new detections efficiently by analyzing process trees and event details to determine severity and validity.
- Scope the impact of a detection by examining related host events, network connections, and file modifications.
- Deconstruct detection logic to understand why an alert was triggered by the Falcon platform's analytics engine.
💡 Top Tips to Prepare
- Practice building queries in Event Search, focusing on common event types like `ProcessRollup2` and `NetworkConnectIP4`.
- Familiarize yourself with every component of the detection details page, especially the process tree and MITRE ATT&CK mapping.
- Memorize the detection workflow and the specific meaning of each status, such as True Positive versus False Positive.
- Clearly distinguish between behavior-based Indicators of Attack (IOAs) and static Indicators of Compromise (IOCs).
📖 About this Domain
This domain covers the configuration and management of endpoint protection within the CrowdStrike Falcon console. It focuses on prevention policies, Falcon sensor deployment, and host grouping to enforce security controls across the enterprise.
🎓 What You Will Learn
- You will learn to create, clone, and assign prevention policies for Windows, macOS, and Linux hosts.
- You will learn the methods for Falcon sensor deployment and the configuration of sensor update policies.
- You will learn to implement static and dynamic host groups for targeted policy application.
- You will learn how to configure Machine Learning (ML) and Indicator of Attack (IOA) exclusions to manage false positives.
🛠️ Skills You Will Build
- You will build the skill to tune prevention policy settings to align with organizational security posture.
- You will build the skill to manage the Falcon sensor lifecycle, from installation to version control.
- You will build the skill to architect a scalable host grouping strategy for efficient policy management.
- You will build the skill to analyze detection events and apply precise exclusions without creating security gaps.
💡 Top Tips to Prepare
- Master the prevention policy precedence logic to predict which policy will apply to a host.
- Understand the criteria and syntax used for creating dynamic host groups based on host attributes.
- Memorize the different sensor update options, including N-1 versioning and automatic updates.
- Differentiate between the various exclusion types and their specific use cases in the Falcon UI.
📖 About this Domain
This domain introduces the core architecture of the CrowdStrike Falcon platform. It covers the interaction between the lightweight Falcon sensor, the cloud-native backend, and the Threat Graph. Understanding these foundational components is essential for a Falcon administrator.
🎓 What You Will Learn
- You will learn the Falcon platform's architecture, including the role of the sensor, the cloud, and the Threat Graph.
- You will learn the process for deploying the Falcon sensor and managing sensor versions via update policies.
- You will learn to manage endpoints by creating and utilizing static and dynamic host groups.
- You will learn to navigate the Falcon console, including key applications like Activity, Investigate, and Host Management.
🛠️ Skills You Will Build
- You will build the skill to navigate the Falcon UI to find host details, detections, and policy settings.
- You will build the ability to deploy the Falcon sensor and verify its connection to the CrowdStrike cloud.
- You will build proficiency in configuring and assigning prevention, sensor update, and response policies to host groups.
- You will build the skill to organize hosts using grouping and tagging for efficient policy enforcement.
💡 Top Tips to Prepare
- Gain hands-on experience navigating the Falcon console, specifically the Host Management and Configuration apps.
- Understand the hierarchy and inheritance model for applying policies to different host groups.
- Memorize the key differences between static and dynamic host groups and their use cases.
- Review the functions of core components like the lightweight agent and the Threat Graph, as they are frequently tested.
📖 About this Domain
This domain covers the use of Falcon platform tools for post-detection actions. It focuses on containing active threats and remediating compromised hosts. Core functions include network containment, file quarantine, and Real Time Response (RTR).
🎓 What You Will Learn
- Learn to apply network containment to an endpoint to stop lateral movement and isolate the threat.
- Learn to quarantine malicious files associated with a detection to neutralize the payload.
- Learn to initiate a Real Time Response session to gain shell access for deep remediation.
- Learn to configure response policies to manage containment and RTR capabilities for host groups.
🛠️ Skills You Will Build
- Build the skill to execute network containment on a host directly from a detection or host record.
- Build proficiency in using RTR commands to terminate malicious processes and delete persistence mechanisms.
- Build the ability to leverage RTR to run custom scripts for automated remediation tasks on an endpoint.
- Build the skill to manage response actions at scale by correctly configuring and applying response policies.
💡 Top Tips to Prepare
- Practice core RTR commands like `get`, `put`, `runscript`, and `kill` to understand their syntax and output.
- Understand the operational difference and impact between containing a host and quarantining a file.
- Memorize the navigation path to enable RTR and network containment within a Response policy.
- For practice detections, map out the exact sequence of response actions you would take in the Falcon UI.