<p>27/04/2023, 13:18 Incident and Detection Monitoring | Monitoring | Endpoint Security | Documentation | Support and resources | Falcon</p><p>https://falcon.crowdstrike.com/documentation/69/incident-and-detection-monitoring 1/36</p><p>Incident and Detection Monitoring</p><p>Last updated: April 25, 2023</p><p>Overview</p><p>The Falcon console provides information to help you understand your organization's overall security and take faster action against advanced threats on your hosts.</p><p>Track your CrowdScore to see the likelihood that your organization is under attack.</p><p>Monitor detections to understand the processes involved in individual suspicious files or behaviors.</p><p>Prioritize incidents for investigation. A more comprehensive approach to identifying possible attacks, incidents are made up of related detections and processes. They also include contextual detections that are not shown in Endpoint security > Monitor > Endpoint detections.</p><p>Contents:</p><p>Overview</p><p>Requirements</p><p>Understanding the information in the Activity app</p><p>What is the relationship between events, detections, incidents, and your CrowdScore?</p><p>Understanding your CrowdScore</p><p>Understanding incidents</p><p>Understanding detections</p><p>MITRE-Based Falcon Detection Framework</p><p>Working through an incident</p><p>Triaging incidents</p><p>Editing incidents</p><p>Updating the detections involved in an incident</p><p>Investigating an incident through different views</p><p>Incident tabs: Investigating and responding to incidents</p><p>Working through mobile detections</p><p>Viewing mobile detections</p><p>Modifying mobile detections</p><p>Working through a detection in Endpoint detections</p><p>Filter, group, and sort detections</p><p>Objective icons</p><p>Process views</p><p>Monitor custom IOA detections and preventions</p><p>How detections are recorded</p><p>Detections keyboard shortcuts</p><p>Detections accessibility keyboard shortcuts</p><p>Process tree keyboard shortcuts</p><p>Review quarantined files</p><p>Release a file</p><p>Undo a released file</p><p>Download a file</p><p>File extraction FAQ</p><p>Delete a file</p><p>Review remediations</p><p>Accessing Remediations</p><p>Review remediation actions taken on a detection</p><p>Requirements</p><p>Subscription: Falcon Insight XDR; Falcon Prevent is required for prevention</p><p>Sensor support: all supported versions of the Falcon sensor for macOS, Windows, and Linux</p><p>Incidents and Detections in Activity: all supported versions of the Falcon sensor for macOS, Windows, and Linux</p><p>Mobile detections in Investigate: 2020 and later versions of the CrowdStrike Falcon apps for iOS and Android</p><p>System requirements: None</p><p>Roles: the Falcon Administrator, Falcon Security Lead, Falcon Investigator, and Falcon Analyst roles have permission to manage detections and incidents. For full details on the roles required to perform specific actions on detections and incidents, see Roles for Falcon Insight.</p><p>Understanding the information in the Activity app</p><p>What is the relationship between events, detections, incidents, and your CrowdScore?</p><p>Falcon monitors activity in your environment to identify suspicious files and behaviors and informs you about them in Activity. All collected data can be observed as events in Investigate. When a collection of events is considered noteworthy, probably because it is suspicious or malicious, the sensor triggers a detection. Adjust the detections you see through your prevention policy settings. Incidents bring together related detections, associated processes, and the connections between them to show the coordinated activity that you should prioritize for investigation. Your CrowdScore is built from your high-scoring incidents to present the current likelihood that your organization is under attack.</p><p>Understanding your CrowdScore</p><p>Your Current CrowdScore on the Activity dashboard represents the likelihood that hostile activity is going on against your organization. Your CrowdScore is on a scale of 0-100, and changes based on your current highest scoring incidents. The higher your CrowdScore, the greater the chance you’re facing a significant threat. If you see your score increase by 20% or more, pay attention and investigate. It might be cause for concern or indicate your organization has pen testing underway.</p><p>Note: At this time, edits to incidents, such as changing status or adding tags, don’t influence your CrowdScore.</p><p>Understanding incidents</p><p>What are incidents?</p><p>Incidents are made of detections, associated processes, and the connections between them, which can include parent-child relationships, thread injections, and lateral movement. Because attacks often consist of coordinated activity happening together on one or more hosts, incidents help you see important and relevant information more quickly.</p><p>Incidents can include, or be entirely composed of, detections that aren’t shown in Endpoint detections. 
Though these contextual detections don’t meet a threshold of significance for all environments on their own, the context of their relationship to the rest of the incident and how noteworthy they are to your organization mean they might be key pieces of an attack.</p><p>Not all detections shown in Endpoint detections are involved in incidents.</p><p>How are incidents scored?</p><p>The CrowdScore system weighs the evidence within each incident, and assigns an incident score on a scale of 0.1-10. Higher scores represent greater confidence that the activity involved indicates an attack.</p><p>CrowdScore incidents as XDR detections</p><p>You can investigate a CrowdScore incident in both the CrowdScore incidents view and the XDR detections view.</p><p>While investigating an incident in the XDR detection view, you can see the CrowdScore-related incident information in the context of all other available XDR data across your data domains, including data that originates from the Falcon platform and data that originates from supported third parties.</p><p>CrowdScore incidents as XDR detections can be triaged, assigned, or investigated more deeply.</p><p>Important: Any action that you take on a CrowdScore incident in one context isn’t reflected in the other context. For example, if you change the status of a CrowdScore incident in the XDR detection view, its status isn’t also changed in the CrowdScore incident view.</p><p>You can create a Falcon Fusion workflow based on CrowdScore incidents. 
However, the workflow trigger must be from the CrowdScore incident context, not the XDR detection context. To create a workflow based on CrowdScore incidents, select a workflow trigger of New incident.</p><p>For more info about XDR detections, see Extended Detection and Response (XDR).</p><p>View a CrowdScore incident as an XDR detection</p><p>1. Go to Endpoint security > CrowdScore incidents.</p><p>2. In the list of incidents, click the incident that you want to view. The incident summary appears.</p><p>3. Click See full incident. The full incident details appear.</p><p>4. Click Go to XDR detection. The incident appears as an XDR detection, where you can take additional actions from the detection’s Actions menu:</p><p>Investigate events: Pivot to XDR search and view the associated events.</p><p>Go to CrowdScore incident: Pivot to the CrowdScore incident context.</p><p>Edit status: Change the detection’s status, assign the detection to a user, or manage detection tags.</p><p>Add comment: Add a descriptive comment about the detection.</p><p>Note: You can also view CrowdScore incidents alongside XDR detections at Endpoint security > Monitor > XDR detections.</p><p>Understanding detections</p><p>What are detections?</p><p>The console provides information about suspicious files and behaviors in the form of individual detections. You will see detections on a range of activities from the presence of a bad file (indicator of compromise (IOC)) to a nuanced collection of suspicious behaviors (indicator of attack (IOA)) occurring on one of your hosts.</p><p>How are detections triggered?</p><p>Most detections are triggered based on your prevention policy settings, which also control which detected activities are prevented if you have Falcon Prevent. 
Learn more about the behind-the-scenes details of how Falcon determines when to alert you about detections in How detections are recorded.</p><p>MITRE-Based Falcon Detection Framework</p><p>CrowdStrike aligns with MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) matrix to label our detections. ATT&CK is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risks against known adversary behavior, planning security improvements, and verifying defenses work as expected.</p><p>Tactic and technique details are provided for each Falcon detection to allow you to more fully understand security risks against known adversary behavior, plan for security improvements, and verify your defenses work as expected. Our objective layer groups related tactics to make them easier to understand, remember, and visualize in the console (see Objective icons).</p><p>The Falcon Detection Methods (FDM) matrix provides useful information about activities that don’t map directly to the ATT&CK matrix. The FDM tactics and techniques highlight behavior we consider suspicious and malicious, and worth investigating. It’s not an exact parallel to ATT&CK, but that structure is used to match workflows with the ATT&CK-aligned detections. 
Read more about objectives, tactics, and techniques in MITRE-Based Falcon Detection Framework.</p><p>Working through an incident</p><p>Falcon console’s incident pages are designed to help you investigate, contain, and respond to attacks faster:</p><p>Incident notifications by email, Slack, PagerDuty, or webhook can let members of your organization know about new incidents when you aren't in the console. See Falcon Notifications for more information on Falcon's notification options.</p><p>See incident scores and basic facts to triage incidents on CrowdScore incidents (Endpoint security > Monitor > CrowdScore incidents).</p><p>Assign, tag, and update the status of incidents in the Edit incident panel.</p><p>Use and customize the detailed incident views to understand the relationships between detections and processes and the timeline they form.</p><p>Open incident tabs within incident views to see more information about processes, hashes, and more. Use these tabs to pivot to other actions, including launching searches and performing remediation actions like host containment and Real Time Response.</p><p>Pivot to view an incident as an XDR detection that can be triaged, assigned, or investigated more deeply. 
View the incident within the context of all available XDR data across your data domains, including data that originates from the Falcon platform and data that originates from supported third-party solutions.</p><p>For more info, see CrowdScore incidents as XDR detections.</p><p>Triaging incidents</p><p>From CrowdScore incidents (Endpoint security > Monitor > CrowdScore incidents), quickly gain context about the potential attack to understand how to prioritize work on each incident.</p><p>Begin getting answers to immediate questions:</p><p>What is the incident’s current Score? The higher the score, the greater the CrowdScore system’s confidence that the incident deserves your attention.</p><p>Note: Scores for active incidents are not static, and will change with new activity.</p><p>What tactics and techniques are involved in its Detections? Has any of this activity been killed or blocked?</p><p>Detections in an incident are shown in priority order based on whether they are found by OverWatch or involve a kill or block action.</p><p>What Hosts and users does the incident involve?</p><p>Is the attack still Active, according to the Timeline? When did it start, and how long has it been going on?</p><p>Note: Incidents are defined as inactive after an hour passes without any new related activity.</p><p>Is the Ticket’s status New? Is someone on your team assigned to work the incident? Is the work’s status In progress, Closed, or Reopened? 
Are there comments recorded?</p><p>Auto refresh option</p><p>The Auto refresh option gives you control over whether you automatically see new information as it comes in, or see it only when you manually refresh the page.</p><p>Enable Auto refresh to stay logged into the console as long as you are on the Activity > Incidents page. New incidents and data will be updated and displayed automatically.</p><p>Note: Depending on your sort order, automatic refreshes might shift the order of the incidents, and new incidents might appear on a different page than the one you are currently viewing.</p><p>The refresh rates are:</p><p>New incidents: every 15 seconds</p><p>New detections within incidents and incident score changes: every 30 seconds</p><p>Disable Auto refresh (default) to have the page remain static. You will see a message when new incidents and data are available.</p><p>Sorting and filtering incidents</p><p>Sort the list to see the incidents you want. 
For example, see currently active incidents at the top of the list using Sort by last activity.</p><p>Use the filter options to adjust which incidents are displayed.</p><p>To see only the incidents with lateral movement, apply the Lateral Movement tag filter.</p><p>Seeing more quick info about an incident</p><p>Click within an incident row in CrowdScore incidents (Endpoint security > Monitor > CrowdScore incidents) to open the Incident summary preview.</p><p>See basic information about the hosts involved and click the Network contain button to contain them quickly, if needed.</p><p>Scan the Incident timeline summary for information about each detection:</p><p>Click through to learn more about any tactic or technique.</p><p>Look into the detection’s command line:</p><p>Expand abbreviated command lines.</p><p>Copy each detection’s command line.</p><p>Decode or encode the command line from or to base64 format.</p><p>Editing incidents</p><p>Get organized by adding tags, assigning work, updating the incident status and more without leaving the main page.</p><p>Expand an incident’s menu and click Edit Incident.</p><p>In Edit Incident you can:</p><p>Update the Incident name; for example, make it match your ticket number.</p><p>Update the Description.</p><p>Change the incident’s Status to In progress, Closed, or Reopened.</p><p>Assign the investigation to an analyst in the Assigned to dropdown list.</p><p>Important notes for Falcon Flight Control and multi-CID deployments:</p><p>To assign incidents, you must have access to the CID where the incident was triggered and a role for viewing and assigning incidents in that CID.</p><p>The list of assignable users includes anyone with access to the CID and a role with permissions for managing incidents.</p><p>For security purposes, to see a user in the assignee list, you must have access to the user’s home CID with role permissions that allow you to view users in that CID.</p><p>Add Tags. Use default tags and add your own to call out an incident’s key details:</p><p>When closing an incident, apply the default tags, False positive, True positive, Ignored, and Testing, to track your conclusions and help the CrowdScore system adapt and improve.</p><p>Add your own tags to associate your own ticket numbers or workflow stages.</p><p>Add a comment to be added to the Incident timeline summary.</p><p>Note: CrowdScore incidents can also be viewed as XDR detections. Any action that you take on a CrowdScore incident in one context isn’t reflected in the other context. For example, if you change the status of a CrowdScore incident in the XDR detection view, its status isn’t also changed in the CrowdScore incident view. For more info, see CrowdScore incidents as XDR detections.</p><p>Updating the detections involved in an incident</p><p>When you edit the status or assignee of an incident in CrowdScore incidents, you have the option to change the status and assignee of each detection involved. You can also add comments about your updates. These updates will also appear in Endpoint detections.</p><p>1. In Edit incident, select Also edit status and assignee of all detections in this incident.</p><p>2. In Edit detections in this incident, fields are pre-populated, but you can edit and add comments as needed.</p><p>The Status and Assigned to fields for new and unassigned detections are populated to match the incident.</p><p>Detections that already have a status or assignee display their last edited time for visibility and are populated with their pre-existing values.</p><p>3. Click Update detections.</p><p>Your changes are saved, and will also appear in Endpoint detections.</p><p>Investigating an incident through different views</p><p>Choose from four different incident views that will help you understand the scope of and relationships involved in the attack.</p><p>Expand an incident’s menu and select a view.</p><p>Summary view: helpful for scanning comments, tags, and who’s assigned, the summary shows a high-level account of what’s involved in the incident. It’s a more focused view than expanding a row on the Activity > Incident page. You can also edit incidents here.</p><p>Table view: provides a straightforward view of all of the detections and processes involved in the incident. It’s similar to the Process Table view of detections.</p><p>Graph view: useful for exploring and understanding the relationship between the incident’s detections and processes. It’s a more dynamic version of the Process Tree view of detections.</p><p>Timeline view: scan an incident’s key events in chronological order as a first pass to see what stands out before diving deeper with an event search. 
It provides more comprehensive data and better filtering options than the Process Activity view of detections.</p><p>Filter incident by time</p><p>The Filter by time option allows you to see processes within a certain timeframe in the Graph, Table, and Events timeline views.</p><p>Adjust what's shown in the views by dragging the ends or dragging your selection. This greys out the detections and processes outside of your selected timeframe. Processes that were initiated prior to your selected timeframe will continue to be highlighted in the view as long as they are active.</p><p>Related processes that are outside of the incident’s official active period are also shown in incidents, and are always grey.</p><p>Legend options</p><p>Expand the Legend and use its options to highlight or grey out various elements in the incident’s Graph, Table, and Events timeline views:</p><p>See the Hosts involved, and click a hostname to open its host details tab.</p><p>Expand lists of Processes, Contextual detections, and Detections. Click a process or detection in these lists to highlight it in the Graph view and open its process details tab.</p><p>Highlight connections on the Graph and Events timeline views. 
Click a connection to open its connection details tab.</p><p>Color-code the Graph view to show which Users are associated with the detections and processes.</p><p>Expand the list of Process action types and click a type to highlight it.</p><p>Incident Graph view walkthrough</p><p>An incident’s Graph view shows you all of the detections and processes involved in the incident, plus the relationships between them.</p><p>Scan the graph’s icons to see which detections were blocked or killed and which are contextual. Roll over any detection or process to see quick info about it.</p><p>Understand the parent-child relationships of the incident’s detections and processes.</p><p>Note: Grayed-out processes occurred outside of the selected timeframe or outside of the incident’s active time window.</p><p>See which detections and processes are connected by thread injections.</p><p>Parent-child connections and processes that deserve extra scrutiny are shaded to match the color of the incident. For example, when a process has a start time after a detection was triggered on its parent, subsequent processes and detections are connected with shaded lines. These should be viewed with suspicion, as they were created by a process after a detection occurred.</p><p>In incidents that include lateral movement, see the connections between the source host and target hosts. Roll over a connection for more information about the lateral movement involved. Click it to open its connection details tab. 
For Lateral Movement accomplished using remote process execution techniques, connections are shown from the source host and the process initiated on the target.</p><p>For Lateral Movement accomplished through remote authentication, connections appear between the source and target hosts.</p><p>Incident tabs: Investigating and responding to incidents</p><p>Incident tabs show you deeper incident information, let you take quick actions on processes and hosts, and provide opportunities to pivot to searches. They display below all three incident views, letting you look into details without leaving your view of the incident as a whole.</p><p>Open multiple tabs to toggle between the info you need and close those you no longer need.</p><p>Use the icons on the right side of the tabs menu to maximize, minimize, or close all tabs.</p><p>Customize the size of the tabs. 
Roll over the top of the tabs menu to reveal the drag and drop option to make your tabs bigger or smaller.</p><p>Process details tabs</p><p>Access</p><p>Open the Process details tab for any process or detection by clicking on a process in the:</p><p>Table view</p><p>Graph view</p><p>Legend</p><p>Events timeline</p><p>Quick actions</p><p>Click the Real Time Response quick Kill process or Prepare file for download button to start a kill or get command workflow.</p><p>Note: To perform this action, you need an RTR role and the affected host must be assigned to a response policy that allows the command. Read more about Real Time Response policies and roles.</p><p>Launch an Investigate app Event search in a new browser tab.</p><p>Key info and pivots</p><p>Process details</p><p>See when the process began to run, how long it ran, or if it’s still running.</p><p>Command line and file path</p><p>Copy the detection’s Command line.</p><p>See whether the file is still running and copy the File path for investigation elsewhere.</p><p>Executable hash</p><p>Copy the hash for investigation elsewhere.</p><p>See hash info from Falcon Endpoint and Falcon Intel, if you have a Falcon Intel subscription. Hash info from Falcon Endpoint and Falcon Intel is displayed in separate tabs. 
To see more details, click See more in indicator graph.</p><p>Launch a search of the hash in a new browser tab:</p><p>Investigate app Hash Search</p><p>VirusTotal</p><p>Google</p><p>See the Associated MD5.</p><p>See hash info from available partner apps. Click the See more on [partner app] link to go to the app and see more details.</p><p>Host and user</p><p>See details about the associated host and user.</p><p>Process actions</p><p>Expand each process action type to see more info.</p><p>Click a domain or IP address link to view more info in a new tab:</p><p>See domain or IP address info from Falcon Endpoint and Falcon Intel, if you have a Falcon Intel subscription. Domain and IP address info from Falcon Endpoint and Falcon Intel is displayed in separate tabs. To see more details, click See more in indicator graph.</p><p>See domain and IP info from available partner apps. 
Click the See more on [partner app] link to go to the app and see more details.</p><p>Detections</p><p>Click any tactic or technique to learn more.</p><p>Host tab</p><p>Access</p><p>Open a Host tab by clicking the host name or icon in the:</p><p>Graph view</p><p>Table view</p><p>Legend</p><p>Events timeline</p><p>Quick actions</p><p>Launch an Investigate app Host Search in a new browser tab</p><p>Click Connect to host to open a Real Time Response session</p><p>Change the host's network containment status</p><p>Key info and pivots</p><p>See essential details about the host such as its ID, OS, and IP Address.</p><p>Connection details tab</p><p>Access</p><p>Open the connect details tab for thread injections or lateral movement connections by clicking on a connection in the:</p><p>27/04/2023, 13:18 Incident and Detection Monitoring | Monitoring | Endpoint Security | Documentation | Support and resources | Falcon</p><p>https://falcon.crowdstrike.com/documentation/69/incident-and-detection-monitoring 15/36</p><p>Graph view</p><p>Legend</p><p>Events timeline</p><p>Quick actions</p><p>Take action on the source host where the connection originated:</p><p>Launch an Investigate app Host search in a new browser tab.</p><p>Click Connect to host to start a real time response or use the Real Time Response quick Kill process or Prepare file for download button to start a kill or</p><p>get command workflow.</p><p>NOTE: To perform this action, you need an RTR role and the affected host must be assigned to a response policy that allows the command.</p><p>top</p><p>Key info and pivots</p><p>Hosts</p><p>See essential details about the hosts involved such as ID, OS, and IP Address.</p><p>Command line and file path</p><p>Copy the detection’s Command line</p><p>See whether the file is still running and copy the File path for investigation elsewhere</p><p>Executable hash</p><p>Copy the hash for investigation elsewhere</p><p>See hash info from Falcon Endpoint and Falcon Intel, if you have a 
Falcon Intel subscription. Hash info from Falcon Endpoint and Falcon Intel is displayed in</p><p>separate tabs. To see more details, click See more in indicator graph.</p><p>Launch a search of the hash in a new browser tab:</p><p>Investigate app Hash Search</p><p>VirusTota</p><p>27/04/2023, 13:18 Incident and Detection Monitoring | Monitoring | Endpoint Security | Documentation | Support and resources | Falcon</p><p>https://falcon.crowdstrike.com/documentation/69/incident-and-detection-monitoring 16/36</p><p>Google</p><p>See the Associated MD5</p><p>See hash info from available partner apps. Click the See more on [partner app] link to go to the app and see more details.</p><p>Working through mobile detections</p><p>View detections from Android and iOS hosts in Mobile detections (Endpoint security > Monitor > Mobile detections).</p><p>You can perform these actions on mobile detections:</p><p>View detection details, such as the user and mobile host involved.</p><p>Update the detection status.</p><p>Assign the detection to a user for further investigation or resolution.</p><p>Add tags or comments to the detection.</p><p>You can also create custom alerts to send email notifications when specific detections are found. For more info, see Custom alerts.</p><p>Note: Mobile detections appear in the Falcon console for 90 days after they're generated. After 90 days, mobile detections aren’t guaranteed to be</p><p>retained.</p><p>Viewing mobile detections</p><p>The Mobile Detections page displays the list of detections found on Android and iOS devices. You can search or filter the list and view details for individual</p><p>detections.</p><p>�. Go to Mobile detections (Endpoint security > Monitor > Mobile detections).</p><p>�. Use the Search or filter menus to find specific types of detections. Type the search criteria or select the filter and then click Apply.</p><p>�. Click a detection to display the summary panel.</p><p>�. 
To view full details of a detection, select Actions > View details or click See full detection.</p><p>Modifying mobile detections</p><p>Update the status, assign a user, or add tags and comments to mobile detections.</p><p>1. Go to Mobile detections (Endpoint security > Monitor > Mobile detections).</p><p>2. Select one of these options:</p><p>Modify a single detection: Locate the detection and from the action menu, select Edit detection.</p><p>Tip: You can also modify a detection from the summary panel by using the Actions menu.</p><p>Bulk modify detections: Select the detections and click Edit.</p><p>3. Modify the detection as needed.</p><p>Use the Status and Assigned to menus to change the status or assign a user.</p><p>Enter a new tag or remove existing tags using the Detection tags field.</p><p>Enter a comment in the Add comment field.</p><p>4. 
Click Update detections.</p><p>Working through a detection in Endpoint detections</p><p>For detections on Windows, macOS, and Linux hosts, Falcon provides information in the Activity App with viewing options to help you understand the actions an adversary might be taking in your environment.</p><p>For cloud hosts protected by Falcon Horizon, the Activity App displays indicators of misconfiguration (IOM) revealed by cloud security posture checks. The info panel gives you detection and visibility coverage across all hosts, combining agent-based and agentless protection.</p><p>The Activity dashboard provides a bird’s-eye view of your environment.</p><p>Review the Most recent detections area for a quick view of recent detections. Objective icons show the severity of the detection and whether the activity was blocked, killed, or is an OverWatch alert.</p><p>Look at the Detections by Tactic graph to see the tactics identified in your environment over the past 30 days to help identify trends. 
Roll over the bars in the graph to see quick details.</p><p>Filter, group, and sort detections</p><p>A typical workflow in the Activity app starts on the Endpoint detections page (Endpoint security > Monitor > Endpoint detections).</p><p>Zero in on the detections you want to see using the Falcon console’s filtering and sorting capabilities.</p><p>At the top of the Detections page, filters make it easier to search for detections in the list. Use the popular filters displayed in the category columns shown, or click Type to filter to pick from all available categories. Add multiple filters to narrow down the scope of your list. Click the X to the right of any filter to remove it. Click the X at the far right of the field to remove all filters.</p><p>Organize your filtered list of detections with the Grouped by and Sort by dropdown menus to more easily triage and resolve similar detections in bulk.</p><p>For example, go to the Detections page to look into the newest and most critical activity and discover any patterns emerging in the tactics observed:</p><p>To see only the latest detections, under Status, click New to filter the list.</p><p>To see the filtered detections grouped by the tactics involved in each, select Grouped by Tactic. 
To expand the list of individual detections, click the group.</p><p>To see the most prevalent tactic at the top of the list, use Sort by most detections.</p><p>View more details about a detection</p><p>Click any detection row: the Execution Details panel opens on the right and an expanded view of all processes involved in the detection appears in the table.</p><p>In Execution Details, learn about the specific detection and click through to more information about the tactic, technique, and objective used in each detected action. Discover what prevention actions Falcon took, if any, and get details about the commands, executables, and files involved.</p><p>Under Network Operations and DNS Requests, click the RiskIQ icon next to IP Addresses and Domains to open the RiskIQ website in a new tab and gain full context on a detection’s network-based indicators.</p><p>Under Vulnerabilities on Host, see how many vulnerabilities are present on the host. View the host’s risk posture at a high level alongside the detection info, including:</p><p>the number of critical and high vulnerabilities</p><p>recommended remediations</p><p>vulnerable products</p><p>the last time the host was patched</p><p>Click one of these items to see more info in Falcon Spotlight. To see this information, you need a Falcon Spotlight subscription and either the Falcon Administrator or Vulnerability Manager role.</p><p>Under Cloud Security Posture, see how many critical-, high-, medium-, and low-severity misconfigurations are present on a cloud-based host. Click one of these items to see more info in Falcon Horizon. 
To see this information, you need a Falcon Horizon subscription and either the Horizon Admin, Horizon Analyst, or Horizon Read Only Analyst role.</p><p>By default, Execution Details displays information about the final process in the detection, but you can click any process in the process view to see its details.</p><p>Falcon provides three process views to help you visualize a detection. Click the Full detection details icon in any detection row to expose the View as drop-down menu in the Detections page’s upper right corner.</p><p>Select View as Process Tree, View as Process Table, or View as Process Activity to see different representations of the activities that make up the detection. See Process views for more information.</p><p>Assigning detections and updating status</p><p>Use assignment and status to keep track of your organization's detections.</p><p>Detection assignment</p><p>Assign detections to individuals, claim the ones you’ll work on, or transfer your ownership of a detection to a colleague. Use the Assigned to filter column to see who is working on what.</p><p>Important notes for Falcon Flight Control and multi-CID deployments:</p><p>To assign detections, you must have access to the CID where the detection was triggered and a role for viewing and assigning detections in that CID.</p><p>The list of assignable users includes anyone with access to the CID and a role with permissions for managing detections. 
When assigning detections from the parent CID, the list of assignable users also includes parent-level users.</p><p>For security purposes, to see a user in the assignee list, you must have access to the user’s home CID with role permissions that allow you to view users in that CID.</p><p>Detection status</p><p>Use detection Status to identify whether detections are currently being investigated and to record the results of investigations. Reviewing detections with the status True Positive might reveal opportunities to shore up your environment’s defenses, while False Positives can help guide allowlist efforts. CrowdStrike assigns these detection statuses:</p><p>New - Status initially assigned to all detections. Users can also reassign this status to detections as needed.</p><p>New Activity - CrowdStrike-assigned status that indicates that a detection that had a resolved status (True Positive, False Positive, Ignored, or Closed) has new activity that should be examined.</p><p>Assign these detection statuses as needed to support your organization’s detection investigations:</p><p>New</p><p>In Progress</p><p>True Positive</p><p>False Positive</p><p>Ignored</p><p>Closed</p><p>Reopened</p><p>Updating detection assignees and statuses</p><p>There are two ways to update detection assignees and statuses. You can update one or more detections from the Endpoint detections page, or update the assignee or status from within the details of any single detection.</p><p>Updating one or more detections from Endpoint detections</p><p>1. 
On the Detections page, select the checkbox next to one or more detections.</p><p>2. Click the Update & Assign link above the table.</p><p>3. In Update selected detection statuses, assign and/or set the status.</p><p>4. Click Update.</p><p>Updating a detection’s assignee and status from its details</p><p>1. In Endpoint detections, click a detection to open its details.</p><p>2. In the detection’s details, click the current assignee or status.</p><p>3. In Update Detection Status, assign and/or set the status.</p><p>4. Click Update.</p><p>Investigate and take action on a detection</p><p>Execution Details provides helpful features to research further and take action:</p><p>Review the guidance provided in the Specific to this Detection field</p><p>Detections with Cloud-based ML technique:</p><p>Most detections occur when a process runs, but cloud-based machine learning (ML) detections can also occur when the file is written to disk. You can tell which cloud-based ML detections are detected on write because in “Specific to this detection” the description includes: “This process wrote a suspicious file to disk. That associated file meets the ML threshold. Review the file.”</p><p>Make sure to check details for the triggering file in Indicators of Interest. 
This differs from File Path and Executable SHA256, which show details of the file that wrote the triggering file.</p><p>Screenshot of the Falcon console showing the triggering file in the Indicators of Interest.</p><p>Learning more about files and hashes</p><p>Use quick link icons to:</p><p>Launch a Google search for a file name</p><p>Launch hash searches in Google, VirusTotal, or Falcon Investigate</p><p>Configure your Prevention Hashes policy</p><p>To review quarantined files that result from detections, click the eye icon.</p><p>Click Connect to a Host to take direct action through Real Time Response.</p><p>Click Network Contain to limit the host’s access to the network using Host Containment.</p><p>Reviewing remediation actions</p><p>The Actions Taken field includes a Remediation link when automated remediation has been performed on a detection. Click the link to go to the full remediation details and timeline of every remediation action taken. Read more in Reviewing remediations.</p><p>Objective icons</p><p>Every detection in the Falcon console has an associated tactic/technique pair and an adversarial objective. Icons on the Detections Dashboard and Detections page help you instantly get key information about each detection. 
You can also hover over an icon to see the objective name, severity, and whether the activity was blocked or killed.</p><p>Severity colors</p><p>Colors help indicate the severity of a detection. For example, an orange web exploit icon represents a high-severity web exploit. Colors make it easy to identify and prioritize security events.</p><p>From left to right below: Informational, Low, Medium, High, Critical.</p><p>You can change the color scheme on the Users page. For more information, see Color Schemes.</p><p>Incident involvement</p><p>Detections that are part of an incident are recognized by layered icons, which can be combined with badges.</p><p>For these detections, clickable icons open the incident they are involved in. Find them on the right side of their rows on the Endpoint detections page, and in each of these detections' details.</p><p>Detection badges</p><p>Badges on objective icons help you quickly triage detections without opening their summary panels. See the detection’s objective, severity, and whether the activity was blocked or killed, all in one icon. See the Action Taken field for specifics, such as whether the file was quarantined.</p><p>A white badge indicates that a process was killed or an operation was blocked.</p><p>A green badge indicates that a process was blocked.</p><p>Objectives</p><table><tr><th>Objective</th><th>Definition</th><th>Associated MITRE Tactics</th></tr><tr><td>Gain Access</td><td>Gaining access to your endpoints is a key phase in an adversary’s attack strategy. A common way to get in is to steal credentials, using digital or social engineering methods.</td><td>Initial Access, Credential Access, Privilege Escalation</td></tr><tr><td>Keep Access</td><td>After an adversary finds a way into your environment, they work on how to keep access. Their goal is to maintain their foothold and evade detection, perhaps for long periods, before they follow through on plans to steal and break things in your environment.</td><td>Persistence, Defense Evasion</td></tr><tr><td>Explore</td><td>Once in, an adversary often explores the endpoint they gained access to and its connected systems. They’ll poke around to discover local processes, files, and apps that could be useful to them.</td><td>Discovery, Lateral Movement</td></tr><tr><td>Contact Controlled Systems</td><td>Command and control techniques use ports, proxies, and protocols that are commonly available and trusted, so it’s challenging to distinguish suspicious and malicious use from harmless use.</td><td>Command and Control</td></tr><tr><td>Follow Through</td><td>Ultimately, an adversary is looking to steal and break things in your environment. They do this by gathering data, stealing data, and running malicious code.</td><td>Collection, Exfiltration, Execution</td></tr><tr><td>Falcon Detection Methods</td><td>Falcon can detect and prevent activities that don’t map directly to the ATT&CK matrix, so we created the Falcon Detection Methods (FDM) matrix. The FDM tactics and techniques highlight behavior we consider suspicious, malicious, and worth investigating.</td><td>Malware, Exploit, Post-Exploit, Machine Learning, Custom Intelligence, Falcon OverWatch, Falcon Intel</td></tr></table><p>Process views</p><p>There are three views available to look at the processes identified in a detection. Click the Full Detection Details icon next to a detection in the list to expose the View as dropdown list in the upper right corner of the Detections page, then select the view you want. The console remembers your choice and opens in the last view you used the next time you click the Full Detection Details button.</p><p>View as Process Tree</p><p>Select View as Process Tree from the dropdown. If your browser zoom prevents you from seeing all items in the process tree, use the process table instead.</p><p>Each node in the Process Tree represents a process. In the example below, a root process spawned more Java executables, which eventually spawned PowerShell executables. 
Hover over or click each node in the tree to view additional details.</p><p>Navigation</p><p>To expand branches in the tree, click the + icons. Click the - icons to hide branches.</p><p>To zoom in or out, press Z.</p><p>To switch the perspective between 3D and 2D or to fit the Process Tree to the screen, use the icons at the top of the page. For a full list of shortcuts, see Detection Process Tree Keyboard Shortcuts.</p><p>Nodes</p><p>Each node in the Process Tree has an icon representing an objective or process. Each tactic is colored to indicate severity.</p><p>Red lines between nodes indicate an ancestor detection. For example, in the process tree below, the second PowerShell process has a start time after the initial detection was triggered on its parent. 
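</p><p>The rule behind those lines, every descendant of a process that generated a detection is itself suspect, as an added example that is not code from this page or from CrowdStrike: it builds the lineage of a constructed process list modeled on the spear-phishing walkthrough in the Process Tree Example below and reports, for each process, which of its ancestors raised a detection. The process records, the field names, and the choice to treat a thread injection as a lineage edge are this example's assumptions.</p>

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Added example (not Falcon code). The process records below are constructed to
# mirror the spear-phishing walkthrough in the Process Tree Example section:
# Outlook -> IE -> IE tab (exploit) -> thread injection into notepad -> cmd ->
# PowerShell (credential dump) -> whoami / systeminfo / ping. Field names are
# this example's own, not Falcon event-schema names.


@dataclass
class Proc:
    pid: int
    name: str
    start: int                            # start time in seconds (constructed)
    ppid: Optional[int] = None            # creating parent
    injected_from: Optional[int] = None   # process that injected a thread into this one
    detection: Optional[str] = None       # set when this process itself raised a detection


SAMPLE = [
    Proc(50, "explorer.exe", 0),
    Proc(100, "outlook.exe", 1),
    Proc(110, "iexplore.exe", 5, ppid=100),
    Proc(111, "iexplore.exe", 6, ppid=110, detection="Known Malware / Exploit"),
    Proc(200, "notepad.exe", 3, ppid=50, injected_from=111),
    Proc(210, "cmd.exe", 12, ppid=200),
    Proc(220, "powershell.exe", 14, ppid=210, detection="Credential Access / OS Credential Dumping"),
    Proc(221, "whoami.exe", 15, ppid=220),
    Proc(222, "systeminfo.exe", 16, ppid=220),
    Proc(223, "ping.exe", 17, ppid=220),
]


def lineage_edges(procs):
    """pid -> set of pids it descends from. The creating parent always counts; as
    this example's assumption, a thread injector counts too, because the code
    running in the injected process was put there by the injector."""
    edges = defaultdict(set)
    for p in procs:
        if p.ppid is not None:
            edges[p.pid].add(p.ppid)
        if p.injected_from is not None:
            edges[p.pid].add(p.injected_from)
    return edges


def ancestor_detections(procs):
    """pid -> tuple of names of ancestors that raised a detection, nearest first.
    A non-empty tuple is what the console's ancestor-detection line expresses:
    the process was created (or injected) by a process that generated a detection."""
    by_pid = {p.pid: p for p in procs}
    edges = lineage_edges(procs)
    memo = {}

    def walk(pid, path=()):
        if pid in memo:
            return memo[pid]
        if pid in path:                       # guard against an injection cycle
            return ()
        found = []
        for up in sorted(edges.get(pid, ())):
            parent = by_pid.get(up)
            if parent is None:                # purged or never seen: a null ancestor
                continue
            if parent.detection:
                found.append(parent.name)
            found.extend(walk(up, path + (pid,)))
        memo[pid] = tuple(dict.fromkeys(found))   # dedupe, keep nearest-first order
        return memo[pid]

    return {p.pid: walk(p.pid) for p in procs}


def suspicious_pids(procs):
    """Processes to view with suspicion: every descendant of a detecting process."""
    return {pid for pid, anc in ancestor_detections(procs).items() if anc}


def render(procs):
    """Process-table style listing, earliest start first. '!' marks a process with
    its own detection, '>' one that descends from a detecting process."""
    by_pid = {p.pid: p for p in procs}
    anc = ancestor_detections(procs)
    lines = []
    for p in sorted(procs, key=lambda x: x.start):
        depth, cur = 0, p
        while cur.ppid in by_pid:             # depth along the creation chain only
            cur, depth = by_pid[cur.ppid], depth + 1
        mark = "!" if p.detection else (">" if anc[p.pid] else " ")
        via = f" (injected from {by_pid[p.injected_from].name})" if p.injected_from in by_pid else ""
        lines.append(f"{mark} {'  ' * depth}{p.name} pid={p.pid}{via}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE))
```

<p>Running it prints a process-table style listing in which the injected notepad.exe and everything it spawned are flagged even though their creation chain (explorer.exe) is clean; that is the case the console draws with the injection line feeding into ancestor-detection lines, and it is why a clean parent is not enough to clear a child.</p><p>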
Any subsequent nodes joined by such connecting lines should be viewed with suspicion, as they were created by a process that generated a detection.</p><p>The logos below a node indicate whether a process has metadata associated with it.</p><p>Click any node in the tree to reveal Execution Details for that process, which contains metadata about it including network operations, registry operations, disk operations, and command line history.</p><p>Process Tree Icons</p><p>Each icon in the Process Tree has one of these functions:</p><p>Expand or collapse child nodes</p><p>Expand or collapse a stack of nodes</p><p>Null root</p><p>Node with metadata</p><p>Node without metadata</p><p>Ancestor detection with metadata</p><p>Ancestor detection without metadata</p><p>Docker container</p><p>Null</p><p>Null ancestor detection</p><p>Null tactic and technique</p><p>Null tactic and technique (ancestor detection)</p><p>Loading failure</p><p>Note: CrowdStrike keeps detection data in the cloud for 90 days, after which some of the data gets purged from the database. Null icons indicate that some of the data for a process has started to be nullified. 
It could be a missing tactic, label, metadata or any part of the information pertaining to that process.</p><p>Process Tree Example</p><p>Let's walk through a more complex example to see how the Process Tree can help visualize an attack and aid us in understanding what happened.</p><p>Below, the Process Tree is displaying a spear-phishing attack that started with Outlook.</p><p>1. The first Known Malware node, shown below, tells us that the host user clicked a link in Outlook, which spawned Internet Explorer, which then spawned a tab within Internet Explorer to run an exploit.</p><p>2. The green line indicates a thread injection from IE to notepad. When the exploit succeeded, the attacker migrated into notepad.exe to bypass blocklisting.</p><p>3. Hiding in notepad's memory space, the attacker wanted to get a better understanding of the target host and user. They opened cmd.exe and ran a PowerShell instance to dump credentials.</p><p>4. Finally, the adversary performed more reconnaissance using the commands whoami, systeminfo, and ping in PowerShell.</p><p>At this point, you can contain the host (if you have admin privileges), or assign the detection to another analyst, adding comments to ensure a smooth handoff during triage.</p><p>View as Process Table</p><p>To see a detection in the Process Table view, click the Full Detection Details icon next to that detection in the list. 
If needed, click the dropdown menu at the upper right corner and select View as Process Table (the console remembers your choice and opens in the last view you used the next time you click the Full Detection Details button).</p><p>The Process Table provides a table view of the processes associated with a detection. The processes at the top of the table occurred first.</p><p>Click the + and - icons to show and hide children in this view. Any changes to children or selection state are synced with the Process Tree view of the detection.</p><p>Show and hide columns using the column selection button.</p><p>View as Process Activity</p><p>To see a detection in the Process Activity view, click the Full Detection Details icon next to that detection in the list. If needed, click the dropdown menu at the upper right corner and select View as Process Activity (the console remembers your choice and opens in the last view you used the next time you click the Full Detection Details button).</p><p>The Process Activity view provides a rows-and-columns style view of the events generated in a detection. Use the column selection button on the right to edit the columns displayed.</p><p>Monitor custom IOA detections and preventions</p><p>Detections and preventions triggered by custom IOA rules appear in the Activity app like other CrowdStrike detections. They are distinguished by the Tactic and Technique of Custom Intelligence via Indicator of Attack. 
In the Execution Details of a custom IOA detection, the Custom IOA Rule field provides a link to the rule that triggered the detection.</p><p>The four events associated with the four rule types are:</p><p>CustomIOABasicProcessDetectionInfoEvent (Process Creation)</p><p>CustomIOAFileWrittenDetectionInfoEvent (File Creation)</p><p>CustomIOANetworkConnectionDetectionInfoEvent (Network Connection)</p><p>CustomIOADomainNameDetectionInfoEvent (Domain Name)</p><p>Read more about the event types that trigger custom IOA detections in the Events Data Dictionary.</p><p>How detections are recorded</p><p>Terminology:</p><p>Agent ID (AID): Every sensor in your environment is uniquely identified by its Agent ID, or AID. If you have 5,000 sensors, you have 5,000 unique AIDs. AIDs are globally unique across all customer environments.</p><p>Customer ID (CID): Identifies a customer environment. Every environment has a unique CID.</p><p>Pattern ID: Every detection is associated with a pattern, and each pattern has a unique ID.</p><p>Falcon has rules in place so it doesn’t display redundant detections in the console or inundate users with more emails than needed:</p><p>Detections are not recorded or shown if they match an exclusion pattern.</p><p>The console displays up to 1,000 detections per day for a single Agent ID. If there are more than 1,000 detections for a host, that is a clear indication that the host itself should be investigated.</p><p>Detections for a given Pattern ID + AID pair are sent no more often than once every five seconds.</p><p>When a CID + AID + Pattern ID group is on the same process ID, it is compressed to one pattern hit.</p><p>Falcon sends one email per day for each detection. For example, if a detection has 100 pattern hits in the same day, only one email is sent to each contact set up to receive detection alerts. 
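</p><p>The rules above as a replayable simulation, added here as an example and not Falcon's implementation. The order in which the rules are applied, the use of CID + AID + process ID as the identity of a detection, the treatment of rate-limited and capped hits as dropped rather than queued, and the sample hits and exclusion pattern are all this example's assumptions.</p>

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Added example (not Falcon code): a small simulation of the recording rules
# listed above, replayed over constructed pattern hits. Assumptions of this
# example, not statements from the page: the rules are applied in the order
# exclusion -> compression -> rate limit -> daily cap -> email; a "detection"
# is identified by CID + AID + process ID; rate-limited and capped hits are
# simply dropped rather than queued.

RATE_LIMIT_SECONDS = 5        # per Pattern ID + AID pair
DAILY_CAP_PER_AID = 1000      # the console shows at most this many per AID per day
SECONDS_PER_DAY = 86400


@dataclass(frozen=True)
class PatternHit:
    ts: int              # epoch seconds (constructed)
    cid: str
    aid: str
    pattern_id: int
    pid: int
    command_line: str


class DetectionRecorder:
    def __init__(self, exclusion_patterns):
        self.exclusions = [re.compile(p) for p in exclusion_patterns]
        self.hit_counts = {}                   # (cid, aid, pattern_id, pid) -> raw hits folded in
        self.last_shown = {}                   # (pattern_id, aid) -> ts of the last hit shown
        self.shown_today = defaultdict(int)    # (aid, day) -> hits shown in the console
        self.emailed = set()                   # ((cid, aid, pid), day) already notified
        self.emails = []                       # (day, cid, aid, pid) in send order
        self.hosts_to_investigate = set()      # AIDs that crossed the daily cap

    def record(self, hit):
        """Apply the rules to one pattern hit; return what happened to it."""
        day = hit.ts // SECONDS_PER_DAY
        if any(rx.search(hit.command_line) for rx in self.exclusions):
            return "excluded"                  # matches an exclusion: never recorded or shown
        key = (hit.cid, hit.aid, hit.pattern_id, hit.pid)
        if key in self.hit_counts:
            self.hit_counts[key] += 1
            return "compressed"                # same process: folded into the existing hit
        pair = (hit.pattern_id, hit.aid)
        last = self.last_shown.get(pair)
        if last is not None and hit.ts - last < RATE_LIMIT_SECONDS:
            return "rate-limited"              # this Pattern ID + AID pair fired < 5 s ago
        if self.shown_today[(hit.aid, day)] >= DAILY_CAP_PER_AID:
            self.hosts_to_investigate.add(hit.aid)
            return "capped"                    # over 1,000 today: the host itself needs a look
        self.hit_counts[key] = 1
        self.last_shown[pair] = hit.ts
        self.shown_today[(hit.aid, day)] += 1
        detection = (hit.cid, hit.aid, hit.pid)
        if (detection, day) in self.emailed:
            return "shown"                     # already emailed for this detection today
        self.emailed.add((detection, day))
        self.emails.append((day,) + detection)
        return "shown+email"


# Constructed input: encoded PowerShell on host A1, an allowlisted scanner path,
# a second host, and a next-day hit on the first detection.
EXCLUSIONS = [r"\\Tools\\approved_scanner\.exe$"]
SAMPLE_HITS = [
    PatternHit(0, "C1", "A1", 10, 500, "powershell.exe -enc SQBFAFgA"),
    PatternHit(1, "C1", "A1", 10, 500, "powershell.exe -enc SQBFAFgA"),        # same process again
    PatternHit(2, "C1", "A1", 10, 501, "powershell.exe -enc SQBFAFgA"),        # new pid, 2 s later
    PatternHit(7, "C1", "A1", 10, 502, "powershell.exe -enc SQBFAFgA"),        # new pid, 7 s later
    PatternHit(8, "C1", "A1", 11, 500, r"C:\Tools\approved_scanner.exe"),
    PatternHit(20, "C1", "A1", 13, 500, "rundll32.exe comsvcs.dll MiniDump"),  # 2nd pattern, same process
    PatternHit(30, "C1", "A2", 12, 7, "cmd.exe /c whoami"),
    PatternHit(SECONDS_PER_DAY + 10, "C1", "A1", 14, 500, "cmd.exe /c net user backup /add"),
]


def noisy_host(aid="A3", n=DAILY_CAP_PER_AID + 5):
    """A host emitting n distinct pattern hits in one day (constructed), spaced so
    the rate limit never applies: only the first 1,000 reach the console."""
    return [PatternHit(1000 + 6 * i, "C1", aid, 5000 + i, 9000 + i, f"tool{i}.exe")
            for i in range(n)]


def replay(hits, exclusions=EXCLUSIONS):
    """Feed hits through a fresh recorder; return (outcome per hit, recorder)."""
    rec = DetectionRecorder(exclusions)
    return [rec.record(h) for h in hits], rec


if __name__ == "__main__":
    outcomes, rec = replay(SAMPLE_HITS)
    for hit, outcome in zip(SAMPLE_HITS, outcomes):
        print(f"t={hit.ts:>6} {hit.aid} pattern={hit.pattern_id} pid={hit.pid}: {outcome}")
    _, noisy = replay(noisy_host())
    print("hosts to investigate:", noisy.hosts_to_investigate)
```

<p>Replaying SAMPLE_HITS shows each rule firing once: the second hit on pid 500 is compressed, the hit two seconds later on a new pid is rate-limited, the scanner path is excluded, the second pattern on pid 500 is shown without a second email, and the next-day hit on the same process emails again. noisy_host() shows the 1,000-per-day cap and the host being flagged for investigation.</p><p>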
If there are additional pattern hits the following day, contacts receive another email.</p><p>Detections keyboard shortcuts</p><p>Detections accessibility keyboard shortcuts</p><table><tr><th>Key</th><th>Action</th></tr><tr><td>TAB</td><td>When in the main navigation or summary panel, moves through all nav items sequentially. In the Activity App, sequentially navigates to each row by using every focusable element inside a row (buttons, links, and so on).</td></tr><tr><td>UP/DOWN arrow</td><td>Navigates the main navigation or opens a drop-down list. In the Activity App, skips to the previous/next row (as long as a row has focus).</td></tr><tr><td>RIGHT/LEFT arrow</td><td>When in the main navigation, takes you into the sub-menu.</td></tr><tr><td>ENTER/SPACEBAR</td><td>Opens/closes a detection or aggregation row; selects a process row or metadata button inside a process row.</td></tr></table><p>Process tree keyboard shortcuts</p><table><tr><th>Category</th><th>Command</th><th>Description</th></tr><tr><td>Selection</td><td>Shift + Drag</td><td>Makes a new rectangle selection.</td></tr><tr><td>Selection</td><td>Windows key + click (Windows), Command + click (Mac)</td><td>Select multiple nodes by clicking each one.</td></tr><tr><td>Operation</td><td>'R'</td><td>Remove all unselected nodes.</td></tr><tr><td>Navigation</td><td>ARROW KEYS</td><td>Navigates through the tree (does not lose a selection).</td></tr><tr><td>Navigation</td><td>LEFT & RIGHT + 'S'</td><td>Jump to first/last sibling.</td></tr><tr><td>Navigation</td><td>'/' & '0'</td><td>Loads children.</td></tr><tr><td>Navigation</td><td>ENTER</td><td>Shows or hides children.</td></tr><tr><td>Navigation</td><td>'Z'</td><td>Zooms in/out.</td></tr><tr><td>Navigation</td><td>'F'</td><td>Zooms to best fit.</td></tr><tr><td>Navigation</td><td>'P'</td><td>Toggles perspective.</td></tr></table><p>Review quarantined files</p><p>When a detection involves a quarantined file, it's shown in the Detection Summary Panel of Endpoint detections:</p><p>1. In the Falcon console, go to Quarantined files (Endpoint security > Monitor > Quarantined files).</p><p>2. Use the filter bar at the top to filter the list of quarantined files. For example:</p><p>Status:Deleted</p><p>Filename:CSQ.exe</p><p>Release a file</p><p>When you release a file from quarantine, it's allowed to execute on that host. Releasing a file does not affect other hosts. To avoid triggering more preventions on other hosts, add the file to your global allowlist.</p><p>Note: Files that appear in Endpoint security > Monitor > Remediation are also available in Endpoint security > Monitor > Quarantined files, and updates are reflected in both places.</p><p>1. 
In the Falcon console, open Endpoint security > Monitor > Quarantined files.</p><p>2. Select the files you want to release.</p><p>3. Click Release.</p><p>Note: Quarantined files from removable media are released to C:\ProgramData\CrowdStrike.</p><p>Tip: Filter by quarantined status and use the Select All checkbox to release files in bulk.</p><p>Undo a released file</p><p>When you undo a release, the Falcon sensor treats the file as malicious again. The next time the file attempts to execute, the sensor blocks and quarantines it again. The sensor does not quarantine the file immediately.</p><p>1. In the Falcon console, go to Quarantined files (Endpoint security > Monitor > Quarantined files).</p><p>2. Select the released files you want to quarantine again.</p><p>3. Click Undo Release.</p><p>Download a file</p><p>Windows and macOS hosts</p><p>You can download a file from the Falcon console for further investigation. This requires you to enable Upload quarantined files on the General settings page (Support and resources > Resources and tools > General settings).</p><p>By default, file extraction is disabled.</p><p>1. In the Falcon console, go to Quarantined files (Endpoint security > Monitor > Quarantined files).</p><p>2. Near the file you want to download, click Download.</p><p>3. 
Provide the password infected when you unzip the downloaded file. Extract it only in an isolated analysis environment, never on a production host.</p><p>Note: Files that appear in Remediation are also available in Quarantined files, and updates are reflected in both places.</p><p>File extraction FAQs</p><p>Encryption: Extracted files are encrypted in transit and at rest</p><p>File size: Files up to 32 MB can be downloaded</p><p>Permissions: Users with the roles Falcon Admin and Falcon Security Lead can download extracted files</p><p>Operating systems: Windows and macOS</p><p>Delete a file</p><p>1. In the Falcon console, go to Quarantined files (Endpoint security > Monitor > Quarantined files).</p><p>2. Select the files you want to delete.</p><p>3. Click Delete.</p><p>Tip: Filter by quarantined status and use the Select All checkbox to delete files in bulk.</p><p>Review remediations</p><p>In Remediation, view the remediation actions Falcon has taken on detections. Refine the list of detections using filters, which allow you to focus on attributes including Remediation type, Time, Severity, Tactic, and Technique.</p><p>The Advanced Remediation prevention policy setting must be enabled for Falcon to perform remediation actions. Read more about the setting and the actions that Falcon can perform in Prevention Policy Settings.</p><p>Getting to Remediations</p><p>1. 
Go to Remediation (Endpoint security > Monitor > Remediation) to see all of the detections that have had automated remediation activity performed in the last 90 days.</p>
<p>Review the remediation actions performed on a detection</p>
<p>1. 
On the Remediation page (Endpoint security > Monitor > Remediation), click any detection to go to the full details of the remediation action performed.</p>
<p>The remediation page for a detection shows complete information about the remediation actions performed on it:</p>
<p>Go to full detection button: Opens the detection that triggered the automated remediation in a new tab.</p>
<p>Hosts tab: Basic information about the hosts where the remediation was performed, and a link to their full details in Host Management.</p>
<p>Vulnerabilities tab: A quick overview of vulnerability information about the hosts involved in the detection, and a link to more details in Spotlight (requires Falcon Spotlight).</p>
<p>Detection information: Essential details about the detection, including whether the process was killed or blocked, Description, and Command line, if applicable.</p>
<p>Remediation timeline: A complete list of all remediation actions. Click the copy icon to copy the details of a remediation. These actions might appear:</p>
<p>File quarantined</p>
<p>Process killed</p>
<p>Registry value deleted</p>
<p>Audit log: Shows the actions taken by your organization's Falcon users.</p>
<p>Updating the quarantine status of a file</p>
<p>Update the quarantine status of quarantined files as part of the automated remediation of a detection.</p>
<p>1. Go to Remediation (Endpoint security > Monitor > Remediation).</p>
<p>2. Click a detection to open its remediation actions.</p>
<p>3. 
In the Quarantine status column, update the quarantine status of a file.</p>
<p>Note: Files that appear in Remediation are also available in Quarantined files, and updates are reflected in both places.</p>
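<p>As an added example for the Download a file procedure above (this is not CrowdStrike's code and not part of the original page), the following Python script shows one way to handle a file pulled from Quarantined files before investigating it: unpack the archive with the documented password into a scratch directory, refuse entries that try to escape that directory or exceed the 32 MB limit the FAQ gives, clear execute bits so the sample cannot be launched by accident, and record SHA-256 hashes to pivot on. It assumes the download is a zip that Python's zipfile module can decrypt (legacy ZipCrypto; an AES-encrypted archive would need a tool such as 7-Zip instead), and the payload and fixture archive it processes are constructed for the demonstration, not real malware.</p>

```python
"""Safe handling of a file downloaded from Falcon's Quarantined files page.

Added example, not CrowdStrike code. Assumptions: the download is a zip protected
with the password "infected" (as the page states) that Python's zipfile can decrypt
(legacy ZipCrypto; an AES-encrypted archive needs another tool), and 32 MB is the
download limit the page's FAQ gives.
"""
import hashlib
import io
import pathlib
import stat
import tempfile
import zipfile

ARCHIVE_PASSWORD = b"infected"        # password documented for Falcon downloads
MAX_SAMPLE_BYTES = 32 * 1024 * 1024   # page's download limit; anything larger is unexpected


def sha256_hex(data: bytes) -> str:
    """Hash used to pivot on the sample (e.g. search the hash in Falcon) without running it."""
    return hashlib.sha256(data).hexdigest()


def extract_quarantine_archive(archive_bytes: bytes, dest_dir, password: bytes = ARCHIVE_PASSWORD,
                               max_bytes: int = MAX_SAMPLE_BYTES) -> list:
    """Unpack the archive into dest_dir without executing anything and return a manifest.

    Each manifest entry records name, size, sha256 and the path written. Entries that would
    escape dest_dir (zip-slip, absolute paths) or exceed max_bytes raise ValueError before
    any byte of them is written.
    """
    dest = pathlib.Path(dest_dir).resolve()
    manifest = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = (dest / info.filename).resolve()
            if dest not in target.parents:
                raise ValueError(f"refusing entry outside destination: {info.filename!r}")
            if info.file_size > max_bytes:
                raise ValueError(f"entry {info.filename!r} declares {info.file_size} bytes, over the limit")
            data = zf.read(info, pwd=password)   # pwd is ignored by zipfile for unencrypted entries
            if len(data) > max_bytes:            # the header can lie; check the real size too
                raise ValueError(f"entry {info.filename!r} is larger than declared")
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
            # Owner read/write only: no execute bit, so the sample cannot be launched by accident.
            target.chmod(stat.S_IRUSR | stat.S_IWUSR)
            manifest.append({"name": info.filename, "size": len(data),
                             "sha256": sha256_hex(data), "path": str(target)})
    return manifest


def build_sample_archive(entries: dict) -> bytes:
    """Constructed fixture. zipfile cannot write ZipCrypto, so this archive is unencrypted;
    extract_quarantine_archive still passes the password, which is harmless here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Run the workflow on constructed input and report what happened."""
    payload = b"MZ\x90\x00 constructed sample, not a real binary\n"   # constructed, not malware
    result = {"expected_sha256": sha256_hex(payload), "expected_size": len(payload)}
    with tempfile.TemporaryDirectory() as tmp:
        result["manifest"] = extract_quarantine_archive(build_sample_archive({"sample.bin": payload}), tmp)
        try:   # an entry that tries to climb out of the scratch directory must be refused
            extract_quarantine_archive(build_sample_archive({"../escape.txt": b"x"}), tmp)
            result["slip_rejected"] = False
        except ValueError:
            result["slip_rejected"] = True
        try:   # an entry over the size limit must be refused before it is written
            extract_quarantine_archive(build_sample_archive({"big.bin": b"A" * 1024}), tmp, max_bytes=512)
            result["oversize_rejected"] = False
        except ValueError:
            result["oversize_rejected"] = True
    return result


if __name__ == "__main__":
    for entry in demo()["manifest"]:
        print(f"{entry['sha256']}  {entry['size']:>8}  {entry['name']}")
```

<p>Run it as-is to see the workflow on the constructed fixture; for a real download, read the zip bytes from disk and pass them to extract_quarantine_archive with a dedicated scratch directory, then use the manifest's SHA-256 to search for the file elsewhere in Falcon before opening it in an analysis environment.</p>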