FALCON ADMINISTRATOR - Coggle Diagram
INSTALLATION
Manual:
- Host setup and management -> Sensor downloads
- enter the Customer ID (CID) during setup
- verify: sc query csagent
AUTO
- SCCM: installer.exe /install /quiet /norestart CID=<CID>
Windows
- Windows Defender must be disabled
Services installed and running:
- LMHosts
- Network Store Interface (NSI)
- Windows Base Filtering Engine (BFE)
- Windows Power Service (sometimes labeled Power)
- if a proxy is in use, WinHTTP AutoProxy as well
Windows Server 2016 and 2019
- disable Windows Defender (Set-MpPreference -DisableRealtimeMonitoring $true)
LINUX
- uname -r -> get the Linux kernel version
- Ubuntu: sudo dpkg -i <installer package>
- RHEL, CentOS: sudo yum install <installer package>
- SLES: sudo zypper install <installer package>
Register:
- sudo /opt/CrowdStrike/falconctl -s --cid=<CID>
Start sensor:
- sudo systemctl start falcon-sensor or sudo service falcon-sensor start
Check if it's running:
- ps -e | grep falcon-sensor
Proxy config:
- Configure proxy: sudo /opt/CrowdStrike/falconctl -s --aph=<proxy host> --app=<proxy port>
- Confirm config: sudo /opt/CrowdStrike/falconctl -g --aph --app
- Enable proxy: sudo /opt/CrowdStrike/falconctl -s --apd=FALSE
- Disable proxy: sudo /opt/CrowdStrike/falconctl -s --apd=TRUE
Restart sensor:
- sudo systemctl restart falcon-sensor or sudo service falcon-sensor restart
MAC - elevated privileges required
- sudo installer -verboseR -package <installer package> -target /
- sudo /Applications/Falcon.app/Contents/Resources/falconctl license <CID>
- sudo /Applications/Falcon.app/Contents/Resources/falconctl stats
- Check Privacy and Security settings in case of issues
Sensor uninstallation and updates
- DO IT via GROUP POLICY
- Via Add/Remove Programs
- Via CsUninstallTool: csuninstalltool.exe MAINTENANCE_TOKEN=<token> /quiet
- Or put the CS uninstall tool onto the host and launch it: run "c:\temp\csuninstalltool.exe"
VALIDATE: HKLM\SYSTEM\CrowdStrike and c:\windows\system32\drivers\CrowdStrike should be gone
- LINUX/UBUNTU: sudo apt-get purge falcon-sensor
- RHEL: sudo yum remove falcon-sensor
- SLES: sudo zypper remove falcon-sensor
- MACOS: sudo /Library/CS/falconctl uninstall --maintenance-token <token>
Update Throttling
- limit the number of hosts updated at the same time (network bandwidth)
Support and Resources -> General Settings
Network requirements:
TLS 1.2
- Outbound 443/SSL to CS FQDNs
- Disable SSL inspection for sensor traffic (the sensor uses certificate pinning)
EU-1:
ts01-lanner-lion.cloudsink.net
lfodown01-lanner-lion.cloudsink.net
If the sensor is unable to establish network communication, it will try again in 10 minutes. If it fails again, it will uninstall itself.
Linux Deployment options
- linux endpoints: Falcon sensor
- Linux endpoints running containers: DaemonSet on the cluster
- containers running on a managed service: Falcon container sensor
Installation tokens - OFF by default
- max 50
- prevent unauthorized install / uninstall or tampering with the installed agent
- command: --provisioning-token <token>
- token lifetime: 30 or 90 days, 1 year, or never expire
- audit logs show who used which token
Troubleshooting
- command line and correct CID
- supported OS
- Does the host trust the CS CA certificate?
- Network / proxy / firewall / internet access
- local required services
- local logs: %LOCALAPPDATA%\Temp
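As an added example (not part of these notes and not CrowdStrike's own tooling), a PowerShell preflight that walks the Windows requirements above and this troubleshooting list: required services, Defender real-time monitoring, outbound 443 to the EU-1 FQDNs from the notes, and the csagent / driver / registry footprint. The hostnames and paths are assumed to match your deployment.

```powershell
# Added example, not CrowdStrike's own tooling: a pre-install / troubleshooting
# checklist for the Windows sensor, built from the requirements in these notes.
# Assumption: EU-1 cloud hostnames from the notes; swap in your own cloud's FQDNs.
$RequiredServices = @('lmhosts', 'nsi', 'BFE', 'Power')
$ProxyService     = 'WinHttpAutoProxySvc'          # only required when a proxy is in use
$CloudHosts       = @('ts01-lanner-lion.cloudsink.net', 'lfodown01-lanner-lion.cloudsink.net')
$DriverPath       = Join-Path $env:SystemRoot 'System32\drivers\CrowdStrike'
$RegistryPath     = 'HKLM:\SYSTEM\CrowdStrike'

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
}

# 1. Local services the sensor depends on must be running (plus WinHTTP AutoProxy behind a proxy).
$proxyInUse = [bool](netsh winhttp show proxy | Select-String -Pattern 'Proxy Server')
$services   = if ($proxyInUse) { $RequiredServices + $ProxyService } else { $RequiredServices }
foreach ($svc in $services) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $state = if ($s) { [string]$s.Status } else { 'not installed' }
    Add-Check "service $svc running" ($state -eq 'Running') $state
}

# 2. Defender real-time monitoring must be off (Set-MpPreference -DisableRealtimeMonitoring $true).
try {
    $rtp = (Get-MpComputerStatus -ErrorAction Stop).RealTimeProtectionEnabled
    Add-Check 'Defender real-time monitoring disabled' (-not $rtp) "RealTimeProtectionEnabled=$rtp"
} catch { Add-Check 'Defender real-time monitoring disabled' $true 'not checked: Defender cmdlets unavailable' }

# 3. Outbound TCP 443 to the cloud FQDNs. The sensor pins certificates, so an SSL-inspecting
#    proxy that rewrites the certificate still breaks the connection even when this passes.
foreach ($h in $CloudHosts) {
    $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    Add-Check "tcp/443 to $h" $ok $(if ($ok) { 'reachable' } else { 'blocked or unresolved' })
}

# 4. Sensor footprint after install (the same items the notes use to validate an uninstall).
$agent = Get-Service -Name csagent -ErrorAction SilentlyContinue      # equivalent of: sc query csagent
Add-Check 'csagent service running' ($agent -and $agent.Status -eq 'Running') $(if ($agent) { [string]$agent.Status } else { 'not installed' })
Add-Check 'driver folder present'   (Test-Path $DriverPath)   $DriverPath
Add-Check 'registry key present'    (Test-Path $RegistryPath) $RegistryPath

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.OK }) { exit 1 }    # non-zero exit for SCCM / scripted use
```

Run it before installation to confirm prerequisites (ignore the section 4 rows), and again when a host fails to check in.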
Reduced Functionality Mode (RFM)
- safe mode, limited logging
- triggered by unsupported kernel updates
- ready-made dashboard report shows hosts in RFM
- enabled for kernel updates to ensure stability of updates
Windows
- CS goes into RFM if Windows updates are installed within 48 hours of CS installation
- CS does not go into RFM if updates are installed more than 48 hours after installation
LINUX
- CS goes into RFM on an unsupported or incompatible Linux kernel
- or if you update the kernel within 10 days of CS installation
SSO
- SP - Service Provider (CS)
- IdP - Identity Provider (Azure)
- In Full SSO mode all users are immediately enabled
- In Onboarding mode 2FA is used and the account must be activated via an activation link
ALERT types
- Detection and Incident email alerts (Support and resources -> General settings)
- Fusion SOAR alerts (more precise alerts, customized) -> via workflows
- Scheduled search - based on predefined templates (investigate - scheduled search).
Content Update Policies
Content update deployment
- General Availability (GA, recommended): a phased rollout after a successful deployment to hosts in Early Access
- General Availability+4: GA + 4 hours
- Early Access: fully tested by CrowdStrike and considered stable and ready for production
- Paused (not recommended)
Paused updates (not recommended) and their risks
- Sensor Operations channel paused -> sensors won't receive sensor configuration updates; impacts OS and application compatibility and may lead to RFM on Windows / Linux.
- Rapid Response - Allowlisting and Blocklisting paused -> sensors won't receive allowlisting and blocklisting updates generated by CrowdStrike threat researchers and analysts.
- Vulnerability Management paused -> sensors won’t receive updated vulnerability definitions and data.
- System Critical channel CANNOT BE PAUSED
Channel Files (policies?)
Instruction manuals for sensors. They tell sensors how to work, including whitelists and blacklists and updated policy settings. Categories:
- System critical content updates (core) - for ongoing system operation stability
- Sensor operation updates (compatibility information to avoid RFM, info about Windows/Linux kernel updates)
- Vulnerability management: provide vulnerability definitions and data
- Rapid response (AllowListing and BlackListing channel files) - false positive/false negative mitigation updates for IOA and ML
- Rapid Response behavioral IOAs: provides behavioral IOAs, telemetry, detection and prevention logic to sensor
- Customer initiated channel files: customer policies updates for modules made via API or CS console
Implementation
- Option 1: CS only
- Option 2: CS alongside the current AV (short term)
- Option 3: CS alongside the current AV (long term) - not recommended
IOA & IOC
IOC Management - Custom IOCs
Indicator Of Compromise
- Sensor-based actions
- can assign severity to detections
- can add TAGs
Quarantined Files - for 30 days
- Windows: \Windows\System32\drivers\CrowdStrike\Quarantine
- MacOS /Library/Application Support/CrowdStrike/Falcon/Quarantine
AVOID creating exclusions for CRITICAL paths and binaries
- Windows: cmd.exe, command.exe, powershell.exe, c:\windows\system32\*
- Linux: /sbin, /bin, /usr/bin
- interpreters: Java, Python, Ruby
HOST Management
SENSOR Group tagging
- Windows: during installation: GROUPING_TAGS="HR,PROD" on the installer command line. Later changeable via the registry only
- MACOS: falconctl grouping-tags set "tag"
- LINUX: falconctl -s --tags="tag"
Hosts Groups:
- Static - by hostname or ID (max 1000 recommended)
- Dynamic - by attributes (recommended option)
POLICIES
Policy Types
Prevention Policies
- Define what triggers detection and prevention on my hosts
- Level of Detection must be higher than level of Prevention
Initial Deployment
No AV/EDR in current ENV => Choose PHASE 2 MODERATE
- a bit more protective / aggressive policy
- should be used for 30 days
- start introducing your IOAs
- good to start with (moderate level)
YOU HAVE AV/EDR => Choose PHASE 1 Monitor-only phase
- less aggressive than Phase 2
- initial deployment
- use for the minimum amount of time
- then migrate to Phase 2 => Phase 3
- be there within 30 days
PHASE 3 OPTIMAL
- optimal level of protection - most mature
- target level of protection
- be there within 90 days
In each phase, tune False Positives (FP) and create Whitelisting (WL)
USERS
User Roles:
- Falcon Admin
- Prevention Policy Admin
- Falcon console guest
- Dashboard Admin
- Desktop Support Analyst
- Workflow Author
- HelpDesk Analyst
Real Time Responder (RTR) roles
- Read-Only Analyst (read only)
- Active Responder (some custom scripts + GET commands)
- Administrator (custom scripts, upload files, run commands)
RTR
- Response policy must allow RTR