CrowdStrike: CCFA questions and answers
Falcon Console Guest - answer-User MGN:
- View Documentation and your own user profile.
- View Support Portal
User MGN: Falcon Administrator - answer-User MGN:
- Access all functionality in the console with the exception of some RTR functionality.
Workflow Author - answer-User MGN:
- Create and edit workflows.
- Re-execute failed workflows.
- This role requires at least one other role to be able to access the falcon console.
- Cannot include RTR actions unless also assigned the RTR Administrator Role.
Dashboard Admin - answer-User MGN:
- Create, edit, manage and delete dashboards.
- This role requires at least one other role to be able to access the falcon console.
Prevention Policy Manager - answer-User MGN:
- Create, edit and delete prevention policies.
- This role can also view dashboards, host management, detections, file exclusions &
sensor update policy.
Desktop Support Analyst - answer-User MGN:
- Install sensor, troubleshoot, view manuals.
- Access docs about products functions and restrictions.
Help Desk Analyst - answer-User MGN:
- View Detections, host management, installation tokens, prevention policies, file
exclusions, sensor update policies & dashboards.
PREVENT ROLES: Falcon Administrator - answer-PREVENT ROLES:
- Access all functionality in console with exception of some RTR functionality and custom
IOAs.
PREVENT ROLES: Falcon Security Lead - answer-PREVENT ROLES:
- Manage detections, manage quarantined files, contain hosts, view exclusions.
- Search for events, reset user credentials & 2FA.
- View data about assets, accounts and applications in Discover.
PREVENT ROLES: Falcon Analyst - answer-PREVENT ROLES:
- Manage detections and quarantined files.
- View Exclusions and Host Management.
- View Firewall Rules, rule groups, policies and audit logs.
,PREVENT ROLES: Falcon Analyst - Read Only - answer-PREVENT ROLES:
- View detections and exclusions and search events.
- View all Identity Protection info.
- View firewall rules, rule groups, policies and audit logs.
PREVENT ROLES: Quarantine Manager - answer-PREVENT ROLES:
- View, release and manage quarantined files.
PREVENT ROLES: Endpoint Manager - answer-PREVENT ROLES:
- Manage sensor deployment and maintain sensor configuration and update policies.
- Create, edit and delete host groups and firewall rules.
PREVENT ROLES: Detections Exceptions Manager - answer-PREVENT ROLES:
- Add, edit and manage custom IOCs, ML Exclusions, IOA Exclusions and Sensor Visibility
Exclusions.
PREVENT ROLES: Remediation Manager - answer-PREVENT ROLES:
- View and manage remediation actions taken by the Falcon console.
Capabilities and Limitations: RTR READ ONLY ANALYST - answer-Capabilities and
Limitations:
+ Can run a core set of read-only response commands to perform reconnaissance.
- Cannot extract files, modify the device, or run certain scripts.
- No access to "Edit and RunScript" tab.
Capabilities and Limitations: RTR ACTIVE RESPONDER - answer-Capabilities and
Limitations:
+ More access than RTR Read Only Analyst.
+ Can extract files using get command, can run commands that modify the device and
run certain custom scripts.
- Cannot create custom scripts, cannot upload files to hosts using put command and
cannot directly run executables using the run command.
- No access to "Edit and RunScript" tab.
Capabilities and Limitations: RTR ADMINISTRATOR - answer-Capabilities and Limitations:
+ Can do everything the RESPONDER can do.
+ Plus create custom scripts, upload files to hosts using put, and directly run
executables using run.
+ There are no limitations to this role.
Create, edit, delete a new user:
How do you Add a user? (How do you traverse through the UI to add a user) - answer-*
ADMINISTRATIVE role for your Falcon subscription, such as FALCON ADMINISTRATOR is
required *
- Host setup and management > Falcon users > User management.
- Click Add User in the upper right of the window.
- Enter users email address, first name, last name.
,- Select one or more roles.
- Click Add User
Create, edit, delete a new user:
How do you add a Delete? (How do you traverse through the UI to Delete a user) -
answer-* ADMINISTRATIVE role for your Falcon subscription, such as FALCON
ADMINISTRATOR is required *
- Host setup and management > Falcon users > User management.
- Find the desired user.
- Click three-dot menu.
- Select Delete User.
- At confirmation, select Delete.
You can also delete a user from the three-dot menu inside the User details.
Create, edit, delete a new user:
How do you Edit a user? (How do you traverse through the UI to Edit a user) - answer--
Edit username
- Edit Roles
- Reset 2FA
- Reset Password
A Falcon Administrator can make all changes to a user.
A Falcon Security Lead can reset 2FA and password but cannot change the user or assign
roles.
Single Sign On - answer-If SSO isn't enabled in your environment, CrowdStrike sends an
automated email to the user, prompting them to create a Falcon password and configure
2FA. If SSO is enabled, CrowdStrike doesn't send an automated email to the user.
If you're planning to enable single sign-on (SSO), the email address must match the
information in your Identity Provider.
SENSOR DEPLOYMENT (Windows OS)
Required Services installed and running - answer-Sensor Deployment:
- LM Hosts
- Network Store Interface (NSI)
- Windows Base Filtering Engine (BFE)
- Windows Power Services (Power)
* LMHosts may be disabled if TCP/IP NetBios Helper is disabled*
SENSOR DEPLOYMENT (Windows OS):
using a proxy - Requirements
, using Web Proxy Automatic Discover (WPAD) - Requirements - answer-SENSOR
DEPLOYMENT:
- WinHTTP AutoProxy must be running.
- DHCP Client must be running.
SENSOR DEPLOYMENT (Windows OS):
Registry Key Configuration - answer-SENSOR DEPLOYMENT:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\type
- Value must be '0x00000020'
*This is the defaulted Microsoft setting for this key.
- answer-SENSOR DEPLOYMENT (Windows OS)
SENSOR DEPLOYMENT (Windows OS):
Log File Location - answer-SENSOR DEPLOYMENT:
%LOCALAPPDATA%\temp\
SENSOR DEPLOYMENT (Windows OS):
Networking Protocols - answer-SENSOR DEPLOYMENT:
Falcon on commercial cloud:
- TLS 1.0 or later
Falcon on GovCloud:
- TLS 1.1 or later
*CrowdStrike cloud DOES NOT support connecting via SSL.
Falcon uses TLS 1.2 on Win7 and WinServer 2008 R2 to communicate with the
CrowdStrike cloud.
If TLS 1.2 has been disabled, Falcon will negotiate TLS 1.1 or TLS 1.0
Falcon Commercial customers in US-1, US-2, EU-1 must have TLS 1.2 support enabled in
Operating Systems, Web Browsers and HTTP Clients to prevent interruption of service
and protection.
SENSOR DEPLOYMENT (MAC OS):
Falcon Console Guest - answer-User MGN:
- View Documentation and your own user profile.
- View Support Portal
User MGN: Falcon Administrator - answer-User MGN:
- Access all functionality in the console with the exception of some RTR functionality.
Workflow Author - answer-User MGN:
- Create and edit workflows.
- Re-execute failed workflows.
- This role requires at least one other role to be able to access the falcon console.
- Cannot include RTR actions unless also assigned the RTR Administrator Role.
Dashboard Admin - answer-User MGN:
- Create, edit, manage and delete dashboards.
- This role requires at least one other role to be able to access the falcon console.
Prevention Policy Manager - answer-User MGN:
- Create, edit and delete prevention policies.
- This role can also view dashboards, host management, detections, file exclusions &
sensor update policy.
Desktop Support Analyst - answer-User MGN:
- Install sensor, troubleshoot, view manuals.
- Access docs about products functions and restrictions.
Help Desk Analyst - answer-User MGN:
- View Detections, host management, installation tokens, prevention policies, file
exclusions, sensor update policies & dashboards.
PREVENT ROLES: Falcon Administrator - answer-PREVENT ROLES:
- Access all functionality in console with exception of some RTR functionality and custom
IOAs.
PREVENT ROLES: Falcon Security Lead - answer-PREVENT ROLES:
- Manage detections, manage quarantined files, contain hosts, view exclusions.
- Search for events, reset user credentials & 2FA.
- View data about assets, accounts and applications in Discover.
PREVENT ROLES: Falcon Analyst - answer-PREVENT ROLES:
- Manage detections and quarantined files.
- View Exclusions and Host Management.
- View Firewall Rules, rule groups, policies and audit logs.
,PREVENT ROLES: Falcon Analyst - Read Only - answer-PREVENT ROLES:
- View detections and exclusions and search events.
- View all Identity Protection info.
- View firewall rules, rule groups, policies and audit logs.
PREVENT ROLES: Quarantine Manager - answer-PREVENT ROLES:
- View, release and manage quarantined files.
PREVENT ROLES: Endpoint Manager - answer-PREVENT ROLES:
- Manage sensor deployment and maintain sensor configuration and update policies.
- Create, edit and delete host groups and firewall rules.
PREVENT ROLES: Detections Exceptions Manager - answer-PREVENT ROLES:
- Add, edit and manage custom IOCs, ML Exclusions, IOA Exclusions and Sensor Visibility
Exclusions.
PREVENT ROLES: Remediation Manager - answer-PREVENT ROLES:
- View and manage remediation actions taken by the Falcon console.
Capabilities and Limitations: RTR READ ONLY ANALYST - answer-Capabilities and
Limitations:
+ Can run a core set of read-only response commands to perform reconnaissance.
- Cannot extract files, modify the device, or run certain scripts.
- No access to "Edit and RunScript" tab.
Capabilities and Limitations: RTR ACTIVE RESPONDER - answer-Capabilities and
Limitations:
+ More access than RTR Read Only Analyst.
+ Can extract files using get command, can run commands that modify the device and
run certain custom scripts.
- Cannot create custom scripts, cannot upload files to hosts using put command and
cannot directly run executables using the run command.
- No access to "Edit and RunScript" tab.
Capabilities and Limitations: RTR ADMINISTRATOR - answer-Capabilities and Limitations:
+ Can do everything the RESPONDER can do.
+ Plus create custom scripts, upload files to hosts using put, and directly run
executables using run.
+ There are no limitations to this role.
Create, edit, delete a new user:
How do you Add a user? (How do you traverse through the UI to add a user) - answer-*
ADMINISTRATIVE role for your Falcon subscription, such as FALCON ADMINISTRATOR is
required *
- Host setup and management > Falcon users > User management.
- Click Add User in the upper right of the window.
- Enter users email address, first name, last name.
,- Select one or more roles.
- Click Add User
Create, edit, delete a new user:
How do you add a Delete? (How do you traverse through the UI to Delete a user) -
answer-* ADMINISTRATIVE role for your Falcon subscription, such as FALCON
ADMINISTRATOR is required *
- Host setup and management > Falcon users > User management.
- Find the desired user.
- Click three-dot menu.
- Select Delete User.
- At confirmation, select Delete.
You can also delete a user from the three-dot menu inside the User details.
Create, edit, delete a new user:
How do you Edit a user? (How do you traverse through the UI to Edit a user) - answer--
Edit username
- Edit Roles
- Reset 2FA
- Reset Password
A Falcon Administrator can make all changes to a user.
A Falcon Security Lead can reset 2FA and password but cannot change the user or assign
roles.
Single Sign On - answer-If SSO isn't enabled in your environment, CrowdStrike sends an
automated email to the user, prompting them to create a Falcon password and configure
2FA. If SSO is enabled, CrowdStrike doesn't send an automated email to the user.
If you're planning to enable single sign-on (SSO), the email address must match the
information in your Identity Provider.
SENSOR DEPLOYMENT (Windows OS)
Required Services installed and running - answer-Sensor Deployment:
- LM Hosts
- Network Store Interface (NSI)
- Windows Base Filtering Engine (BFE)
- Windows Power Services (Power)
* LMHosts may be disabled if TCP/IP NetBios Helper is disabled*
SENSOR DEPLOYMENT (Windows OS):
using a proxy - Requirements
, using Web Proxy Automatic Discover (WPAD) - Requirements - answer-SENSOR
DEPLOYMENT:
- WinHTTP AutoProxy must be running.
- DHCP Client must be running.
SENSOR DEPLOYMENT (Windows OS):
Registry Key Configuration - answer-SENSOR DEPLOYMENT:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\type
- Value must be '0x00000020'
*This is the defaulted Microsoft setting for this key.
- answer-SENSOR DEPLOYMENT (Windows OS)
SENSOR DEPLOYMENT (Windows OS):
Log File Location - answer-SENSOR DEPLOYMENT:
%LOCALAPPDATA%\temp\
SENSOR DEPLOYMENT (Windows OS):
Networking Protocols - answer-SENSOR DEPLOYMENT:
Falcon on commercial cloud:
- TLS 1.0 or later
Falcon on GovCloud:
- TLS 1.1 or later
*CrowdStrike cloud DOES NOT support connecting via SSL.
Falcon uses TLS 1.2 on Win7 and WinServer 2008 R2 to communicate with the
CrowdStrike cloud.
If TLS 1.2 has been disabled, Falcon will negotiate TLS 1.1 or TLS 1.0
Falcon Commercial customers in US-1, US-2, EU-1 must have TLS 1.2 support enabled in
Operating Systems, Web Browsers and HTTP Clients to prevent interruption of service
and protection.
SENSOR DEPLOYMENT (MAC OS):
