GB
/
GBP
Image
Filter Events

Investigating and Querying Event Data with Falcon EDR - FHT 202

WGAC-CRO-FHT202

Crowdstrike Training Courses Certification

Schedule

See all Courses

Description

This course is intended for roles who use Falcon Insight to detect, investigate and respond to incidents using proactive investigation techniques. It is appropriate for those who use CrowdStrike® Falcon to find evidence of incidents that did not raise alerts by other means. Positions might include hunt team members, security analyst, SOC analyst, security engineer, IT security operations manager, security administrator, endpoint security administrator and channel sales engineers. 

1-day program

To obtain the maximum benefit from this class, you should meet the following requirements:

  • Comprehend curriculum presented in English
  • Have intermediate knowledge of cybersecurity incident investigation and the incident lifecycle
  • Completion of the FHT100-level course material in CrowdStrike University
  • Completion of FHT 201 or be familiar with Falcon and detection analysis
  • Be familiar with the Microsoft Windows environment

Students who complete this course should be able to:

  • Simulate attacker activity
  • Perform proactive search queries in Falcon using the automated queries and reports
  • Understand basic Splunk query syntax
  • Discover new events using custom queries
  • Describe integration and automation workflow using Falcon Connect

INTRODUCTION

  • Who we are
  • Who you are
  • Administrative items
  • Course overview/agenda

FHT 202 KEY LEARNING CONCEPTS

  • General analytical process
  • Appliction refresher
  • Detection workflow

REAL WORLD SCENARIOS

  • Student exercises
  • Web Shell Attack
  • Privilege Escalation

EVENT SEARCHING – AUTOMATED QUERIES

  • Host Search
  • Hash Search
  • User Search
  • Source IP Search
  • Bulk Hash Search
  • Bulk Domain Search
  • Activity queries

Bulk Destination IP search

Linux Sensor Report

Mac Sensor Report

  • Timeline queries

Host timeline

Process timeline

  • Hunting and visibility reports

Hunting reports

Visibility reports

  • Sensor reports
  • Audit reports
  • Student exercises

Host timeline

Process timeline

Social engineering

Detections/ransomware detections

Performing a hash search

PowerShell-related detection

PowerShell hunting reports

False positives

Encoded Powershell commands

REPORTING

  • Detections
  • Executive Summary Dashboard
  • Detection Activity Dashboard
  • Detection Resolution Dashboard
  • Detection Resolution Dashboard
  • Exporting process data
  • Process table
  • Process activity
  • PNG
  • Student exercises

Credential theft

NGAV detections

PROACTIVE INVESTIGATION METHODS

  • Bulk IP Search
  • Bulk Domain Search
  • Student exercises

IP and domain searching

Pivoting

Investigate a complex phishing attack

Additional scenarios as time allows

We use cookies to understand how you use our site and to improve your experience. To learn more, click here. Read our revised Privacy Policy and Terms and Conditions.