Investigating with Falcon Forensics - FHT 280

WGAC-CRO-FHT280

Description

This course is for threat hunters or anyone who will utilize Falcon Forensics to collect forensic information and use that information to perform investigations.

The course utilizes Falcon Forensics within the Investigate application to perform basic investigations using various dashboards.

Learners will study the forensic data collected, basic Splunk syntax, and searches relevant to investigations.

To obtain the maximum benefit from this class, you should meet the following requirements:

  • Comprehend course curriculum presented in English
  • Complete FHT 180: Falcon Forensics Fundamentals
  • Have an intermediate knowledge of cybersecurity incident investigation and the incident lifecycle
  • Have a working knowledge of Windows forensic artifacts, including amcache/shimcache/prefetch, registry, event logs, scheduled tasks/jobs, users/groups, etc.
  • Perform basic operations on a personal computer
  • Be familiar with the Microsoft Windows environment

Students who complete this course should be able to:

  • Identify the information collected and artifacts created when running Falcon Forensics
  • Navigate the Falcon Forensics dashboards
  • Recall the Event Data Dictionary and sourcetypes
  • Identify interesting items in the Quick Wins dashboard
  • Use the Host Timeline dashboard to effectively narrow in on a specific timeline and host
  • Investigate interesting information in the Host Info dashboard
  • Investigate using Splunk queries

WELCOME

  • Who we are
  • Who you are
  • Administrative items
  • Course overview/agenda

INTRODUCTION TO FALCON FORENSICS

  • Using Falcon Forensics to conduct forensic investigations
  • How Falcon Forensics works
  • Information that Falcon Forensics collects
  • Artifacts created when running Falcon Forensics

DEPLOY FALCON FORENSICS

  • Items necessary for deployment
  • Basic steps to deploy the binary to specific hosts
  • Alternative methods of deployment

INVESTIGATE WITH DASHBOARDS

  • Navigating the Falcon Forensics dashboards
  • Using the Quick Wins dashboard to identify interesting items
  • Pivoting to a Splunk query from a dashboard panel
  • Exporting data from a panel
  • Using the Host Timeline dashboard to view a specific timeline and host
  • Using the Host Info dashboard to investigate interesting information

INVESTIGATE WITH SPLUNK SEARCHES

  • Introduction to Splunk and how to use it
  • Investigating using Splunk queries
  • Using Splunk macros in an investigation
  • Using advanced Splunk search commands