• Use MITRE ATT&CK information within Falcon to provide context to a detection
  • Explain what information the MITRE ATT&CK framework provides
  • Recommend courses of action based on the analysis of information provided within the Falcon platform
  • Explain what general information is on the Detections dashboard
  • Explain what information is in the Activity > Detections page
  • Describe the different sources of detections within the Falcon platform
  • Interpret the data contained in Host Search results
  • Interpret the data contained in Hash Search results
  • Demonstrate how to pivot from a detection to a Process Timeline
  • Explain what contextual event data is available in a detection (IP/DNS/Disk/etc.)
  • Explain how detection filtering and grouping might be used
  • Explain when to use built-in OSINT tools
  • Explain the difference between Global vs. Local Prevalence
  • Explain what Full Detection Details will provide
  • Explain how to get to Full Detection Details
  • Analyze process relationships using the information contained in the Full Detection Details
  • Explain what type of data the View As Process Tree, View As Process Table and View As Process Activity views provide
  • Explain how to identify managed/unmanaged Neighbors for an endpoint during a Host Search
  • Explain the purpose of assigning a detection to an analyst
  • Triage a non-Falcon Indicator of Compromise (IOC) in the Falcon UI
  • Describe what the different policies (Block, Block and Hide Detection, Detect Only, Allow, No Action) do
  • Explain the effects of allowlisting and blocklisting
  • Explain the effects of machine learning exclusion rules
  • Explain the effects of Sensor Visibility exclusions
  • Explain the effects of IOA exclusions
  • State the retention period for quarantined files
  • Describe what happens when you release a quarantined file
  • Download a quarantined file
  • Based on a detection, determine which investigate tools, e.g., host, hash, etc., to use based on best practices
  • Perform an Event Search from a detection and refine a search using event actions
  • Explain what event actions do
  • Explain key event types
    1. Describe general use cases for event searching
    2. Perform a basic keyword search
    3. Use Splunk syntax to refine your search (using fields such as ComputerName, event_simpleName, etc.)
    4. Use interesting fields to refine your search
    5. From the Statistics tab, use the left-click filters to refine your search
    6. Describe the process relationship (Target/Parent/Context)
    7. Explain how the rename command is used in a query related to associated event data, such as parent/target/context relationships
    8. Explain what the “table” command does and demonstrate how it can be used for formatting output
    9. Explain what the “stats count by” command does and demonstrate how it can be used for statistical analysis
    10. Explain what the “join” command does and how it can be used to join disparate queries
    11. Explain key event data types
    12. Export search results
    13. Convert and format Unix times to UTC-readable time
  • Explain what information a process Timeline will provide
  • Explain what information a Host Timeline will provide
  • Describe the process relationship (Target/Parent/Context)
  • Analyze and recognize suspicious overt malicious behaviors
  • Demonstrate knowledge of target systems (asset inventory and who would target those assets)
  • Evaluate information for reliability, validity and relevance for use in the process of elimination
  • Identify alternative analytical interpretations to minimize and reduce false positives
  • Decode and understand PowerShell/CMD activity
  • Recognize patterns such as an enterprise-wide file infection process and attempt to determine the root cause or source of the infection
  • Differentiate testing, DevOps or general user activity from adversary behavior
  • Identify the vulnerability exploited from an initial attack vector
  • Retrieve the information required to generate a Process Timeline
  • Demonstrate how to get to a Process Explorer from an Event Search
  • Find quarantined files
  • Export detection and process data from Full Detection Details for further review
  • Explain what information is in the Detection Activity Report
  • Describe what information is in the Executive Summary Dashboard
  • Describe what information is in the Detection Resolution Dashboard
  • Explain what information a Linux Sensor Report will provide
  • Explain what information a Mac Sensor Report will provide
  • Locate built-in Hunting reports and explain what they provide
  • Explain what information the PowerShell Hunt report provides and demonstrate how to filter it
  • Demonstrate the ability to find built-in visibility reports and explain what they provide
  • Explain what information a User Search provides
  • Explain what information an IP Search provides
  • Explain what information a Hash Executions search provides
  • Explain what information a Hash Search provides
  • Explain what information a Bulk Domain Search provides

PRACTICE TEST AND INTERVIEW QUESTIONS

At CyberVZN trainings, we provide practice tests at the end of the course, Splunk interview questions and answers, community questions and answers, and sample resumes to help you crack the interview.