WINDOWS SAMPLE DETECTION & TESTING
To help you get started, we have pre-populated your Falcon trial with three simulated sample detections. These let you explore how detections appear in the Falcon interface without having to run an actual attack.
1. Viewing Detections
The Falcon interface Detections view shows recent detections in your environment.
The three sample detections are named Sample-Detect-1, Sample-Detect-2, and Sample-Detect-3, and are attributed to the username Trial.
Learn more by clicking on any of the three detections. When you do so, an Execution Details panel appears on the right and an expanded view of all processes involved in the detection shows in the main window.
In Execution Details, you can learn about the specific detection. Falcon also provides information about tactics, techniques, and objectives used in each detection. You can also see what prevention actions Falcon took, plus get details about the commands, executables, and files involved.
By default, Execution Details displays information about the final process in the detection.
2. Process Views
Falcon provides three process views to help you visualize a detection. Click the Full detection details icon in any detection row to expose the View as drop-down menu in the Detections page’s upper right corner.
a. Select View as Process Tree, View as Process Table, or View as Process
After you have reviewed the sample detection, you can optionally change its status. Click on “New” to update it:
b. A dialog window will open. Change the status to “Ignored” and click “Update”. Ignored is appropriate for these simulated samples; for a real detection, set the status that reflects your triage outcome, because status is how your team tracks which alerts still need attention.
3. Generating Your Own Detection
It’s easy to create a detection from the computer where you installed the Falcon sensor as well. To do so, run this harmless test command on the computer:
a. Open a Windows command prompt (cmd.exe)
b. Type or copy and paste this command:
choice /M crowdstrike_sample_detection
A prompt will appear asking you to type Y for yes or N for no. Note that a test detection will occur regardless of how you answer.
c. Switch back to the Falcon console and open Activity > Detections to inspect the new alert. You may need to refresh the page.
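The same test, scripted so it can be run unattended and so the details an analyst needs to find the alert are recorded up front. This is an added example, not part of the CrowdStrike trial guide: it checks that the Falcon sensor service is running before generating the detection, then records hostname, user and UTC time so the alert can be matched in Activity > Detections. The service name CSFalconService and the assumption that an auto-answered run of the command is detected the same way as an interactive one are assumptions, not statements from the guide.

```powershell
# Added example (not from the CrowdStrike trial guide): generate the Falcon
# sample detection from PowerShell and record what is needed to locate it.

# The Falcon sensor's Windows service name is assumed to be 'CSFalconService'.
$sensorService = 'CSFalconService'

function Test-FalconSensorRunning {
    # A detection can only be reported if the sensor is installed and running.
    $svc = Get-Service -Name $sensorService -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning "Service '$sensorService' not found; the sensor may not be installed on this host."
        return $false
    }
    if ($svc.Status -ne 'Running') {
        Write-Warning "Service '$sensorService' is $($svc.Status), not Running; nothing will be reported."
        return $false
    }
    return $true
}

function Invoke-FalconSampleDetection {
    # Record host, user and UTC start time first so the detection can be matched
    # in Activity > Detections by hostname and time window.
    $context = [ordered]@{
        Hostname = $env:COMPUTERNAME
        User     = "$env:USERDOMAIN\$env:USERNAME"
        StartUtc = (Get-Date).ToUniversalTime()
    }

    # Same test command the guide uses. /C YN restricts the answer to Y or N;
    # /T 10 waits ten seconds and /D N then answers N automatically so the
    # script can run unattended. The guide says the detection fires regardless
    # of the answer; that an auto-answered run is detected the same way as an
    # interactive one is an assumption made here.
    & "$env:SystemRoot\System32\cmd.exe" /c choice /C YN /T 10 /D N /M crowdstrike_sample_detection
    $context.ChoiceExitCode = $LASTEXITCODE   # choice returns 1 for Y, 2 for N
    $context.EndUtc = (Get-Date).ToUniversalTime()
    return [pscustomobject]$context
}

if (Test-FalconSensorRunning) {
    $result = Invoke-FalconSampleDetection
    $result | Format-List
    Write-Output ("In the Falcon console, open Activity > Detections and filter on hostname '{0}' " +
                  "with a time window starting {1:u}." -f $result.Hostname, $result.StartUtc)
}
```

If no detection appears after a few minutes and a page refresh, confirm that the host is listed in the console with a recent last-seen time and that the sensor service is running on the machine; a stopped sensor or a host that has not yet registered with the console are the usual reasons the test alert never shows up.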