Sample Detection and Testing

To help you get started, we have pre-populated your Falcon trial with three simulated
sample detections.

These let you explore how detections appear in the Falcon interface without having to
run an actual attack.

Step-by-step instructions

Estimated Time

10 minutes

Requirements

Typical device, Mac or Windows OS and Google Chrome browser


1. Viewing Detections


  • The Detections page, under Activity in the Falcon interface, shows recent detections in your environment.
  • Three simulated detections are included in your trial. They are labeled Sample-Detect-1, Sample-Detect-2, and Sample-Detect-3, with the username Trial.

  • Learn more by clicking on any of the three detections. When you do so, an Execution Details panel appears on the right and an expanded view of all processes involved in the detection shows in the main window.
  • In Execution Details, you can learn about the specific detection. Falcon also provides information about tactics, techniques, and objectives used in each detection.

  • You can also see what prevention actions Falcon took, plus get details about the commands, executables, and files involved. By default, Execution Details displays information about the final process in the detection.

2. Process Views


  • Falcon provides three process views to help you visualize a detection.
  • Click the Full detections details icon in any detection row to expose the View as drop-down menu in the Detections page’s upper right corner.

3. Viewing options


  • From the View as drop-down, you can switch to other viewing options. Select View as Process Tree, View as Process Table, or View as Process.

  • After you have reviewed the sample detection, you can optionally change its status. Click on New to update it.

  • A dialogue window will open. Change the status to Ignored and click Update.

4. Generating Your Own Detection


It’s easy to create a detection from the computer where you installed the Falcon sensor as well. To do so, run this harmless test command on the computer:

  • Open a Windows command prompt (cmd.exe)
  • Type or copy and paste this command: choice /M crowdstrike_sample_detection

A prompt will appear asking you to type Y for yes or N for no. Note that a test detection will occur regardless of how you answer.

  • Switch back to the Falcon console and review your recent detection activity on the Detections page to inspect the new alert.
  • You may need to refresh the page to inspect the new alert.

Need help?

If you have any questions, reach out and we'll be in touch soon.

TAKE-AWAYS

During these steps you’ve downloaded the Falcon Sensor, viewed sample detections, and created your own detection.

If you didn’t do so earlier, you can add additional team members to your account under “users”. Your account currently
has Falcon Prevent, our next-generation antivirus solution, enabled.

This is the recommended module to start with, but if you’re a more advanced user you can enable additional modules
via the CS store.

Was This Section Helpful?

Your feedback is highly appreciated and will help us to improve our ability to serve you and other users of our web sites. Please send feedback about this section of the trial guide to falcontrial@crowdstrike.com.