Falcon Prevent works around the clock to block threats in your environment. This simplifies your day to day operations by reducing the number of incidents and outbreaks you have to deal with - we further simplify the task of endpoint security by streamlining workflows in our management interface.
In this section we’ll explore different ways to prioritize workflows in the Falcon UI. We make it easy to identify high priority alerts, triage threats, and assign work to the appropriate analyst.
1. Managing Workflows
When you login to the UI, you start on the "Detections Dashboard", which gives a quick overview of detections in your environment. To get details on new alerts click the "New Detections" counter.
a. The faceted search panel across the top of the page can help filter and prioritize alerts. Notice that the Status "new" is already selected.
b. Falcon provides a detailed process tree visualization for every detection. A process tree can help visualize an attack with its parent process and child processes to provide simple to understand insight into what happened during an attack.
To understand the value of the process tree, we are going to take a deeper look at the “Defense Evasion” event. We can filter to see only those detections by selecting "Defense Evasion" from the "Tactic" column of the faceted search at the top of the page. Select the detection and then click on the process tree icon located on the right.
c. By clicking on different elements in the process tree, the information in the details pane on the right changes to reflect the selected element. In our example, you can clearly see where the attack started as well as the full command line and file path.
2. Managing Alerts
In day-to-day security operations understanding, acknowledging and managing alerts is an important activity. Falcon Prevent makes this easy.
a. Now that you understand this attack, you can proceed by closing out the alert. Click on the "New" button to update the status.
b. A dialogue window will open. Change the status to "True Positive" and click the "Update" Button.
c. Note that multiple alerts can be managed simultaneously. To clear all of your remaining test alerts, go back to the detections dashboard (notice that the "New"counter has decreased by one) and click on "New detections".
d. On the Detections screen, click the "Select All" box and then hit "Update & Assign".
e. A dialogue window will open. Change the status to "True Positive" and click the "Update" Button.
f. At this point, you have dealt with all the alerts generated by your testing and you should have a clean dashboard. This will make it easy to identify any new alerts.
From its easy to navigate management interface to its nearly invisible footprint on the endpoint, Falcon is designed with the user in mind. Up to now you have tested installation, efficacy and management workflows. At this point you are ready to add more systems and begin to replace your existing antivirus with Falcon Prevent. In the next section we will cover deployment on a larger scale and additional installation options.