Falcon Prevent works every day to block threats in your environment. This simplifies your day-to-day operations by reducing the number of incidents and outbreaks you have to deal with, and we further simplify endpoint security by streamlining the workflows in our management interface. We make it easy to identify high-priority alerts, triage the situation, assign it to the appropriate person and ultimately close the case.
In this section we’ll explore different ways to prioritize workflows in the Falcon UI. When you log in to the UI, you start on the "Detections Dashboard", which gives a quick overview of detections in your environment. To get details on new alerts, click the "New Detections" counter.
a. The faceted search panel across the top of the page can help filter and prioritize alerts. Notice that the Status "new" is already selected.
b. If you followed our "Section 3 - Efficacy" tests, you will probably have quite a few detections here, but they come from just two hosts: your own machine and your CloudShare malware lab. By using the "Grouping" function you can prioritize efforts by host. Clicking on the "No grouping" column lists all the grouping options. For this exercise click "Group by Host".
c. Falcon provides a detailed process tree visualization for every detection. A process tree shows the detected process together with its parent and child processes, giving an easy-to-understand picture of what happened during an attack.
The most interesting process tree that we have generated so far is from the spear phishing example. To jump to that detection select "Malicious Document" from the "Scenario" column of the faceted search at the top of the page. Select the detection and then click on the process tree icon located on the right.
d. By clicking on different elements in the process tree, the information in the details pane on the right changes to reflect the selected element. In our example, you can clearly see how the attack started with an email in Outlook, which opened an Excel document, which in turn tried to run malicious PowerShell code. That parent-child chain (Outlook spawning Excel spawning PowerShell) is what makes the detection easy to judge at a glance: a spreadsheet has no legitimate reason to launch a script interpreter.
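The process-tree view is a rendering of parent-child relationships in process-creation telemetry, and the Outlook-to-Excel-to-PowerShell chain above is a pattern you can also check for yourself outside the UI. The following is an added example, not Falcon code or Falcon telemetry: it reconstructs a tree from a handful of constructed process-creation events (PIDs, image names and command lines are made up), prints it in the indented form a process-tree view uses, and flags any script host that has an Office application anywhere in its ancestry. The lists of Office applications and script hosts are assumptions chosen for the example.

```python
"""Reconstruct a process tree from process-creation events and flag
Office-to-script-interpreter chains (the spear-phishing pattern above).

Added example, not Falcon code. The events below are constructed by hand."""

from collections import defaultdict

# Constructed events (not real telemetry): (pid, ppid, image name, command line).
EVENTS = [
    (100, 1,   "explorer.exe",   "explorer.exe"),
    (200, 100, "OUTLOOK.EXE",    "OUTLOOK.EXE /recycle"),
    (300, 200, "EXCEL.EXE",      'EXCEL.EXE "C:\\Users\\user\\AppData\\Local\\Temp\\invoice.xlsm"'),
    (400, 300, "powershell.exe", "powershell.exe -nop -w hidden -EncodedCommand JABhAD0AMQA="),
    (500, 100, "EXCEL.EXE",      'EXCEL.EXE "C:\\Users\\user\\Documents\\budget.xlsx"'),
    (600, 100, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
]

# Assumed lists for the example; extend to taste.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}


def build_tree(events):
    """Return (procs, children): pid -> event, and ppid -> [child pids]."""
    procs = {e[0]: e for e in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    return procs, children


def ancestry(procs, pid):
    """Lower-cased image names from the root down to `pid`, e.g.
    ['explorer.exe', 'outlook.exe', 'excel.exe', 'powershell.exe']."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # `seen` guards against PID-reuse loops
        seen.add(pid)
        chain.append(procs[pid][2].lower())
        pid = procs[pid][1]
    return list(reversed(chain))


def office_spawned_script_host(procs, pid):
    """True when `pid` is a script host with an Office app anywhere above it."""
    chain = ancestry(procs, pid)
    return chain[-1] in SCRIPT_HOSTS and any(p in OFFICE_APPS for p in chain[:-1])


def find_suspicious(events):
    """PIDs of every process that completes an Office-to-script-host chain."""
    procs, _ = build_tree(events)
    return sorted(pid for pid in procs if office_spawned_script_host(procs, pid))


def render(events, root_pid):
    """Indented text rendering of the tree below `root_pid`, flagged processes marked."""
    procs, children = build_tree(events)
    lines = []

    def walk(pid, depth):
        flag = "  <-- Office-to-script chain" if office_spawned_script_host(procs, pid) else ""
        lines.append(f"{'    ' * depth}{procs[pid][2]} (pid {pid}){flag}")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root_pid, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(EVENTS, 100))
    print("Flagged PIDs:", find_suspicious(EVENTS))
```

Only the PowerShell under Excel under Outlook (pid 400) is flagged; the spreadsheet opened directly from Explorer and the scheduled backup script launched from Explorer are not, which is the distinction the process tree lets you make in the UI without reading every command line.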
2. Managing Alerts
In day-to-day security operations understanding, acknowledging and managing alerts is an important activity. Falcon Prevent makes this easy.
a. Now that you have verified that this phishing attack was prevented, you can close out the alert. Click on the "New" button to update the status.
b. A dialog window will open. Change the status to "True Positive" and click the "Update" button.
c. Note that multiple alerts can be managed simultaneously. To clear all of your remaining test alerts, go back to the detections dashboard (notice that the "New" counter has decreased by one) and click on "New detections".
d. On the Detections screen, click the "Select All" box and then hit "Update & Assign".
e. A dialog window will open. Change the status to "True Positive" and click the "Update" button.
f. At this point, you have dealt with all the alerts generated by your testing and you should have a clean dashboard. This will make it easy to identify any new alerts.
From its easy-to-navigate management interface to its nearly invisible footprint on the endpoint, Falcon is designed with the user in mind. Up to now you have tested installation, performance, efficacy and management workflows. At this point you are ready to add more systems and begin replacing your existing antivirus with Falcon Prevent. In the next section we will cover deployment on a larger scale and additional installation options.