How does a DNSRequest event link to its responsible process?
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, a DNSRequest event contains information about a DNS query made by a process. The event has several fields, such as DomainName, QueryType, QueryResponseCode, etc. The field that links a DNSRequest event to its responsible process is ContextProcessId_decimal, which contains the decimal value of the process ID of the process that generated the event. You can use this field to trace the process lineage and identify malicious or suspicious activities.
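As an added illustration (not code from the guide or from CrowdStrike), the following Python joins constructed DNSRequest events to constructed process events on ContextProcessId_decimal, keying on the sensor id as well because process ids repeat across hosts. The ProcessRollup2 event type and its aid, TargetProcessId_decimal and ImageFileName fields are assumed from Falcon's event model and are not stated on this page.

```python
# Added example (not from the Falcon add-on guides): attribute each DNSRequest
# event to the process that issued it. ContextProcessId_decimal is from the page;
# the ProcessRollup2 event type with its aid, TargetProcessId_decimal and
# ImageFileName fields is assumed from Falcon's event data model, not the page.

# Constructed sample events, flattened as the Splunk add-on presents them.
EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "host-A", "TargetProcessId_decimal": "1001",
     "ImageFileName": r"C:\Windows\System32\svchost.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "host-A", "TargetProcessId_decimal": "1002",
     "ImageFileName": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # Same decimal process id on another sensor: must not be mixed up with host-A's 1002.
    {"event_simpleName": "ProcessRollup2", "aid": "host-B", "TargetProcessId_decimal": "1002",
     "ImageFileName": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"event_simpleName": "DNSRequest", "aid": "host-A", "ContextProcessId_decimal": "1001",
     "DomainName": "time.windows.com", "QueryType": "1"},
    {"event_simpleName": "DNSRequest", "aid": "host-A", "ContextProcessId_decimal": "1002",
     "DomainName": "unknown-domain.invalid", "QueryType": "16"},
    {"event_simpleName": "DNSRequest", "aid": "host-B", "ContextProcessId_decimal": "1002",
     "DomainName": "mozilla.org", "QueryType": "1"},
    # No ProcessRollup2 seen for this id (e.g. the process started before the data window).
    {"event_simpleName": "DNSRequest", "aid": "host-A", "ContextProcessId_decimal": "9999",
     "DomainName": "orphan.invalid", "QueryType": "1"},
]


def build_process_index(events):
    """Map (aid, TargetProcessId_decimal) -> ProcessRollup2 event.
    Process ids are only unique within one sensor, so aid is part of the key."""
    return {(e["aid"], e["TargetProcessId_decimal"]): e
            for e in events if e.get("event_simpleName") == "ProcessRollup2"}


def link_dns_to_process(events):
    """Join DNSRequest.ContextProcessId_decimal to ProcessRollup2.TargetProcessId_decimal
    on the same aid. ImageFileName is None when no matching process event exists,
    which is itself worth a second look during triage."""
    procs = build_process_index(events)
    rows = []
    for e in events:
        if e.get("event_simpleName") != "DNSRequest":
            continue
        proc = procs.get((e["aid"], e["ContextProcessId_decimal"]))
        rows.append({"aid": e["aid"], "DomainName": e["DomainName"],
                     "ContextProcessId_decimal": e["ContextProcessId_decimal"],
                     "ImageFileName": proc["ImageFileName"] if proc else None})
    return rows


if __name__ == "__main__":
    for row in link_dns_to_process(EVENTS):
        print(row)
```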
Where are quarantined files stored on Windows hosts?
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you quarantine a file from a host using IOC Management or Real Time Response (RTR), you are moving it from its original location to a secure location on the host where it cannot be executed. The file is also encrypted and renamed with a random string of characters. On Windows hosts, quarantined files are stored in the C:\Windows\System32\Drivers\CrowdStrike\Quarantine folder.
Which Executive Summary dashboard item indicates sensors running with unsupported versions?
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Executive Summary dashboard provides an overview of your sensor health and activity. It includes various items, such as Active Sensors, Inactive Sensors, Detections by Severity, etc. The item that indicates sensors running with unsupported versions is Sensors in RFM (Reduced Functionality Mode). RFM is a state where a sensor has limited functionality due to various reasons, such as license expiration, network issues, tampering attempts, or unsupported versions. You can see the number and percentage of sensors in RFM and the reasons why they are in RFM.
How long are quarantined files stored on the host?
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, quarantined files are never deleted from the host unless you manually delete them or release them from quarantine. When you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.