Regular Expressions in Cybersecurity

Questions and Answers

What is the function of the Containment Policy in Network Containment?

To restrict all network traffic completely.

To enable communication only with allowlisted resources. (correct)

To allow full network access for all hosts.

To monitor all network traffic without restrictions.

In IOC Management, which option allows you to retain an indicator without immediate action?

Review Later

Allow and Ignore

Block and Detect

No Action (correct)

Why is it crucial to know your company's event data retention limits?

To enhance user interface customization.

To increase the overall network speed.

To optimize hardware resource allocation.

To ensure compliance with legal regulations. (correct)

What happens to a host in Network Containment regarding network traffic?

It can send and receive traffic only to/from the Falcon Cloud and specified resources.

What is the primary purpose of the No Action option in IOC Management?

To allow indefinite tracking of indicators without enforcement.

What does Network Containment aim to achieve for a host machine?

To isolate it from external network threats.

What does the Containment Policy allow an administrator to do during a containment period?

Specify which ports, protocols, and IP addresses are allowed or blocked

Which exclusion type stops all behavioral detections for a specific Indicator of Attack (IOA)?

IOA Exclusion

Which aspect is NOT impacted by knowing data retention limits on the Falcon platform?

Understanding user access levels to the platform.

When assigning the No Action option to an IOC indicator, what is NOT true?

The indicator will be actively blocked.

Which of the following best describes the role of custom alerts?

They are generated from custom event-based triggers.

In terms of user roles within the Falcon platform, which role is typically responsible for policy configurations?

a system administrator role

What type of user action can lead to modifications in Sensor Update Policies?

Manual user intervention or policies predefined by roles

Which option is directly related to the management of Indicators of Compromise (IOCs) within the Falcon system?

IOC Exclusions

What actions can a regular user perform regarding security event handling?

View security events and reports

Which component of the Falcon platform is primarily used to enforce security policies at the network level?

Containment Policy

What is the primary purpose of using custom alerts in Splunk?

To configure email notifications for specific activities

Which of the following steps is NOT part of scheduling a custom alert?

Defining user roles

What must be saved immediately when creating an API client?

Secret

What is the most likely cause of multiple Windows hosts entering Reduced Functionality Mode (RFM)?

Sensor update policy misconfiguration

What does the secret represent when creating an API client?

A randomly generated string for authentication

Which aspect is crucial when configuring email alerts based on predefined templates?

Choosing the relevant activity topics

Which of the following is a feature of custom alerts in Splunk?

Using predefined templates for configuration

In Splunk, what is the immediate consequence of not saving the API client's secret?

Inability to authenticate future requests from that client

Study Notes

Regex and Containment Policies

• Regex Usage: Utilizing leading "." captures the beginning of a target domain and trailing "." captures variants in subdomains (e.g., www.badguydomain.com).
• Containment Policy Role: Permits customization of traffic during containment by specifying allowed/blocked ports, protocols, and IPs.

Behavioral Detections and Exclusions

• IOA Exclusion Purpose: Designed to halt all behavioral detections related to specific IOAs generated by CrowdStrike, allowing for greater control over alerts.
• Exclusion Categories: Various exclusion options exist, with the IOA Exclusion being crucial for managing behavioral detections.

Network Containment and Host Communication

• Network Containment Effect: Hosts in this state can only communicate with the Falcon Cloud and allowlisted resources, isolating them from general network traffic.
• Containment Policy Advantages: It allows continued communication of essential services while preventing broader network interactions.

IOC Management Protocols

• No Action Option Explained: This option allows saving an indicator for future action without blocking or allowing it, serving as a tracking tool.
• Future Reference Utility: Indicators with "No Action" remain in the IOC list for potential future evaluations or decisions.

Custom Alerts Configuration

• Custom Alert Scheduling: Consists of selecting a template, previewing results, and finally scheduling the alert to monitor specific activities in the environment.
• Email Notification Process: When a custom alert triggers, it notifies recipients via email without generating a new detection alert.

API Client Creation Essentials

• API Secret Importance: The secret, a crucial element for API client authentication, must be saved immediately as it is not retrievable post-creation.
• Other Client Components: While Client ID and Client Name can be modified or viewed later, the Base URL is less critical for immediate storage.

Reduced Functionality Mode (RFM) Causes

• Potential RFM Triggers: RFM may result from misconfigured Sensor Update Policies, extended offline periods for hosts, or widespread patches applied overnight.

Description

This quiz focuses on the application of regular expressions (RegEx) in cybersecurity scenarios, particularly in filtering domains and executing specific arguments. You'll engage with practical examples and test your understanding of how RegEx can effectively manage and mitigate threats in a digital environment.