This Falcon Forensics training course is for threat hunters and anyone else who will use Falcon Forensics to collect forensic information from hosts and use that information to perform investigations. The course uses Falcon Forensics within the Investigate application to perform basic investigations through its dashboards. You will learn about the forensic data collected, basic Splunk search syntax, and the searches used in investigations.
By attending the Falcon Forensics workshop, delegates will learn to:
- Identify the information collected and artifacts created when running Falcon Forensics
- Navigate the Falcon Forensics dashboards
- Recall the Event Data Dictionary and sourcetypes
- Identify interesting items in the Quick Wins dashboard
- Use the Host Timeline dashboard to effectively narrow in on a specific timeline and host
- Investigate interesting information in the Host Info dashboard
- Investigate using Splunk queries

Delegates should meet the following prerequisites:
- Have knowledge of the Falcon platform
- Have an intermediate knowledge of cybersecurity incident investigation and the incident lifecycle
- Have a working knowledge of Windows forensic artifacts, including Amcache, Shimcache, Prefetch, the registry, event logs, scheduled tasks and jobs, users and groups, etc.
