Zero Trust Architecture
- 1.1 Describe what the NIST SP 800-207 framework for Zero Trust architecture defines
- 1.2 Describe the security need and impetus for the Zero Trust architecture
- 1.3 Describe the implementation of the Zero Trust architecture within Falcon Identity Protection
- 1.4 Describe the fundamental principles of Zero Trust (continuous validation, etc.)
- 1.5 Describe the difference between a traditional "wall-and-moat" security model and a modern Zero Trust model
- 1.6 Describe some of the key use cases for Falcon Zero Trust
- 1.7 Describe how a Falcon user's Zero Trust Assessment (ZTA) score is calculated

Identity Protection Tenets
- 2.1 Describe the identity protection architecture employed at CrowdStrike as a part of the Falcon Identity Protection module
- 2.2 Describe how Falcon Identity Protection inspects traffic in the domain
- 2.3 Describe how Falcon Identity Protection complements traditional EDR solutions
- 2.4 Describe how Falcon Identity Protection helps secure against the human elements of security vulnerability
- 2.5 Describe how Falcon Identity Protection empowers the team to mitigate and prevent identity-based exploits and attacks
- 2.6 Identify key differences between Falcon Identity Protection log-free detections and traditional EDR solutions
- 2.7 Describe the threat landscape and the need for identity-based security solutions

Falcon Identity Protection Fundamentals
- 3.1 Identify the menu categories (monitor, enforce, explore and configure) of Falcon Identity Protection
- 3.2 Describe the contents of each menu category (monitor, enforce, explore and configure) within Falcon Identity Protection
- 3.3 Identify the goal of each menu category (monitor, enforce, explore and configure)
- 3.4 Recognize the availability of specific tools limited by product subscription for Identity Threat Detection vs. Identity Threat Protection (ITD vs. ITP)
- 3.5 Describe the purpose of Falcon Identity Protection in general security terms
- 3.6 Explain how Falcon Identity Protection works to mitigate threats that bypass traditional MITRE ATT&CK framework vectors
- 3.7 Describe the Falcon roles working within Falcon Identity Protection and the features available to those roles

Domain Security Assessment
- 4.1 Explain what the Risk Score represents in the domain
- 4.2 Describe how the Score Trend is represented and how to affect the score
- 4.3 Explain the Risk Matrix and how risks are represented
- 4.4 Describe how to lower the domain risk score
- 4.5 Explain and describe how to prioritize addressing risks in the domains
- 4.6 Describe where Falcon Identity Protection fits in the security model
- 4.7 Explain the factors that contribute to the domain risk scores
- 4.8 Describe what "Severity," "Likelihood" and "Consequence" mean in terms of potential risk factors related to identity
- 4.9 Define the goals in the Domain Security overview and how they relate to identity protection outcomes
- 4.10 Describe how to change the "Goal" and what each goal in the domain security overview is geared toward
- 4.11 Describe how to change "Scope" and what that does for the Overview dashboard

Risk Assessment
- 5.1 Describe the categories of entity risk (low, medium, high) and their thresholds
- 5.2 Demonstrate how to move a user from higher to lower risk
- 5.3 Describe the elements that contribute to higher Risk Scores
- 5.4 Explain the Risk Analysis dashboard
- 5.5 Explain the Event Analysis dashboard
- 5.6 Apply filters for targeted risk analysis
- 5.7 Explain how to generate custom insights with filters
- 5.8 Describe how to create a custom report
- 5.9 Explain when to create a custom insight versus a custom report
- 5.10 Describe how to export and schedule custom reports

User Assessment
- 6.1 Describe the attributes and data points associated with users in Falcon Identity Protection
- 6.2 Explain the difference between a user, an endpoint and an entity
- 6.3 Describe the difference between human and programmatic accounts
- 6.4 Describe the icons and their meaning when identifying users
- 6.5 Explain what the default insights do in the Users view
- 6.6 Explain how to create custom filters in the Users view
- 6.7 Describe how high-risk users are baselined
- 6.8 Explain the risk baselining process and various timelines needed for accurate baselines
- 6.9 Describe the various risky types of accounts (stale, never logged in, compromised password, etc.) and the risks they pose
- 6.10 Explain how to add custom lists to the Compromised Password directory
- 6.11 Explain what risks users with elevated privileges pose and how to assess those users
- 6.12 Explain the user watchlist and honeytoken accounts
- 6.13 Describe the use cases for a honeytoken account

Threat Hunting and Investigation
- 7.1 Describe an identity-based detection
- 7.2 Describe an identity-based incident
- 7.3 Describe the investigation pivots available from an identity-based incident
- 7.4 Explain the difference between an identity-based incident and detection
- 7.5 Describe how to pivot to related entities
- 7.6 Explain how to navigate an identity-based incident tree
- 7.7 Describe the evolution of an incident over time as more detections accumulate
- 7.8 Describe the information contained in the different types of identity-based detections
- 7.9 Explain the key information highlighted in various detections
- 7.10 Describe how to filter and search for detections
- 7.11 Demonstrate how to investigate the history of an incident and potential incident type changes
- 7.12 Explain how to enable/disable detection exclusions
- 7.13 Describe how to add exceptions to detection exclusions
- 7.14 Describe the logic behind detection exclusions
- 7.15 Describe the use cases for enabling or disabling detection types
- 7.16 Describe the difference between a detection-based risk and an analysis-based risk

Risk Management with Policy Rules
- 8.1 Describe the purpose of policy rules and policy groups
- 8.2 Demonstrate the policy rule creation process
- 8.3 Explain the purpose of the various triggers and conditions within a policy rule
- 8.4 Explain how to enable and disable policy rules
- 8.5 Explain how to group, ungroup and manage groups of rules
- 8.6 Describe how to apply any changes made to policy rules
- 8.7 Describe the Falcon role(s) necessary to write and manage policy rules

Configuration and Connectors
- 9.1 Describe how to monitor the domain controllers (DCs) in the domain (visibility into the DCs reporting and endpoints per DC)
- 9.2 Describe how to create and manage subnets
- 9.3 Explain how to enforce policy rules using subnets
- 9.4 Explain the risk configuration settings
- 9.5 Describe how to add exceptions to risk configurations
- 9.6 Explain the two types of connectors (MFA, IDaaS)
- 9.7 Explain the two types of MFA connectors (Cloud MFA, On-Premises RADIUS MFA)
- 9.8 Identify the supported MFA and IDaaS connectors
- 9.9 Describe where to find connector setup documentation
- 9.10 Describe how to enable authentication traffic inspection (ATI) on DCs in the domain
- 9.11 Describe the configuration options available within Falcon Identity Protection policies as they relate to data captured by the Falcon sensor
- 9.12 Describe what business privileges are, and how they impact entities
- 9.13 Explain how configured blocklisted/allowlisted countries impact detections

Multifactor Authentication (MFA) and Identity-as-a-Service (IDaaS) Configuration Basics
- 10.1 Explain how to access the IDaaS and MFA configuration settings
- 10.2 Explain the configuration fields associated with the various connectors
- 10.3 Describe how to configure the settings for MFA connectors
- 10.4 Describe how to enable third-party MFA for Falcon Identity Protection
- 10.5 Describe how Falcon Identity Protection extends the capabilities of existing MFA providers rather than replacing them

Falcon Fusion SOAR for Identity Protection
- 11.1 Describe the building blocks of a Falcon Fusion SOAR workflow
- 11.2 Explain how to define triggers
- 11.3 Explain how to add conditions
- 11.4 Explain what various conditions do and how to combine them to limit the scope of a workflow
- 11.5 Describe how to create custom, templated, scheduled and on-demand workflows
- 11.6 Describe how to create branching workflows and loops
- 11.7 Create workflows in Falcon Fusion SOAR to accomplish specific goals

GraphQL API
- 12.1 Describe where you can find Identity API (GraphQL) documentation
- 12.2 Create an API key specific to Falcon Identity Protection
- 12.3 Describe the differences between the Falcon Identity Protection API permissions
- 12.4 Pivot from a Threat Hunter search into GraphQL
- 12.5 Build a simple query that returns all privileged users with high risk

Official Information
https://assets.crowdstrike.com/is/content/crowdstrikeinc/Guide-_-CSU-Exam-Guide-CrowdStrike-Certified-Cloud-Specialist-CCIS_newpdf