Falcon ‐ IOC management - mluchettii/internship-portfolio GitHub Wiki
Creating an indicator
In this section, I will create an indicator for StartBlueScreen.exe, a known trojan. I start by copying the hash.
I pasted the hash in the first field, gave it an accurate description and filename, indicated that it affects Windows systems, then labeled it as High severity with the action set to Block. After adding the hash, the Falcon sensor will automatically detect any file with this unique hash and quarantine it.
Creating an ML exclusion
It's also possible to create machine learning exclusions. As an example, I created an exclusion for the Falcon Sensor installer located in my Downloads folder. Now the Falcon sensor will exclude that file from consideration. This option is very useful for fine-tuning false positives.
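To make the two operations above concrete, here is an added example, not part of this wiki page and not CrowdStrike's own code or API, that models what a hash indicator with a Block action and a path-based exclusion do on an endpoint: it validates the indicator the way the console form does (a SHA-256 value, a platform, a severity, an action), computes the hash of a file's contents, and returns the decision the sensor would take. The trojan sample, the installer bytes, the installer filename `FalconSensorInstaller.exe` and the exclusion pattern are all constructed placeholders, and the `HashIndicator`/`evaluate` names are assumptions of this example only.

```python
import fnmatch
import hashlib
import re
from dataclasses import dataclass

# Console-style constraints assumed for this example: a hash indicator is a
# 64-hex-character SHA-256, one of four severities, and one of two actions.
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
SEVERITIES = {"low", "medium", "high", "critical"}
ACTIONS = {"detect", "block"}


@dataclass(frozen=True)
class HashIndicator:
    sha256: str          # stored lower-case so matching is case-insensitive
    description: str
    filename: str
    platforms: frozenset  # e.g. {"windows"}
    severity: str
    action: str


def is_valid_sha256(value: str) -> bool:
    return bool(SHA256_RE.match(value))


def make_indicator(sha256, description, filename, platforms, severity, action):
    """Validate the form fields before creating the indicator, as the console does."""
    if not is_valid_sha256(sha256):
        raise ValueError("indicator value must be a 64-hex-character SHA-256")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")
    return HashIndicator(sha256.lower(), description, filename,
                         frozenset(platforms), severity, action)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(data: bytes, path: str, platform: str, indicators, exclusions) -> str:
    """Return 'excluded', 'block', 'detect' or 'allow' for one file on one host.

    Exclusions are checked first: a file under an excluded path is never
    considered, which is exactly why an exclusion must be scoped narrowly.
    Windows paths are case-insensitive, so both sides are lower-cased.
    """
    for pattern in exclusions:
        if fnmatch.fnmatchcase(path.lower(), pattern.lower()):
            return "excluded"
    digest = sha256_of(data)
    for ioc in indicators:
        if ioc.sha256 == digest and platform in ioc.platforms:
            return ioc.action
    return "allow"


# Constructed sample inputs (not real malware or real hashes).
TROJAN_BYTES = b"constructed sample standing in for StartBlueScreen.exe"
INSTALLER_BYTES = b"constructed sample standing in for the Falcon Sensor installer"
BENIGN_BYTES = b"constructed sample standing in for an ordinary document"

# The indicator created in the walkthrough: Windows only, High, Block.
# The value is passed upper-case to show that matching normalises case.
TROJAN_INDICATOR = make_indicator(
    sha256_of(TROJAN_BYTES).upper(),
    description="StartBlueScreen trojan (constructed example)",
    filename="StartBlueScreen.exe",
    platforms={"windows"},
    severity="high",
    action="block",
)

# The ML exclusion created in the walkthrough, as a path pattern (constructed).
EXCLUSIONS = [r"C:\Users\*\Downloads\FalconSensorInstaller.exe"]


def demo() -> dict:
    """Decisions for each constructed file; keys are used by the test below."""
    iocs = [TROJAN_INDICATOR]
    return {
        "trojan_on_windows": evaluate(
            TROJAN_BYTES, r"C:\Users\me\Downloads\StartBlueScreen.exe", "windows", iocs, EXCLUSIONS),
        # Same hash on a platform the indicator does not cover: no action.
        "trojan_on_linux": evaluate(
            TROJAN_BYTES, "/home/me/StartBlueScreen.exe", "linux", iocs, EXCLUSIONS),
        "installer": evaluate(
            INSTALLER_BYTES, r"C:\Users\me\Downloads\FalconSensorInstaller.exe", "windows", iocs, EXCLUSIONS),
        "benign": evaluate(
            BENIGN_BYTES, r"C:\Users\me\Documents\notes.txt", "windows", iocs, EXCLUSIONS),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The `trojan_on_linux` case shows why the platform field matters: the same hash is only acted on for the platforms the indicator lists. The `installer` case shows the cost of an exclusion: whatever sits at an excluded path is never hashed or compared, so an exclusion for a Downloads folder should match one exact filename, as in the walkthrough, rather than the whole directory.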