Question 1

What files or processes should I leave out of CrowdStrike Falcon?

Accepted Answer

Recommended exclusions in CrowdStrike Falcon include files, folders, or processes that are critical to operations or known to cause false positives, such as legacy application files and essential system processes.

Question 2

How do I find things to exclude in CrowdStrike Falcon?

Accepted Answer

To identify candidates for exclusion, monitor for false positives during scans and review application logs for flagged legitimate applications. Tools like Sysinternals Process Monitor can help track file access and identify conflicting processes.

Question 3

What do I do after I find exclusions in CrowdStrike Falcon?

Accepted Answer

Once you identify exclusions, follow the outlined steps to exclude these items, document each exclusion, and maintain a change log. Always assess the security risks associated with exclusions before finalizing your decisions.

Question 4

How can I test exclusions in CrowdStrike Falcon before rolling them out?

Accepted Answer

To test exclusions in CrowdStrike Falcon effectively, follow these steps:

1. **Create a Test Group**: Select a small, diverse subset of endpoints representing your environment.

2. **Apply Exclusions**: Implement exclusions only for this test group, documenting each exclusion per endpoint.

3. **Monitoring and Logging**: Monitor for unusual behavior using CrowdStrike’s logging tools, focusing on previously flagged false positives.

4. **User Feedback**: Collect feedback from users in the test group regarding application performance and security concerns after applying exclusions.

5. **Iterate**: Adjust exclusions based on monitoring data and user feedback. Refine or explore alternative solutions for persistent issues.

Once confident in the security of the exclusions, roll them out across your environment while continuing to monitor closely.

Question 5

How often should I check and manage exclusions in CrowdStrike Falcon for best security?

Accepted Answer

To effectively review and manage exclusions in CrowdStrike Falcon, follow these best practices:

1. **Scheduled Reviews**: Conduct quarterly reviews or after significant changes to your infrastructure to assess the necessity of exclusions.

2. **Review Documentation**: Evaluate each exclusion against current operational needs, considering whether they remain critical or if updates have resolved previous conflicts.

3. **Risk Assessment**: Assess the risks of removing exclusions and ensure adequate security measures are in place, informed by the latest threat intelligence.

4. **Feedback Loop**: Create a mechanism for users to report issues related to exclusions, providing insights into their impact on productivity.

5. **Utilize Reporting Tools**: Analyze alert trends using CrowdStrike Falcon’s reporting features to determine the relevance of exclusions.

6. **Engage Stakeholders**: Involve IT security teams and application owners to align exclusions with business objectives, ensuring security is not compromised.

These steps help maintain optimal security while managing exclusions effectively.

How to Configure Exclusions in CrowdStrike Falcon

Step 1: Log Into the CrowdStrike Falcon Console

Step 3: Add Exclusions

File or Folder Exclusions

Best Practices for Exclusions

Frequently Asked Questions

Need Professional Help?

Creating and Managing User Roles in CrowdStrike Falcon

How to Configure CrowdStrike Exclusions for Exchange Server

Deploying the CrowdStrike Falcon Sensor Using Group Policy (GPO)