option
Questions
ayuda
daypo
CREATE TEST
search.php

ERASED TEST, YOU MAY BE INTERESTED ON CCFA

COMMENTS STATISTICS RECORDS
TAKE THE TEST
Title of test:
CCFA

Description:
CCFA EXAM STUDY MATERIALS USED FOR EXAM FOR STUDY

Author:
ccfaa
Other tests from this author

Creation Date: 17/10/2024

Category: Others

Number of questions: 85
Share the Test:
New CommentNuevo Comentario
No comments about this test.
Content:
What may prevent a user from logging into Falcon via single sign-on (SSO)? The SSO username doesn't match their email address in Falcon The maintenance token has expired Falcon is in reduced functionality mode The user never configured their security questions.
The Customer ID (CID) is important in which of the following scenarios? When adding a user to the Falcon console under the Users application When performing the sensor installation process When setting up API keys When performing a Host Search.
Which statement describes what is recommended for the Default Sensor Update policy? The Default Sensor Update policy should align to an organization's overall sensor updating practice while leveraging Auto N-1 and Auto N-2 configurations where possible The Default Sensor Update should be configured to always automatically upgrade to the latest sensor version Since the Default Sensor Update policy is pre-configured with recommend settings out of the box, configuration of the Default Sensor Update policy is not required No configuration is required. Once a Custom Sensor Update policy is created the Default Sensor Update policy is disabled.
You need to have the ability to monitor suspicious VBA macros. Which Sensor Visibility setting should be turned on within the Prevention policy settings? Script-based Execution Monitoring Interpreter-Only Additional User Mode Data Engine (Full Visibility).
What is the purpose of the Machine-Learning Prevention Monitoring Report? It is designed to give an administrator a quick overview of machine-learning aggressiveness settings as well as the numbers of items actually quarantined It is the dashboard used by an analyst to view all items quarantined and to release any items deemed non-malicious It is the dashboard used to see machine-learning preventions, and it is used to identify spikes in activity and possible targeted attacks It is designed to show malware that would have been blocked in your environment based on different Machine-Learning Prevention settings.
The Remote Access Graph in Visibility Reports displays: a bar chart where a bar represents a daily count of remote connections a geographical chart showing the geo-location of remote IP address a graph showing connections between hosts and users a pie chart showing a count per remote logon type.
What internet domain needs to be added to any required allowlists to allow sensors to communicate with the CrowdStrike Cloud? falconcloud.net cloudprotect-cs.net cloudsink.net csfalcon.net .
Why would you use the Prevention Policy Debug Report? To confirm that prevention policy precedence was applied to hosts To confirm the number of detections on a host To confirm that prevention policy settings were applied to a host To confirm the number of host groups to which a policy was applied.
What is the earliest version of Windows Server that a Sensor is compatible with? Server 2012 Server 2003 Server 2008 R2 SP1 Server 2008.
Which command would tell you if a Falcon Sensor was running on a Windows host? netstat.exe -f cswindiag.exe -status sc.exe query falcon sc.exe query csagent.
After Network Containing a host, your Incident Response team states they are unable to remotely connect to the host. Which of the following would need to be configured to allow remote connections from specified IP's? Response Policy IP Allowlist Management Maintenance Token Containment Policy.
On which page of the Falcon console can one locate the Customer ID (CID)? API Clients and Keys Sensor Dashboard Hosts Management Sensor Downloads.
The Falcon sensor uses certificate pinning to defend against man-in-the-middle attacks. What must you ensure is disabled for the sensor to communicate with the CrowdStrike Cloud? Proxy information Deep packet inspection NMAP scanning TCP inspection.
Which of the following tools developed by CrowdStrike is intended to help with removal of the CrowdStrike Windows Falcon Sensor? CSUninstallTool.exe UninstallTool.exe CrowdStrikeRemovalTool.exe FalconUninstall.exe.
Assume the Falcon Sensor was installed on a Virtual Machine template using the installation parameter NO_START=1. Afterward, the Virtual Machine template is rebooted. What is the effect on the Falcon Sensor after reboot? The Falcon Sensor would start, but only send a heartbeat to the Falcon console The Falcon Sensor would not automatically start on reboot. It would have to be manually started The Falcon Sensor would disable BIOS checks at startup The Falcon Sensor would start at reboot and generate an Agent ID.
What should be disabled on firewalls so that the sensor's man-in-the-middle attack protection works properly? Windows Proxy Deep packet inspection Linux Sub-System PowerShell.
Which option best describes the general process for a manual installation of the Falcon Sensor on MacOS? Grant the Falcon package Full Disk Access, install the Falcon package, load the Falcon Sensor with the command 'falconctl stats' Install the Falcon package passing it the installation token in the command line Install the Falcon package, use falconctl to license the sensor, approve the system extension, grant the sensor Full Disk Access Grant the Falcon package Full Disk Access, install the Falcon package, use falconctl to license the sensor .
Where can you find your company's Customer ID (CID)? The CID is located at Hosts setup and management > Deploy > Sensor Downloads and is listed along with the checksum The CID is located at Hosts > Host Management The CID is only available by calling support The CID is a secret key used for Falcon communication and is never shared with the customer.
Which of the following best describes what the Uninstall and Maintenance Protection setting controls within your Sensor Update Policy? Prevents the sensor from entering Reduced Functionality Mode Prevents unauthorized uninstallation of the sensor Prevents automatic updates of the sensor Prevents modification of sensor update policy.
A Falcon Administrator is trying to use Real-Time Response to start a session with a host that has a sensor installed but they are unable to connect. What is the most likely cause? The host has a user logged into it The domain controller is preventing the connection They do not have an RTR role assigned to them There is another analyst connected into it.
How can a API client secret be viewed after it has been created? Selecting "show secret" within the 3-dot dropdown menu will reveal the secret for the selected api client Within the API management page, API client secrets can be accessed within the "edit client" functionality The API client secret must be reset or a new client created as the secret cannot be viewed after it has been created The API client secret can be provided by support via direct email request from a Falcon Administrator.
Which of the following is NOT an available action for an API Client? Reset an API Client Secret Retrieve an API Client Secret Edit an API Client Delete an API Client.
The Falcon Administrator has created a new prevention policy to apply to the "Servers" group; however, when applying the new prevention policy this group is not appearing in the list of available groups. What is the most likely issue? The "Servers" group already has a policy applied to it The "Servers" group must be disabled first The new prevention policy should be enabled first Host type was not defined correctly within the prevention policy.
What critical prevention policy setting prevents sensor-related files, folders, and registry objects from being renamed or deleted? Sensor Modification Protection System Configuration Protection Sensor Tampering Protection Host Modification Protection.
When editing an existing IOA exclusion, what can NOT be edited? The exclusion name All parts of the exclusion can be changed The IOA name The hosts groups.
After enabling an IOA rule and its respective rule group, what else must be done for an IOA to be fully functional? Nothing else needs to be done; the rule should start working The rule group must be assigned to one or more prevention policies The rule needs to be manually triggered to ensure it works as intended You must individually select which hosts you would like to apply to rule to.
Which of the following uses Regex to create a detection or take a preventative action? Machine Learning Exclusion Custom IOA Custom IOC Sensor Visibility Exclusion.
When creating a custom IOA for a specific domain, which syntax would be best for detecting or preventing on all subdomains as well? .*\.baddomain\.xyz|baddomain\.xyz **baddomain\.xyz|baddomain\.xyz** .*baddomain\.xyz|baddomain\.xyz.* Custom IOA rules cannot be created for domains.
Which Real Time Response role will allow you to see all analyst session details? None of the Real Time Response roles allows this Real Time Response - Active Responder Real Time Response - Read-Only Analyst Real Time Response - Administrator.
How do user permissions function in Falcon? Custom user role permission sets are shared with all CrowdStrike customers globally Each Falcon permission needs to be selected when the user account is created User permissions grow more restrictive, the more roles assigned to a user the less capabilities they would potentially have User permissions are cumulative, the more roles assigned to a user the more capabilities they would potentially have.
If you are not able to update your Falcon sensors on a regular basis, what is the maximum recommended aging period before updating your sensors? 7 days 60 days 90 days There is no maximum aging period.
What is the purpose of the "Auto - Latest" setting in a sensor update policy? This setting overrides any user confirmation/interaction and applies the selected policy This setting automatically assigns the latest Indicator of Attack (IOA) profiles and Next-Gen Antivirus (NGAV) machine learning to the selected endpoints ensuring the highest level of security This setting automatically assigns new hosts that come online to this policy This setting will cause all assigned hosts to be updated to the most current version as soon as it becomes available.
Which of the following steps are required to delete a sensor update policy? Remove the policy from all assigned host groups, disable the policy, then click Delete from the policy's settings From the policy's settings, disable all toggles first, then click Delete Remove the policy from all assigned host groups, then click Delete from the policy's settings From the policy's settings, disable the policy, then click Delete.
What best describes the relationship between Sensor Update policies and Operating Systems? Sensor Update polices are not Operating System specific. One policy can be applied to all Operating Systems A Sensor Update policy must be configured for each Operating System (Windows, Mac, Linux) Windows and Mac share Sensor Update policies. Linux requires its own set of polices based on the different kernel versions Windows has its own Sensor Update polices. But Mac and Linux share Sensor Update policies.
Which of the following pages provides a count of sensors in Reduced Functionality Mode (RFM) by Operating System? Sensor Health Support and resources Activity Overview Hosts Overview.
What best describes what happens to detections in the console after clicking "Disable Detections" for a host from within the Host Management page? Preventions will be disabled for the host You cannot disable detections for a host The detections for the host are removed from the console immediately and no new detections will display in the console going forward Existing detections for the host remain, but no new detections will display in the console going forward.
An inactive host that does not contact the Falcon cloud will be automatically removed from the Host Management and Trash pages after how many days? 75 Days 45 Days 60 Days 90 Days.
Which statement is TRUE regarding disabling detections on a host? Hosts with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed Hosts with detections disabled will not alert on anything until detections are enabled again Hosts with detections disabled will not alert on blocklisted hashes or machine learning detections, but will still alert on IOA-based detections. It will remain that way until detections are enabled again Hosts cannot have their detections disabled individually.
What is likely the reason your Windows host would be in Reduced Functionality Mode (RFM)? A misconfiguration in your prevention policy for the host The host lost internet connectivity A Sensor Update Policy was misconfigured Microsoft updates altering the kernel.
How many days will an inactive host remain visible within the Host Management or Trash pages? 90 days 120 days 15 days 45 days.
Which of the following is TRUE regarding disabling detections for a host? The DetectionSummaryEvent continues being sent to the Streaming API for that host After disabling detections, the host will operate in Reduced Functionality Mode (RFM) until detections are enabled The detections for that host are removed from the console immediately. No new detections will display in the console going forward unless detections are enabled After disabling detections, the data for all existing detections prior to disabling detections is removed from the Event Search.
On the Host management page which filter could be used to quickly identify all devices categorized as a "Workstation" by the Falcon Platform? Status Platform Hostname Type.
Where in the console can you find a list of all hosts in your environment that are in Reduced Functionality Mode (RFM)? Containment Policy Inactive Sensor Report Host Dashboard Host Management > Filter for RFM.
How can you find a list of hosts that have not communicated with the CrowdStrike Cloud in the last 30 days? Disabled Sensors Inactive Sensors Custom Reports Sensor Report.
Which of the following would give you information about inactive sensors within the Falcon console? Sensor Coverage Lookup Sensor Health Sensor Update Policies Sensor Downloads.
What best describes what happens to detections in the console after clicking "Enable Detections" for a host which previously had its detections disabled? Enables custom detections for the host New detections will start appearing in the console, and all retroactive stored detections will be restored to the console for that host New detections will start appearing in the console immediately. Previous detections will not be restored to the console for that host Preventions will be enabled for the host .
When a Linux host is in Reduced Functionality Mode (RFM) what telemetry and protection is still offered? The sensor would provide minimal protection The sensor provides no protection, and only collects Sensor Heart Beat events The sensor would function as normal The sensor would provide protection as normal, without event telemetry.
What kind of hosts can be contained in Falcon? Only Windows hosts running the Falcon sensor Only Windows and Linux hosts running the Falcon sensor Only Windows and MacOS hosts running the Falcon sensor Any host running the Falcon sensor.
Which of the following policies allowlist network traffic even while a host is Network Contained? Firewall Policy IP Allowlist Policy Response Policy Containment Policy.
Where should you look to find the history of the successes and failures for any Falcon Fusion workflows? Custom Alert History Workflow Execution log Workflow Audit log Falcon UI Audit Trail.
What three things does a workflow condition consist of? A parameter, an operator, and a value Notifications, alerts, and API's Triggers, actions, and alerts A beginning, a middle, and an end.
Which of the following can be found in the Falcon UI Audit Trail Report? Audit records of Falcon instance billing Audit records of actions taken by both users and API clients Audit records of actions taken by only APIs Audit records of actions taken by only users.
What information does the API Audit Trail Report provide? A list of specific changes to prevention policy A list of actions taken via Falcon OAuth2-based APIs A list of newly added hosts A list of analyst login activity.
Which user role will NOT enable the user to connect to a host using Real Time Response? Real Time Response -Administrator Real Time Response - Active Responder Real Time Response - Read-Only Analyst Falcon Administrator.
Which report lists counts of sensors in Reduced Functionality Mode (RFM) for all operating system types, and tracks how long a sensor version will be supported? Reduce Functionality Audit Report Inactive Sensor Report Sensor Health Report Sensor Coverage Lookup.
You have a new patch server that should be reachable while hosts in your environment are network contained. The server’s IP address is static and does not change. Which of the following is the best approach to updating the Containment Policy to allow this? Add an allowlist entry containing CIDR notation for the /24 network the server belongs to Add an allowlist entry containing the host group that the server belongs to Add an allowlist entry for the individual server’s MAC address Add an allowlist entry for the individual server’s IP address.
What will happen to a host that is not part of any group which has a prevention policy assigned to it? The host will apply the default prevention policy The host will apply a sensor-based policy to prevent a majority of known threats The host will send a notification to the Falcon Administrator to assign a prevention policy The host will disable the falcon sensor.
Which of the following controls the speed in which your sensors will receive automatic sensor updates? Maintenance Tokens Sensor Update Policy Channel File Update Throttling Sensor Update Throttling.
After agent installation, an agent opens a permanent ____ connection over port 443 and keeps that connection open until the endpoint is turned off or the network connection is terminated. HTTP SSH TLS TCP.
When troubleshooting the Falcon Sensor on Windows, what is the correct parameter to output the log directory to a specified file? LOG=log.txt /log log.txt C:\CSSensorInstall\LogFiles \log log.txt.
During a sensor installation, what unique identifier is given to each sensor? Agent ID (AID) Security ID (SID) Computer ID (CID) Endpoint ID (EID).
Where can you find information about all supported operating systems for the Falcon sensor? Documentation News Sensor Release Notes Sensor Downloads.
What sensor update policy will a sensor receive if it does not have a host group assignment? Auto N-2 policy They don’t get a policy The default policy Auto N-1 policy.
What information is provided in “Remote or network Logon Activities” under Visibility Reports? A list of all logons for all users A list of last endpoints that a user logged in to A list of users who are remotely logged on to devices based on local IP and local port A list of unique users who are remotely logged on to devices based on the country.
How would an installation token be configured if the Falcon Sensor was installed on a Red Hat Enterprise Linux host? You will be prompted to enter the installation token during the install if it is required sudo yum install --cid= --provisioning-token=ABCD1234 sudo /opt/CrowdStrike/falconctl -s -t ABCD1234 sudo /opt/CrowdStrike/falconctl -s --cid= --provisioning-token=ABCD1234.
What is the best way to write an ML exclusion for any executable file at "C:\Program Files\Software\"? You cannot. You must list a specific file in an exclusion rule Program Files\Software\** Program Files\Software\.* Program Files\Software\*.exe.
Your development team is working on a new enterprise application, but Falcon starts creating alerts during testing. The alert points to, "C:\Users\Bob\DevCode\felix.dll". In the detection, you see that it's triggering only on a specific Falcon IOA. What would be the best course of action for this situation? Create a sensor visibility exclusion for "C:\Users\Bob\DevCode\felix.dll" Create an IOA exclusion for "C:\Users\Bob\DevCode\felix.dll" Create a Custom IOC and set it to "Allow" for "C:\Users\Bob\DevCode\felix.dll" Manually turn off the built-in IOA through prevention policies.
Why do Sensor Update policies need to be configured for each OS (Windows, Mac, Linux)? Sensor Update policies are OS dependent This is false. One policy can be applied to all Operating Systems To assist with auditing and change management To bundle the Sensor and Prevention policies together into a deployment package.
What is the purpose of the Default Sensor Policy? Used to reset all sensor settings to Default. Acts as a "catch all" policy if no other Sensor Policies are applied. Tests the sensor configuration settings before deployment. A mechanism to deploy the oldest supported version of the Falcon Sensor.
What will happen to a host if it is not assigned a Sensor Update policy? The host will automatically create a custom Sensor Update policy The host will uninstall the Sensor and provide an alert to the installation team The host will use the Default Sensor Update policy The host will automatically update to the newest sensor version and auto-update to future release.
When deploying the Falcon Sensor alongside an existing security solution, you enable the Quarantine prevention setting in Falcon. What is the recommended configuration for both solutions? Disable or remove the other AV solution and configure ODS Cloud Anti-Malware prevention in Falcon to Moderate or higher Disable or remove the other AV solution and configure NGAV Sensor Machine Learning prevention in Falcon to Moderate or higher Disable or remove the other AV solution and configure NGAV Sensor Machine Learning prevention in Falcon to Cautious Disable or remove the other AV solution and configure NGAV Cloud Machine Learning prevention in Falcon to Extra-Aggressive.
What are the two triggers that cause a fusion workflow to run? Fusion workflows are manually ran Event and scheduled triggers Condition and action triggers Incident and detections triggers.
What default roles can view, create, and edit workflows? Falcon Administrator, Falcon Security Lead Falcon Administrator, Workflow Author Falcon Administrator, Falcon Security Lead, Workflow Author Falcon Administrator, Workflow Author, Falcon Security Lead, Falcon Investigator.
When performing targeted filtering for a host on the Host Management Page, which filter bar attribute is NOT case-sensitive? Username Hostname Domain Model.
What are the three configurable parts of a machine learning exclusion? File paths, names, and extensions Drive letters, directories, and patterns Parameters, operators, and values Triggers, actions and alerts.
Where in the Falcon platform can you confirm the sensor build version installed on a particular host? Host Management page by filtering for and selecting the host Dashboards by viewing the Executive Summary Dashboard Tool Downloads page by downloading the Sensor Reporting Tool Sensor Downloads page by filtering for a sensor build and selecting the host.
When a user initiates a sensor install, where can the logs be found? %LOCALAPPDATA%\Logs %SYSTEMROOT%\Logs %LOCALAPPDATA%\Temp %SYSTEMROOT%\Temp.
Certain services are required to be running to install the Windows Falcon sensor. What may cause the LMHost service to be disabled? Windows Base Filtering Engine WinHTTP AutoProxy TCP/IP NetBIOS Helper DHCP Client.
Which of the follow should be used with extreme caution because it may introduce additional security risks such as malware or other attacks which would not be recorded, detected, or prevented based on the exclusion syntax? IOA Exclusions Sensor Visibility Exclusion Machine Learning Exclusions IOC Exclusions.
You have been asked to troubleshoot why Script Based Execution Monitoring (SBEM) is not enabled on a Falcon host. Which report can be used to determine if this is an issue with an old prevention policy? Custom Alerting Audit Trail SBEM Debug Report Prevention Policy Debug Host Update Status Report.
Which of the following scenarios best describes when you would add IP addresses to the containment policy? You want to automate the Network Containment process based on the IP address of a host A new group of analysts need to be able to place hosts under Network Containment Your organization has resources that need to be accessible when hosts are network contained Your organization has additional IP addresses that need to be able to access the Falcon console.
What would be the most appropriate action to take if you wanted to prevent a folder from being uploaded to the cloud without disabling uploads globally? A Sensor Visibility exclusion An IOA exclusion Custom IOC entry A Machine Learning exclusion.
You have a member of your SECOPS team that is building custom scripts for your environment and they cannot save or share them in Falcon. What additional role do they need to be able accomplish this? Real Time Responde - Active Responder All Real Time Response roles can do this Falcon Scripts Manager Real Time Response - Administrator.
A member of your SECOPS team currently has the role of Falcon Security Lead to be able to Manage detections, quarantine files and reset user credentials. Which additional role is required to also allow them to view and modify remediation actions? Detections Exception Manager Remediation Manager Endpoint Manager Quarantine Manager.
Which of the following includes all that can be configured to alert as a Custom IOC (Indicator of Compromise) in IOC Management? Hash, Domain, Filename Hash Hash, Domain Hash, Domain, IP Address.
Report abuse