Title of test:
CrowdStrike CCFA Exam Actual Questions

Description:
CrowdStrike CCFA Exam Actual Questions

Author:
AVATAR

Creation Date:
10/12/2023

Category:
Computers

Number of questions: 162
Content:
What is the function of a single asterisk (*) in an ML exclusion pattern? A. The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path B. The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path C. The single asterisk is the insertion point for the variable list that follows the path D. The single asterisk is only used to start an expression, and it represents the drive letter.
You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future? A. Contact support and request that they modify the Machine Learning settings to no longer include this detection B. Using IOC Management, add the hash of the binary in question and set the action to "Allow" C. Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection" D. Using IOC Management, add the hash of the binary in question and set the action to "No Action".
What is the purpose of a containment policy? A. To define which Falcon analysts can contain endpoints B. To define the duration of Network Containment C. To define the trigger under which a machine is put in Network Containment (e.g. a critical detection) D. To define allowed IP addresses over which your hosts will communicate when contained.
An administrator creating an exclusion is limited to applying a rule to how many groups of hosts? A. File exclusions are not aligned to groups or hosts B. There is a limit of three groups of hosts applied to any exclusion C. There is no limit and exclusions can be applied to any or all groups D. Each exclusion can be aligned to only one group of hosts.
Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability? A. Real Time Responder B. Endpoint Manager C. Falcon Investigator D. Remediation Manager.
What must an admin do to reset a user's password? A. From User Management, open the account details for the affected user and select "Generate New Password" B. From User Management, select "Reset Password" from the three dot menu for the affected user account C. From User Management, select "Update Account" and manually create a new password for the affected user account D. From User Management, the administrator must rebuild the account as the certificate for user specific private/public key generation is no longer valid.
Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group. What is the next step to disable RTR only on these hosts? A. Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group B. Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality" C. Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group D. Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality".
When creating new IOCs in IOC management, which of the following fields must be configured? A. Hash, Description, Filename B. Hash, Action and Expiry Date C. Filename, Severity and Expiry Date D. Hash, Platform and Action.
Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host. What is the most appropriate role that can be added to fulfil this requirement? A. Remediation Manager B. Real Time Responder – Read Only Analyst C. Falcon Analyst – Read Only D. Real Time Responder – Active Responder.
One of your development teams is working on code for a new enterprise application but Falcon continually flags the execution as a detection during testing. All development work is required to be stored on a file share in a folder called "devcode." What setting can you use to reduce false positives on this file path? A. USB Device Policy B. Firewall Rule Group C. Containment Policy D. Machine Learning Exclusions.
How do you disable all detections for a host? A. Create an exclusion rule and apply it to the machine or group of machines B. Contact support and provide them with the Agent ID (AID) for the machine and they will put it on the Disabled Hosts list in your Customer ID (CID) C. You cannot disable all detections on individual hosts as it would put them at risk D. In Host Management, select the host and then choose the option to Disable Detections.
To enhance your security, you want to detect and block based on a list of domains and IP addresses. How can you use IOC management to help this objective? A. Blocking of Domains and IP addresses is not a function of IOC management. A Custom IOA Rule should be used instead B. Using IOC management, import the list of hashes and IP addresses and set the action to Detect Only C. Using IOC management, import the list of hashes and IP addresses and set the action to Prevent/Block D. Using IOC management, import the list of hashes and IP addresses and set the action to No Action.
Which role is required to manage groups and policies in Falcon? A. Falcon Host Analyst B. Falcon Host Administrator C. Prevention Hashes Manager D. Falcon Host Security Lead.
Which of the following can a Falcon Administrator edit in an existing user's profile? A. First or Last name B. Phone number C. Email address D. Working groups.
You want the Falcon Cloud to push out sensor version changes but you also want to manually control when the sensor version is upgraded or downgraded. In the Sensor Update policy, which is the best Sensor version option to achieve these requirements? A. Specific sensor version number B. Auto - TEST-QA C. Sensor version updates off D. Auto - N-1.
What is the goal of a Network Containment Policy? A. Increase the aggressiveness of the assigned prevention policy B. Limit the impact of a compromised host on the network C. Gain more visibility into network activities D. Partition a network for privacy.
Which of the following applies to Custom Blocking Prevention Policy settings? A. Hashes must be entered on the Prevention Hashes page before they can be blocked via this policy B. Blocklisting applies to hashes, IP addresses, and domains C. Executions blocked via hash blocklist may have partially executed prior to the hash calculation process; remediation may be necessary D. You can only blocklist hashes via the API.
How many "Auto" sensor version update options are available for Windows Sensor Update Policies? A. 1 B. 2 C. 0 D. 3.
The alignment of a particular prevention policy to one or more host groups can be completed in which of the following locations within Falcon? A. Policy alignment is configured in the "Host Management" section in the Hosts application B. Policy alignment is configured only once during the initial creation of the policy in the "Create New Policy" pop-up window C. Policy alignment is configured in the General Settings section under the Configuration menu D. Policy alignment is configured in each policy in the "Assigned Host Groups" tab.
How long are detection events kept in Falcon? A. Detection events are kept for 90 days B. Detections events are kept for your subscribed data retention period C. Detection events are kept for 7 days D. Detection events are kept for 30 days.
What information is provided in Logon Activities under Visibility Reports? A. A list of all logons for all users B. A list of last endpoints that a user logged in to C. A list of users who are remotely logged on to devices based on local IP and local port D. A list of unique users who are remotely logged on to devices based on the country.
What can the Quarantine Manager role do? A. Manage and change prevention settings B. Manage quarantined files to release and download C. Manage detection settings D. Manage roles and users.
What command should be run to verify if a Windows sensor is running? A. regedit myfile.reg B. sc query csagent C. netstat -f D. ps -ef | grep falcon.
When configuring a specific prevention policy, the admin can align the policy to two different types of groups, Host Groups and which other? A. Custom IOA Rule Groups B. Custom IOC Groups C. Enterprise Groups D. Operating System Groups.
Which role allows a user to connect to hosts using Real-Time Response? A. Endpoint Manager B. Falcon Administrator C. Real Time Responder – Active Responder D. Prevention Hashes Manager.
You are attempting to install the Falcon sensor on a host with a slow Internet connection and the installation fails after 20 minutes. Which of the following parameters can be used to override the 20 minute default provisioning window? A. ExtendedWindow=1 B. Timeout=0 C. ProvNoWait=1 D. Timeout=30.
How can you find a list of hosts that have not communicated with the CrowdStrike Cloud in the last 30 days? A. Under Dashboards and reports, choose the Sensor Report. Set the "Last Seen" dropdown to 30 days and reference the Inactive Sensors widget B. Under Host setup and management, choose the Host Management page. Set the group filter to "Inactive Sensors" C. Under Host setup and management > Managed endpoints > Inactive Sensors. Change the time range to 30 days D. Under Host setup and management, choose the Disabled Sensors Report. Change the time range to 30 days.
In order to quarantine files on the host, what prevention policy settings must be enabled? A. Malware Protection and Custom Execution Blocking must be enabled B. Next-Gen Antivirus Prevention sliders and "Quarantine & Security Center Registration" must be enabled C. Malware Protection and Windows Anti-Malware Execution Blocking must be enabled D. Behavior-Based Threat Prevention sliders and Advanced Remediation Actions must be enabled.
Why is it critical to have separate sensor update policies for Windows/Mac/*nix? A. There may be special considerations for each OS B. To assist with testing and tracking sensor rollouts C. The network protocols are different for each host OS D. It is an auditing requirement.
How do you assign a policy to a specific group of hosts? A. Create a group containing the desired hosts using "Static Assignment." Go to the Assigned Host Groups tab of the desired policy and click "Add groups to policy." Select the desired Group(s). B. Assign a tag to the desired hosts in Host Management. Create a group with an assignment rule based on that tag. Go to the Assignment tab of the desired policy and click "Add Groups to Policy." Select the desired Group(s). C. Create a group containing the desired hosts using "Dynamic Assignment." Go to the Assigned Host Groups tab of the desired policy and select criteria such as OU, OS, Hostname pattern, etc. D. On the Assignment tab of the desired policy, select "Static" assignment. From the next window, select the desired hosts (using filters if needed) and click Add.
You want to create a detection-only policy. How do you set this up in your policy's settings? A. Enable the detection sliders and disable the prevention sliders. Then ensure that Next Gen Antivirus is enabled so it will disable Windows Defender. B. Select the "Detect-Only" template. Disable hash blocking and exclusions. C. You can't create a policy that detects but does not prevent. Use Custom IOA rules to detect. D. Set the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled. Do not activate any of the other blocking or malware prevention options.
Which of the following is an effective Custom IOA rule pattern to kill any process attempting to access www.badguydomain.com? A. .*badguydomain\.com.* B. \Device\HarddiskVolume2\*.exe -SingleArgument www.badguydomain.com /kill C. badguydomain\.com.* D. Custom IOA rules cannot be created for domains.
Where can you modify settings to permit certain traffic during a containment period? A. Prevention Policy B. Host Settings C. Containment Policy D. Firewall Settings.
Which option allows you to exclude behavioral detections from the detections page? A. Machine Learning Exclusion B. IOA Exclusion C. IOC Exclusion D. Sensor Visibility Exclusion.
What are custom alerts based on? A. Custom workflows B. Custom event based triggers C. Predefined alert templates D. User defined Splunk queries.
When creating an API client, which of the following must be saved immediately since it cannot be viewed again after the client is created? A. Base URL B. Secret C. Client ID D. Client name.
You notice there are multiple Windows hosts in Reduced functionality mode (RFM). What is the most likely culprit causing these hosts to be in RFM? A. A Sensor Update Policy was misconfigured B. A host was offline for more than 24 hours C. A patch was pushed overnight to all Windows systems D. A host was placed in network containment from a detection.
Which of the following is TRUE of the Logon Activities Report? A. Shows a graphical view of user logon activity and the hosts the user connected to B. The report can be filtered by computer name C. It gives a detailed list of all logon activity for users D. It only gives a summary of the last logon activity for users.
Which of the following roles allows a Falcon user to create Real Time Response Custom Scripts? A. Real Time Responder – Administrator B. Real Time Responder – Read Only Analyst C. Real Time Responder – Script Developer D. Real Time Responder – Active Responder.
What model is used to create workflows that would allow you to create custom notifications based on particular events which occur in the Falcon platform? A. For - While statement(s) B. Trigger, condition(s) and action(s) C. Event trigger(s) D. Predefined workflow template(s).
An analyst is asked to retrieve an API client secret from a previously generated key. How can they achieve this? A. The API client secret can be viewed from the Edit API client pop-up box B. Enable the Client Secret column to reveal the API client secret C. Re-create the API client using the exact name to see the API client secret D. The API client secret cannot be retrieved after it has been created.
Which port and protocol does the sensor use to communicate with the CrowdStrike Cloud? A. TCP port 22 (SSH) B. TCP port 443 (HTTPS) C. TCP port 80 (HTTP) D. TCP UDP port 53 (DNS).
Where do you obtain the Windows sensor installer for CrowdStrike Falcon? A. Sensors are downloaded from the Hosts > Sensor Downloads B. Sensor installers are unique to each customer and must be obtained from support C. Sensor installers are downloaded from the Support section of the CrowdStrike website D. Sensor installers are not used because sensors are deployed from within Falcon.
What is the most common cause of a Windows Sensor entering Reduced Functionality Mode (RFM)? A. Falcon console updates are pending B. Falcon sensors installing an update C. Notifications have been disabled on that host sensor D. Microsoft updates.
On which page of the Falcon console would you create sensor groups? A. User management B. Sensor update policies C. Host management D. Host groups.
While a host is Network contained, you need to allow the host to access internal network resources on specific IP addresses to perform patching and remediation. Which configuration would you choose? A. Configure a Real Time Response policy allowlist with the specific IP addresses B. Configure a Containment Policy with the specific IP addresses C. Configure a Containment Policy with the entire internal IP CIDR block D. Configure the Host firewall to allowlist the specific IP addresses.
Which of the following is TRUE regarding Falcon Next-Gen AntiVirus (NGAV)? A. Falcon NGAV relies on signature-based detections B. Activating Falcon NGAV will also enable all detection and prevention settings in the entire policy C. The Detection sliders cannot be set to a value less aggressive than the Prevention sliders D. Falcon NGAV is not a replacement for Windows Defender or other antivirus programs.
What is the purpose of using groups with Sensor Update policies in CrowdStrike Falcon? A. To group hosts with others in the same business unit B. To group hosts according to the order in which Falcon was installed, so that updates are installed in the same order every time C. To prioritize the order in which Falcon updates are installed, so that updates are not installed all at once leading to network congestion D. To allow the controlled assignment of sensor versions onto specific hosts.
What impact does disabling detections on a host have on an API? A. Endpoints with detections disabled will not alert on anything until detections are enabled again B. Endpoints cannot have their detections disabled individually C. DetectionSummaryEvent stops sending to the Streaming API for that host D. Endpoints with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed.
Under which scenario can Sensor Tags be assigned? A. While triaging a detection B. While managing hosts in the Falcon console C. While updating a sensor in the Falcon console D. While installing a sensor.
Custom IOA rules are defined using which syntax? A. Glob B. PowerShell C. Yara D. Regex.
With Custom Alerts, it is possible to __________. A. schedule the alert to run at any interval B. receive an alert in an email C. configure prevention actions for alerting D. be alerted to activity in real-time.
How do you assign a Prevention policy to one or more hosts? A. Create a new policy and assign it directly to those hosts on the Host Management page B. Modify the users roles on the User Management page C. Ensure the hosts are in a group and assign that group to a custom Prevention policy D. Create a new policy and assign it directly to those hosts on the Prevention policy page.
You have been provided with a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers. They have asked you to ensure that they are not allowed to run in your environment. You have chosen to use Falcon to do this. Which is the best way to accomplish this? A. Using the Support Portal, create a support ticket and include the list of binary hashes, asking support to create an "Execution Prevention" rule to prevent these processes from running B. Using Custom Alerts in the Investigate App, create a new alert using the template "Process Execution" and within that rule, select the option to "Block Execution" C. Using IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking. D. Using the API, gather the list of SHA256 or MD5 hashes for each binary and then upload them, setting them all to "Never Allow".
Which exclusion pattern will prevent detections on a file at C:\Program Files\My Program\My Files\program.exe? A. \Program Files\My Program\My Files\* B. \Program Files\My Program\* C. *\* D. *\Program Files\My Program\*\.
When a host is placed in Network Containment, which of the following is TRUE? A. The host machine is unable to send or receive network traffic outside of the local network B. The host machine is unable to send or receive network traffic except to/from the Falcon Cloud and traffic allowed in the Firewall Policy C. The host machine is unable to send or receive any network traffic D. The host machine is unable to send or receive network traffic except to/from the Falcon Cloud and any resources allowlisted in the Containment Policy.
When would the No Action option be assigned to a hash in IOC Management? A. When you want to save the indicator for later action, but do not want to block or allow it at this time B. Add the indicator to your allowlist and do not detect it C. There is no such option as No Action available in the Falcon console D. Add the indicator to your blocklist and show it as a detection.
Why is it important to know your company's event data retention limits in the Falcon platform? A. This is not necessary; you simply select "All Time" in your query to search all data B. You will not be able to search event data into the past beyond your retention period C. Data such as process records are kept for a shorter time than event data D. Your query will require you to specify the data pool associated with the date you wish to search.
What is the purpose of precedence with respect to the Sensor Update policy? A. Precedence applies to the Prevention policy and not to the Sensor Update policy B. Hosts assigned to multiple policies will assume the highest ranked policy in the list (policy with the lowest number) C. Hosts assigned to multiple policies will assume the lowest ranked policy in the list (policy with the highest number) D. Precedence ensures that conflicting policy settings are not set in the same policy.
When uninstalling a sensor, which of the following is required if the 'Uninstall and maintenance protection' setting is enabled within the Sensor Update Policies? A. Maintenance token B. Customer ID (CID) C. Bulk update key D. Agent ID (AID).
How can a Falcon Administrator configure a pop-up message to be displayed on a host when the Falcon sensor blocks, kills or quarantines an activity? A. By ensuring each user has set the "pop-ups allowed" in their User Profile configuration page B. By enabling "Upload quarantined files" in the General Settings configuration page C. By turning on the "Notify End Users" setting at the top of the Prevention policy details configuration page D. By selecting "Enable pop-up messages" from the User configuration page.
Where in the Falcon console can information about supported operating system versions be found? A. Configuration module B. Intelligence module C. Support module D. Discover module.
What is the name for the unique host identifier in Falcon assigned to each sensor during sensor installation? A. Endpoint ID (EID) B. Agent ID (AID) C. Security ID (SID) D. Computer ID (CID).
Which of the following is a valid step when troubleshooting sensor installation failure? A. Confirm all required services are running on the system B. Enable the Windows firewall C. Disable SSL and TLS on the host D. Delete any available application crash log files.
You need to export a list of all detections for a specific Host Name in the last 24 hours. What is the best way to do this? A. Go to Host Management in the Host page. Select the host and use the Export Detections button B. Utilize the Detection Resolution Dashboard. Use the filters to focus on the appropriate hostname and time, then export the results from the "Detection Resolution History" section C. In the Investigate module, access the Detection Activity page. Use the filters to focus on the appropriate hostname and time, then export the results D. Utilize the Detection Activity Dashboard. Use the filters to focus on the appropriate hostname and time, then export the results from the "Detections by Host" section.
Which role will allow someone to manage quarantine files? A. Falcon Security Lead B. Detections Exceptions Manager C. Falcon Analyst – Read Only D. Endpoint Manager.
What is the maximum number of patterns that can be added when creating a new exclusion? A. 10 B. 0 C. 1 D. 5.
You are evaluating the most appropriate Prevention Policy Machine Learning slider settings for your environment. In your testing phase, you configure the Detection slider as Aggressive. After running the sensor with this configuration for 1 week of testing, which Audit report should you review to determine the best Machine Learning slider settings for your organization? A. Prevention Policy Audit Trail B. Prevention Policy Debug C. Prevention Hashes Ignored D. Machine-Learning Prevention Monitoring.
In order to exercise manual control over the sensor upgrade process, as well as prevent unauthorized users from uninstalling or upgrading the sensor, which settings in the Sensor Update Policy would meet this criteria? A. Sensor version set to N-1 and Bulk maintenance mode is turned on B. Sensor version fixed and Uninstall and maintenance protection turned on C. Sensor version updates off and Uninstall and maintenance protection turned off D. Sensor version set to N-2 and Bulk maintenance mode is turned on.
Once an exclusion is saved, what can be edited in the future? A. All parts of the exclusion can be changed B. Only the selected groups and hosts to which the exclusion is applied can be changed C. Only the options to "Detect/Block" and/or "File Extraction" can be changed D. The exclusion pattern cannot be changed.
Which of the following options is a feature found ONLY with the Sensor-based Machine Learning (ML)? A. Next-Gen Antivirus (NGAV) protection B. Adware and Potentially Unwanted Program detection and prevention C. Real-time offline protection D. Identification and analysis of unknown executables.
How do you find a list of inactive sensors? A. The Falcon platform does not provide reporting for inactive sensors B. A sensor is always considered active until removed by an Administrator C. Run the Inactive Sensor Report in the Host setup and management option D. Run the Sensor Aging Report within the Investigate option.
Which report can assist in determining the appropriate Machine Learning levels to set in a Prevention Policy? A. Sensor Report B. Machine Learning Prevention Monitoring C. Falcon UI Audit Trail D. Machine Learning Debug.
Why is the ability to disable detections helpful? A. It gives users the ability to set up hosts to test detections and later remove them from the console B. It gives users the ability to uninstall the sensor from a host C. It gives users the ability to allowlist a false positive detection D. It gives users the ability to remove all data from hosts that have been uninstalled.
The Logon Activities Report includes all of the following information for a particular user EXCEPT __________. A. the account type for the user (e.g. Domain Administrator, Local User) B. all hosts the user logged into C. the logon type (e.g. interactive, service) D. the last time the user's password was set.
An analyst has reported they are not receiving workflow triggered notifications in the past few days. Where should you first check for potential failures? A. Custom Alert History B. Workflow Execution log C. Workflow Audit log D. Falcon UI Audit Trail.
You have an existing workflow that is triggered on a critical detection that sends an email to the escalation team. Your CISO has asked to also be notified via email with a customized message. What is the best way to update the workflow? A. Clone the workflow and replace the existing email with your CISO's email B. Add a sequential action to send a custom email to your CISO C. Add a parallel action to send a custom email to your CISO D. Add the CISO's email to the existing action.
Which of the following is NOT an available filter on the Hosts Management page? A. Hostname B. Username C. Group D. OS Version.
What is the primary purpose of using glob syntax in an exclusion? A. To specify a Domain be excluded from detections B. To specify exclusion patterns to easily exclude files and folders and extensions from detections C. To specify exclusion patterns to easily add files and folders and extensions to be prevented D. To specify a network share be excluded from detections.
How are user permissions set in Falcon? A. Permissions are assigned to a User Group and then users are assigned to that group, thereby inheriting those permissions B. Pre-defined permissions are assigned to sets called roles. Users can be assigned multiple roles based on job function and they assume a cumulative set of permissions based on those assignments C. An administrator selects individual granular permissions from the Falcon Permissions List during user creation D. Permissions are token-based. Users request access to a defined set of permissions and an administrator adds their token to the set of permissions.
Which of the following is NOT a way to determine the sensor version installed on a specific endpoint? A. Use the Sensor Report to filter to the specific endpoint B. Use Host Management to select the desired endpoint. The agent version will be listed in the columns and details C. From a command line, run the sc query csagent -version command D. Use the Investigate > Host Search to filter to the specific endpoint.
Which is the correct order for manually installing a Falcon Package on a macOS system? A. Install the Falcon package, then register the Falcon Sensor via the registration package B. Install the Falcon package, then register the Falcon Sensor via command line C. Register the Falcon Sensor via command line, then install the Falcon package D. Register the Falcon Sensor via the registration package, then install the Falcon package.
You are beginning the rollout of the Falcon Sensor for the first time side-by-side with your existing security solution. You need to configure the Machine Learning levels of the Prevention Policy so it does not interfere with existing solutions during the testing phase. What settings do you choose? A. • Detection slider: Extra Aggressive • Prevention slider: Cautious B. • Detection slider: Moderate • Prevention slider: Disabled C. • Detection slider: Cautious • Prevention slider: Cautious D. • Detection slider: Disabled • Prevention slider: Disabled.
How does the Unique Hosts Connecting to Countries Map help an administrator? A. It highlights countries with known malware B. It helps visualize global network communication C. It identifies connections containing threats D. It displays intrusions from foreign countries.
On a Windows host, what is the best command to determine if the sensor is currently running? A. sc query csagent B. netstat -a C. This cannot be accomplished with a command D. ping falcon.crowdstrike.com.
The Falcon sensor uses certificate pinning to defend against man-in-the-middle attacks. Which statement is TRUE concerning Falcon sensor certificate validation? A. SSL inspection should be configured to occur on all Falcon traffic B. Some network configurations, such as deep packet inspection, interfere with certificate validation C. HTTPS interception should be enabled to proceed with certificate validation D. Common sources of interference with certificate pinning include protocol race conditions and resource contention.
Which is a filter within the Host setup and management > Host management page? A. User name B. OU C. BIOS Version D. Locality.
When creating a Host Group for all Workstations in an environment, what is the best method to ensure all workstation hosts are added to the group? A. Create a Dynamic Group with Type=Workstation Assignment B. Create a Dynamic Group and Import All Workstations C. Create a Static Group and Import all Workstations D. Create a Static Group with Type=Workstation Assignment.
When the Notify End Users policy setting is turned on, which of the following is TRUE? A. End users will not be notified as we would not want to notify a malicious actor of a detection. This setting does not exist B. End users will be immediately notified via a pop-up that their machine is in-network isolation C. End-users receive a pop-up notification when a prevention action occurs D. End users will receive a pop-up allowing them to confirm or refuse a pending quarantine.
If a user wanted to install an older version of the Falcon sensor, how would they find the older installer file? A. Older versions of the sensor are not available for download B. By emailing CrowdStrike support at support@crowdstrike.com C. By installing the current sensor and clicking the "downgrade" button during the install D. By clicking on "Older versions" links under the Host setup and management > Deploy > Sensor downloads.
Which of the following best describes the Default Sensor Update policy? A. The Default Sensor Update policy does not have the "Uninstall and maintenance protection" feature B. The Default Sensor Update policy is only used for testing sensor updates C. The Default Sensor Update policy is a "catch-all" policy D. The Default Sensor Update policy is disabled by default.
Under the "Next-Gen Antivirus: Cloud Machine Learning" setting there are two categories, one of them is "Cloud Anti-Malware" and the other is: A. Adware & PUP B. Advanced Machine Learning C. Sensor Anti-Malware D. Execution Blocking.
You have created a Sensor Update Policy for the Mac platform. Which other operating system(s) will this policy manage? A. *nix B. Windows C. Both Windows and *nix D. Only Mac.
Which of the following Machine Learning (ML) sliders will only detect or prevent high confidence malicious items? A. Aggressive B. Cautious C. Minimal D. Moderate.
What type of information is found in the Linux Sensors Dashboard? A. Hosts by Kernel Version, Shells spawned by Root, Wget/Curl Usage B. Hidden File execution, Execution of file from the trash, Versions Running with Computer Names C. Versions running, Directory Made Invisible to Spotlight, Logging/Auditing Referenced, Viewed, or Modified D. Private Information Accessed, Archiving Tools – Exfil, Files Made Executable.
Why would you assign hosts to a static group instead of a dynamic group? A. You do not want the group membership to change automatically B. You are managing more than 1000 hosts C. You need hosts to be automatically assigned to a group D. You want the group to contain hosts from multiple operating systems.
What can exclusions be applied to? A. Individual hosts selected by the administrator B. Either all hosts or specified groups C. Only the default host group D. Only the groups selected by the administrator.
You have a Windows host on your network in Reduced functionality mode (RFM). While the system is in RFM, which of the following is TRUE? A. System monitoring will be unavailable B. Event reporting will be unavailable C. Prevention patterns will not be triggered D. Some detection patterns and preventions will not be triggered.
A sensor that has not contacted the Falcon cloud will be automatically deleted from the hosts list after how many days? A. 45 Days B. 60 Days C. 30 Days D. 90 Days.
When a host belongs to more than one host group, how is sensor update precedence determined? A. Groups have no impact on sensor update policies B. Sensors of hosts that belong to more than one group must be manually updated C. The highest precedence policy from the most important group is applied to the host D. All of the host's groups are examined in aggregate and the policy with highest precedence is applied to the host.
What may prevent a user from logging into Falcon via single sign-on (SSO)? A. The SSO username doesn't match their email address in Falcon B. The maintenance token has expired C. Falcon is in reduced functionality mode D. The user never configured their security questions.
The Customer ID (CID) is important in which of the following scenarios? A. When adding a user to the Falcon console under the Users application B. When performing the sensor installation process C. When setting up API keys D. When performing a Host Search.
Which statement describes what is recommended for the Default Sensor Update policy? A. The Default Sensor Update policy should align to an organization's overall sensor updating practice while leveraging Auto N-1 and Auto N-2 configurations where possible B. The Default Sensor Update policy should be configured to always automatically upgrade to the latest sensor version C. Since the Default Sensor Update policy is pre-configured with recommended settings out of the box, configuration of the Default Sensor Update policy is not required D. No configuration is required. Once a Custom Sensor Update policy is created the Default Sensor Update policy is disabled.
You need to have the ability to monitor suspicious VBA macros. Which Sensor Visibility setting should be turned on within the Prevention policy settings? A. Script-based Execution Monitoring B. Interpreter-Only C. Additional User Mode Data D. Engine (Full Visibility).
What is the purpose of the Machine-Learning Prevention Monitoring Report? A. It is designed to give an administrator a quick overview of machine-learning aggressiveness settings as well as the numbers of items actually quarantined B. It is the dashboard used by an analyst to view all items quarantined and to release any items deemed non-malicious C. It is the dashboard used to see machine-learning preventions, and it is used to identify spikes in activity and possible targeted attacks D. It is designed to show malware that would have been blocked in your environment based on different Machine-Learning Prevention settings.
The Remote Access Graph in Visibility Reports displays: A. a bar chart where a bar represents a daily count of remote connections B. a geographical chart showing the geo-location of remote IP addresses C. a graph showing connections between hosts and users D. a pie chart showing a count per remote logon type.
What internet domain needs to be added to any required allowlists to allow sensors to communicate with the CrowdStrike Cloud? A. falconcloud.net B. cloudprotect-cs.net C. cloudsink.net D. csfalcon.net.
Why would you use the Prevention Policy Debug Report? A. To confirm that prevention policy precedence was applied to hosts B. To confirm the number of detections on a host C. To confirm that prevention policy settings were applied to a host D. To confirm the number of host groups to which a policy was applied.
What is the earliest version of Windows Server that a Sensor is compatible with? A. Server 2012 B. Server 2003 C. Server 2008 R2 SP1 D. Server 2008.
Which command would tell you if a Falcon Sensor was running on a Windows host? A. netstat.exe -f B. cswindiag.exe -status C. sc.exe query falcon D. sc.exe query csagent.
After Network Containing a host, your Incident Response team states they are unable to remotely connect to the host. Which of the following would need to be configured to allow remote connections from specified IPs? A. Response Policy B. IP Allowlist Management C. Maintenance Token D. Containment Policy.
On which page of the Falcon console can one locate the Customer ID (CID)? A. API Clients and Keys B. Sensor Dashboard C. Hosts Management D. Sensor Downloads.
The Falcon sensor uses certificate pinning to defend against man-in-the-middle attacks. What must you ensure is disabled for the sensor to communicate with the CrowdStrike Cloud? A. Proxy information B. Deep packet inspection C. NMAP scanning D. TCP inspection.
Which of the following tools developed by CrowdStrike is intended to help with removal of the CrowdStrike Windows Falcon Sensor? A. CSUninstallTool.exe B. UninstallTool.exe C. CrowdStrikeRemovalTool.exe D. FalconUninstall.exe.
Assume the Falcon Sensor was installed on a Virtual Machine template using the installation parameter NO_START=1. Afterward, the Virtual Machine template is rebooted. What is the effect on the Falcon Sensor after reboot? A. The Falcon Sensor would start, but only send a heartbeat to the Falcon console B. The Falcon Sensor would not automatically start on reboot. It would have to be manually started C. The Falcon Sensor would disable BIOS checks at startup D. The Falcon Sensor would start at reboot and generate an Agent ID.
What should be disabled on firewalls so that the sensor's man-in-the-middle attack protection works properly? A. Windows Proxy B. Deep packet inspection C. Linux Sub-System D. PowerShell.
Which option best describes the general process for a manual installation of the Falcon Sensor on macOS? A. Grant the Falcon package Full Disk Access, install the Falcon package, load the Falcon Sensor with the command 'falconctl stats' B. Install the Falcon package passing it the installation token in the command line C. Install the Falcon package, use falconctl to license the sensor, approve the system extension, grant the sensor Full Disk Access D. Grant the Falcon package Full Disk Access, install the Falcon package, use falconctl to license the sensor.
Where can you find your company's Customer ID (CID)? A. The CID is located at Hosts setup and management > Deploy > Sensor Downloads and is listed along with the checksum B. The CID is located at Hosts > Host Management C. The CID is only available by calling support D. The CID is a secret key used for Falcon communication and is never shared with the customer.
Which of the following best describes what the Uninstall and Maintenance Protection setting controls within your Sensor Update Policy? A. Prevents the sensor from entering Reduced Functionality Mode B. Prevents unauthorized uninstallation of the sensor C. Prevents automatic updates of the sensor D. Prevents modification of sensor update policy.
A Falcon Administrator is trying to use Real-Time Response to start a session with a host that has a sensor installed but they are unable to connect. What is the most likely cause? A. The host has a user logged into it B. The domain controller is preventing the connection C. They do not have an RTR role assigned to them D. There is another analyst connected into it.
How can an API client secret be viewed after it has been created? A. Selecting "show secret" within the 3-dot dropdown menu will reveal the secret for the selected API client B. Within the API management page, API client secrets can be accessed within the "edit client" functionality C. The API client secret must be reset or a new client created as the secret cannot be viewed after it has been created D. The API client secret can be provided by support via direct email request from a Falcon Administrator.
Which of the following is NOT an available action for an API Client? A. Reset an API Client Secret B. Retrieve an API Client Secret C. Edit an API Client D. Delete an API Client.
The Falcon Administrator has created a new prevention policy to apply to the "Servers" group; however, when applying the new prevention policy this group is not appearing in the list of available groups. What is the most likely issue? A. The "Servers" group already has a policy applied to it B. The "Servers" group must be disabled first C. The new prevention policy should be enabled first D. Host type was not defined correctly within the prevention policy.
What critical prevention policy setting prevents sensor-related files, folders, and registry objects from being renamed or deleted? A. Sensor Modification Protection B. System Configuration Protection C. Sensor Tampering Protection D. Host Modification Protection.
When editing an existing IOA exclusion, what can NOT be edited? A. The exclusion name B. All parts of the exclusion can be changed C. The IOA name D. The host groups.
After enabling an IOA rule and its respective rule group, what else must be done for an IOA to be fully functional? A. Nothing else needs to be done; the rule should start working B. The rule group must be assigned to one or more prevention policies C. The rule needs to be manually triggered to ensure it works as intended D. You must individually select which hosts you would like to apply the rule to.
Which of the following uses Regex to create a detection or take a preventative action? A. Machine Learning Exclusion B. Custom IOA C. Custom IOC D. Sensor Visibility Exclusion.
When creating a custom IOA for a specific domain, which syntax would be best for detecting or preventing on all subdomains as well? A. .*\.baddomain\.xyz|baddomain\.xyz B. **baddomain\.xyz|baddomain\.xyz** C. .*baddomain\.xyz|baddomain\.xyz.* D. Custom IOA rules cannot be created for domains.
Which Real Time Response role will allow you to see all analyst session details? A. None of the Real Time Response roles allows this B. Real Time Response - Active Responder C. Real Time Response - Read-Only Analyst D. Real Time Response - Administrator.
How do user permissions function in Falcon? A. Custom user role permission sets are shared with all CrowdStrike customers globally B. Each Falcon permission needs to be selected when the user account is created C. User permissions grow more restrictive, the more roles assigned to a user the less capabilities they would potentially have D. User permissions are cumulative, the more roles assigned to a user the more capabilities they would potentially have.
If you are not able to update your Falcon sensors on a regular basis, what is the maximum recommended aging period before updating your sensors? A. 7 days B. 60 days C. 90 days D. There is no maximum aging period.
What is the purpose of the "Auto - Latest" setting in a sensor update policy? A. This setting overrides any user confirmation/interaction and applies the selected policy B. This setting automatically assigns the latest Indicator of Attack (IOA) profiles and Next-Gen Antivirus (NGAV) machine learning to the selected endpoints ensuring the highest level of security C. This setting automatically assigns new hosts that come online to this policy D. This setting will cause all assigned hosts to be updated to the most current version as soon as it becomes available.
Which of the following steps are required to delete a sensor update policy? A. Remove the policy from all assigned host groups, disable the policy, then click Delete from the policy's settings B. From the policy's settings, disable all toggles first, then click Delete C. Remove the policy from all assigned host groups, then click Delete from the policy's settings D. From the policy's settings, disable the policy, then click Delete.
What best describes the relationship between Sensor Update policies and Operating Systems? A. Sensor Update policies are not Operating System specific. One policy can be applied to all Operating Systems B. A Sensor Update policy must be configured for each Operating System (Windows, Mac, Linux) C. Windows and Mac share Sensor Update policies. Linux requires its own set of policies based on the different kernel versions D. Windows has its own Sensor Update policies. But Mac and Linux share Sensor Update policies.
Which of the following pages provides a count of sensors in Reduced Functionality Mode (RFM) by Operating System? A. Sensor Health B. Support and resources C. Activity Overview D. Hosts Overview.
What best describes what happens to detections in the console after clicking "Disable Detections" for a host from within the Host Management page? A. Preventions will be disabled for the host B. You cannot disable detections for a host C. The detections for the host are removed from the console immediately and no new detections will display in the console going forward D. Existing detections for the host remain, but no new detections will display in the console going forward.
An inactive host that does not contact the Falcon cloud will be automatically removed from the Host Management and Trash pages after how many days? A. 75 Days B. 45 Days C. 60 Days D. 90 Days.
Which statement is TRUE regarding disabling detections on a host? A. Hosts with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed B. Hosts with detections disabled will not alert on anything until detections are enabled again C. Hosts with detections disabled will not alert on blocklisted hashes or machine learning detections, but will still alert on IOA-based detections. It will remain that way until detections are enabled again D. Hosts cannot have their detections disabled individually.
What is likely the reason your Windows host would be in Reduced Functionality Mode (RFM)? A. A misconfiguration in your prevention policy for the host B. The host lost internet connectivity C. A Sensor Update Policy was misconfigured D. Microsoft updates altering the kernel.
How many days will an inactive host remain visible within the Host Management or Trash pages? A. 90 days B. 120 days C. 15 days D. 45 days.
Which of the following is TRUE regarding disabling detections for a host? A. The DetectionSummaryEvent continues being sent to the Streaming API for that host B. After disabling detections, the host will operate in Reduced Functionality Mode (RFM) until detections are enabled C. The detections for that host are removed from the console immediately. No new detections will display in the console going forward unless detections are enabled D. After disabling detections, the data for all existing detections prior to disabling detections is removed from the Event Search.
On the Host management page which filter could be used to quickly identify all devices categorized as a "Workstation" by the Falcon Platform? A. Status B. Platform C. Hostname D. Type.
Where in the console can you find a list of all hosts in your environment that are in Reduced Functionality Mode (RFM)? A. Containment Policy B. Inactive Sensor Report C. Host Dashboard D. Host Management > Filter for RFM.
How can you find a list of hosts that have not communicated with the CrowdStrike Cloud in the last 30 days? A. Disabled Sensors B. Inactive Sensors C. Custom Reports D. Sensor Report.
Which of the following would give you information about inactive sensors within the Falcon console? A. Sensor Coverage Lookup B. Sensor Health C. Sensor Update Policies D. Sensor Downloads.
What best describes what happens to detections in the console after clicking "Enable Detections" for a host which previously had its detections disabled? A. Enables custom detections for the host B. New detections will start appearing in the console, and all retroactive stored detections will be restored to the console for that host C. New detections will start appearing in the console immediately. Previous detections will not be restored to the console for that host D. Preventions will be enabled for the host.
When a Linux host is in Reduced Functionality Mode (RFM) what telemetry and protection is still offered? A. The sensor would provide minimal protection B. The sensor provides no protection, and only collects Sensor Heart Beat events C. The sensor would function as normal D. The sensor would provide protection as normal, without event telemetry.
What kind of hosts can be contained in Falcon? A. Only Windows hosts running the Falcon sensor B. Only Windows and Linux hosts running the Falcon sensor C. Only Windows and MacOS hosts running the Falcon sensor D. Any host running the Falcon sensor.
Which of the following policies allowlists network traffic even while a host is Network Contained? A. Firewall Policy B. IP Allowlist Policy C. Response Policy D. Containment Policy.
Where should you look to find the history of the successes and failures for any Falcon Fusion workflows? A. Custom Alert History B. Workflow Execution log C. Workflow Audit log D. Falcon UI Audit Trail.
What three things does a workflow condition consist of? A. Notifications, alerts, and API's B. Triggers, actions, and alerts C. A parameter, an operator, and a value D. A beginning, a middle, and an end.
Which of the following can be found in the Falcon UI Audit Trail Report? A. Audit records of Falcon instance billing B. Audit records of actions taken by both users and API clients C. Audit records of actions taken by only APIs D. Audit records of actions taken by only users.
What information does the API Audit Trail Report provide? A. A list of specific changes to prevention policy B. A list of actions taken via Falcon OAuth2-based APIs C. A list of newly added hosts D. A list of analyst login activity.
A sensor has not contacted the Falcon cloud for 45 days. What, if any, action takes place at that time? A. The Sensor is upgraded to the most recent version B. All events from the sensor say Inactive in Computername field C. The sensor uninstalls itself D. The sensor is deleted from the hosts list.
Which Real-Time Response (RTR) role is automatically assigned to the Falcon Administrator? A. Administrator B. No RTR roles are automatically assigned to the Falcon Administrator C. Active Responder D. Read-Only Analyst.
Which of the following is not a method of configuring sensor grouping tags on a Windows host? Using the ACTIONS options when managing the host in the console; Editing the registry; Via an RTR session; Using the GROUPING_TAGS parameter during installation; Editing the registry after sensor installation.
What happens when a sensor build is chosen in a custom sensor update policy? A. All assigned hosts with a lower build will be upgraded to the build selected B. All assigned hosts with a higher build will be downgraded to the build selected C. All hosts will be upgraded or downgraded to the build selected D. All assigned hosts will be upgraded or downgraded to the build selected.
What syntax is used to configure Machine Learning exclusions? A. Regex Patterns B. Splunk Patterns C. Glob Patterns D. Scala Patterns.
When creating a new USB Device Policy, what MODE options are available? A. Disable and enforce; Disable only B. Prevent and enforce; Prevent only C. Monitor and enforce; Monitor only D. Detect and enforce; Detect only.
What command should be run to verify if the Linux sensor is running? A. regedit myfile.reg B. netstat -f C. sc query csagent D. ps -ef | grep falcon.
Which of the following is NOT a condition for successful Network Containment? A. Users of the Falcon Security Lead or Falcon B. Any host with a sensor installed C. You must establish a Real Time Response session first D. The host machine must receive network traffic to/from the Falcon Cloud.
When installing the sensor, what should you ensure for it to complete the provisioning process? A. The same sensor installer package is used on all OS platforms B. The host is rebooted immediately after the provisioning phase is complete C. Sensors should be installed on all hosts at the same time D. The host can communicate with the Falcon Cloud regardless of the OS platform.