An analyst has reported they are not receiving workflow-triggered notifications in the past few days.
Where should you first check for potential failures?
- A . Custom Alert History
- B . Workflow Execution log
- C . Workflow Audit log
- D . Falcon UI Audit Trail
How are user permissions set in Falcon?
- A . Permissions are assigned to a User Group and then users are assigned to that group, thereby inheriting those permissions
- B . Pre-defined permissions are assigned to sets called roles. Users can be assigned multiple roles based on job function and they assume a cumulative set of permissions based on those assignments
- C . An administrator selects individual granular permissions from the Falcon Permissions List during user creation
- D . Permissions are token-based. Users request access to a defined set of permissions and an administrator adds their token to the set of permissions
When creating new IOCs in IOC management, which of the following fields must be configured?
- A . Hash, Description, Filename
- B . Hash, Action and Expiry Date
- C . Filename, Severity and Expiry Date
- D . Hash, Platform and Action
Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group.
What is the next step to disable RTR only on these hosts?
- A . Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
- B . Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"
- C . Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
- D . Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality"
Which exclusion pattern will prevent detections on a file at C:\Program Files\My Program\My Files\program.exe?
- A . \Program Files\My Program\My Files\*
- B . \Program Files\My Program\*
- C . **
- D . *\Program Files\My Program\*
Once an exclusion is saved, what can be edited in the future?
- A . All parts of the exclusion can be changed
- B . Only the selected groups and hosts to which the exclusion is applied can be changed
- C . Only the options to "Detect/Block" and/or "File Extraction" can be changed
- D . The exclusion pattern cannot be changed
Why is the ability to disable detections helpful?
- A . It gives users the ability to set up hosts to test detections and later remove them from the console
- B . It gives users the ability to uninstall the sensor from a host
- C . It gives users the ability to allowlist a false positive detection
- D . It gives users the ability to remove all data from hosts that have been uninstalled
What impact does disabling detections on a host have on an API?
- A . Endpoints with detections disabled will not alert on anything until detections are enabled again
- B . Endpoints cannot have their detections disabled individually
- C . DetectionSummaryEvent stops sending to the Streaming API for that host
- D . Endpoints with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed
What is the purpose of using groups with Sensor Update policies in CrowdStrike Falcon?
- A . To group hosts with others in the same business unit
- B . To group hosts according to the order in which Falcon was installed, so that updates are installed in the same order every time
- C . To prioritize the order in which Falcon updates are installed, so that updates are not installed all at once leading to network congestion
- D . To allow the controlled assignment of sensor versions onto specific hosts
What command should be run to verify if a Windows sensor is running?
- A . regedit myfile.reg
- B . sc query csagent
- C . netstat -f
- D . ps -ef | grep falcon
Under the "Next-Gen Antivirus: Cloud Machine Learning" setting there are two categories: one is "Cloud Anti-Malware" and the other is:
- A . Adware & PUP
- B . Advanced Machine Learning
- C . Sensor Anti-Malware
- D . Execution Blocking
What is the purpose of precedence with respect to the Sensor Update policy?
- A . Precedence applies to the Prevention policy and not to the Sensor Update policy
- B . Hosts assigned to multiple policies will assume the highest ranked policy in the list (policy with the lowest number)
- C . Hosts assigned to multiple policies will assume the lowest ranked policy in the list (policy with the highest number)
- D . Precedence ensures that conflicting policy settings are not set in the same policy
Which is the correct order for manually installing a Falcon Package on a macOS system?
- A . Install the Falcon package, then register the Falcon Sensor via the registration package
- B . Install the Falcon package, then register the Falcon Sensor via command line
- C . Register the Falcon Sensor via command line, then install the Falcon package
- D . Register the Falcon Sensor via the registration package, then install the Falcon package
When uninstalling a sensor, which of the following is required if the ‘Uninstall and maintenance protection’ setting is enabled within the Sensor Update Policies?
- A . Maintenance token
- B . Customer ID (CID)
- C . Bulk update key
- D . Agent ID (AID)
Which of the following Machine Learning (ML) sliders will only detect or prevent high confidence malicious items?
- A . Aggressive
- B . Cautious
- C . Minimal
- D . Moderate
You are attempting to install the Falcon sensor on a host with a slow Internet connection and the installation fails after 20 minutes.
Which of the following parameters can be used to override the 20 minute default provisioning window?
- A . ExtendedWindow=1
- B . Timeout=0
- C . ProvNoWait=1
- D . Timeout=30
Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host.
What is the most appropriate role that can be added to fulfil this requirement?
- A . Remediation Manager
- B . Real Time Responder - Read Only Analyst
- C . Falcon Analyst - Read Only
- D . Real Time Responder - Active Responder
Which option allows you to exclude behavioral detections from the detections page?
- A . Machine Learning Exclusion
- B . IOA Exclusion
- C . IOC Exclusion
- D . Sensor Visibility Exclusion
Which role will allow someone to manage quarantine files?
- A . Falcon Security Lead
- B . Detections Exceptions Manager
- C . Falcon Analyst - Read Only
- D . Endpoint Manager
When a host is placed in Network Containment, which of the following is TRUE?
- A . The host machine is unable to send or receive network traffic outside of the local network
- B . The host machine is unable to send or receive network traffic except to/from the Falcon Cloud and traffic allowed in the Firewall Policy
- C . The host machine is unable to send or receive any network traffic
- D . The host machine is unable to send or receive network traffic except to/from the Falcon Cloud and any resources allowlisted in the Containment Policy
How do you disable all detections for a host?
- A . Create an exclusion rule and apply it to the machine or group of machines
- B . Contact support and provide them with the Agent ID (AID) for the machine and they will put it on the Disabled Hosts list in your Customer ID (CID)
- C . You cannot disable all detections on individual hosts as it would put them at risk
- D . In Host Management, select the host and then choose the option to Disable Detections
In order to quarantine files on the host, what prevention policy settings must be enabled?
- A . Malware Protection and Custom Execution Blocking must be enabled
- B . Next-Gen Antivirus Prevention sliders and "Quarantine & Security Center Registration" must be enabled
- C . Malware Protection and Windows Anti-Malware Execution Blocking must be enabled
- D . Behavior-Based Threat Prevention sliders and Advanced Remediation Actions must be enabled
What is the maximum number of patterns that can be added when creating a new exclusion?
- A . 10
- B . 0
- C . 1
- D . 5
Which of the following is TRUE of the Logon Activities Report?
- A . Shows a graphical view of user logon activity and the hosts the user connected to
- B . The report can be filtered by computer name
- C . It gives a detailed list of all logon activity for users
- D . It only gives a summary of the last logon activity for users
You have created a Sensor Update Policy for the Mac platform.
Which other operating system(s) will this policy manage?
- A . *nix
- B . Windows
- C . Both Windows and *nix
- D . Only Mac
Answer: D
Explanation:
Reference: https://www.crowdstrike.com/blog/tech-center/how-to-manage-policies-in-falcon/
You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints.
What is the best way to prevent these in the future?
- A . Contact support and request that they modify the Machine Learning settings to no longer include this detection
- B . Using IOC Management, add the hash of the binary in question and set the action to "Allow"
- C . Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"
- D . Using IOC Management, add the hash of the binary in question and set the action to "No Action"
What is the most common cause of a Windows Sensor entering Reduced Functionality Mode (RFM)?
- A . Falcon console updates are pending
- B . Falcon sensors installing an update
- C . Notifications have been disabled on that host sensor
- D . Microsoft updates
When creating a Host Group for all Workstations in an environment, what is the best method to ensure all workstation hosts are added to the group?
- A . Create a Dynamic Group with Type=Workstation Assignment
- B . Create a Dynamic Group and Import All Workstations
- C . Create a Static Group and Import all Workstations
- D . Create a Static Group with Type=Workstation Assignment
Which role allows a user to connect to hosts using Real-Time Response?
- A . Endpoint Manager
- B . Falcon Administrator
- C . Real Time Responder - Active Responder
- D . Prevention Hashes Manager
Where can you modify settings to permit certain traffic during a containment period?
- A . Prevention Policy
- B . Host Settings
- C . Containment Policy
- D . Firewall Settings
Which of the following is a valid step when troubleshooting sensor installation failure?
- A . Confirm all required services are running on the system
- B . Enable the Windows firewall
- C . Disable SSL and TLS on the host
- D . Delete any available application crash log files
How many "Auto" sensor version update options are available for Windows Sensor Update Policies?
- A . 1
- B . 2
- C . 0
- D . 3
Where in the Falcon console can information about supported operating system versions be found?
- A . Configuration module
- B . Intelligence module
- C . Support module
- D . Discover module
Under which scenario can Sensor Tags be assigned?
- A . While triaging a detection
- B . While managing hosts in the Falcon console
- C . While updating a sensor in the Falcon console
- D . While installing a sensor
How can a Falcon Administrator configure a pop-up message to be displayed on a host when the Falcon sensor blocks, kills or quarantines an activity?
- A . By ensuring each user has set the "pop-ups allowed" in their User Profile configuration page
- B . By enabling "Upload quarantined files" in the General Settings configuration page
- C . By turning on the "Notify End Users" setting at the top of the Prevention policy details configuration page
- D . By selecting "Enable pop-up messages" from the User configuration page
One of your development teams is working on code for a new enterprise application but Falcon continually flags the execution as a detection during testing. All development work is required to be stored on a file share in a folder called "devcode."
What setting can you use to reduce false positives on this file path?
- A . USB Device Policy
- B . Firewall Rule Group
- C . Containment Policy
- D . Machine Learning Exclusions
What is the primary purpose of using glob syntax in an exclusion?
- A . To specify a Domain be excluded from detections
- B . To specify exclusion patterns to easily exclude files and folders and extensions from detections
- C . To specify exclusion patterns to easily add files and folders and extensions to be prevented
- D . To specify a network share be excluded from detections
Which of the following options is a feature found ONLY with the Sensor-based Machine Learning (ML)?
- A . Next-Gen Antivirus (NGAV) protection
- B . Adware and Potentially Unwanted Program detection and prevention
- C . Real-time offline protection
- D . Identification and analysis of unknown executables
On a Windows host, what is the best command to determine if the sensor is currently running?
- A . sc query csagent
- B . netstat -a
- C . This cannot be accomplished with a command
- D . ping falcon.crowdstrike.com
Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host.
Which role do you need added to your user account to have this capability?
- A . Real Time Responder
- B . Endpoint Manager
- C . Falcon Investigator
- D . Remediation Manager
Which port and protocol does the sensor use to communicate with the CrowdStrike Cloud?
- A . TCP port 22 (SSH)
- B . TCP port 443 (HTTPS)
- C . TCP port 80 (HTTP)
- D . TCP/UDP port 53 (DNS)
What type of information is found in the Linux Sensors Dashboard?
- A . Hosts by Kernel Version, Shells spawned by Root, Wget/Curl Usage
- B . Hidden File execution, Execution of file from the trash, Versions Running with ComputerNames
- C . Versions running, Directory Made Invisible to Spotlight, Logging/Auditing Referenced, Viewed, or Modified
- D . Private Information Accessed, Archiving Tools - Exfil, Files Made Executable
How long are detection events kept in Falcon?
- A . Detection events are kept for 90 days
- B . Detection events are kept for your subscribed data retention period
- C . Detection events are kept for 7 days
- D . Detection events are kept for 30 days
What can the Quarantine Manager role do?
- A . Manage and change prevention settings
- B . Manage quarantined files to release and download
- C . Manage detection settings
- D . Manage roles and users
How do you find a list of inactive sensors?
- A . The Falcon platform does not provide reporting for inactive sensors
- B . A sensor is always considered active until removed by an Administrator
- C . Run the Inactive Sensor Report in the Host setup and management option
- D . Run the Sensor Aging Report within the Investigate option
The Falcon sensor uses certificate pinning to defend against man-in-the-middle attacks.
Which statement is TRUE concerning Falcon sensor certificate validation?
- A . SSL inspection should be configured to occur on all Falcon traffic
- B . Some network configurations, such as deep packet inspection, interfere with certificate validation
- C . HTTPS interception should be enabled to proceed with certificate validation
- D . Common sources of interference with certificate pinning include protocol race conditions and resource contention
You have an existing workflow that is triggered on a critical detection that sends an email to the escalation team. Your CISO has asked to also be notified via email with a customized message.
What is the best way to update the workflow?
- A . Clone the workflow and replace the existing email with your CISO’s email
- B . Add a sequential action to send a custom email to your CISO
- C . Add a parallel action to send a custom email to your CISO
- D . Add the CISO’s email to the existing action
You have been provided with a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers. They have asked you to ensure that they are not allowed to run in your environment. You have chosen to use Falcon to do this.
Which is the best way to accomplish this?
- A . Using the Support Portal, create a support ticket and include the list of binary hashes, asking support to create an "Execution Prevention" rule to prevent these processes from running
- B . Using Custom Alerts in the Investigate App, create a new alert using the template "Process Execution" and within that rule, select the option to "Block Execution"
- C . Using IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking.
- D . Using the API, gather the list of SHA256 or MD5 hashes for each binary and then upload them, setting them all to "Never Allow"
Which is a filter within the Host setup and management > Host management page?
- A . User name
- B . OU
- C . BIOS Version
- D . Locality
How do you assign a Prevention policy to one or more hosts?
- A . Create a new policy and assign it directly to those hosts on the Host Management page
- B . Modify the user's roles on the User Management page
- C . Ensure the hosts are in a group and assign that group to a custom Prevention policy
- D . Create a new policy and assign it directly to those hosts on the Prevention policy page
Where do you obtain the Windows sensor installer for CrowdStrike Falcon?
- A . Sensors are downloaded from the Hosts > Sensor Downloads
- B . Sensor installers are unique to each customer and must be obtained from support
- C . Sensor installers are downloaded from the Support section of the CrowdStrike website
- D . Sensor installers are not used because sensors are deployed from within Falcon
Which of the following applies to Custom Blocking Prevention Policy settings?
- A . Hashes must be entered on the Prevention Hashes page before they can be blocked via this policy
- B . Blocklisting applies to hashes, IP addresses, and domains
- C . Executions blocked via hash blocklist may have partially executed prior to hash calculation; process remediation may be necessary
- D . You can only blocklist hashes via the API
An administrator creating an exclusion is limited to applying a rule to how many groups of hosts?
- A . File exclusions are not aligned to groups or hosts
- B . There is a limit of three groups of hosts applied to any exclusion
- C . There is no limit and exclusions can be applied to any or all groups
- D . Each exclusion can be aligned to only one group of hosts
Why is it critical to have separate sensor update policies for Windows/Mac/*nix?
- A . There may be special considerations for each OS
- B . To assist with testing and tracking sensor rollouts
- C . The network protocols are different for each host OS
- D . It is an auditing requirement
What information is provided in Logon Activities under Visibility Reports?
- A . A list of all logons for all users
- B . A list of last endpoints that a user logged in to
- C . A list of users who are remotely logged on to devices based on local IP and local port
- D . A list of unique users who are remotely logged on to devices based on the country