When creating a Host Group for all Workstations in an environment, what is the best method to ensure all workstation hosts are added to the group?
A. Create a Dynamic Group with Type=Workstation Assignment
B. Create a Dynamic Group and Import All Workstations
C. Create a Static Group and Import all Workstations
D. Create a Static Group with Type=Workstation Assignment
Correct Answer: A
The best method to ensure all workstation hosts are added to the group is to create a Dynamic Group with Type=Workstation Assignment. A Dynamic Group is a group that automatically updates its membership based on certain criteria or filters. A Type=Workstation Assignment filter will match all hosts that have the workstation type assigned in their Active Directory domain. This way, any new or existing workstation hosts will be added to the group without manual intervention [1]. References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 92:
Why is it critical to have separate sensor update policies for Windows/Mac/*nix?
A. There may be special considerations for each OS
B. To assist with testing and tracking sensor rollouts
C. The network protocols are different for each host OS
A. The Falcon platform does not provide reporting for inactive sensors
B. A sensor is always considered active until removed by an Administrator
C. Run the Inactive Sensor Report in the Host setup and management option
D. Run the Sensor Aging Report within the Investigate option
Correct Answer: C
The Inactive Sensor Report in the Host setup and management option allows you to view a list of hosts that have not communicated with the Falcon platform for a specified period of time. You can filter the report by sensor version, OS, and last seen date. This report can help you identify hosts that may have connectivity issues or need sensor updates [1]. References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 94:
Which of the following best describes the Default Sensor Update policy?
A. The Default Sensor Update policy does not have the "Uninstall and maintenance protection" feature
B. The Default Sensor Update policy is only used for testing sensor updates
C. The Default Sensor Update policy is a "catch-all" policy
D. The Default Sensor Update policy is disabled by default
Correct Answer: C
The Default Sensor Update policy is a "catch-all" policy. This means that any host that is not assigned to a specific sensor update policy will inherit the settings from the Default Sensor Update policy. The Default Sensor Update policy is enabled by default and has the "Uninstall and maintenance protection" feature turned on. You can modify the settings of the Default Sensor Update policy, but you cannot delete or disable it [2]. References: [2] Cybersecurity Resources | CrowdStrike
Question 95:
What may prevent a user from logging into Falcon via single sign-on (SSO)?
A. The SSO username doesn't match their email address in Falcon
B. The maintenance token has expired
C. Falcon is in reduced functionality mode
D. The user never configured their security questions
Correct Answer: A
The option that may prevent a user from logging into Falcon via single sign-on (SSO) is that the SSO username doesn't match their email address in Falcon. SSO is a feature that allows you to use an external identity provider (IdP) to authenticate and authorize users to access the Falcon platform. SSO simplifies and streamlines the login process, as users only need to remember one set of credentials for multiple applications. However, SSO requires that the username in the IdP matches the email address in Falcon for each user. If there is a mismatch between the username and the email address, the user will not be able to log into Falcon via SSO.
Check the documentation: there are two kinds of tags, the Falcon Grouping Tags that can be managed in the Falcon console or API, and the Sensor Grouping Tags that are configured as a parameter in the CLI. The latter kind of tag can be differentiated because it appears with the prefix SensorGroupingTags followed by the name of the tag. If you want to modify a sensor tag, it is necessary to change a registry key value and reboot the device or wait until the sensor is upgraded.
Question 97:
Which Real Time Response role will allow you to see all analyst session details?
A. Real Time Response - Read-Only Analyst
B. None of the Real Time Response roles allows this
C. Real Time Response - Active Responder
D. Real Time Response - Administrator
Correct Answer: D
The Real Time Response role that will allow you to see all analyst session details is Real Time Response - Administrator. A Real Time Response - Administrator is a role that has full access and control over the Real Time Response feature in Falcon, which allows you to remotely access and investigate hosts in real time. A Real Time Response - Administrator can view all analyst session details, such as session ID, host name, start and end time, commands executed, and output received. A Real Time Response - Administrator can also create, modify, delete, and assign scripts and commands to other analysts [2]. References: [2] Cybersecurity Resources | CrowdStrike
Question 98:
When would the No Action option be assigned to a hash in IOC Management?
A. When you want to save the indicator for later action, but do not want to block or allow it at this time
B. Add the indicator to your allowlist and do not detect it
C. There is no such option as No Action available in the Falcon console
D. Add the indicator to your blocklist and show it as a detection
Correct Answer: A
The No Action option can be assigned to a hash in IOC Management when you want to save the indicator for later action, but do not want to block or allow it at this time. This option will neither detect nor prevent the execution of the hash, but will keep it in the IOC list for future reference. The other options are either incorrect or not related to the No Action option. Reference: CrowdStrike Falcon User Guide, page 44.
Question 99:
Which of the following is TRUE of the Logon Activities Report?
A. Shows a graphical view of user logon activity and the hosts the user connected to
B. The report can be filtered by computer name
C. It gives a detailed list of all logon activity for users
D. It only gives a summary of the last logon activity for users
Correct Answer: D
The Logon Activities Report shows a graphical view of user logon activity and the hosts the user connected to, but it only gives a summary of the last logon activity for users. It does not give a detailed list of all logon activity for users, nor can it be filtered by computer name. The other options are either incorrect or not true of the report. Reference: CrowdStrike Falcon User Guide, page 50.
Question 100:
When performing targeted filtering for a host on the Host Management Page, which filter bar attribute is NOT case-sensitive?
A. Username
B. Model
C. Domain
D. Hostname
Correct Answer: D
When performing targeted filtering for a host on the Host Management Page, the filter bar attribute that is not case-sensitive is Hostname. The Hostname attribute allows you to filter hosts by their computer name or DNS name. The Hostname filter is not case-sensitive, meaning that it will match hosts regardless of the capitalization of their names. For example, filtering by hostname=DESKTOP-1234 will match hosts with names such as DESKTOP-1234, desktop-1234, or Desktop1234 [2]. References: [2] Cybersecurity Resources | CrowdStrike