On which page of the Falcon console can one locate the Customer ID (CID)?
A. Hosts Management
B. API Clients and Keys
C. Sensor Dashboard
D. Sensor Downloads
Correct Answer: B
The page of the Falcon console where one can locate the Customer ID (CID) is API Clients and Keys. The API Clients and Keys page allows you to create and manage API clients and keys for accessing the Falcon platform programmatically. The Customer ID (CID) is a unique identifier for your organization that is required for authenticating your API requests. You can find your CID at the top of the API Clients and Keys page. Reference: Cybersecurity Resources | CrowdStrike
Question 102:
When a user initiates a sensor install, where can the logs be found?
A. %SYSTEMROOT%\Logs
B. %SYSTEMROOT%\Temp
C. %LOCALAPPDATA%\Logs
D. %LOCALAPPDATA%\Temp
Correct Answer: B
When a user initiates a sensor install, the logs can be found in %SYSTEMROOT%\Temp. This folder contains temporary files and folders created by the system or applications, including the sensor installation logs. The sensor installation logs have names that start with CSFalconContainer and end with .log, such as CSFalconContainer-2023-08-31_11-23-21.log. These logs can help you troubleshoot any issues or errors that may occur during the sensor installation process. Reference: How to Become a CrowdStrike Certified Falcon Administrator
Question 103:
Which of the following is TRUE regarding Falcon Next-Gen AntiVirus (NGAV)?
A. Falcon NGAV relies on signature-based detections
B. Activating Falcon NGAV will also enable all detection and prevention settings in the entire policy
C. The Detection sliders cannot be set to a value less aggressive than the Prevention sliders
D. Falcon NGAV is not a replacement for Windows Defender or other antivirus programs
Correct Answer: C
The Detection sliders cannot be set to a value less aggressive than the Prevention sliders in Falcon Next-Gen AntiVirus (NGAV). This is because prevention is a subset of detection, and it would not make sense to prevent threats that are not detected. The other options are either incorrect or not true of Falcon NGAV. Reference: CrowdStrike Falcon User Guide, page 35.
Question 104:
A Falcon Administrator is trying to use Real-Time Response to start a session with a host that has a sensor installed but they are unable to connect. What is the most likely cause?
A. The host has a user logged into it
B. The domain controller is preventing the connection
C. They do not have an RTR role assigned to them
D. There is another analyst connected into it
Correct Answer: C
The most likely cause for not being able to use Real-Time Response to start a session with a host that has a sensor installed is that they do not have an RTR role assigned to them. An RTR (Real Time Response) role is a role that grants access and permissions to use the Real Time Response feature in Falcon, which allows you to remotely access and investigate hosts in real time. There are three types of RTR roles: Real Time Response - Read-Only Analyst, Real Time Response - Active Responder, and Real Time Response - Administrator. You need to have at least one of these roles assigned to you in order to use Real Time Response.
Question 105:
What is the purpose of precedence with respect to the Sensor Update policy?
A. Precedence applies to the Prevention policy and not to the Sensor Update policy
B. Hosts assigned to multiple policies will assume the highest ranked policy in the list (policy with the lowest number)
C. Hosts assigned to multiple policies will assume the lowest ranked policy in the list (policy with the highest number)
D. Precedence ensures that conflicting policy settings are not set in the same policy
Correct Answer: B
The purpose of precedence with respect to the Sensor Update policy is that hosts assigned to multiple policies will assume the highest ranked policy in the list (policy with the lowest number). This means that if a host belongs to more than one group that has different Sensor Update policies assigned, it will use the policy that has the highest precedence (lowest number) among them. The other options are either incorrect or not related to precedence. Reference: CrowdStrike Falcon User Guide, page 38.
Question 106:
An analyst is asked to retrieve an API client secret from a previously generated key. How can they achieve this?
A. The API client secret can be viewed from the Edit API client pop-up box
B. Enable the Client Secret column to reveal the API client secret
C. Re-create the API client using the exact name to see the API client secret
D. The API client secret cannot be retrieved after it has been created
Correct Answer: D
The API client secret cannot be retrieved after it has been created. The secret is only displayed once when the API client is created, and it cannot be viewed or edited later. Therefore, it is important to save the secret securely and use it along with the client ID to authenticate the API client. The other options are either incorrect or not possible. Reference: CrowdStrike Falcon User Guide, page 54.
Question 107:
You have a Windows host on your network in Reduced functionality mode (RFM). While the system is in RFM, which of the following is TRUE?
A. System monitoring will be unavailable
B. Event reporting will be unavailable
C. Prevention patterns will not be triggered
D. Some detection patterns and preventions will not be triggered
Correct Answer: D
The option that is true when a Windows host is in Reduced Functionality Mode (RFM) is that some detection patterns and preventions will not be triggered. RFM is a mode that limits the sensor's functionality due to license expiration, network connectivity loss, or certificate validation failure. When a Windows sensor is in RFM, it will only provide basic prevention capabilities, such as blocking known malware hashes and preventing script execution from the %TEMP% directory. The sensor will not send any telemetry or detection events to the Falcon platform, and will not receive any policy or update changes from the Falcon cloud. This means that some detection patterns and preventions that rely on telemetry, machine learning, or cloud analysis will not be triggered. Reference: Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 108:
An analyst has reported they are not receiving workflow triggered notifications in the past few days. Where should you first check for potential failures?
A. Custom Alert History
B. Workflow Execution log
C. Workflow Audit log
D. Falcon UI Audit Trail
Correct Answer: B
The Workflow Execution log in the Workflow Management option allows you to view the status and results of workflow executions triggered by detection events. You can filter the log by workflow name, status, start and end time, and detection ID. You can also view the details of each execution, including the actions performed, the output received, and any errors encountered. This log can help you troubleshoot potential failures or issues with your workflows. Reference: Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 109:
While a host is Network contained, you need to allow the host to access internal network resources on specific IP addresses to perform patching and remediation. Which configuration would you choose?
A. Configure a Real Time Response policy allowlist with the specific IP addresses
B. Configure a Containment Policy with the specific IP addresses
C. Configure a Containment Policy with the entire internal IP CIDR block
D. Configure the Host firewall to allowlist the specific IP addresses
Correct Answer: B
While a host is Network contained, the administrator can allow the host to access internal network resources on specific IP addresses to perform patching and remediation by configuring a Containment Policy with the specific IP addresses. This policy allows users to specify which ports, protocols and IP addresses are allowed or blocked during network containment. The other options are either incorrect or not related to network containment. Reference: CrowdStrike Falcon User Guide, page 40.
Question 110:
Which of the following roles allows a Falcon user to create Real Time Response Custom Scripts?
A. Real Time Responder - Administrator
B. Real Time Responder - Read Only Analyst
C. Real Time Responder - Script Developer
D. Real Time Responder - Active Responder
Correct Answer: A
Real Time Responder - Administrator (RTR Administrator) - Can do everything RTR Active Responder can do, plus create custom scripts, upload files to hosts using the put command, and directly run executables using the run command.