Where do you obtain the Windows sensor installer for CrowdStrike Falcon?
A. Sensors are downloaded from the Hosts > Sensor Downloads
B. Sensor installers are unique to each customer and must be obtained from support
C. Sensor installers are downloaded from the Support section of the CrowdStrike website
D. Sensor installers are not used because sensors are deployed from within Falcon
Correct Answer: A
The Windows sensor installer for CrowdStrike Falcon can be downloaded from the Hosts > Sensor Downloads page in the Falcon console. This page allows you to download different sensor versions and installers for various operating systems and platforms, as well as view installation instructions and release notes. The other options are either incorrect or not available. Reference: CrowdStrike Falcon User Guide, page 27.
Question 112:
You are evaluating the most appropriate Prevention Policy Machine Learning slider settings for your environment. In your testing phase, you configure the Detection slider as Aggressive. After running the sensor with this configuration for 1 week of testing, which Audit report should you review to determine the best Machine Learning slider settings for your organization?
A. Prevention Policy Audit Trail
B. Prevention Policy Debug
C. Prevention Hashes Ignored
D. Machine-Learning Prevention Monitoring
Correct Answer: D
Audit logs > Machine-learning prevention monitoring. This report shows the count of expected ML detections at each detection level over a defined time period, along with the list of files that would be detected at each level.
Question 113:
What is likely the reason your Windows host would be in Reduced Functionality Mode (RFM)?
A. Microsoft updates altering the kernel
B. The host lost internet connectivity
C. A misconfiguration in your prevention policy for the host
D. A Sensor Update Policy was misconfigured
Correct Answer: B
The likely reason your Windows host would be in Reduced Functionality Mode (RFM) is that the host lost internet connectivity. RFM is a mode that limits the sensor's functionality due to license expiration, network connectivity loss, or certificate validation failure. When a Windows sensor is in RFM, it will only provide basic prevention capabilities, such as blocking known malware hashes and preventing script execution from the %TEMP% directory. The sensor will not send any telemetry or detection events to the Falcon platform, and will not receive any policy or update changes from the Falcon cloud [1]. Losing internet connectivity is a common cause of RFM, as it prevents the sensor from communicating with the Falcon cloud. A misconfiguration in your prevention policy or sensor update policy will not cause RFM, as these policies are applied by the Falcon cloud and do not affect the sensor's license, network, or certificate status. Microsoft updates altering the kernel may cause compatibility issues with the sensor, but not RFM [3]. References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike; [3] How to Become a CrowdStrike Certified Falcon Administrator
Question 114:
What is the purpose of the Default Sensor Policy?
A. A mechanism to deploy the oldest supported version of the Falcon Sensor.
B. Tests the sensor configuration settings before deployment.
C. Used to reset all sensor settings to Default.
D. Acts as a "catch all" policy if no other Sensor Policies are applied.
Correct Answer: D
The purpose of the Default Sensor Policy is that it acts as a "catch all" policy if no other Sensor Policies are applied. A Sensor Policy is a policy that defines the detection and prevention settings for the Falcon sensor on a host. You can create and assign custom Sensor Policies to different hosts or groups in your environment. However, if a host is not assigned to a specific Sensor Policy, it will inherit the settings from the Default Sensor Policy. The Default Sensor Policy is a "catch all" policy that is enabled by default and has the "Malware Protection" feature turned on. You can modify the settings of the Default Sensor Policy, but you cannot delete or disable it [1]. References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 115:
When a Linux host is in Reduced Functionality Mode (RFM) what telemetry and protection is still offered?
A. The sensor would provide protection as normal, without event telemetry
B. The sensor would provide minimal protection
C. The sensor would function as normal
D. The sensor provides no protection, and only collects Sensor Heart Beat events
Correct Answer: B
When a Linux host is in Reduced Functionality Mode (RFM), the sensor would provide minimal protection. RFM is a mode that limits the sensor's functionality due to license expiration, network connectivity loss, or certificate validation failure. When a Linux sensor is in RFM, it will only provide basic prevention capabilities, such as blocking known malware hashes and preventing script execution from the /tmp directory. The sensor will not send any telemetry or detection events to the Falcon platform, and will not receive any policy or update changes from the Falcon cloud [1]. References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 116:
The Falcon Administrator has created a new prevention policy to apply to the "Servers" group; however, when applying the new prevention policy this group is not appearing in the list of available groups. What is the most likely issue?
A. The new prevention policy should be enabled first
B. The "Servers" group already has a policy applied to it
C. The "Servers" group must be disabled first
D. Host type was not defined correctly within the prevention policy
Correct Answer: B
The most likely issue for not being able to apply a new prevention policy to the "Servers" group is that the "Servers" group already has a policy applied to it. A prevention policy is a policy that defines the prevention capabilities and settings for the Falcon sensor on a host. You can create and assign custom prevention policies to different hosts or groups in your environment. However, you can only assign one prevention policy per host or group at a time. If a host or group already has a prevention policy applied to it, you cannot apply another prevention policy to it unless you remove or replace the existing one [2]. References: [2] Cybersecurity Resources | CrowdStrike
Question 117:
Which option best describes the general process for installation of the Falcon Sensor on MacOS?
A. Grant the Falcon Package Full Disk Access, install the Falcon package, use falconctl to license the sensor
B. Install the Falcon package passing it the installation token in the command line
C. Install the Falcon package, use falconctl to license the sensor, approve the system extension, grant the sensor Full Disk Access
D. Grant the Falcon Package Full Disk Access, install the Falcon package, load the Falcon Sensor with the command 'falconctl stats'
Correct Answer: C
The option that best describes the general process for installation of the Falcon Sensor on MacOS is to install the Falcon package, use falconctl to license the sensor, approve the system extension, and grant the sensor Full Disk Access. The Falcon package contains the sensor binary and the kernel extension, which can be installed by double-clicking on it or using a command-line tool such as installer. The falconctl tool is a command-line utility that allows you to configure and manage the sensor on MacOS systems. You can use falconctl to license the sensor by providing your Customer ID (CID) and optionally your Sensor Group ID (SGID). After licensing the sensor, you need to approve the system extension in the Security and Privacy settings of your system preferences, which will require a restart. Finally, you need to grant the sensor Full Disk Access in the Privacy settings of your system preferences, which will allow the sensor to monitor and protect your files and folders [1]. References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 118:
When the Notify End Users policy setting is turned on, which of the following is TRUE?
A. End users will not be notified as we would not want to notify a malicious actor of a detection. This setting does not exist
B. End users will be immediately notified via a pop-up that their machine is in-network isolation
C. End-users receive a pop-up notification when a prevention action occurs
D. End users will receive a pop-up allowing them to confirm or refuse a pending quarantine
Correct Answer: C
When the Notify End Users policy setting is turned on, end-users receive a pop-up notification when a prevention action occurs. This setting allows you to inform the end-users that the Falcon sensor has blocked or quarantined a malicious item on their system. The notification will also provide the name and path of the item, the reason for the prevention, and a link to contact support if needed [1]. References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 119:
Where can you find your company's Customer ID (CID)?
A. The CID is a secret key used for Falcon communication and is never shared with the customer
B. The CID is only available by calling support
C. The CID is located at Hosts setup and management > Deploy > Sensor Downloads and is listed along with the checksum
D. The CID is located at Hosts > Host Management
Correct Answer: C
The CID (Customer ID) is located at Hosts setup and management > Deploy > Sensor Downloads and is listed along with the checksum. The CID is a unique identifier for your organization that is required for authenticating your sensor installation and communication with the Falcon cloud. The checksum is a value that verifies the integrity of the sensor download file. You can find your CID and checksum at the top of the Sensor Downloads page [1]. References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 120:
How can a Falcon Administrator configure a pop-up message to be displayed on a host when the Falcon sensor blocks, kills or quarantines an activity?
A. By ensuring each user has set the "pop-ups allowed" in their User Profile configuration page
B. By enabling "Upload quarantined files" in the General Settings configuration page
C. By turning on the "Notify End Users" setting at the top of the Prevention policy details configuration page
D. By selecting "Enable pop-up messages" from the User configuration page
Correct Answer: C
A Falcon Administrator can configure a pop-up message to be displayed on a host when the Falcon sensor blocks, kills or quarantines an activity by turning on the "Notify End Users" setting at the top of the Prevention policy details configuration page. This setting allows users to enable or disable end user notifications for prevention actions taken by Falcon on Windows hosts. The other options are either incorrect or not related to configuring pop-up messages. Reference: CrowdStrike Falcon User Guide, page 36.