Which of the following prevention policy settings monitors contents of scripts and shells for execution of malicious content on compatible operating systems?
A. Script-based Execution Monitoring
B. FileSystem Visibility
C. Engine (Full Visibility)
D. Suspicious Scripts and Commands
Correct Answer: A
The prevention policy setting that monitors contents of scripts and shells for execution of malicious content on compatible operating systems is Script-based Execution Monitoring. Script-based Execution Monitoring is a feature that enables the Falcon sensor to monitor and prevent malicious script execution on Windows systems. The feature uses machine learning and behavioral analysis to detect suspicious scripts or commands executed by various script interpreters, such as PowerShell, WScript, CScript, or Bash. You can enable or disable Script-based Execution Monitoring in the Prevention Policy for Windows hosts [1]. References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 142:
Under the "Next-Gen Antivirus: Cloud Machine Learning" setting there are two categories, one of them is "Cloud Anti-Malware" and the other is:
A. Adware and PUP
B. Advanced Machine Learning
C. Sensor Anti-Malware
D. Execution Blocking
Correct Answer: A
With an EDR license, if you go to "Audit logs > Machine-learning prevention monitoring", three options appear: Cloud Anti-malware, Sensor Anti-malware and Adware and PUP. Therefore, the answer is A.
Question 143:
You are attempting to install the Falcon sensor on a host with a slow Internet connection and the installation fails after 20 minutes. Which of the following parameters can be used to override the 20-minute default provisioning window?
A. ExtendedWindow=1
B. Timeout=0
C. ProvNoWait=1
D. Timeout=30
Correct Answer: C
"ProvNoWait=1
The sensor does not abort installation if it can't connect to the CrowdStrike cloud within 20 minutes (10 minutes, in Falcon sensor version 6.21 and earlier). (By default, if the host can't contact our cloud, it will retry the connection for 20 minutes. After that, the host will automatically uninstall its sensor.)"
"ProvWaitTime=3600000
The sensor waits for 1 hour to connect to the CrowdStrike cloud when installing (the default is 20 minutes)."
Question 144:
If a user wanted to install an older version of the Falcon sensor, how would they find the older installer file?
A. Older versions of the sensor are not available for download
C. By installing the current sensor and clicking the "downgrade" button during the install
D. By clicking on "Older versions" links under the Host setup and management > Deploy > Sensor downloads
Correct Answer: D
The way to find the older installer file for the Falcon sensor is to click on "Older versions" links under the Host setup and management > Deploy > Sensor downloads. The Sensor downloads page allows you to download the latest version of the Falcon sensor for different operating systems and platforms. However, if you need to install an older version of the sensor, you can click on the "Older versions" links below each sensor download button. This will open a new page where you can select and download any previous version of the sensor [1]. References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 145:
On a Windows host, what is the best command to determine if the sensor is currently running?
A. sc query csagent
B. netstat -a
C. This cannot be accomplished with a command
D. ping falcon.crowdstrike.com
Correct Answer: A
On a Windows host, the best command to determine if the sensor is currently running is sc query csagent. This command will show the status of the csagent service, which is responsible for running the sensor on Windows systems. The output of this command will indicate if the service is running, stopped, or paused. If the service is running, the sensor is also running [3]. References: [3] How to Become a CrowdStrike Certified Falcon Administrator
Question 146:
Which report can assist in determining the appropriate Machine Learning levels to set in a Prevention Policy?
A. Sensor Report
B. Machine Learning Prevention Monitoring
C. Falcon UI Audit Trail
D. Machine Learning Debug
Correct Answer: B
The Machine Learning Prevention Monitoring report in the Prevention Policy Management option allows you to monitor the impact of machine learning (ML) prevention settings on your environment. You can view the number of ML detections and preventions by severity, policy, and host group. You can also drill down into specific events and hosts to see more details. This report can help you determine the appropriate ML levels to set in a prevention policy based on your risk tolerance and security posture [1]. References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 147:
When creating new IOCs in IOC management, which of the following fields must be configured?
A. Hash, Description, Filename
B. Hash, Action and Expiry Date
C. Filename, Severity and Expiry Date
D. Hash, Platform and Action
Correct Answer: D
When creating new IOCs in IOC management, the administrator must configure the Hash, Platform and Action fields. The Hash field is the value of the IOC, such as MD5, SHA1 or SHA256. The Platform field is the operating system that the IOC applies to, such as Windows, Linux or Mac. The Action field is the action that Falcon will take when detecting the IOC, such as Detect, Block or Allow. The other fields are either optional or not available. Reference: CrowdStrike Falcon User Guide, page 44
Question 148:
Which of the following is NOT an available action for an API Client?
A. Edit an API Client
B. Reset an API Client Secret
C. Retrieve an API Client Secret
D. Delete an API Client
Correct Answer: C
The option that is not an available action for an API Client is Retrieve an API Client Secret. An API Client is an entity that represents a user or application that can access the Falcon platform programmatically via the Falcon APIs. An API Client has an API Client ID and an API Client Secret, which are used for authenticating and authorizing API requests. You can create and manage API Clients in the API Clients and Keys page in the Falcon console. The available actions for an API Client are Edit an API Client, Reset an API Client Secret, and Delete an API Client. You cannot retrieve an API Client Secret after it has been created, as it is only displayed once during creation for security reasons [2]. References: [2] Cybersecurity Resources | CrowdStrike
Question 149:
Why is it important to know your company's event data retention limits in the Falcon platform?
A. This is not necessary; you simply select "All Time" in your query to search all data
B. You will not be able to search event data into the past beyond your retention period
C. Data such as process records are kept for a shorter time than event data
D. Your query will require you to specify the data pool associated with the date you wish to search
Correct Answer: B
It is important to know your company's event data retention limits in the Falcon platform because you will not be able to search event data into the past beyond your retention period. The retention period is the amount of time that event data is stored in the Falcon Cloud, and it may vary depending on your subscription plan and settings. The other options are either incorrect or not related to knowing your retention limits. Reference: CrowdStrike Falcon User Guide, page 48.
Question 150:
Which of the following is NOT a way to determine the sensor version installed on a specific endpoint?
A. Use the Sensor Report to filter to the specific endpoint
B. Use the Investigate > Host Search to filter to the specific endpoint
C. Use Host Management to select the desired endpoint. The agent version will be listed in the columns and details
D. From a command line, run the sc query csagent -version command
Correct Answer: D
From a command line, running the sc query csagent -version command is not a way to determine the sensor version installed on a specific endpoint. This command will only show the status of the csagent service, not the sensor version. The other options are valid ways to determine the sensor version installed on a specific endpoint using the Falcon UI or API. You can use the Sensor Report, the Host Search, or the Host Management features to filter, search, or select the desired endpoint and view the sensor version information [1][2]. References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike; [2] How to Become a CrowdStrike Certified Falcon Administrator