What best describes the relationship between Sensor Update policies and Operating Systems?
A. Windows and Mac share Sensor Update policies. Linux requires its own set of policies based on the different kernel versions
B. Sensor Update policies are not Operating System specific. One policy can be applied to all Operating Systems
C. Windows has its own Sensor Update policies. But Mac and Linux share Sensor Update policies
D. A Sensor Update policy must be configured for each Operating System (Windows, Mac, Linux)
Correct Answer: D
The option that describes the relationship between Sensor Update policies and Operating Systems is that a Sensor Update policy must be configured for each Operating System (Windows, Mac, Linux). This option is essentially a repetition of question 141 and its answer. Sensor Update policies are specific to each operating system type, as different operating systems have different sensor versions, features, and requirements. Therefore, you need to create and assign separate Sensor Update policies for each operating system type in your environment. References: Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 12:
In order to exercise manual control over the sensor upgrade process, as well as prevent unauthorized users from uninstalling or upgrading the sensor, which settings in the Sensor Update Policy would meet this criteria?
A. Sensor version set to N-1 and Bulk maintenance mode is turned on
B. Sensor version fixed and Uninstall and maintenance protection turned on
C. Sensor version updates off and Uninstall and maintenance protection turned off
D. Sensor version set to N-2 and Bulk maintenance mode is turned on
Correct Answer: B
In order to exercise manual control over the sensor upgrade process, as well as prevent unauthorized users from uninstalling or upgrading the sensor, the administrator should set the Sensor version to fixed and turn on the Uninstall and maintenance protection setting in the Sensor Update Policy. This allows the administrator to specify which sensor version the hosts using this policy will run, and also requires a maintenance token to uninstall or upgrade the sensor. The other options are either incorrect or not sufficient to meet these criteria. Reference: CrowdStrike Falcon User Guide, page 38.
Question 13:
Which is the correct order for manually installing a Falcon Package on a macOS system?
A. Install the Falcon package, then register the Falcon Sensor via the registration package
B. Install the Falcon package, then register the Falcon Sensor via command line
C. Register the Falcon Sensor via command line, then install the Falcon package
D. Register the Falcon Sensor via the registration package, then install the Falcon package
Correct Answer: B
The correct order for manually installing a Falcon Package on a macOS system is to install the Falcon package, then register the Falcon Sensor via command line. The Falcon package contains the sensor binary and the kernel extension, while the registration package contains the customer ID and the sensor group ID. The registration package is not required for macOS systems, as the registration information can be provided via command line after installing the Falcon package. References: Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 14:
When a host belongs to more than one host group, how is sensor update precedence determined?
A. Groups have no impact on sensor update policies
B. Sensors of hosts that belong to more than one group must be manually updated
C. The highest precedence policy from the most important group is applied to the host
D. All of the host's groups are examined in aggregate and the policy with highest precedence is applied to the host
Correct Answer: D
The option that describes how sensor update precedence is determined when a host belongs to more than one host group is that all of the host's groups are examined in aggregate and the policy with the highest precedence is applied to the host. A Sensor Update policy controls how and when the Falcon sensor is updated on a host. You can create and assign custom Sensor Update policies to different hosts or groups in your environment. Each Sensor Update policy has a precedence value, which determines its priority over other policies: the higher the precedence value, the higher the priority. If a host belongs to more than one host group, each with a different Sensor Update policy assigned, then all of the host's groups are examined in aggregate and the policy with the highest precedence among them is applied to the host. References: Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 15:
What type of information is found in the Linux Sensors Dashboard?
A. Hosts by Kernel Version, Shells spawned by Root, Wget/Curl Usage
B. Hidden File execution, Execution of file from the trash, Versions Running with Computer Names
C. Versions running, Directory Made Invisible to Spotlight, Logging/Auditing Referenced, Viewed, or Modified
D. Private Information Accessed, Archiving Tools - Exfil, Files Made Executable
Correct Answer: A
The type of information found in the Linux Sensors Dashboard is Hosts by Kernel Version, Shells spawned by Root, Wget/Curl Usage. The Linux Sensors Dashboard provides an overview of the Linux hosts in your environment that have Falcon sensors installed. You can use this dashboard to monitor the health and activity of your Linux hosts, such as their kernel versions, root shell usage, network communication, detections, and preventions. References: How to Become a CrowdStrike Certified Falcon Administrator
Question 16:
Which of the following Machine Learning (ML) sliders will only detect or prevent high confidence malicious items?
A. Aggressive
B. Cautious
C. Minimal
D. Moderate
Correct Answer: B
The Machine Learning (ML) slider that will only detect or prevent high-confidence malicious items is Cautious. The ML slider allows you to adjust the sensitivity and aggressiveness of the Falcon sensor's ML engine, which uses artificial intelligence to identify and stop unknown threats. The Cautious setting enables the sensor to detect and prevent only high-confidence malicious events, while allowing low-confidence events to run without interference. This setting also generates less noise and fewer false positives than higher settings, such as Moderate or Extra Aggressive. References: Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 17:
In order to quarantine files on the host, what prevention policy settings must be enabled?
A. Malware Protection and Custom Execution Blocking must be enabled
B. Next-Gen Antivirus Prevention sliders and "Quarantine and Security Center Registration" must be enabled
C. Malware Protection and Windows Anti-Malware Execution Blocking must be enabled
D. Behavior-Based Threat Prevention sliders and Advanced Remediation Actions must be enabled
Correct Answer: B
In order to quarantine files on the host, the administrator must enable the Next-Gen Antivirus Prevention sliders and "Quarantine and Security Center Registration" in the prevention policy settings. This allows Falcon to quarantine malicious files and register with Windows Security Center. The other options are either incorrect or not sufficient to enable quarantine. Reference: CrowdStrike Falcon User Guide, page 36.
Question 18:
What command should be run to verify if a Windows sensor is running?
A. regedit myfile.reg
B. sc query csagent
C. netstat -f
D. ps -ef | grep falcon
Correct Answer: B
The command that should be run to verify whether a Windows sensor is running is sc query csagent. This command displays the status and details of the csagent service, which is the Falcon sensor service. The other commands are either incorrect or not applicable to Windows sensors. Reference: CrowdStrike Falcon User Guide, page 29.
Question 19:
Which of the following tools developed by Crowdstrike is intended to help with removal of the CrowdStrike Windows Falcon Sensor?
A. CrowdStrikeRemovalTool.exe
B. UninstallTool.exe
C. CSUninstallTool.exe
D. FalconUninstall.exe
Correct Answer: C
The tool developed by CrowdStrike that is intended to help with removal of the CrowdStrike Windows Falcon Sensor is CSUninstallTool.exe. This tool is a command-line utility that can uninstall the Falcon sensor from a Windows system without requiring user interaction or network connectivity. The tool can also bypass the Uninstall and Maintenance Protection feature if enabled in the Sensor Update Policy. References: Cybersecurity Resources | CrowdStrike
Question 20:
You have been provided with a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers. They have asked you to ensure that they are not allowed to run in your environment. You have chosen to use Falcon to do this.
Which is the best way to accomplish this?
A. Using the Support Portal, create a support ticket and include the list of binary hashes, asking support to create an "Execution Prevention" rule to prevent these processes from running
B. Using Custom Alerts in the Investigate App, create a new alert using the template "Process Execution" and within that rule, select the option to "Block Execution"
C. Using IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking.
D. Using the API, gather the list of SHA256 or MD5 hashes for each binary and then upload them, setting them all to "Never Allow"
Correct Answer: C
The best way to ensure that a list of 100 hashes that are not malicious, but that your company has deemed inappropriate for work computers, are not allowed to run in your environment is to use IOC Management: gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking. This allows Falcon to block the execution of these hashes on the hosts using this policy. The other options are either incorrect or not efficient for achieving this goal. Reference: CrowdStrike Falcon User Guide, page 44.