What statement is TRUE about managing a user's role?
A. The Administrator cannot re-use the account email for a new account
B. You must have Falcon MFA enabled first
C. You must be a Falcon Security Lead
D. You must be a Falcon Administrator
Correct Answer: D
The statement that is true about managing a user's role is that you must be a Falcon Administrator. A Falcon Administrator is a role that has full access and control over all features and functions in Falcon, including user management. A Falcon Administrator can create, modify, delete, and assign roles to other users in Falcon. A Falcon Administrator can also re-use the account email for a new account, enable Falcon MFA (multi-factor authentication), and assign other roles such as Falcon Security Lead or Falcon Investigator. References: Cybersecurity Resources | CrowdStrike
Question 22:
When a host is placed in Network Containment, which of the following is TRUE?
A. The host machine is unable to send or receive network traffic outside of the local network
B. The host machine is unable to send or receive network traffic except to/from the Falcon Cloud and traffic allowed in the Firewall Policy
C. The host machine is unable to send or receive any network traffic
D. The host machine is unable to send or receive network traffic except to/from the Falcon Cloud and any resources allowlisted in the Containment Policy
Correct Answer: D
When a host is placed in Network Containment, the host machine is unable to send or receive network traffic except to/from the Falcon Cloud and any resources allowlisted in the Containment Policy. This lets you isolate a host from the network while it keeps communicating with the Falcon Cloud (so the sensor still reports, and you can still run Real Time Response and lift containment) and with any essential services you have allowlisted. The other options do not describe containment: traffic is not limited to the local network (A), the allowlist comes from the Containment Policy rather than the Firewall Policy (B), and traffic is not blocked entirely, since the sensor must keep talking to the Falcon Cloud (C). Reference: CrowdStrike Falcon User Guide, page 40.
Question 23:
Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host. What is the most appropriate role that can be added to fulfil this requirement?
A. Remediation Manager
B. Real Time Responder - Read Only Analyst
C. Falcon Analyst - Read Only
D. Real Time Responder - Active Responder
Correct Answer: B
The Real Time Responder - Read Only Analyst role can run only the read-only RTR commands: cat, cd, clear, env, eventlog, filehash, getsid, help, history, ipconfig, ls, mount, netstat, ps and reg. It does not have permission to run get, so an analyst with this role can browse directories and view file contents (ls, cat) but cannot retrieve files from the host, which is the closest match to the requirement.
Question 24:
What are custom alerts based on?
A. Custom workflows
B. Custom event based triggers
C. Predefined alert templates
D. User defined Splunk queries
Correct Answer: C
Custom Alerts are built from predefined templates. Scheduling a Custom Alert for your environment consists of three steps: choosing the template you'd like to configure, previewing the search results, then scheduling the alert. When an alert runs and finds results, it sends an email to the specified recipients instead of generating a new detection. The templates cover a wide range of topics that are not yet covered by notification workflows, including Real Time Response session initiation, host containment and OS security settings.
Question 25:
How can an API client secret be viewed after it has been created?
A. Within the API management page, API client secrets can be accessed within the "edit client" functionality
B. The API client secret must be reset or a new client created as the secret cannot be viewed after it has been created
C. The API client secret can be provided by support via direct email request from a Falcon Administrator
D. Selecting "show secret" within the 3-dot dropdown menu will reveal the secret for the selected api client
Correct Answer: B
An API client secret cannot be viewed after it has been created; it must be reset, or a new API client created. For security reasons the secret is displayed only once, at creation time. If you lose or forget it, you cannot view it again in the Falcon console and have two options: reset the API client secret, or create a new API client. Resetting generates a new secret for the existing client and invalidates the previous one. Creating a new API client generates a new client ID and secret, so any applications or scripts that use the Falcon APIs must be updated. References: Cybersecurity Resources | CrowdStrike
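The reason a "show secret" button cannot exist is visible in how a hardened service stores API credentials. The following is an added example, not code from the page or from CrowdStrike: a minimal client store that hands the plaintext secret to the caller exactly once and persists only a salted PBKDF2 hash, so afterwards it can verify or rotate the secret but has nothing it could display. Class and method names, the iteration count and token sizes are illustrative assumptions.

```python
"""Added example (not from the page or CrowdStrike): why an API client
secret can be verified and reset but never shown again.

Only a salted PBKDF2 hash is persisted; the plaintext is returned once at
creation and once more per reset. Names and parameters are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class ApiClientRecord:
    client_id: str
    salt: bytes
    secret_hash: bytes


class ApiClientStore:
    # PBKDF2 work factor: illustrative value, tune to your hardware.
    ITERATIONS = 100_000

    def __init__(self) -> None:
        self._records: dict[str, ApiClientRecord] = {}

    @classmethod
    def _hash(cls, secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, cls.ITERATIONS)

    def create_client(self) -> tuple[str, str]:
        """Create a client and return (client_id, secret).

        This is the only moment the plaintext secret exists on the server
        side; the caller has to record it now.
        """
        client_id = secrets.token_hex(16)
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._records[client_id] = ApiClientRecord(client_id, salt, self._hash(secret, salt))
        return client_id, secret

    def get_secret(self, client_id: str) -> str:
        """What an 'edit client' or 'show secret' control would need to do,
        and cannot: there is no plaintext on record to return."""
        if client_id not in self._records:
            raise KeyError(client_id)
        raise LookupError("secret is stored only as a salted hash; reset it instead")

    def verify(self, client_id: str, presented: str) -> bool:
        """Check a presented secret (e.g. at a token endpoint) in constant time."""
        rec = self._records.get(client_id)
        if rec is None:
            return False
        return hmac.compare_digest(self._hash(presented, rec.salt), rec.secret_hash)

    def reset_secret(self, client_id: str) -> str:
        """Rotate: fresh salt and hash, new plaintext returned once.
        The previous secret stops verifying immediately."""
        rec = self._records[client_id]
        new_secret = secrets.token_urlsafe(32)
        rec.salt = secrets.token_bytes(16)
        rec.secret_hash = self._hash(new_secret, rec.salt)
        return new_secret


if __name__ == "__main__":
    store = ApiClientStore()
    cid, secret = store.create_client()
    print("record this now:", cid, secret)
    print("verify:", store.verify(cid, secret))
    try:
        store.get_secret(cid)
    except LookupError as exc:
        print("retrieve:", exc)
    rotated = store.reset_secret(cid)
    print("rotated:", rotated != secret, "old secret still valid:", store.verify(cid, secret))
```

The same logic applies to any script that consumes the credential: store the secret in a secrets manager or environment variable at creation time, never log it, and treat a lost secret as a rotation event rather than a lookup.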
Question 26:
You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?
A. Contact support and request that they modify the Machine Learning settings to no longer include this detection
B. Using IOC Management, add the hash of the binary in question and set the action to "Allow"
C. Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"
D. Using IOC Management, add the hash of the binary in question and set the action to "No Action"
Correct Answer: B
Adding the binary's SHA-256 hash in IOC Management with the action set to "Allow" stops the sensor from raising Machine Learning detections for that hash while leaving all other detection behaviour unchanged. "Block, hide detection" would prevent the vendor's legitimate binary from running, "No Action" only records the indicator without changing detection behaviour, and support does not tune Machine Learning for an individual file. Note on exclusion patterns, which are a separate mechanism from hash IOCs: a single asterisk matches any number of characters, including none, without matching beyond a path separator (\ or /), and double asterisks recursively match zero or more directories under the current directory.
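Before allowlisting a hash fleet-wide it is worth confirming that one binary really does explain the noise. The following is an added example, not code from the page or from CrowdStrike: it groups a constructed export of Machine Learning detections by file hash, picks the hash behind the most detections only if it is spread across several hosts, and builds the "Allow" indicator record. The indicator field names follow my reading of CrowdStrike's public IOC Management API (POST /iocs/entities/indicators/v1) and are an assumption to check against the current API reference; the hashes, hostnames and filenames are constructed.

```python
"""Added example (not from the page or CrowdStrike): from noisy ML detections
to a single hash-based 'Allow' indicator.

Indicator field and action names are assumptions based on the public IOC
Management API; verify them against the current reference before use.
Sample data below is constructed.
"""
from collections import defaultdict
import hashlib
import re

# Constructed stand-ins for the vendor binary and an unrelated file.
VENDOR_BINARY = b"MZ" + b"constructed vendor inventory agent" * 64
VENDOR_HASH = hashlib.sha256(VENDOR_BINARY).hexdigest()
OTHER_HASH = hashlib.sha256(b"constructed unrelated file").hexdigest()

# Constructed export of ML detections, reduced to the fields triage needs.
SAMPLE_DETECTIONS = [
    {"host": "WS-0101", "sha256": VENDOR_HASH, "filename": "VendorAgent.exe"},
    {"host": "WS-0102", "sha256": VENDOR_HASH, "filename": "VendorAgent.exe"},
    {"host": "WS-0103", "sha256": VENDOR_HASH, "filename": "VendorAgent.exe"},
    {"host": "WS-0104", "sha256": VENDOR_HASH, "filename": "VendorAgent.exe"},
    # Same host again; a different export reported the hash in upper case.
    {"host": "WS-0101", "sha256": VENDOR_HASH.upper(), "filename": "VendorAgent.exe"},
    {"host": "WS-0200", "sha256": OTHER_HASH, "filename": "unknown.exe"},
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Action values as I understand the IOC Management API (assumption).
VALID_ACTIONS = {"allow", "no_action", "detect", "prevent", "prevent_no_ui"}


def summarize_by_hash(detections):
    """Return {sha256: (unique_host_count, detection_count)}, hashes lower-cased."""
    hosts = defaultdict(set)
    counts = defaultdict(int)
    for det in detections:
        digest = det["sha256"].lower()
        hosts[digest].add(det["host"])
        counts[digest] += 1
    return {digest: (len(hosts[digest]), counts[digest]) for digest in counts}


def dominant_hash(detections, min_hosts=3):
    """Hash behind the most detections, if present on at least min_hosts hosts.

    A hash seen on only one or two hosts is not 'one binary on many
    endpoints' and does not justify a fleet-wide Allow, so return None.
    """
    summary = summarize_by_hash(detections)
    if not summary:
        return None
    best = max(summary, key=lambda d: (summary[d][1], summary[d][0]))
    return best if summary[best][0] >= min_hosts else None


def build_indicator(sha256_hex, platforms, description, action="allow"):
    """Build one indicator record for the IOC Management API (field names assumed).

    'allow' suppresses ML detections for the hash; 'prevent' would block the
    vendor's binary and 'no_action' only records the indicator.
    """
    value = sha256_hex.lower()
    if not SHA256_RE.match(value):
        raise ValueError("expected a 64-character hex SHA-256")
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if not platforms:
        raise ValueError("at least one platform is required")
    return {
        "type": "sha256",
        "value": value,
        "action": action,
        "platforms": list(platforms),
        "applied_globally": True,
        "description": description,
    }


if __name__ == "__main__":
    target = dominant_hash(SAMPLE_DETECTIONS)
    host_count, det_count = summarize_by_hash(SAMPLE_DETECTIONS)[target]
    print(f"{target} behind {det_count} detections on {host_count} hosts")
    print(build_indicator(target, ["windows"], "Vendor inventory agent, confirmed benign"))
```

The host threshold is the practitioner's check on the question's premise: an Allow for a hash that appears on a handful of machines is better handled as a per-detection exclusion than as a global indicator.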
Question 27:
What information is provided in Logon Activities under Visibility Reports?
A. A list of all logons for all users
B. A list of last endpoints that a user logged in to
C. A list of users who are remotely logged on to devices based on local IP and local port
D. A list of unique users who are remotely logged on to devices based on the country
Correct Answer: B
The Logon Activities report under Visibility Reports provides a list of last endpoints that a user logged in to. This report shows the user name, domain name, logon type, logon time and endpoint name for each logon event. The other options are either incorrect or not related to the report. Reference: [CrowdStrike Falcon User Guide], page 50.
Question 28:
Which role will allow someone to manage quarantine files?
A. Falcon Security Lead
B. Detections Exceptions Manager
C. Falcon Analyst ?Read Only
D. Endpoint Manager
Correct Answer: A
The role that will allow someone to manage quarantine files is Falcon Security Lead. This role allows users to view and manage quarantined files, as well as release them from quarantine or download them for further analysis. The other roles do not have this capability. Reference: CrowdStrike Falcon User Guide, page 19.
Question 29:
How long are detection events kept in Falcon?
A. Detection events are kept for 90 days
B. Detections events are kept for your subscribed data retention period
C. Detection events are kept for 7 days
D. Detection events are kept for 30 days
Correct Answer: A
Data is available in the Falcon UI for investigations only for the company's subscribed data retention period, but detection information is kept for 90 days regardless of that period, and UI audit records are available for 1 year.
Question 30:
Which of the following pages provides a count of sensors in Reduced Functionality Mode (RFM) by Operating System?
A. Support and resources
B. Activity Overview
C. Hosts Overview
D. Sensor Health
Correct Answer: D
The page that provides a count of sensors in Reduced Functionality Mode (RFM) by operating system is Sensor Health. The Sensor Health page lets you view and monitor the health and status of all sensors in your environment and identify sensors with problems such as RFM. RFM is a safe mode in which the sensor stays connected to the Falcon Cloud but stops some of its monitoring because it cannot fully support the host, most commonly because a Linux kernel has been updated to a version the installed sensor does not yet support. You can filter the sensors by operating system, sensor version, last seen date, health events, detections, and preventions. References: How to Become a CrowdStrike Certified Falcon Administrator