The Falcon sensor uses certificate pinning to defend against man-in-the-middle attacks. Which statement is TRUE concerning Falcon sensor certificate validation?
A. SSL inspection should be configured to occur on all Falcon traffic
B. Some network configurations, such as deep packet inspection, interfere with certificate validation
C. HTTPS interception should be enabled to proceed with certificate validation
D. Common sources of interference with certificate pinning include protocol race conditions and resource contention
Correct Answer: B
The statement that some network configurations, such as deep packet inspection, interfere with certificate validation is true concerning Falcon sensor certificate validation. The Falcon sensor uses certificate pinning to defend against man-in-the-middle attacks, which means that it verifies that the server certificate presented by the Falcon cloud matches a hard-coded certificate embedded in the sensor. Some network configurations, such as deep packet inspection, SSL inspection, or HTTPS interception, may attempt to modify or replace the server certificate, which will cause the sensor to reject the connection and generate an error. Reference: How to Become a CrowdStrike Certified Falcon Administrator
Question 42:
How can you find a list of hosts that have not communicated with the CrowdStrike Cloud in the last 30 days?
A. Under Dashboards and reports, choose the Sensor Report. Set the "Last Seen" dropdown to 30 days and reference the Inactive Sensors widget
B. Under Host setup and management, choose the Host Management page. Set the group filter to "Inactive Sensors"
C. Under Host setup and management > Managed endpoints > Inactive Sensors. Change the time range to 30 days
D. Under Host setup and management, choose the Disabled Sensors Report. Change the time range to 30 days
Correct Answer: C
The administrator can find a list of hosts that have not communicated with the CrowdStrike Cloud in the last 30 days by going to Host setup and management > Managed endpoints > Inactive Sensors. Then, change the time range to 30 days. This will show the host name, last seen date, sensor version and group name for each inactive host. The other options are either incorrect or not available. Reference: [CrowdStrike Falcon User Guide], page 31.
Question 43:
What best describes what happens to detections in the console after clicking "Disable Detections" for a host from within the Host Management page?
A. The detections for the host are removed from the console immediately and no new detections will display in the console going forward
B. You cannot disable detections for a host
C. Existing detections for the host remain, but no new detections will display in the console going forward
D. Preventions will be disabled for the host
Correct Answer: A
The option that best describes what happens to detections in the console after clicking "Disable Detections" for a host from within the Host Management page is that the detections for the host are removed from the console immediately and no new detections will display in the console going forward. The "Disable Detections" feature allows you to enable or disable the detection and prevention capabilities of the Falcon sensor on a specific host. When you disable detections for a host, the sensor will stop sending any detection or prevention events to the Falcon console, and any existing events for that host will be removed from the console. When you enable detections for a host, the sensor will resume sending any new detection or prevention events to the Falcon console, but any previous events for that host will not be restored to the console. Reference: Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 44:
Which of the following is an effective Custom IOA rule pattern to kill any process attempting to access www.badguydomain.com?
A. .*badguydomain.com.*
B. \Device\HarddiskVolume2\*.exe -SingleArgument www.badguydomain.com /kill
C. badguydomain\.com.*
D. Custom IOA rules cannot be created for domains
Correct Answer: A
You are using regex here and need a leading ".*" to capture "www", and then a trailing ".*" to match any site falling under badguydomain.com.
Question 45:
Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?
A. Real Time Responder
B. Endpoint Manager
C. Falcon Investigator
D. Remediation Manager
Correct Answer: A
The Real Time Responder role allows users to use the "Connect to Host" feature to gather additional information from the host, such as running processes, registry keys, files, etc. The other roles do not have this capability. Reference: CrowdStrike Falcon User Guide, page 18.
Question 46:
On the Host management page which filter could be used to quickly identify all devices categorized as a "Workstation" by the Falcon Platform?
A. Status
B. Platform
C. Hostname
D. Type
Correct Answer: D
The filter that could be used to quickly identify all devices categorized as a "Workstation" by the Falcon Platform on the Host Management page is Type. The Type filter allows you to filter hosts by their device type, such as workstation, server, or domain controller. The device type is assigned to each host based on its Active Directory domain structure. You can use the Type filter to quickly identify all hosts that have the workstation type assigned in their domain.
Question 47:
You are beginning the rollout of the Falcon Sensor for the first time side-by-side with your existing security solution. You need to configure the Machine Learning levels of the Prevention Policy so it does not interfere with existing solutions during the testing phase.
What settings do you choose?
A. Detection slider: Extra Aggressive; Prevention slider: Cautious
B. Detection slider: Moderate; Prevention slider: Disabled
C. Detection slider: Cautious; Prevention slider: Cautious
D. Detection slider: Disabled; Prevention slider: Disabled
Correct Answer: C
The best settings to configure the Machine Learning levels of the Prevention Policy so it does not interfere with existing solutions during the testing phase are Cautious for both the Detection and Prevention sliders. This setting will enable the sensor to detect and prevent only high-confidence malicious events, while allowing low-confidence events to run without interference. This setting will also generate less noise and fewer false positives than higher settings, such as Moderate or Extra Aggressive. Reference: Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 48:
An administrator creating an exclusion is limited to applying a rule to how many groups of hosts?
A. File exclusions are not aligned to groups or hosts
B. There is a limit of three groups of hosts applied to any exclusion
C. There is no limit and exclusions can be applied to any or all groups
D. Each exclusion can be aligned to only one group of hosts
Correct Answer: C
An exclusion is a rule that tells the Falcon platform to ignore certain files, folders, processes, or registry keys when performing prevention or detection actions. An administrator can create an exclusion and apply it to one or more groups of hosts, or to all hosts in the organization. For example, an administrator can create an exclusion for a legitimate application that is causing false positives and apply it to the group of hosts that are running that application. Reference: Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 49:
Which of the following uses Regex to create a detection or take a preventative action?
A. Custom IOC
B. Machine Learning Exclusion
C. Custom IOA
D. Sensor Visibility Exclusion
Correct Answer: C
The option that uses regex to create a detection or take a preventative action is Custom IOA. A Custom IOA (indicator of attack) allows you to define custom rules for detecting or preventing suspicious behavior based on process execution, file write, network connection, or registry events. You can use regex syntax to create a Custom IOA rule that matches the event data that you want to monitor or block. Reference: Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 50:
How do you assign a Prevention policy to one or more hosts?
A. Create a new policy and assign it directly to those hosts on the Host Management page
B. Modify the users roles on the User Management page
C. Ensure the hosts are in a group and assign that group to a custom Prevention policy
D. Create a new policy and assign it directly to those hosts on the Prevention policy page
Correct Answer: C
The administrator can assign a Prevention policy to one or more hosts by ensuring the hosts are in a group and assigning that group to a custom Prevention policy. This allows users to apply different prevention settings and options to different groups of hosts based on their needs and preferences. The other options are either incorrect or not applicable to assigning a Prevention policy. Reference: [CrowdStrike Falcon User Guide], page 34.