How does the Unique Hosts Connecting to Countries Map help an administrator?
A. It highlights countries with known malware
B. It helps visualize global network communication
C. It identifies connections containing threats
D. It displays intrusions from foreign countries
Correct Answer: B
The Unique Hosts Connecting to Countries Map helps an administrator to visualize global network communication. The map shows the number of unique hosts in your environment that have established network connections to different countries in the past 24 hours. You can use this map to identify unusual or suspicious network activity, such as connections to high-risk countries or regions, or connections from hosts that are not expected to communicate with external entities. References: Cybersecurity Resources | CrowdStrike
Question 52:
Which of the following options is a feature found ONLY with the Sensor-based Machine Learning (ML)?
A. Next-Gen Antivirus (NGAV) protection
B. Adware and Potentially Unwanted Program detection and prevention
C. Real-time offline protection
D. Identification and analysis of unknown executables
Correct Answer: D
According to documentation (documentation/detections/technique/sensor-based-ml-cst0007): CrowdStrike sensor-based machine learning (ML) identifies and analyzes unknown executables as they run on hosts. This technique is triggered by files and file attributes associated with known malware. This is similar to the [Cloud-based ML](/support/documentation/detections/technique/cloud-based-ml) technique. Cloud-based ML is informed by global analysis of executables that classifies and identifies malware. The key difference is that cloud-based ML doesn't run on hosts when they're offline.
Question 53:
The alignment of a particular prevention policy to one or more host groups can be completed in which of the following locations within Falcon?
A. Policy alignment is configured in the "Host Management" section in the Hosts application
B. Policy alignment is configured only once during the initial creation of the policy in the "Create New Policy" pop-up window
C. Policy alignment is configured in the General Settings section under the Configuration menu
D. Policy alignment is configured in each policy in the "Assigned Host Groups" tab
Correct Answer: D
The alignment of a particular prevention policy to one or more host groups can be completed in each policy in the "Assigned Host Groups" tab. This tab allows the administrator to select which host groups will use the policy, as well as view the number of hosts and sensors assigned to each group. The other options are either incorrect or not available. Reference: [CrowdStrike Falcon User Guide], page 34.
Question 54:
You have an existing workflow that is triggered on a critical detection that sends an email to the escalation team. Your CISO has asked to also be notified via email with a customized message. What is the best way to update the workflow?
A. Clone the workflow and replace the existing email with your CISO's email
B. Add a sequential action to send a custom email to your CISO
C. Add a parallel action to send a custom email to your CISO
D. Add the CISO's email to the existing action
Correct Answer: C
The best way to update the workflow is to add a parallel action to send a custom email to your CISO. A parallel action allows you to perform multiple actions simultaneously when a workflow is triggered, without affecting the order or outcome of other actions. A sequential action, on the other hand, requires one action to complete before another action can start. By adding a parallel action, you can ensure that both the escalation team and your CISO receive an email notification as soon as possible. References: Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 55:
A sensor that has not contacted the Falcon cloud will be automatically deleted from the hosts list after how many days?
A. 45 Days
B. 60 Days
C. 30 Days
D. 90 Days
Correct Answer: D
A sensor that has not contacted the Falcon cloud will be automatically deleted from the hosts list after 90 days. A sensor that has not contacted the Falcon cloud for more than seven days is considered inactive and will be moved from the Host Management page to the Trash page. An inactive sensor will remain in the Trash page for 90 days before being permanently deleted from the Falcon platform. You can restore an inactive sensor from the Trash page if it contacts the Falcon cloud again within 90 days. References: [Falcon Administrator Learning Path | Infographic | CrowdStrike]
Question 56:
Which of the following scenarios best describes when you would add IP addresses to the containment policy?
A. You want to automate the Network Containment process based on the IP address of a host
B. Your organization has additional IP addresses that need to be able to access the Falcon console
C. A new group of analysts need to be able to place hosts under Network Containment
D. Your organization has resources that need to be accessible when hosts are network contained
Correct Answer: D
The scenario that best describes when you would add IP addresses to the containment policy is that your organization has resources that need to be accessible when hosts are network contained. As explained in the previous question, adding IP addresses to the containment policy allows you to create an allowlist of trusted IP addresses that can communicate with your contained hosts. This can be useful when you need to isolate a host from the network due to a potential compromise or investigation, but still want to allow it to access certain resources or services that are essential for your organization's operations or security.
Question 57:
Which of the following controls the speed at which your sensors will receive automatic sensor updates?
A. Maintenance Tokens
B. Sensor Update Policy
C. Sensor Update Throttling
D. Channel File Update Throttling
Correct Answer: C
The option that controls the speed at which your sensors will receive automatic sensor updates is Sensor Update Throttling. Sensor Update Throttling allows you to limit the number of sensors that can download a new sensor version per hour. This way, you can avoid network congestion or bandwidth issues caused by simultaneous sensor updates. You can configure the Sensor Update Throttling setting in the Sensor Update Policy for each platform. References: Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 58:
What best describes what happens to detections in the console after clicking "Enable Detections" for a host which previously had its detections disabled?
A. Enables custom detections for the host
B. New detections will start appearing in the console, and all retroactive stored detections will be restored to the console for that host
C. New detections will start appearing in the console immediately. Previous detections will not be restored to the console for that host
D. Preventions will be enabled for the host
Correct Answer: C
The option that best describes what happens to detections in the console after clicking "Enable Detections" for a host which previously had its detections disabled is that new detections will start appearing in the console immediately. Previous detections will not be restored to the console for that host. The "Enable Detections" feature allows you to enable or disable the detection and prevention capabilities of the Falcon sensor on a specific host. When you disable detections for a host, the sensor will stop sending any detection or prevention events to the Falcon console, and any existing events for that host will be removed from the console. When you enable detections for a host, the sensor will resume sending any new detection or prevention events to the Falcon console, but any previous events for that host will not be restored to the console. References: Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 59:
Which of the following best describes what the Uninstall and Maintenance Protection setting controls within your Sensor Update Policy?
A. Prevents automatic updates of the sensor
B. Prevents the sensor from entering Reduced Functionality Mode
C. Prevents modification of sensor update policy
D. Prevents unauthorized uninstallation of the sensor
Correct Answer: D
The option that best describes what the Uninstall and Maintenance Protection setting controls within your Sensor Update Policy is that it prevents unauthorized uninstallation of the sensor. The Uninstall and Maintenance Protection setting is a feature that adds an extra layer of security to the sensor by requiring a maintenance token to uninstall or update the sensor manually. The maintenance token is a unique code that can be generated by a Falcon Administrator or a Real Time Response Administrator in the Falcon console. Without a valid maintenance token, the sensor cannot be uninstalled or updated by anyone, including local administrators or malware. References: Cybersecurity Resources | CrowdStrike
Question 60:
Which of the following applies to Custom Blocking Prevention Policy settings?
A. Hashes must be entered on the Prevention Hashes page before they can be blocked via this policy
B. Blocklisting applies to hashes, IP addresses, and domains
C. Executions blocked via hash blocklist may have partially executed prior to the hash calculation process; remediation may be necessary
D. You can only blocklist hashes via the API
Correct Answer: A
Falcon allows you to upload hashes from your own black or white lists. To enable this, navigate to the Configuration App, Prevention Hashes window, and click on "Upload Hashes" in the upper right-hand corner. Note that you can also automate the task of importing hashes with the CrowdStrike Falcon API. https://www.crowdstrike.com/blog/tech-center/how-to-prevent-malware-with-custom-blacklisting/