When configuring a specific prevention policy, the admin can align the policy to two different types of groups, Host Groups and which other?
A. Custom IOA Rule Groups
B. Custom IOC Groups
C. Enterprise Groups
D. Operating System Groups
Correct Answer: A
Prevention Policies are created per OS (Windows, Mac and Linux policies). Once a prevention policy is created, three tabs appear at the top: Settings, Assigned Host Groups and Assigned Custom IOAs (verified in the CrowdStrike console). Therefore, Host Groups and Custom IOA Rule Groups are the two types of groups a prevention policy can be aligned to.
Question 62:
Which role is required to manage groups and policies in Falcon?
A. Falcon Host Analyst
B. Falcon Host Administrator
C. Prevention Hashes Manager
D. Falcon Host Security Lead
Correct Answer: B
The Falcon Host Administrator role is required to manage groups and policies in Falcon. This role allows users to create, edit and delete groups and policies, as well as assign them to hosts. The other roles do not have this capability.
Reference: CrowdStrike Falcon User Guide, page 17.
Question 63:
What is the most common cause of a Windows Sensor entering Reduced Functionality Mode (RFM)?
A. Falcon console updates are pending
B. Falcon sensors installing an update
C. Notifications have been disabled on that host sensor
D. Microsoft updates
Correct Answer: D
The most common cause of a Windows Sensor entering Reduced Functionality Mode (RFM) is Microsoft updates. RFM occurs when the sensor detects a change in the operating system that requires a reboot to complete. Microsoft updates are one of the common causes of such a change. The other options are either incorrect or not related to RFM. Reference: CrowdStrike Falcon User Guide, page 30.
Question 64:
Which role allows a user to connect to hosts using Real-Time Response?
A. Endpoint Manager
B. Falcon Administrator
C. Real Time Responder - Active Responder
D. Prevention Hashes Manager
Correct Answer: C
The role that allows a user to connect to hosts using Real-Time Response is Real Time Responder - Active Responder. This role allows users to use the "Connect to Host" feature to gather additional information from the host, as well as execute commands and scripts on the host. The other roles do not have this capability. Reference: CrowdStrike Falcon User Guide, page 18.
Question 65:
Which command would tell you if a Falcon Sensor was running on a Windows host?
A. cswindiag.exe -status
B. netstat.exe -f
C. sc.exe query csagent
D. sc.exe query falcon
Correct Answer: C
The command that would tell you if a Falcon Sensor was running on a Windows host is sc.exe query csagent. This command shows the status of the csagent service, which is responsible for running the sensor on Windows systems. The output indicates whether the service is running, stopped, or paused. If the service is running, the sensor is also running. Reference: How to Become a CrowdStrike Certified Falcon Administrator.
Question 66:
Which is a filter within the Host setup and management > Host management page?
A. User name
B. OU
C. BIOS Version
D. Locality
Correct Answer: B
OU (organizational unit) is a filter within the Host setup and management > Host management page. The Host management page allows you to view and manage all the hosts in your environment that have Falcon sensors installed. You can filter the hosts by hostname, group, OS version, sensor version, last seen date, health events, detections, and preventions. You can also filter by OU, which is a logical grouping of hosts based on their Active Directory domain structure. Reference: Falcon Administrator Learning Path | Infographic | CrowdStrike.
Question 67:
What is the purpose of the Machine-Learning Prevention Monitoring Report?
A. It is designed to give an administrator a quick overview of machine-learning aggressiveness settings as well as the numbers of items actually quarantined
B. It is the dashboard used by an analyst to view all items quarantined and to release any items deemed non-malicious
C. It is the dashboard used to see machine-learning preventions, and it is used to identify spikes in activity and possible targeted attacks
D. It is designed to show malware that would have been blocked in your environment based on different Machine-Learning Prevention settings
Correct Answer: D
Machine-Learning Prevention Monitoring dashboard: Use this dashboard to view malware that would have been blocked in your environment over the selected timeframe based on different Machine Learning Prevention settings (Cautious, Moderate, Aggressive or Extra Aggressive).
Question 68:
Which of the following should be used with extreme caution because it may introduce additional security risks such as malware or other attacks which would not be recorded, detected, or prevented based on the exclusion syntax?
A. Sensor Visibility Exclusion
B. Machine Learning Exclusions
C. IOC Exclusions
D. IOA Exclusions
Correct Answer: D
The option that should be used with extreme caution because it may introduce additional security risks such as malware or other attacks which would not be recorded, detected, or prevented based on the exclusion syntax is IOA Exclusions. An IOA (indicator of attack) exclusion allows you to define custom rules for excluding suspicious behavior from detection or prevention based on process execution, file write, network connection, or registry events. However, using IOA exclusions may reduce the visibility and protection of the Falcon sensor, as it may allow malicious activity to bypass the sensor's detection and prevention capabilities. Therefore, you should use IOA exclusions with extreme caution and only when necessary. Reference: Cybersecurity Resources | CrowdStrike.
Question 69:
After agent installation, an agent opens a permanent ___ connection over port 443 and keeps that connection open until the endpoint is turned off or the network connection is terminated.
A. SSH
B. TLS
C. HTTP
D. TCP
Correct Answer: B
After agent installation, an agent opens a permanent TLS connection over port 443 and keeps that connection open until the endpoint is turned off or the network connection is terminated. TLS (Transport Layer Security) is a protocol that provides secure and encrypted communication between the agent and the Falcon cloud. Port 443 is the standard port for HTTPS (Hypertext Transfer Protocol Secure) traffic. The agent uses this connection to send and receive data, commands, policies, and updates from the Falcon cloud.
Once an exclusion is saved, what can be edited in the future?
A. All parts of the exclusion can be changed
B. Only the selected groups and hosts to which the exclusion is applied can be changed
C. Only the options to "Detect/Block" and/or "File Extraction" can be changed
D. The exclusion pattern cannot be changed
Correct Answer: A
Once an exclusion is saved, all parts of the exclusion can be changed in the future. The administrator can edit an existing exclusion by selecting it from the Exclusions page and modifying any of its fields, such as pattern, type, option, group or host. The other options are either incorrect or not true of editing exclusions. Reference: CrowdStrike Falcon User Guide, page 37.