CCFA - CrowdStrike Certified Falcon Responder

o enhance your security, you want to detect and block based on a list of domains and IP addresses. How can you use IOC management to help this objective?

A. Blocking of Domains and IP addresses is not a function of IOC management. A Custom IOA Rule should be used instead
B. Using IOC management, import the list of hashes and IP addresses and set the action to Detect Only
C. Using IOC management, import the list of hashes and IP addresses and set the action to Prevent/Block
D. Using IOC management, import the list of hashes and IP addresses and set the action to No Action

C. Using IOC management, import the list of hashes and IP addresses and set the action to Prevent/Block

Which of the following can a Falcon Administrator edit in an existing user's profile?

A. First or Last name
B. Phone number
C. Email address
D. Working groups

A. First or Last name

What is the function of a single asterisk (*) in an ML exclusion pattern?

A. The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path
B. The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path
C. The single asterisk is the insertion point for the variable list that follows the path
D. The single asterisk is only used to start an expression, and it represents the drive letter

B. The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path

You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?

A. Contact support and request that they modify the Machine Learning settings to no longer include this detection
B. Using IOC Management, add the hash of the binary in question and set the action to "Allow"
C. Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"
D. Using IOC Management, add the hash of the binary in question and set the action to "No Action"

B. Using IOC Management, add the hash of the binary in question and set the action to "Allow"

What is the purpose of a containment policy?

A. To define which Falcon analysts can contain endpoints
B. To define the duration of Network Containment
C. To define the trigger under which a machine is put in Network Containment (e.g. a critical detection)
D. To define allowed IP addresses over which your hosts will communicate when contained

D. To define allowed IP addresses over which your hosts will communicate when contained

An administrator creating an exclusion is limited to applying a rule to how many groups of hosts?

A. File exclusions are not aligned to groups or hosts
B. There is a limit of three groups of hosts applied to any exclusion
C. There is no limit and exclusions can be applied to any or all groups
D. Each exclusion can be aligned to only one group of hosts

C. There is no limit and exclusions can be applied to any or all groups

Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?

A. Real Time Responder
B. Endpoint Manager
C. Falcon Investigator
D. Remediation Manager

A. Real Time Responder

What must an admin do to reset a user's password?

A. From User Management, open the account details for the affected user and select "Generate New Password"
B. From User Management, select "Reset Password" from the three dot menu for the affected user account
C. From User Management, select "Update Account" and manually create a new password for the affected user account
D. From User Management, the administrator must rebuild the account as the certificate for user specific private/public key generation is no longer valid

B. From User Management, select "Reset Password" from the three dot menu for the affected user account

Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group. What is the next step to disable RTR only on these hosts?

A. Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
B. Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"
C. Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
D. Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality"

C. Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group

When creating new IOCs in IOC management, which of the following fields must be configured?

A. Hash, Description, Filename
B. Hash, Action and Expiry Date
C. Filename, Severity and Expiry Date
D. Hash, Platform and Action

D. Hash, Platform and Action

Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host. What is the most appropriate role that can be added to fullfil this requirement?

A. Remediation Manager
B. Real Time Responder - Read Only Analyst
C. Falcon Analyst - Read Only
D. Real Time Responder - Active Responder

B. Real Time Responder - Read Only Analyst

One of your development teams is working on code for a new enterprise application but Falcon continually flags the execution as a detection during testing. All development work is required to be stored on a file share in a folder called "devcode." What setting can you use to reduce false positives on this file path?

A. USB Device Policy
B. Firewall Rule Group
C. Containment Policy
D. Machine Learning Exclusions

D. Machine Learning Exclusions

How do you disable all detections for a host?

A. Create an exclusion rule and apply it to the machine or group of machines
B. Contact support and provide them with the Agent ID (AID) for the machine and they will put it on the Disabled Hosts list in your Customer ID (CID)
C. You cannot disable all detections on individual hosts as it would put them at risk
D. In Host Management, select the host and then choose the option to Disable Detections

D. In Host Management, select the host and then choose the option to Disable Detections

Which role is required to manage groups and policies in Falcon?

A. Falcon Host Analyst
B. Falcon Host Administrator
C. Prevention Hashes Manager
D. Falcon Host Security Lead

B. Falcon Host Administrator

You want the Falcon Cloud to push out sensor version changes but you also want to manually control when the sensor version is upgraded or downgraded. In the Sensor Update policy, which is the best Sensor version option to achieve these requirements?

A. Specific sensor version number
B. Auto - TEST-QA
C. Sensor version updates off
D. Auto - N-1

A. Specific sensor version number

What is the goal of a Network Containment Policy?

A. Increase the aggressiveness of the assigned prevention policy
B. Limit the impact of a compromised host on the network
C. Gain more visibility into network activities
D. Partition a network for privacy

B. Limit the impact of a compromised host on the network

Which of the following applies to Custom Blocking Prevention Policy settings?

A. Hashes must be entered on the Prevention Hashes page before they can be blocked via this policy
B. Blocklisting applies to hashes, IP addresses, and domains
C. Executions blocked via hash blocklist may have partially executed prior to hash calculation process remediation may be necessary
D. You can only blocklist hashes via the API

A. Hashes must be entered on the Prevention Hashes page before they can be blocked via this policy

How many "Auto" sensor version update options are available for Windows Sensor Update Policies?

A. 1
B. 2
C. 0
D. 3

D. 3

The alignment of a particular prevention policy to one or more host groups can be completed in which of the following locations within Falcon?

A. Policy alignment is configured in the "Host Management" section in the Hosts application
B. Policy alignment is configured only once during the initial creation of the policy in the "Create New Policy" pop-up window
C. Policy alignment is configured in the General Settings section under the Configuration menu
D. Policy alignment is configured in each policy in the "Assigned Host Groups" tab

D. Policy alignment is configured in each policy in the "Assigned Host Groups" tab

How long are detection events kept in Falcon?

A. Detection events are kept for 90 days
B. Detections events are kept for your subscribed data retention period
C. Detection events are kept for 7 days
D. Detection events are kept for 30 days

B. Detections events are kept for your subscribed data retention period

What information is provided in Logon Activities under Visibility Reports?

A. A list of all logons for all users
B. A list of last endpoints that a user logged in to
C. A list of users who are remotely logged on to devices based on local IP and local port
D. A list of unique users who are remotely logged on to devices based on the country

B. A list of last endpoints that a user logged in to

What can the Quarantine Manager role do?

A. Manage and change prevention settings
B. Manage quarantined files to release and download
C. Manage detection settings
D. Manage roles and users

B. Manage quarantined files to release and download

What command should be run to verify if a Windows sensor is running?

A. regedit myfile.reg
B. sc query csagent
C. netstat -f
D. ps -ef | grep falcon

B. sc query csagent

When configuring a specific prevention policy, the admin can align the policy to two different types of groups, Host Groups and which other?

A. Custom IOA Rule Groups
B. Custom IOC Groups
C. Enterprise Groups
D. Operating System Groups

A. Custom IOA Rule Groups

Which role allows a user to connect to hosts using Real-Time Response?

A. Endpoint Manager
B. Falcon Administrator
C. Real Time Responder - Active Responder
D. Prevention Hashes Manager

C. Real Time Responder - Active Responder

You are attempting to install the Falcon sensor on a host with a slow Internet connection and the installation fails after 20 minutes. Which of the following parameters can be used to override the 20 minute default provisioning window?

A. ExtendedWindow=1
B. Timeout=0
C. ProvNoWait=1
D. Timeout=30

C. ProvNoWait=1

How can you find a list of hosts that have not communicated with the CrowdStrike Cloud in the last 30 days?

A. Under Dashboards and reports, choose the Sensor Report. Set the "Last Seen" dropdown to 30 days and reference the Inactive Sensors widget
B. Under Host setup and management, choose the Host Management page. Set the group filter to "Inactive Sensors"
C. Under Host setup and management > Managed endpoints > Inactive Sensors. Change the time range to 30 days
D. Under Host setup and management, choose the Disabled Sensors Report. Change the time range to 30 days

C. Under Host setup and management > Managed endpoints > Inactive Sensors. Change the time range to 30 days

In order to quarantine files on the host, what prevention policy settings must be enabled?

A. Malware Protection and Custom Execution Blocking must be enabled
B. Next-Gen Antivirus Prevention sliders and "Quarantine & Security Center Registration" must be enabled
C. Malware Protection and Windows Anti-Malware Execution Blocking must be enabled
D. Behavior-Based Threat Prevention sliders and Advanced Remediation Actions must be enabled

B. Next-Gen Antivirus Prevention sliders and "Quarantine & Security Center Registration" must be enabled

Why is it critical to have separate sensor update policies for Windows/Mac/*nix?

A. There may be special considerations for each OS
B. To assist with testing and tracking sensor rollouts
C. The network protocols are different for each host OS
D. It is an auditing requirement

A. There may be special considerations for each OS

How do you assign a policy to a specific group of hosts?

A. Create a group containing the desired hosts using "Static Assignment." Go to the Assigned Host Groups tab of the desired policy and dick "Add groups to policy." Select the desired Group(s).
B. Assign a tag to the desired hosts in Host Management. Create a group with an assignment rule based on that tag. Go to the Assignment tab of the desired policy and click "Add Groups to Policy." Select the desired Group(s).
C. Create a group containing the desired hosts using "Dynamic Assignment." Go to the Assigned Host Groups tab of the desired policy and select criteria such as OU, OS, Hostname pattern, etc.
D. On the Assignment tab of the desired policy, select "Static" assignment. From the next window, select the desired hosts (using fitters if needed) and click Add.

B. Assign a tag to the desired hosts in Host Management. Create a group with an assignment rule based on that tag. Go to the Assignment tab of the desired policy and click "Add Groups to Policy." Select the desired Group(s).

You want to create a detection-only policy. How do you set this up in your policy's settings?

A. Enable the detection sliders and disable the prevention sliders. Then ensure that Next Gen Antivirus is enabled so it will disable Windows Defender.
B. Select the "Detect-Only" template. Disable hash blocking and exclusions.
C. You can't create a policy that detects but does not prevent. Use Custom IOA rules to detect.
D. Set the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled. Do not activate any of the other blocking or malware prevention options.

D. Set the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled. Do not activate any of the other blocking or malware prevention options.

Which of the following is an effective Custom IOA rule pattern to kill any process attempting to access www.badguydomain.com?

A. .badguydomain\.com.
B. \Device\HarddiskVolume2\*.exe -SingleArgument www.badguydomain.com /kill
C. badguydomain\.com.*
D. Custom IOA rules cannot be created for domains

A. .badguydomain\.com.

Where can you modify settings to permit certain traffic during a containment period?

A. Prevention Policy
B. Host Settings
C. Containment Policy
D. Firewall Settings

C. Containment Policy

Which option allows you to exclude behavioral detections from the detections page?

A. Machine Learning Exclusion
B. IOA Exclusion
C. IOC Exclusion
D. Sensor Visibility Exclusion

B. IOA Exclusion

What are custom alerts based on?

A. Custom workflows
B. Custom event based triggers
C. Predefined alert templates
D. User defined Splunk queries

C. Predefined alert templates

When creating an API client, which of the following must be saved immediately since it cannot be viewed again after the client is created?

A. Base URL
B. Secret
C. Client ID
D. Client name

B. Secret

You notice there are multiple Windows hosts in Reduced functionality mode (RFM). What is the most likely culprit causing these hosts to be in RFM?

A. A Sensor Update Policy was misconfigured
B. A host was offline for more than 24 hours
C. A patch was pushed overnight to all Windows systems
D. A host was placed in network containment from a detection

C. A patch was pushed overnight to all Windows systems

Which of the following is TRUE of the Logon Activities Report?

A. Shows a graphical view of user logon activity and the hosts the user connected to
B. The report can be filtered by computer name
C. It gives a detailed list of all logon activity for users
D. It only gives a summary of the last logon activity for users

D. It only gives a summary of the last logon activity for users

Which of the following roles allows a Falcon user to create Real Time Response Custom Scripts?

A. Real Time Responder - Administrator
B. Real Time Responder - Read Only Analyst
C. Real Time Responder - Script Developer
D. Real Time Responder - Active Responder

A. Real Time Responder - Administrator

What model is used to create workflows that would allow you to create custom notifications based on particular events which occur in the Falcon platform?

A. For - While statement(s)
B. Trigger, condition(s) and action(s)
C. Event trigger(s)
D. Predefined workflow template(s)

B. Trigger, condition(s) and action(s)

An analyst is asked to retrieve an API client secret from a previously generated key. How can they achieve this?

A. The API client secret can be viewed from the Edit API client pop-up box
B. Enable the Client Secret column to reveal the API client secret
C. Re-create the API client using the exact name to see the API client secret
D. The API client secret cannot be retrieved after it has been created

D. The API client secret cannot be retrieved after it has been created

Which port and protocol does the sensor use to communicate with the CrowdStrike Cloud?

A. TCP port 22 (SSH)
B. TCP port 443 (HTTPS)
C. TCP port 80 (HTTP)
D. TCP UDP port 53 (DNS)

B. TCP port 443 (HTTPS)

Where do you obtain the Windows sensor installer for CrowdStrike Falcon?

A. Sensors are downloaded from the Hosts > Sensor Downloads
B. Sensor installers are unique to each customer and must be obtained from support
C. Sensor installers are downloaded from the Support section of the CrowdStrike website
D. Sensor installers are not used because sensors are deployed from within Falcon

A. Sensors are downloaded from the Hosts > Sensor Downloads

What is the most common cause of a Windows Sensor entering Reduced Functionality Mode (RFM)?

A. Falcon console updates are pending
B. Falcon sensors installing an update
C. Notifications have been disabled on that host sensor
D. Microsoft updates

D. Microsoft updates

On which page of the Falcon console would you create sensor groups?

A. User management
B. Sensor update policies
C. Host management
D. Host groups

D. Host groups

While a host is Network contained, you need to allow the host to access internal network resources on specific IP addresses to perform patching and remediation. Which configuration would you choose?

A. Configure a Real Time Response policy allowlist with the specific IP addresses
B. Configure a Containment Policy with the specific IP addresses
C. Configure a Containment Policy with the entire internal IP CIDR block
D. Configure the Host firewall to allowlist the specific IP addresses

B. Configure a Containment Policy with the specific IP addresses

Which of the following is TRUE regarding Falcon Next-Gen AntiVirus (NGAV)?

A. Falcon NGAV relies on signature-based detections
B. Activating Falcon NGAV will also enable all detection and prevention settings in the entire policy
C. The Detection sliders cannot be set to a value less aggressive than the Prevention sliders
D. Falcon NGAV is not a replacement for Windows Defender or other antivirus programs

C. The Detection sliders cannot be set to a value less aggressive than the Prevention sliders

What is the purpose of using groups with Sensor Update policies in CrowdStrike Falcon?

A. To group hosts with others in the same business unit
B. To group hosts according to the order in which Falcon was installed, so that updates are installed in the same order every time
C. To prioritize the order in which Falcon updates are installed, so that updates are not installed all at once leading to network congestion
D. To allow the controlled assignment of sensor versions onto specific hosts

D. To allow the controlled assignment of sensor versions onto specific hosts

What impact does disabling detections on a host have on an API?

A. Endpoints with detections disabled will not alert on anything until detections are enabled again
B. Endpoints cannot have their detections disabled individually
C. DetectionSummaryEvent stops sending to the Streaming API for that host
D. Endpoints with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed

C. DetectionSummaryEvent stops sending to the Streaming API for that host

Under which scenario can Sensor Tags be assigned?

A. While triaging a detection
B. While managing hosts in the Falcon console
C. While updating a sensor in the Falcon console
D. While installing a sensor

D. While installing a sensor
Hide Solution

Custom IOA rules are defined using which syntax?

A. Glob
B. PowerShell
C. Yara
D. Regex

A. Glob

With Custom Alerts, it is possible to __________.

A. schedule the alert to run at any interval
B. receive an alert in an email
C. configure prevention actions for alerting
D. be alerted to activity in real-time

B. receive an alert in an email

How do you assign a Prevention policy to one or more hosts?

A. Create a new policy and assign it directly to those hosts on the Host Management page
B. Modify the users roles on the User Management page
C. Ensure the hosts are in a group and assign that group to a custom Prevention policy
D. Create a new policy and assign it directly to those hosts on the Prevention policy page

C. Ensure the hosts are in a group and assign that group to a custom Prevention policy

You have been provided with a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers. They have asked you to ensure that they are not allowed to run in your environment. You have chosen to use Falcon to do this. Which is the best way to accomplish this?

A. Using the Support Portal, create a support ticket and include the list of binary hashes, asking support to create an "Execution Prevention" rule to prevent these processes from running
B. Using Custom Alerts in the Investigate App, create a new alert using the template "Process Execution" and within that rule, select the option to "Block Execution"
C. Using IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking.
D. Using the API, gather the list of SHA256 or MD5 hashes for each binary and then upload them, setting them all to "Never Allow"

C. Using IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking.

Which exclusion pattern will prevent detections on a file at C:\Program Files\My Program\My Files\program.exe?

A. \Program Files\My Program\My Files\*
B. \Program Files\My Program\*
C. \
D. \Program Files\My Program\\

A. \Program Files\My Program\My Files\*

When a host is placed in Network Containment, which of the following is TRUE?

A. The host machine is unable to send or receive network traffic outside of the local network
B. The host machine is unable to send or receive network traffic except to/from the Falcon Cloud and traffic allowed in the Firewall Policy
C. The host machine is unable to send or receive any network traffic
D. The host machine is unable to send or receive network traffic except to/from the Falcon Cloud and any resources allowlisted in the Containment Policy

D. The host machine is unable to send or receive network traffic except to/from the Falcon Cloud and any resources allowlisted in the Containment Policy

When would the No Action option be assigned to a hash in IOC Management?

A. When you want to save the indicator for later action, but do not want to block or allow it at this time
B. Add the indicator to your allowlist and do not detect it
C. There is no such option as No Action available in the Falcon console
D. Add the indicator to your blocklist and show it as a detection

When you want to save the indicator for later action, but do not want to block or allow it at this time

Why is it important to know your company's event data retention limits in the Falcon platform?

A. This is not necessary; you simply select "All Time" in your query to search all data
B. You will not be able to search event data into the past beyond your retention period
C. Data such as process records are kept for a shorter time than event data
D. Your query will require you to specify the data pool associated with the date you wish to search

B. You will not be able to search event data into the past beyond your retention period

What is the purpose of precedence with respect to the Sensor Update policy?

A. Precedence applies to the Prevention policy and not to the Sensor Update policy
B. Hosts assigned to multiple policies will assume the highest ranked policy in the list (policy with the lowest number)
C. Hosts assigned to multiple policies will assume the lowest ranked policy in the list (policy with the highest number)
D. Precedence ensures that conflicting policy settings are not set in the same policy

B. Hosts assigned to multiple policies will assume the highest ranked policy in the list (policy with the lowest number)

When uninstalling a sensor, which of the following is required if the 'Uninstall and maintenance protection' setting is enabled within the Sensor Update Policies?

A. Maintenance token
B. Customer ID (CID)
C. Bulk update key
D. Agent ID (AID)

A. Maintenance token

How can a Falcon Administrator configure a pop-up message to be displayed on a host when the Falcon sensor blocks, kills or quarantines an activity?

A. By ensuring each user has set the "pop-ups allowed" in their User Profile configuration page
B. By enabling "Upload quarantined files" in the General Settings configuration page
C. By turning on the "Notify End Users" setting at the top of the Prevention policy details configuration page
D. By selecting "Enable pop-up messages" from the User configuration page
Show Suggested Answer

C. By turning on the "Notify End Users" setting at the top of the Prevention policy details configuration page

Where in the Falcon console can information about supported operating system versions be found?

A. Configuration module
B. Intelligence module
C. Support module
D. Discover module

C. Support module

What is the name for the unique host identifier in Falcon assigned to each sensor during sensor installation?

A. Endpoint ID (EID)
B. Agent ID (AID)
C. Security ID (SID)
D. Computer ID (CID)

B. Agent ID (AID)

Which of the following is a valid step when troubleshooting sensor installation failure?

A. Confirm all required services are running on the system
B. Enable the Windows firewall
C. Disable SSL and TLS on the host
D. Delete any available application crash log files

A. Confirm all required services are running on the system

You need to export a list of all detections for a specific Host Name in the last 24 hours. What is the best way to do this?

A. Go to Host Management in the Host page. Select the host and use the Export Detections button
B. Utilize the Detection Resolution Dashboard. Use the filters to focus on the appropriate hostname and time, then export the results from the "Detection Resolution History" section
C. In the Investigate module, access the Detection Activity page. Use the filters to focus on the appropriate hostname and time, then export the results
D. Utilize the Detection Activity Dashboard. Use the filters to focus on the appropriate hostname and time, then export the results from the "Detections by Host" section

C. In the Investigate module, access the Detection Activity page. Use the filters to focus on the appropriate hostname and time, then export the results

Which role will allow someone to manage quarantine files?

A. Falcon Security Lead
B. Detections Exceptions Manager
C. Falcon Analyst - Read Only
D. Endpoint Manager

A. Falcon Security Lead

What is the maximum number of patterns that can be added when creating a new exclusion?

A.10
B. 0
C. 1
D. 5

C. 1

You are evaluating the most appropriate Prevention Policy Machine Learning slider settings for your environment. In your testing phase, you configure the Detection slider as Aggressive. After running the sensor with this configuration for 1 week of testing, which Audit report should you review to determine the best Machine Learning slider settings for your organization?

A. Prevention Policy Audit Trail
B. Prevention Policy Debug
C. Prevention Hashes Ignored
D. Machine-Learning Prevention Monitoring

D. Machine-Learning Prevention Monitoring
Hide Answer

In order to exercise manual control over the sensor upgrade process, as well as prevent unauthorized users from uninstalling or upgrading the sensor, which settings in the Sensor Update Policy would meet this criteria?

A. Sensor version set to N-1 and Bulk maintenance mode is turned on
B. Sensor version fixed and Uninstall and maintenance protection turned on
C. Sensor version updates off and Uninstall and maintenance protection turned off
D. Sensor version set to N-2 and Bulk maintenance mode is turned on
Show Suggested Answer

B. Sensor version fixed and Uninstall and maintenance protection turned on

Once an exclusion is saved, what can be edited in the future?

A. All parts of the exclusion can be changed
B. Only the selected groups and hosts to which the exclusion is applied can be changed
C. Only the options to "Detect/Block" and/or "File Extraction" can be changed
D. The exclusion pattern cannot be changed

A. All parts of the exclusion can be changed

Which of the following options is a feature found ONLY with the Sensor-based Machine Learning (ML)?

A. Next-Gen Antivirus (NGAV) protection
B. Adware and Potentially Unwanted Program detection and prevention
C. Real-time offline protection
D. Identification and analysis of unknown executables

C. Real-time offline protection

How do you find a list of inactive sensors?

A. The Falcon platform does not provide reporting for inactive sensors
B. A sensor is always considered active until removed by an Administrator
C. Run the Inactive Sensor Report in the Host setup and management option
D. Run the Sensor Aging Report within the Investigate option

C. Run the Inactive Sensor Report in the Host setup and management option

Which report can assist in determining the appropriate Machine Learning levels to set in a Prevention Policy?

A. Sensor Report
B. Machine Learning Prevention Monitoring
C. Falcon UI Audit Trail
D. Machine Learning Debug

B. Machine Learning Prevention Monitoring

Why is the ability to disable detections helpful?

A. It gives users the ability to set up hosts to test detections and later remove them from the console
B. It gives users the ability to uninstall the sensor from a host
C. It gives users the ability to allowlist a false positive detection
D. It gives users the ability to remove all data from hosts that have been uninstalled

A. It gives users the ability to set up hosts to test detections and later remove them from the console

The Logon Activities Report includes all of the following information for a particular user EXCEPT __________.

A. the account type for the user (e.g. Domain Administrator, Local User)
B. all hosts the user logged into
C. the logon type (e.g. interactive, service)
D. the last time the user's password was set

D. the last time the user's password was set
Hide Answer

An analyst has reported they are not receiving workflow triggered notifications in the past few days. Where should you first check for potential failures?

A. Custom Alert History
B. Workflow Execution log
C. Workflow Audit log
D. Falcon UI Audit Trail

B. Workflow Execution log

You have an existing workflow that is triggered on a critical detection that sends an email to the escalation team. Your CISO has asked to also be notified via email with a customized message. What is the best way to update the workflow?

A. Clone the workflow and replace the existing email with your CISO's email
B. Add a sequential action to send a custom email to your CISO
C. Add a parallel action to send a custom email to your CISO
D. Add the CISO's email to the existing action

C. Add a parallel action to send a custom email to your CISO

Which of the following is NOT an available filter on the Hosts Management page?

A. Hostname
B. Username
C. Group
D. OS Version

B. Username

What is the primary purpose of using glob syntax in an exclusion?

A. To specify a Domain be excluded from detections
B. To specify exclusion patterns to easily exclude files and folders and extensions from detections
C. To specify exclusion patterns to easily add files and folders and extensions to be prevented
D. To specify a network share be excluded from detections

B. To specify exclusion patterns to easily exclude files and folders and extensions from detections

How are user permissions set in Falcon?

A. Permissions are assigned to a User Group and then users are assigned to that group, thereby inheriting those permissions
B. Pre-defined permissions are assigned to sets called roles. Users can be assigned multiple roles based on job function and they assume a cumulative set of permissions based on those assignments
C. An administrator selects individual granular permissions from the Falcon Permissions List during user creation
D. Permissions are token-based. Users request access to a defined set of permissions and an administrator adds their token to the set of permissions

B. Pre-defined permissions are assigned to sets called roles. Users can be assigned multiple roles based on job function and they assume a cumulative set of permissions based on those assignments

Which of the following is NOT a way to determine the sensor version installed on a specific endpoint?

A. Use the Sensor Report to filter to the specific endpoint
B. Use Host Management to select the desired endpoint. The agent version will be listed in the columns and details
C. From a command line, run the sc query csagent -version command
D. Use the Investigate > Host Search to filter to the specific endpoint

From a command line, run the sc query csagent -version command

Which is the correct order for manually installing a Falcon Package on a macOS system?

A. Install the Falcon package, then register the Falcon Sensor via the registration package
B. Install the Falcon package, then register the Falcon Sensor via command line
C. Register the Falcon Sensor via command line, then install the Falcon package
D. Register the Falcon Sensor via the registration package, then install the Falcon package

B. Install the Falcon package, then register the Falcon Sensor via command line

You are beginning the rollout of the Falcon Sensor for the first time side-by-side with your existing security solution. You need to configure the Machine Learning levels of the Prevention Policy so it does not interfere with existing solutions during the testing phase. What settings do you choose?

A. • Detection slider: Extra Aggressive• Prevention slider: Cautious
B. • Detection slider: Moderate• Prevention slider: Disabled
C. • Detection slider: Cautious• Prevention slider: Cautious
D. • Detection slider: Disabled• Prevention slider: Disabled

B. • Detection slider: Moderate• Prevention slider: Disabled

How does the Unique Hosts Connecting to Countries Map help an administrator?

A. It highlights countries with known malware
B. It helps visualize global network communication
C. It identifies connections containing threats
D. It displays intrusions from foreign countries

B. It helps visualize global network communication

On a Windows host, what is the best command to determine if the sensor is currently running?

A. sc query csagent
B. netstat -a
C. This cannot be accomplished with a command
D. ping falcon.crowdstrike.com

A. sc query csagent

The Falcon sensor uses certificate pinning to defend against man-in-the-middle attacks. Which statement is TRUE concerning Falcon sensor certificate validation?

A. SSL inspection should be configured to occur on all Falcon traffic
B. Some network configurations, such as deep packet inspection, interfere with certificate validation
C. HTTPS interception should be enabled to proceed with certificate validation
D. Common sources of interference with certificate pinning include protocol race conditions and resource contention

B. Some network configurations, such as deep packet inspection, interfere with certificate validation

Which is a filter within the Host setup and management > Host management page?

A. User name
B. OU
C. BIOS Version
D. Locality

OU (Organisational Unit)

When creating a Host Group for all Workstations in an environment, what is the best method to ensure all workstation hosts are added to the group?

A. Create a Dynamic Group with Type=Workstation Assignment
B. Create a Dynamic Group and Import All Workstations
C. Create a Static Group and Import all Workstations
D. Create a Static Group with Type=Workstation Assignment
Show Suggested Answer

A. Create a Dynamic Group with Type=Workstation Assignment

When the Notify End Users policy setting is turned on, which of the following is TRUE?
A. End users will not be notified as we would not want to notify a malicious actor of a detection. This setting does not exist
B. End users will be immediately notified via a pop-up that their machine is in-network isolation
C. End-users receive a pop-up notification when a prevention action occurs
D. End users will receive a pop-up allowing them to confirm or refuse a pending quarantine

C. End-users receive a pop-up notification when a prevention action occurs

If a user wanted to install an older version of the Falcon sensor, how would they find the older installer file?

A. Older versions of the sensor are not available for download
B. By emailing CrowdStrike support at support@crowdstrike.com
C. By installing the current sensor and clicking the "downgrade" button during the install
D. By clicking on "Older versions" links under the Host setup and management > Deploy > Sensor downloads

D. By clicking on "Older versions" links under the Host setup and management > Deploy > Sensor downloads
Show Suggested Answer

Which of the following best describes the Default Sensor Update policy?

A. The Default Sensor Update policy does not have the "Uninstall and maintenance protection" feature
B. The Default Sensor Update policy is only used for testing sensor updates
C. The Default Sensor Update policy is a "catch-all" policy
D. The Default Sensor Update policy is disabled by default

C. The Default Sensor Update policy is a "catch-all" policy

Under the "Next-Gen Antivirus: Cloud Machine Learning" setting there are two categories, one of them is "Cloud Anti-Malware" and the other is:

A. Adware & PUP
B. Advanced Machine Learning
C. Sensor Anti-Malware
D. Execution Blocking

A. Adware & PUP

You have created a Sensor Update Policy for the Mac platform. Which other operating system(s) will this policy manage?

A. *nix
B. Windows
C. Both Windows and *nix
D. Only Mac

D. Only Mac

Which of the following Machine Learning (ML) sliders will only detect or prevent high confidence malicious items?

A. Aggressive
B. Cautious
C. Minimal
D. Moderate

B. Cautious

What type of information is found in the Linux Sensors Dashboard?

A. Hosts by Kernel Version, Shells spawned by Root, Wget/Curl Usage
B. Hidden File execution, Execution of file from the trash, Versions Running with Computer Names
C. Versions running, Directory Made Invisible to Spotlight, Logging/Auditing Referenced, Viewed, or Modified
D. Private Information Accessed, Archiving Tools - Exfil, Files Made Executable

A. Hosts by Kernel Version, Shells spawned by Root, Wget/Curl Usage

Why would you assign hosts to a static group instead of a dynamic group?

A. You do not want the group membership to change automatically
B. You are managing more than 1000 hosts
C. You need hosts to be automatically assigned to a group
D. You want the group to contain hosts from multiple operating systems

A. You do not want the group membership to change automatically Most Voted

What can exclusions be applied to?

A. Individual hosts selected by the administrator
B. Either all hosts or specified groups
C. Only the default host group
D. Only the groups selected by the administrator

B. Either all hosts or specified groups

You have a Windows host on your network in Reduced functionality mode (RFM). While the system is in RFM, which of the following is TRUE?

A. System monitoring will be unavailable
B. Event reporting will be unavailable
C. Prevention patterns will not be triggered
D. Some detection patterns and preventions will not be triggered

D. Some detection patterns and preventions will not be triggered

A sensor that has not contacted the Falcon cloud will be automatically deleted from the hosts list after how many days?

A. 45 Days
B. 60 Days
C. 30 Days
D. 90 Days

A. 45 Days

When a host belongs to more than one host group, how is sensor update precedence determined?

A. Groups have no impact on sensor update policies
B. Sensors of hosts that belong to more than one group must be manually updated
C. The highest precedence policy from the most important group is applied to the host
D. All of the host's groups are examined in aggregate and the policy with highest precedence is applied to the host

D. All of the host's groups are examined in aggregate and the policy with highest precedence is applied to the host
Hide Answer