CCFA
Question 1
What is the function of a single asterisk (*) in an ML exclusion pattern?
- A: The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path
- B: The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path
- C: The single asterisk is the insertion point for the variable list that follows the path
- D: The single asterisk is only used to start an expression, and it represents the drive letter
Question 2
One of your development teams is working on code for a new enterprise application but Falcon continually flags the execution as a detection during testing. All development work is required to be stored on a file share in a folder called "devcode." What setting can you use to reduce false positives on this file path?
- A: USB Device Policy
- B: Firewall Rule Group
- C: Containment Policy
- D: Machine Learning Exclusions
Question 3
When a host belongs to more than one host group, how is sensor update precedence determined?
- A: Groups have no impact on sensor update policies
- B: Sensors of hosts that belong to more than one group must be manually updated
- C: The highest precedence policy from the most important group is applied to the host
- D: All of the host's groups are examined in aggregate and the policy with highest precedence is applied to the host
Question 4
What may prevent a user from logging into Falcon via single sign-on (SSO)?
- A: The SSO username doesn't match their email address in Falcon
- B: The maintenance token has expired
- C: Falcon is in reduced functionality mode
- D: The user never configured their security questions
Question 5
The Customer ID (CID) is important in which of the following scenarios?
- A: When adding a user to the Falcon console under the Users application
- B: When performing the sensor installation process
- C: When setting up API keys
- D: When performing a Host Search
Question 6
Which statement describes what is recommended for the Default Sensor Update policy?
- A: The Default Sensor Update policy should align to an organization's overall sensor updating practice while leveraging Auto N-1 and Auto N-2 configurations where possible
- B: The Default Sensor Update should be configured to always automatically upgrade to the latest sensor version
- C: Since the Default Sensor Update policy is pre-configured with recommended settings out of the box, configuration of the Default Sensor Update policy is not required
- D: No configuration is required. Once a Custom Sensor Update policy is created the Default Sensor Update policy is disabled
Question 7
You need to have the ability to monitor suspicious VBA macros. Which Sensor Visibility setting should be turned on within the Prevention policy settings?
- A: Script-based Execution Monitoring
- B: Interpreter-Only
- C: Additional User Mode Data
- D: Engine (Full Visibility)
Question 8
What is the purpose of the Machine-Learning Prevention Monitoring Report?
- A: It is designed to give an administrator a quick overview of machine-learning aggressiveness settings as well as the numbers of items actually quarantined
- B: It is the dashboard used by an analyst to view all items quarantined and to release any items deemed non-malicious
- C: It is the dashboard used to see machine-learning preventions, and it is used to identify spikes in activity and possible targeted attacks
- D: It is designed to show malware that would have been blocked in your environment based on different Machine-Learning Prevention settings
Question 9
The Remote Access Graph in Visibility Reports displays:
- A: a bar chart where a bar represents a daily count of remote connections
- B: a geographical chart showing the geo-location of remote IP addresses
- C: a graph showing connections between hosts and users
- D: a pie chart showing a count per remote logon type
Question 10
What internet domain needs to be added to any required allowlists to allow sensors to communicate with the CrowdStrike Cloud?
- A: falconcloud.net
- B: cloudprotect-cs.net
- C: cloudsink.net
- D: csfalcon.net
Question 11
Why would you use the Prevention Policy Debug Report?
- A: To confirm that prevention policy precedence was applied to hosts
- B: To confirm the number of detections on a host
- C: To confirm that prevention policy settings were applied to a host
- D: To confirm the number of host groups to which a policy was applied
Question 12
What is the earliest version of Windows Server that a Sensor is compatible with?
- A: Server 2012
- B: Server 2003
- C: Server 2008 R2 SP1
- D: Server 2008
Question 13
How do you disable all detections for a host?
- A: Create an exclusion rule and apply it to the machine or group of machines
- B: Contact support and provide them with the Agent ID (AID) for the machine and they will put it on the Disabled Hosts list in your Customer ID (CID)
- C: You cannot disable all detections on individual hosts as it would put them at risk
- D: In Host Management, select the host and then choose the option to Disable Detections
Question 14
Which command would tell you if a Falcon Sensor was running on a Windows host?
- A: netstat.exe -f
- B: cswindiag.exe -status
- C: sc.exe query falcon
- D: sc.exe query csagent
Question 15
After Network Containing a host, your Incident Response team states they are unable to remotely connect to the host. Which of the following would need to be configured to allow remote connections from specified IPs?
- A: Response Policy
- B: IP Allowlist Management
- C: Maintenance Token
- D: Containment Policy
Question 16
On which page of the Falcon console can one locate the Customer ID (CID)?
- A: API Clients and Keys
- B: Sensor Dashboard
- C: Hosts Management
- D: Sensor Downloads
Question 17
The Falcon sensor uses certificate pinning to defend against man-in-the-middle attacks. What must you ensure is disabled for the sensor to communicate with the CrowdStrike Cloud?
- A: Proxy information
- B: Deep packet inspection
- C: NMAP scanning
- D: TCP inspection
Question 18
Which of the following tools developed by CrowdStrike is intended to help with removal of the CrowdStrike Windows Falcon Sensor?
- A: CSUninstallTool.exe
- B: UninstallTool.exe
- C: CrowdStrikeRemovalTool.exe
- D: FalconUninstall.exe
Question 19
Assume the Falcon Sensor was installed on a Virtual Machine template using the installation parameter NO_START=1. Afterward, the Virtual Machine template is rebooted. What is the effect on the Falcon Sensor after reboot?
- A: The Falcon Sensor would start, but only send a heartbeat to the Falcon console
- B: The Falcon Sensor would not automatically start on reboot. It would have to be manually started
- C: The Falcon Sensor would disable BIOS checks at startup
- D: The Falcon Sensor would start at reboot and generate an Agent ID
Question 20
What should be disabled on firewalls so that the sensor's man-in-the-middle attack protection works properly?
- A: Windows Proxy
- B: Deep packet inspection
- C: Linux Sub-System
- D: PowerShell
Question 21
Which option best describes the general process for a manual installation of the Falcon Sensor on macOS?
- A: Grant the Falcon package Full Disk Access, install the Falcon package, load the Falcon Sensor with the command 'falconctl stats'
- B: Install the Falcon package passing it the installation token in the command line
- C: Install the Falcon package, use falconctl to license the sensor, approve the system extension, grant the sensor Full Disk Access
- D: Grant the Falcon package Full Disk Access, install the Falcon package, use falconctl to license the sensor
Question 22
Where can you find your company's Customer ID (CID)?
- A: The CID is located at Hosts setup and management > Deploy > Sensor Downloads and is listed along with the checksum
- B: The CID is located at Hosts > Host Management
- C: The CID is only available by calling support
- D: The CID is a secret key used for Falcon communication and is never shared with the customer
Question 23
Which of the following best describes what the Uninstall and Maintenance Protection setting controls within your Sensor Update Policy?
- A: Prevents the sensor from entering Reduced Functionality Mode
- B: Prevents unauthorized uninstallation of the sensor
- C: Prevents automatic updates of the sensor
- D: Prevents modification of sensor update policy
Question 24
To enhance your security, you want to detect and block based on a list of domains and IP addresses. How can you use IOC management to help with this objective?
- A: Blocking of Domains and IP addresses is not a function of IOC management. A Custom IOA Rule should be used instead
- B: Using IOC management, import the list of hashes and IP addresses and set the action to Detect Only
- C: Using IOC management, import the list of hashes and IP addresses and set the action to Prevent/Block
- D: Using IOC management, import the list of hashes and IP addresses and set the action to No Action
Question 25
A Falcon Administrator is trying to use Real-Time Response to start a session with a host that has a sensor installed but they are unable to connect. What is the most likely cause?
- A: The host has a user logged into it
- B: The domain controller is preventing the connection
- C: They do not have an RTR role assigned to them
- D: There is another analyst connected into it