What prevention policy setting prevents sensor-related files, folders, and registry objects from being renamed or deleted?
A. Host Modification Protection
B. System Configuration Protection
C. Sensor Tampering Protection
D. Sensor Modification Protection
A member of your SECOPS team is building custom scripts for RTR, but they are unable to save or share them in Falcon.
What additional role do they need to be able to accomplish this?
A. Real Time Response – Active Responder
B. Real Time Response – Administrator
C. All Real Time Response roles can do this
D. Falcon Scripts Manager
What happens to detections in the console after clicking “Disable Detections” for a host from within the Host Management page?
A. The detections for the host are removed from the console immediately. No new detections will display in the console going forward.
B. Detections from the host are paused for 7 days. Existing detections from the host are removed from the console within 24 hours.
C. Existing detections for the host remain. No new detections will display in the console going forward.
D. Existing detections for the host are removed from the console. The process that triggered them is allow-listed to prevent future alerts. Detections for other alerts are unaffected.
You are tasked with creating a group for hosts running Windows 10.
What kind of group should you create to make sure all applicable hosts are included in your environment?
A. Create a static group with the assignment rule criteria set to OS Type Workstation
B. Create a dynamic group with the assignment rule criteria set to OS Type Workstation
C. Create a static group with the assignment rule criteria for OS Version set to Windows 10
D. Create a dynamic group with the assignment rule criteria for OS Version set to Windows 10
To improve the organization’s security posture, you are designing a Fusion SOAR workflow to generate an alert when critical vulnerabilities are detected by Falcon.
When creating a new workflow from scratch, what component of the workflow must be configured first?
A. Action
B. Trigger
C. Condition
D. Workflow Name
Which statement best describes user permissions in Falcon?
A. Custom user role permission sets can be shared with all CrowdStrike customers globally
B. Users can only have predefined default roles assigned to them before using a custom role
C. User permissions can be defined by default or custom roles as needed
D. Each Falcon permission needs to be selected when the user account is created
When would the No Action option be assigned to a hash in IOC Management?
A. When you want to save the indicator for later action, but do not want to block or allow it at this time
B. There is no such option as No Action available in the Falcon console
C. When you want to add the indicator to your allowlist, but not detect it
D. When you want to add the indicator to your blocklist and show it as a detection
Which role allows management of quarantined files?
A. Falcon Analyst – Read Only
B. Detections Exceptions Manager
C. Falcon Security Lead
D. Endpoint Manager
When installing the Falcon Sensor manually on Microsoft Windows, where is the installation log data stored?
A. %LOCALAPPDATA%\Temp
B. %SYSTEMROOT%\Temp
C. %SYSTEMROOT%\Logs
D. %LOCALAPPDATA%\Logs
Where can you find a list of hosts that have not communicated with the CrowdStrike Cloud?
A. Inactive Sensors
B. Disabled Sensors
C. Sensor Report
D. Custom Reports
Where can you find the history of the successes and failures for any Fusion SOAR workflows?
A. Falcon UI Audit Trail
B. Custom Alert History
C. Workflow Audit log
D. Workflow Execution log
What is the purpose of the Machine-Learning Prevention Monitoring Audit Log?
A. It is the dashboard used by an analyst to view all items quarantined and to release any items deemed non-malicious
B. It is the dashboard used to see machine-learning preventions, and it is used to identify spikes in activity and possible targeted attacks
C. It is designed to show malicious processes that would have been blocked in your environment based on different Machine-Learning Prevention settings
D. It is designed to give an administrator a quick overview of machine-learning aggressiveness settings as well as the numbers of items actually quarantined
What provides information about inactive sensors within the Falcon console?
A. Sensor Update Policies
B. Sensor Downloads
C. Sensor Health
D. Sensor Coverage Lookup
What best describes the relationship between Sensor Update policies and Operating Systems?
A. A Sensor Update policy must be configured for each Operating System (Windows, Mac, Linux)
B. Sensor Update policies are not Operating System specific; one policy can be applied to all Operating Systems
C. Windows has its own Sensor Update policies; Mac and Linux share Sensor Update policies
D. Windows and Mac share Sensor Update policies; Linux requires its own set of policies based on the different kernel versions
When an API client is created, what two pieces of information must be generated as a pair to successfully identify and validate your API integrations?
A. Customer ID and Integration ID
B. Client ID and Secret
C. Customer ID and Secret
D. Client ID and OAuth2 ID
What is the primary concern with Windows sensors going into Reduced Functionality Mode (RFM)?
A. The operating systems on these hosts have crashed
B. The hosts have been powered off or otherwise cannot communicate with the Falcon cloud
C. The sensors do not have full visibility into all events occurring on the host
D. The sensors are unable to report any of their recorded events
How can you search for multiple hostnames at the same time via Host Management?
A. Enter the multiple hostnames in the Hostname filter separating each by a comma
B. Add the Hostname filter multiple times and enter separate hostnames into each filter
C. Enter the multiple hostnames in the Hostname filter separating each by a decimal
D. Add the Multiple Hostnames filter and enter your list of hostnames
To test a new Falcon sensor version, you have created a new sensor update policy and two separate dynamic host groups. One group contains all test Windows servers. The other group contains all of your Windows servers. The new policy was applied to only the test Windows servers host group.
What is required to safely and successfully test your new sensor update policy on only your test Windows servers?
A. The new policy must be enabled and assigned a precedence that is lower when compared to the policy assigned to all Windows servers
B. The new policy must be enabled and assigned a precedence that is higher when compared to the policy assigned to all Windows servers
C. The new Falcon sensor version should be manually installed by you on every test Windows server before ever enabling and assigning the new policy
D. The new Falcon sensor version should be manually uninstalled by you on every test Windows server before ever enabling and assigning the new policy
Detections related to a penetration test on a particular server are currently generating thousands of entries in the console. Your leadership does not need to track the detections in Falcon.
What should you do to allow your team to focus on more relevant detections?
A. Delete the detections in the console and contain the server undergoing the test
B. Temporarily disable detections for the server in Host Management and re-enable after the test is done
C. Create a Fusion Workflow to email the SOC team every time the penetration test generates a detection
D. Permanently disable detections for the server in Host Management
From the Host Management page, what is the best field to filter by for Domain Controllers to obtain sensor version information?
A. Sensor Version
B. Type
C. Platform
D. OS Version
Where can you find hosts that have been offline for ten minutes or longer?
A. Host Management
B. Host Groups
C. Sensor Report
D. Sensor Coverage Dashboard
After successfully installing Falcon on a new employee’s laptop, you notice that the machine is assigned the default prevention policy instead of the custom prevention policy you created. You verify that the Falcon sensor is functioning properly, and you confirm that the custom policy is enabled and successfully running on more than 1,000 other Falcon hosts.
What is the likely cause of this issue?
A. Falcon requires a 24-hour waiting period to apply custom policies to newly installed hosts
B. A host-based firewall rule is preventing the custom policy from applying successfully
C. The laptop is not a member of a host group assigned to the custom policy
D. A prompt to apply the new prevention policy was manually declined
What log would you use to investigate unusual activity involved with a script interfacing with the Falcon platform?
A. API audit
B. Falcon UI audit
C. Prevention policy debug
D. RTR session audit
Which role allows a Falcon user to create Real Time Response Custom Scripts?