Free CCFA-200 Exam Braindumps (page: 14)


What impact does disabling detections on a host have on an API?

  1. Endpoints with detections disabled will not alert on anything until detections are enabled again
  2. Endpoints cannot have their detections disabled individually
  3. DetectionSummaryEvent stops sending to the Streaming API for that host
  4. Endpoints with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed

Answer(s): C

Explanation:

Disabling detections on a host stops the sensor from generating detections for that host, so no DetectionSummaryEvent is emitted for it on the Streaming API, the event stream that SIEM connectors and other external systems consume from the Falcon cloud. Note that this is an API-side effect: the host still sends telemetry, but downstream consumers that depend on DetectionSummaryEvent (ticketing, alert forwarding) will see nothing from that host until detections are re-enabled. Options A and D describe console alerting behaviour rather than an effect on an API, and option B is false because detections can be disabled per host.


Reference:

[CrowdStrike Falcon User Guide], page 32.



Under which scenario can Sensor Tags be assigned?

  1. While triaging a detection
  2. While managing hosts in the Falcon console
  3. While updating a sensor in the Falcon console
  4. While installing a sensor

Answer(s): D

Explanation:

Per the documentation, there are two kinds of tags: Falcon Grouping Tags, which are managed in the Falcon console or via the API, and Sensor Grouping Tags, which are set as a command-line parameter when the sensor is installed. The two can be told apart in the console because sensor grouping tags appear with the prefix SensorGroupingTags followed by the tag name. To modify a sensor grouping tag after installation you must change a registry key value and reboot the device, or wait until the sensor is upgraded.



Custom IOA rules are defined using which syntax?

  1. Glob
  2. PowerShell
  3. Yara
  4. Regex

Answer(s): D

Explanation:

Custom IOA rule patterns (for example on image file name and command line fields) are written as regular expressions. See the regex guidelines in the Falcon documentation: https://falcon.crowdstrike.com/documentation/68/detection-and-prevention-policies#regex
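As an added example (not part of the original page and not CrowdStrike's own code), the Python below exercises a candidate custom IOA regex against constructed command lines before the rule is created in the console. The pattern, the sample command lines and the helper names are assumptions made for this example; the linked guidelines define the exact matching semantics Falcon applies, so the tester reports both search and full-string results and only accepts a pattern that classifies every sample correctly under either.

```python
import re

# Candidate custom IOA pattern (constructed for this example, not from the page or
# from CrowdStrike documentation): a PowerShell command line carrying an encoded
# command. The leading and trailing .* make it valid under full-string matching.
CANDIDATE_PATTERN = r".*powershell(\.exe)?\s.*-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}.*"

# A pattern that looks fine under search semantics but fails under full-string matching.
WEAK_PATTERN = r"powershell.*-enc"

# Constructed sample command lines (not real telemetry), paired with whether the
# rule is expected to fire on them.
SAMPLES = [
    ("powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA", True),
    ("PowerShell -EncodedCommand aQBlAHgAIAAoAGkAdwByACAAaAB0AHQAcAA6AC8ALwA=", True),
    ("powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1", False),
    ("cmd.exe /c echo -enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", False),
]


def compile_ioa_pattern(pattern: str) -> re.Pattern:
    """Compile the pattern case-insensitively; re.error surfaces a broken pattern early."""
    return re.compile(pattern, re.IGNORECASE)


def evaluate(pattern: str, samples=SAMPLES) -> dict:
    """Return {command_line: (search_hit, fullmatch_hit)} for every sample."""
    rx = compile_ioa_pattern(pattern)
    return {
        cmd: (rx.search(cmd) is not None, rx.fullmatch(cmd) is not None)
        for cmd, _expected in samples
    }


def pattern_is_acceptable(pattern: str, samples=SAMPLES) -> bool:
    """True only if every sample is classified as expected under BOTH semantics,
    so the pattern behaves the same whichever one the rule engine applies."""
    results = evaluate(pattern, samples)
    return all(results[cmd] == (expected, expected) for cmd, expected in samples)


if __name__ == "__main__":
    for name, pattern in (("candidate", CANDIDATE_PATTERN), ("weak", WEAK_PATTERN)):
        print(f"{name}: acceptable={pattern_is_acceptable(pattern)}")
        for cmd, (hit_search, hit_full) in evaluate(pattern).items():
            print(f"  search={hit_search!s:5} fullmatch={hit_full!s:5}  {cmd[:60]}")
```

Python's `re` engine is not necessarily identical to the one Falcon uses, so treat a pass here as a first check, then confirm the rule fires on a test host before enabling it in a prevention policy. The weak pattern is the instructive case: it hits every encoded-command sample under `search` but none under `fullmatch`, which is exactly the kind of silent miss that anchoring with `.*` on both ends avoids.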



With Custom Alerts, it is possible to __________.

  1. schedule the alert to run at any interval
  2. receive an alert in an email
  3. configure prevention actions for alerting
  4. be alerted to activity in real-time

Answer(s): B

Explanation:

The reporting interval of a Custom Alert is predefined and cannot be changed, so option A is wrong; Custom Alerts are delivered on that schedule rather than in real time, and they only notify, so options C and D are wrong as well. What you can configure is whether the custom alert is enabled and which recipient email addresses receive it.





