QUESTION: 9

Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host.
What is the most appropriate role that can be added to fullfil this requirement?

Remediation Manager
Real Time Responder Read Only Analyst
Falcon Analyst Read Only
Real Time Responder Active Responder

Answer(s): B

Explanation:

The Real Time Responder - Read Only Analyst only allows to run the commands "cat,cd,clear,env,eventlog,filehash,getsid,help,history,ipconfig,ls,mount,netstat,ps,reg" the role do not have permission to get files so it is the most aproximated profile for the requested capabilities.

Reveal Solution Next Question

QUESTION: 10

One of your development teams is working on code for a new enterprise application but Falcon continually flags the execution as a detection during testing. All development work is required to be stored on a file share in a folder called "devcode." What setting can you use to reduce false positives on this file path?

USB Device Policy
Firewall Rule Group
Containment Policy
Machine Learning Exclusions

Answer(s): D

Explanation:

Continment Policy, is a allowlist of IPs and CIDR networks allowed in the moment of a host containtment. The Machine Learning Exclusions are the way to avoid the detections done it by Machine Learning based on files, so it is possible to exclude the detections for the requested folder with a GLOB expression.

Reveal Solution Next Question

QUESTION: 11

How do you disable all detections for a host?

Create an exclusion rule and apply it to the machine or group of machines
Contact support and provide them with the Agent ID (AID) for the machine and they will put it on the Disabled Hosts list in your Customer ID (CID)
You cannot disable all detections on individual hosts as it would put them at risk
In Host Management, select the host and then choose the option to Disable Detections

Answer(s): D

Explanation:

The administrator can disable all detections for a host by selecting the host and then choosing the option to Disable Detections in the Host Management page. This will prevent the host from sending any detection events to the Falcon Cloud. The other options are either incorrect or not available.

Reference:

[CrowdStrike Falcon User Guide], page 32.

Reveal Solution Next Question

QUESTION: 12

To enhance your security, you want to detect and block based on a list of domains and IP addresses. How can you use IOC management to help this objective?

Blocking of Domains and IP addresses is not a function of IOC management. A Custom IOA Rule should be used instead
Using IOC management, import the list of hashes and IP addresses and set the action to Detect Only
Using IOC management, import the list of hashes and IP addresses and set the action to Prevent/Block
Using IOC management, import the list of hashes and IP addresses and set the action to No Action

Answer(s): A

Explanation:

IOC management only allows "Detect only" and "No Action" among the possible actions. Therefore, it cannot be used to block based on IPs or domains. Custom IOA Rule groups allow to create rule types based on Network Connection (configuring a remote IP address) and domains, and gives the options to "Monitor", "Detect" and "Kill Process", being the late one the closest to "block".

Reveal Solution Next Question

Free CCFA-200 Exam Braindumps (page: 4)

QUESTION: 9

Explanation:

QUESTION: 10

Explanation:

QUESTION: 11

Explanation:

Reference:

QUESTION: 12

Explanation:

CCFA-200 Discussions & Posts