An analyst has reported they are not receiving workflow triggered notifications in the past few days. Where should you first check for potential failures? Custom Alert History Workflow Execution log Workflow Audit log Falcon UI Audit Trail.
How are user permissions set in Falcon? Permissions are assigned to a User Group and then users are assigned to that group, thereby inheriting those permissions Pre-defined permissions are assigned to sets called roles. Users can be assigned multiple roles based on job function and they assume a cumulative set of permissions based on those assignments An administrator selects individual granular permissions from the Falcon Permissions List during user creation Permissions are token-based. Users request access to a defined set of permissions and an administrator adds their token to the set of permissions.
When creating new IOCs in IOC management, which of the following fields must be configured? Hash, Description, Filename Hash, Action and Expiry Date Filename, Severity and Expiry Date Hash, Platform and Action.
Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group. What is the next step to disable RTR only on these hosts? Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality" Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality".
Which exclusion pattern will prevent detections on a file at C:\Program Files\My Program\My Files\program.exe? \Program Files\My Program\My Files\* \Program Files\My Program\* *\* *\Program Files\My Program\*\.
Once an exclusion is saved, what can be edited in the future? All parts of the exclusion can be changed Only the selected groups and hosts to which the exclusion is applied can be changed Only the options to "Detect/Block" and/or "File Extraction" can be changed The exclusion pattern cannot be changed.
Why is the ability to disable detections helpful? It gives users the ability to set up hosts to test detections and later remove them from the console It gives users the ability to uninstall the sensor from a host It gives users the ability to allowlist a false positive detection It gives users the ability to remove all data from hosts that have been uninstalled.
What impact does disabling detections on a host have on an API? Endpoints with detections disabled will not alert on anything until detections are enabled again Endpoints cannot have their detections disabled individually DetectionSummaryEvent stops sending to the Streaming API for that host Endpoints with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed.
What is the purpose of using groups with Sensor Update policies in CrowdStrike Falcon? To group hosts with others in the same business unit To group hosts according to the order in which Falcon was installed, so that updates are installed in the same order every time To prioritize the order in which Falcon updates are installed, so that updates are not installed all at once leading to network congestion To allow the controlled assignment of sensor versions onto specific hosts.
What command should be run to verify if a Windows sensor is running? regedit myfile.reg sc query csagent netstat -f ps -ef | grep falcon.
Under the "Next-Gen Antivirus: Cloud Machine Learning" setting there are two categories, one of them is "Cloud Anti-Malware" and the other is: Adware and PUP Advanced Machine Learning Sensor Anti-Malware Execution Blocking.
What is the purpose of precedence with respect to the Sensor Update policy? Precedence applies to the Prevention policy and not to the Sensor Update policy Hosts assigned to multiple policies will assume the highest ranked policy in the list (policy with the lowest number) Hosts assigned to multiple policies will assume the lowest ranked policy in the list (policy with the highest number) Precedence ensures that conflicting policy settings are not set in the same policy.
Which is the correct order for manually installing a Falcon Package on a macOS system? Install the Falcon package, then register the Falcon Sensor via the registration package Install the Falcon package, then register the Falcon Sensor via command line Register the Falcon Sensor via command line, then install the Falcon package Register the Falcon Sensor via the registration package, then install the Falcon package.
When uninstalling a sensor, which of the following is required if the 'Uninstall and maintenance protection' setting is enabled within the Sensor Update Policies? Maintenance token Customer ID (CID) Bulk update key Agent ID (AID).
Which of the following Machine Learning (ML) sliders will only detect or prevent high confidence malicious items? Aggressive Cautious Minimal Moderate.
You are attempting to install the Falcon sensor on a host with a slow Internet connection and the installation fails after 20 minutes. Which of the following parameters can be used to override the 20 minute default provisioning window? ExtendedWindow=1 Timeout=0 ProvNoWait=1 Timeout=30.
Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host. What is the most appropriate role that can be added to fullfil this requirement? Remediation Manager Real Time Responder – Read Only Analyst Falcon Analyst – Read Only Real Time Responder – Active Responder.
Which option allows you to exclude behavioral detections from the detections page? Machine Learning Exclusion IOA Exclusion IOC Exclusion Sensor Visibility Exclusion.
Which role will allow someone to manage quarantine files? Falcon Security Lead Detections Exceptions Manager Falcon Analyst – Read Only Endpoint Manager.
When a host is placed in Network Containment, which of the following is TRUE? The host machine is unable to send or receive network traffic outside of the local network The host machine is unable to send or receive network traffic except to/from the Falcon Cloud and traffic allowed in the Firewall Policy The host machine is unable to send or receive any network traffic The host machine is unable to send or receive network traffic except to/from the Falcon Cloud and any resources allowlisted in the Containment Policy.
How do you disable all detections for a host? Create an exclusion rule and apply it to the machine or group of machines Contact support and provide them with the Agent ID (AID) for the machine and they will put it on the Disabled Hosts list in your Customer ID (CID) You cannot disable all detections on individual hosts as it would put them at risk In Host Management, select the host and then choose the option to Disable Detections.
In order to quarantine files on the host, what prevention policy settings must be enabled? Malware Protection and Custom Execution Blocking must be enabled Next-Gen Antivirus Prevention sliders and "Quarantine and Security Center Registration" must be enabled Malware Protection and Windows Anti-Malware Execution Blocking must be enabled Behavior-Based Threat Prevention sliders and Advanced Remediation Actions must be enabled.
What is the maximum number of patterns that can be added when creating a new exclusion? 10 0 1 5.
Which of the following is TRUE of the Logon Activities Report? Shows a graphical view of user logon activity and the hosts the user connected to The report can be filtered by computer name It gives a detailed list of all logon activity for users It only gives a summary of the last logon activity for users.
You have created a Sensor Update Policy for the Mac platform. Which other operating system(s) will this policy manage? *nix Windows Both Windows and *nix Only Mac.
You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future? Contact support and request that they modify the Machine Learning settings to no longer include this detection Using IOC Management, add the hash of the binary in question and set the action to "Allow" Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection" Using IOC Management, add the hash of the binary in question and set the action to "No Action".
What is the most common cause of a Windows Sensor entering Reduced Functionality Mode (RFM)? Falcon console updates are pending Falcon sensors installing an update Notifications have been disabled on that host sensor Microsoft updates.
When creating a Host Group for all Workstations in an environment, what is the best method to ensure all workstation hosts are added to the group? Create a Dynamic Group with Type=Workstation Assignment Create a Dynamic Group and Import All Workstations Create a Static Group and Import all Workstations Create a Static Group with Type=Workstation Assignment.
Which role allows a user to connect to hosts using Real-Time Response? Endpoint Manager Falcon Administrator Real Time Responder – Active Responder Prevention Hashes Manager.
Where can you modify settings to permit certain traffic during a containment period? Prevention Policy Host Settings Containment Policy Firewall Settings.
Which of the following is a valid step when troubleshooting sensor installation failure? Confirm all required services are running on the system Enable the Windows firewall Disable SSL and TLS on the host Delete any available application crash log files.
How many "Auto" sensor version update options are available for Windows Sensor Update Policies? 1 2 0 3.
Where in the Falcon console can information about supported operating system versions be found? Configuration module Intelligence module Support module Discover module.
Under which scenario can Sensor Tags be assigned? While triaging a detection While managing hosts in the Falcon console While updating a sensor in the Falcon console While installing a sensor.
How can a Falcon Administrator configure a pop-up message to be displayed on a host when the Falcon sensor blocks, kills or quarantines an activity? By ensuring each user has set the "pop-ups allowed" in their User Profile configuration page By enabling "Upload quarantined files" in the General Settings configuration page By turning on the "Notify End Users" setting at the top of the Prevention policy details configuration page By selecting "Enable pop-up messages" from the User configuration page.
One of your development teams is working on code for a new enterprise application but Falcon continually flags the execution as a detection during testing. All development work is required to be stored on a file share in a folder called "devcode." What setting can you use to reduce false positives on this file path? USB Device Policy Firewall Rule Group Containment Policy Machine Learning Exclusions.
What is the primary purpose of using glob syntax in an exclusion? To specify a Domain be excluded from detections To specify exclusion patterns to easily exclude files and folders and extensions from detections To specify exclusion patterns to easily add files and folders and extensions to be prevented To specify a network share be excluded from detections.
Which of the following options is a feature found ONLY with the Sensor-based Machine Learning (ML)? Next-Gen Antivirus (NGAV) protection Aware and Potentially Unwanted Program detection and prevention Real-time offline protection Identification and analysis of unknown executables.
On a Windows host, what is the best command to determine if the sensor is currently running? sc query csagent netstat -a This cannot be accomplished with a command ping falcon.crowdstrike.com.
Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability? Real Time Responder Endpoint Manager Falcon Investigator Remediation Manager.
Which port and protocol does the sensor use to communicate with the CrowdStrike Cloud? TCP port 22 (SSH) TCP port 443 (HTTPS) TCP port 80 (HTTP) TCP UDP port 53 (DNS).
What type of information is found in the Linux Sensors Dashboard? Hosts by Kernel Version, Shells spawned by Root, Wget/Curl Usage Hidden File execution, Execution of file from the trash, Versions Running with Computer Names Versions running, Directory Made Invisible to Spotlight, Logging/Auditing Referenced, Viewed, or Modified Private Information Accessed, Archiving Tools – Exfil, Files Made Executable.
How long are detection events kept in Falcon? Detection events are kept for 90 days Detections events are kept for your subscribed data retention period Detection events are kept for 7 days Detection events are kept for 30 days.
What can the Quarantine Manager role do? Manage and change prevention settings Manage quarantined files to release and download Manage detection settings Manage roles and users.
How do you find a list of inactive sensors? The Falcon platform does not provide reporting for inactive sensors A sensor is always considered active until removed by an Administrator Run the Inactive Sensor Report in the Host setup and management option Run the Sensor Aging Report within the Investigate option.
The Falcon sensor uses certificate pinning to defend against man-in-the-middle attacks. Which statement is TRUE concerning Falcon sensor certificate validation? SSL inspection should be configured to occur on all Falcon traffic Some network configurations, such as deep packet inspection, interfere with certificate validation HTTPS interception should be enabled to proceed with certificate validation Common sources of interference with certificate pinning include protocol race conditions and resource contention.
You have an existing workflow that is triggered on a critical detection that sends an email to the escalation team. Your CISO has asked to also be notified via email with a customized message. What is the best way to update the workflow? Clone the workflow and replace the existing email with your CISO's email Add a sequential action to send a custom email to your CISO Add a parallel action to send a custom email to your CISO Add the CISO's email to the existing action.
You have been provided with a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers. They have asked you to ensure that they are not allowed to run in your environment. You have chosen to use Falcon to do this. Which is the best way to accomplish this? Using the Support Portal, create a support ticket and include the list of binary hashes, asking support to create an "Execution Prevention" rule to prevent these processes from running Using Custom Alerts in the Investigate App, create a new alert using the template "Process Execution" and within that rule, select the option to "Block Execution" Using IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking. Using the API, gather the list of SHA256 or MD5 hashes for each binary and then upload them, setting them all to "Never Allow".
Which is a filter within the Host setup and management > Host management page? User name OU BIOS Version Locality.
How do you assign a Prevention policy to one or more hosts? Create a new policy and assign it directly to those hosts on the Host Management page Modify the users roles on the User Management page Ensure the hosts are in a group and assign that group to a custom Prevention policy Create a new policy and assign it directly to those hosts on the Prevention policy page.
Where do you obtain the Windows sensor installer for CrowdStrike Falcon? Sensors are downloaded from the Hosts > Sensor Downloads Sensor installers are unique to each customer and must be obtained from support Sensor installers are downloaded from the Support section of the CrowdStrike website Sensor installers are not used because sensors are deployed from within Falcon.
Which of the following applies to Custom Blocking Prevention Policy settings? Hashes must be entered on the Prevention Hashes page before they can be blocked via this policy Blocklisting applies to hashes, IP addresses, and domains Executions blocked via hash blocklist may have partially executed prior to hash calculation process remediation may be necessary You can only blocklist hashes via the API.
An administrator creating an exclusion is limited to applying a rule to how many groups of hosts? File exclusions are not aligned to groups or hosts There is a limit of three groups of hosts applied to any exclusion There is no limit and exclusions can be applied to any or all groups Each exclusion can be aligned to only one group of hosts.
Why is it critical to have separate sensor update policies for Windows/Mac/*nix? There may be special considerations for each OS To assist with testing and tracking sensor rollouts The network protocols are different for each host OS It is an auditing requirement.
What information is provided in Logan Activities under Visibility Reports? A list of all logons for all users A list of last endpoints that a user logged in to A list of users who are remotely logged on to devices based on local IP and local port A list of unique users who are remotely logged on to devices based on the country.
If a user wanted to install an older version of the Falcon sensor, how would they find the older installer file? Older versions of the sensor are not available for download By emailing CrowdStrike support at support@crowdstrike.com By installing the current sensor and clicking the "downgrade" button during the install By clicking on "Older versions" links under the Host setup and management > Deploy > Sensor downloads.
Which of the following is an effective Custom IOA rule pattern to kill any process attempting to access www.badguydomain.com? .*badguydomain.com.* \Device\HarddiskVolume2\*.exe -SingleArgument www.badguydomain.com /kill badguydomain\.com.* Custom IOA rules cannot be created for domains.
Custom IOA rules are defined using which syntax? Glob PowerShell Yara Regex.
With Custom Alerts, it is possible to. schedule the alert to run at any interval receive an alert in an email configure prevention actions for alerting be alerted to activity in real-time.
How can you find a list of hosts that have not communicated with the CrowdStrike Cloud in the last 30 days? Under Dashboards and reports, choose the Sensor Report. Set the "Last Seen" dropdown to 30 days and reference the Inactive Sensors widget Under Host setup and management, choose the Host Management page. Set the group filter to "Inactive Sensors" Under Host setup and management > Managed endpoints > Inactive Sensors. Change the time range to 30 days Under Host setup and management, choose the Disabled Sensors Report. Change the time range to 30 days.
|
