A.  

The new prevention policy should be enabled first

B.  

The "Servers" group already has a policy applied to it

C.  

The "Servers" group must be disabled first

D.  

Host type was not defined correctly within the prevention policy

A.  

The Administrator cannot re-use the account email for a new account

B.  

You must have Falcon MFA enabled first

C.  

You must be a Falcon Security Lead

D.  

You must be a Falcon Administrator

A.  

Go to Host Management in the Host page. Select the host and use the Export Detections button

B.  

Utilize the Detection Resolution Dashboard. Use the filters to focus on the appropriate hostname and time, then export the results from the "Detection Resolution History" section

C.  

In the Investigate module, access the Detection Activity page. Use the filters to focus on the appropriate hostname and time, then export the results

D.  

Utilize the Detection Activity Dashboard. Use the filters to focus on the appropriate hostname and time, then export the results from the "Detections by Host" section

A.  

Hashes must be entered on the Prevention Hashes page before they can be blocked via this policy

B.  

Blocklisting applies to hashes, IP addresses, and domains

C.  

Executions blocked via hash blocklist may have partially executed prior to hash calculation process remediation may be necessary

D.  

You can only blocklist hashes via the API

A.  

The detections for the host are removed from the console immediately and no new detections will display in the console going forward

B.  

You cannot disable detections for a host

C.  

Existing detections for the host remain, but no new detections will display in the console going forward

D.  

Preventions will be disabled for the host

A.  

Enable Behavior-Based Threat Prevention sliders and Advanced Remediation Actions

B.  

Enable Malware Protection and Windows Anti-Malware Execution Blocking

C.  

Enable Next-Gen Antivirus Prevention sliders and "Quarantine & Security Center Registration

D.  

Enable Malware Protection and Custom Execution Blocking

A.  

Response Policy

B.  

Containment Policy

C.  

Maintenance Token

D.  

IP Allowlist Management

A.  

You do not want the group membership to change automatically

B.  

You are managing more than 1000 hosts

C.  

You need hosts to be automatically assigned to a group

D.  

You want the group to contain hosts from multiple operating systems

A.  

All parts of the exclusion can be changed

B.  

Only the selected groups and hosts to which the exclusion is applied can be changed

C.  

Only the options to "Detect/Block" and/or "File Extraction" can be changed

D.  

The exclusion pattern cannot be changed

A.  

Prevention Policy

B.  

Host Settings

C.  

Containment Policy

D.  

Firewall Settings

A.  

Maintenance token

B.  

Customer ID (CID)

C.  

Bulk update key

D.  

Agent ID (AID)

A.  

*\.baddomain\.xyz|baddomain\. xyz

B.  

*baddomain\. xyz|baddomain\. xyz. *

C.  

Custom IOA rules cannot be created for domains

D.  

**baddomain\. xyz|baddomain\. xyz**

A.  

The host has a user logged into it

B.  

The domain controller is preventing the connection

C.  

They do not have an RTR role assigned to them

D.  

There is another analyst connected into it

A.  

Policy alignment is configured in the "Host Management" section in the Hosts application

B.  

Policy alignment is configured only once during the initial creation of the policy in the "Create New Policy" pop-up window

C.  

Policy alignment is configured in the General Settings section under the Configuration menu

D.  

Policy alignment is configured in each policy in the "Assigned Host Groups" tab

A.  

Custom Alert History

B.  

Workflow Execution log

C.  

Workflow Audit log

D.  

Falcon UI Audit Trail

A.  

After disabling detections, the host will operate in Reduced Functionality Mode (RFM) until detections are enabled

B.  

After disabling detections, the data for all existing detections prior to disabling detections is removed from the Event Search

C.  

The DetectionSummaryEvent continues being sent to the Streaming API for that host

D.  

The detections for that host are removed from the console immediately. No new detections will display in the console going forward unless detections are enabled

A.  

For - While statement(s)

B.  

Trigger, condition(s) and action(s)

C.  

Event trigger(s)

D.  

Predefined workflow template(s)

A.  

Groups have no impact on sensor update policies

B.  

Sensors of hosts that belong to more than one group must be manually updated

C.  

The highest precedence policy from the most important group is applied to the host

D.  

All of the host's groups are examined in aggregate and the policy with highest precedence is applied to the host

A.  

10

B.  

0

C.  

1

D.  

5

A.  

Blocking of Domains and IP addresses is not a function of IOC management. A Custom IOA Rule should be used instead

B.  

Using IOC management, import the list of hashes and IP addresses and set the action to Detect Only

C.  

Using IOC management, import the list of hashes and IP addresses and set the action to Prevent/Block

D.  

Using IOC management, import the list of hashes and IP addresses and set the action to No Action

A.  

There may be special considerations for each OS

B.  

To assist with testing and tracking sensor rollouts

C.  

The network protocols are different for each host OS

D.  

It is an auditing requirement

A.  

Create a new policy and assign it directly to those hosts on the Host Management page

B.  

Modify the users roles on the User Management page

C.  

Ensure the hosts are in a group and assign that group to a custom Prevention policy

D.  

Create a new policy and assign it directly to those hosts on the Prevention policy page

A.  

Maintenance Tokens

B.  

Sensor Update Policy

C.  

Sensor Update Throttling

D.  

Channel File Update Throttling

A.  

Detection events are kept for 90 days

B.  

Detections events are kept for your subscribed data retention period

C.  

Detection events are kept for 7 days

D.  

Detection events are kept for 30 days

A.  

Falcon Host Analyst

B.  

Falcon Host Administrator

C.  

Prevention Hashes Manager

D.  

Falcon Host Security Lead

A.  

Configuration module

B.  

Intelligence module

C.  

Support module

D.  

Discover module

A.  

Real Time Response - Read-Only Analyst

B.  

None of the Real Time Response roles allows this

C.  

Real Time Response -Active Responder

D.  

Real Time Response -Administrator

A.  

Hostname

B.  

Username

C.  

Group

D.  

OS Version

A.  

Hosts with detections disabled will not alert on blocklisted hashes or machine learning detections, but will still alert on lOA-based detections. It will remain that way until detections are enabled again

B.  

Hosts with detections disabled will not alert on anything until detections are enabled again

C.  

Hosts with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed

D.  

Hosts cannot have their detections disabled individually

A.  

To bundle the Sensor and Prevention policies together into a deployment package

B.  

Sensor Update policies are OS dependent

C.  

To assist with auditing and change management

D.  

This is false. One policy can be applied to all Operating Systems

A.  

Endpoint Manager

B.  

Falcon Administrator

C.  

Real Time Responder – Active Responder

D.  

Prevention Hashes Manager

A.  

You want to automate the Network Containment process based on the IP address of a host

B.  

Your organization has additional IP addresses that need to be able to access the Falcon console

C.  

A new group of analysts need to be able to place hosts under Network Containment

D.  

Your organization has resources that need to be accessible when hosts are network contained

A.  

*nix

B.  

Windows

C.  

Both Windows and *nix

D.  

Only Mac

A.  

The sensor would provide protection as normal, without event telemetry

B.  

The sensor would provide minimal protection

C.  

The sensor would function as normal

D.  

The sensor provides no protection, and only collects Sensor Heart Beat events

A.  

.*badguydomain.com.*

B.  

\Device\HarddiskVolume2\*.exe -SingleArgument www.badguydomain.com /kill

C.  

badguydomain\.com.*

D.  

Custom IOA rules cannot be created for domains

A.  

Falcon NGAV relies on signature-based detections

B.  

Activating Falcon NGAV will also enable all detection and prevention settings in the entire policy

C.  

The Detection sliders cannot be set to a value less aggressive than the Prevention sliders

D.  

Falcon NGAV is not a replacement for Windows Defender or other antivirus programs

A.  

Sensors are downloaded from the Hosts > Sensor Downloads

B.  

Sensor installers are unique to each customer and must be obtained from support

C.  

Sensor installers are downloaded from the Support section of the CrowdStrike website

D.  

Sensor installers are not used because sensors are deployed from within Falcon

A.  

Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group

B.  

Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"

C.  

Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group

D.  

Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality"

A.  

Script-based Execution Monitoring

B.  

Interpreter-Only

C.  

Additional User Mode Data

D.  

Engine (Full Visibility)

A.  

User name

B.  

OU

C.  

BIOS Version

D.  

Locality

A.  

A parameter, an operator, and a value

B.  

A beginning, a middle, and an end

C.  

Triggers, actions, and alerts

D.  

Notifications, alerts, and API's

A.  

Host Update Status Report

B.  

Custom Alerting Audit Trail

C.  

Prevention Policy Debug

D.  

SBEM Debug Report

A.  

End users will not be notified as we would not want to notify a malicious actor of a detection. This setting does not exist

B.  

End users will be immediately notified via a pop-up that their machine is in-network isolation

C.  

End-users receive a pop-up notification when a prevention action occurs

D.  

End users will receive a pop-up allowing them to confirm or refuse a pending quarantine