Pass the CrowdStrike Falcon Certification Program CCFA-200 Questions and answers with ExamsMirror

"ProvNoWait=1

The sensor does not abort installation if it can't connect to the CrowdStrike cloud within 20 minutes (10 minutes, in Falcon sensor version 6.21 and earlier). (By default, if the host can't contact our cloud, it will retry the connection for 20 minutes. After that, the host will automatically uninstall its sensor.)"

"ProvWaitTime=3600000

The sensor waits for 1 hour to connect to the CrowdStrike cloud when installing (the default is 20 minutes)."

The place where you can find the history of the successes and failures for any Falcon Fusion workflows is the Workflow Execution log. The Workflow Execution log in the Workflow Management option allows you to view the status and results of workflow executions triggered by detection events. You can filter the log by workflow name, status, start and end time, and detection ID. You can also view the details of each execution, including the actions performed, the output received, and any errors encountered. This log can help you troubleshoot potential failures or issues with your workflows1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The option that may prevent a user from logging into Falcon via single sign-on (SSO) is that the SSO username doesn’t match their email address in Falcon. SSO is a feature that allows you to use an external identity provider (IdP) to authenticate and authorize users to access the Falcon platform. SSO simplifies and streamlines the login process, as users only need to remember one set of credentials for multiple applications. However, SSO requires that the username in the IdP matches the email address in Falcon for each user. If there is a mismatch between the username and the email address, the user will not be able to log into Falcon via SSO.

References: : [Cybersecurity Resources | CrowdStrike]

The best way to ensure that a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers are not allowed to run in your environment is to use IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to “Block” and ensure that the prevention policy these computers are using includes the option for “Custom Blocking” under Execution Blocking. This will allow Falcon to block the execution of these hashes on the hosts using this policy. The other options are either incorrect or not efficient to achieve this goal. Reference: [CrowdStrike Falcon User Guide], page 44.

The Inactive Sensor Report in the Host setup and management option allows you to view a list of hosts that have not communicated with the Falcon platform for a specified period of time. You can filter the report by sensor version, OS, and last seen date. This report can help you identify hosts that may have connectivity issues or need sensor updates1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

Real Time Responder - Administrator (RTR Administrator) - Can do everything RTR Active Responder can do, plus create custom scripts, upload files to hosts using the put command, and directly run executables using the run command.

Machine-Learning Prevention Monitoring dashboard: Use this dashboard to view malware that would have been blocked in your environment over the selected timeframe based on different Machine Learning Prevention settings (Cautious, Moderate, Aggressive or Extra Aggressive).

The administrator can assign a Prevention policy to one or more hosts by ensuring the hosts are in a group and assigning that group to a custom Prevention policy. This allows users to apply different prevention settings and options to different groups of hosts based on their needs and preferences. The other options are either incorrect or not applicable to assigning a Prevention policy. Reference: [CrowdStrike Falcon User Guide], page 34.

The most likely issue for not being able to apply a new prevention policy to the “Servers” group is that the “Servers” group already has a policy applied to it. A prevention policy is a policy that defines the prevention capabilities and settings for the Falcon sensor on a host. You can create and assign custom prevention policies to different hosts or groups in your environment. However, you can only assign one prevention policy per host or group at a time. If a host or group already has a prevention policy applied to it, you cannot apply another prevention policy to it unless you remove or replace the existing one2.

References: 2: Cybersecurity Resources | CrowdStrike

An inactive host that does not contact the Falcon cloud will be automatically removed from the Host Management and Trash pages after 90 days. An inactive host is a host that has not communicated with the Falcon platform for more than seven days. An inactive host will be moved from the Host Management page to the Trash page after seven days of inactivity. An inactive host will remain in the Trash page for 90 days before being permanently deleted from the Falcon platform. You can restore an inactive host from the Trash page if it becomes active again within 90 days1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike