CrowdStrike Certified Falcon Administrator CCFA-200b Exam Questions

Page: 1 / 14
Total 153 questions
Question 1

How do you assign a Prevention policy to one or more hosts?



Answer: C

The administrator can assign a Prevention policy to one or more hosts by ensuring the hosts are in a group and assigning that group to a custom Prevention policy. This allows users to apply different prevention settings and options to different groups of hosts based on their needs and preferences. The other options are either incorrect or not applicable to assigning a Prevention policy. Reference: [CrowdStrike Falcon User Guide], page 34.


Question 2

What should be disabled on firewalls so that the sensor's man-in-the-middle attack protection works properly?



Answer: A

The option that should be disabled on firewalls so that the sensor's man-in-the-middle attack protection works properly is deep packet inspection. Deep packet inspection is a network configuration that inspects and modifies the data packets that pass through a firewall. Deep packet inspection may interfere with the sensor's certificate validation, which is a feature that verifies that the server certificate presented by the Falcon cloud matches a hard-coded certificate embedded in the sensor. If the certificate validation fails, the sensor will reject the connection and generate an error.


Question 3

With Custom Alerts, it is possible to __________.



Answer: B

The reporting interval is predefined and cannot be changed. You can only enable or disable the custom alert feature and add or remove email recipients for the alert/detection.


Question 4

Which statement is TRUE regarding disabling detections on a host?



Answer: B

The statement that is true regarding disabling detections on a host is that hosts with detections disabled will not alert on anything until detections are enabled again. As explained in question 127, disabling detections for a host will stop the sensor from sending any detection or prevention events to the Falcon console, and remove any existing events for that host from the console. This means that the host will not alert on anything, including blocklisted hashes, machine learning detections, or indicator of attack (IOA)-based detections. The host will remain in this state until detections are enabled again.


Question 5

Which of the following best describes the Default Sensor Update policy?



Answer: C

The Default Sensor Update policy is a "catch-all" policy. This means that any host that is not assigned to a specific sensor update policy will inherit the settings from the Default Sensor Update policy. The Default Sensor Update policy is enabled by default and has the "Uninstall and maintenance protection" feature turned on. You can modify the settings of the Default Sensor Update policy, but you cannot delete or disable it.


Question 6

You want the Falcon Cloud to push out sensor version changes but you also want to manually control when the sensor version is upgraded or downgraded. In the Sensor Update policy, which is the best Sensor version option to achieve these requirements?



Answer: A

The administrator can choose a specific sensor version number in the Sensor Update policy to manually control when the sensor version is upgraded or downgraded. This will allow the Falcon Cloud to push out sensor version changes, but only when the administrator changes the version number in the policy. The other options will either automate the sensor version updates or turn them off completely. Reference: [CrowdStrike Falcon User Guide], page 38.


Question 7

How can you find a list of hosts that have not communicated with the CrowdStrike Cloud in the last 30 days?



Answer: C

The administrator can find a list of hosts that have not communicated with the CrowdStrike Cloud in the last 30 days by going to Host setup and management > Managed endpoints > Inactive Sensors. Then, change the time range to 30 days. This will show the host name, last seen date, sensor version and group name for each inactive host. The other options are either incorrect or not available. Reference: [CrowdStrike Falcon User Guide], page 31.

