What is the function of a single asterisk (*) in an ML exclusion pattern?
A. The single asterisk will match any number of characters, including none. It does include separator characters, such as or /, which separate portions of a file path
B. The single asterisk will match any number of chara...
CCFA EXAM QUESTIONS AND ANSWERS
What is the function of a single asterisk (*) in an ML exclusion pattern?
A. The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path
B. The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path
C. The single asterisk is the insertion point for the variable list that follows the path
D. The single asterisk is only used to start an expression, and it represents the drive letter - Answer- B. The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of
a file path
You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?
A. Contact support and request that they modify the Machine Learning settings to no longer include this detection
B. Using IOC Management, add the hash of the binary in question and set the action to "Allow"
C. Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"
D. Using IOC Management, add the hash of the binary in question and set the action to "No Action" - Answer- B. Using IOC Management, add the hash of the binary in question and set the action to "Allow"
What is the purpose of a containment policy?
A. To define which Falcon analysts can contain endpoints
B. To define the duration of Network Containment
C. To define the trigger under which a machine is put in Network Containment (e.g. a critical detection)
D. To define allowed IP addresses over which your hosts will communicate when contained - Answer- D. To define allowed IP addresses over which your hosts will communicate when contained
An administrator creating an exclusion is limited to applying a rule to how many groups of hosts?
A. File exclusions are not aligned to groups or hosts
B. There is a limit of three groups of hosts applied to any exclusion
C. There is no limit and exclusions can be applied to any or all groups D. Each exclusion can be aligned to only one group of hosts - Answer- C. There is no limit and exclusions can be applied to any or all groups
Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?
A. Real Time Responder
B. Endpoint Manager
C. Falcon Investigator
D. Remediation Manager - Answer- A. Real Time Responder
What must an admin do to reset a user's password?
A. From User Management, open the account details for the affected user and select "Generate New Password"
B. From User Management, select "Reset Password" from the three dot menu for the affected user account
C. From User Management, select "Update Account" and manually create a new password for the affected user account
D. From User Management, the administrator must rebuild the account as the certificate
for user specific private/public key generation is no longer valid - Answer- B. From User Management, select "Reset Password" from the three dot menu for the affected user account
Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group. What is the next step to disable RTR only on these hosts?
A. Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
B. Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"
C. Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
D. Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality" - Answer- C. Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
When creating new IOCs in IOC management, which of the following fields must be configured?
A. Hash, Description, Filename
B. Hash, Action and Expiry Date
C. Filename, Severity and Expiry Date
D. Hash, Platform and Action - Answer- D. Hash, Platform and Action Your CISO has decided all Falcon Analysts should also have the ability to view files and
file contents locally on compromised hosts, but without the ability to take them off the host. What is the most appropriate role that can be added to fullfil this requirement?
A. Remediation Manager
B. Real Time Responder - Read Only Analyst
C. Falcon Analyst - Read Only
D. Real Time Responder - Active Responder - Answer- B. Real Time Responder - Read
Only Analyst
One of your development teams is working on code for a new enterprise application but Falcon continually flags the execution as a detection during testing. All development work is required to be stored on a file share in a folder called "devcode." What setting can you use to reduce false positives on this file path?
A. USB Device Policy
B. Firewall Rule Group
C. Containment Policy
D. Machine Learning Exclusions - Answer- D. Machine Learning Exclusions
How do you disable all detections for a host?
A. Create an exclusion rule and apply it to the machine or group of machines
B. Contact support and provide them with the Agent ID (AID) for the machine and they will put it on the Disabled Hosts list in your Customer ID (CID)
C. You cannot disable all detections on individual hosts as it would put them at risk
D. In Host Management, select the host and then choose the option to Disable Detections - Answer- D. In Host Management, select the host and then choose the option to Disable Detections
o enhance your security, you want to detect and block based on a list of domains and IP
addresses. How can you use IOC management to help this objective?
A. Blocking of Domains and IP addresses is not a function of IOC management. A Custom IOA Rule should be used instead
B. Using IOC management, import the list of hashes and IP addresses and set the action to Detect Only
C. Using IOC management, import the list of hashes and IP addresses and set the action to Prevent/Block
D. Using IOC management, import the list of hashes and IP addresses and set the action to No Action - Answer- C. Using IOC management, import the list of hashes and IP addresses and set the action to Prevent/Block
Which role is required to manage groups and policies in Falcon?
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller GEEKA. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $12.49. You're not tied to anything after your purchase.