Which of the following is TRUE of the Logon Activities Report?
A. The report can be filtered by computer name
B. It only gives a summary of the last logon activity for users
C. Shows a graphical view of user logon activity and hosts the user connected to
D. It gives a detailed list of all logon activity for users - ANSWER: B. It only gives a
summary of the last logon activity for users
When creating an API client, which of the following must be saved immediately since it
cannot be viewed again after the client is created?
A. Client name
B. Base URL
C. Secret
D. Client ID - ANSWER: C. Secret
Which RTR role is automatically assigned to the Falcon Administrator?
A. No RTR roles are automatically assigned to the Falcon Admin
B. Active responder
C. Read Only Analyst
D. Administrator - ANSWER: A. No RTR roles are automatically assigned to the Falcon
Admin
What are custom alerts based on?
A. Custom event based triggers
B. User defined Splunk queries
C. Predefined alert templates
D. Custom workflows - ANSWER: C. Predefined alert templates
What must an admin do to reset a user's password? - ANSWER: User Management ->
Reset Password on 3 dot menu
What is true about sensor install files?
A. Once a sensor is installed, it never needs to be updated again
B. New install files are made available every Tuesday
C. The same sensor executable is used in all environments
D. A new installer executable is made available for each new version - ANSWER: D. A
new installer executable is made available for each new version
You are attempting to install the Falcon sensor on a host with a slow internet
connection, and the install fails after 20 minutes. Which of the following parameters
can be used to override the 20-minute default provisioning window?
A. Timeout=0
B. ExtendedWindow=1
C. Timeout=30
D. ProvNoWait=1 - ANSWER: D. ProvNoWait=1
What role will allow someone to manage quarantine files? - ANSWER: Falcon Security
Lead
When are sensor grouping tags applied? - ANSWER: At sensor installation
What is the correct order for manually installing a Falcon Package on a macOS system?
- ANSWER: Install the Falcon package, then register the Falcon Sensor via command
line
Under the "Next-Gen Antivirus: Cloud Machine Learning" setting there are two
categories, one of them is "Cloud Anti-Malware" and the other is:
A. Adware and PUP
B. Execution Blocking
C. Anti-Malware Sensor
D. Advanced machine learning - ANSWER: D. Advanced machine learning
You are provided with a list of 100 hashes that are not malicious, but your company has
deemed them inappropriate for work computers. You have been asked to ensure that they
are not allowed to run in your environment. You have chosen to use Falcon to do this.
What is the best way to accomplish this? - ANSWER: Under IOC management, gather
the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes
to "block" and ensure that the prevention policy these computers are using includes the
option for "custom blocking" under execution blocking
You are evaluating the most appropriate Prevention Policy Machine Learning slider
settings for your environment. In your testing phase, you configure the Detection slider
as Aggressive. After running the sensor with this configuration for 1 week of testing,
which Audit report should you review to determine the best Machine Learning slider
settings for your organization? - ANSWER: Machine-Learning Prevention Monitoring
When installing the sensor, what should you ensure for it to complete the provisioning
process? - ANSWER: The host can communicate with the Falcon Cloud regardless of
the OS platform
How can a Falcon Admin configure a popup message to be displayed on a host when
the Falcon sensor blocks, kills, or quarantines an activity?
A. By selecting "enable popup messages" from the User config page
B. By ensuring each user has set "popups allowed" in their user profile config page
C. By enabling "upload quarantined files" in the General Settings configuration page