Real Time Responder Quiz

Questions and Answers

What type of user is C.Falcon Analyst considered?

Read Only User

Active Responder

Read Only Analyst (correct)

User with administrator privileges

What setting would effectively reduce false positives for development work stored in 'devcode'?

Application Whitelisting

Containment Policy (correct)

Firewall Rule Group

USB Device Policy

What action can you take to disable all detections for a host?

Reinstall the agent to reset its configuration

Request support to remove the machine from the detection list

Create an exclusion rule and apply it to the machine (correct)

Disable the notification settings on the agent

Which of the following options is least likely to reduce false positives during testing?

Direct implementation of SSL certificates

What is the primary role of an Active Responder in the context provided?

To respond to flagged security incidents with actions

Which policy would you implement if you wanted to prevent USB devices from being used?

USB Device Policy

What would happen if false positives are not managed in an enterprise application development environment?

The development process could be significantly delayed.

What is a drawback of contacting support to disable detections on a host?

It necessitates sharing sensitive identification information.

What is the only method to blocklist hashes?

Via the API

How many 'Auto' sensor version update options are available for Windows Sensor Update Policies?

0

Where can the alignment of a prevention policy to host groups be configured within Falcon?

In the 'Host Management' section

Which of the following options describes a misconception about Auto sensor update options?

There are a total of three options available.

What should be expected when trying to configure policy alignment in Falcon for a prevention policy?

It can be changed anytime in the 'Host Management' section.

Which of the following is NOT a valid location for configuring policy alignment?

Policies management

Which statement is true regarding auto updates for the Windows Sensor?

No auto updates are available for the Windows Sensor.

What is the misconception about the host group alignment configuration?

It can only be set at the time of initial policy creation.

What cannot be retrieved after it has been created?

API client secret

Which port and protocol is utilized by the sensor to communicate with the CrowdStrike Cloud?

TCP port 443 (HTTPS)

Where can you find the Windows sensor installer for CrowdStrike Falcon?

Hosts > Sensor Downloads in the console

What is the significance of TCP port 443 in relation to CrowdStrike's sensor?

It is used for secure communication with the CrowdStrike Cloud.

Why might sensor installers for CrowdStrike be unique to each customer?

Customization based on individual network requirements.

Which item must be saved immediately when creating an API client because it cannot be viewed again later?

Secret

What is the most likely cause for multiple Windows hosts to be in Reduced Functionality Mode (RFM)?

A patch was pushed overnight to all Windows systems

In what scenario would a 'Client ID' need to be saved during API client creation?

It allows the application to identify the client

When troubleshooting a system in Reduced Functionality Mode, which action would be least likely to resolve the issue?

Pushing additional patches to the systems

Which of the following best describes a consequence of a misconfigured Sensor Update Policy?

It may result in hosts entering RFM

What should you check if a host has been offline for over 24 hours concerning RFM?

If the host is connected to the network

What does Reduced Functionality Mode (RFM) often indicate about a system's health?

There are issues with software updates

Why is it crucial to properly configure a Sensor Update Policy?

To ensure all components receive appropriate updates

What must be enabled for effective malware protection in Windows?

Malware Protection and Windows Anti-Malware Execution Blocking

Why is it necessary to have separate sensor update policies for different operating systems?

It is an auditing requirement

How can you assign a policy to a specific group of hosts?

Using Static Assignment and adding groups in the Assigned Host Groups tab

What is a primary reason for using Behavior-Based Threat Prevention?

To detect and mitigate potential threats based on observed behavior

Which of the following is NOT a factor in assigning sensor update policies?

The geographical location of the hosts

What does enabling Advanced Remediation Actions typically involve?

Implementing post-infection recovery processes

What could be a consequence of not having separate sensor policies for each OS?

Incompatibilities leading to potential security vulnerabilities

What is the primary focus of Community voting distribution in policy management?

To determine the effectiveness of policies based on user input

Study Notes

Real Time Responder Roles

• Read Only Analyst includes roles like C.Falcon Analyst and D.Real Time Responder – Active Responder.
• Active Responder enables real-time detection and response actions.

Reducing False Positives

• Reduce false positives for code execution flagged during testing by using a Containment Policy.
• Development work must be stored in a designated file share, "devcode."

Disabling Detections on Hosts

• It's not permissible to disable all detections on individual hosts as it increases risk.

Windows Sensor Update Policies

• There are no "Auto" sensor version update options available for Windows Sensor.

Policy Management in Falcon

• Policy alignment is configured in the General Settings section under the Configuration menu.
• Prevention policies must be aligned with specific host groups for proper deployment.

Operating System Considerations

• Separate sensor update policies for Windows, Mac, and *nix are critical for auditing requirements.
• Each OS may have unique considerations impacting policy deployment and efficacy.

Assigning a Policy to Host Groups

• Assign policies to groups using tag assignments in Host Management to streamline management procedures.

Creating API Clients

• It is essential to immediately save the secret when creating an API client, as it cannot be viewed again.

Reduced Functionality Mode (RFM)

• Hosts may enter Reduced Functionality Mode if a host is offline for over 24 hours due to sensor communication issues.

Sensor Communication Settings

• The CrowdStrike Sensor communicates using TCP port 443 (HTTPS) for secure data transmission.

Obtaining Windows Sensor Installer

• Windows sensor installers are accessible via the Hosts > Sensor Downloads section in the Falcon interface.

Description

Test your knowledge on the Real Time Responder roles with this quiz. Analyze the different types of responders and the community's insights based on voting distribution. This quiz will help reinforce your understanding of read-only and active responder analysts.