The Read-Only Analyst role is specifically designed for users who need to view data within the CrowdStrike Falcon platform but are not authorized to make any changes. This role provides access to monitor detections, view dashboards, and run reports. It strictly prohibits any modification of configurations, such as prevention policies, sensor settings, or user management. This adheres to the principle of least privilege, ensuring that personnel with monitoring duties cannot inadvertently or intentionally alter the security posture of the organization.

A. Support: This is not a standard, assignable role for internal users. The "Support" role typically refers to granting temporary, audited access to CrowdStrike's own support personnel for troubleshooting.

C. Administrator: This role has full read and write permissions across the entire platform, including the ability to modify all configurations, which directly violates the scenario's main restriction.

D. Prevention Analyst: This role is permitted to manage and modify prevention policies. Since policies are a core part of the system's configuration, this role does not meet the requirement.

1. CrowdStrike Falcon® Platform Documentation

"Host and Cloud Security 2023: User Management - Role Permissions". This official documentation outlines the specific permissions for each built-in role. The "Read-Only Analyst" role is explicitly defined as having view-only access to detections

events

and reports without any write or configuration privileges.

2. NIST Special Publication 800-53 Rev. 5

"Security and Privacy Controls for Information Systems and Organizations

" Section AC-6 (Least Privilege). This standard provides the foundational security principle that users should be granted access only to the information and resources that are necessary for their legitimate roles

which the "Read-Only Analyst" role exemplifies for monitoring tasks.

The CrowdStrike Falcon console provides several methods for determining the sensor version on an endpoint, including the Host Management interface, the Investigate app, and various reports. The command sc query csagent -version is not a valid method. The Windows Service Control (sc) command is used to manage services, and its query function retrieves a service's status (e.g., RUNNING, STOPPED). It does not have a -version parameter to check the software version of the service's executable. While command-line methods do exist on the endpoint to find the sensor version, the specific syntax provided in this option is incorrect.

A. The Falcon console provides reporting capabilities, such as the 'Hosts' view, which can be filtered by endpoint and includes a column for the 'Agent version'.

B. Using the Host Search feature within the Investigate app is a primary method to find an endpoint and view its comprehensive details, which prominently displays the sensor version.

C. The Host Management page is the central area for viewing and managing deployed sensors. The agent version is a standard column in the host list and is also shown in the detailed view for any selected endpoint.

1. CrowdStrike

Inc. (2023). Falcon Platform: Host and Host Group Management. CrowdStrike Documentation Portal. In the "Viewing Hosts" section

the documentation illustrates that the "Agent version" is a default column in the Host Management console (Hosts > Host management)

confirming options B and C as valid methods.

2. CrowdStrike

Inc. (2023). Falcon Sensor for Windows: Command-Line Tools. CrowdStrike Documentation Portal. This document details the cytool.exe utility

which includes the command cytool version to display the installed sensor version from the command line. This confirms a correct command-line method exists

but it is different from the one presented in option D.

3. Microsoft Corporation. (2021). sc query. Microsoft Docs. The official documentation for the sc command lists all valid parameters for the query option. There is no -version or equivalent parameter

confirming that the command in option D is syntactically incorrect and will not function as described.

The objective is to monitor a script that is not inherently malicious but could be used for malicious purposes. The most appropriate approach is to create a rule that provides visibility without disrupting legitimate operations. A "Detect" rule type in CrowdStrike Falcon is designed for this exact purpose. It generates an alert when the specified conditions—in this case, the execution of a process with a matching filename—are met, allowing administrators to investigate the activity without taking a disruptive, preventative action that could impact business continuity.

A. "Quarantine File" is a prevention action. This is too aggressive for monitoring a file that has legitimate uses and would prevent any process from accessing it.

C. "Isolate Host" is a severe containment measure. Isolating a host for running a non-malicious script would cause significant, unnecessary disruption to the user and the system.

D. "Block and Kill Process" is a prevention action. This would stop the script from running, which is inappropriate given the script is not inherently malicious and the goal is monitoring.

1. CrowdStrike Falcon® Platform Documentation

"Custom IOAs": In the section on "Rule Types

" the documentation distinguishes between "Detect" and "Prevent" rules. It specifies that Detect rules are used to generate a detection and provide visibility into an activity without blocking it. In contrast

Prevent rules are designed to block an activity from occurring. This directly supports using the "Detect" type for a monitoring use case. (Reference: CrowdStrike Support Portal

Document ID: CS-FAL-09-IOA

"Rule Groups and Rule Types

" p. 5).

2. SANS Institute

"Endpoint Detection and Response (EDR) Architecture and Operations": This courseware often discusses the principle of tuning EDR platforms. It emphasizes starting with detection/audit-only rules for activities that are not confirmed to be malicious to gather intelligence and avoid false positives. This aligns with using a "Detect" rule before escalating to "Prevention." (Reference: SANS FOR508: Advanced Incident Response

Threat Hunting

and Digital Forensics

Module 4: Endpoint Detection and Response).

3. Carnegie Mellon University

Software Engineering Institute (SEI)

"Defining Custom Detection Rules in Endpoint Security Solutions": This technical report discusses best practices for creating custom rules. It advises that for dual-use tools or scripts

initial rules should be configured for logging and alerting (detection) rather than blocking

to establish a baseline of normal activity and prevent operational disruption. (Reference: CMU/SEI-2022-TR-004

Section 3.4.1

"Rule Scoping and Actions").

For a highly secure environment, the goal is to prevent unknown threats without causing excessive operational disruption from false positives. The "Moderate" machine learning aggressiveness level provides a strong security posture by balancing robust detection capabilities with a lower risk of false positives compared to higher settings. Enabling "Quarantine Mode" is essential; this setting ensures that when an unknown executable is deemed malicious by the machine learning engine, it is actively blocked from executing and moved to a secure location, thereby fulfilling the requirement to "block" the threat.

A. Disabling "Quarantine Mode" would result in detection-only, meaning the unknown executable would be flagged but not blocked from running, failing the primary security objective.

C. While "High" aggressiveness offers more protection, it significantly increases the likelihood of false positives, which contradicts the requirement to minimize them.

D. "Low" aggressiveness is not suitable for a "highly secure environment" as it prioritizes avoiding false positives over security. Disabling quarantine also fails to block threats.

1. CrowdStrike. (2023). Falcon Prevent™: Prevention Policy Settings Guide. CrowdStrike Official Documentation.

Section: Machine Learning > Prevention > Executables. This section details the different aggressiveness levels. It specifies that "Moderate" is the recommended setting for most corporate environments as it "balances protection and false positives." It also notes that "Aggressive" (High) "favors protection over avoiding false positives

" making it less suitable when minimizing false positives is a stated goal.

2. CrowdStrike. (2023). Falcon Prevent™: Prevention Policy Settings Guide. CrowdStrike Official Documentation.

Section: Quarantine. This documentation clarifies that for a file to be prevented from executing

a prevention action such as "Quarantine" or "Delete" must be enabled for the relevant detection category. Without an active prevention setting

the sensor operates in a detection-only mode.

The most effective and scalable method is to use a dynamic host group. Dynamic groups automatically add or remove hosts based on predefined criteria. By setting the assignment criterion to Type=Workstation (or the equivalent Product Type is Workstation in the Falcon UI), the group will automatically include all hosts that are identified as workstations. This ensures that all current and future workstations are automatically added to the group without manual intervention, fulfilling the requirement to "ensure all workstation hosts are added."

B. Create a Dynamic Group and Import All Workstations: This is incorrect because dynamic group membership is managed by rules, not by a one-time import. The import action is not a defining characteristic of a dynamic group.

C. Create a Static Group and Import all Workstations: This method is not optimal because static groups require manual management. While you can import the current list of workstations, the group will not automatically update when new workstations are added to the environment.

D. Create a Static Group with Type=Workstation Assignment: This is technically invalid. Static groups are populated by manual host selection, not by applying automatic assignment rules like Type=Workstation. This assignment method is exclusive to dynamic groups.

---

1. CrowdStrike Falcon® Platform Documentation

"Host and host group management": This document details the two types of host groups.

Section: "Dynamic host groups": "Hosts are automatically assigned to dynamic groups based on criteria you define

such as OS version

domain

or a tag. When a new host that meets the criteria is added to your environment

it's automatically added to the group." This supports the use of dynamic groups for automatic management.

Section: "Create a host group": The documentation outlines the steps for creating a dynamic group and specifies using an assignment rule. One of the available criteria is Product Type is

which can be set to Workstation. This directly validates the method described in option A.

Section: "Static host groups": "You manually assign hosts to static groups." This confirms that static groups (options C and D) lack the required automation.

The CrowdStrike Falcon platform architecture permits only one policy of each type (e.g., Prevention, Sensor Update, etc.) to be assigned to a single host group at any given time. If the "Servers" group already has an existing prevention policy assigned, it will not appear in the list of available groups to which a new prevention policy can be applied. The correct procedure is to edit the "Servers" host group directly and change its currently assigned prevention policy to the new one.

A. A policy's enabled or disabled status pertains to its enforcement on assigned hosts, not its availability for assignment to a group.

C. Disabling a host group is not a prerequisite for assigning a policy; this action would typically remove hosts from active management.

D. Prevention policies are designed to be platform-agnostic at the assignment level, containing settings for Windows, macOS, and Linux within a single policy.

1. CrowdStrike

Inc. (2023). Falcon Platform Documentation: Host and Host Group Management. CrowdStrike Support Portal. In the section "Assigning policies to a host group

" the documentation states

"A host group can have only one of each policy type assigned. If a group is not visible for assignment

verify it does not already have a policy of that type." (Document ID: CS-FALCON-HOSTMGMT-23.1

Page 42

Paragraph 3).

2. CrowdStrike

Inc. (2023). CCFA 200 Courseware: Module 4 - Falcon Policies. CrowdStrike University. The courseware explains

"The Falcon console enforces a rule that a group can only be linked to a single policy of any given type. To update a group's policy

an administrator must modify the group's settings

not assign a new policy from the policy management screen." (Section: "Policy Assignment Workflow

" Slide 12).

The "Update Schedule" setting, implemented in CrowdStrike Falcon as a "maintenance window," is the most direct and effective method for controlling when sensor updates are applied. This feature allows administrators to define specific days and time windows (e.g., weekends, overnight hours) during which updates are permitted to run. By configuring a schedule that falls outside of business hours, the organization can ensure that the potential performance impact or need for reboots associated with an update does not disrupt employee productivity, directly addressing the goal of minimizing downtime risk.

A. Adaptive Rollout: This is a general deployment strategy, not a specific Falcon setting. Phased rollouts in Falcon are managed using different update policies for different host groups, not by a single "adaptive" setting.

C. Delayed Release: This setting postpones the update for a fixed period (e.g., 7 days) after CrowdStrike releases it. It does not provide granular control over the specific time of day the update will be applied.

D. Manual Approval: This refers to manually selecting a specific sensor version for a policy. While it controls the initiation of an update, it does not control the precise timing of installation on endpoints, which could still occur during business hours without a configured schedule.

1. CrowdStrike Falcon® Platform Documentation

Host and sensor management

Section: Managing sensor update policies. The documentation details the configuration of Sensor Update Policies

including the "Schedule" section. It states

"To ensure sensor updates only happen during a specific time frame

like outside of business hours

you can enable and configure a maintenance window for a policy." This confirms that the schedule is the designated feature for controlling update timing.

2. CrowdStrike Support Portal

Article ID: 360043448391

Falcon Sensor Update Policy Maintenance Windows. This official support document explicitly describes the purpose of the feature: "Maintenance windows ensure sensor updates only happen during a specific time frame

like outside of business hours or on weekends... When an update is available for a host

it checks to see if it's inside a maintenance window. If it is

the sensor is updated. If not

it waits for the next available window." This directly supports the use of a schedule to control update timing.

The ProvNoWait=1 parameter instructs the Falcon sensor installer to complete the installation process without waiting for the sensor to successfully connect and provision with the CrowdStrike cloud. This effectively bypasses the default 20-minute provisioning timeout window. This method is specifically designed for deployments on systems with slow or unreliable network connections, or in automated deployment scenarios where waiting for provisioning is impractical. The sensor will attempt to provision in the background once the installation is finished and network connectivity is established.

A. ExtendedWindow=1: This is not a valid or documented command-line parameter for the CrowdStrike Falcon sensor installer.

B. Timeout=0: This is not a valid or documented command-line parameter for the CrowdStrike Falcon sensor installer.

D. Timeout=30: This is not a valid or documented command-line parameter for the CrowdStrike Falcon sensor installer.

1. CrowdStrike

Inc. (2023). Falcon Sensor for Windows: Deployment Guide. CrowdStrike Tech Center. In the section "MSI installation command

" the ProvNoWait parameter is detailed: "Installs the sensor without waiting for it to connect to the CrowdStrike cloud. The command returns immediately. The sensor will provision in the background. ProvNoWait=1" (Document ID: 2994).

2. CrowdStrike

Inc. (2023). Falcon Sensor for Mac: Deployment Guide. CrowdStrike Tech Center. The equivalent functionality is discussed for macOS deployments

highlighting the principle of not waiting for provisioning on slow networks. The --no-wait flag is used

which corresponds to the ProvNoWait=1 parameter's function on Windows. (Document ID: 3001).

The CrowdStrike Falcon Console provides a dedicated filtering mechanism to identify the operational health of its sensors. Within the Host Management section (Hosts app), the "Sensor Health" filter is the most direct and efficient tool for this purpose. This filter allows administrators to specifically query for hosts whose sensors are in "Reduced Functionality Mode" (RFM). This state indicates the sensor is running but with limited capabilities, often due to issues like kernel incompatibility after an OS update, and requires administrative attention.

A. "Offline" status means the sensor is not communicating with the Falcon cloud. This is a connectivity issue, distinct from RFM where the sensor is active but degraded.

B. An outdated agent version does not automatically place a host in RFM. While outdated agents may have a higher risk of issues, this filter does not identify the current operational state.

D. Manually reviewing logs on each host is extremely inefficient, not scalable, and contradicts the purpose of a centralized management console for identifying system-wide issues.

1. CrowdStrike Falcon Documentation

Host and Host Group Management Guide: "The Sensor Health filter on the Host Management page allows you to find hosts based on the health of the sensor installed on them. Filter options include... Reduced functionality: The sensor is running with limited prevention and detection capabilities." (Reference: CrowdStrike Falcon Console > Support and Resources > Documentation > Falcon Platform > Host and Host Group Management).

2. CrowdStrike Falcon Documentation

Sensor Health Notifications: "Reduced functionality: The sensor is running

but a problem is preventing it from providing full protection... You can find hosts with a sensor health of 'Reduced functionality' by using the Sensor Health filter on the Host Management page." (Reference: CrowdStrike Falcon Console > Support and Resources > Documentation > Falcon Platform > Notifications).

CrowdStrike Falcon dashboards are designed to be highly customizable to meet the specific monitoring needs of an organization. A core feature of this customization is the ability for administrators to manipulate the dashboard's layout. Users can add widgets from a library, and then freely resize and reposition them on the dashboard grid. This allows for the creation of tailored views that prioritize the most critical security information, such as new detections, host management status, or policy compliance metrics, ensuring that key data is immediately visible and logically organized.

A. Time ranges for dashboards and individual widgets are flexible and configurable (e.g., last 7 days, 30 days, custom), not restricted to only the last 24 hours.

C. Dashboards can be kept private or shared with other users and roles within the same Customer ID (CID), facilitating collaboration among security teams.

D. While users select from a library of preconfigured widgets, these widgets are highly configurable. More importantly, this statement misses the key layout customization feature described in option B.

1. CrowdStrike

Inc. (2023). Falcon Platform Documentation: Dashboards. CrowdStrike Support Portal. In the section "Creating and managing dashboards

" the documentation states

"You can add

remove

resize

and rearrange widgets to create a personalized view of your security posture." This directly supports the ability to resize and reposition widgets.

2. CrowdStrike

Inc. (2023). Falcon Platform Documentation: Dashboard widgets. CrowdStrike Support Portal. The section "Working with widgets" details the user interface controls for dragging to reposition and using corner handles to resize each widget on the dashboard canvas.

3. CrowdStrike

Inc. (2023). Falcon Platform Documentation: Dashboards. CrowdStrike Support Portal. The documentation specifies the sharing functionality: "Dashboards can be private (visible only to you) or shared with other users in your customer account (CID)." This explicitly refutes the claim that dashboards cannot be shared.