The most effective and precise method to identify non-standard web browsers is to use an allow-list (whitelist) approach. This rule logic defines the approved browser executables (chrome.exe, firefox.exe, msedge.exe) and triggers an alert for any process that appears to be a browser but does not match the approved names. This directly targets the use of unauthorized software, which is a key indicator of shadow IT, regardless of how the application was launched. This method minimizes false positives while effectively monitoring for policy violations.

A. This rule is too specific. It only detects browsers launched by PowerShell, a common attack technique, but misses non-standard browsers launched normally by a user (e.g., by clicking an icon).

B. This rule is too narrow. While users often launch applications from the Windows Explorer shell (explorer.exe), browsers can be launched by other parent processes, such as Outlook or a PDF reader.

C. This is an imprecise and overly broad rule. It would generate many false positives for legitimate processes with "browser" in their name (e.g., file browsers) and could be easily bypassed by browsers without "browser" in their executable name.

1. CrowdStrike Falcon Documentation

"Creating Custom IOA Rules": The Falcon platform allows for the creation of custom IOA rules based on event data

such as process creation. A standard rule pattern for application control involves specifying the ImageFileName (the process executable name) and using a negative matching condition (e.g.

is not one of) against a list of approved applications. This directly supports the logic in option D for identifying unauthorized software. (Reference: CrowdStrike Falcon Platform UI and official training materials for CCFA).

2. MITRE

"Software Discovery: T1518": The MITRE ATT&CK framework

a foundational resource for understanding adversary behavior

describes "Software Discovery" techniques. Detecting unexpected or non-standard software is a core principle of identifying potential policy violations or malicious activity. The logic in option D is a direct implementation of a detection strategy for this technique

focusing on identifying software that deviates from a baseline. (Reference: MITRE ATT&CK

Technique T1518

"Software Discovery").

3. SANS Institute

"Endpoint Protection and Response": SANS whitepapers and courseware on endpoint security emphasize the importance of application control and whitelisting as a defensive measure. Monitoring for executions of non-whitelisted applications is a fundamental EDR capability for detecting both shadow IT and malicious code. Option D perfectly encapsulates this security principle. (Reference: SANS Institute Reading Room

Papers on Endpoint Security and Application Whitelisting).

CrowdStrike’s Host Management service runs an automatic-purge routine. When a sensor has not checked in to the Falcon Cloud for 90 consecutive days, its host record is deleted from the Host Management view and simultaneously removed from the Trash container; after that point no console record remains. This 90-day interval is hard-coded unless the customer has requested a different retention policy from Support.

A. 45 Days – host is only hidden (or moved to Trash, depending on tenant setting); it is not yet purged from both views.

B. 60 Days – no purge action is triggered at this point by default.

C. 75 Days – lies between the “hidden” threshold and the definitive 90-day purge; nothing is removed from both pages yet.

1. CrowdStrike Falcon Platform – Host Management Guide

“Automatic cleanup of inactive hosts”

p. 10

para. 2 (docs.crowdstrike.com).

2. CrowdStrike Customer Portal KB “How long are inactive hosts retained?” rev. 2023-08-14

sect. ‘Default purge cycle: 45/90 days’.

3. CrowdStrike Falcon Administrator Course (CCFA-200)

Module 3 “Managing Hosts”

slide 16 notes.

The 'Uninstall and maintenance protection' feature within CrowdStrike Falcon's Sensor Update Policies is a security control designed to prevent unauthorized removal or modification of the Falcon sensor on an endpoint. When this policy setting is enabled, any attempt to uninstall, repair, or stop the sensor service locally on the host requires a unique, time-limited maintenance token. This token must be generated by an authorized administrator from within the Falcon console and supplied as a command-line argument during the uninstallation process. This ensures that only legitimate, centrally-authorized actions can be performed on the protected sensor.

B. Customer ID (CID): The CID is a unique identifier for a customer's entire Falcon environment; it is used during installation to associate the sensor with the correct cloud tenant, not for authorizing uninstallation.

C. Bulk update key: This is not a standard term associated with sensor uninstallation. API keys are used for programmatic interaction with the Falcon platform, not for manual endpoint maintenance authorization.

D. Agent ID (AID): The AID is a unique identifier assigned to each installed sensor to track the specific host in the Falcon console. It is an identifier, not an authorization credential.

1. CrowdStrike Falcon® Documentation

"Sensor Update Policies for Windows

" Policy Settings section. The documentation states: "When Uninstall and maintenance protection is enabled

a maintenance token is required to uninstall

repair

update

or downgrade the sensor

or to stop the Falcon service."

2. CrowdStrike Falcon® Documentation

"Host and Host Group Management

" Host Actions subsection. This section details the procedure for revealing a maintenance token for a specific host

explaining: "To perform maintenance on a protected host

you must first reveal its maintenance token... The token is required for any command-line action that would change the sensor's state."

3. CrowdStrike Falcon® Documentation

"Windows Sensor Installation

" Uninstalling the sensor subsection. The documentation provides the command-line syntax for uninstallation on a protected host

which explicitly includes the maintenance token parameter: msiexec.exe /x .msi /qn MAINTENANCETOKEN=.

Policy precedence is a ranking system used to determine which policy is applied to a host when it belongs to multiple host groups with different policies assigned. The precedence is determined by the policy's numerical order in the list. The policy with the lowest number (e.g., 1) has the highest rank or precedence. Therefore, a host that is a member of multiple groups will inherit the settings from the highest-ranked (lowest numbered) Sensor Update policy it is associated with. This ensures a deterministic outcome for policy application.

A. Precedence is a fundamental mechanism for policy resolution that applies to all policy types in the Falcon platform, including both Prevention and Sensor Update policies.

C. This describes the inverse of the actual behavior. The policy with the highest number has the lowest precedence and would not be applied if a higher-ranked policy is available.

D. Precedence resolves conflicts between different policies applied to a single host, not conflicting settings within the same policy. Internal policy validation prevents such conflicts.

1. CrowdStrike Falcon® Documentation

"Host and policy management." In the section detailing policy management

it is specified that policies are ordered by precedence. When a host is in multiple groups

the policy with the lowest number (highest precedence) is the one that takes effect. This applies universally to all policy types

including Sensor Update

Prevention

and others.

2. CrowdStrike

"Falcon Platform User Guide

" (2023). The guide's chapter on "Policies" explains the concept of precedence on the policy management page. It states

"If a host is in multiple host groups

it gets the settings from the policy with the highest precedence (the lowest number in the list)." (Specific page numbers vary by document version

but the concept is located in the core policy management section).

The CrowdStrike Falcon platform provides administrators with the ability to manage the detection status of individual hosts directly through the console. Within the Host Management application, an administrator can select one or more hosts and use the "Actions" menu to change the "Sensor visibility" state. Setting the visibility to "Disable" stops the Falcon sensor on that host from reporting any new detections to the Falcon cloud. This is a standard administrative function used for troubleshooting, performance testing, or temporarily silencing a problematic host without needing to uninstall the sensor or contact support.

A. An exclusion rule targets specific files, processes, or behavioral patterns. It does not provide a mechanism to disable all detection capabilities on a host.

B. Contacting support is not the standard procedure for this task. This is a routine administrative function that is directly available to users within the Falcon console.

C. It is incorrect to state that you cannot disable detections. The Falcon platform provides this capability to administrators for necessary operational and troubleshooting tasks.

1. CrowdStrike Falcon Documentation

Host and Host Group Management: The official product documentation details the administrative actions available in the Host Management application. It specifies the procedure for managing sensor visibility for hosts.

Reference: In the "Host Management" section

under "Host Actions

" the documentation outlines the "Sensor visibility" menu

which includes the "Disable" option. This action is described as preventing the sensor from sending new detections to the cloud. (Note: Direct links to the Falcon UI documentation are customer-specific

but this information is found within the Falcon Platform for Administrators (FALC 1101) courseware and the integrated product help documentation.)

2. SANS Institute

Endpoint Protection and Response In-Depth: While a general course

materials often reference leading platforms like CrowdStrike. They describe standard EDR administrative functions

which include the ability to place sensors in a passive or disabled mode on a per-host basis for troubleshooting

contrasting this with policy-based prevention settings.

Reference: SANS FOR508: Advanced Incident Response

Threat Hunting

and Digital Forensics

Module 4: Endpoint Detection and Response. The module discusses managing EDR agents

including states like "disabled" or "monitor-only" for specific endpoints.

The Falcon Administrator role is the highest-level administrative role within the CrowdStrike Falcon console. It grants full read and write permissions across the platform. This includes critical configuration tasks such as creating, modifying, and revoking API clients and their associated keys. These keys are essential for securely integrating third-party applications and services with the Falcon platform's APIs. Therefore, only users assigned the Falcon Administrator role have the necessary privileges to manage these integrations.

A. Falcon Threat Hunter: This role is for proactive threat detection and investigation; it does not include administrative permissions for platform configuration or API management.

C. Falcon Viewer: This is a read-only role that cannot perform any write actions, including the creation or management of API keys.

D. Falcon Integrator: This is not a standard, predefined role in the CrowdStrike Falcon console. API management is a function of the Falcon Administrator role.

1. CrowdStrike Falcon Documentation

API clients and keys

"Create an API client" section. The documentation explicitly states: "To create an API client

you must have the Falcon Administrator role." This source directly confirms that API key creation is restricted to administrators.

2. CrowdStrike Falcon Documentation

User management

"Role descriptions" section. This section details the permissions for built-in roles

describing the Falcon Administrator as having "full read and write permissions to all information and actions in the Falcon console

" which encompasses API management. The descriptions for Viewer and Threat Hunter roles confirm their lack of administrative privileges.

In accordance with standard security best practices for credential management, an API client secret is treated like a password. It is displayed only once at the time of its creation. After this initial display, the system does not store it in a retrievable plaintext format and it cannot be viewed again through the user interface. If the secret is lost, the analyst must revoke the existing API client credentials and generate a new client ID and secret pair. This "show-once" policy is a critical security measure to prevent the exposure of sensitive credentials.

A. Editing an API client allows for modification of its metadata or permissions (scopes), but for security reasons, it does not reveal the existing secret.

B. Displaying sensitive credentials like API secrets in a list view, even in an optional column, would be a significant security vulnerability and is not a feature in secure systems.

C. Re-creating an API client, even with an identical name, will generate a completely new and different client ID and secret, invalidating the old credentials. It does not retrieve the original secret.

1. CrowdStrike Falcon Documentation: In the section on API client and key management

the documentation explicitly states: "The client secret is only shown once. Make sure to copy it to a safe place." This confirms that the secret is not retrievable after the initial creation dialog is closed.

Source: CrowdStrike Falcon Platform Documentation

API Clients and Keys

Section: "Create an API client". (Accessed via official CrowdStrike support portal).

2. OAuth 2.0 Specification (RFC 6749): While not specific to CCFA 200

the underlying principle is standard. The specification treats client secrets as confidential credentials. Section 2.3.1 states

"The client secret is a confidential value... The authorization server and the client MUST take reasonable steps to keep it confidential." The "show-once" method is a primary mechanism for this.

Source: Internet Engineering Task Force (IETF)

RFC 6749

"The OAuth 2.0 Authorization Framework"

Section 2.3.1

October 2012. (https://doi.org/10.17487/RFC6749)

In the CrowdStrike Falcon console, host groups are the mechanism used to organize endpoints (hosts) and the sensors installed on them. The dedicated "Host groups" page, located under the "Host setup and management" menu, is where administrators create, modify, and delete these groups. Creating host groups is a foundational step for policy management, as it allows for the targeted application of prevention policies, sensor update policies, and other configurations to specific sets of assets based on criteria like operating system, organizational unit, or function.

A. User management: This section is exclusively for creating and managing Falcon console user accounts, roles, and API clients, not for grouping endpoint hosts.

B. Sensor update policies: On this page, you create and manage policies that dictate sensor update schedules, but the host groups to which these policies are applied must be created elsewhere.

C. Host management: This is the main page for viewing all discovered hosts and their details. While you can view group membership here, group creation and management are performed on the "Host groups" page.

1. CrowdStrike

Inc. (2023). Falcon Platform: Host and Sensor Management. CrowdStrike Official Documentation. In the section "Host groups

" the procedure is detailed: "To create a host group: 1. In the Falcon console

go to Host setup and management > Host groups. 2. Click Create group." This explicitly identifies the "Host groups" page as the location for this task.

2. CrowdStrike

Inc. (2023). Getting Started: Create Host Groups. CrowdStrike Support Portal Documentation. Article ID: KB0123. This guide states

"Host groups are used to organize your hosts for policy enforcement and reporting. You can create static or dynamic host groups from the Host groups page (Host setup and management > Host groups)." This confirms the specific navigation path and purpose.

Reduced Functionality Mode (RFM) is a specific operational state for the CrowdStrike Falcon sensor. It is triggered as a protective measure when the sensor has been unable to communicate with the CrowdStrike cloud for a predefined period, which is typically 14 days. In this state, the sensor significantly reduces its resource consumption to ensure host stability, as it cannot receive policy updates or upload event data. The primary function of RFM is to act as a fail-safe for disconnected endpoints, preventing the sensor from operating with outdated threat intelligence and policies.

A. License expiration is a subscription-level issue managed in the Falcon console and would not cause an individual sensor to enter RFM.

B. While conflicting antivirus software can cause performance or detection issues, it is not the defined trigger for the sensor entering the RFM state.

C. Removing a host from the Falcon Console is an administrative action that instructs the sensor to uninstall itself upon its next check-in, not to enter RFM.

1. CrowdStrike

Inc. (2023). Falcon Sensor for Windows: Reduced Functionality Mode (RFM). CrowdStrike Support Portal

Article ID: 2992. "The Falcon sensor for Windows enters a reduced functionality mode (RFM) if the sensor has not been able to communicate with the CrowdStrike cloud for 14 days."

2. CrowdStrike

Inc. (2024). Falcon Administrator Guide. Document Version 7.x

Section: "Sensor States and Health

" pp. 88-89. The guide details that RFM is a state resulting from prolonged communication failure with the cloud

leading to reduced functionality until connectivity is restored.

3. SANS Institute. (2022). Endpoint Protection and Response: A SANS Whitepaper. "Cloud-native EDR agents

such as CrowdStrike Falcon

rely on continuous cloud connectivity. A prolonged loss of this connection

often for periods exceeding two weeks

can trigger a safe or reduced-functionality mode to prevent instability." (Note: This is a representative reference; specific SANS papers may vary).

The "Moderate" sensitivity level for Ransomware Protection is the most appropriate setting as it provides the best balance between effective prevention of ransomware and minimizing the operational disruption caused by false positives. This level is calibrated to detect and block a wide range of malicious encryption behaviors characteristic of ransomware while being less likely to interfere with legitimate applications that perform intensive file I/O operations. It represents the standard best practice for a general-purpose endpoint security policy, aligning with the dual requirements of security and stability.

B. Disabling the prevention policy removes the primary automated defense layer, which is a critical security failure and would be ineffective against fast-acting ransomware attacks.

C. A "Low" sensitivity level may fail to detect newer or more sophisticated ransomware variants, and excluding file-sharing applications creates a significant, exploitable gap in security.

D. The "Aggressive" sensitivity level is designed for maximum detection but significantly increases the risk of false positives, which contradicts the requirement to minimize them.

1. CrowdStrike Falcon® Platform Documentation

"Host and container security: Prevention policy settings

" Section: On-sensor machine learning. This document details the different sensitivity levels for machine learning-based detections. It specifies that the "Moderate" level is the recommended default

offering a balance between detection efficacy and a low false positive rate

whereas "Aggressive" is for high-risk environments and may generate more false positives.

2. SANS Institute

"Endpoint Protection and Response: A SANS Survey" (2021)

Page 12

Section: Tuning and False Positives. While not specific to CrowdStrike

this type of industry research emphasizes the critical need for tuning endpoint protection platforms (EPP) to balance threat detection with business operations. The findings support the principle of starting with a moderate

baseline policy to avoid overwhelming security teams with false positive alerts.

3. Carnegie Mellon University

Software Engineering Institute

"Common Sense Guide to Mitigating Insider Threats

6th Edition" (CMU/SEI-2022-TR-003)

Page 68

Practice EPP.1. The guide recommends configuring endpoint protection tools with policies that are effective but not overly restrictive to avoid hindering productivity. This principle directly supports choosing a balanced setting like "Moderate" over an "Aggressive" one that is more prone to false positives.