The Containment Policy page is titled "Network traffic allowlist", and it only allows adding IPs or CIDR networks to exclude at the moment any host is isolated. Because it is a global policy, it does not allow distinctions between machines.
Question 2
You want to create a detection-only policy. How do you set this up in your policy's settings?
Options:
A. Enable the detection sliders and disable the prevention sliders. Then ensure that Next Gen Antivirus is enabled so it will disable Windows Defender.
B. Select the "Detect-Only" template. Disable hash blocking and exclusions.
C. You can't create a policy that detects but does not prevent. Use Custom IOA rules to detect.
D. Set the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled. Do not activate any of the other blocking or malware prevention options.
Answer:
D
Explanation:
The administrator can create a detection-only policy by setting the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled in the policy’s settings. This will allow Falcon to detect but not prevent threats on the hosts using this policy. Do not activate any of the other blocking or malware prevention options, as they will enable prevention actions. The other options are either incorrect or not related to creating a detection-only policy. Reference: [CrowdStrike Falcon User Guide], page 35.
Question 3
What best describes what happens to detections in the console after clicking "Disable Detections" for a host from within the Host Management page?
Options:
A. The detections for the host are removed from the console immediately and no new detections will display in the console going forward
B. You cannot disable detections for a host
C. Existing detections for the host remain, but no new detections will display in the console going forward
D. Preventions will be disabled for the host
Answer:
A
Explanation:
The option that best describes what happens to detections in the console after clicking “Disable Detections” for a host from within the Host Management page is that the detections for the host are removed from the console immediately and no new detections will display in the console going forward. The “Disable Detections” feature allows you to enable or disable the detection and prevention capabilities of the Falcon sensor on a specific host. When you disable detections for a host, the sensor will stop sending any detection or prevention events to the Falcon console, and any existing events for that host will be removed from the console. When you enable detections for a host, the sensor will resume sending any new detection or prevention events to the Falcon console, but any previous events for that host will not be restored to the console.