CCFA Exam - Question 9


Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host. What is the most appropriate role that can be added to fulfill this requirement?

Correct Answer: B

To view files and file contents locally on compromised hosts without the ability to extract them, the 'Real Time Responder – Read Only Analyst' role is the most appropriate. This role grants permissions to run specific commands such as viewing file contents without permitting file extraction, which aligns with the requirement of being able to view files without the ability to take them off the host.

Discussion

12 comments
plantvast (Option: B)
Jan 20, 2023

The question is talking about viewing files and contents on managed hosts, which is only possible using Real-Time Response (RTR).

ShuliAbba
Jan 24, 2023

@plantvast - but which one?

ShuliAbba (Option: B)
Jan 24, 2023

I think it would be Real Time Responder - Read Only Analyst, since the RTR admins are probably capable of everything with RTR, and RTR Active Responder can extract files from the machine, while in the question they ask not to.

andreiushu (Option: B)
Feb 21, 2023

B is the correct answer

Belrose (Option: B)
Mar 25, 2023

I agree, B is the correct answer. The Falcon Analyst does not have any RTR permission, so it is not able to connect to any host or list files; of course, the real-time download of files is not allowed. The Real Time Responder - Read Only Analyst only allows running the commands "cat,cd,clear,env,eventlog,filehash,getsid,help,history,ipconfig,ls,mount,netstat,ps,reg". The role does not have permission to get files, so it is the most approximate profile for the requested capabilities.

FerbOP (Option: B)
Apr 25, 2023

B is correct

FerbOP
Dec 14, 2023

To get into the system and see the files remotely, you need the RTR role.

uday1985 (Option: B)
May 9, 2023

B.. confirmed in portal

sbag0024 (Option: B)
Jun 14, 2023

B is correct, checked in the docs

Soma7 (Option: B)
Jun 28, 2023

B is correct answer

Manuneethi (Option: C)
Jul 16, 2023

Only C is correct. The question itself mentioned Falcon Analyst; he needed additional rights to view all logs. So Falcon Analyst - Read Only is correct.

Manuneethi (Option: C)
Jul 16, 2023

Also, Falcon Analyst - Read Only has more options than Real Time Responder - Read Only Analyst, according to the CrowdStrike original console note. You can add Falcon Analyst - Read Only as one more role. That's it.

crowdstrikerz (Option: C)
Nov 17, 2023

checked