CrowdStrike Certified Falcon Administrator (CCFA) — Question 5
Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host. What is the most appropriate role that can be added to fulfill this requirement?
Answer options
- A. Remediation Manager
- B. Real Time Responder – Read Only Analyst
- C. Falcon Analyst – Read Only
- D. Real Time Responder – Active Responder
Correct answer: B
Explanation
The correct answer is B, as the Real Time Responder – Read Only Analyst role allows viewing files on compromised hosts while preventing file transfer. The other options either do not offer the required read-only access or provide additional capabilities that include file transfer, which is not permitted.