Free CCFA-200 Actual Exam Questions - Question 7 Discussion

Question No. 7
An organization has detected unauthorized access to one of its administrative accounts in the CrowdStrike
Falcon platform. The security team needs to determine which actions were performed by the
compromised account, including configuration changes and rule modifications. Which audit log should
the team use to gather this information?
Ahmed T.
2026-02-20

I’m thinking B might be worth considering too since System Events could log broader admin-level changes, not just user login or host management. Could it capture config changes at the system level?

0
Ravi S.
2026-02-10

It’s A since Host Management Audit Log would most likely include changes to system configurations and admin-level activities, which fits better for tracking config changes and rule mods by that account.

0
Farhan K.
2026-01-31

C imo since it focuses on tracking user actions, it should capture specific admin changes like rule modifications better than system or detection logs. Host Management logs feel more about device-level stuff.

0
Sohail A.
2026-01-21

Option A could be worth considering since Host Management logs might capture changes related to system configurations, but I’m not sure if it covers user-specific actions like rule modifications.

0
Arjun R.
2026-01-15

C imo

0