New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtick70

CCFA-200 CrowdStrike Certified Falcon Administrator Questions and Answers

Questions 4

You have been provided with a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers. They have asked you to ensure that they are not allowed to run in your environment. You have chosen to use Falcon to do this. Which is the best way to accomplish this?

Options:

A.

Using the Support Portal, create a support ticket and include the list of binary hashes, asking support to create an "Execution Prevention" rule to prevent these processes from running

B.

Using Custom Alerts in the Investigate App, create a new alert using the template "Process Execution" and within that rule, select the option to "Block Execution"

C.

Using IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking.

D.

Using the API, gather the list of SHA256 or MD5 hashes for each binary and then upload them, setting them all to "Never Allow"

Buy Now
Questions 5

What is the primary purpose of using glob syntax in an exclusion?

Options:

A.

To specify a Domain be excluded from detections

B.

To specify exclusion patterns to easily exclude files and folders and extensions from detections

C.

To specify exclusion patterns to easily add files and folders and extensions to be prevented

D.

To specify a network share be excluded from detections

Buy Now
Questions 6

A Falcon Administrator is trying to use Real-Time Response to start a session with a host that has a sensor installed but they are unable to connect. What is the most likely cause?

Options:

A.

The host has a user logged into it

B.

The domain controller is preventing the connection

C.

They do not have an RTR role assigned to them

D.

There is another analyst connected into it

Buy Now
Questions 7

Why would you assign hosts to a static group instead of a dynamic group?

Options:

A.

You do not want the group membership to change automatically

B.

You are managing more than 1000 hosts

C.

You need hosts to be automatically assigned to a group

D.

You want the group to contain hosts from multiple operating systems

Buy Now
Questions 8

You are attempting to install the Falcon sensor on a host with a slow Internet connection and the installation fails after 20 minutes. Which of the following parameters can be used to override the 20-minute default provisioning window?

Options:

A.

ExtendedWindow=1

B.

Timeout=0

C.

ProvNoWait=1

D.

Timeout=30

Buy Now
Questions 9

You have created a Sensor Update Policy for the Mac platform. Which other operating system(s) will this policy manage?

Options:

A.

*nix

B.

Windows

C.

Both Windows and *nix

D.

Only Mac

Buy Now
Questions 10

In order to exercise manual control over the sensor upgrade process, as well as prevent unauthorized users from uninstalling or upgrading the sensor, which settings in the Sensor Update Policy would meet this criteria?

Options:

A.

Sensor version set to N-1 and Bulk maintenance mode is turned on

B.

Sensor version fixed and Uninstall and maintenance protection turned on

C.

Sensor version updates off and Uninstall and maintenance protection turned off

D.

Sensor version set to N-2 and Bulk maintenance mode is turned on

Buy Now
Questions 11

Which option best describes the general process Whereinstallation of the Falcon Sensor on MacOS?

Options:

A.

Grant the Falcon Package Full Disk Access, install the Falcon package, use falconctl to license the sensor

B.

Install the Falcon package passing it the installation token in the command line

C.

Install the Falcon package, use falconctl to license the sensor, approve the system extension, grant the sensor Full Disk Access

D.

Grant the Falcon Package Full Disk Access, install the Falcon package, load the Falcon Sensor with the command 'falconctl stats'

Buy Now
Questions 12

The alignment of a particular prevention policy to one or more host groups can be completed in which of the following locations within Falcon?

Options:

A.

Policy alignment is configured in the "Host Management" section in the Hosts application

B.

Policy alignment is configured only once during the initial creation of the policy in the "Create New Policy" pop-up window

C.

Policy alignment is configured in the General Settings section under the Configuration menu

D.

Policy alignment is configured in each policy in the "Assigned Host Groups" tab

Buy Now
Questions 13

When a user initiates a sensor installs, where can the logs be found?

Options:

A.

%SYSTEMROOT%\Logs

B.

%SYSTEMROOT%\Temp

C.

%LOCALAPPDATA%\Logs

D.

% LOCALAPP D ATA%\Tem p

Buy Now
Questions 14

What is the name for the unique host identifier in Falcon assigned to each sensor during sensor installation?

Options:

A.

Endpoint ID (EID)

B.

Agent ID (AID)

C.

Security ID (SID)

D.

Computer ID (CID)

Buy Now
Questions 15

Which of the following is TRUE of the Logon Activities Report?

Options:

A.

Shows a graphical view of user logon activity and the hosts the user connected to

B.

The report can be filtered by computer name

C.

It gives a detailed list of all logon activity for users

D.

It only gives a summary of the last logon activity for users

Buy Now
Questions 16

Where should you look to find the history of the successes and failures for any Falcon Fusion workflows?

Options:

A.

Workflow Execution log

B.

Falcon Ul Audit Trail

C.

Workflow Audit log

D.

Custom Alert History

Buy Now
Questions 17

To enhance your security, you want to detect and block based on a list of domains and IP addresses. How can you use IOC management to help this objective?

Options:

A.

Blocking of Domains and IP addresses is not a function of IOC management. A Custom IOA Rule should be used instead

B.

Using IOC management, import the list of hashes and IP addresses and set the action to Detect Only

C.

Using IOC management, import the list of hashes and IP addresses and set the action to Prevent/Block

D.

Using IOC management, import the list of hashes and IP addresses and set the action to No Action

Buy Now
Questions 18

Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host. What is the most appropriate role that can be added to fullfil this requirement?

Options:

A.

Remediation Manager

B.

Real Time Responder – Read Only Analyst

C.

Falcon Analyst – Read Only

D.

Real Time Responder – Active Responder

Buy Now
Questions 19

What is the most common cause of a Windows Sensor entering Reduced Functionality Mode (RFM)?

Options:

A.

Falcon console updates are pending

B.

Falcon sensors installing an update

C.

Notifications have been disabled on that host sensor

D.

Microsoft updates

Buy Now
Questions 20

Which Real Time Response role will allow you to see all analyst session details?

Options:

A.

Real Time Response - Read-Only Analyst

B.

None of the Real Time Response roles allows this

C.

Real Time Response -Active Responder

D.

Real Time Response -Administrator

Buy Now
Questions 21

Why is it important to know your company's event data retention limits in the Falcon platform?

Options:

A.

This is not necessary; you simply select "All Time" in your query to search all data

B.

You will not be able to search event data into the past beyond your retention period

C.

Data such as process records are kept for a shorter time than event data

D.

Your query will require you to specify the data pool associated with the date you wish to search

Buy Now
Questions 22

Which of the following options is a feature found ONLY with the Sensor-based Machine Learning (ML)?

Options:

A.

Next-Gen Antivirus (NGAV) protection

B.

Adware and Potentially Unwanted Program detection and prevention

C.

Real-time offline protection

D.

Identification and analysis of unknown executables

Buy Now
Questions 23

What is the purpose of precedence with respect to the Sensor Update policy?

Options:

A.

Precedence applies to the Prevention policy and not to the Sensor Update policy

B.

Hosts assigned to multiple policies will assume the highest ranked policy in the list (policy with the lowest number)

C.

Hosts assigned to multiple policies will assume the lowest ranked policy in the list (policy with the highest number)

D.

Precedence ensures that conflicting policy settings are not set in the same policy

Buy Now
Questions 24

You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?

Options:

A.

Contact support and request that they modify the Machine Learning settings to no longer include this detection

B.

Using IOC Management, add the hash of the binary in question and set the action to "Allow"

C.

Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"

D.

Using IOC Management, add the hash of the binary in question and set the action to "No Action"

Buy Now
Questions 25

When a host is placed in Network Containment, which of the following is TRUE?

Options:

A.

The host machine is unable to send or receive network traffic outside of the local network

B.

The host machine is unable to send or receive network traffic except to/from the Falcon Cloud and traffic allowed in the Firewall Policy

C.

The host machine is unable to send or receive any network traffic

D.

The host machine is unable to send or receive network traffic except to/from the Falcon Cloud and any resources allowlisted in the Containment Policy

Buy Now
Questions 26

In order to quarantine files on the host, what prevention policy settings must be enabled?

Options:

A.

Malware Protection and Custom Execution Blocking must be enabled

B.

Next-Gen Antivirus Prevention sliders and "Quarantine & Security Center Registration" must be enabled

C.

Malware Protection and Windows Anti-Malware Execution Blocking must be enabled

D.

Behavior-Based Threat Prevention sliders and Advanced Remediation Actions must be enabled

Buy Now
Questions 27

You need to export a list of all deletions for a specific Host Name in the last 24 hours. What is the best way to do this?

Options:

A.

Go to Host Management in the Host page. Select the host and use the Export Detections button

B.

Utilize the Detection Resolution Dashboard. Use the filters to focus on the appropriate hostname and time, then export the results from the "Detection Resolution History" section

C.

In the Investigate module, access the Detection Activity page. Use the filters to focus on the appropriate hostname and time, then export the results

D.

Utilize the Detection Activity Dashboard. Use the filters to focus on the appropriate hostname and time, then export the results from the "Detections by Host" section

Buy Now
Questions 28

The Customer ID (CID) is important in which of the following scenarios?

Options:

A.

When adding a user to the Falcon console under the Users application

B.

When performing the sensor installation process

C.

When setting up API keys

D.

When performing a Host Search

Buy Now
Questions 29

Which of the following best describes the Default Sensor Update policy?

Options:

A.

The Default Sensor Update policy does not have the "Uninstall and maintenance protection" feature

B.

The Default Sensor Update policy is only used for testing sensor updates

C.

The Default Sensor Update policy is a "catch-all" policy

D.

The Default Sensor Update policy is disabled by default

Buy Now
Questions 30

What best describes what happens to detections in the console after clicking "Disable Detections" for a host from within the Host Management page?

Options:

A.

The detections for the host are removed from the console immediately and no new detections will display in the console going forward

B.

You cannot disable detections for a host

C.

Existing detections for the host remain, but no new detections will display in the console going forward

D.

Preventions will be disabled for the host

Buy Now
Questions 31

When would the No Action option be assigned to a hash in IOC Management?

Options:

A.

When you want to save the indicator for later action, but do not want to block or allow it at this time

B.

Add the indicator to your allowlist and do not detect it

C.

There is no such option as No Action available in the Falcon console

D.

Add the indicator to your blocklist and show it as a detection

Buy Now
Questions 32

Once an exclusion is saved, what can be edited in the future?

Options:

A.

All parts of the exclusion can be changed

B.

Only the selected groups and hosts to which the exclusion is applied can be changed

C.

Only the options to "Detect/Block" and/or "File Extraction" can be changed

D.

The exclusion pattern cannot be changed

Buy Now
Questions 33

What is the goal of a Network Containment Policy?

Options:

A.

Increase the aggressiveness of the assigned prevention policy

B.

Limit the impact of a compromised host on the network

C.

Gain more visibility into network activities

D.

Partition a network for privacy

Buy Now
Questions 34

Which of the following is NOT an available action for an API Client?

Options:

A.

Edit an API Client

B.

Reset an API Client Secret

C.

Retrieve an API Client Secret

D.

Delete an API Client

Buy Now
Questions 35

What three things does a workflow condition consist of?

Options:

A.

A parameter, an operator, and a value

B.

A beginning, a middle, and an end

C.

Triggers, actions, and alerts

D.

Notifications, alerts, and API's

Buy Now
Questions 36

You have been asked to troubleshoot why Script Based Execution Monitoring (SBEM) is not enabled on a Falcon host. Which report can be used to determine if this is an issue with an old prevention policy?

Options:

A.

Host Update Status Report

B.

Custom Alerting Audit Trail

C.

Prevention Policy Debug

D.

SBEM Debug Report

Buy Now
Questions 37

When performing targeted filtering for a host on the Host Management Page, which filter bar attribute is NOT case-sensitive?

Options:

A.

Username

B.

Model

C.

Domain

D.

Hostname

Buy Now
Questions 38

Which of the following uses Regex to create a detection or take a preventative action?

Options:

A.

Custom IOC

B.

Machine Learning Exclusion

C.

Custom IOA

D.

Sensor Visibility Exclusion

Buy Now
Questions 39

On the Host management page which filter could be used to quickly identify all devices categorized as a "Workstation" by the Falcon Platform?

Options:

A.

Status

B.

Platform

C.

Hostname

D.

Type

Buy Now
Questions 40

With Custom Alerts, it is possible to __________.

Options:

A.

schedule the alert to run at any interval

B.

receive an alert in an email

C.

configure prevention actions for alerting

D.

be alerted to activity in real-time

Buy Now
Questions 41

How do you assign a Prevention policy to one or more hosts?

Options:

A.

Create a new policy and assign it directly to those hosts on the Host Management page

B.

Modify the users roles on the User Management page

C.

Ensure the hosts are in a group and assign that group to a custom Prevention policy

D.

Create a new policy and assign it directly to those hosts on the Prevention policy page

Buy Now
Questions 42

When creating new IOCs in IOC management, which of the following fields must be configured?

Options:

A.

Hash, Description, Filename

B.

Hash, Action and Expiry Date

C.

Filename, Severity and Expiry Date

D.

Hash, Platform and Action

Buy Now
Questions 43

The Logon Activities Report includes all of the following information for a particular user EXCEPT __________.

Options:

A.

the account type for the user (e.g. Domain Administrator, Local User)

B.

all hosts the user logged into

C.

the logon type (e.g. interactive, service)

D.

the last time the user's password was set

Buy Now
Questions 44

What is the function of a single asterisk (*) in an ML exclusion pattern?

Options:

A.

The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path

B.

The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path

C.

The single asterisk is the insertion point for the variable list that follows the path

D.

The single asterisk is only used to start an expression, and it represents the drive letter

Buy Now
Questions 45

An administrator creating an exclusion is limited to applying a rule to how many groups of hosts?

Options:

A.

File exclusions are not aligned to groups or hosts

B.

There is a limit of three groups of hosts applied to any exclusion

C.

There is no limit and exclusions can be applied to any or all groups

D.

Each exclusion can be aligned to only one group of hosts

Buy Now
Exam Code: CCFA-200
Exam Name: CrowdStrike Certified Falcon Administrator
Last Update: Dec 26, 2024
Questions: 153
CCFA-200 pdf

CCFA-200 PDF

$25.5  $84.99
CCFA-200 Engine

CCFA-200 Testing Engine

$30  $99.99
CCFA-200 PDF + Engine

CCFA-200 PDF + Testing Engine

$40.5  $134.99