Weekend Special Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

CrowdStrike CCFA-200 CrowdStrike Certified Falcon Administrator Exam Practice Test

Page: 1 / 15
Total 153 questions

CrowdStrike Certified Falcon Administrator Questions and Answers

Question 1

When performing targeted filtering for a host on the Host Management Page, which filter bar attribute is NOT case-sensitive?

Options:

A.

Username

B.

Model

C.

Domain

D.

Hostname

Question 2

When creating an API client, which of the following must be saved immediately since it cannot be viewed again after the client is created?

Options:

A.

Base URL

B.

Secret

C.

Client ID

D.

Client name

Question 3

What best describes what happens to detections in the console after clicking "Enable Detections" for a host which previously had its detections disabled?

Options:

A.

Enables custom detections for the host

B.

New detections will start appearing in the console, and all retroactive stored detections will be restored to the console for that host

C.

New detections will start appearing in the console immediately. Previous detections will not be restored to the console for that host

D.

Preventions will be enabled for the host

Question 4

Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group. What is the next step to disable RTR only on these hosts?

Options:

A.

Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group

B.

Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"

C.

Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group

D.

Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality"

Question 5

What is the purpose of precedence with respect to the Sensor Update policy?

Options:

A.

Precedence applies to the Prevention policy and not to the Sensor Update policy

B.

Hosts assigned to multiple policies will assume the highest ranked policy in the list (policy with the lowest number)

C.

Hosts assigned to multiple policies will assume the lowest ranked policy in the list (policy with the highest number)

D.

Precedence ensures that conflicting policy settings are not set in the same policy

Question 6

Where can you modify settings to permit certain traffic during a containment period?

Options:

A.

Prevention Policy

B.

Host Settings

C.

Containment Policy

D.

Firewall Settings

Question 7

On which page of the Falcon console would you create sensor groups?

Options:

A.

User management

B.

Sensor update policies

C.

Host management

D.

Host groups

Question 8

Which of the following is an effective Custom IOA rule pattern to kill any process attempting to access www.badguydomain.com?

Options:

A.

.*badguydomain.com.*

B.

\Device\HarddiskVolume2\*.exe -SingleArgument www.badguydomain.com /kill

C.

badguydomain\.com.*

D.

Custom IOA rules cannot be created for domains

Question 9

What is the purpose of using groups with Sensor Update policies in CrowdStrike Falcon?

Options:

A.

To group hosts with others in the same business unit

B.

To group hosts according to the order in which Falcon was installed, so that updates are installed in the same order every time

C.

To prioritize the order in which Falcon updates are installed, so that updates are not installed all at once leading to network congestion

D.

To allow the controlled assignment of sensor versions onto specific hosts

Question 10

Which of the following scenarios best describes when you would add IP addresses to the containment policy?

Options:

A.

You want to automate the Network Containment process based on the IP address of a host

B.

Your organization has additional IP addresses that need to be able to access the Falcon console

C.

A new group of analysts need to be able to place hosts under Network Containment

D.

Your organization has resources that need to be accessible when hosts are network contained

Question 11

What can the Quarantine Manager role do?

Options:

A.

Manage and change prevention settings

B.

Manage quarantined files to release and download

C.

Manage detection settings

D.

Manage roles and users

Question 12

When would the No Action option be assigned to a hash in IOC Management?

Options:

A.

When you want to save the indicator for later action, but do not want to block or allow it at this time

B.

Add the indicator to your allowlist and do not detect it

C.

There is no such option as No Action available in the Falcon console

D.

Add the indicator to your blocklist and show it as a detection

Question 13

What should be disabled on firewalls so that the sensor's man-in-the-middle attack protection works properly?

Options:

A.

Deep packet inspection

B.

Linux Sub-System

C.

PowerShell

D.

Windows Proxy

Question 14

Which exclusion pattern will prevent detections on a file at C:\Program Files\My Program\My Files\program.exe?

Options:

A.

\Program Files\My Program\My Files\*

B.

\Program Files\My Program\*

C.

*\*

D.

*\Program Files\My Program\*\

Question 15

You notice there are multiple Windows hosts in Reduced functionality mode (RFM). What is the most likely culprit causing these hosts to be in RFM?

Options:

A.

A Sensor Update Policy was misconfigured

B.

A host was offline for more than 24 hours

C.

A patch was pushed overnight to all Windows systems

D.

A host was placed in network containment from a detection

Question 16

Which of the following options is a feature found ONLY with the Sensor-based Machine Learning (ML)?

Options:

A.

Next-Gen Antivirus (NGAV) protection

B.

Adware and Potentially Unwanted Program detection and prevention

C.

Real-time offline protection

D.

Identification and analysis of unknown executables

Question 17

Which option best describes the general process Whereinstallation of the Falcon Sensor on MacOS?

Options:

A.

Grant the Falcon Package Full Disk Access, install the Falcon package, use falconctl to license the sensor

B.

Install the Falcon package passing it the installation token in the command line

C.

Install the Falcon package, use falconctl to license the sensor, approve the system extension, grant the sensor Full Disk Access

D.

Grant the Falcon Package Full Disk Access, install the Falcon package, load the Falcon Sensor with the command 'falconctl stats'

Question 18

When a Linux host is in Reduced Functionality Mode (RFM) what telemetry and protection is still offered?

Options:

A.

The sensor would provide protection as normal, without event telemetry

B.

The sensor would provide minimal protection

C.

The sensor would function as normal

D.

The sensor provides no protection, and only collects Sensor Heart Beat events

Question 19

After Network Containing a host, your Incident Response team states they are unable to remotely connect to the host. Which of the following would need to be configured to allow remote connections from specified IP's?

Options:

A.

Response Policy

B.

Containment Policy

C.

Maintenance Token

D.

IP Allowlist Management

Question 20

Which role will allow someone to manage quarantine files?

Options:

A.

Falcon Security Lead

B.

Detections Exceptions Manager

C.

Falcon Analyst – Read Only

D.

Endpoint Manager

Question 21

What impact does disabling detections on a host have on an API?

Options:

A.

Endpoints with detections disabled will not alert on anything until detections are enabled again

B.

Endpoints cannot have their detections disabled individually

C.

DetectionSummaryEvent stops sending to the Streaming API for that host

D.

Endpoints with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed

Question 22

When troubleshooting the Falcon Sensor on Windows, what is the correct parameter to output the log directory to a specified file?

Options:

A.

LOG=log.txt

B.

\log log.txt

C.

C:\CSSensorlnstall\LogFiles

D.

/log log.txt

Question 23

A Falcon Administrator is trying to use Real-Time Response to start a session with a host that has a sensor installed but they are unable to connect. What is the most likely cause?

Options:

A.

The host has a user logged into it

B.

The domain controller is preventing the connection

C.

They do not have an RTR role assigned to them

D.

There is another analyst connected into it

Question 24

When creating a custom IOA for a specific domain, which syntax would be best for detecting or preventing on all subdomains as well?

Options:

A.

*\.baddomain\.xyz|baddomain\. xyz

B.

*baddomain\. xyz|baddomain\. xyz. *

C.

Custom IOA rules cannot be created for domains

D.

**baddomain\. xyz|baddomain\. xyz**

Question 25

Why do Sensor Update policies need to be configured for each OS (Windows, Mac, Linux)?

Options:

A.

To bundle the Sensor and Prevention policies together into a deployment package

B.

Sensor Update policies are OS dependent

C.

To assist with auditing and change management

D.

This is false. One policy can be applied to all Operating Systems

Question 26

What three things does a workflow condition consist of?

Options:

A.

A parameter, an operator, and a value

B.

A beginning, a middle, and an end

C.

Triggers, actions, and alerts

D.

Notifications, alerts, and API's

Question 27

You want the Falcon Cloud to push out sensor version changes but you also want to manually control when the sensor version is upgraded or downgraded. In the Sensor Update policy, which is the best Sensor version option to achieve these requirements?

Options:

A.

Specific sensor version number

B.

Auto - TEST-QA

C.

Sensor version updates off

D.

Auto - N-1

Question 28

Which of the following prevention policy settings monitors contents of scripts and shells for execution of malicious content on compatible operating systems?

Options:

A.

Script-based Execution Monitoring

B.

FileSystem Visibility

C.

Engine (Full Visibility)

D.

Suspicious Scripts and Commands

Question 29

On which page of the Falcon console can one locate the Customer ID (CID)?

Options:

A.

Hosts Management

B.

API Clients and Keys

C.

Sensor Dashboard

D.

Sensor Downloads

Question 30

While a host is Network contained, you need to allow the host to access internal network resources on specific IP addresses to perform patching and remediation. Which configuration would you choose?

Options:

A.

Configure a Real Time Response policy allowlist with the specific IP addresses

B.

Configure a Containment Policy with the specific IP addresses

C.

Configure a Containment Policy with the entire internal IP CIDR block

D.

Configure the Host firewall to allowlist the specific IP addresses

Question 31

You have been provided with a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers. They have asked you to ensure that they are not allowed to run in your environment. You have chosen to use Falcon to do this. Which is the best way to accomplish this?

Options:

A.

Using the Support Portal, create a support ticket and include the list of binary hashes, asking support to create an "Execution Prevention" rule to prevent these processes from running

B.

Using Custom Alerts in the Investigate App, create a new alert using the template "Process Execution" and within that rule, select the option to "Block Execution"

C.

Using IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking.

D.

Using the API, gather the list of SHA256 or MD5 hashes for each binary and then upload them, setting them all to "Never Allow"

Question 32

Why is it important to know your company's event data retention limits in the Falcon platform?

Options:

A.

This is not necessary; you simply select "All Time" in your query to search all data

B.

You will not be able to search event data into the past beyond your retention period

C.

Data such as process records are kept for a shorter time than event data

D.

Your query will require you to specify the data pool associated with the date you wish to search

Question 33

Which of the following is NOT an available action for an API Client?

Options:

A.

Edit an API Client

B.

Reset an API Client Secret

C.

Retrieve an API Client Secret

D.

Delete an API Client

Question 34

Which command would tell you if a Falcon Sensor was running on a Windows host?

Options:

A.

cswindiag.exe -status

B.

netstat.exe -f

C.

sc.exe query csagent

D.

sc.exe query falcon

Question 35

Which report lists counts of sensors in Reduced Functionality Mode (RFM) for all operating system types, and tracks how long a sensor version will be supported?

Options:

A.

Reduce Functionality Audit Report

B.

Sensor Health Report

C.

Sensor Coverage Lookup

D.

Inactive Sensor Report

Question 36

You are evaluating the most appropriate Prevention Policy Machine Learning slider settings for your environment. In your testing phase, you configure the Detection slider as Aggressive. After running the sensor with this configuration for 1 week of testing, which Audit report should you review to determine the best Machine Learning slider settings for your organization?

Options:

A.

Prevention Policy Audit Trail

B.

Prevention Policy Debug

C.

Prevention Hashes Ignored

D.

Machine-Learning Prevention Monitoring

Question 37

Which of the following is TRUE regarding disabling detections for a host?

Options:

A.

After disabling detections, the host will operate in Reduced Functionality Mode (RFM) until detections are enabled

B.

After disabling detections, the data for all existing detections prior to disabling detections is removed from the Event Search

C.

The DetectionSummaryEvent continues being sent to the Streaming API for that host

D.

The detections for that host are removed from the console immediately. No new detections will display in the console going forward unless detections are enabled

Question 38

An administrator creating an exclusion is limited to applying a rule to how many groups of hosts?

Options:

A.

File exclusions are not aligned to groups or hosts

B.

There is a limit of three groups of hosts applied to any exclusion

C.

There is no limit and exclusions can be applied to any or all groups

D.

Each exclusion can be aligned to only one group of hosts

Question 39

An analyst has reported they are not receiving workflow triggered notifications in the past few days. Where should you first check for potential failures?

Options:

A.

Custom Alert History

B.

Workflow Execution log

C.

Workflow Audit log

D.

Falcon UI Audit Trail

Question 40

Which of the follow should be used with extreme caution because it may introduce additional security risks such as malware or other attacks which would not be recorded, detected, or prevented based on the exclusion syntax?

Options:

A.

Sensor Visibility Exclusion

B.

Machine Learning Exclusions

C.

IOC Exclusions

D.

IOA Exclusions

Question 41

When configuring a specific prevention policy, the admin can align the policy to two different types of groups, Host Groups and which other?

Options:

A.

Custom IOA Rule Groups

B.

Custom IOC Groups

C.

Enterprise Groups

D.

Operating System Groups

Question 42

You need to have the ability to monitor suspicious VBA macros. Which Sensor Visibility setting should be turned on within the Prevention policy settings?

Options:

A.

Script-based Execution Monitoring

B.

Interpreter-Only

C.

Additional User Mode Data

D.

Engine (Full Visibility)

Question 43

Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?

Options:

A.

Real Time Responder

B.

Endpoint Manager

C.

Falcon Investigator

D.

Remediation Manager

Question 44

Why is the ability to disable detections helpful?

Options:

A.

It gives users the ability to set up hosts to test detections and later remove them from the console

B.

It gives users the ability to uninstall the sensor from a host

C.

It gives users the ability to allowlist a false positive detection

D.

It gives users the ability to remove all data from hosts that have been uninstalled

Question 45

How many days will an inactive host remain visible within the Host Management or Trash pages?

Options:

A.

45 days

B.

15 days

C.

90 days

D.

120 days

Page: 1 / 15
Total 153 questions