CCFA-200 CrowdStrike Certified Falcon Administrator Question and Answers

Question # 4

What is the most common cause of a Windows Sensor entering Reduced Functionality Mode (RFM)?

A. Falcon console updates are pending
B. Falcon sensors installing an update
C. Notifications have been disabled on that host sensor
D. Microsoft updates

Question # 5

Which report can assist in determining the appropriate Machine Learning levels to set in a Prevention Policy?

A. Sensor Report
B. Machine Learning Prevention Monitoring
C. Falcon UI Audit Trail
D. Machine Learning Debug

Question # 6

When configuring a specific prevention policy, the admin can align the policy to two different types of groups, Host Groups and which other?

A. Custom IOA Rule Groups
B. Custom IOC Groups
C. Enterprise Groups
D. Operating System Groups

Question # 7

A. Enable Behavior-Based Threat Prevention sliders and Advanced Remediation Actions
B. Enable Malware Protection and Windows Anti-Malware Execution Blocking
C. Enable Next-Gen Antivirus Prevention sliders and "Quarantine & Security Center Registration"
D. Enable Malware Protection and Custom Execution Blocking

Question # 8

Which report lists counts of sensors in Reduced Functionality Mode (RFM) for all operating system types, and tracks how long a sensor version will be supported?

A. Reduce Functionality Audit Report
B. Sensor Health Report
C. Sensor Coverage Lookup
D. Inactive Sensor Report

Question # 9

What is the purpose of precedence with respect to the Sensor Update policy?

A. Precedence applies to the Prevention policy and not to the Sensor Update policy
B. Hosts assigned to multiple policies will assume the highest ranked policy in the list (policy with the lowest number)
C. Hosts assigned to multiple policies will assume the lowest ranked policy in the list (policy with the highest number)
D. Precedence ensures that conflicting policy settings are not set in the same policy

Question # 10

Which option allows you to exclude behavioral detections from the detections page?

A. Machine Learning Exclusion
B. IOA Exclusion
C. IOC Exclusion
D. Sensor Visibility Exclusion

Question # 11

Which of the following is NOT an available action for an API Client?

A. Edit an API Client
B. Reset an API Client Secret
C. Retrieve an API Client Secret
D. Delete an API Client

Question # 12

Why is it important to know your company's event data retention limits in the Falcon platform?

A. This is not necessary; you simply select "All Time" in your query to search all data
B. You will not be able to search event data into the past beyond your retention period
C. Data such as process records are kept for a shorter time than event data
D. Your query will require you to specify the data pool associated with the date you wish to search

Question # 13

With Custom Alerts, it is possible to __________.

A. schedule the alert to run at any interval
B. receive an alert in an email
C. configure prevention actions for alerting
D. be alerted to activity in real-time

Question # 14

Which of the following pages provides a count of sensors in Reduced Functionality Mode (RFM) by Operating System?

A. Support and resources
B. Activity Overview
C. Hosts Overview
D. Sensor Health

Question # 15

You are attempting to install the Falcon sensor on a host with a slow Internet connection and the installation fails after 20 minutes. Which of the following parameters can be used to override the 20-minute default provisioning window?

A. ExtendedWindow=1
B. Timeout=0
C. ProvNoWait=1
D. Timeout=30

Question # 16

When performing targeted filtering for a host on the Host Management Page, which filter bar attribute is NOT case-sensitive?

A. Username
B. Model
C. Domain
D. Hostname

Question # 17

What information does the API Audit Trail Report provide?

A. A list of analyst login activity
B. A list of specific changes to prevention policy
C. A list of actions taken via Falcon OAuth2-based APIs
D. A list of newly added hosts

Question # 18

Which statement is TRUE regarding disabling detections on a host?

A. Hosts with detections disabled will not alert on blocklisted hashes or machine learning detections, but will still alert on IOA-based detections. It will remain that way until detections are enabled again
B. Hosts with detections disabled will not alert on anything until detections are enabled again
C. Hosts with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed
D. Hosts cannot have their detections disabled individually

Question # 19

After agent installation, an agent opens a permanent ______ connection over port 443 and keeps that connection open until the endpoint is turned off or the network connection is terminated.

A. SSH
B. TLS
C. HTTP
D. TCP

Question # 20

Which of the following Machine Learning (ML) sliders will only detect or prevent high confidence malicious items?

A. Aggressive
B. Cautious
C. Minimal
D. Moderate

Question # 21

What three things does a workflow condition consist of?

A. A parameter, an operator, and a value
B. A beginning, a middle, and an end
C. Triggers, actions, and alerts
D. Notifications, alerts, and APIs

Question # 22

What is the function of a single asterisk (*) in an ML exclusion pattern?

A. The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path
B. The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path
C. The single asterisk is the insertion point for the variable list that follows the path
D. The single asterisk is only used to start an expression, and it represents the drive letter

Question # 23

Which option best describes the general process for installation of the Falcon Sensor on macOS?

A. Grant the Falcon Package Full Disk Access, install the Falcon package, use falconctl to license the sensor
B. Install the Falcon package passing it the installation token in the command line
C. Install the Falcon package, use falconctl to license the sensor, approve the system extension, grant the sensor Full Disk Access
D. Grant the Falcon Package Full Disk Access, install the Falcon package, load the Falcon Sensor with the command 'falconctl stats'

Question # 24

You want to create a detection-only policy. How do you set this up in your policy's settings?

A. Enable the detection sliders and disable the prevention sliders. Then ensure that Next Gen Antivirus is enabled so it will disable Windows Defender.
B. Select the "Detect-Only" template. Disable hash blocking and exclusions.
C. You can't create a policy that detects but does not prevent. Use Custom IOA rules to detect.
D. Set the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled. Do not activate any of the other blocking or malware prevention options.

Question # 25

When would the No Action option be assigned to a hash in IOC Management?

A. When you want to save the indicator for later action, but do not want to block or allow it at this time
B. Add the indicator to your allowlist and do not detect it
C. There is no such option as No Action available in the Falcon console
D. Add the indicator to your blocklist and show it as a detection

Question # 26

When a user initiates a sensor install, where can the logs be found?

A. %SYSTEMROOT%\Logs
B. %SYSTEMROOT%\Temp
C. %LOCALAPPDATA%\Logs
D. %LOCALAPPDATA%\Temp

Question # 27

How can an API client secret be viewed after it has been created?

A. Within the API management page, API client secrets can be accessed within the "edit client" functionality
B. The API client secret must be reset or a new client created, as the secret cannot be viewed after it has been created
C. The API client secret can be provided by support via direct email request from a Falcon Administrator
D. Selecting "show secret" within the 3-dot dropdown menu will reveal the secret for the selected API client

Question # 28

When a Linux host is in Reduced Functionality Mode (RFM), what telemetry and protection is still offered?

A. The sensor would provide protection as normal, without event telemetry
B. The sensor would provide minimal protection
C. The sensor would function as normal
D. The sensor provides no protection, and only collects Sensor Heart Beat events

Question # 29

You have been provided with a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers. They have asked you to ensure that they are not allowed to run in your environment. You have chosen to use Falcon to do this. Which is the best way to accomplish this?

A. Using the Support Portal, create a support ticket and include the list of binary hashes, asking support to create an "Execution Prevention" rule to prevent these processes from running
B. Using Custom Alerts in the Investigate App, create a new alert using the template "Process Execution" and within that rule, select the option to "Block Execution"
C. Using IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking.
D. Using the API, gather the list of SHA256 or MD5 hashes for each binary and then upload them, setting them all to "Never Allow"

Question # 30

Which of the following is NOT a way to determine the sensor version installed on a specific endpoint?

A. Use the Sensor Report to filter to the specific endpoint
B. Use the Investigate > Host Search to filter to the specific endpoint
C. Use Host Management to select the desired endpoint. The agent version will be listed in the columns and details
D. From a command line, run the sc query csagent -version command

Question # 31

Which role allows a user to connect to hosts using Real-Time Response?

A. Endpoint Manager
B. Falcon Administrator
C. Real Time Responder – Active Responder
D. Prevention Hashes Manager

Question # 32

What is the maximum number of patterns that can be added when creating a new exclusion?

A. 10
B. 0
C. 1
D. 5

Question # 33

You are evaluating the most appropriate Prevention Policy Machine Learning slider settings for your environment. In your testing phase, you configure the Detection slider as Aggressive. After running the sensor with this configuration for 1 week of testing, which Audit report should you review to determine the best Machine Learning slider settings for your organization?

A. Prevention Policy Audit Trail
B. Prevention Policy Debug
C. Prevention Hashes Ignored
D. Machine-Learning Prevention Monitoring

Question # 34

You are beginning the rollout of the Falcon Sensor for the first time side-by-side with your existing security solution. You need to configure the Machine Learning levels of the Prevention Policy so it does not interfere with existing solutions during the testing phase. What settings do you choose?

A. Detection slider: Extra Aggressive; Prevention slider: Cautious
B. Detection slider: Moderate; Prevention slider: Disabled
C. Detection slider: Cautious; Prevention slider: Cautious
D. Detection slider: Disabled; Prevention slider: Disabled

Question # 35

Why would you assign hosts to a static group instead of a dynamic group?

A. You do not want the group membership to change automatically
B. You are managing more than 1000 hosts
C. You need hosts to be automatically assigned to a group
D. You want the group to contain hosts from multiple operating systems

Question # 36

After Network Containing a host, your Incident Response team states they are unable to remotely connect to the host. Which of the following would need to be configured to allow remote connections from specified IPs?

A. Response Policy
B. Containment Policy
C. Maintenance Token
D. IP Allowlist Management

Question # 37

What may prevent a user from logging into Falcon via single sign-on (SSO)?

A. The SSO username doesn't match their email address in Falcon
B. The maintenance token has expired
C. Falcon is in reduced functionality mode
D. The user never configured their security questions

Question # 38

Which of the following options is a feature found ONLY with the Sensor-based Machine Learning (ML)?

A. Next-Gen Antivirus (NGAV) protection
B. Adware and Potentially Unwanted Program detection and prevention
C. Real-time offline protection
D. Identification and analysis of unknown executables

Question # 39

You want the Falcon Cloud to push out sensor version changes but you also want to manually control when the sensor version is upgraded or downgraded. In the Sensor Update policy, which is the best Sensor version option to achieve these requirements?

A. Specific sensor version number
B. Auto - TEST-QA
C. Sensor version updates off
D. Auto - N-1

Question # 40

Where should you look to find the history of the successes and failures for any Falcon Fusion workflows?

A. Workflow Execution log
B. Falcon UI Audit Trail
C. Workflow Audit log
D. Custom Alert History

Question # 41

How do you assign a policy to a specific group of hosts?

A. Create a group containing the desired hosts using "Static Assignment." Go to the Assigned Host Groups tab of the desired policy and click "Add groups to policy." Select the desired Group(s).
B. Assign a tag to the desired hosts in Host Management. Create a group with an assignment rule based on that tag. Go to the Assignment tab of the desired policy and click "Add Groups to Policy." Select the desired Group(s).
C. Create a group containing the desired hosts using "Dynamic Assignment." Go to the Assigned Host Groups tab of the desired policy and select criteria such as OU, OS, Hostname pattern, etc.
D. On the Assignment tab of the desired policy, select "Static" assignment. From the next window, select the desired hosts (using filters if needed) and click Add.

Question # 42

When editing an existing IOA exclusion, what can NOT be edited?

A. The IOA name
B. All parts of the exclusion can be changed
C. The exclusion name
D. The host groups

Question # 43

Why is the ability to disable detections helpful?

A. It gives users the ability to set up hosts to test detections and later remove them from the console
B. It gives users the ability to uninstall the sensor from a host
C. It gives users the ability to allowlist a false positive detection
D. It gives users the ability to remove all data from hosts that have been uninstalled

Question # 44

How does the Unique Hosts Connecting to Countries Map help an administrator?

A. It highlights countries with known malware
B. It helps visualize global network communication
C. It identifies connections containing threats
D. It displays intrusions from foreign countries

Question # 45

When a host belongs to more than one host group, how is sensor update precedence determined?

A. Groups have no impact on sensor update policies
B. Sensors of hosts that belong to more than one group must be manually updated
C. The highest precedence policy from the most important group is applied to the host
D. All of the host's groups are examined in aggregate and the policy with highest precedence is applied to the host