Real CrowdStrike Certified Falcon Administrator (CCFA) CCFA-200 Test Questions

Eleanor2024-10-14T15:17:51+00:00

By Eleanor CCFA, CrowdStrike

The CrowdStrike Certified Falcon Administrator (CCFA) certification offers a great opportunity for beginners or professionals to advance their careers. They can learn new in-demand skills and upgrade their knowledge. Real CCFA-200 test questions are available online, you can have the real questions and precise answers for regular practice before the actual exam. We are quite confident that with the ITPrepare real CCFA-200 test questions you will get everything that you needed to prepare and pass the challenging CCFA-200 exam with good scores.

Also, you can have a chance to feel the free CrowdStrike CCFA-200 demo questions first:

Page 1 of 3

1. What is the purpose of using groups with Sensor Update policies in CrowdStrike Falcon?

To group hosts with others in the same business unit

To group hosts according to the order in which Falcon was installed, so that updates are installed in the same order every time

To prioritize the order in which Falcon updates are installed, so that updates are not installed all at once leading to network congestion

To allow the controlled assignment of sensor versions onto specific hosts

2. What command should be run to verify if a Windows sensor is running?

regedit myfile.reg

sc query csagent

netstat -f

ps -ef | grep falcon

3. Which role will allow someone to manage quarantine files?

Falcon Security Lead

Detections Exceptions Manager

Falcon Analyst C Read Only

Endpoint Manager

4. What is the purpose of precedence with respect to the Sensor Update policy?

Precedence applies to the Prevention policy and not to the Sensor Update policy

Hosts assigned to multiple policies will assume the highest ranked policy in the list (policy with the lowest number)

Hosts assigned to multiple policies will assume the lowest ranked policy in the list (policy with the highest number)

Precedence ensures that conflicting policy settings are not set in the same policy

5. Under the "Next-Gen Antivirus: Cloud Machine Learning" setting there are two categories, one of them is "Cloud Anti-Malware" and the other is:

Adware & PUP

Advanced Machine Learning

Sensor Anti-Malware

Execution Blocking

6. When creating new IOCs in IOC management, which of the following fields must be configured?

Hash, Description, Filename

Hash, Action and Expiry Date

Filename, Severity and Expiry Date

Hash, Platform and Action

7. Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host.

What is the most appropriate role that can be added to fullfil this requirement?

Remediation Manager

Real Time Responder C Read Only Analyst

Falcon Analyst C Read Only

Real Time Responder C Active Responder

8. Which of the following is TRUE of the Logon Activities Report?

Shows a graphical view of user logon activity and the hosts the user connected to

The report can be filtered by computer name

It gives a detailed list of all logon activity for users

It only gives a summary of the last logon activity for users

9. Where can you modify settings to permit certain traffic during a containment period?

Prevention Policy

Host Settings

Containment Policy

Firewall Settings

10. Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group.

What is the next step to disable RTR only on these hosts?

Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group

Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"

Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group

Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality"

Page 2 of 3

11. When creating a Host Group for all Workstations in an environment, what is the best method to ensure all workstation hosts are added to the group?

Create a Dynamic Group with Type=Workstation Assignment

Create a Dynamic Group and Import All Workstations

Create a Static Group and Import all Workstations

Create a Static Group with Type=Workstation Assignment

12. Which is the correct order for manually installing a Falcon Package on a macOS system?

Install the Falcon package, then register the Falcon Sensor via the registration package

Install the Falcon package, then register the Falcon Sensor via command line

13. Which exclusion pattern will prevent detections on a file at C:Program FilesMy ProgramMy Filesprogram.exe?

Program FilesMy ProgramMy Files*

Program FilesMy Program*

*Program FilesMy Program*

14. When a host is placed in Network Containment, which of the following is TRUE?

The host machine is unable to send or receive network traffic outside of the local network

The host machine is unable to send or receive network traffic except to/from the Falcon Cloud and traffic allowed in the Firewall Policy

The host machine is unable to send or receive any network traffic

The host machine is unable to send or receive network traffic except to/from the Falcon Cloud and any resources allowlisted in the Containment Policy

15. How do you disable all detections for a host?

Create an exclusion rule and apply it to the machine or group of machines

Contact support and provide them with the Agent ID (AID) for the machine and they will put it on the Disabled Hosts list in your Customer ID (CID)

You cannot disable all detections on individual hosts as it would put them at risk

In Host Management, select the host and then choose the option to Disable Detections

16. Which role allows a user to connect to hosts using Real-Time Response?

Endpoint Manager

Falcon Administrator

Real Time Responder C Active Responder

Prevention Hashes Manager

17. What is the most common cause of a Windows Sensor entering Reduced Functionality Mode (RFM)?

Falcon console updates are pending

Falcon sensors installing an update

Notifications have been disabled on that host sensor

Microsoft updates

18. 1.An analyst has reported they are not receiving workflow triggered notifications in the past few days.

Where should you first check for potential failures?

Custom Alert History

Workflow Execution log

Workflow Audit log

Falcon UI Audit Trail

19. You are attempting to install the Falcon sensor on a host with a slow Internet connection and the installation fails after 20 minutes.

Which of the following parameters can be used to override the 20 minute default provisioning window?

ExtendedWindow=1

Timeout=0

ProvNoWait=1

Timeout=30

20. How are user permissions set in Falcon?

Permissions are assigned to a User Group and then users are assigned to that group, thereby inheriting those permissions

Pre-defined permissions are assigned to sets called roles. Users can be assigned multiple roles based on job function and they assume a cumulative set of permissions based on those assignments

An administrator selects individual granular permissions from the Falcon Permissions List during user creation

Permissions are token-based. Users request access to a defined set of permissions and an administrator adds their token to the set of permissions

Page 3 of 3

21. You have created a Sensor Update Policy for the Mac platform.

Which other operating system(s) will this policy manage?

*nix

Windows

Both Windows and *nix

Only Mac

22. You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints.

What is the best way to prevent these in the future?

Contact support and request that they modify the Machine Learning settings to no longer include this detection

Using IOC Management, add the hash of the binary in question and set the action to "Allow"

Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"

Using IOC Management, add the hash of the binary in question and set the action to "No Action"

23. What is the maximum number of patterns that can be added when creating a new exclusion?

24. Which of the following Machine Learning (ML) sliders will only detect or prevent high confidence malicious items?

Aggressive

Cautious

Minimal

Moderate

25. Once an exclusion is saved, what can be edited in the future?

All parts of the exclusion can be changed

Only the selected groups and hosts to which the exclusion is applied can be changed

Only the options to "Detect/Block" and/or "File Extraction" can be changed

The exclusion pattern cannot be changed

26. Why is the ability to disable detections helpful?

It gives users the ability to set up hosts to test detections and later remove them from the console

It gives users the ability to uninstall the sensor from a host

It gives users the ability to allowlist a false positive detection

It gives users the ability to remove all data from hosts that have been uninstalled

27. What impact does disabling detections on a host have on an API?

Endpoints with detections disabled will not alert on anything until detections are enabled again

Endpoints cannot have their detections disabled individually

DetectionSummaryEvent stops sending to the Streaming API for that host

Endpoints with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed

28. When uninstalling a sensor, which of the following is required if the 'Uninstall and maintenance protection' setting is enabled within the Sensor Update Policies?

Maintenance token

Customer ID (CID)

Bulk update key

Agent ID (AID)

29. In order to quarantine files on the host, what prevention policy settings must be enabled?

Malware Protection and Custom Execution Blocking must be enabled

Next-Gen Antivirus Prevention sliders and "Quarantine & Security Center Registration" must be enabled

Malware Protection and Windows Anti-Malware Execution Blocking must be enabled

Behavior-Based Threat Prevention sliders and Advanced Remediation Actions must be enabled

30. Which option allows you to exclude behavioral detections from the detections page?

Machine Learning Exclusion

IOA Exclusion

IOC Exclusion

Sensor Visibility Exclusion

Real CrowdStrike Certified Falcon Administrator (CCFA) CCFA-200 Test Questions

Real CrowdStrike Certified Falcon Administrator (CCFA) CCFA-200 Test Questions

Also, you can have a chance to feel the free CrowdStrike CCFA-200 demo questions first:

Share this post

Author