New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Free and Premium CrowdStrike CCFA-200 Dumps Questions Answers

Page: 1 / 11
Total 153 questions

CrowdStrike Certified Falcon Administrator Questions and Answers

Question 1

How do you disable all detections for a host?

Options:

A.

Create an exclusion rule and apply it to the machine or group of machines

B.

Contact support and provide them with the Agent ID (AID) for the machine and they will put it on the Disabled Hosts list in your Customer ID (CID)

C.

You cannot disable all detections on individual hosts as it would put them at risk

D.

In Host Management, select the host and then choose the option to Disable Detections

Buy Now
Question 2

On which page of the Falcon console can one locate the Customer ID (CID)?

Options:

A.

Hosts Management

B.

API Clients and Keys

C.

Sensor Dashboard

D.

Sensor Downloads

Question 3

When creating new IOCs in IOC management, which of the following fields must be configured?

Options:

A.

Hash, Description, Filename

B.

Hash, Action and Expiry Date

C.

Filename, Severity and Expiry Date

D.

Hash, Platform and Action

Question 4

Where can you find your company's Customer ID (CID)?

Options:

A.

The CID is a secret key used for Falcon communication and is never shared with the customer

B.

The CID is only available by calling support

C.

The CID is located at Hosts setup and management > Deploy > Sensor Downloads and is listed along with the

checksum

D.

The CID is located at Hosts > Host Management

Question 5

Which of the following Machine Learning (ML) sliders will only detect or prevent high confidence malicious items?

Options:

A.

Aggressive

B.

Cautious

C.

Minimal

D.

Moderate

Question 6

Which is the correct order for manually installing a Falcon Package on a macOS system?

Options:

A.

Install the Falcon package, then register the Falcon Sensor via the registration package

B.

Install the Falcon package, then register the Falcon Sensor via command line

C.

Register the Falcon Sensor via command line, then install the Falcon package

D.

Register the Falcon Sensor via the registration package, then install the Falcon package

Question 7

You want to create a detection-only policy. How do you set this up in your policy's settings?

Options:

A.

Enable the detection sliders and disable the prevention sliders. Then ensure that Next Gen Antivirus is enabled so it will disable Windows Defender.

B.

Select the "Detect-Only" template. Disable hash blocking and exclusions.

C.

You can't create a policy that detects but does not prevent. Use Custom IOA rules to detect.

D.

Set the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled. Do not activate any of the other blocking or malware prevention options.

Question 8

How many "Auto" sensor version update options are available for Windows Sensor Update Policies?

Options:

A.

1

B.

2

C.

0

D.

3

Question 9

Where do you obtain the Windows sensor installer for CrowdStrike Falcon?

Options:

A.

Sensors are downloaded from the Hosts > Sensor Downloads

B.

Sensor installers are unique to each customer and must be obtained from support

C.

Sensor installers are downloaded from the Support section of the CrowdStrike website

D.

Sensor installers are not used because sensors are deployed from within Falcon

Question 10

What best describes what happens to detections in the console after clicking "Disable Detections" for a host from within the Host Management page?

Options:

A.

The detections for the host are removed from the console immediately and no new detections will display in the console going forward

B.

You cannot disable detections for a host

C.

Existing detections for the host remain, but no new detections will display in the console going forward

D.

Preventions will be disabled for the host

Question 11

Where can you modify settings to permit certain traffic during a containment period?

Options:

A.

Prevention Policy

B.

Host Settings

C.

Containment Policy

D.

Firewall Settings

Question 12

Which of the following options is a feature found ONLY with the Sensor-based Machine Learning (ML)?

Options:

A.

Next-Gen Antivirus (NGAV) protection

B.

Adware and Potentially Unwanted Program detection and prevention

C.

Real-time offline protection

D.

Identification and analysis of unknown executables

Question 13

What is the name for the unique host identifier in Falcon assigned to each sensor during sensor installation?

Options:

A.

Endpoint ID (EID)

B.

Agent ID (AID)

C.

Security ID (SID)

D.

Computer ID (CID)

Question 14

An analyst has reported they are not receiving workflow triggered notifications in the past few days. Where should you first check for potential failures?

Options:

A.

Custom Alert History

B.

Workflow Execution log

C.

Workflow Audit log

D.

Falcon UI Audit Trail

Question 15

Which of the following can a Falcon Administrator edit in an existing user's profile?

Options:

A.

First or Last name

B.

Phone number

C.

Email address

D.

Working groups

Question 16

With Custom Alerts, it is possible to __________.

Options:

A.

schedule the alert to run at any interval

B.

receive an alert in an email

C.

configure prevention actions for alerting

D.

be alerted to activity in real-time

Question 17

What is the purpose of a containment policy?

Options:

A.

To define which Falcon analysts can contain endpoints

B.

To define the duration of Network Containment

C.

To define the trigger under which a machine is put in Network Containment (e.g. a critical detection)

D.

To define allowed IP addresses over which your hosts will communicate when contained

Question 18

Which option best describes the general process Whereinstallation of the Falcon Sensor on MacOS?

Options:

A.

Grant the Falcon Package Full Disk Access, install the Falcon package, use falconctl to license the sensor

B.

Install the Falcon package passing it the installation token in the command line

C.

Install the Falcon package, use falconctl to license the sensor, approve the system extension, grant the sensor Full Disk Access

D.

Grant the Falcon Package Full Disk Access, install the Falcon package, load the Falcon Sensor with the command 'falconctl stats'

Question 19

Under the "Next-Gen Antivirus: Cloud Machine Learning" setting there are two categories, one of them is "Cloud Anti-Malware" and the other is:

Options:

A.

Adware & PUP

B.

Advanced Machine Learning

C.

Sensor Anti-Malware

D.

Execution Blocking

Question 20

What must an admin do to reset a user's password?

Options:

A.

From User Management, open the account details for the affected user and select "Generate New Password"

B.

From User Management, select "Reset Password" from the three dot menu for the affected user account

C.

From User Management, select "Update Account" and manually create a new password for the affected user account

D.

From User Management, the administrator must rebuild the account as the certificate for user specific private/public key generation is no longer valid

Question 21

Which of the following is NOT a way to determine the sensor version installed on a specific endpoint?

Options:

A.

Use the Sensor Report to filter to the specific endpoint

B.

Use the Investigate > Host Search to filter to the specific endpoint

C.

Use Host Management to select the desired endpoint. The agent version will be listed in the columns and details

D.

From a command line, run the sc query csagent -version command

Question 22

How do you find a list of inactive sensors?

Options:

A.

The Falcon platform does not provide reporting for inactive sensors

B.

A sensor is always considered active until removed by an Administrator

C.

Run the Inactive Sensor Report in the Host setup and management option

D.

Run the Sensor Aging Report within the Investigate option

Question 23

Which report can assist in determining the appropriate Machine Learning levels to set in a Prevention Policy?

Options:

A.

Sensor Report

B.

Machine Learning Prevention Monitoring

C.

Falcon UI Audit Trail

D.

Machine Learning Debug

Question 24

What should be disabled on firewalls so that the sensor's man-in-the-middle attack protection works properly?

Options:

A.

Deep packet inspection

B.

Linux Sub-System

C.

PowerShell

D.

Windows Proxy

Question 25

What would be the most appropriate action to take if you wanted to prevent a folder from being uploaded to the cloud without disabling uploads globally?

Options:

A.

A Machine Learning exclusion

B.

A Sensor Visibility exclusion

C.

An IOA exclusion

D.

A Custom IOC entry

Question 26

Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?

Options:

A.

Real Time Responder

B.

Endpoint Manager

C.

Falcon Investigator

D.

Remediation Manager

Question 27

One of your development teams is working on code for a new enterprise application but Falcon continually flags the execution as a detection during testing. All development work is required to be stored on a file share in a folder called "devcode." What setting can you use to reduce false positives on this file path?

Options:

A.

USB Device Policy

B.

Firewall Rule Group

C.

Containment Policy

D.

Machine Learning Exclusions

Question 28

Which of the following scenarios best describes when you would add IP addresses to the containment policy?

Options:

A.

You want to automate the Network Containment process based on the IP address of a host

B.

Your organization has additional IP addresses that need to be able to access the Falcon console

C.

A new group of analysts need to be able to place hosts under Network Containment

D.

Your organization has resources that need to be accessible when hosts are network contained

Question 29

What can exclusions be applied to?

Options:

A.

Individual hosts selected by the administrator

B.

Either all hosts or specified groups

C.

Only the default host group

D.

Only the groups selected by the administrator

Question 30

How does the Unique Hosts Connecting to Countries Map help an administrator?

Options:

A.

It highlights countries with known malware

B.

It helps visualize global network communication

C.

It identifies connections containing threats

D.

It displays intrusions from foreign countries

Question 31

After agent installation, an agent opens a permanent___connection over port 443 and keeps that connection open until the endpoint is turned off or the network connection is terminated.

Options:

A.

SSH

B.

TLS

C.

HTTP

D.

TCP

Question 32

When the Notify End Users policy setting is turned on, which of the following is TRUE?

Options:

A.

End users will not be notified as we would not want to notify a malicious actor of a detection. This setting does not exist

B.

End users will be immediately notified via a pop-up that their machine is in-network isolation

C.

End-users receive a pop-up notification when a prevention action occurs

D.

End users will receive a pop-up allowing them to confirm or refuse a pending quarantine

Question 33

Under which scenario can Sensor Tags be assigned?

Options:

A.

While triaging a detection

B.

While managing hosts in the Falcon console

C.

While updating a sensor in the Falcon console

D.

While installing a sensor

Question 34

What is the maximum number of patterns that can be added when creating a new exclusion?

Options:

A.

10

B.

0

C.

1

D.

5

Question 35

Which role will allow someone to manage quarantine files?

Options:

A.

Falcon Security Lead

B.

Detections Exceptions Manager

C.

Falcon Analyst – Read Only

D.

Endpoint Manager

Question 36

Options:

A.

Enable Behavior-Based Threat Prevention sliders and Advanced Remediation Actions

B.

Enable Malware Protection and Windows Anti-Malware Execution Blocking

C.

Enable Next-Gen Antivirus Prevention sliders and "Quarantine & Security Center Registration

D.

Enable Malware Protection and Custom Execution Blocking

Question 37

What is the function of a single asterisk (*) in an ML exclusion pattern?

Options:

A.

The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path

B.

The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path

C.

The single asterisk is the insertion point for the variable list that follows the path

D.

The single asterisk is only used to start an expression, and it represents the drive letter

Question 38

In order to exercise manual control over the sensor upgrade process, as well as prevent unauthorized users from uninstalling or upgrading the sensor, which settings in the Sensor Update Policy would meet this criteria?

Options:

A.

Sensor version set to N-1 and Bulk maintenance mode is turned on

B.

Sensor version fixed and Uninstall and maintenance protection turned on

C.

Sensor version updates off and Uninstall and maintenance protection turned off

D.

Sensor version set to N-2 and Bulk maintenance mode is turned on

Question 39

What may prevent a user from logging into Falcon via single sign-on (SSO)?

Options:

A.

The SSO username doesn't match their email address in Falcon

B.

The maintenance token has expired

C.

Falcon is in reduced functionality mode

D.

The user never configured their security questions

Question 40

Why would you assign hosts to a static group instead of a dynamic group?

Options:

A.

You do not want the group membership to change automatically

B.

You are managing more than 1000 hosts

C.

You need hosts to be automatically assigned to a group

D.

You want the group to contain hosts from multiple operating systems

Question 41

Which of the following tools developed by Crowdstrike is intended to help with removal of the CrowdStrike Windows Falcon Sensor?

Options:

A.

CrowdStrikeRemovalTool.exe

B.

UninstallTool.exe

C.

CSUninstallTool.exe

D.

FalconUninstall.exe

Question 42

An analyst is asked to retrieve an API client secret from a previously generated key. How can they achieve this?

Options:

A.

The API client secret can be viewed from the Edit API client pop-up box

B.

Enable the Client Secret column to reveal the API client secret

C.

Re-create the API client using the exact name to see the API client secret

D.

The API client secret cannot be retrieved after it has been created

Question 43

You have a new patch server that should be reachable while hosts in your environment are network contained. The server's IP address is static and does not change. Which of the following is the best approach to updating the Containment Policy to allow this?

Options:

A.

Add an allowlist entry for the individual server's MAC address

B.

Add an allowlist entry containing the host group that the server belongs to

C.

Add an allowlist entry for the individual server's IP address

D.

Add an allowlist entry containing CIDR notation for the /24 network the server belongs to

Question 44

While a host is Network contained, you need to allow the host to access internal network resources on specific IP addresses to perform patching and remediation. Which configuration would you choose?

Options:

A.

Configure a Real Time Response policy allowlist with the specific IP addresses

B.

Configure a Containment Policy with the specific IP addresses

C.

Configure a Containment Policy with the entire internal IP CIDR block

D.

Configure the Host firewall to allowlist the specific IP addresses

Question 45

Which of the following applies to Custom Blocking Prevention Policy settings?

Options:

A.

Hashes must be entered on the Prevention Hashes page before they can be blocked via this policy

B.

Blocklisting applies to hashes, IP addresses, and domains

C.

Executions blocked via hash blocklist may have partially executed prior to hash calculation process remediation may be necessary

D.

You can only blocklist hashes via the API

Page: 1 / 11
Total 153 questions