Download CCFA-200 Study Questions To Pass CrowdStrike Certified Falcon Administrator

Jonnie Karnath2023-03-19T02:25:24+00:00

To pass the CrowdStrike Certified Falcon Administrator exam, candidates need to have a deep understanding of these topics and be able to apply their knowledge to real-world scenarios. Our CCFA-200 study questions will help you develop a strong understanding of the exam’s content and format, giving you the confidence you need to tackle any question that comes your way. Our CCFA-200 study questions will help you identify any knowledge gaps or weak areas in your exam preparation, so you can focus your study efforts on the areas that need improvement. By using our CCFA-200 study questions, you will be fully prepared to pass the exam with flying colors and achieve your certification goals.

Page 1 of 3

1. When the Notify End Users policy setting is turned on, which of the following is TRUE?

End users will not be notified as we would not want to notify a malicious actor of a detection. This setting does not exist

End users will be immediately notified via a pop-up that their machine is in-network isolation

End-users receive a pop-up notification when a prevention action occurs

End users will receive a pop-up allowing them to confirm or refuse a pending quarantine

2. How are user permissions set in Falcon?

Permissions are assigned to a User Group and then users are assigned to that group, thereby inheriting those permissions

Pre-defined permissions are assigned to sets called roles. Users can be assigned multiple roles based on job function and they assume a cumulative set of permissions based on those assignments

An administrator selects individual granular permissions from the Falcon Permissions List during user creation

Permissions are token-based. Users request access to a defined set of permissions and an administrator adds their token to the set of permissions

3. Which is the correct order for manually installing a Falcon Package on a macOS system?

Install the Falcon package, then register the Falcon Sensor via the registration package

Install the Falcon package, then register the Falcon Sensor via command line

4. Which of the following is TRUE of the Logon Activities Report?

Shows a graphical view of user logon activity and the hosts the user connected to

The report can be filtered by computer name

It gives a detailed list of all logon activity for users

It only gives a summary of the last logon activity for users

5. Why is it critical to have separate sensor update policies for Windows/Mac/*nix?

There may be special considerations for each OS

To assist with testing and tracking sensor rollouts

The network protocols are different for each host OS

It is an auditing requirement

6. How can a Falcon Administrator configure a pop-up message to be displayed on a host when the Falcon sensor blocks, kills or quarantines an activity?

By ensuring each user has set the "pop-ups allowed" in their User Profile configuration page

By enabling "Upload quarantined files" in the General Settings configuration page

By turning on the "Notify End Users" setting at the top of the Prevention policy details configuration page

By selecting "Enable pop-up messages" from the User configuration page

7. What must an admin do to reset a user's password?

From User Management, open the account details for the affected user and select "Generate New Password"

From User Management, select "Reset Password" from the three dot menu for the affected user account

From User Management, select "Update Account" and manually create a new password for the affected user account

From User Management, the administrator must rebuild the account as the certificate for user specific private/public key generation is no longer valid

8. You have been provided with a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers. They have asked you to ensure that they are not allowed to run in your environment. You have chosen to use Falcon to do this.

Which is the best way to accomplish this?

Using the Support Portal, create a support ticket and include the list of binary hashes, asking support to create an "Execution Prevention" rule to prevent these processes from running

Using Custom Alerts in the Investigate App, create a new alert using the template "Process Execution" and within that rule, select the option to "Block Execution"

Using IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking.

Using the API, gather the list of SHA256 or MD5 hashes for each binary and then upload them, setting them all to "Never Allow"

9. Which of the following best describes the Default Sensor Update policy?

The Default Sensor Update policy does not have the "Uninstall and maintenance protection" feature

The Default Sensor Update policy is only used for testing sensor updates

The Default Sensor Update policy is a "catch-all" policy

The Default Sensor Update policy is disabled by default

10. Where in the Falcon console can information about supported operating system versions be found?

Configuration module

Intelligence module

Support module

Discover module

Page 2 of 3

11. If a user wanted to install an older version of the Falcon sensor, how would they find the older installer file?

Older versions of the sensor are not available for download

By emailing CrowdStrike support at [email protected]

By installing the current sensor and clicking the "downgrade" button during the install

By clicking on "Older versions" links under the Host setup and management > Deploy > Sensor downloads

12. What type of information is found in the Linux Sensors Dashboard?

Hosts by Kernel Version, Shells spawned by Root, Wget/Curl Usage

Hidden File execution, Execution of file from the trash, Versions Running with Computer Names

Versions running, Directory Made Invisible to Spotlight, Logging/Auditing Referenced, Viewed, or Modified

Private Information Accessed, Archiving Tools C Exfil, Files Made Executable

13. When configuring a specific prevention policy, the admin can align the policy to two different types of groups, Host Groups and which other?

Custom IOA Rule Groups

Custom IOC Groups

Enterprise Groups

Operating System Groups

14. What is the goal of a Network Containment Policy?

Increase the aggressiveness of the assigned prevention policy

Limit the impact of a compromised host on the network

Gain more visibility into network activities

Partition a network for privacy

15. How does the Unique Hosts Connecting to Countries Map help an administrator?

It highlights countries with known malware

It helps visualize global network communication

It identifies connections containing threats

It displays intrusions from foreign countries

16. You need to export a list of all deletions for a specific Host Name in the last 24 hours.

What is the best way to do this?

Go to Host Management in the Host page. Select the host and use the Export Detections button

Utilize the Detection Resolution Dashboard. Use the filters to focus on the appropriate hostname and time, then export the results from the "Detection Resolution History" section

In the Investigate module, access the Detection Activity page. Use the filters to focus on the appropriate hostname and time, then export the results

Utilize the Detection Activity Dashboard. Use the filters to focus on the appropriate hostname and time, then export the results from the "Detections by Host" section

17. Where do you obtain the Windows sensor installer for CrowdStrike Falcon?

Sensors are downloaded from the Hosts > Sensor Downloads

Sensor installers are unique to each customer and must be obtained from support

Sensor installers are downloaded from the Support section of the CrowdStrike website

Sensor installers are not used because sensors are deployed from within Falcon

18. You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints.

What is the best way to prevent these in the future?

Contact support and request that they modify the Machine Learning settings to no longer include this detection

Using IOC Management, add the hash of the binary in question and set the action to "Allow"

Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"

Using IOC Management, add the hash of the binary in question and set the action to "No Action"

19. When would the No Action option be assigned to a hash in IOC Management?

When you want to save the indicator for later action, but do not want to block or allow it at this time

Add the indicator to your allowlist and do not detect it

There is no such option as No Action available in the Falcon console

Add the indicator to your blocklist and show it as a detection

20. Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host.

What is the most appropriate role that can be added to fullfil this requirement?

Remediation Manager

Real Time Responder C Read Only Analyst

Falcon Analyst C Read Only

Real Time Responder C Active Responder

Page 3 of 3

21. On a Windows host, what is the best command to determine if the sensor is currently running?

sc query csagent

netstat -a

This cannot be accomplished with a command

ping falcon.crowdstrike.com

22. What is the purpose of precedence with respect to the Sensor Update policy?

Precedence applies to the Prevention policy and not to the Sensor Update policy

Hosts assigned to multiple policies will assume the highest ranked policy in the list (policy with the lowest number)

Hosts assigned to multiple policies will assume the lowest ranked policy in the list (policy with the highest number)

Precedence ensures that conflicting policy settings are not set in the same policy

23. What is the function of a single asterisk (*) in an ML exclusion pattern?

The single asterisk will match any number of characters, including none. It does include separator characters, such as or /, which separate portions of a file path

The single asterisk will match any number of characters, including none. It does not include separator characters, such as or /, which separate portions of a file path

The single asterisk is the insertion point for the variable list that follows the path

The single asterisk is only used to start an expression, and it represents the drive letter

24. When creating new IOCs in IOC management, which of the following fields must be configured?

Hash, Description, Filename

Hash, Action and Expiry Date

Filename, Severity and Expiry Date

Hash, Platform and Action

25. When uninstalling a sensor, which of the following is required if the 'Uninstall and maintenance protection' setting is enabled within the Sensor Update Policies?

Maintenance token

Customer ID (CID)

Bulk update key

Agent ID (AID)

26. Which role allows a user to connect to hosts using Real-Time Response?

Endpoint Manager

Falcon Administrator

Real Time Responder C Active Responder

Prevention Hashes Manager

27. Which report can assist in determining the appropriate Machine Learning levels to set in a Prevention Policy?

Sensor Report

Machine Learning Prevention Monitoring

Falcon UI Audit Trail

Machine Learning Debug

28. With Custom Alerts, it is possible to __________.

schedule the alert to run at any interval

receive an alert in an email

configure prevention actions for alerting

be alerted to activity in real-time

29. Which role will allow someone to manage quarantine files?

Falcon Security Lead

Detections Exceptions Manager

Falcon Analyst C Read Only

Endpoint Manager

Facebook Twitter LinkedIn Google + Email