
CCFA-200 Free Exam Study Guide! (Updated 152 Questions)
CCFA-200 Dumps for CrowdStrike Certified Falcon Administrator Certified Exam Questions and Answer
NEW QUESTION # 84
How can a Falcon Administrator configure a pop-up message to be displayed on a host when the Falcon sensor blocks, kills or quarantines an activity?
- A. By enabling "Upload quarantined files" in the General Settings configuration page
- B. By selecting "Enable pop-up messages" from the User configuration page
- C. By ensuring each user has set the "pop-ups allowed" in their User Profile configuration page
- D. By turning on the "Notify End Users" setting at the top of the Prevention policy details configuration page
Answer: D
NEW QUESTION # 85
What information is provided in Logan Activities under Visibility Reports?
- A. A list of all logons for all users
- B. A list of last endpoints that a user logged in to
- C. A list of unique users who are remotely logged on to devices based on the country
- D. A list of users who are remotely logged on to devices based on local IP and local port
Answer: B
Explanation:
Explanation
The Logon Activities report under Visibility Reports provides a list of last endpoints that a user logged in to.
This report shows the user name, domain name, logon type, logon time and endpoint name for each logon event. The other options are either incorrect or not related to the report. Reference: [CrowdStrike Falcon User Guide], page 50.
NEW QUESTION # 86
When creating a Host Group for all Workstations in an environment, what is the best method to ensure all workstation hosts are added to the group?
- A. Create a Dynamic Group and Import All Workstations
- B. Create a Static Group and Import all Workstations
- C. Create a Dynamic Group with Type=Workstation Assignment
- D. Create a Static Group with Type=Workstation Assignment
Answer: C
Explanation:
Explanation
The best method to ensure all workstation hosts are added to the group is to create a Dynamic Group with Type=Workstation Assignment. A Dynamic Group is a group that automatically updates its membership based on certain criteria or filters. A Type=Workstation Assignment filter will match all hosts that have the workstation type assigned in their Active Directory domain. This way, any new or existing workstation hosts will be added to the group without manual intervention1.
References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike
NEW QUESTION # 87
Which of the following scenarios best describes when you would add IP addresses to the containment policy?
- A. You want to automate the Network Containment process based on the IP address of a host
- B. A new group of analysts need to be able to place hosts under Network Containment
- C. Your organization has resources that need to be accessible when hosts are network contained
- D. Your organization has additional IP addresses that need to be able to access the Falcon console
Answer: C
Explanation:
Explanation
The scenario that best describes when you would add IP addresses to the containment policy is that your organization has resources that need to be accessible when hosts are network contained. As explained in the previous question, adding IP addresses to the containment policy allows you to create an allowlist of trusted IP addresses that can communicate with your contained hosts. This can be useful when you need to isolate a host from the network due to a potential compromise or investigation, but still want to allow it to access certain resources or services that are essential for your organization's operations or security2.
References: 2: Cybersecurity Resources | CrowdStrike
NEW QUESTION # 88
You notice there are multiple Windows hosts in Reduced functionality mode (RFM). What is the most likely culprit causing these hosts to be in RFM?
- A. A host was offline for more than 24 hours
- B. A Sensor Update Policy was misconfigured
- C. A host was placed in network containment from a detection
- D. A patch was pushed overnight to all Windows systems
Answer: D
Explanation:
Explanation
The most likely culprit causing multiple Windows hosts to be in Reduced Functionality Mode (RFM) is a patch that was pushed overnight to all Windows systems. RFM occurs when the sensor detects a change in the operating system that requires a reboot to complete. A patch is one of the common causes of such a change.
The other options are either incorrect or not related to RFM. Reference: CrowdStrike Falcon User Guide, page
30.
NEW QUESTION # 89
Which port and protocol does the sensor use to communicate with the CrowdStrike Cloud?
- A. TCP port 443 (HTTPS)
- B. TCP port 22 (SSH)
- C. TCP UDP port 53 (DNS)
- D. TCP port 80 (HTTP)
Answer: A
Explanation:
Explanation
The sensor uses TCP port 443 (HTTPS) to communicate with the CrowdStrike Cloud. This port and protocol are used to securely send and receive data between the sensor and the cloud, such as detections, policies, updates, commands, etc. The other options are either incorrect or not used by the sensor.
Reference: CrowdStrike Falcon User Guide, page 28.
NEW QUESTION # 90
Which option allows you to exclude behavioral detections from the detections page?
- A. IOC Exclusion
- B. Sensor Visibility Exclusion
- C. IOA Exclusion
- D. Machine Learning Exclusion
Answer: D
NEW QUESTION # 91
You want to create a detection-only policy. How do you set this up in your policy's settings?
- A. Set the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled. Do not activate any of the other blocking or malware prevention options.
- B. Select the "Detect-Only" template. Disable hash blocking and exclusions.
- C. Enable the detection sliders and disable the prevention sliders. Then ensure that Next Gen Antivirus is enabled so it will disable Windows Defender.
- D. You can't create a policy that detects but does not prevent. Use Custom IOA rules to detect.
Answer: A
Explanation:
Explanation
The administrator can create a detection-only policy by setting the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled in the policy's settings. This will allow Falcon to detect but not prevent threats on the hosts using this policy. Do not activate any of the other blocking or malware prevention options, as they will enable prevention actions. The other options are either incorrect or not related to creating a detection-only policy. Reference: [CrowdStrike Falcon User Guide], page 35.
NEW QUESTION # 92
When performing targeted filtering for a host on the Host Management Page, which filter bar attribute is NOT case-sensitive?
- A. Model
- B. Domain
- C. Hostname
- D. Username
Answer: C
Explanation:
Explanation
When performing targeted filtering for a host on the Host Management Page, the filter bar attribute that is not case-sensitive is Hostname. The Hostname attribute allows you to filter hosts by their computer name or DNS name. The Hostname filter is not case-sensitive, meaning that it will match hosts regardless of the capitalization of their names. For example, filtering by hostname=DESKTOP-1234 will match hosts with names such as DESKTOP-1234, desktop-1234, or Desktop-12342.
References: 2: Cybersecurity Resources | CrowdStrike
NEW QUESTION # 93
What is the primary purpose of using glob syntax in an exclusion?
- A. To specify exclusion patterns to easily add files and folders and extensions to be prevented
- B. To specify a network share be excluded from detections
- C. To specify exclusion patterns to easily exclude files and folders and extensions from detections
- D. To specify a Domain be excluded from detections
Answer: C
Explanation:
Explanation
Glob syntax is used to specify exclusion patterns to easily exclude files and folders and extensions from detections. Glob syntax allows you to use wildcards (*) and ranges ([a-z]) to match multiple characters or values in a file path or name. For example, you can use glob syntax to exclude all files with .exe extension in a folder by using C:\Folder*.exe as an exclusion pattern2.
References: 2: Cybersecurity Resources | CrowdStrike
NEW QUESTION # 94
Under which scenario can Sensor Tags be assigned?
- A. While triaging a detection
- B. While managing hosts in the Falcon console
- C. While installing a sensor
- D. While updating a sensor in the Falcon console
Answer: B
NEW QUESTION # 95
The Falcon Administrator has created a new prevention policy to apply to the "Servers" group; however, when applying the new prevention policy this group is not appearing in the list of available groups. What is the most likely issue?
- A. The new prevention policy should be enabled first
- B. The "Servers" group must be disabled first
- C. The "Servers" group already has a policy applied to it
- D. Host type was not defined correctly within the prevention policy
Answer: C
Explanation:
Explanation
The most likely issue for not being able to apply a new prevention policy to the "Servers" group is that the
"Servers" group already has a policy applied to it. A prevention policy is a policy that defines the prevention capabilities and settings for the Falcon sensor on a host. You can create and assign custom prevention policies to different hosts or groups in your environment. However, you can only assign one prevention policy per host or group at a time. If a host or group already has a prevention policy applied to it, you cannot apply another prevention policy to it unless you remove or replace the existing one2.
References: 2: Cybersecurity Resources | CrowdStrike
NEW QUESTION # 96
When editing an existing IOA exclusion, what can NOT be edited?
- A. The exclusion name
- B. The IOA name
- C. The hosts groups
- D. All parts of the exclusion can be changed
Answer: B
Explanation:
Explanation
When editing an existing IOA exclusion, the IOA name cannot be edited. An IOA (indicator of attack) exclusion allows you to define custom rules for excluding suspicious behavior from detection or prevention based on process execution, file write, network connection, or registry events. The IOA name is a predefined name that identifies the type of IOA behavior that you want to exclude, such as "Suspicious Process Execution
- Script Interpreter Executing File". The IOA name cannot be changed when editing an existing IOA exclusion, as it is linked to a specific IOA rule in the Falcon platform. However, you can edit other parts of the IOA exclusion, such as the exclusion name, the hosts groups, and the filter criteria2.
References: 2: Cybersecurity Resources | CrowdStrike
NEW QUESTION # 97
When creating a Host Group for all Workstations in an environment, what is the best method to ensure all workstation hosts are added to the group?
- A. Create a Dynamic Group and Import All Workstations
- B. Create a Static Group and Import all Workstations
- C. Create a Dynamic Group with Type=Workstation Assignment
- D. Create a Static Group with Type=Workstation Assignment
Answer: C
NEW QUESTION # 98
How does the Unique Hosts Connecting to Countries Map help an administrator?
- A. It displays intrusions from foreign countries
- B. It highlights countries with known malware
- C. It identifies connections containing threats
- D. It helps visualize global network communication
Answer: D
NEW QUESTION # 99
Which of the following is an effective Custom IOA rule pattern to kill any process attempting to access www.badguydomain.com?
- A. Custom IOA rules cannot be created for domains
- B. \Device\HarddiskVolume2\*.exe -SingleArgument www.badguydomain.com /kill
- C. badguydomain\.com.*
- D. .*badguydomain.com.*
Answer: B
NEW QUESTION # 100
How are user permissions set in Falcon?
- A. Pre-defined permissions are assigned to sets called roles. Users can be assigned multiple roles based on job function and they assume a cumulative set of permissions based on those assignments
- B. An administrator selects individual granular permissions from the Falcon Permissions List during user creation
- C. Permissions are assigned to a User Group and then users are assigned to that group, thereby inheriting those permissions
- D. Permissions are token-based. Users request access to a defined set of permissions and an administrator adds their token to the set of permissions
Answer: A
Explanation:
Explanation
User permissions are set in Falcon by assigning pre-defined permissions to sets called roles. Users can be assigned multiple roles based on job function and they assume a cumulative set of permissions based on those assignments. Roles are collections of permissions that define what users can see and do in Falcon. Permissions are granular actions that allow users to access specific features or functions in Falcon. For example, a user who is assigned both the Falcon Administrator role and the Falcon Investigator role will have all the permissions from both roles2.
References: 2: Cybersecurity Resources | CrowdStrike
NEW QUESTION # 101
Which of the following applies to Custom Blocking Prevention Policy settings?
- A. Blocklisting applies to hashes, IP addresses, and domains
- B. Executions blocked via hash blocklist may have partially executed prior to hash calculation process remediation may be necessary
- C. You can only blocklist hashes via the API
- D. Hashes must be entered on the Prevention Hashes page before they can be blocked via this policy
Answer: D
Explanation:
Explanation
Falcon allows you to upload hashes from your own black or white lists. To enabled this navigate to the Configuration App, Prevention hashes window, and click on "Upload Hashes" in the upper right-hand corner.
Note that you can also automate the task of importing hashes with the CrowdStrike Falcon API.
https://www.crowdstrike.com/blog/tech-center/how-to-prevent-malware-with-custom-blacklisting/
NEW QUESTION # 102
......
Use Real CCFA-200 Dumps - 100% Free CCFA-200 Exam Dumps: https://www.prep4sureguide.com/CCFA-200-prep4sure-exam-guide.html
Realistic Verified CCFA-200 exam dumps Q&As - CCFA-200 Free Update: https://drive.google.com/open?id=12-3hNAQ_ofTr-vgzLwdZNdId_nH18G1S