CrowdStrike CCFA-200 Online Practice Questions and Exam Preparation

CrowdStrike CCFA-200 Online Questions & Answers

• Question 91:

  Which statement describes what is recommended for the Default Sensor Update policy?

  A. The Default Sensor Update policy should align to an organization's overall sensor updating practice while leveraging Auto N-1 and Auto N-2 configurations where possible
  B. The Default Sensor Update should be configured to always automatically upgrade to the latest sensor version
  C. Since the Default Sensor Update policy is pre-configured with recommend settings out of the box, configuration of the Default Sensor Update policy is not required
  D. No configuration is required. Once a Custom Sensor Update policy is created the Default Sensor Update policy is disabled
  A. The Default Sensor Update policy should align to an organization's overall sensor updating practice while leveraging Auto N-1 and Auto N-2 configurations where possible

  ---

  Explanation

• Question 92:

  Which of the following is NOT an available filter on the Hosts Management page?

  A. Hostname
  B. Username
  C. Group
  D. OS Version
  B. Username

  ---

  Explanation

  Username is not an available filter on the Hosts Management page. The Hosts Management page allows you to view and manage all the hosts in your environment that have Falcon sensors installed. You can filter the hosts by hostname, group, OS version, sensor version, last seen date, health events, detections, and preventions. You can also perform actions such as assigning hosts to groups, updating sensor policies, uninstalling sensors, or isolating hosts1.

  References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

• Question 93:

  What information is provided in Logan Activities under Visibility Reports?

  A. A list of all logons for all users
  B. A list of last endpoints that a user logged in to
  C. A list of users who are remotely logged on to devices based on local IP and local port
  D. A list of unique users who are remotely logged on to devices based on the country
  B. A list of last endpoints that a user logged in to

  ---

  Explanation

  The Logon Activities report under Visibility Reports provides a list of last endpoints that a user logged in to. This report shows the user name, domain name, logon type, logon time and endpoint name for each logon event. The other options are either incorrect or not related to the report.

  [CrowdStrike Falcon User Guide], page 50.

• Question 94:

  What is the purpose of precedence with respect to the Sensor Update policy?

  A. Precedence applies to the Prevention policy and not to the Sensor Update policy
  B. Hosts assigned to multiple policies will assume the highest ranked policy in the list (policy with the lowest number)
  C. Hosts assigned to multiple policies will assume the lowest ranked policy in the list (policy with the highest number)
  D. Precedence ensures that conflicting policy settings are not set in the same policy
  B. Hosts assigned to multiple policies will assume the highest ranked policy in the list (policy with the lowest number)

  ---

  Explanation

  The purpose of precedence with respect to the Sensor Update policy is that hosts assigned to multiple policies will assume the highest ranked policy in the list (policy with the lowest number). This means that if a host belongs to more than one group that has different Sensor Update policies assigned, it will use the policy that has the highest precedence (lowest number) among them. The other options are either incorrect or not related to precedence.

  CrowdStrike Falcon User Guide, page 38.

• Question 95:

  Where in the console can you find a list of all hosts in your environment that are in Reduced Functionality Mode (RFM)?

  A. Host Dashboard
  B. Host Management > Filter for RFM
  C. Inactive Sensor Report
  D. Containment Policy
  B. Host Management > Filter for RFM

  ---

  Explanation

  The place in the console where you can find a list of all hosts in your environment that are in Reduced Functionality Mode (RFM) is Host Management > Filter for RFM. The Host Management page allows you to view and manage all hosts in your environment that have Falcon sensors installed. You can use the filter bar to filter hosts by various attributes, such as status, platform, type, or group. You can also filter hosts by health events, such as RFM, which is a mode that limits the sensor's functionality due to license expiration, network connectivity loss, or certificate validation failure. By filtering for RFM, you can see a list of all hosts that are in this mode1.

  References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

• Question 96:

  The Customer ID (CID) is important in which of the following scenarios?

  A. When adding a user to the Falcon console under the Users application
  B. When performing the sensor installation process
  C. When setting up API keys
  D. When performing a Host Search
  B. When performing the sensor installation process

  ---

  Explanation

  The Customer ID (CID) is important in which of the following scenarios: when performing the sensor installation process and when setting up API keys. The CID is a unique identifier for your organization that is required for authenticating your sensor installation and communication with the Falcon cloud. You need to provide your CID when installing the Falcon sensor on a host, either by using a command-line parameter or by using the falconctl tool. The CID is also required for setting up API keys, which are used for accessing the Falcon platform programmatically via the Falcon APIs. You need to provide your CID when creating an API client and key in the API Clients and Keys page in the Falcon console.

  References: : [Cybersecurity Resources | CrowdStrike]

• Question 97:

  Which of the following roles allows a Falcon user to create Real Time Response Custom Scripts?

  A. Real Time Responder ?Administrator
  B. Real Time Responder ?Read Only Analyst
  C. Real Time Responder ?Script Developer
  D. Real Time Responder ?Active Responder
  A. Real Time Responder ?Administrator

  ---

  Explanation

  Real Time Responder - Administrator (RTR Administrator) - Can do everything RTR Active Responder can do, plus create custom scripts, upload files to hosts using the put command, and directly run executables using the run command.

• Question 98:

  You are evaluating the most appropriate Prevention Policy Machine Learning slider settings for your environment. In your testing phase, you configure the Detection slider as Aggressive. After running the sensor with this configuration for 1 week of testing, which Audit report should you review to determine the best Machine Learning slider settings for your organization?

  A. Prevention Policy Audit Trail
  B. Prevention Policy Debug
  C. Prevention Hashes Ignored
  D. Machine-Learning Prevention Monitoring
  D. Machine-Learning Prevention Monitoring

  ---

  Explanation

  Audit logs --> Machine-learning prevention monitoring It shows the count of ML expected detections based on the detection levels for a defined time period and the list of files that would be detected on each detection level.

• Question 99:

  What are custom alerts based on?

  A. Custom workflows
  B. Custom event based triggers
  C. Predefined alert templates
  D. User defined Splunk queries
  C. Predefined alert templates

  ---

  Explanation

  Scheduling a Custom Alert for your environment consists of three steps:

  choosing the template you'd like to configure, previewing the search results, then scheduling the alert. Use Custom Alerts to configure email alerts using predefined templates so you're notified about specific activity in your environment. When

  an alert runs and finds results, it sends an email to specified recipients instead of generating a new detection. Custom Alerts let you set up email alerts based on predefined templates that cover a wide range of topics including Real Time

  Response session initiation, host containment, OS security settings, and more that are not yet covered by notification workflows.

• Question 100:

  Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host. What is the most appropriate role that can be added to fullfil this requirement?

  A. Remediation Manager
  B. Real Time Responder ?Read Only Analyst
  C. Falcon Analyst ?Read Only
  D. Real Time Responder ?Active Responder
  B. Real Time Responder ?Read Only Analyst

  ---

  Explanation

  The Real Time Responder - Read Only Analyst only allows to run the commands: "cat,cd,clear,env,eventlog,filehash,getsid,help,history,ipconfig,ls,mount,netstat,ps,reg" the role do not have permission to get files so it is the most aproximated profile for the requested capabilities.