CrowdStrike CCFA-200 Online Practice Questions and Exam Preparation

CrowdStrike CCFA-200 Online Questions & Answers

• Question 101:

  Which of the following is TRUE of the Logon Activities Report?

  A. Shows a graphical view of user logon activity and the hosts the user connected to
  B. The report can be filtered by computer name
  C. It gives a detailed list of all logon activity for users
  D. It only gives a summary of the last logon activity for users
  D. It only gives a summary of the last logon activity for users

  ---

  Explanation

  The Logon Activities Report shows a graphical view of user logon activity and the hosts the user connected to, but it only gives a summary of the last logon activity for users. It does not give a detailed list of all logon activity for users, nor can it be filtered by computer name. The other options are either incorrect or not true of the report.

  CrowdStrike Falcon User Guide, page 50.

• Question 102:

  You want to create a detection-only policy. How do you set this up in your policy's settings?

  A. Enable the detection sliders and disable the prevention sliders. Then ensure that Next Gen Antivirus is enabled so it will disable Windows Defender.
  B. Select the "Detect-Only" template. Disable hash blocking and exclusions.
  C. You can't create a policy that detects but does not prevent. Use Custom IOA rules to detect.
  D. Set the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled. Do not activate any of the other blocking or malware prevention options.
  D. Set the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled. Do not activate any of the other blocking or malware prevention options.

  ---

  Explanation

  The administrator can create a detection-only policy by setting the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled in the policy's settings. This will allow Falcon to detect but not prevent threats on the hosts using this policy. Do not activate any of the other blocking or malware prevention options, as they will enable prevention actions. The other options are either incorrect or not related to creating a detection-only policy.

  [CrowdStrike Falcon User Guide], page 35.

• Question 103:

  Your development team is working on a new enterprise application, but Falcon starts creating alerts during testing. The alert points to, "C:\Users\Bob\DevCode\felix.dll". In the detection, you see that it's triggering only on a specific Falcon IOA. What would be the best course of action for this situation?

  A. Create a sensor visibility exclusion for "C:\Users\Bob\DevCode\felix.dll"
  B. Create an IOA exclusion for "C:\Users\Bob\DevCode\felix.dll"
  C. Create a Custom IOC and set it to "Allow" for "C:\Users\Bob\DevCode\felix.dll"
  D. Manually turn off the built-in IOA through prevention policies
  B. Create an IOA exclusion for "C:\Users\Bob\DevCode\felix.dll"

  ---

  Explanation

• Question 104:

  Which of the following controls the speed in which your sensors will receive automatic sensor updates?

  A. Maintenance Tokens
  B. Sensor Update Policy
  C. Sensor Update Throttling
  D. Channel File Update Throttling
  C. Sensor Update Throttling

  ---

  Explanation

  The option that controls the speed in which your sensors will receive automatic sensor updates is Sensor Update Throttling. Sensor Update Throttling allows you to limit the number of sensors that can download a new sensor version per hour. This way, you can avoid network congestion or bandwidth issues caused by simultaneous sensor updates. You can configure the Sensor Update Throttling setting in the Sensor Update Policy for each platform1.

  References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

• Question 105:

  How would an installation token be configured if the Falcon Sensor was installed on a Red Hat Enterprise Linux host?

  A. You will be prompted to enter the installation token during the install if it is required
  B. sudo yum install --cid= --provisioning-token=ABCD1234
  C. sudo /opt/CrowdStrike/falconctl -s -t ABCD1234
  D. sudo /opt/CrowdStrike/falconctl -s --cid= --provisioning-token=ABCD1234
  D. sudo /opt/CrowdStrike/falconctl -s --cid= --provisioning-token=ABCD1234

  ---

  Explanation

• Question 106:

  A sensor that has not contacted the Falcon cloud will be automatically deleted from the hosts list after how many days?

  A. 45 Days
  B. 60 Days
  C. 30 Days
  D. 90 Days
  D. 90 Days

  ---

  Explanation

  A sensor that has not contacted the Falcon cloud will be automatically deleted from the hosts list after 90 days. A sensor that has not contacted the Falcon cloud for more than seven days is considered inactive and will be moved from the Host Management page to the Trash page. An inactive sensor will remain in the Trash page for 90 days before being permanently deleted from the Falcon platform. You can restore an inactive sensor from the Trash page if it contacts the Falcon cloud again within 90 days.

  References: : [Falcon Administrator Learning Path | Infographic | CrowdStrike]

• Question 107:

  How are user permissions set in Falcon?

  A. Permissions are assigned to a User Group and then users are assigned to that group, thereby inheriting those permissions
  B. Pre-defined permissions are assigned to sets called roles. Users can be assigned multiple roles based on job function and they assume a cumulative set of permissions based on those assignments
  C. An administrator selects individual granular permissions from the Falcon Permissions List during user creation
  D. Permissions are token-based. Users request access to a defined set of permissions and an administrator adds their token to the set of permissions
  B. Pre-defined permissions are assigned to sets called roles. Users can be assigned multiple roles based on job function and they assume a cumulative set of permissions based on those assignments

  ---

  Explanation

  User permissions are set in Falcon by assigning pre-defined permissions to sets called roles. Users can be assigned multiple roles based on job function and they assume a cumulative set of permissions based on those assignments. Roles are collections of permissions that define what users can see and do in Falcon. Permissions are granular actions that allow users to access specific features or functions in Falcon. For example, a user who is assigned both the Falcon Administrator role and the Falcon Investigator role will have all the permissions from both roles2.

  References: 2: Cybersecurity Resources | CrowdStrike

• Question 108:

  The Falcon sensor uses certificate pinning to defend against man-in-the-middle attacks. What must you ensure is disabled for the sensor to communicate with the CrowdStrike Cloud?

  A. Proxy information
  B. Deep packet inspection
  C. NMAP scanning
  D. TCP inspection
  B. Deep packet inspection

  ---

  Explanation

• Question 109:

  One of your development teams is working on code for a new enterprise application but Falcon continually flags the execution as a detection during testing. All development work is required to be stored on a file share in a folder called "devcode." What setting can you use to reduce false positives on this file path?

  A. USB Device Policy
  B. Firewall Rule Group
  C. Containment Policy
  D. Machine Learning Exclusions
  D. Machine Learning Exclusions

  ---

  Explanation

  Continment Policy, is a allowlist of IPs and CIDR networks allowed in the moment of a host containtment. The Machine Learning Exclusions are the way to avoid the detections done it by Machine Learning based on files, so it is possible to exclude the detections for the requested folder with a GLOB expression.

• Question 110:

  What is the primary purpose of using glob syntax in an exclusion?

  A. To specify a Domain be excluded from detections
  B. To specify exclusion patterns to easily exclude files and folders and extensions from detections
  C. To specify exclusion patterns to easily add files and folders and extensions to be prevented
  D. To specify a network share be excluded from detections
  B. To specify exclusion patterns to easily exclude files and folders and extensions from detections

  ---

  Explanation

  Glob syntax is used to specify exclusion patterns to easily exclude files and folders and extensions from detections. Glob syntax allows you to use wildcards (*) and ranges ([a-z]) to match multiple characters or values in a file path or name.

  For example, you can use glob syntax to exclude all files with .exe extension in a folder by using

  C:\Folder*.exe as an exclusion pattern2.

  References: 2: Cybersecurity Resources | CrowdStrike