CrowdStrike CCFA-200 Online Practice Questions and Exam Preparation

CrowdStrike CCFA-200 Online Questions & Answers

• Question 111:

  Why do Sensor Update policies need to be configured for each OS (Windows, Mac, Linux)?

  A. To bundle the Sensor and Prevention policies together into a deployment package
  B. Sensor Update policies are OS dependent
  C. To assist with auditing and change management
  D. This is false. One policy can be applied to all Operating Systems
  B. Sensor Update policies are OS dependent

  ---

  Explanation

  Sensor Update policies need to be configured for each OS (Windows, Mac, Linux) because Sensor Update policies are OS dependent. A Sensor Update policy is a policy that controls how and when the Falcon sensor is updated on a host.

  Sensor Update policies are specific to each operating system type, as different operating systems have different sensor versions, features, and requirements. Therefore, you need to create and assign separate Sensor Update policies for

  each operating system type in your environment1.

  References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

• Question 112:

  Which user role will NOT enable the user to connect to a host using Real Time Response?

  A. Real Time Response -Administrator
  B. Real Time Response - Active Responder
  C. Real Time Response - Read-Only Analyst
  D. Falcon Administrator
  D. Falcon Administrator

  ---

  Explanation

• Question 113:

  Which Real Time Response role will allow you to see all analyst session details?

  A. Real Time Response - Read-Only Analyst
  B. None of the Real Time Response roles allows this
  C. Real Time Response -Active Responder
  D. Real Time Response -Administrator
  D. Real Time Response -Administrator

  ---

  Explanation

  The Real Time Response role that will allow you to see all analyst session details is Real Time Response -Administrator. A Real Time Response -Administrator is a role that has full access and control over the Real Time Response feature in Falcon, which allows you to remotely access and investigate hosts in real time. A Real Time Response - Administrator can view all analyst session details, such as session ID, host name, start and end time, commands executed, and output received. A Real Time Response -Administrator can also create, modify, delete, and assign scripts and commands to other analysts2.

  References: 2: Cybersecurity Resources | CrowdStrike

• Question 114:

  What should be disabled on firewalls so that the sensor's man-in-the-middle attack protection works properly?

  A. Deep packet inspection
  B. Linux Sub-System
  C. PowerShell
  D. Windows Proxy
  A. Deep packet inspection

  ---

  Explanation

  The option that should be disabled on firewalls so that the sensor's man-in- the-middle attack protection works properly is deep packet inspection. Deep packet inspection is a network configuration that inspects and modifies the data packets that pass through a firewall. Deep packet inspection may interfere with the sensor's certificate validation, which is a feature that verifies that the server certificate presented by the Falcon cloud matches a hard-coded certificate embedded in the sensor. If the certificate validation fails, the sensor will reject the connection and generate an error3.

  References: 3: How to Become a CrowdStrike Certified Falcon Administrator

• Question 115:

  Which of the following includes all that can be configured to alert as a Custom IOC (Indicator of Compromise) in IOC Management?

  A. Hash, Domain, Filename
  B. Hash
  C. Hash, Domain
  D. Hash, Domain, IP Address
  D. Hash, Domain, IP Address

  ---

  Explanation

• Question 116:

  A member of your SECOPS team currently has the role of Falcon Security Lead to be able to Manage detections, quarantine files and reset user credentials. Which additional role is required to also allow them to view and modify remediation actions?

  A. Detections Exception Manager
  B. Remediation Manager
  C. Endpoint Manager
  D. Quarantine Manager
  B. Remediation Manager

  ---

  Explanation

• Question 117:

  What statement is TRUE about managing a user's role?

  A. The Administrator cannot re-use the account email for a new account
  B. You must have Falcon MFA enabled first
  C. You must be a Falcon Security Lead
  D. You must be a Falcon Administrator
  D. You must be a Falcon Administrator

  ---

  Explanation

  The statement that is true about managing a user's role is that you must be a Falcon Administrator. A Falcon Administrator is a role that has full access and control over all features and functions in Falcon, including user management. A Falcon Administrator can create, modify, delete, and assign roles to other users in Falcon. A Falcon Administrator can also re-use the account email for a new account, enable Falcon MFA (multi-factor authentication), and assign other roles such as Falcon Security Lead or Falcon Investigator.

  References: Cybersecurity Resources | CrowdStrike

• Question 118:

  Which of the follow should be used with extreme caution because it may introduce additional security risks such as malware or other attacks which would not be recorded, detected, or prevented based on the exclusion syntax?

  A. Sensor Visibility Exclusion
  B. Machine Learning Exclusions
  C. IOC Exclusions
  D. IOA Exclusions
  A. Sensor Visibility Exclusion

  ---

  Explanation

• Question 119:

  What is the most common cause of a Windows Sensor entering Reduced Functionality Mode (RFM)?

  A. Falcon console updates are pending
  B. Falcon sensors installing an update
  C. Notifications have been disabled on that host sensor
  D. Microsoft updates
  D. Microsoft updates

  ---

  Explanation

  The most common cause of a Windows Sensor entering Reduced Functionality Mode (RFM) is Microsoft updates. RFM occurs when the sensor detects a change in the operating system that requires a reboot to complete. Microsoft updates are one of the common causes of such a change. The other options are either incorrect or not related to RFM.

  CrowdStrike Falcon User Guide, page 30.

• Question 120:

  What is the purpose of the Default Sensor Policy?

  A. A mechanism to deploy the oldest supported version of the Falcon Sensor.
  B. Tests the sensor configuration settings before deployment.
  C. Used to reset all sensor settings to Default.
  D. Acts as a "catch all" policy if no other Sensor Policies are applied.
  D. Acts as a "catch all" policy if no other Sensor Policies are applied.

  ---

  Explanation

  The purpose of the Default Sensor Policy is that it acts as a "catch all" policy if no other Sensor Policies are applied. A Sensor Policy is a policy that defines the detection and prevention settings for the Falcon sensor on a host. You can create and assign custom Sensor Policies to different hosts or groups in your environment. However, if a host is not assigned to a specific Sensor Policy, it will inherit the settings from the Default Sensor Policy. The Default Sensor Policy is a "catchall" policy that is enabled by default and has the "Malware Protection" feature turned on. You can modify the settings of the Default Sensor Policy, but you cannot delete or disable it1.

  References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike