CrowdStrike CCFA-200 Online Practice Questions and Exam Preparation

CrowdStrike CCFA-200 Online Questions & Answers

• Question 121:

  What are the two triggers that cause a fusion workflow to run?

  A. Fusion workflows are manually ran
  B. Event and scheduled triggers Most Voted
  C. Condition and action triggers
  D. Incident and detections triggers
  B. Event and scheduled triggers Most Voted

  ---

  Explanation

• Question 122:

  Which of the following uses Regex to create a detection or take a preventative action?

  A. Custom IOC
  B. Machine Learning Exclusion
  C. Custom IOA
  D. Sensor Visibility Exclusion
  C. Custom IOA

  ---

  Explanation

  The option that uses regex to create a detection or take a preventative action is Custom IOA. A Custom IOA (indicator of attack) allows you to define custom rules for detecting or preventing suspicious behavior based on process execution, file write, network connection, or registry events. You can use regex syntax to create a Custom IOA rule that matches the event data that you want to monitor or block1.

  References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

• Question 123:

  Which of the following best describes what the Uninstall and Maintenance Protection setting controls within your Sensor Update Policy?

  A. Prevents automatic updates of the sensor
  B. Prevents the sensor from entering Reduced Functionality Mode
  C. Prevents modification of sensor update policy
  D. Prevents unauthorized uninstallation of the sensor
  D. Prevents unauthorized uninstallation of the sensor

  ---

  Explanation

  The option that best describes what the Uninstall and Maintenance Protection setting controls within your Sensor Update Policy is that it prevents unauthorized uninstallation of the sensor. The Uninstall and Maintenance Protection setting is a feature that adds an extra layer of security to the sensor by requiring a maintenance token to uninstall or update the sensor manually. The maintenance token is a unique code that can be generated by a Falcon Administrator or a Real Time Response -Administrator in the Falcon console. Without a valid maintenance token, the sensor cannot be uninstalled or updated by anyone, including local administrators or malware2.

  References: 2: Cybersecurity Resources | CrowdStrike

• Question 124:

  On the Host management page which filter could be used to quickly identify all devices categorized as a "Workstation" by the Falcon Platform?

  A. Status
  B. Platform
  C. Hostname
  D. Type
  D. Type

  ---

  Explanation

  The filter that could be used to quickly identify all devices categorized as a "Workstation" by the Falcon Platform on the Host Management page is Type. The Type filter allows you to filter hosts by their device type, such as workstation, server,

  or domain controller. The device type is assigned to each host based on their Active Directory domain structure. You can use the Type filter to quickly identify all hosts that have the workstation type assigned in their domain2.

  References: 2: Cybersecurity Resources | CrowdStrike

• Question 125:

  Which command would tell you if a Falcon Sensor was running on a Windows host?

  A. cswindiag.exe -status
  B. netstat.exe -f
  C. sc.exe query csagent
  D. sc.exe query falcon
  C. sc.exe query csagent

  ---

  Explanation

  The command that would tell you if a Falcon Sensor was running on a Windows host is sc.exe query csagent. This command will show the status of the csagent service, which is responsible for running the sensor on Windows systems. The output of this command will indicate if the service is running, stopped, or paused. If the service is running, the sensor is also running3.

  References: 3: How to Become a CrowdStrike Certified Falcon Administrator

• Question 126:

  Which of the following Machine Learning (ML) sliders will only detect or prevent high confidence malicious items?

  A. Aggressive
  B. Cautious
  C. Minimal
  D. Moderate
  B. Cautious

  ---

  Explanation

  The Machine Learning (ML) slider that will only detect or prevent high confidence malicious items is Cautious. The ML slider allows you to adjust the level of sensitivity and aggressiveness of the Falcon sensor's ML engine, which uses artificial intelligence to identify and stop unknown threats. The Cautious setting will enable the sensor to detect and prevent only high-confidence malicious events, while allowing low- confidence events to run without interference. This setting will also generate less noise and false positives than higher settings, such as Moderate or Extra Aggressive.

  References: Falcon Administrator Learning Path | Infographic | CrowdStrike

• Question 127:

  Which of the following is TRUE regarding Falcon Next-Gen AntiVirus (NGAV)?

  A. Falcon NGAV relies on signature-based detections
  B. Activating Falcon NGAV will also enable all detection and prevention settings in the entire policy
  C. The Detection sliders cannot be set to a value less aggressive than the Prevention sliders
  D. Falcon NGAV is not a replacement for Windows Defender or other antivirus programs
  C. The Detection sliders cannot be set to a value less aggressive than the Prevention sliders

  ---

  Explanation

  The Detection sliders cannot be set to a value less aggressive than the Prevention sliders in Falcon Next-Gen AntiVirus (NGAV). This is because prevention is a subset of detection, and it would not make sense to prevent threats that are not detected. The other options are either incorrect or not true of Falcon NGAV.

  [CrowdStrike Falcon User Guide], page 35.

• Question 128:

  What best describes what happens to detections in the console after clicking "Enable Detections" for a host which previously had its detections disabled?

  A. Enables custom detections for the host
  B. New detections will start appearing in the console, and all retroactive stored detections will be restored to the console for that host
  C. New detections will start appearing in the console immediately. Previous detections will not be restored to the console for that host
  D. Preventions will be enabled for the host
  C. New detections will start appearing in the console immediately. Previous detections will not be restored to the console for that host

  ---

  Explanation

  The option that best describes what happens to detections in the console after clicking "Enable Detections" for a host which previously had its detections disabled is that new detections will start appearing in the console immediately. Previous detections will not be restored to the console for that host. The "Enable Detections" feature allows you to enable or disable the detection and prevention capabilities of the Falcon sensor on a specific host. When you disable detections for a host, the sensor will stop sending any detection or prevention events to the Falcon console, and any existing events for that host will be removed from the console. When you enable detections for a host, the sensor will resume sending any new detection or prevention events to the Falcon console, but any previous events for that host will not be restored to the console1.

  References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

• Question 129:

  Once an exclusion is saved, what can be edited in the future?

  A. All parts of the exclusion can be changed
  B. Only the selected groups and hosts to which the exclusion is applied can be changed
  C. Only the options to "Detect/Block" and/or "File Extraction" can be changed
  D. The exclusion pattern cannot be changed
  A. All parts of the exclusion can be changed

  ---

  Explanation

  Once an exclusion is saved, all parts of the exclusion can be changed in the future. The administrator can edit an existing exclusion by selecting it from the Exclusions page and modifying any of its fields, such as pattern, type, option, group or host. The other options are either incorrect or not true of editing exclusions.

  CrowdStrike Falcon User Guide, page 37.

• Question 130:

  Which of the following can a Falcon Administrator edit in an existing user's profile?

  A. First or Last name
  B. Phone number
  C. Email address
  D. Working groups
  A. First or Last name

  ---

  Explanation

  Roles are never called 'working groups' in the documentation. The only other option that can be edited on a existing user is first and last name.