CrowdStrike CCFA-200 Online Practice Questions and Exam Preparation

CrowdStrike CCFA-200 Online Questions & Answers

• Question 131:

  Why is it important to know your company's event data retention limits in the Falcon platform?

  A. This is not necessary; you simply select "All Time" in your query to search all data
  B. You will not be able to search event data into the past beyond your retention period
  C. Data such as process records are kept for a shorter time than event data
  D. Your query will require you to specify the data pool associated with the date you wish to search
  B. You will not be able to search event data into the past beyond your retention period

  ---

  Explanation

  It is important to know your company's event data retention limits in the Falcon platform because you will not be able to search event data into the past beyond your retention period. The retention period is the amount of time that event data is stored in the Falcon Cloud, and it may vary depending on your subscription plan and settings. The other options are either incorrect or not related to knowing your retention limits.

  CrowdStrike Falcon User Guide, page 48.

• Question 132:

  How do you assign a policy to a specific group of hosts?

  A. Create a group containing the desired hosts using "Static Assignment." Go to the Assigned Host Groups tab of the desired policy and dick "Add groups to policy." Select the desired Group(s).
  B. Assign a tag to the desired hosts in Host Management. Create a group with an assignment rule based on that tag. Go to the Assignment tab of the desired policy and click "Add Groups to Policy." Select the desired Group(s).
  C. Create a group containing the desired hosts using "Dynamic Assignment." Go to the Assigned Host Groups tab of the desired policy and select criteria such as OU, OS, Hostname pattern, etc.
  D. On the Assignment tab of the desired policy, select "Static" assignment. From the next window, select the desired hosts (using fitters if needed) and click Add.
  A. Create a group containing the desired hosts using "Static Assignment." Go to the Assigned Host Groups tab of the desired policy and dick "Add groups to policy." Select the desired Group(s).

  ---

  Explanation

  The administrator can assign a policy to a specific group of hosts by creating a group containing the desired hosts using "Static Assignment." Then, go to the Assigned Host Groups tab of the desired policy and click "Add groups to policy." Select the desired Group(s). This will apply the policy to the selected group(s) of hosts. The other options are either incorrect or not applicable to static assignment.

  [CrowdStrike Falcon User Guide], page 33.

• Question 133:

  When editing an existing IOA exclusion, what can NOT be edited?

  A. The IOA name
  B. All parts of the exclusion can be changed
  C. The exclusion name
  D. The hosts groups
  A. The IOA name

  ---

  Explanation

  When editing an existing IOA exclusion, the IOA name cannot be edited. An IOA (indicator of attack) exclusion allows you to define custom rules for excluding suspicious behavior from detection or prevention based on process execution, file write, network connection, or registry events. The IOA name is a predefined name that identifies the type of IOA behavior that you want to exclude, such as "Suspicious Process Execution

  - Script Interpreter Executing File". The IOA name cannot be changed when editing an existing IOA exclusion, as it is linked to a specific IOA rule in the Falcon platform. However, you can edit other parts of the IOA exclusion, such as the exclusion name, the hosts groups, and the filter criteria.

  References: Cybersecurity Resources | CrowdStrike

• Question 134:

  Which statement is TRUE regarding disabling detections on a host?

  A. Hosts with detections disabled will not alert on blocklisted hashes or machine learning detections, but will still alert on lOA-based detections. It will remain that way until detections are enabled again
  B. Hosts with detections disabled will not alert on anything until detections are enabled again
  C. Hosts with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed
  D. Hosts cannot have their detections disabled individually
  B. Hosts with detections disabled will not alert on anything until detections are enabled again

  ---

  Explanation

• Question 135:

  The alignment of a particular prevention policy to one or more host groups can be completed in which of the following locations within Falcon?

  A. Policy alignment is configured in the "Host Management" section in the Hosts application
  B. Policy alignment is configured only once during the initial creation of the policy in the "Create New Policy" pop-up window
  C. Policy alignment is configured in the General Settings section under the Configuration menu
  D. Policy alignment is configured in each policy in the "Assigned Host Groups" tab
  D. Policy alignment is configured in each policy in the "Assigned Host Groups" tab

  ---

  Explanation

  The alignment of a particular prevention policy to one or more host groups can be completed in each policy in the "Assigned Host Groups" tab. This tab allows the administrator to select which host groups will use the policy, as well as view the number of hosts and sensors assigned to each group. The other options are either incorrect or not available.

  [CrowdStrike Falcon User Guide], page 34.

• Question 136:

  After agent installation, an agent opens a permanent___connection over port 443 and keeps that connection open until the endpoint is turned off or the network connection is terminated.

  A. SSH
  B. TLS
  C. HTTP
  D. TCP
  B. TLS

  ---

  Explanation

  After agent installation, an agent opens a permanent TLS connection over port 443 and keeps that connection open until the endpoint is turned off or the network connection is terminated. TLS (Transport Layer Security) is a protocol that

  provides secure and encrypted communication between the agent and the Falcon cloud. Port 443 is the standard port for HTTPS (Hypertext Transfer Protocol Secure) traffic. The agent uses this connection to send and receive data,

  commands, policies, and updates from the Falcon cloud2.

  References: 2: Cybersecurity Resources | CrowdStrike

• Question 137:

  Which role allows a user to connect to hosts using Real-Time Response?

  A. Endpoint Manager
  B. Falcon Administrator
  C. Real Time Responder ?Active Responder
  D. Prevention Hashes Manager
  C. Real Time Responder ?Active Responder

  ---

  Explanation

  The role that allows a user to connect to hosts using Real-Time Response is Real Time Responder ?Active Responder. This role allows users to use the "Connect to Host" feature to gather additional information from the host, as well as

  execute commands and scripts on the host. The other roles do not have this capability.

  [CrowdStrike Falcon User Guide], page 18.

• Question 138:

  The Remote Access Graph in Visibility Reports displays:

  A. a bar chart where a bar represents a daily count of remote connections
  B. a geographical chart showing the geo-location of remote IP address
  C. a graph showing connections between hosts and users
  D. a pie chart showing a count per remote logon type
  C. a graph showing connections between hosts and users

  ---

  Explanation

  Remote Access Graph: Provides a graphical representation of relationships between users and systems that have been remotely accessed. This allows you to search for users who are remotely logged on to devices based on logon type. You can search for either Terminal Server logons (Type 10, for example, RDP) or Network Server (Type 3) logons.

• Question 139:

  To enhance your security, you want to detect and block based on a list of domains and IP addresses. How can you use IOC management to help this objective?

  A. Blocking of Domains and IP addresses is not a function of IOC management. A Custom IOA Rule should be used instead
  B. Using IOC management, import the list of hashes and IP addresses and set the action to Detect Only
  C. Using IOC management, import the list of hashes and IP addresses and set the action to Prevent/Block
  D. Using IOC management, import the list of hashes and IP addresses and set the action to No Action
  A. Blocking of Domains and IP addresses is not a function of IOC management. A Custom IOA Rule should be used instead

  ---

  Explanation

  IOC management only allows "Detect only" and "No Action" among the possible actions. Therefore, it cannot be used to block based on IPs or domains. Custom IOA Rule groups allow to create rule types based on Network Connection (configuring a remote IP address) and domains, and gives the options to "Monitor", "Detect" and "Kill Process", being the late one the closest to "block".

• Question 140:

  You have created a Sensor Update Policy for the Mac platform. Which other operating system(s) will this policy manage?

  A. *nix
  B. Windows
  C. Both Windows and *nix
  D. Only Mac
  D. Only Mac

  ---

  Explanation

  A Sensor Update Policy for the Mac platform will only manage Mac operating systems. Sensor Update Policies are platform-specific, meaning that they only apply to hosts that have the same operating system as the policy. For example, a Sensor Update Policy for Windows will only manage Windows hosts, and a Sensor Update Policy for Linux will only manage Linux hosts. You cannot create a Sensor Update Policy that manages multiple operating systems at once2.

  References: 2: Cybersecurity Resources | CrowdStrike