CrowdStrike CCFA-200 Online Practice Questions and Exam Preparation

CrowdStrike CCFA-200 Online Questions & Answers

• Question 141:

  After enabling an IOA rule and its respective rule group, what else must be done for an IOA to be fully functional?

  A. Nothing else needs to be done; the rule should start working
  B. The rule group must be assigned to one or more prevention policies
  C. The rule needs to be manually triggered to ensure it works as intended
  D. You must individually select which hosts you would like to apply to rule to
  B. The rule group must be assigned to one or more prevention policies

  ---

  Explanation

• Question 142:

  The Logon Activities Report includes all of the following information for a particular user EXCEPT __________.

  A. the account type for the user (e.g. Domain Administrator, Local User)
  B. all hosts the user logged into
  C. the logon type (e.g. interactive, service)
  D. the last time the user's password was set
  B. all hosts the user logged into

  ---

  Explanation

  Checked in console, it returns only the last machine where the user logged on, so it will not return all the machines that the user was logged on in the desired search

• Question 143:

  Why would you use the Prevention Policy Debug Report?

  A. To confirm that prevention policy precedence was applied to hosts
  B. To confirm the number of detections on a host
  C. To confirm that prevention policy settings were applied to a host
  D. To confirm the number of host groups to which a policy was applied
  C. To confirm that prevention policy settings were applied to a host

  ---

  Explanation

• Question 144:

  With Custom Alerts, it is possible to __________.

  A. schedule the alert to run at any interval
  B. receive an alert in an email
  C. configure prevention actions for alerting
  D. be alerted to activity in real-time
  B. receive an alert in an email

  ---

  Explanation

  The reporting interval is predefined and cannot be changed. You can only enable/disable the custom alert feature and add/remove recipient email client for the alert/detection.

• Question 145:

  Which of the following is an effective Custom IOA rule pattern to kill any process attempting to access www.badguydomain.com?

  A. .*badguydomain.com.*
  B. \Device\HarddiskVolume2\*.exe -SingleArgument www.badguydomain.com /kill
  C. badguydomain\.com.*
  D. Custom IOA rules cannot be created for domains
  A. .*badguydomain.com.*

  ---

  Explanation

  You are usuing RegEx here and need leading ".*" to capture www and then need a ".*" at the end to identify any sites falling under badguydomain.com

• Question 146:

  What is the purpose of a containment policy?

  A. To define which Falcon analysts can contain endpoints
  B. To define the duration of Network Containment
  C. To define the trigger under which a machine is put in Network Containment (e.g. a critical detection)
  D. To define allowed IP addresses over which your hosts will communicate when contained
  D. To define allowed IP addresses over which your hosts will communicate when contained

  ---

  Explanation

  In the Containment Policy page have the title "Network traffic allowlist" and it only allows to add IPs or CIDR networks to exclude in the moment of the isolation of any host, because it is a global policy, not allowing make distinctions between machines.

• Question 147:

  What sensor update policy will a sensor receive if it does not have a host group assignment?

  A. Auto N-2 policy
  B. They don't get a policy
  C. The default policy
  D. Auto N-1 policy
  C. The default policy

  ---

  Explanation

• Question 148:

  After Network Containing a host, your Incident Response team states they are unable to remotely connect to the host. Which of the following would need to be configured to allow remote connections from specified IP's?

  A. Response Policy
  B. Containment Policy
  C. Maintenance Token
  D. IP Allowlist Management
  D. IP Allowlist Management

  ---

  Explanation

  The option that would need to be configured to allow remote connections from specified IP's after network containing a host is IP Allowlist Management. IP Allowlist Management allows you to define a list of trusted IP addresses that can communicate with your contained hosts. This way, you can isolate a host from the network while still allowing your incident response team or other authorized parties to remotely connect to the host for investigation or remediation purposes2.

  References: 2: Cybersecurity Resources | CrowdStrike

• Question 149:

  What model is used to create workflows that would allow you to create custom notifications based on particular events which occur in the Falcon platform?

  A. For - While statement(s)
  B. Trigger, condition(s) and action(s)
  C. Event trigger(s)
  D. Predefined workflow template(s)
  B. Trigger, condition(s) and action(s)

  ---

  Explanation

  The model that is used to create workflows that would allow you to create custom notifications based on particular events which occur in the Falcon platform is trigger, condition(s) and action(s). This model allows you to specify what event will trigger the workflow, what condition(s) must be met for the workflow to execute, and what action(s) will be performed by the workflow. The other options are either incorrect or not related to creating workflows.

  CrowdStrike Falcon User Guide, page 56.

• Question 150:

  Where can you find information about all supported operating systems for the Falcon sensor?

  A. Documentation
  B. News
  C. Sensor Release Notes
  D. Sensor Downloads
  A. Documentation

  ---

  Explanation