CrowdStrike CCFA-200 Online Practice Questions and Exam Preparation

CrowdStrike CCFA-200 Online Questions & Answers

• Question 151:

  What is the purpose of the Machine-Learning Prevention Monitoring Report?

  A. It is designed to give an administrator a quick overview of machine-learning aggressiveness settings as well as the numbers of items actually quarantined
  B. It is the dashboard used by an analyst to view all items quarantined and to release any items deemed non-malicious
  C. It is the dashboard used to see machine-learning preventions, and it is used to identify spikes in activity and possible targeted attacks
  D. It is designed to show malware that would have been blocked in your environment based on different Machine-Learning Prevention settings
  D. It is designed to show malware that would have been blocked in your environment based on different Machine-Learning Prevention settings

  ---

  Explanation

  Machine-Learning Prevention Monitoring dashboard: Use this dashboard to view malware that would have been blocked in your environment over the selected timeframe based on different Machine Learning Prevention settings (Cautious, Moderate, Aggressive or Extra Aggressive).

• Question 152:

  Which exclusion pattern will prevent detections on a file at C:\Program Files\My Program\My Files\program.exe?

  A. \Program Files\My Program\My Files\*
  B. \Program Files\My Program\*
  C. *\*
  D. *\Program Files\My Program\*\
  A. \Program Files\My Program\My Files\*

  ---

  Explanation

  The exclusion pattern that will prevent detections on a file at C:\Program Files\My Program\My Files\program.exe is \Program Files\My Program\My Files*. This pattern will match any file under the My Files folder, including program.exe, and exclude them from detections. The other patterns are either incorrect or too broad to prevent detections on this specific file.

  [CrowdStrike Falcon User Guide], page 37.

• Question 153:

  You have a member of your SECOPS team that is building custom scripts for your environment and they cannot save or share them in Falcon. What additional role do they need to be able accomplish this?

  A. Real Time Responde - Active Responder
  B. All Real Time Response roles can do this
  C. Falcon Scripts Manager
  D. Real Time Response - Administrator
  C. Falcon Scripts Manager

  ---

  Explanation

• Question 154:

  How can you find a list of hosts that have not communicated with the CrowdStrike Cloud in the last 30 days?

  A. Under Dashboards and reports, choose the Sensor Report. Set the "Last Seen" dropdown to 30 days and reference the Inactive Sensors widget
  B. Under Host setup and management, choose the Host Management page. Set the group filter to "Inactive Sensors"
  C. Under Host setup and management > Managed endpoints > Inactive Sensors. Change the time range to 30 days
  D. Under Host setup and management, choose the Disabled Sensors Report. Change the time range to 30 days
  C. Under Host setup and management > Managed endpoints > Inactive Sensors. Change the time range to 30 days

  ---

  Explanation

  The administrator can find a list of hosts that have not communicated with the CrowdStrike Cloud in the last 30 days by going to Host setup and management > Managed endpoints > Inactive Sensors. Then, change the time range to 30 days. This will show the host name, last seen date, sensor version and group name for each inactive host. The other options are either incorrect or not available.

  [CrowdStrike Falcon User Guide], page 31.

• Question 155:

  When a Linux host is in Reduced Functionality Mode (RFM) what telemetry and protection is still offered?

  A. The sensor would provide protection as normal, without event telemetry
  B. The sensor would provide minimal protection
  C. The sensor would function as normal
  D. The sensor provides no protection, and only collects Sensor Heart Beat events
  D. The sensor provides no protection, and only collects Sensor Heart Beat events

  ---

  Explanation

• Question 156:

  What default roles can view, create, and edit work ows?

  A. Falcon Administrator, Falcon Security Lead
  B. Falcon Administrator, Workflow Author
  C. Falcon Administrator, Falcon Security Lead, Workflow Author
  D. Falcon Administrator, Workflow Author, Falcon Security Lead, Falcon Investigator
  C. Falcon Administrator, Falcon Security Lead, Workflow Author

  ---

  Explanation

• Question 157:

  An analyst has reported they are not receiving workflow triggered notifications in the past few days. Where should you first check for potential failures?

  A. Custom Alert History
  B. Workflow Execution log
  C. Workflow Audit log
  D. Falcon UI Audit Trail
  B. Workflow Execution log

  ---

  Explanation

  The Workflow Execution log in the Workflow Management option allows you to view the status and results of workflow executions triggered by detection events. You can filter the log by workflow name, status, start and end time, and detection ID. You can also view the details of each execution, including the actions performed, the output received, and any errors encountered. This log can help you troubleshoot potential failures or issues with your workflows1.

  References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

• Question 158:

  What will happen to a host if it is not assigned a Sensor Update policy?

  A. The host will uninstall the Sensor and provide an alert to the installation team
  B. The host will automatically update to the newest sensor version and auto-update to future release
  C. The host will automatically create a custom Sensor Update policy
  D. The host will use the Default Sensor Update policy
  D. The host will use the Default Sensor Update policy

  ---

  Explanation

  The option that describes what will happen to a host if it is not assigned a Sensor Update policy is that the host will use the Default Sensor Update policy. A Sensor Update policy is a policy that controls how and when the Falcon sensor is updated on a host. You can create and assign custom Sensor Update policies to different hosts or groups in your environment. However, if a host is not assigned to a specific Sensor Update policy, it will inherit the settings from the Default Sensor Update policy. The Default Sensor Update policy is a "catch-all" policy that is enabled by default and has the "Uninstall and Maintenance Protection" feature turned on. You can modify the settings of the Default Sensor Update policy, but you cannot delete or disable it1.

  References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

• Question 159:

  What best describes what happens to detections in the console after clicking "Disable Detections" for a host from within the Host Management page?

  A. The detections for the host are removed from the console immediately and no new detections will display in the console going forward
  B. You cannot disable detections for a host
  C. Existing detections for the host remain, but no new detections will display in the console going forward
  D. Preventions will be disabled for the host
  A. The detections for the host are removed from the console immediately and no new detections will display in the console going forward

  ---

  Explanation

  The option that best describes what happens to detections in the console after clicking "Disable Detections" for a host from within the Host Management page is that the detections for the host are removed from the console immediately and no new detections will display in the console going forward. The "Disable Detections" feature allows you to enable or disable the detection and prevention capabilities of the Falcon sensor on a specific host. When you disable detections for a host, the sensor will stop sending any detection or prevention events to the Falcon console, and any existing events for that host will be removed from the console. When you enable detections for a host, the sensor will resume sending any new detection or prevention events to the Falcon console, but any previous events for that host will not be restored to the console1.

  References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

• Question 160:

  When creating an API client, which of the following must be saved immediately since it cannot be viewed again after the client is created?

  A. Base URL
  B. Secret
  C. Client ID
  D. Client name
  B. Secret

  ---

  Explanation

  When creating an API client, the secret must be saved immediately since it cannot be viewed again after the client is created. The secret is a randomly generated string that is used to authenticate the API client along with the client ID. The other options are either incorrect or can be viewed or modified later.

  CrowdStrike Falcon User Guide, page 54.