CrowdStrike CCFA-200 Online Practice Questions and Exam Preparation

CrowdStrike CCFA-200 Online Questions & Answers

• Question 161:

  Which of the following options is a feature found ONLY with the Sensor-based Machine Learning (ML)?

  A. Next-Gen Antivirus (NGAV) protection
  B. Adware and Potentially Unwanted Program detection and prevention
  C. Real-time offline protection
  D. Identification and analysis of unknown executables
  D. Identification and analysis of unknown executables

  ---

  Explanation

  According to documentation (documentation/detections/technique/sensor- based-ml-cst0007): CrowdStrike sensor-based machine learning (ML) identifies and analyzes unknown executables as they run on hosts. This technique is triggered by files and file attributes associated with known malware. This is similar to the [Cloud-based ML](/support/documentation/detections/technique/cloud-based-ml) technique. Cloud-based ML is informed by global analysis of executables that classifies and identifies malware. The key difference is that it doesn't run on hosts when they're offline.

• Question 162:

  You are attempting to install the Falcon sensor on a host with a slow Internet connection and the installation fails after 20 minutes. Which of the following parameters can be used to override the 20-minute default provisioning window?

  A. ExtendedWindow=1
  B. Timeout=0
  C. ProvNoWait=1
  D. Timeout=30
  C. ProvNoWait=1

  ---

  Explanation

  "ProvNoWait=1

  The sensor does not abort installation if it can't connect to the CrowdStrike cloud within 20 minutes (10 minutes, in Falcon sensor version 6.21 and earlier). (By default, if the host can't contact our cloud, it will retry the connection for 20

  minutes. After that, the host will automatically uninstall its sensor.)"

  "ProvWaitTime=3600000

  The sensor waits for 1 hour to connect to the CrowdStrike cloud when installing (the default is 20 minutes)."

• Question 163:

  How can you find a list of hosts that have not communicated with the CrowdStrike Cloud in the last 30 days?

  A. Disabled Sensors
  B. Inactive Sensors
  C. Custom Reports
  D. Sensor Report
  B. Inactive Sensors

  ---

  Explanation

• Question 164:

  How does the Unique Hosts Connecting to Countries Map help an administrator?

  A. It highlights countries with known malware
  B. It helps visualize global network communication
  C. It identifies connections containing threats
  D. It displays intrusions from foreign countries
  B. It helps visualize global network communication

  ---

  Explanation

  The Unique Hosts Connecting to Countries Map helps an administrator to visualize global network communication. The map shows the number of unique hosts in your environment that have established network connections to different countries in the past 24 hours. You can use this map to identify unusual or suspicious network activity, such as connections to high-risk countries or regions, or connections from hosts that are not expected to communicate with external entities2.

  References: 2: Cybersecurity Resources | CrowdStrike

• Question 165:

  When creating a custom IOA for a specific domain, which syntax would be best for detecting or preventing on all subdomains as well?

  A. .*\.baddomain\.xyz|baddomain\.xyz
  B. **baddomain\.xyz|baddomain\.xyz**
  C. .*baddomain\.xyz|baddomain\.xyz.*
  D. Custom IOA rules cannot be created for domains
  A. .*\.baddomain\.xyz|baddomain\.xyz

  ---

  Explanation

• Question 166:

  What is the purpose of using groups with Sensor Update policies in CrowdStrike Falcon?

  A. To group hosts with others in the same business unit
  B. To group hosts according to the order in which Falcon was installed, so that updates are installed in the same order every time
  C. To prioritize the order in which Falcon updates are installed, so that updates are not installed all at once leading to network congestion
  D. To allow the controlled assignment of sensor versions onto specific hosts
  D. To allow the controlled assignment of sensor versions onto specific hosts

  ---

  Explanation

  The purpose of using groups with Sensor Update policies in CrowdStrike Falcon is to allow the controlled assignment of sensor versions onto specific hosts. This allows users to manage the sensor updates for different hosts based on their needs and preferences, such as testing, staging or production. The other options are either incorrect or not related to using groups with Sensor Update policies.

  [CrowdStrike Falcon User Guide], page 38.

• Question 167:

  When troubleshooting the Falcon Sensor on Windows, what is the correct parameter to output the log directory to a specified file?

  A. LOG=log.txt
  B. \log log.txt
  C. C:\CSSensorlnstall\LogFiles
  D. /log log.txt
  D. /log log.txt

  ---

  Explanation

  The correct parameter to output the log directory to a specified file when troubleshooting the Falcon Sensor on Windows is /log log.txt. This parameter will create a log file named log.txt in the same folder where you run the sensor installation command. The log file will contain information about the sensor installation process, such as the parameters used, the actions performed, and any errors encountered3.

  References: How to Become a CrowdStrike Certified Falcon Administrator

• Question 168:

  Which of the following is TRUE regarding disabling detections for a host?

  A. After disabling detections, the host will operate in Reduced Functionality Mode (RFM) until detections are enabled
  B. After disabling detections, the data for all existing detections prior to disabling detections is removed from the Event Search
  C. The DetectionSummaryEvent continues being sent to the Streaming API for that host
  D. The detections for that host are removed from the console immediately. No new detections will display in the console going forward unless detections are enabled
  D. The detections for that host are removed from the console immediately. No new detections will display in the console going forward unless detections are enabled

  ---

  Explanation

• Question 169:

  You have a new patch server that should be reachable while hosts in your environment are network contained. The server's IP address is static and does not change. Which of the following is the best approach to updating the Containment Policy to allow this?

  A. Add an allowlist entry for the individual server's MAC address
  B. Add an allowlist entry containing the host group that the server belongs to
  C. Add an allowlist entry for the individual server's IP address
  D. Add an allowlist entry containing CIDR notation for the /24 network the server belongs to
  C. Add an allowlist entry for the individual server's IP address

  ---

  Explanation

  The best approach to updating the Containment Policy to allow a new patch server that should be reachable while hosts in your environment are network contained is to add an allowlist entry for the individual server's IP address. An allowlist

  entry allows you to define a list of trusted IP addresses that can communicate with your contained hosts. This way, you can isolate a host from the network while still allowing it to access essential resources or services, such as a patch server.

  If the server's IP address is static and does not change, adding an individual IP address is more precise and secure than adding a host group or a network range.

  References: Cybersecurity Resources | CrowdStrike

• Question 170:

  You have been asked to troubleshoot why Script Based Execution Monitoring (SBEM) is not enabled on a Falcon host. Which report can be used to determine if this is an issue with an old prevention policy?

  A. Host Update Status Report
  B. Custom Alerting Audit Trail
  C. Prevention Policy Debug
  D. SBEM Debug Report
  C. Prevention Policy Debug

  ---

  Explanation

  The report that can be used to determine if Script Based Execution Monitoring (SBEM) is not enabled on a Falcon host due to an old prevention policy is Prevention Policy Debug. The Prevention Policy Debug report allows you to view and compare the prevention policy settings applied to each host in your environment. You can use this report to identify any hosts that have outdated or inconsistent prevention policy settings, such as SBEM, which is a feature that monitors and prevents malicious script execution on Windows systems1.

  References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike