CrowdStrike CCFA-200 Online Practice Questions and Exam Preparation

CrowdStrike CCFA-200 Online Questions & Answers

• Question 71:

  How long are detection events kept in Falcon?

  A. Detection events are kept for 90 days
  B. Detections events are kept for your subscribed data retention period
  C. Detection events are kept for 7 days
  D. Detection events are kept for 30 days
  A. Detection events are kept for 90 days

  ---

  Explanation

  " Data is only available in the Falcon UI for investigations, etc. through the company's data retention time frame; detection information is kept for 90 days regardless; UI audits are available for 1 year

• Question 72:

  Why is the ability to disable detections helpful?

  A. It gives users the ability to set up hosts to test detections and later remove them from the console
  B. It gives users the ability to uninstall the sensor from a host
  C. It gives users the ability to allowlist a false positive detection
  D. It gives users the ability to remove all data from hosts that have been uninstalled
  A. It gives users the ability to set up hosts to test detections and later remove them from the console

  ---

  Explanation

• Question 73:

  Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?

  A. Real Time Responder
  B. Endpoint Manager
  C. Falcon Investigator
  D. Remediation Manager
  A. Real Time Responder

  ---

  Explanation

  The Real Time Responder role allows users to use the "Connect to Host" feature to gather additional information from the host, such as running processes, registry keys, files, etc. The other roles do not have this capability.

  CrowdStrike Falcon User Guide, page 18.

• Question 74:

  How can a Falcon Administrator configure a pop-up message to be displayed on a host when the Falcon sensor blocks, kills or quarantines an activity?

  A. By ensuring each user has set the "pop-ups allowed" in their User Profile configuration page
  B. By enabling "Upload quarantined files" in the General Settings configuration page
  C. By turning on the "Notify End Users" setting at the top of the Prevention policy details configuration page
  D. By selecting "Enable pop-up messages" from the User configuration page
  C. By turning on the "Notify End Users" setting at the top of the Prevention policy details configuration page

  ---

  Explanation

  A Falcon Administrator can configure a pop-up message to be displayed on a host when the Falcon sensor blocks, kills or quarantines an activity by turning on the "Notify End Users" setting at the top of the Prevention policy details configuration page. This setting allows users to enable or disable end user notifications for prevention actions taken by Falcon on Windows hosts. The other options are either incorrect or not related to configuring pop-up messages.

  CrowdStrike Falcon User Guide, page 36.

• Question 75:

  While a host is Network contained, you need to allow the host to access internal network resources on specific IP addresses to perform patching and remediation. Which configuration would you choose?

  A. Configure a Real Time Response policy allowlist with the specific IP addresses
  B. Configure a Containment Policy with the specific IP addresses
  C. Configure a Containment Policy with the entire internal IP CIDR block
  D. Configure the Host firewall to allowlist the specific IP addresses
  B. Configure a Containment Policy with the specific IP addresses

  ---

  Explanation

  While a host is Network contained, the administrator can allow the host to access internal network resources on specific IP addresses to perform patching and remediation by configuring a Containment Policy with the specific IP addresses. This policy allows users to specify which ports, protocols and IP addresses are allowed or blocked during network containment. The other options are either incorrect or not related to network containment.

  [CrowdStrike Falcon User Guide], page 40.

• Question 76:

  Which port and protocol does the sensor use to communicate with the CrowdStrike Cloud?

  A. TCP port 22 (SSH)
  B. TCP port 443 (HTTPS)
  C. TCP port 80 (HTTP)
  D. TCP UDP port 53 (DNS)
  B. TCP port 443 (HTTPS)

  ---

  Explanation

  The sensor uses TCP port 443 (HTTPS) to communicate with the CrowdStrike Cloud. This port and protocol are used to securely send and receive data between the sensor and the cloud, such as detections, policies, updates, commands, etc. The other options are either incorrect or not used by the sensor.

  CrowdStrike Falcon User Guide, page 28.

• Question 77:

  Which is the correct order for manually installing a Falcon Package on a macOS system?

  A. Install the Falcon package, then register the Falcon Sensor via the registration package
  B. Install the Falcon package, then register the Falcon Sensor via command line
  C. Register the Falcon Sensor via command line, then install the Falcon package
  D. Register the Falcon Sensor via the registration package, then install the Falcon package
  B. Install the Falcon package, then register the Falcon Sensor via command line

  ---

  Explanation

  The correct order for manually installing a Falcon Package on a macOS system is to install the Falcon package, then register the Falcon Sensor via command line. The Falcon package contains the sensor binary and the kernel extension, while the registration package contains the customer ID and the sensor group ID. The registration package is not required for macOS systems, as the registration information can be provided via command line after installing the Falcon package1.

  References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

• Question 78:

  During a sensor installation, what unique identifier is given to each sensor?

  A. Agent ID (AID)
  B. Security ID (SID)
  C. Computer ID (CID)
  D. Endpoint ID (EID)
  A. Agent ID (AID)

  ---

  Explanation

• Question 79:

  Which of the following is NOT a way to determine the sensor version installed on a specific endpoint?

  A. Use the Sensor Report to filter to the specific endpoint
  B. Use the Investigate > Host Search to filter to the specific endpoint
  C. Use Host Management to select the desired endpoint. The agent version will be listed in the columns and details
  D. From a command line, run the sc query csagent -version command
  D. From a command line, run the sc query csagent -version command

  ---

  Explanation

  From a command line, running the sc query csagent -version command is not a way to determine the sensor version installed on a specific endpoint. This command will only show the status of the csagent service, not the sensor version. The other options are valid ways to determine the sensor version installed on a specific endpoint using Falcon UI or API. You can use the Sensor Report, the Host Search, or the Host Management features to filter, search, or select the desired endpoint and view the sensor version information12.

  References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike 2: How to Become a CrowdStrike Certified Falcon Administrator

• Question 80:

  When creating new IOCs in IOC management, which of the following fields must be configured?

  A. Hash, Description, Filename
  B. Hash, Action and Expiry Date
  C. Filename, Severity and Expiry Date
  D. Hash, Platform and Action
  D. Hash, Platform and Action

  ---

  Explanation

  When creating new IOCs in IOC management, the administrator must configure the Hash, Platform and Action fields. The Hash field is the value of the IOC, such as MD5, SHA1 or SHA256. The Platform field is the operating system that the IOC applies to, such as Windows, Linux or Mac. The Action field is the action that Falcon will take when detecting the IOC, such as Detect, Block or Allow. The other fields are either optional or not available.

  CrowdStrike Falcon User Guide, page 44