CrowdStrike CCFA-200 Online Practice Questions and Exam Preparation

CrowdStrike CCFA-200 Online Questions & Answers

• Question 81:

  Where do you obtain the Windows sensor installer for CrowdStrike Falcon?

  A. Sensors are downloaded from the Hosts > Sensor Downloads
  B. Sensor installers are unique to each customer and must be obtained from support
  C. Sensor installers are downloaded from the Support section of the CrowdStrike website
  D. Sensor installers are not used because sensors are deployed from within Falcon
  A. Sensors are downloaded from the Hosts > Sensor Downloads

  ---

  Explanation

  The Windows sensor installer for CrowdStrike Falcon can be downloaded from the Hosts > Sensor Downloads page in the Falcon console. This page allows you to download different sensor versions and installers for various operating systems and platforms, as well as view installation instructions and release notes. The other options are either incorrect or not available.

  CrowdStrike Falcon User Guide, page 27.

• Question 82:

  What may prevent a user from logging into Falcon via single sign-on (SSO)?

  A. The SSO username doesn't match their email address in Falcon
  B. The maintenance token has expired
  C. Falcon is in reduced functionality mode
  D. The user never configured their security questions
  A. The SSO username doesn't match their email address in Falcon

  ---

  Explanation

  The option that may prevent a user from logging into Falcon via single sign- on (SSO) is that the SSO username doesn't match their email address in Falcon. SSO is a feature that allows you to use an external identity provider (IdP) to

  authenticate and authorize users to access the Falcon platform. SSO simplifies and streamlines the login process, as users only need to remember one set of credentials for multiple applications. However, SSO requires that the username in

  the IdP matches the email address in Falcon for each user. If there is a mismatch between the username and the email address, the user will not be able to log into Falcon via SSO.

  References: : [Cybersecurity Resources | CrowdStrike]

• Question 83:

  What will happen to a host that is not part of any group which has a prevention policy assigned to it?

  A. The host will apply the default prevention policy
  B. The host will apply a sensor-based policy to prevent a majority of known threats
  C. The host will send a noti cation to the Falcon Administrator to assign a prevention policy
  D. The host will disable the falcon sensor
  A. The host will apply the default prevention policy

  ---

  Explanation

• Question 84:

  The Falcon sensor uses certificate pinning to defend against man-in-the-middle attacks. Which statement is TRUE concerning Falcon sensor certificate validation?

  A. SSL inspection should be configured to occur on all Falcon traffic
  B. Some network configurations, such as deep packet inspection, interfere with certificate validation
  C. HTTPS interception should be enabled to proceed with certificate validation
  D. Common sources of interference with certificate pinning include protocol race conditions and resource contention
  B. Some network configurations, such as deep packet inspection, interfere with certificate validation

  ---

  Explanation

  The statement that some network configurations, such as deep packet inspection, interfere with certificate validation is true concerning Falcon sensor certificate validation. The Falcon sensor uses certificate pinning to defend against man-inthe-middle attacks, which means that it verifies that the server certificate presented by the Falcon cloud matches a hard-coded certificate embedded in the sensor. Some network configurations, such as deep packet inspection, SSL inspection, or HTTPS interception, may attempt to modify or replace the server certificate, which will cause the sensor to reject the connection and generate an error3.

  References: 3: How to Become a CrowdStrike Certified Falcon Administrator

• Question 85:

  What is the best way to write an ML exclusion for any executable le at "C:\Program Files\Software\"?

  A. You cannot. You must list a specific le in an exclusion rule
  B. Program Files\Software\**
  C. Program Files\Software\.*
  D. Program Files\Software\*.exe
  D. Program Files\Software\*.exe

  ---

  Explanation

• Question 86:

  What is likely the reason your Windows host would be in Reduced Functionality Mode (RFM)?

  A. Microsoft updates altering the kernel
  B. The host lost internet connectivity
  C. A misconfiguration in your prevention policy for the host
  D. A Sensor Update Policy was misconfigured
  B. The host lost internet connectivity

  ---

  Explanation

  The likely reason your Windows host would be in Reduced Functionality Mode (RFM) is that the host lost internet connectivity. RFM is a mode that limits the sensor's functionality due to license expiration, network connectivity loss, or certificate validation failure. When a Windows sensor is in RFM, it will only provide basic prevention capabilities, such as blocking known malware hashes and preventing script execution from the %TEMP% directory. The sensor will not send any telemetry or detection events to the Falcon platform, and will not receive any policy or update changes from the Falcon cloud1. Losing internet connectivity is a common cause of RFM, as it prevents the sensor from communicating with the Falcon cloud. A misconfiguration in your prevention policy or sensor update policy will not cause RFM, as these policies are applied by the Falcon cloud and do not affect the sensor's license, network, or certificate status. Microsoft updates altering the kernel may cause compatibility issues with the sensor, but not RFM3.

  References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike 3: How to Become a CrowdStrike Certified Falcon Administrator

• Question 87:

  When deploying the Falcon Sensor alongside an existing security solution, you enable the Quarantine prevention setting in Falcon.

  What is the recommended Configuration for both solutions?

  A. Disable or remove the other AV solution and con gure ODS Cloud Anti-Malware prevention in Falcon to Moderate or higher
  B. Disable or remove the other AV solution and con gure NGAV Sensor Machine Learning prevention in Falcon to Moderate or higher
  C. Disable or remove the other AV solution and con gure NGAV Sensor Machine Learning prevention in Falcon to Cautious
  D. Disable or remove the other AV solution and con gure NGAV Cloud Machine Learning prevention in Falcon to Extra-Aggressive
  B. Disable or remove the other AV solution and con gure NGAV Sensor Machine Learning prevention in Falcon to Moderate or higher

  ---

  Explanation

• Question 88:

  What would be the most appropriate action to take if you wanted to prevent a folder from being uploaded to the cloud without disabling uploads globally?

  A. A Machine Learning exclusion
  B. A Sensor Visibility exclusion
  C. An IOA exclusion
  D. A Custom IOC entry
  B. A Sensor Visibility exclusion

  ---

  Explanation

• Question 89:

  When would the No Action option be assigned to a hash in IOC Management?

  A. When you want to save the indicator for later action, but do not want to block or allow it at this time
  B. Add the indicator to your allowlist and do not detect it
  C. There is no such option as No Action available in the Falcon console
  D. Add the indicator to your blocklist and show it as a detection
  A. When you want to save the indicator for later action, but do not want to block or allow it at this time

  ---

  Explanation

  The No Action option can be assigned to a hash in IOC Management when you want to save the indicator for later action, but do not want to block or allow it at this time. This option will neither detect nor prevent the execution of the hash, but will keep it in the IOC list for future reference. The other options are either incorrect or not related to the No Action option.

  CrowdStrike Falcon User Guide, page 44.

• Question 90:

  In order to quarantine files on the host, what prevention policy settings must be enabled?

  A. Malware Protection and Custom Execution Blocking must be enabled
  B. Next-Gen Antivirus Prevention sliders and "Quarantine and Security Center Registration" must be enabled
  C. Malware Protection and Windows Anti-Malware Execution Blocking must be enabled
  D. Behavior-Based Threat Prevention sliders and Advanced Remediation Actions must be enabled
  B. Next-Gen Antivirus Prevention sliders and "Quarantine and Security Center Registration" must be enabled

  ---

  Explanation

  In order to quarantine files on the host, the administrator must enable the Next-Gen Antivirus Prevention sliders and "Quarantine and Security Center Registration" in the prevention policy settings. This will allow Falcon to quarantine malicious files and register them with Windows Security Center. The other options are either incorrect or not sufficient to enable quarantine.

  [CrowdStrike Falcon User Guide], page 36.