CrowdStrike Falcon Certification Program CCFA-200 Questions & Answers
Question 1:
You need to export a list of all detections for a specific Host Name in the last 24 hours. What is the best way to do this?
A. Go to Host Management in the Host page. Select the host and use the Export Detections button
B. Utilize the Detection Resolution Dashboard. Use the filters to focus on the appropriate hostname and time, then export the results from the "Detection Resolution History" section
C. In the Investigate module, access the Detection Activity page. Use the filters to focus on the appropriate hostname and time, then export the results
D. Utilize the Detection Activity Dashboard. Use the filters to focus on the appropriate hostname and time, then export the results from the "Detections by Host" section
Correct Answer: C
The best way to export a list of all detections for a specific Host Name in the last 24 hours is to go to the Investigate module, open the Detection Activity page, filter on the hostname and the 24-hour time range, and export the results. This downloads a CSV file containing every detection recorded for that host in that period. The other options are either incorrect or do not export detections. Reference: CrowdStrike Falcon User Guide, page 49.
Question 2:
What should be disabled on firewalls so that the sensor's man-in-the-middle attack protection works properly?
A. Deep packet inspection
B. Linux Sub-System
C. PowerShell
D. Windows Proxy
Correct Answer: A
Deep packet inspection should be disabled on firewalls (or Falcon cloud traffic exempted from it) so that the sensor's man-in-the-middle protection works properly. When a firewall performs deep packet inspection of TLS traffic, it terminates the sensor's encrypted session and presents its own re-signed certificate in place of the Falcon cloud's. The sensor validates the server certificate against a certificate pinned in the sensor; a firewall-issued certificate does not match, so the sensor rejects the connection and logs an error instead of talking to the inspecting device. Reference: How to Become a CrowdStrike Certified Falcon Administrator
Question 3:
Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group. What is the next step to disable RTR only on these hosts?
A. Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
B. Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"
C. Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
D. Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality"
Correct Answer: C
The administrator can create a new Response Policy, toggle the "Real Time Response" switch off, and assign the policy to the host group that contains the servers that must not be accessed remotely. This disables RTR only on those hosts while keeping it enabled for the rest. Editing the Default Response Policy would change RTR for every host that has no other policy assigned, and Response Policies do not use an exceptions list, so options A, B and D do not achieve the desired result. Reference: CrowdStrike Falcon User Guide, page 35.
Question 4:
What will happen to a host if it is not assigned a Sensor Update policy?
A. The host will uninstall the Sensor and provide an alert to the installation team
B. The host will automatically update to the newest sensor version and auto-update to future release
C. The host will automatically create a custom Sensor Update policy
D. The host will use the Default Sensor Update policy
Correct Answer: D
If a host is not assigned a Sensor Update policy, it uses the Default Sensor Update policy. A Sensor Update policy controls how and when the Falcon sensor is updated on a host. You can create and assign custom Sensor Update policies to different hosts or host groups in your environment, but any host not assigned to a specific policy inherits the settings of the Default Sensor Update policy. The Default Sensor Update policy is a catch-all policy that is enabled by default and has the "Uninstall and Maintenance Protection" feature turned on. You can modify its settings, but you cannot delete or disable it. Reference: Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 5:
When creating an API client, which of the following must be saved immediately since it cannot be viewed again after the client is created?
A. Base URL
B. Secret
C. Client ID
D. Client name
Correct Answer: B
When creating an API client, the secret must be saved immediately because it cannot be viewed again after the client is created; if it is lost, a new secret has to be generated for the client. The secret is a randomly generated string that authenticates the API client together with the client ID. The Base URL, client ID and client name remain visible in the console afterwards, so none of the other options needs to be captured at creation time. Reference: CrowdStrike Falcon User Guide, page 54.
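The following script is an added example (it is not from this page or from CrowdStrike) tying Question 1 and Question 5 together: it exchanges an API client ID and secret for a bearer token, then queries detections for one hostname over the last 24 hours and writes them to CSV, which is the same export the Detection Activity page produces. The secret is read from an environment variable and sent only once, in the token request. The base URL, the `/oauth2/token`, `/detects/queries/detects/v1` and `/detects/entities/summaries/GET/v1` endpoints, and the FQL field names `device.hostname` and `last_behavior` are taken from the CrowdStrike Detects API v1 as the author remembers it and should be checked against your cloud's API reference; the detection records in the usage example are constructed.

```python
"""Export detections for one host (last 24 h) using a Falcon API client ID/secret.

Added example, not from the page or CrowdStrike. Endpoint paths and FQL field
names are assumed from the Detects API v1; verify them for your Falcon cloud.
"""
import csv
import io
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# The base URL depends on your Falcon cloud (US-1 shown; US-2, EU-1 and
# GovCloud use different hosts), which is why the Base URL in Question 5 is
# shown in the console and does not need to be saved at creation time.
BASE_URL = os.environ.get("FALCON_BASE_URL", "https://api.crowdstrike.com")


def build_token_request(base_url, client_id, client_secret):
    """OAuth2 client-credentials exchange. The secret travels once, in the POST
    body, and is never logged; only the short-lived bearer token is kept."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        f"{base_url}/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw_json):
    """Return (access_token, expires_in seconds); raise on an error payload."""
    data = json.loads(raw_json)
    token = data.get("access_token")
    if not token:
        raise RuntimeError("token exchange failed: %s" % data.get("errors"))
    return token, int(data.get("expires_in", 0))


def detections_filter(hostname, now=None, hours=24):
    """FQL filter for one host whose latest behavior falls inside the window.
    Quotes are stripped from the hostname so it cannot break out of the
    quoted value and alter the query."""
    now = now or datetime.now(timezone.utc)
    since = (now - timedelta(hours=hours)).strftime("%Y-%m-%dT%H:%M:%SZ")
    safe_host = hostname.replace("'", "")
    return f"device.hostname:'{safe_host}'+last_behavior:>'{since}'"


def detections_to_csv(summaries):
    """Flatten detection summaries into CSV text, one row per detection."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["detection_id", "hostname", "severity", "status",
                     "first_behavior", "last_behavior", "tactics", "filenames"])
    for d in summaries:
        behaviors = d.get("behaviors", [])
        writer.writerow([
            d.get("detection_id"),
            d.get("device", {}).get("hostname"),
            d.get("max_severity_displayname"),
            d.get("status"),
            d.get("first_behavior"),
            d.get("last_behavior"),
            ";".join(sorted({b.get("tactic", "") for b in behaviors})),
            ";".join(sorted({b.get("filename", "") for b in behaviors})),
        ])
    return out.getvalue()


def api_call(req):
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def export_host_detections(hostname, path):
    """Token -> detection IDs -> summaries -> CSV file. Returns the row count."""
    client_id = os.environ["FALCON_CLIENT_ID"]          # never hard-code these
    client_secret = os.environ["FALCON_CLIENT_SECRET"]
    token, _ = parse_token_response(
        api_call(build_token_request(BASE_URL, client_id, client_secret)))
    auth = {"Authorization": f"Bearer {token}"}
    query = urllib.parse.urlencode(
        {"filter": detections_filter(hostname), "limit": 500})  # page if >500
    ids = json.loads(api_call(urllib.request.Request(
        f"{BASE_URL}/detects/queries/detects/v1?{query}",
        headers=auth)))["resources"]
    summaries = []
    if ids:
        body = json.dumps({"ids": ids}).encode()
        summaries = json.loads(api_call(urllib.request.Request(
            f"{BASE_URL}/detects/entities/summaries/GET/v1", data=body,
            method="POST",
            headers={**auth, "Content-Type": "application/json"})))["resources"]
    with open(path, "w", newline="") as fh:
        fh.write(detections_to_csv(summaries))
    return len(summaries)


if __name__ == "__main__":
    import sys
    print(export_host_detections(sys.argv[1], sys.argv[2]), "detections written")
```

Run it as `FALCON_CLIENT_ID=... FALCON_CLIENT_SECRET=... python export.py WS-01 ws-01.csv`. The API client needs read scope on detections; because the token is requested fresh each run, a rotated secret only has to be updated in the environment, never in the script.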
Question 6:
To enhance your security, you want to detect and block based on a list of domains and IP addresses. How can you use IOC management to help this objective?
A. Blocking of Domains and IP addresses is not a function of IOC management. A Custom IOA Rule should be used instead
B. Using IOC management, import the list of hashes and IP addresses and set the action to Detect Only
C. Using IOC management, import the list of hashes and IP addresses and set the action to Prevent/Block
D. Using IOC management, import the list of hashes and IP addresses and set the action to No Action
Correct Answer: A
For domain and IP address indicators, IOC management offers only the "No action" and "Detect only" actions, so it cannot be used to block connections to a list of IPs or domains. Custom IOA Rule Groups, by contrast, support Network Connection and Domain Name rule types that match on a remote IP address or domain, with the actions "Monitor", "Detect" and "Kill Process"; the last of these is the closest equivalent to blocking.
Question 7:
You want the Falcon Cloud to push out sensor version changes but you also want to manually control when the sensor version is upgraded or downgraded. In the Sensor Update policy, which is the best Sensor version option to achieve these requirements?
A. Specific sensor version number
B. Auto - TEST-QA
C. Sensor version updates off
D. Auto - N-1
Correct Answer: A
The administrator can choose a specific sensor version number in the Sensor Update policy to manually control when the sensor version is upgraded or downgraded. This still lets the Falcon Cloud push out sensor version changes, but only when the administrator changes the version number in the policy. The other options either automate sensor version updates (Auto - N-1, Auto - TEST-QA) or turn them off completely. Reference: CrowdStrike Falcon User Guide, page 38.
Question 8:
When troubleshooting the Falcon Sensor on Windows, what is the correct parameter to output the log directory to a specified file?
A. LOG=log.txt
B. \log log.txt
C. C:\CSSensorInstall\LogFiles
D. /log log.txt
Correct Answer: D
The correct parameter to write the Falcon Sensor installer log to a specified file on Windows is /log log.txt. This creates a log file named log.txt in the folder from which you run the sensor installation command. The log records the installation process, including the parameters used, the actions performed, and any errors encountered, which is the first place to look when a Windows installation fails. Reference: How to Become a CrowdStrike Certified Falcon Administrator
Question 9:
On which page of the Falcon console would you create sensor groups?
A. User management
B. Sensor update policies
C. Host management
D. Host groups
Correct Answer: D
The only place to create host groups is Host setup and management > Host groups > Create a group. On the Sensor Update policies page you can only assign an existing host group to a policy, not create a group of hosts.
Question 10:
What would be the most appropriate action to take if you wanted to prevent a folder from being uploaded to the cloud without disabling uploads globally?
A. A Machine Learning exclusion
B. A Sensor Visibility exclusion
C. An IOA exclusion
D. A Custom IOC entry
Correct Answer: A
The most appropriate action if you want to stop a folder from being uploaded to the cloud without disabling uploads globally is to create a Machine Learning exclusion. A Machine Learning exclusion is scoped to a file path (glob patterns are supported) and to the host groups you choose, and it can be configured to exclude matching files from cloud uploads without affecting uploads from any other path or host. A Sensor Visibility exclusion stops the sensor from monitoring the path altogether, which creates a blind spot rather than a narrower control; an IOA exclusion only suppresses a specific behavioral detection; and a Custom IOC entry covers file hashes, domains and IP addresses, not folder paths, and does not govern uploads. Reference: Falcon Administrator Learning Path | Infographic | CrowdStrike
Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find the answers. Vcedump.com provides not only CrowdStrike exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are unsure about your CCFA-200 exam preparation or your CrowdStrike certification application, visit Vcedump.com to find your solutions.