CrowdStrike CrowdStrike Certifications CCFA-200 Questions & Answers

• Question 121:

  After Network Containing a host, your Incident Response team states they are unable to remotely connect to the host. Which of the following would need to be configured to allow remote connections from specified IP's?

  A. Response Policy

  B. Containment Policy

  C. Maintenance Token

  D. IP Allowlist Management

  Correct Answer: D

  The option that would need to be configured to allow remote connections from specified IP's after network containing a host is IP Allowlist Management. IP Allowlist Management allows you to define a list of trusted IP addresses that can communicate with your contained hosts. This way, you can isolate a host from the network while still allowing your incident response team or other authorized parties to remotely connect to the host for investigation or remediation purposes2. References: 2: Cybersecurity Resources | CrowdStrike

• Question 122:

  What is the purpose of a containment policy?

  A. To define which Falcon analysts can contain endpoints

  B. To define the duration of Network Containment

  C. To define the trigger under which a machine is put in Network Containment (e.g. a critical detection)

  D. To define allowed IP addresses over which your hosts will communicate when contained

  Correct Answer: D

  In the Containment Policy page have the title "Network traffic allowlist" and it only allows to add IPs or CIDR networks to exclude in the moment of the isolation of any host, because it is a global policy, not allowing make distinctions between machines.

• Question 123:

  One of your development teams is working on code for a new enterprise application but Falcon continually flags the execution as a detection during testing. All development work is required to be stored on a file share in a folder called "devcode." What setting can you use to reduce false positives on this file path?

  A. USB Device Policy

  B. Firewall Rule Group

  C. Containment Policy

  D. Machine Learning Exclusions

  Correct Answer: D

  Continment Policy, is a allowlist of IPs and CIDR networks allowed in the moment of a host containtment. The Machine Learning Exclusions are the way to avoid the detections done it by Machine Learning based on files, so it is possible to exclude the detections for the requested folder with a GLOB expression.

• Question 124:

  Where in the console can you find a list of all hosts in your environment that are in Reduced Functionality Mode (RFM)?

  A. Host Dashboard

  B. Host Management > Filter for RFM

  C. Inactive Sensor Report

  D. Containment Policy

  Correct Answer: B

  The place in the console where you can find a list of all hosts in your environment that are in Reduced Functionality Mode (RFM) is Host Management > Filter for RFM. The Host Management page allows you to view and manage all hosts in your environment that have Falcon sensors installed. You can use the filter bar to filter hosts by various attributes, such as status, platform, type, or group. You can also filter hosts by health events, such as RFM, which is a mode that limits the sensor's functionality due to license expiration, network connectivity loss, or certificate validation failure. By filtering for RFM, you can see a list of all hosts that are in this mode1. References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

• Question 125:

  When creating a custom IOA for a specific domain, which syntax would be best for detecting or preventing on all subdomains as well?

  A. *\.baddomain\.xyz|baddomain\. xyz

  B. *baddomain\. xyz|baddomain\. xyz. *

  C. Custom IOA rules cannot be created for domains

  D. **baddomain\. xyz|baddomain\. xyz**

  Correct Answer: A

  The syntax that would be best for detecting or preventing on all subdomains as well is *.baddomain.xyz|baddomain. xyz. This syntax will match any domain that ends with .baddomain.xyz or is exactly baddomain.xyz. The * wildcard will match any characters before the dot, and the | operator will match either side of the expression. This syntax can be used in a Custom IOC or a Custom IOA rule to detect or prevent network connections to malicious domains1. References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

• Question 126:

  What model is used to create workflows that would allow you to create custom notifications based on particular events which occur in the Falcon platform?

  A. For - While statement(s)

  B. Trigger, condition(s) and action(s)

  C. Event trigger(s)

  D. Predefined workflow template(s)

  Correct Answer: B

  The model that is used to create workflows that would allow you to create custom notifications based on particular events which occur in the Falcon platform is trigger, condition(s) and action(s). This model allows you to specify what event will trigger the workflow, what condition(s) must be met for the workflow to execute, and what action(s) will be performed by the workflow. The other options are either incorrect or not related to creating workflows. Reference: CrowdStrike Falcon User Guide, page 56.

• Question 127:

  Which port and protocol does the sensor use to communicate with the CrowdStrike Cloud?

  A. TCP port 22 (SSH)

  B. TCP port 443 (HTTPS)

  C. TCP port 80 (HTTP)

  D. TCP UDP port 53 (DNS)

  Correct Answer: B

  The sensor uses TCP port 443 (HTTPS) to communicate with the CrowdStrike Cloud. This port and protocol are used to securely send and receive data between the sensor and the cloud, such as detections, policies, updates, commands, etc. The other options are either incorrect or not used by the sensor. Reference: CrowdStrike Falcon User Guide, page 28.

• Question 128:

  How do you assign a policy to a specific group of hosts?

  A. Create a group containing the desired hosts using "Static Assignment." Go to the Assigned Host Groups tab of the desired policy and dick "Add groups to policy." Select the desired Group(s).

  B. Assign a tag to the desired hosts in Host Management. Create a group with an assignment rule based on that tag. Go to the Assignment tab of the desired policy and click "Add Groups to Policy." Select the desired Group(s).

  C. Create a group containing the desired hosts using "Dynamic Assignment." Go to the Assigned Host Groups tab of the desired policy and select criteria such as OU, OS, Hostname pattern, etc.

  D. On the Assignment tab of the desired policy, select "Static" assignment. From the next window, select the desired hosts (using fitters if needed) and click Add.

  Correct Answer: A

  The administrator can assign a policy to a specific group of hosts by creating a group containing the desired hosts using "Static Assignment." Then, go to the Assigned Host Groups tab of the desired policy and click "Add groups to policy." Select the desired Group(s). This will apply the policy to the selected group(s) of hosts. The other options are either incorrect or not applicable to static assignment. Reference: [CrowdStrike Falcon User Guide], page 33.

• Question 129:

  What is the function of a single asterisk (*) in an ML exclusion pattern?

  A. The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path

  B. The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path

  C. The single asterisk is the insertion point for the variable list that follows the path

  D. The single asterisk is only used to start an expression, and it represents the drive letter

  Correct Answer: B

  Reference: https://docs.microsoft.com/en-us/azure/machine-learning

  The asterisk is a wildcard character that can be used in exclusion patterns to match any number of characters. However, it does not match separator characters, such as \ or /, which are used to separate portions of a file path. For example, the pattern C:\Windows\*\*.exe will match any executable file in any subfolder of the Windows folder, but not in the Windows folder itself.

  Reference: Falcon Administrator Learning Path | Infographic | CrowdStrike

• Question 130:

  Which statement is TRUE regarding disabling detections on a host?

  A. Hosts with detections disabled will not alert on blocklisted hashes or machine learning detections, but will still alert on lOA-based detections. It will remain that way until detections are enabled again

  B. Hosts with detections disabled will not alert on anything until detections are enabled again

  C. Hosts with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed

  D. Hosts cannot have their detections disabled individually

  Correct Answer: B

  The statement that is true regarding disabling detections on a host is that hosts with detections disabled will not alert on anything until detections are enabled again. As explained in question 127, disabling detections for a host will stop the sensor from sending any detection or prevention events to the Falcon console, and remove any existing events for that host from the console. This means that the host will not alert on anything, including blocklisted hashes, machine learning detections, or indicator of attack (IOA)- based detections. The host will remain in this state until detections are enabled again1. References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike