CrowdStrike CrowdStrike Certifications CCFA-200 Questions & Answers

• Question 131:

  What must an admin do to reset a user's password?

  A. From User Management, open the account details for the affected user and select "Generate New Password"

  B. From User Management, select "Reset Password" from the three dot menu for the affected user account

  C. From User Management, select "Update Account" and manually create a new password for the affected user account

  D. From User Management, the administrator must rebuild the account as the certificate for user specific private/public key generation is no longer valid

  Correct Answer: B

  The administrator can reset a user's password by selecting "Reset Password" from the three dot menu for the affected user account in the User Management page. This will generate a new password and send it to the user's email address. The other options are either incorrect or not available. Reference: CrowdStrike Falcon User Guide, page 25.

• Question 132:

  How many "Auto" sensor version update options are available for Windows Sensor Update Policies?

  A. 1

  B. 2

  C. 0

  D. 3

  Correct Answer: D

  There are three "Auto" sensor version update options available for Windows Sensor Update Policies: Auto - N-1, Auto - TEST-QA and Auto - Latest. These options allow the administrator to automatically update the sensor version to the

  previous stable version, the latest test version or the latest stable version, respectively. Reference:

  [CrowdStrike Falcon User Guide], page 38.

• Question 133:

  What is the primary purpose of using glob syntax in an exclusion?

  A. To specify a Domain be excluded from detections

  B. To specify exclusion patterns to easily exclude files and folders and extensions from detections

  C. To specify exclusion patterns to easily add files and folders and extensions to be prevented

  D. To specify a network share be excluded from detections

  Correct Answer: B

  Glob syntax is used to specify exclusion patterns to easily exclude files and folders and extensions from detections. Glob syntax allows you to use wildcards (*) and ranges ([a-z]) to match multiple characters or values in a file path or name.

  For example, you can use glob syntax to exclude all files with .exe extension in a folder by using

  C:\Folder*.exe as an exclusion pattern2.

  References: 2: Cybersecurity Resources | CrowdStrike

• Question 134:

  You notice there are multiple Windows hosts in Reduced functionality mode (RFM). What is the most likely culprit causing these hosts to be in RFM?

  A. A Sensor Update Policy was misconfigured

  B. A host was offline for more than 24 hours

  C. A patch was pushed overnight to all Windows systems

  D. A host was placed in network containment from a detection

  Correct Answer: C

  The most likely culprit causing multiple Windows hosts to be in Reduced Functionality Mode (RFM) is a patch that was pushed overnight to all Windows systems. RFM occurs when the sensor detects a change in the operating system that requires a reboot to complete. A patch is one of the common causes of such a change. The other options are either incorrect or not related to RFM. Reference: CrowdStrike Falcon User Guide, page 30.

• Question 135:

  Why would you assign hosts to a static group instead of a dynamic group?

  A. You do not want the group membership to change automatically

  B. You are managing more than 1000 hosts

  C. You need hosts to be automatically assigned to a group

  D. You want the group to contain hosts from multiple operating systems

  Correct Answer: A

  The reason why you would assign hosts to a static group instead of a dynamic group is that you do not want the group membership to change automatically. A Static Group is a group that requires manual assignment or removal of hosts. A Static Group will not update its membership based on any criteria or filters. This way, you can have more control over which hosts belong to the group and prevent any unwanted changes1. References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

• Question 136:

  You want to create a detection-only policy. How do you set this up in your policy's settings?

  A. Enable the detection sliders and disable the prevention sliders. Then ensure that Next Gen Antivirus is enabled so it will disable Windows Defender.

  B. Select the "Detect-Only" template. Disable hash blocking and exclusions.

  C. You can't create a policy that detects but does not prevent. Use Custom IOA rules to detect.

  D. Set the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled. Do not activate any of the other blocking or malware prevention options.

  Correct Answer: D

  The administrator can create a detection-only policy by setting the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled in the policy's settings. This will allow Falcon to detect but not prevent threats on the hosts using this policy. Do not activate any of the other blocking or malware prevention options, as they will enable prevention actions. The other options are either incorrect or not related to creating a detection-only policy. Reference: [CrowdStrike Falcon User Guide], page 35.

• Question 137:

  How many days will an inactive host remain visible within the Host Management or Trash pages?

  A. 45 days

  B. 15 days

  C. 90 days

  D. 120 days

  Correct Answer: C

  An inactive host will remain visible within the Host Management or Trash pages for 90 days. An inactive host is a host that has not communicated with the Falcon platform for more than seven days. An inactive host will be moved from the Host Management page to the Trash page after seven days of inactivity. An inactive host will remain in the Trash page for 90 days before being permanently deleted from the Falcon platform. You can restore an inactive host from the Trash page if it becomes active again within 90 days1. References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

• Question 138:

  What is the purpose of using groups with Sensor Update policies in CrowdStrike Falcon?

  A. To group hosts with others in the same business unit

  B. To group hosts according to the order in which Falcon was installed, so that updates are installed in the same order every time

  C. To prioritize the order in which Falcon updates are installed, so that updates are not installed all at once leading to network congestion

  D. To allow the controlled assignment of sensor versions onto specific hosts

  Correct Answer: D

  The purpose of using groups with Sensor Update policies in CrowdStrike Falcon is to allow the controlled assignment of sensor versions onto specific hosts. This allows users to manage the sensor updates for different hosts based on their needs and preferences, such as testing, staging or production. The other options are either incorrect or not related to using groups with Sensor Update policies. Reference: [CrowdStrike Falcon User Guide], page 38.

• Question 139:

  What is the name for the unique host identifier in Falcon assigned to each sensor during sensor installation?

  A. Endpoint ID (EID)

  B. Agent ID (AID)

  C. Security ID (SID)

  D. Computer ID (CID)

  Correct Answer: B

  The name for the unique host identifier in Falcon assigned to each sensor during sensor installation is Agent ID (AID). The AID is a 32-character hexadecimal string that uniquely identifies each sensor and host in the Falcon platform. The other options are either incorrect or not related to the sensor identifier. Reference: CrowdStrike Falcon User Guide, page 28.

• Question 140:

  Which of the following is TRUE regarding disabling detections for a host?

  A. After disabling detections, the host will operate in Reduced Functionality Mode (RFM) until detections are enabled

  B. After disabling detections, the data for all existing detections prior to disabling detections is removed from the Event Search

  C. The DetectionSummaryEvent continues being sent to the Streaming API for that host

  D. The detections for that host are removed from the console immediately. No new detections will display in the console going forward unless detections are enabled

  Correct Answer: D

  The option that is true regarding disabling detections for a host is that the detections for that host are removed from the console immediately. No new detections will display in the console going forward unless detections are enabled. This option is essentially a repetition of question 127 and its answer. Disabling detections for a host will remove any existing detections for that host from the console and prevent any new detections from appearing in the console until detections are enabled again1. References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike