Which report lists counts of sensors in Reduced Functionality Mode (RFM) for all operating system types, and tracks how long a sensor version will be supported?
A. Reduce Functionality Audit Report
B. Sensor Health Report
C. Sensor Coverage Lookup
D. Inactive Sensor Report
Correct Answer: C
The report that lists counts of sensors in Reduced Functionality Mode (RFM) for all operating system types, and tracks how long a sensor version will be supported, is the Sensor Coverage Lookup. The Sensor Coverage Lookup report allows you to view and compare the sensor versions and coverage status for each operating system type in your environment. You can use this report to identify any sensors that are in RFM or are approaching end-of-life (EOL) support. You can also view the release date and EOL date for each sensor version [3].
References: 3: How to Become a CrowdStrike Certified Falcon Administrator
Question 82:
Which statement describes what is recommended for the Default Sensor Update policy?
A. The Default Sensor Update policy should align to an organization's overall sensor updating practice while leveraging Auto N-1 and Auto N-2 configurations where possible
B. The Default Sensor Update should be configured to always automatically upgrade to the latest sensor version
C. Since the Default Sensor Update policy is pre-configured with recommended settings out of the box, configuration of the Default Sensor Update policy is not required
D. No configuration is required. Once a Custom Sensor Update policy is created the Default Sensor Update policy is disabled
Correct Answer: A
The statement that describes what is recommended for the Default Sensor Update policy is that it should align to an organization's overall sensor updating practice while leveraging Auto N-1 and Auto N-2 configurations where possible. As explained in question 139, the Default Sensor Update policy is a "catchall" policy that applies to any host that is not assigned to a specific Sensor Update policy. Therefore, it is recommended that the Default Sensor Update policy align to your organization's overall sensor updating practice, such as how frequently and how quickly you want to update your sensors. It is also recommended that you leverage the Auto N-1 and Auto N-2 configurations, which automatically update your sensors to the latest or second-latest sensor version without requiring manual intervention [1]. References: 1: Falcon Administrator Learning Path | Infographic |
Question 83:
What three things does a workflow condition consist of?
A. A parameter, an operator, and a value
B. A beginning, a middle, and an end
C. Triggers, actions, and alerts
D. Notifications, alerts, and APIs
Correct Answer: A
A workflow condition consists of a parameter, an operator, and a value. A workflow condition is a rule that defines when a workflow should be triggered based on certain criteria or filters. A parameter is a variable or attribute that can be used to filter or match detection events, such as severity, tactic, or host group. An operator is a symbol or word that specifies how to compare or evaluate the parameter and the value, such as equals, contains, or greater than. A value is a constant or expression that provides the expected or desired result for the parameter, such as high, credential dumping, or default group [1]. References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 84:
Why is the ability to disable detections helpful?
A. It gives users the ability to set up hosts to test detections and later remove them from the console
B. It gives users the ability to uninstall the sensor from a host
C. It gives users the ability to allowlist a false positive detection
D. It gives users the ability to remove all data from hosts that have been uninstalled
Correct Answer: A
"Disable Detections. This is helpful for users who want to set up hosts to test detections in the Falcon console and who later want to remove those old test detections from the"
Question 85:
You have a new patch server that should be reachable while hosts in your environment are network contained. The server's IP address is static and does not change. Which of the following is the best approach to updating the Containment Policy to allow this?
A. Add an allowlist entry for the individual server's MAC address
B. Add an allowlist entry containing the host group that the server belongs to
C. Add an allowlist entry for the individual server's IP address
D. Add an allowlist entry containing CIDR notation for the /24 network the server belongs to
Correct Answer: C
The best approach to updating the Containment Policy to allow a new patch server that should be reachable while hosts in your environment are network contained is to add an allowlist entry for the individual server's IP address. An allowlist entry allows you to define a list of trusted IP addresses that can communicate with your contained hosts. This way, you can isolate a host from the network while still allowing it to access essential resources or services, such as a patch server. If the server's IP address is static and does not change, adding an individual IP address is more precise and secure than adding a host group or a network range [2].
Question 86:
What impact does disabling detections on a host have on an API?
A. Endpoints with detections disabled will not alert on anything until detections are enabled again
B. Endpoints cannot have their detections disabled individually
C. DetectionSummaryEvent stops sending to the Streaming API for that host
D. Endpoints with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed
Correct Answer: C
Disabling detections on a host will stop the DetectionSummaryEvent from being sent to the Streaming API for that host. This means that the host will not send any detection events to the Streaming API, which is used to stream data from the Falcon Cloud to external applications or systems. The other options are either incorrect or not related to disabling detections on a host. Reference: [CrowdStrike Falcon User Guide], page 32.
Question 87:
When editing an existing IOA exclusion, what can NOT be edited?
A. The IOA name
B. All parts of the exclusion can be changed
C. The exclusion name
D. The host groups
Correct Answer: A
When editing an existing IOA exclusion, the IOA name cannot be edited. An IOA (indicator of attack) exclusion allows you to define custom rules for excluding suspicious behavior from detection or prevention based on process execution, file write, network connection, or registry events. The IOA name is a predefined name that identifies the type of IOA behavior that you want to exclude, such as "Suspicious Process Execution - Script Interpreter Executing File". The IOA name cannot be changed when editing an existing IOA exclusion, as it is linked to a specific IOA rule in the Falcon platform. However, you can edit other parts of the IOA exclusion, such as the exclusion name, the host groups, and the filter criteria [2]. References: 2: Cybersecurity Resources | CrowdStrike
Question 88:
Why do Sensor Update policies need to be configured for each OS (Windows, Mac, Linux)?
A. To bundle the Sensor and Prevention policies together into a deployment package
B. Sensor Update policies are OS dependent
C. To assist with auditing and change management
D. This is false. One policy can be applied to all Operating Systems
Correct Answer: B
Sensor Update policies need to be configured for each OS (Windows, Mac, Linux) because Sensor Update policies are OS dependent. A Sensor Update policy is a policy that controls how and when the Falcon sensor is updated on a host. Sensor Update policies are specific to each operating system type, as different operating systems have different sensor versions, features, and requirements. Therefore, you need to create and assign separate Sensor Update policies for
Question 89:
You have been asked to troubleshoot why Script Based Execution Monitoring (SBEM) is not enabled on a Falcon host. Which report can be used to determine if this is an issue with an old prevention policy?
A. Host Update Status Report
B. Custom Alerting Audit Trail
C. Prevention Policy Debug
D. SBEM Debug Report
Correct Answer: C
The report that can be used to determine whether Script Based Execution Monitoring (SBEM) is not enabled on a Falcon host because of an old prevention policy is Prevention Policy Debug. The Prevention Policy Debug report allows you to view and compare the prevention policy settings applied to each host in your environment. You can use this report to identify any hosts that have outdated or inconsistent prevention policy settings, such as SBEM, which is a feature that monitors and prevents malicious script execution on Windows systems [1]. References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike
Question 90:
You have created a Sensor Update Policy for the Mac platform. Which other operating system(s) will this policy manage?
A. *nix
B. Windows
C. Both Windows and *nix
D. Only Mac
Correct Answer: D
A Sensor Update Policy for the Mac platform will only manage Mac operating systems. Sensor Update Policies are platform-specific, meaning that they only apply to hosts that have the same operating system as the policy. For example, a Sensor Update Policy for Windows will only manage Windows hosts, and a Sensor Update Policy for Linux will only manage Linux hosts. You cannot create a Sensor Update Policy that manages multiple operating systems at once [2]. References: 2: Cybersecurity Resources | CrowdStrike