Ccfapdf

This document provides sample questions and answers to prepare for the CrowdStrike Certified Falcon Administrator (CCFA-200) exam. It includes 10 multiple choice questions covering topics like machine learning exclusions, IOC management, response policies, and user roles. The document also advertises additional exam preparation materials for purchase.

Uploaded by ivan garcia

CrowdStrike CCFA-200

CrowdStrike Certified Falcon Administrator

CrowdStrike CCFA-200 Dumps Available Here at:
https://www.certification-questions.com/crowdstrike-exam/ccfa-200-dumps.html

Enrolling now you will get access to 96 questions in a unique set of CCFA-200 dumps

Question 1
What is the function of a single asterisk (*) in an ML exclusion pattern?

Options:

A. The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path

B. The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path

C. The single asterisk is the insertion point for the variable list that follows the path

D. The single asterisk is only used to start an expression, and it represents the drive letter

Answer: B

Explanation:
Reference: https://docs.microsoft.com/en-us/azure/machine-learning

Question 2
You have determined that you have numerous Machine Learning detections in your environment
that are false positives. They are caused by a single binary that was custom written by a vendor for
you and that binary is running on many endpoints. What is the best way to prevent these in the
future?

Options:

A. Contact support and request that they modify the Machine Learning settings to no longer include this detection

B. Using IOC Management, add the hash of the binary in question and set the action to "Allow"

C. Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"

D. Using IOC Management, add the hash of the binary in question and set the action to "No Action"

Answer: B

Question 3
What is the purpose of a containment policy?

Options:

A. To define which Falcon analysts can contain endpoints

B. To define the duration of Network Containment

C. To define the trigger under which a machine is put in Network Containment (e.g. a critical detection)

D. To define allowed IP addresses over which your hosts will communicate when contained

Answer: C

Question 4
An administrator creating an exclusion is limited to applying a rule to how many groups of hosts?

Options:

A. File exclusions are not aligned to groups or hosts

B. There is a limit of three groups of hosts applied to any exclusion

C. There is no limit and exclusions can be applied to any or all groups

D. Each exclusion can be aligned to only one group of hosts

Answer: B

Question 5
Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to
Host" feature to gather additional information which is only available on the host. Which role do you
need added to your user account to have this capability?

Options:

A. Real Time Responder

B. Endpoint Manager

C. Falcon Investigator

D. Remediation Manager

Answer: C

Question 6
What must an admin do to reset a user's password?

Options:

A. From User Management, open the account details for the affected user and select "Generate New Password"

B. From User Management, select "Reset Password" from the three dot menu for the affected user account

C. From User Management, select "Update Account" and manually create a new password for the affected user account

D. From User Management, the administrator must rebuild the account as the certificate for user specific private/public key generation is no longer valid

Answer: B

Question 7
Your organization has a set of servers that are not allowed to be accessed remotely, including via Real
Time Response (RTR). You already have these servers in their own Falcon host group. What is the
next step to disable RTR only on these hosts?

Options:

A. Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group

B. Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"

C. Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group

D. Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality"

Answer: C

Question 8
When creating new IOCs in IOC management, which of the following fields must be configured?

Options:

A. Hash, Description, Filename

B. Hash, Action and Expiry Date

C. Filename, Severity and Expiry Date

D. Hash, Platform and Action

Answer: D

Question 9
Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents
locally on compromised hosts, but without the ability to take them off the host. What is the most
appropriate role that can be added to fulfil this requirement?

Options:

A. Remediation Manager

B. Real Time Responder – Read Only Analyst

C. Falcon Analyst – Read Only

D. Real Time Responder – Active Responder

Answer: C

Question 10
One of your development teams is working on code for a new enterprise application but Falcon
continually flags the execution as a detection during testing. All development work is required to be
stored on a file share in a folder called "devcode." What setting can you use to reduce false positives
on this file path?

Options:

A. USB Device Policy

B. Firewall Rule Group

C. Containment Policy

D. Machine Learning Exclusions

Answer: C

Would you like to see more? Don't miss our CCFA-200 PDF file at:
https://www.certification-questions.com/crowdstrike-pdf/ccfa-200-pdf.html