[Nov-2023] CCFA-200 Free Sample Questions to Practice One Year Update [Q66-Q84]

Share

[Nov-2023] CCFA-200 Free Sample Questions to Practice One Year Update

Download CCFA-200 exam with CrowdStrike CCFA-200 Real Exam Questions


CrowdStrike CCFA-200 (CrowdStrike Certified Falcon Administrator) exam is a certification program designed for IT professionals who want to validate their skills and expertise in managing and administering the CrowdStrike Falcon platform. CrowdStrike is a leading provider of cloud-based endpoint protection, threat intelligence, and incident response services. The CCFA-200 exam is a comprehensive test that covers a wide range of topics, including Falcon platform administration, agent deployment and management, incident response, and threat hunting.

 

NEW QUESTION # 66
To enhance your security, you want to detect and block based on a list of domains and IP addresses. How can you use IOC management to help this objective?

  • A. Using IOC management, import the list of hashes and IP addresses and set the action to Detect Only
  • B. Blocking of Domains and IP addresses is not a function of IOC management. A Custom IOA Rule should be used instead
  • C. Using IOC management, import the list of hashes and IP addresses and set the action to Prevent/Block
  • D. Using IOC management, import the list of hashes and IP addresses and set the action to No Action

Answer: B

Explanation:
Explanation
IOC management only allows "Detect only" and "No Action" among the possible actions. Therefore, it cannot be used to block based on IPs or domains. Custom IOA Rule groups allow to create rule types based on Network Connection (configuring a remote IP address) and domains, and gives the options to "Monitor",
"Detect" and "Kill Process", being the late one the closest to "block".


NEW QUESTION # 67
What impact does disabling detections on a host have on an API?

  • A. DetectionSummaryEvent stops sending to the Streaming API for that host
  • B. Endpoints cannot have their detections disabled individually
  • C. Endpoints with detections disabled will not alert on anything until detections are enabled again
  • D. Endpoints with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed

Answer: D


NEW QUESTION # 68
You have a new patch server that should be reachable while hosts in your environment are network contained.
The server's IP address is static and does not change. Which of the following is the best approach to updating the Containment Policy to allow this?

  • A. Add an allowlist entry containing CIDR notation for the /24 network the server belongs to
  • B. Add an allowlist entry for the individual server's MAC address
  • C. Add an allowlist entry containing the host group that the server belongs to
  • D. Add an allowlist entry for the individual server's IP address

Answer: D

Explanation:
Explanation
The best approach to updating the Containment Policy to allow a new patch server that should be reachable while hosts in your environment are network contained is to add an allowlist entry for the individual server's IP address. An allowlist entry allows you to define a list of trusted IP addresses that can communicate with your contained hosts. This way, you can isolate a host from the network while still allowing it to access essential resources or services, such as a patch server. If the server's IP address is static and does not change, adding an individual IP address is more precise and secure than adding a host group or a network range2.
References: 2: Cybersecurity Resources | CrowdStrike


NEW QUESTION # 69
Which is a filter within the Host setup and management > Host management page?

  • A. BIOS Version
  • B. Locality
  • C. User name
  • D. OU

Answer: D

Explanation:
Explanation
OU (organizational unit) is a filter within the Host setup and management > Host management page. The Host management page allows you to view and manage all the hosts in your environment that have Falcon sensors installed. You can filter the hosts by hostname, group, OS version, sensor version, last seen date, health events, detections, and preventions. You can also filter by OU, which is a logical grouping of hosts based on their Active Directory domain structure1.
References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike


NEW QUESTION # 70
Which option best describes the general process Whereinstallation of the Falcon Sensor on MacOS?

  • A. Install the Falcon package, use falconctl to license the sensor, approve the system extension, grant the sensor Full Disk Access
  • B. Grant the Falcon Package Full Disk Access, install the Falcon package, use falconctl to license the sensor
  • C. Install the Falcon package passing it the installation token in the command line
  • D. Grant the Falcon Package Full Disk Access, install the Falcon package, load the Falcon Sensor with the command 'falconctl stats'

Answer: A

Explanation:
Explanation
The option that best describes the general process for installation of the Falcon Sensor on MacOS is to install the Falcon package, use falconctl to license the sensor, approve the system extension, grant the sensor Full Disk Access. The Falcon package contains the sensor binary and the kernel extension, which can be installed by double-clicking on it or using a command-line tool such as installer. The falconctl tool is a command-line utility that allows you to configure and manage the sensor on MacOS systems. You can use falconctl to license the sensor by providing your Customer ID (CID) and optionally your Sensor Group ID (SGID). After licensing the sensor, you need to approve the system extension in the Security & Privacy settings of your system preferences, which will require a restart. Finally, you need to grant the sensor Full Disk Access in the Privacy settings of your system preferences, which will allow the sensor to monitor and protect your files and folders1.
References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike


NEW QUESTION # 71
What information is provided in Logan Activities under Visibility Reports?

  • A. A list of unique users who are remotely logged on to devices based on the country
  • B. A list of users who are remotely logged on to devices based on local IP and local port
  • C. A list of all logons for all users
  • D. A list of last endpoints that a user logged in to

Answer: D


NEW QUESTION # 72
You notice there are multiple Windows hosts in Reduced functionality mode (RFM). What is the most likely culprit causing these hosts to be in RFM?

  • A. A Sensor Update Policy was misconfigured
  • B. A host was placed in network containment from a detection
  • C. A host was offline for more than 24 hours
  • D. A patch was pushed overnight to all Windows systems

Answer: D


NEW QUESTION # 73
When creating a Host Group for all Workstations in an environment, what is the best method to ensure all workstation hosts are added to the group?

  • A. Create a Static Group with Type=Workstation Assignment
  • B. Create a Dynamic Group with Type=Workstation Assignment
  • C. Create a Dynamic Group and Import All Workstations
  • D. Create a Static Group and Import all Workstations

Answer: B


NEW QUESTION # 74
Which report lists counts of sensors in Reduced Functionality Mode (RFM) for all operating system types, and tracks how long a sensor version will be supported?

  • A. Reduce Functionality Audit Report
  • B. Inactive Sensor Report
  • C. Sensor Health Report
  • D. Sensor Coverage Lookup

Answer: D

Explanation:
Explanation
The report that lists counts of sensors in Reduced Functionality Mode (RFM) for all operating system types, and tracks how long a sensor version will be supported is Sensor Coverage Lookup. The Sensor Coverage Lookup report allows you to view and compare the sensor versions and coverage status for each operating system type in your environment. You can use this report to identify any sensors that are in RFM or are approaching end-of-life (EOL) support. You can also view the release date and EOL date for each sensor version3.
References: 3: How to Become a CrowdStrike Certified Falcon Administrator


NEW QUESTION # 75
You want the Falcon Cloud to push out sensor version changes but you also want to manually control when the sensor version is upgraded or downgraded. In the Sensor Update policy, which is the best Sensor version option to achieve these requirements?

  • A. Auto - TEST-QA
  • B. Auto - N-1
  • C. Specific sensor version number
  • D. Sensor version updates off

Answer: C


NEW QUESTION # 76
You have been provided with a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers. They have asked you to ensure that they are not allowed to run in your environment. You have chosen to use Falcon to do this. Which is the best way to accomplish this?

  • A. Using IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking.
  • B. Using the API, gather the list of SHA256 or MD5 hashes for each binary and then upload them, setting them all to "Never Allow"
  • C. Using Custom Alerts in the Investigate App, create a new alert using the template "Process Execution" and within that rule, select the option to "Block Execution"
  • D. Using the Support Portal, create a support ticket and include the list of binary hashes, asking support to create an "Execution Prevention" rule to prevent these processes from running

Answer: A

Explanation:
Explanation
The best way to ensure that a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers are not allowed to run in your environment is to use IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking. This will allow Falcon to block the execution of these hashes on the hosts using this policy. The other options are either incorrect or not efficient to achieve this goal. Reference: [CrowdStrike Falcon User Guide], page 44.


NEW QUESTION # 77
The Falcon sensor uses certificate pinning to defend against man-in-the-middle attacks. Which statement is TRUE concerning Falcon sensor certificate validation?

  • A. Common sources of interference with certificate pinning include protocol race conditions and resource contention
  • B. SSL inspection should be configured to occur on all Falcon traffic
  • C. HTTPS interception should be enabled to proceed with certificate validation
  • D. Some network configurations, such as deep packet inspection, interfere with certificate validation

Answer: D


NEW QUESTION # 78
How does the Unique Hosts Connecting to Countries Map help an administrator?

  • A. It displays intrusions from foreign countries
  • B. It highlights countries with known malware
  • C. It helps visualize global network communication
  • D. It identifies connections containing threats

Answer: C


NEW QUESTION # 79
What is the name for the unique host identifier in Falcon assigned to each sensor during sensor installation?

  • A. Security ID (SID)
  • B. Computer ID (CID)
  • C. Endpoint ID (EID)
  • D. Agent ID (AID)

Answer: D

Explanation:
Explanation
The name for the unique host identifier in Falcon assigned to each sensor during sensor installation is Agent ID (AID). The AID is a 32-character hexadecimal string that uniquely identifies each sensor and host in the Falcon platform. The other options are either incorrect or not related to the sensor identifier.
Reference: CrowdStrike Falcon User Guide, page 28.


NEW QUESTION # 80
Which statement describes what is recommended for the Default Sensor Update policy?

  • A. No configuration is required. Once a Custom Sensor Update policy is created the Default Sensor Update policy is disabled
  • B. The Default Sensor Update policy should align to an organization's overall sensor updating practice while leveraging Auto N-1 and Auto N-2 configurations where possible
  • C. The Default Sensor Update should be configured to always automatically upgrade to the latest sensor version
  • D. Since the Default Sensor Update policy is pre-configured with recommend settings out of the box, configuration of the Default Sensor Update policy is not required

Answer: B

Explanation:
Explanation
The statement that describes what is recommended for the Default Sensor Update policy is that the Default Sensor Update policy should align to an organization's overall sensor updating practice while leveraging Auto N-1 and Auto N-2 configurations where possible. As explained in question 139, the Default Sensor Update policy is a "catch-all" policy that applies to any host that is not assigned to a specific Sensor Update policy.
Therefore, it is recommended that the Default Sensor Update policy should align to your organization's overall sensor updating practice, such as how frequently and how quickly you want to update your sensors. It is also recommended that you leverage the Auto N-1 and Auto N-2 configurations, which allow you to automatically update your sensors to the latest or second-latest sensor version without requiring manual intervention1.
References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike


NEW QUESTION # 81
A sensor that has not contacted the Falcon cloud will be automatically deleted from the hosts list after how many days?

  • A. 45 Days
  • B. 90 Days
  • C. 30 Days
  • D. 60 Days

Answer: B

Explanation:
Explanation
A sensor that has not contacted the Falcon cloud will be automatically deleted from the hosts list after 90 days.
A sensor that has not contacted the Falcon cloud for more than seven days is considered inactive and will be moved from the Host Management page to the Trash page. An inactive sensor will remain in the Trash page for 90 days before being permanently deleted from the Falcon platform. You can restore an inactive sensor from the Trash page if it contacts the Falcon cloud again within 90 days.
References: : [Falcon Administrator Learning Path | Infographic | CrowdStrike]


NEW QUESTION # 82
Which of the following best describes the Default Sensor Update policy?

  • A. The Default Sensor Update policy is disabled by default
  • B. The Default Sensor Update policy is a "catch-all" policy
  • C. The Default Sensor Update policy does not have the "Uninstall and maintenance protection" feature
  • D. The Default Sensor Update policy is only used for testing sensor updates

Answer: B

Explanation:
Explanation
The Default Sensor Update policy is a "catch-all" policy. This means that any host that is not assigned to a specific sensor update policy will inherit the settings from the Default Sensor Update policy. The Default Sensor Update policy is enabled by default and has the "Uninstall and maintenance protection" feature turned on. You can modify the settings of the Default Sensor Update policy, but you cannot delete or disable it2.
References: 2: Cybersecurity Resources | CrowdStrike


NEW QUESTION # 83
What information is provided in Logan Activities under Visibility Reports?

  • A. A list of unique users who are remotely logged on to devices based on the country
  • B. A list of users who are remotely logged on to devices based on local IP and local port
  • C. A list of all logons for all users
  • D. A list of last endpoints that a user logged in to

Answer: D

Explanation:
Explanation
The Logon Activities report under Visibility Reports provides a list of last endpoints that a user logged in to.
This report shows the user name, domain name, logon type, logon time and endpoint name for each logon event. The other options are either incorrect or not related to the report. Reference: [CrowdStrike Falcon User Guide], page 50.


NEW QUESTION # 84
......

Real exam questions are provided for CrowdStrike Certified Falcon Administrator tests, which can make sure you 100% pass: https://www.troytecdumps.com/CCFA-200-troytec-exam-dumps.html

CCFA-200 Exam with Guarantee Updated 152 Questions: https://drive.google.com/open?id=1FcQTrUgvq9m1w3QnldaQT7iCXofvEknh