CrowdStrike CCFA-200 Exam Practice Test Instant Access

Question 1

With Custom Alerts, it is possible to __________.

Aschedule the alert to run at any interval

Breceive an alert in an email

Cconfigure prevention actions for alerting

Dbe alerted to activity in real-time

Answer : B

The reporting interval is predefined and cannot be changed. You can only enable/disable the custom alert feature and add/remove recipient email client for the alert/detection.

Question 2

Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?

AReal Time Responder

BEndpoint Manager

CFalcon Investigator

DRemediation Manager

Answer : A

The Real Time Responder role allows users to use the ''Connect to Host'' feature to gather additional information from the host, such as running processes, registry keys, files, etc. The other roles do not have this capability. Reference:CrowdStrike Falcon User Guide, page 18.

Question 3

When a host is placed in Network Containment, which of the following is TRUE?

AThe host machine is unable to send or receive network traffic outside of the local network

BThe host machine is unable to send or receive network traffic except to/from the Falcon Cloud and traffic allowed in the Firewall Policy

CThe host machine is unable to send or receive any network traffic

DThe host machine is unable to send or receive network traffic except to/from the Falcon Cloud and any resources allowlisted in the Containment Policy

Answer : D

When a host is placed in Network Containment, the host machine is unable to send or receive network traffic except to/from the Falcon Cloud and any resources allowlisted in the Containment Policy. This allows users to isolate a host from the network, while still allowing it to communicate with the Falcon Cloud and other essential services. The other options are either incorrect or not true of Network Containment. Reference:CrowdStrike Falcon User Guide, page 40.

Question 4

How many "Auto" sensor version update options are available for Windows Sensor Update Policies?

Answer : D

There are three ''Auto'' sensor version update options available for Windows Sensor Update Policies: Auto - N-1, Auto - TEST-QA and Auto - Latest. These options allow the administrator to automatically update the sensor version to the previous stable version, the latest test version or the latest stable version, respectively. Reference: [CrowdStrike Falcon User Guide], page 38.

Question 5

Which of the following options is a feature found ONLY with the Sensor-based Machine Learning (ML)?

ANext-Gen Antivirus (NGAV) protection

BAdware and Potentially Unwanted Program detection and prevention

CReal-time offline protection

DIdentification and analysis of unknown executables

Answer : D

According to documentation (documentation/detections/technique/sensor-based-ml-cst0007): CrowdStrike sensor-based machine learning (ML) identifies and analyzes unknown executables as they run on hosts. This technique is triggered by files and file attributes associated with known malware. This is similar to the [Cloud-based ML](/support/documentation/detections/technique/cloud-based-ml) technique. Cloud-based ML is informed by global analysis of executables that classifies and identifies malware. The key difference is that it doesn't run on hosts when they're offline.

Question 6

You want to create a detection-only policy. How do you set this up in your policy's settings?

AEnable the detection sliders and disable the prevention sliders. Then ensure that Next Gen Antivirus is enabled so it will disable Windows Defender.

BSelect the 'Detect-Only' template. Disable hash blocking and exclusions.

CYou can't create a policy that detects but does not prevent. Use Custom IOA rules to detect.

DSet the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled. Do not activate any of the other blocking or malware prevention options.

Answer : D

The administrator can create a detection-only policy by setting the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled in the policy's settings. This will allow Falcon to detect but not prevent threats on the hosts using this policy. Do not activate any of the other blocking or malware prevention options, as they will enable prevention actions. The other options are either incorrect or not related to creating a detection-only policy. Reference: [CrowdStrike Falcon User Guide], page 35.

Question 7

What statement is TRUE about managing a user's role?

AThe Administrator cannot re-use the account email for a new account

BYou must have Falcon MFA enabled first

CYou must be a Falcon Security Lead

DYou must be a Falcon Administrator

Answer : D

The statement that is true about managing a user's role is that you must be a Falcon Administrator. A Falcon Administrator is a role that has full access and control over all features and functions in Falcon, including user management. A Falcon Administrator can create, modify, delete, and assign roles to other users in Falcon.A Falcon Administrator can also re-use the account email for a new account, enable Falcon MFA (multi-factor authentication), and assign other roles such as Falcon Security Lead or Falcon Investigator2.

CrowdStrike Certified Falcon Administrator CCFA-200 Exam Practice Test