CrowdStrike CCFA-200b Exam Questions Instant Access

Question 1

Where in the Falcon console can information about supported operating system versions be found?

AConfiguration module

BIntelligence module

CSupport module

DDiscover module

Answer : C

Information about supported operating system versions can be found in the Support module in the Falcon console. This module provides access to various support resources, such as documentation, downloads, FAQs, release notes and system status. One of the documents available in this module is the CrowdStrike Sensor Compatibility List, which lists the supported operating system versions for each sensor type and platform. The other options are either incorrect or not related to finding information about supported operating system versions. Reference:CrowdStrike Falcon User Guide, page 26.

Question 2

Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?

AReal Time Responder

BEndpoint Manager

CFalcon Investigator

DRemediation Manager

Answer : A

The Real Time Responder role allows users to use the ''Connect to Host'' feature to gather additional information from the host, such as running processes, registry keys, files, etc. The other roles do not have this capability. Reference:CrowdStrike Falcon User Guide, page 18.

Question 3

What model is used to create workflows that would allow you to create custom notifications based on particular events which occur in the Falcon platform?

AFor - While statement(s)

BTrigger, condition(s) and action(s)

CEvent trigger(s)

DPredefined workflow template(s)

Answer : B

The model that is used to create workflows that would allow you to create custom notifications based on particular events which occur in the Falcon platform is trigger, condition(s) and action(s). This model allows you to specify what event will trigger the workflow, what condition(s) must be met for the workflow to execute, and what action(s) will be performed by the workflow. The other options are either incorrect or not related to creating workflows. Reference:CrowdStrike Falcon User Guide, page 56.

Question 4

How can a Falcon Administrator configure a pop-up message to be displayed on a host when the Falcon sensor blocks, kills or quarantines an activity?

ABy ensuring each user has set the 'pop-ups allowed' in their User Profile configuration page

BBy enabling 'Upload quarantined files' in the General Settings configuration page

CBy turning on the 'Notify End Users' setting at the top of the Prevention policy details configuration page

DBy selecting 'Enable pop-up messages' from the User configuration page

Answer : C

A Falcon Administrator can configure a pop-up message to be displayed on a host when the Falcon sensor blocks, kills or quarantines an activity by turning on the ''Notify End Users'' setting at the top of the Prevention policy details configuration page. This setting allows users to enable or disable end user notifications for prevention actions taken by Falcon on Windows hosts. The other options are either incorrect or not related to configuring pop-up messages. Reference:CrowdStrike Falcon User Guide, page 36.

Question 5

Where in the console can you find a list of all hosts in your environment that are in Reduced Functionality Mode (RFM)?

AHost Dashboard

BHost Management > Filter for RFM

CInactive Sensor Report

DContainment Policy

Answer : B

The place in the console where you can find a list of all hosts in your environment that are in Reduced Functionality Mode (RFM) is Host Management > Filter for RFM. The Host Management page allows you to view and manage all hosts in your environment that have Falcon sensors installed. You can use the filter bar to filter hosts by various attributes, such as status, platform, type, or group. You can also filter hosts by health events, such as RFM, which is a mode that limits the sensor's functionality due to license expiration, network connectivity loss, or certificate validation failure.By filtering for RFM, you can see a list of all hosts that are in this mode1.

Question 6

Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group. What is the next step to disable RTR only on these hosts?

AEdit the Default Response Policy, toggle the 'Real Time Response' switch off and assign the policy to the host group

BEdit the Default Response Policy and add the host group to the exceptions list under 'Real Time Functionality'

CCreate a new Response Policy, toggle the 'Real Time Response' switch off and assign the policy to the host group

DCreate a new Response Policy and add the host name to the exceptions list under 'Real Time Functionality'

Answer : C

The administrator can create a new Response Policy, toggle the ''Real Time Response'' switch off and assign the policy to the host group that contains the servers that are not allowed to be accessed remotely. This will disable RTR only on those hosts, while keeping it enabled for the rest of the hosts. Editing the Default Response Policy or adding exceptions will not achieve the desired result. Reference:CrowdStrike Falcon User Guide, page 35.

Question 7

Which role allows a user to connect to hosts using Real-Time Response?

AEndpoint Manager

BFalcon Administrator

CReal Time Responder -- Active Responder

DPrevention Hashes Manager

Answer : C

The role that allows a user to connect to hosts using Real-Time Response is Real Time Responder -- Active Responder. This role allows users to use the ''Connect to Host'' feature to gather additional information from the host, as well as execute commands and scripts on the host. The other roles do not have this capability. Reference: [CrowdStrike Falcon User Guide], page 18.

CrowdStrike Certified Falcon Administrator CCFA-200b Exam Questions