CCFA-200 Questions and Answers

Question # 6

What is the purpose of a containment policy?

A. To define which Falcon analysts can contain endpoints
B. To define the duration of Network Containment
C. To define the trigger under which a machine is put in Network Containment (e.g. a critical detection)
D. To define allowed IP addresses over which your hosts will communicate when contained

Question # 7

How long are detection events kept in Falcon?

A. Detection events are kept for 90 days
B. Detection events are kept for your subscribed data retention period
C. Detection events are kept for 7 days
D. Detection events are kept for 30 days

Question # 8

Where do you obtain the Windows sensor installer for CrowdStrike Falcon?

A. Sensors are downloaded from Hosts > Sensor Downloads
B. Sensor installers are unique to each customer and must be obtained from support
C. Sensor installers are downloaded from the Support section of the CrowdStrike website
D. Sensor installers are not used because sensors are deployed from within Falcon

Question # 9

What is likely the reason your Windows host would be in Reduced Functionality Mode (RFM)?

A. Microsoft updates altering the kernel
B. The host lost internet connectivity
C. A misconfiguration in your prevention policy for the host
D. A Sensor Update Policy was misconfigured

Question # 10

What information does the API Audit Trail Report provide?

A. A list of analyst login activity
B. A list of specific changes to prevention policy
C. A list of actions taken via Falcon OAuth2-based APIs
D. A list of newly added hosts

Question # 11

Which report can assist in determining the appropriate Machine Learning levels to set in a Prevention Policy?

A. Sensor Report
B. Machine Learning Prevention Monitoring
C. Falcon UI Audit Trail
D. Machine Learning Debug

Question # 12

Why would you assign hosts to a static group instead of a dynamic group?

A. You do not want the group membership to change automatically
B. You are managing more than 1000 hosts
C. You need hosts to be automatically assigned to a group
D. You want the group to contain hosts from multiple operating systems

Question # 13

An analyst has reported they are not receiving workflow-triggered notifications in the past few days. Where should you first check for potential failures?

A. Custom Alert History
B. Workflow Execution log
C. Workflow Audit log
D. Falcon UI Audit Trail

Question # 14

Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group. What is the next step to disable RTR only on these hosts?

A. Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
B. Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"
C. Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
D. Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality"

Question # 15

What model is used to create workflows that would allow you to create custom notifications based on particular events which occur in the Falcon platform?

A. For - While statement(s)
B. Trigger, condition(s) and action(s)
C. Event trigger(s)
D. Predefined workflow template(s)

Question # 16

With Custom Alerts, it is possible to __________.

A. schedule the alert to run at any interval
B. receive an alert in an email
C. configure prevention actions for alerting
D. be alerted to activity in real-time

Question # 17

How do you disable all detections for a host?

A. Create an exclusion rule and apply it to the machine or group of machines
B. Contact support and provide them with the Agent ID (AID) for the machine and they will put it on the Disabled Hosts list in your Customer ID (CID)
C. You cannot disable all detections on individual hosts as it would put them at risk
D. In Host Management, select the host and then choose the option to Disable Detections

Question # 18

What can the Quarantine Manager role do?

A. Manage and change prevention settings
B. Manage quarantined files to release and download
C. Manage detection settings
D. Manage roles and users

Question # 19

What should be disabled on firewalls so that the sensor's man-in-the-middle attack protection works properly?

A. Deep packet inspection
B. Linux Sub-System
C. PowerShell
D. Windows Proxy

Question # 20

What must an admin do to reset a user's password?

A. From User Management, open the account details for the affected user and select "Generate New Password"
B. From User Management, select "Reset Password" from the three dot menu for the affected user account
C. From User Management, select "Update Account" and manually create a new password for the affected user account
D. From User Management, the administrator must rebuild the account as the certificate for user specific private/public key generation is no longer valid

Question # 21

What three things does a workflow condition consist of?

A. A parameter, an operator, and a value
B. A beginning, a middle, and an end
C. Triggers, actions, and alerts
D. Notifications, alerts, and APIs

Question # 22

How can an API client secret be viewed after it has been created?

A. Within the API management page, API client secrets can be accessed within the "edit client" functionality
B. The API client secret must be reset or a new client created as the secret cannot be viewed after it has been created
C. The API client secret can be provided by support via direct email request from a Falcon Administrator
D. Selecting "show secret" within the 3-dot dropdown menu will reveal the secret for the selected API client

Question # 23

What would be the most appropriate action to take if you wanted to prevent a folder from being uploaded to the cloud without disabling uploads globally?

A. A Machine Learning exclusion
B. A Sensor Visibility exclusion
C. An IOA exclusion
D. A Custom IOC entry

Question # 24

A. Enable Behavior-Based Threat Prevention sliders and Advanced Remediation Actions
B. Enable Malware Protection and Windows Anti-Malware Execution Blocking
C. Enable Next-Gen Antivirus Prevention sliders and "Quarantine & Security Center Registration"
D. Enable Malware Protection and Custom Execution Blocking

Question # 25

How are user permissions set in Falcon?

A. Permissions are assigned to a User Group and then users are assigned to that group, thereby inheriting those permissions
B. Pre-defined permissions are assigned to sets called roles. Users can be assigned multiple roles based on job function and they assume a cumulative set of permissions based on those assignments
C. An administrator selects individual granular permissions from the Falcon Permissions List during user creation
D. Permissions are token-based. Users request access to a defined set of permissions and an administrator adds their token to the set of permissions

Question # 26

When a user initiates a sensor install, where can the logs be found?

A. %SYSTEMROOT%\Logs
B. %SYSTEMROOT%\Temp
C. %LOCALAPPDATA%\Logs
D. %LOCALAPPDATA%\Temp

Question # 27

Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?

A. Real Time Responder
B. Endpoint Manager
C. Falcon Investigator
D. Remediation Manager

Question # 28

What is the most common cause of a Windows Sensor entering Reduced Functionality Mode (RFM)?

A. Falcon console updates are pending
B. Falcon sensors installing an update
C. Notifications have been disabled on that host sensor
D. Microsoft updates

Question # 29

Which statement is TRUE regarding disabling detections on a host?

A. Hosts with detections disabled will not alert on blocklisted hashes or machine learning detections, but will still alert on IOA-based detections. It will remain that way until detections are enabled again
B. Hosts with detections disabled will not alert on anything until detections are enabled again
C. Hosts with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed
D. Hosts cannot have their detections disabled individually

Question # 30

You need to have the ability to monitor suspicious VBA macros. Which Sensor Visibility setting should be turned on within the Prevention policy settings?

A. Script-based Execution Monitoring
B. Interpreter-Only
C. Additional User Mode Data
D. Engine (Full Visibility)

Question # 31

After agent installation, an agent opens a permanent ___ connection over port 443 and keeps that connection open until the endpoint is turned off or the network connection is terminated.

A. SSH
B. TLS
C. HTTP
D. TCP

Question # 32

Which of the following prevention policy settings monitors contents of scripts and shells for execution of malicious content on compatible operating systems?

A. Script-based Execution Monitoring
B. FileSystem Visibility
C. Engine (Full Visibility)
D. Suspicious Scripts and Commands

Question # 33

What is the purpose of the Machine-Learning Prevention Monitoring Report?

A. It is designed to give an administrator a quick overview of machine-learning aggressiveness settings as well as the numbers of items actually quarantined
B. It is the dashboard used by an analyst to view all items quarantined and to release any items deemed non-malicious
C. It is the dashboard used to see machine-learning preventions, and it is used to identify spikes in activity and possible targeted attacks
D. It is designed to show malware that would have been blocked in your environment based on different Machine-Learning Prevention settings

Question # 34

Which exclusion pattern will prevent detections on a file at C:\Program Files\My Program\My Files\program.exe?

A. \Program Files\My Program\My Files\*
B. \Program Files\My Program\*
C. *\*
D. *\Program Files\My Program\*\

Question # 35

What best describes the relationship between Sensor Update policies and Operating Systems?

A. Windows and Mac share Sensor Update policies. Linux requires its own set of policies based on the different kernel versions
B. Sensor Update policies are not Operating System specific. One policy can be applied to all Operating Systems
C. Windows has its own Sensor Update policies, but Mac and Linux share Sensor Update policies
D. A Sensor Update policy must be configured for each Operating System (Windows, Mac, Linux)

Question # 36

Which of the following should be used with extreme caution because it may introduce additional security risks such as malware or other attacks which would not be recorded, detected, or prevented based on the exclusion syntax?

A. Sensor Visibility Exclusion
B. Machine Learning Exclusions
C. IOC Exclusions
D. IOA Exclusions

Question # 37

When performing targeted filtering for a host on the Host Management Page, which filter bar attribute is NOT case-sensitive?

A. Username
B. Model
C. Domain
D. Hostname

Question # 38

When a Linux host is in Reduced Functionality Mode (RFM) what telemetry and protection is still offered?

A. The sensor would provide protection as normal, without event telemetry
B. The sensor would provide minimal protection
C. The sensor would function as normal
D. The sensor provides no protection, and only collects Sensor Heart Beat events

Question # 39

After Network Containing a host, your Incident Response team states they are unable to remotely connect to the host. Which of the following would need to be configured to allow remote connections from specified IPs?

A. Response Policy
B. Containment Policy
C. Maintenance Token
D. IP Allowlist Management

Question # 40

Custom IOA rules are defined using which syntax?

A. Glob
B. PowerShell
C. Yara
D. Regex

Question # 41

When creating an API client, which of the following must be saved immediately since it cannot be viewed again after the client is created?

A. Base URL
B. Secret
C. Client ID
D. Client name

Question # 42

In order to exercise manual control over the sensor upgrade process, as well as prevent unauthorized users from uninstalling or upgrading the sensor, which settings in the Sensor Update Policy would meet this criteria?

A. Sensor version set to N-1 and Bulk maintenance mode is turned on
B. Sensor version fixed and Uninstall and maintenance protection turned on
C. Sensor version updates off and Uninstall and maintenance protection turned off
D. Sensor version set to N-2 and Bulk maintenance mode is turned on

Question # 43

Under which scenario can Sensor Tags be assigned?

A. While triaging a detection
B. While managing hosts in the Falcon console
C. While updating a sensor in the Falcon console
D. While installing a sensor

Question # 44

How do you assign a Prevention policy to one or more hosts?

A. Create a new policy and assign it directly to those hosts on the Host Management page
B. Modify the user's roles on the User Management page
C. Ensure the hosts are in a group and assign that group to a custom Prevention policy
D. Create a new policy and assign it directly to those hosts on the Prevention policy page

Question # 45

Which of the following can a Falcon Administrator edit in an existing user's profile?

A. First or Last name
B. Phone number
C. Email address
D. Working groups