CrowdStrike CCFA-200 Real Exam Questions
The questions for CCFA-200 were last updated at Nov 20,2024.
- Exam Code: CCFA-200
- Exam Name: CrowdStrike Certified Falcon Administrator
- Certification Provider: CrowdStrike
- Latest update: Nov 20,2024
When a host is placed in Network Containment, which of the following is TRUE?
- A . The host machine is unable to send or receive network traffic outside of the local network
- B . The host machine is unable to send or receive network traffic except to/from the Falcon Cloud and traffic allowed in the Firewall Policy
- C . The host machine is unable to send or receive any network traffic
- D . The host machine is unable to send or receive network traffic except to/from the Falcon Cloud and any resources allowlisted in the Containment Policy
Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host.
Which role do you need added to your user account to have this capability?
- A . Real Time Responder
- B . Endpoint Manager
- C . Falcon Investigator
- D . Remediation Manager
Which option allows you to exclude behavioral detections from the detections page?
- A . Machine Learning Exclusion
- B . IOA Exclusion
- C . IOC Exclusion
- D . Sensor Visibility Exclusion
What is the primary purpose of using glob syntax in an exclusion?
- A . To specify a Domain be excluded from detections
- B . To specify exclusion patterns to easily exclude files and folders and extensions from detections
- C . To specify exclusion patterns to easily add files and folders and extensions to be prevented
- D . To specify a network share be excluded from detections
How long are detection events kept in Falcon?
- A . Detection events are kept for 90 days
- B . Detections events are kept for your subscribed data retention period
- C . Detection events are kept for 7 days
- D . Detection events are kept for 30 days
Which of the following Machine Learning (ML) sliders will only detect or prevent high confidence malicious items?
- A . Aggressive
- B . Cautious
- C . Minimal
- D . Moderate
What is the most common cause of a Windows Sensor entering Reduced Functionality Mode (RFM)?
- A . Falcon console updates are pending
- B . Falcon sensors installing an update
- C . Notifications have been disabled on that host sensor
- D . Microsoft updates
Under the "Next-Gen Antivirus: Cloud Machine Learning" setting there are two categories, one of them is "Cloud Anti-Malware" and the other is:
- A . Adware & PUP
- B . Advanced Machine Learning
- C . Sensor Anti-Malware
- D . Execution Blocking
What impact does disabling detections on a host have on an API?
- A . Endpoints with detections disabled will not alert on anything until detections are enabled again
- B . Endpoints cannot have their detections disabled individually
- C . DetectionSummaryEvent stops sending to the Streaming API for that host
- D . Endpoints with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed
Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group.
What is the next step to disable RTR only on these hosts?
- A . Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
- B . Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"
- C . Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
- D . Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality"