CrowdStrike CCFA-200 CrowdStrike Certified Falcon Administrator Online Training
CrowdStrike CCFA-200 Online Training
The questions for CCFA-200 were last updated at Nov 22,2024.
- Exam Code: CCFA-200
- Exam Name: CrowdStrike Certified Falcon Administrator
- Certification Provider: CrowdStrike
- Latest update: Nov 22,2024
An analyst has reported they are not receiving workflow triggered notifications in the past few days.
Where should you first check for potential failures?
- A . Custom Alert History
- B . Workflow Execution log
- C . Workflow Audit log
- D . Falcon UI Audit Trail
How are user permissions set in Falcon?
- A . Permissions are assigned to a User Group and then users are assigned to that group, thereby inheriting those permissions
- B . Pre-defined permissions are assigned to sets called roles. Users can be assigned multiple roles based on job function and they assume a cumulative set of permissions based on those assignments
- C . An administrator selects individual granular permissions from the Falcon Permissions List during user creation
- D . Permissions are token-based. Users request access to a defined set of permissions and an administrator adds their token to the set of permissions
When creating new IOCs in IOC management, which of the following fields must be configured?
- A . Hash, Description, Filename
- B . Hash, Action and Expiry Date
- C . Filename, Severity and Expiry Date
- D . Hash, Platform and Action
Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group.
What is the next step to disable RTR only on these hosts?
- A . Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
- B . Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"
- C . Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
- D . Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality"
Which exclusion pattern will prevent detections on a file at C:Program FilesMy ProgramMy Filesprogram.exe?
- A . Program FilesMy ProgramMy Files*
- B . Program FilesMy Program*
- C . **
- D . *Program FilesMy Program*
Once an exclusion is saved, what can be edited in the future?
- A . All parts of the exclusion can be changed
- B . Only the selected groups and hosts to which the exclusion is applied can be changed
- C . Only the options to "Detect/Block" and/or "File Extraction" can be changed
- D . The exclusion pattern cannot be changed
Why is the ability to disable detections helpful?
- A . It gives users the ability to set up hosts to test detections and later remove them from the console
- B . It gives users the ability to uninstall the sensor from a host
- C . It gives users the ability to allowlist a false positive detection
- D . It gives users the ability to remove all data from hosts that have been uninstalled
What impact does disabling detections on a host have on an API?
- A . Endpoints with detections disabled will not alert on anything until detections are enabled again
- B . Endpoints cannot have their detections disabled individually
- C . DetectionSummaryEvent stops sending to the Streaming API for that host
- D . Endpoints with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed
What is the purpose of using groups with Sensor Update policies in CrowdStrike Falcon?
- A . To group hosts with others in the same business unit
- B . To group hosts according to the order in which Falcon was installed, so that updates are installed in the same order every time
- C . To prioritize the order in which Falcon updates are installed, so that updates are not installed all at once leading to network congestion
- D . To allow the controlled assignment of sensor versions onto specific hosts
What command should be run to verify if a Windows sensor is running?
- A . regedit myfile.reg
- B . sc query csagent
- C . netstat -f
- D . ps -ef | grep falcon