CCFA-200 Practice Exam Questions with Answers CrowdStrike Certified Falcon Administrator Certification

The type of information that is found in the Linux Sensors Dashboard is Hosts by Kernel Version, Shells spawned by Root, Wget/Curl Usage. The Linux Sensors Dashboard is a dashboard that provides an overview of the Linux hosts in your environment that have Falcon sensors installed. You can use this dashboard to monitor the health and activity of your Linux hosts, such as their kernel versions, root shell usage, network communication, detections, and preventions3.

References: 3: How to Become a CrowdStrike Certified Falcon Administrator

The report that lists counts of sensors in Reduced Functionality Mode (RFM) for all operating system types, and tracks how long a sensor version will be supported is Sensor Coverage Lookup. The Sensor Coverage Lookup report allows you to view and compare the sensor versions and coverage status for each operating system type in your environment. You can use this report to identify any sensors that are in RFM or are approaching end-of-life (EOL) support. You can also view the release date and EOL date for each sensor version3.

References: 3: How to Become a CrowdStrike Certified Falcon Administrator

Sensor Update policies need to be configured for each OS (Windows, Mac, Linux) because Sensor Update policies are OS dependent. A Sensor Update policy is a policy that controls how and when the Falcon sensor is updated on a host. Sensor Update policies are specific to each operating system type, as different operating systems have different sensor versions, features, and requirements. Therefore, you need to create and assign separate Sensor Update policies for each operating system type in your environment1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

According to documentation (documentation/detections/technique/sensor-based-ml-cst0007): CrowdStrike sensor-based machine learning (ML) identifies and analyzes unknown executables as they run on hosts. This technique is triggered by files and file attributes associated with known malware. This is similar to the [Cloud-based ML](/support/documentation/detections/technique/cloud-based-ml) technique. Cloud-based ML is informed by global analysis of executables that classifies and identifies malware. The key difference is that it doesn't run on hosts when they're offline.

The best method to ensure all workstation hosts are added to the group is to create a Dynamic Group with Type=Workstation Assignment. A Dynamic Group is a group that automatically updates its membership based on certain criteria or filters. A Type=Workstation Assignment filter will match all hosts that have the workstation type assigned in their Active Directory domain. This way, any new or existing workstation hosts will be added to the group without manual intervention1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The option that may prevent a user from logging into Falcon via single sign-on (SSO) is that the SSO username doesn’t match their email address in Falcon. SSO is a feature that allows you to use an external identity provider (IdP) to authenticate and authorize users to access the Falcon platform. SSO simplifies and streamlines the login process, as users only need to remember one set of credentials for multiple applications. However, SSO requires that the username in the IdP matches the email address in Falcon for each user. If there is a mismatch between the username and the email address, the user will not be able to log into Falcon via SSO.

References: : [Cybersecurity Resources | CrowdStrike]

Scheduling a Custom Alert for your environment consists of three steps: choosing the template you’d like to configure, previewing the search results, then scheduling the alert. Use Custom Alerts to configure email alerts using predefined templates so you're notified about specific activity in your environment. When an alert runs and finds results, it sends an email to specified recipients instead of generating a new detection. Custom Alerts let you set up email alerts based on predefined templates that cover a wide range of topics including Real Time Response session initiation, host containment, OS security settings, and more that are not yet covered by notification workflows.

 In order to exercise manual control over the sensor upgrade process, as well as prevent unauthorized users from uninstalling or upgrading the sensor, the administrator should set the Sensor version to fixed and turn on the Uninstall and maintenance protection setting in the Sensor Update Policy. This will allow the administrator to specify which sensor version will be used by the hosts using this policy, and also require a maintenance token to uninstall or upgrade the sensor. The other options are either incorrect or not sufficient to meet this criteria. Reference: CrowdStrike Falcon User Guide, page 38.

Once an exclusion is saved, all parts of the exclusion can be changed in the future. The administrator can edit an existing exclusion by selecting it from the Exclusions page and modifying any of its fields, such as pattern, type, option, group or host. The other options are either incorrect or not true of editing exclusions. Reference: CrowdStrike Falcon User Guide, page 37.

The option that is not an available action for an API Client is Retrieve an API Client Secret. An API Client is an entity that represents a user or application that can access the Falcon platform programmatically via the Falcon APIs. An API Client has an API Client ID and an API Client Secret, which are used for authenticating and authorizing API requests. You can create and manage API Clients in the API Clients and Keys page in the Falcon console. The available actions for an API Client are Edit an API Client, Reset an API Client Secret, and Delete an API Client. You cannot retrieve an API Client Secret after it has been created, as it is only displayed once during creation for security reasons2.

References: 2: Cybersecurity Resources | CrowdStrike

The Quarantine Manager role can manage quarantined files to release and download. This role allows users to view and search quarantined files, as well as release them from quarantine or download them for further analysis. The other roles do not have this capability. Reference: [CrowdStrike Falcon User Guide], page 19.

The Logon Activities Report shows a graphical view of user logon activity and the hosts the user connected to, but it only gives a summary of the last logon activity for users. It does not give a detailed list of all logon activity for users, nor can it be filtered by computer name. The other options are either incorrect or not true of the report. Reference: CrowdStrike Falcon User Guide, page 50.

You are usuing RegEx here and need leading ".*" to capture www and then need a ".*" at the end to identify any sites falling under badguydomain.com

Real Time Responder - Administrator (RTR Administrator) - Can do everything RTR Active Responder can do, plus create custom scripts, upload files to hosts using the put command, and directly run executables using the run command.

When the Notify End Users policy setting is turned on, end-users receive a pop-up notification when a prevention action occurs. This setting allows you to inform the end-users that the Falcon sensor has blocked or quarantined a malicious item on their system. The notification will also provide the name and path of the item, the reason for the prevention, and a link to contact support if needed1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

On a Windows host, the best command to determine if the sensor is currently running is sc query csagent. This command will show the status of the csagent service, which is responsible for running the sensor on Windows systems. The output of this command will indicate if the service is running, stopped, or paused. If the service is running, the sensor is also running3.

References: 3: How to Become a CrowdStrike Certified Falcon Administrator

The Default Sensor Update policy is a “catch-all” policy. This means that any host that is not assigned to a specific sensor update policy will inherit the settings from the Default Sensor Update policy. The Default Sensor Update policy is enabled by default and has the “Uninstall and maintenance protection” feature turned on. You can modify the settings of the Default Sensor Update policy, but you cannot delete or disable it2.

References: 2: Cybersecurity Resources | CrowdStrike

The Logon Activities report under Visibility Reports provides a list of last endpoints that a user logged in to. This report shows the user name, domain name, logon type, logon time and endpoint name for each logon event. The other options are either incorrect or not related to the report. Reference: [CrowdStrike Falcon User Guide], page 50.

In the Containment Policy page have the title "Network traffic allowlist" and it only allows to add IPs or CIDR networks to exclude in the moment of the isolation of any host, because it is a global policy, not allowing make distinctions between machines.

The administrator can choose a specific sensor version number in the Sensor Update policy to manually control when the sensor version is upgraded or downgraded. This will allow the Falcon Cloud to push out sensor version changes, but only when the administrator changes the version number in the policy. The other options will either automate the sensor version updates or turn them off completely. Reference: [CrowdStrike Falcon User Guide], page 38.

When creating an API client, the secret must be saved immediately since it cannot be viewed again after the client is created. The secret is a randomly generated string that is used to authenticate the API client along with the client ID. The other options are either incorrect or can be viewed or modified later. Reference: CrowdStrike Falcon User Guide, page 54.

The purpose of using groups with Sensor Update policies in CrowdStrike Falcon is to allow the controlled assignment of sensor versions onto specific hosts. This allows users to manage the sensor updates for different hosts based on their needs and preferences, such as testing, staging or production. The other options are either incorrect or not related to using groups with Sensor Update policies. Reference: [CrowdStrike Falcon User Guide], page 38.

The Workflow Execution log in the Workflow Management option allows you to view the status and results of workflow executions triggered by detection events. You can filter the log by workflow name, status, start and end time, and detection ID. You can also view the details of each execution, including the actions performed, the output received, and any errors encountered. This log can help you troubleshoot potential failures or issues with your workflows1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The statement that describes what is recommended for the Default Sensor Update policy is that the Default Sensor Update policy should align to an organization’s overall sensor updating practice while leveraging Auto N-1 and Auto N-2 configurations where possible. As explained in question 139, the Default Sensor Update policy is a “catch-all” policy that applies to any host that is not assigned to a specific Sensor Update policy. Therefore, it is recommended that the Default Sensor Update policy should align to your organization’s overall sensor updating practice, such as how frequently and how quickly you want to update your sensors. It is also recommended that you leverage the Auto N-1 and Auto N-2 configurations, which allow you to automatically update your sensors to the latest or second-latest sensor version without requiring manual intervention1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

Username is not an available filter on the Hosts Management page. The Hosts Management page allows you to view and manage all the hosts in your environment that have Falcon sensors installed. You can filter the hosts by hostname, group, OS version, sensor version, last seen date, health events, detections, and preventions. You can also perform actions such as assigning hosts to groups, updating sensor policies, uninstalling sensors, or isolating hosts1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The page of the Falcon console where one can locate the Customer ID (CID) is API Clients and Keys. The API Clients and Keys page allows you to create and manage API clients and keys for accessing the Falcon platform programmatically. The Customer ID (CID) is a unique identifier for your organization that is required for authenticating your API requests. You can find your CID at the top of the API Clients and Keys page2.

References: 2: Cybersecurity Resources | CrowdStrike

Disabling detections on a host will stop the DetectionSummaryEvent from sending to the Streaming API for that host. This means that the host will not send any detection events to the Streaming API, which is used to stream data from the Falcon Cloud to external applications or systems. The other options are either incorrect or not related to disabling detections on a host. Reference: [CrowdStrike Falcon User Guide], page 32.

The way to find the older installer file for the Falcon sensor is to click on “Older versions” links under the Host setup and management > Deploy > Sensor downloads. The Sensor downloads page allows you to download the latest version of the Falcon sensor for different operating systems and platforms. However, if you need to install an older version of the sensor, you can click on the “Older versions” links below each sensor download button. This will open a new page where you can select and download any previous version of the sensor1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

Falcon allows you to upload hashes from your own black or white lists. To enabled this navigate to the Configuration App, Prevention hashes window, and click on “Upload Hashes” in the upper right-hand corner. Note that you can also automate the task of importing hashes with the CrowdStrike Falcon® API.

https://www.crowdstrike.com/blog/tech-center/how-to-prevent-malware-with-custom-blacklisting/

The option that controls the speed in which your sensors will receive automatic sensor updates is Sensor Update Throttling. Sensor Update Throttling allows you to limit the number of sensors that can download a new sensor version per hour. This way, you can avoid network congestion or bandwidth issues caused by simultaneous sensor updates. You can configure the Sensor Update Throttling setting in the Sensor Update Policy for each platform1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The report that can be used to determine if Script Based Execution Monitoring (SBEM) is not enabled on a Falcon host due to an old prevention policy is Prevention Policy Debug. The Prevention Policy Debug report allows you to view and compare the prevention policy settings applied to each host in your environment. You can use this report to identify any hosts that have outdated or inconsistent prevention policy settings, such as SBEM, which is a feature that monitors and prevents malicious script execution on Windows systems1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

User permissions are set in Falcon by assigning pre-defined permissions to sets called roles. Users can be assigned multiple roles based on job function and they assume a cumulative set of permissions based on those assignments. Roles are collections of permissions that define what users can see and do in Falcon. Permissions are granular actions that allow users to access specific features or functions in Falcon. For example, a user who is assigned both the Falcon Administrator role and the Falcon Investigator role will have all the permissions from both roles2.

References: 2: Cybersecurity Resources | CrowdStrike

https://www.crowdstrike.com/blog/tech-center/how-to-manage-policies-in-falcon/

The option that describes what exclusions can be applied to is that exclusions can be applied to either all hosts or specified groups. An exclusion is a rule that defines what files, folders, processes, IP addresses, or domains should be excluded from detection or prevention by the Falcon sensor. You can create and manage exclusions in the Exclusions page in the Falcon console. You can apply exclusions to either all hosts in your environment or to specific host groups that you select. You cannot apply exclusions to individual hosts selected by the administrator.

References: : [Cybersecurity Resources | CrowdStrike]

Information about supported operating system versions can be found in the Support module in the Falcon console. This module provides access to various support resources, such as documentation, downloads, FAQs, release notes and system status. One of the documents available in this module is the CrowdStrike Sensor Compatibility List, which lists the supported operating system versions for each sensor type and platform. The other options are either incorrect or not related to finding information about supported operating system versions. Reference: CrowdStrike Falcon User Guide, page 26.

The option that best describes what happens to detections in the console after clicking “Disable Detections” for a host from within the Host Management page is that the detections for the host are removed from the console immediately and no new detections will display in the console going forward. The “Disable Detections” feature allows you to enable or disable the detection and prevention capabilities of the Falcon sensor on a specific host. When you disable detections for a host, the sensor will stop sending any detection or prevention events to the Falcon console, and any existing events for that host will be removed from the console. When you enable detections for a host, the sensor will resume sending any new detection or prevention events to the Falcon console, but any previous events for that host will not be restored to the console1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The Machine Learning Prevention Monitoring report in the Prevention Policy Management option allows you to monitor the impact of machine learning (ML) prevention settings on your environment. You can view the number of ML detections and preventions by severity, policy, and host group. You can also drill down into specific events and hosts to see more details. This report can help you determine the appropriate ML levels to set in a prevention policy based on your risk tolerance and security posture1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The Real Time Responder - Read Only Analyst only allows to run the commands "cat,cd,clear,env,eventlog,filehash,getsid,help,history,ipconfig,ls,mount,netstat,ps,reg" the role do not have permission to get files so it is the most aproximated profile for the requested capabilities.

The option that is true regarding disabling detections for a host is that the detections for that host are removed from the console immediately. No new detections will display in the console going forward unless detections are enabled. This option is essentially a repetition of question 127 and its answer. Disabling detections for a host will remove any existing detections for that host from the console and prevent any new detections from appearing in the console until detections are enabled again1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The page that provides a count of sensors in Reduced Functionality Mode (RFM) by Operating System is Sensor Health. The Sensor Health page allows you to view and monitor the health and status of all sensors in your environment. You can use this page to identify any sensors that have issues or errors, such as RFM, which is a mode that limits the sensor’s functionality due to license expiration, network connectivity loss, or certificate validation failure. You can filter the sensors by operating system, sensor version, last seen date, health events, detections, and preventions3.

References: 3: How to Become a CrowdStrike Certified Falcon Administrator