[Nov 24, 2024] CCFA-200 Exam Dumps - 100% Marks In CCFA-200 Exam! [Q57-Q81]


NEW QUESTION # 57
You need to have the ability to monitor suspicious VBA macros. Which Sensor Visibility setting should be turned on within the Prevention policy settings?

  • A. Additional User Mode Data
  • B. Script-based Execution Monitoring
  • C. Interpreter-Only
  • D. Engine (Full Visibility)

Answer: B

Explanation:
Turn on the Script-Based Execution Monitoring prevention policy setting to enable the "Falcon sensor to monitor the contents of scripts and shells that are popular mechanisms for executing malicious code on hosts. This setting does not kill or block scripts."
Scripting languages:
  • Excel 4.0 macros
  • JScript
  • VBA Macros
  • VBScript
The Sensor Visibility setting that should be turned on within the Prevention policy settings to monitor suspicious VBA macros is Script-based Execution Monitoring. Script-based Execution Monitoring is a feature that enables the Falcon sensor to monitor and prevent malicious script execution on Windows systems. The feature uses machine learning and behavioral analysis to detect suspicious scripts or commands executed by various script interpreters, such as PowerShell, WScript, CScript, or Bash. VBA (Visual Basic for Applications) is a scripting language that can be embedded in Microsoft Office documents, such as Word or Excel. VBA macros can be used to automate tasks or perform actions within the documents, but they can also be abused by attackers to deliver malware or execute malicious code. Script-based Execution Monitoring can help detect and prevent such attacks by monitoring the contents of VBA macros for execution of malicious content.
References: [Falcon Administrator Learning Path | Infographic | CrowdStrike]


NEW QUESTION # 58
How are user permissions set in Falcon?

  • A. Permissions are assigned to a User Group and then users are assigned to that group, thereby inheriting those permissions
  • B. An administrator selects individual granular permissions from the Falcon Permissions List during user creation
  • C. Pre-defined permissions are assigned to sets called roles. Users can be assigned multiple roles based on job function and they assume a cumulative set of permissions based on those assignments
  • D. Permissions are token-based. Users request access to a defined set of permissions and an administrator adds their token to the set of permissions

Answer: C


NEW QUESTION # 59
When creating an API client, which of the following must be saved immediately since it cannot be viewed again after the client is created?

  • A. Secret
  • B. Client name
  • C. Client ID
  • D. Base URL

Answer: A


NEW QUESTION # 60
What model is used to create workflows that would allow you to create custom notifications based on particular events which occur in the Falcon platform?

  • A. Event trigger(s)
  • B. For - While statement(s)
  • C. Predefined workflow template(s)
  • D. Trigger, condition(s) and action(s)

Answer: D

Explanation:
The model that is used to create workflows that would allow you to create custom notifications based on particular events which occur in the Falcon platform is trigger, condition(s) and action(s). This model allows you to specify what event will trigger the workflow, what condition(s) must be met for the workflow to execute, and what action(s) will be performed by the workflow. The other options are either incorrect or not related to creating workflows. Reference: CrowdStrike Falcon User Guide, page 56.


NEW QUESTION # 61
You want to create a detection-only policy. How do you set this up in your policy's settings?

  • A. Set the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled. Do not activate any of the other blocking or malware prevention options.
  • B. Select the "Detect-Only" template. Disable hash blocking and exclusions.
  • C. You can't create a policy that detects but does not prevent. Use Custom IOA rules to detect.
  • D. Enable the detection sliders and disable the prevention sliders. Then ensure that Next Gen Antivirus is enabled so it will disable Windows Defender.

Answer: A

Explanation:
The administrator can create a detection-only policy by setting the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled in the policy's settings. This will allow Falcon to detect but not prevent threats on the hosts using this policy. Do not activate any of the other blocking or malware prevention options, as they will enable prevention actions. The other options are either incorrect or not related to creating a detection-only policy. Reference: [CrowdStrike Falcon User Guide], page 35.


NEW QUESTION # 62
When a Linux host is in Reduced Functionality Mode (RFM) what telemetry and protection is still offered?

  • A. The sensor would provide minimal protection
  • B. The sensor would provide protection as normal, without event telemetry
  • C. The sensor would function as normal
  • D. The sensor provides no protection, and only collects Sensor Heart Beat events

Answer: A

Explanation:
When a Linux host is in Reduced Functionality Mode (RFM), the sensor would provide minimal protection. RFM is a mode that limits the sensor's functionality due to license expiration, network connectivity loss, or certificate validation failure. When a Linux sensor is in RFM, it will only provide basic prevention capabilities, such as blocking known malware hashes and preventing script execution from the /tmp directory. The sensor will not send any telemetry or detection events to the Falcon platform, and will not receive any policy or update changes from the Falcon cloud [1].
References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike


NEW QUESTION # 63
The alignment of a particular prevention policy to one or more host groups can be completed in which of the following locations within Falcon?

  • A. Policy alignment is configured in the "Host Management" section in the Hosts application
  • B. Policy alignment is configured in the General Settings section under the Configuration menu
  • C. Policy alignment is configured in each policy in the "Assigned Host Groups" tab
  • D. Policy alignment is configured only once during the initial creation of the policy in the "Create New Policy" pop-up window

Answer: C


NEW QUESTION # 64
You want the Falcon Cloud to push out sensor version changes but you also want to manually control when the sensor version is upgraded or downgraded. In the Sensor Update policy, which is the best Sensor version option to achieve these requirements?

  • A. Auto - N-1
  • B. Auto - TEST-QA
  • C. Specific sensor version number
  • D. Sensor version updates off

Answer: C

Explanation:
The administrator can choose a specific sensor version number in the Sensor Update policy to manually control when the sensor version is upgraded or downgraded. This will allow the Falcon Cloud to push out sensor version changes, but only when the administrator changes the version number in the policy. The other options will either automate the sensor version updates or turn them off completely. Reference: [CrowdStrike Falcon User Guide], page 38.


NEW QUESTION # 65
You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?

  • A. Contact support and request that they modify the Machine Learning settings to no longer include this detection
  • B. Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"
  • C. Using IOC Management, add the hash of the binary in question and set the action to "No Action"
  • D. Using IOC Management, add the hash of the binary in question and set the action to "Allow"

Answer: D


NEW QUESTION # 66
What is the goal of a Network Containment Policy?

  • A. Increase the aggressiveness of the assigned prevention policy
  • B. Partition a network for privacy
  • C. Limit the impact of a compromised host on the network
  • D. Gain more visibility into network activities

Answer: C

Explanation:
The goal of a Network Containment Policy is to limit the impact of a compromised host on the network. This policy allows users to isolate a host from the network, while still allowing it to communicate with the Falcon Cloud and other essential services. This can help prevent further damage or data exfiltration from a compromised host. The other options are either incorrect or not related to the policy. Reference: [CrowdStrike Falcon User Guide], page 40.


NEW QUESTION # 67
Which Real Time Response role will allow you to see all analyst session details?

  • A. Real Time Response - Administrator
  • B. Real Time Response - Active Responder
  • C. None of the Real Time Response roles allows this
  • D. Real Time Response - Read-Only Analyst

Answer: A

Explanation:
The Real Time Response role that will allow you to see all analyst session details is Real Time Response - Administrator. A Real Time Response - Administrator is a role that has full access and control over the Real Time Response feature in Falcon, which allows you to remotely access and investigate hosts in real time. A Real Time Response - Administrator can view all analyst session details, such as session ID, host name, start and end time, commands executed, and output received. A Real Time Response - Administrator can also create, modify, delete, and assign scripts and commands to other analysts [2].
References: [2] Cybersecurity Resources | CrowdStrike


NEW QUESTION # 68
Which of the following is TRUE of the Logon Activities Report?

  • A. It gives a detailed list of all logon activity for users
  • B. Shows a graphical view of user logon activity and the hosts the user connected to
  • C. The report can be filtered by computer name
  • D. It only gives a summary of the last logon activity for users

Answer: A


NEW QUESTION # 69
When the Notify End Users policy setting is turned on, which of the following is TRUE?

  • A. End users will not be notified as we would not want to notify a malicious actor of a detection. This setting does not exist
  • B. End users will receive a pop-up allowing them to confirm or refuse a pending quarantine
  • C. End-users receive a pop-up notification when a prevention action occurs
  • D. End users will be immediately notified via a pop-up that their machine is in-network isolation

Answer: C

Explanation:
When the Notify End Users policy setting is turned on, end-users receive a pop-up notification when a prevention action occurs. This setting allows you to inform the end-users that the Falcon sensor has blocked or quarantined a malicious item on their system. The notification will also provide the name and path of the item, the reason for the prevention, and a link to contact support if needed [1].
References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike


NEW QUESTION # 70
Which exclusion pattern will prevent detections on a file at C:\Program Files\My Program\My Files\program.exe?

  • A. *\Program Files\My Program\*\
  • B. \Program Files\My Program\My Files\*
  • C. \Program Files\My Program\*
  • D. *\*

Answer: B

Explanation:
The exclusion pattern that will prevent detections on a file at C:\Program Files\My Program\My Files\program.exe is \Program Files\My Program\My Files\*. This pattern will match any file under the My Files folder, including program.exe, and exclude them from detections. The other patterns are either incorrect or too broad to prevent detections on this specific file. Reference: [CrowdStrike Falcon User Guide], page 37.


NEW QUESTION # 71
You have been provided with a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers. They have asked you to ensure that they are not allowed to run in your environment. You have chosen to use Falcon to do this. Which is the best way to accomplish this?

  • A. Using IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking.
  • B. Using the API, gather the list of SHA256 or MD5 hashes for each binary and then upload them, setting them all to "Never Allow"
  • C. Using the Support Portal, create a support ticket and include the list of binary hashes, asking support to create an "Execution Prevention" rule to prevent these processes from running
  • D. Using Custom Alerts in the Investigate App, create a new alert using the template "Process Execution" and within that rule, select the option to "Block Execution"

Answer: A


NEW QUESTION # 72
What type of information is found in the Linux Sensors Dashboard?

  • A. Versions running, Directory Made Invisible to Spotlight, Logging/Auditing Referenced, Viewed, or Modified
  • B. Private Information Accessed, Archiving Tools - Exfil, Files Made Executable
  • C. Hosts by Kernel Version, Shells spawned by Root, Wget/Curl Usage
  • D. Hidden File execution, Execution of file from the trash, Versions Running with Computer Names

Answer: A


NEW QUESTION # 73
Where can you find your company's Customer ID (CID)?

  • A. The CID is located at Hosts > Host Management
  • B. The CID is only available by calling support
  • C. The CID is a secret key used for Falcon communication and is never shared with the customer
  • D. The CID is located at Hosts setup and management > Deploy > Sensor Downloads and is listed along with the checksum

Answer: D

Explanation:
The CID (Customer ID) is located at Hosts setup and management > Deploy > Sensor Downloads and is listed along with the checksum. The CID is a unique identifier for your organization that is required for authenticating your sensor installation and communication with the Falcon cloud. The checksum is a value that verifies the integrity of the sensor download file. You can find your CID and checksum at the top of the Sensor Downloads page [1].
References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike


NEW QUESTION # 74
Which of the following can a Falcon Administrator edit in an existing user's profile?

  • A. Working groups
  • B. Phone number
  • C. First or Last name
  • D. Email address

Answer: C

Explanation:
Roles are never called 'working groups' in the documentation. The only other option that can be edited on an existing user is first and last name.


NEW QUESTION # 75
You are attempting to install the Falcon sensor on a host with a slow Internet connection and the installation fails after 20 minutes. Which of the following parameters can be used to override the 20-minute default provisioning window?

  • A. ExtendedWindow=1
  • B. Timeout=30
  • C. ProvNoWait=1
  • D. Timeout=0

Answer: C

Explanation:
"ProvNoWait=1: The sensor does not abort installation if it can't connect to the CrowdStrike cloud within 20 minutes (10 minutes, in Falcon sensor version 6.21 and earlier). (By default, if the host can't contact our cloud, it will retry the connection for 20 minutes. After that, the host will automatically uninstall its sensor.)"
"ProvWaitTime=3600000: The sensor waits for 1 hour to connect to the CrowdStrike cloud when installing (the default is 20 minutes)."


NEW QUESTION # 76
Once an exclusion is saved, what can be edited in the future?

  • A. Only the options to "Detect/Block" and/or "File Extraction" can be changed
  • B. All parts of the exclusion can be changed
  • C. The exclusion pattern cannot be changed
  • D. Only the selected groups and hosts to which the exclusion is applied can be changed

Answer: B

Explanation:
Once an exclusion is saved, all parts of the exclusion can be changed in the future. The administrator can edit an existing exclusion by selecting it from the Exclusions page and modifying any of its fields, such as pattern, type, option, group or host. The other options are either incorrect or not true of editing exclusions.
Reference: CrowdStrike Falcon User Guide, page 37.


NEW QUESTION # 77
Which option allows you to exclude behavioral detections from the detections page?

  • A. IOA Exclusion
  • B. Machine Learning Exclusion
  • C. Sensor Visibility Exclusion
  • D. IOC Exclusion

Answer: B


NEW QUESTION # 78
Why is the ability to disable detections helpful?

  • A. It gives users the ability to remove all data from hosts that have been uninstalled
  • B. It gives users the ability to allowlist a false positive detection
  • C. It gives users the ability to set up hosts to test detections and later remove them from the console
  • D. It gives users the ability to uninstall the sensor from a host

Answer: B


NEW QUESTION # 79
An analyst has reported they are not receiving workflow triggered notifications in the past few days. Where should you first check for potential failures?

  • A. Workflow Audit log
  • B. Workflow Execution log
  • C. Falcon UI Audit Trail
  • D. Custom Alert History

Answer: B

Explanation:
The Workflow Execution log in the Workflow Management option allows you to view the status and results of workflow executions triggered by detection events. You can filter the log by workflow name, status, start and end time, and detection ID. You can also view the details of each execution, including the actions performed, the output received, and any errors encountered. This log can help you troubleshoot potential failures or issues with your workflows [1].
References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike


NEW QUESTION # 80
What is the purpose of the Default Sensor Policy?

  • A. Used to reset all sensor settings to Default.
  • B. Tests the sensor configuration settings before deployment.
  • C. Acts as a "catch all" policy if no other Sensor Policies are applied.
  • D. A mechanism to deploy the oldest supported version of the Falcon Sensor.

Answer: C

Explanation:
The purpose of the Default Sensor Policy is that it acts as a "catch all" policy if no other Sensor Policies are applied. A Sensor Policy is a policy that defines the detection and prevention settings for the Falcon sensor on a host. You can create and assign custom Sensor Policies to different hosts or groups in your environment. However, if a host is not assigned to a specific Sensor Policy, it will inherit the settings from the Default Sensor Policy. The Default Sensor Policy is a "catch-all" policy that is enabled by default and has the "Malware Protection" feature turned on. You can modify the settings of the Default Sensor Policy, but you cannot delete or disable it [1].
References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike


NEW QUESTION # 81
......


CrowdStrike CCFA-200 certification exam consists of 60 multiple-choice questions and has a time limit of 90 minutes. CCFA-200 exam covers a variety of topics, including the installation and configuration of CrowdStrike Falcon agents, the management of policies and rules, and the use of the Falcon console for incident response and threat hunting.
