CrowdStrike CCFA-200 CrowdStrike Certified Falcon Administrator Exam Practice Test

Page: 1 / 14
Total 153 questions
Question 1

Which statement describes what is recommended for the Default Sensor Update policy?



Answer : A

The statement that describes what is recommended for the Default Sensor Update policy is that the Default Sensor Update policy should align to an organization's overall sensor updating practice while leveraging Auto N-1 and Auto N-2 configurations where possible. As explained in question 139, the Default Sensor Update policy is a ''catch-all'' policy that applies to any host that is not assigned to a specific Sensor Update policy. Therefore, it is recommended that the Default Sensor Update policy should align to your organization's overall sensor updating practice, such as how frequently and how quickly you want to update your sensors.It is also recommended that you leverage the Auto N-1 and Auto N-2 configurations, which allow you to automatically update your sensors to the latest or second-latest sensor version without requiring manual intervention1.


Question 2

When a Linux host is in Reduced Functionality Mode (RFM) what telemetry and protection is still offered?



Answer : B

When a Linux host is in Reduced Functionality Mode (RFM), the sensor would provide minimal protection. RFM is a mode that limits the sensor's functionality due to license expiration, network connectivity loss, or certificate validation failure. When a Linux sensor is in RFM, it will only provide basic prevention capabilities, such as blocking known malware hashes and preventing script execution from the /tmp directory.The sensor will not send any telemetry or detection events to the Falcon platform, and will not receive any policy or update changes from the Falcon cloud1.


Question 3

What best describes what happens to detections in the console after clicking "Enable Detections" for a host which previously had its detections disabled?



Answer : C

The option that best describes what happens to detections in the console after clicking ''Enable Detections'' for a host which previously had its detections disabled is that new detections will start appearing in the console immediately. Previous detections will not be restored to the console for that host. The ''Enable Detections'' feature allows you to enable or disable the detection and prevention capabilities of the Falcon sensor on a specific host. When you disable detections for a host, the sensor will stop sending any detection or prevention events to the Falcon console, and any existing events for that host will be removed from the console.When you enable detections for a host, the sensor will resume sending any new detection or prevention events to the Falcon console, but any previous events for that host will not be restored to the console1.


Question 4

Which of the following pages provides a count of sensors in Reduced Functionality Mode (RFM) by Operating System?



Answer : D

The page that provides a count of sensors in Reduced Functionality Mode (RFM) by Operating System is Sensor Health. The Sensor Health page allows you to view and monitor the health and status of all sensors in your environment. You can use this page to identify any sensors that have issues or errors, such as RFM, which is a mode that limits the sensor's functionality due to license expiration, network connectivity loss, or certificate validation failure.You can filter the sensors by operating system, sensor version, last seen date, health events, detections, and preventions3.


Question 5

How many days will an inactive host remain visible within the Host Management or Trash pages?



Answer : C

An inactive host will remain visible within the Host Management or Trash pages for 90 days. An inactive host is a host that has not communicated with the Falcon platform for more than seven days. An inactive host will be moved from the Host Management page to the Trash page after seven days of inactivity. An inactive host will remain in the Trash page for 90 days before being permanently deleted from the Falcon platform.You can restore an inactive host from the Trash page if it becomes active again within 90 days1.


Question 6

Which of the following scenarios best describes when you would add IP addresses to the containment policy?



Answer : D

The scenario that best describes when you would add IP addresses to the containment policy is that your organization has resources that need to be accessible when hosts are network contained. As explained in the previous question, adding IP addresses to the containment policy allows you to create an allowlist of trusted IP addresses that can communicate with your contained hosts.This can be useful when you need to isolate a host from the network due to a potential compromise or investigation, but still want to allow it to access certain resources or services that are essential for your organization's operations or security2.


Question 7

You have a new patch server that should be reachable while hosts in your environment are network contained. The server's IP address is static and does not change. Which of the following is the best approach to updating the Containment Policy to allow this?



Answer : C

The best approach to updating the Containment Policy to allow a new patch server that should be reachable while hosts in your environment are network contained is to add an allowlist entry for the individual server's IP address. An allowlist entry allows you to define a list of trusted IP addresses that can communicate with your contained hosts. This way, you can isolate a host from the network while still allowing it to access essential resources or services, such as a patch server.If the server's IP address is static and does not change, adding an individual IP address is more precise and secure than adding a host group or a network range2.


Page:    1 / 14   
Total 153 questions