CrowdStrike CCFA-200 Exam Practice Test Instant Access

Question 1

Where do you obtain the Windows sensor installer for CrowdStrike Falcon?

ASensors are downloaded from the Hosts > Sensor Downloads

BSensor installers are unique to each customer and must be obtained from support

CSensor installers are downloaded from the Support section of the CrowdStrike website

DSensor installers are not used because sensors are deployed from within Falcon

Answer : A

The Windows sensor installer for CrowdStrike Falcon can be downloaded from the Hosts > Sensor Downloads page in the Falcon console. This page allows you to download different sensor versions and installers for various operating systems and platforms, as well as view installation instructions and release notes. The other options are either incorrect or not available. Reference:CrowdStrike Falcon User Guide, page 27.

Question 2

Why is it critical to have separate sensor update policies for Windows/Mac/*nix?

AThere may be special considerations for each OS

BTo assist with testing and tracking sensor rollouts

CThe network protocols are different for each host OS

DIt is an auditing requirement

Answer : A

https://www.crowdstrike.com/blog/tech-center/how-to-manage-policies-in-falcon/

Question 3

Which of the following Machine Learning (ML) sliders will only detect or prevent high confidence malicious items?

AAggressive

BCautious

CMinimal

DModerate

Answer : B

The Machine Learning (ML) slider that will only detect or prevent high confidence malicious items is Cautious. The ML slider allows you to adjust the level of sensitivity and aggressiveness of the Falcon sensor's ML engine, which uses artificial intelligence to identify and stop unknown threats. The Cautious setting will enable the sensor to detect and prevent only high-confidence malicious events, while allowing low-confidence events to run without interference.This setting will also generate less noise and false positives than higher settings, such as Moderate or Extra Aggressive1.

Question 4

What is the function of a single asterisk (*) in an ML exclusion pattern?

AThe single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path

BThe single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path

CThe single asterisk is the insertion point for the variable list that follows the path

DThe single asterisk is only used to start an expression, and it represents the drive letter

Answer : B

The asterisk is a wildcard character that can be used in exclusion patterns to match any number of characters. However, it does not match separator characters, such as \ or /, which are used to separate portions of a file path. For example, the patternC:\Windows\*\*.exewill match any executable file in any subfolder of the Windows folder, but not in the Windows folder itself.

Question 5

On which page of the Falcon console can one locate the Customer ID (CID)?

AHosts Management

BAPI Clients and Keys

CSensor Dashboard

DSensor Downloads

Answer : B

The page of the Falcon console where one can locate the Customer ID (CID) is API Clients and Keys. The API Clients and Keys page allows you to create and manage API clients and keys for accessing the Falcon platform programmatically. The Customer ID (CID) is a unique identifier for your organization that is required for authenticating your API requests.You can find your CID at the top of the API Clients and Keys page2.

Question 6

Why is it important to know your company's event data retention limits in the Falcon platform?

AThis is not necessary; you simply select 'All Time' in your query to search all data

BYou will not be able to search event data into the past beyond your retention period

CData such as process records are kept for a shorter time than event data

DYour query will require you to specify the data pool associated with the date you wish to search

Answer : B

It is important to know your company's event data retention limits in the Falcon platform because you will not be able to search event data into the past beyond your retention period. The retention period is the amount of time that event data is stored in the Falcon Cloud, and it may vary depending on your subscription plan and settings. The other options are either incorrect or not related to knowing your retention limits. Reference:CrowdStrike Falcon User Guide, page 48.

Question 7

You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?

AContact support and request that they modify the Machine Learning settings to no longer include this detection

BUsing IOC Management, add the hash of the binary in question and set the action to 'Allow'

CUsing IOC Management, add the hash of the binary in question and set the action to 'Block, hide detection'

DUsing IOC Management, add the hash of the binary in question and set the action to 'No Action'

Answer : B

to match any number of characters including none while not matching beyond path separators (\ or /) and double asterisks are used to recursively match zero or more directories that fall under the current directory.

CrowdStrike CCFA-200 CrowdStrike Certified Falcon Administrator Exam Practice Test