What is the purpose of a containment policy?
Answer : D
The Containment Policy page is titled 'Network traffic allowlist'. It only lets you add IP addresses or CIDR ranges that stay reachable while a host is network contained. Because it is a single global policy, it cannot make distinctions between individual machines.
In order to quarantine files on the host, what prevention policy settings must be enabled?
Answer : B
In order to quarantine files on the host, the administrator must enable the Next-Gen Antivirus prevention sliders and 'Quarantine & Security Center Registration' in the prevention policy settings. This allows Falcon to quarantine malicious files and to register the sensor with Windows Security Center. The other options are either incorrect or not sufficient to enable quarantine. Reference: [CrowdStrike Falcon User Guide], page 36.
Where can you modify settings to permit certain traffic during a containment period?
Answer : C
The administrator can permit certain traffic during a containment period by creating or editing a Containment Policy. Its network traffic allowlist specifies the IP addresses and CIDR ranges that remain reachable while a host is network contained; everything else is blocked. The other options are either incorrect or not related to network containment. Reference: [CrowdStrike Falcon User Guide], page 40.
When a user initiates a sensor install, where can the logs be found?
Which of the following roles allows a Falcon user to create Real Time Response Custom Scripts?
Answer : A
Real Time Responder - Administrator (RTR Administrator): can do everything an RTR Active Responder can do, plus create custom scripts, upload files to hosts using the put command, and directly run executables using the run command.
You are attempting to install the Falcon sensor on a host with a slow Internet connection and the installation fails after 20 minutes. Which of the following parameters can be used to override the 20-minute default provisioning window?
Answer : C
ProvNoWait=1
The sensor does not abort installation if it can't connect to the CrowdStrike cloud within 20 minutes (10 minutes in Falcon sensor version 6.21 and earlier). By default, if the host can't contact the cloud, it retries the connection for 20 minutes; after that, the host automatically uninstalls its sensor.
ProvWaitTime=3600000
The sensor waits for 1 hour (the value is in milliseconds) to connect to the CrowdStrike cloud when installing; the default is 20 minutes.
What command should be run to verify if a Windows sensor is running?
Answer : B
The command that should be run to verify if a Windows sensor is running is sc query csagent. This command will display the status and information of the csagent service, which is the Falcon sensor service. The other commands are either incorrect or not applicable to Windows sensors. Reference: [CrowdStrike Falcon User Guide], page 29.
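The two Windows tasks above, extending the provisioning window at install time and then verifying that the sensor service is running, fit naturally into one script. The following PowerShell is an added example written for this page; it is not CrowdStrike's own code. The installer path, the CID placeholder and the parameter defaults are assumptions; only the ProvWaitTime parameter, the csagent service name and the sc query check come from the text. It also shows a practical caveat: inside PowerShell, sc is an alias for Set-Content, so the service-control tool must be invoked as sc.exe.

```powershell
# Added example, not from the CrowdStrike documentation.
# Installs the Falcon Windows sensor with an extended provisioning window,
# then verifies that the csagent service is running.
param(
    # Assumed: path to the sensor installer downloaded from the Falcon console.
    [string]$Installer = 'C:\Temp\WindowsSensor.exe',
    # Placeholder: copy the real Customer ID (CID) from the Falcon console.
    [string]$Cid = '<YOUR-CID-HERE>',
    # ProvWaitTime is in milliseconds: 3600000 ms = 60 minutes (default is 20 minutes).
    [int]$ProvWaitMs = 3600000,
    # Set to $true to pass ProvNoWait=1 instead, so the installer never aborts
    # for lack of cloud connectivity.
    [bool]$NoWait = $false
)

if (-not (Test-Path -Path $Installer)) {
    Write-Error "Installer not found at $Installer"
    exit 1
}

# Standard installer switches plus the provisioning-window override chosen above.
$installArgs = @('/install', '/quiet', '/norestart', "CID=$Cid")
if ($NoWait) {
    $installArgs += 'ProvNoWait=1'
} else {
    $installArgs += "ProvWaitTime=$ProvWaitMs"
}

Write-Output "Running: $Installer $($installArgs -join ' ')"
$proc = Start-Process -FilePath $Installer -ArgumentList $installArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    Write-Error "Sensor installer exited with code $($proc.ExitCode)"
    exit $proc.ExitCode
}

# Verify the sensor service. 'sc' alone would resolve to the Set-Content alias
# in PowerShell, so call the service-control tool explicitly as sc.exe.
$status = (sc.exe query csagent) -join "`n"
if ($status -match 'STATE\s*:\s*\d+\s+RUNNING') {
    Write-Output 'csagent service is RUNNING'
} else {
    Write-Warning "csagent service is not running:`n$status"
    exit 1
}
```

Run it from an elevated PowerShell prompt; with ProvWaitTime set to an hour, Start-Process -Wait can block for up to that long on a host that cannot reach the cloud, which is the behaviour the parameter exists to allow. Get-Service csagent is an equivalent check to sc.exe query csagent if you prefer a PowerShell object over parsing text.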