CrowdStrike CCFA-200 Exam Practice Test Instant Access

Question 1

You have an existing workflow that is triggered on a critical detection that sends an email to the escalation team. Your CISO has asked to also be notified via email with a customized message. What is the best way to update the workflow?

AClone the workflow and replace the existing email with your CISO's email

BAdd a sequential action to send a custom email to your CISO

CAdd a parallel action to send a custom email to your CISO

DAdd the CISO's email to the existing action

Answer : C

The best way to update the workflow is to add a parallel action to send a custom email to your CISO. A parallel action allows you to perform multiple actions simultaneously when a workflow is triggered, without affecting the order or outcome of other actions. A sequential action, on the other hand, requires one action to complete before another action can start.By adding a parallel action, you can ensure that both the escalation team and your CISO receive an email notification as soon as possible1.

Question 2

What should be disabled on firewalls so that the sensor's man-in-the-middle attack protection works properly?

ADeep packet inspection

BLinux Sub-System

CPowerShell

DWindows Proxy

Answer : A

The option that should be disabled on firewalls so that the sensor's man-in-the-middle attack protection works properly is deep packet inspection. Deep packet inspection is a network configuration that inspects and modifies the data packets that pass through a firewall. Deep packet inspection may interfere with the sensor's certificate validation, which is a feature that verifies that the server certificate presented by the Falcon cloud matches a hard-coded certificate embedded in the sensor.If the certificate validation fails, the sensor will reject the connection and generate an error3.

Question 3

You have a Windows host on your network in Reduced functionality mode (RFM). While the system is in RFM, which of the following is TRUE?

ASystem monitoring will be unavailable

BEvent reporting will be unavailable

CPrevention patterns will not be triggered

DSome detection patterns and preventions will not be triggered

Answer : D

The option that is true when a Windows host is in Reduced Functionality Mode (RFM) is that some detection patterns and preventions will not be triggered. RFM is a mode that limits the sensor's functionality due to license expiration, network connectivity loss, or certificate validation failure. When a Windows sensor is in RFM, it will only provide basic prevention capabilities, such as blocking known malware hashes and preventing script execution from the %TEMP% directory. The sensor will not send any telemetry or detection events to the Falcon platform, and will not receive any policy or update changes from the Falcon cloud. This means that some detection patterns and preventions that rely on telemetry, machine learning, or cloud analysis will not be triggered.

Question 4

Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?

AReal Time Responder

BEndpoint Manager

CFalcon Investigator

DRemediation Manager

Answer : A

The Real Time Responder role allows users to use the ''Connect to Host'' feature to gather additional information from the host, such as running processes, registry keys, files, etc. The other roles do not have this capability. Reference:CrowdStrike Falcon User Guide, page 18.

Question 5

You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?

AContact support and request that they modify the Machine Learning settings to no longer include this detection

BUsing IOC Management, add the hash of the binary in question and set the action to 'Allow'

CUsing IOC Management, add the hash of the binary in question and set the action to 'Block, hide detection'

DUsing IOC Management, add the hash of the binary in question and set the action to 'No Action'

Answer : B

to match any number of characters including none while not matching beyond path separators (\ or /) and double asterisks are used to recursively match zero or more directories that fall under the current directory.

Question 6

What model is used to create workflows that would allow you to create custom notifications based on particular events which occur in the Falcon platform?

AFor - While statement(s)

BTrigger, condition(s) and action(s)

CEvent trigger(s)

DPredefined workflow template(s)

Answer : B

The model that is used to create workflows that would allow you to create custom notifications based on particular events which occur in the Falcon platform is trigger, condition(s) and action(s). This model allows you to specify what event will trigger the workflow, what condition(s) must be met for the workflow to execute, and what action(s) will be performed by the workflow. The other options are either incorrect or not related to creating workflows. Reference:CrowdStrike Falcon User Guide, page 56.

Question 7

How do you find a list of inactive sensors?

AThe Falcon platform does not provide reporting for inactive sensors

BA sensor is always considered active until removed by an Administrator

CRun the Inactive Sensor Report in the Host setup and management option

DRun the Sensor Aging Report within the Investigate option

Answer : C

The Inactive Sensor Report in the Host setup and management option allows you to view a list of hosts that have not communicated with the Falcon platform for a specified period of time. You can filter the report by sensor version, OS, and last seen date.This report can help you identify hosts that may have connectivity issues or need sensor updates1.

CrowdStrike Certified Falcon Administrator CCFA-200 Exam Practice Test