
CrowdStrike CCFA-200 Practice Verified Answers - Pass Your Exams For Sure! [2024]
Valid Way To Pass CrowdStrike Certified Falcon Administrator's CCFA-200 Exam
NEW QUESTION # 45
Which is the correct order for manually installing a Falcon Package on a macOS system?
- A. Install the Falcon package, then register the Falcon Sensor via command line
- B. Register the Falcon Sensor via command line, then install the Falcon package
- C. Install the Falcon package, then register the Falcon Sensor via the registration package
- D. Register the Falcon Sensor via the registration package, then install the Falcon package
Answer: A
Explanation:
The correct order for manually installing the Falcon sensor on a macOS system is to install the Falcon package first, then register (license) the sensor from the command line with your Customer ID (CID). The package contains the sensor binary and its system extension (a kernel extension on older macOS versions); it does not contain the CID. There is no separate registration package for macOS: once the package is installed you run falconctl with the CID copied from the Sensor Downloads page, which is why the command-line step must come second. On current macOS versions the system extension and Full Disk Access also have to be approved, normally through an MDM configuration profile, before the sensor is fully operational.
References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike
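The macOS procedure above (install the package, then license the sensor with the CID, then confirm it is running) as a shell script. This is an added example written for this page, not CrowdStrike's own tooling. It assumes the installer path and the CID with checksum are passed as arguments, that falconctl is at its standard location inside Falcon.app, and that the caller has sudo rights; the CID pattern check is a format check only (the sensor verifies the checksum itself), and any CID values used with it are made-up placeholders.

```shell
#!/bin/sh
# Added example: manual Falcon sensor install on macOS in the required order.
# Assumed inputs: the .pkg downloaded from the Sensor Downloads page and the
# CID with checksum from the same page, both passed as arguments by the caller.

FALCONCTL="/Applications/Falcon.app/Contents/Resources/falconctl"

# Format check for a CID with checksum: 32 hex characters, a dash, 2 hex characters.
# Only the shape is checked here; the sensor validates the checksum itself.
valid_cid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}$'
}

# Print the command sequence for review without running anything. The order matters:
# falconctl does not exist on the host until the package has been installed.
plan_install() {
    pkg="$1"; cid="$2"
    printf 'sudo installer -verboseR -package %s -target /\n' "$pkg"
    printf 'sudo %s license %s\n' "$FALCONCTL" "$cid"
    printf 'sudo %s stats\n' "$FALCONCTL"
}

# Perform the install. Returns 2 on bad input, 1 if a step fails, 0 on success.
install_falcon() {
    pkg="$1"; cid="$2"
    if [ ! -f "$pkg" ]; then
        echo "package not found: $pkg" >&2; return 2
    fi
    if ! valid_cid "$cid"; then
        echo "CID must look like <32 hex>-<2 hex>, as shown on the Sensor Downloads page" >&2; return 2
    fi
    # Step 1: install the package (sensor binary plus its system extension).
    sudo installer -verboseR -package "$pkg" -target / || return 1
    # Step 2: register the sensor with your customer ID (CrowdStrike calls this licensing).
    sudo "$FALCONCTL" license "$cid" || return 1
    # Step 3: confirm the sensor is loaded. 'stats' fails if the sensor is not running;
    # its output shows the agent details, so check the customer ID matches what you entered.
    sudo "$FALCONCTL" stats || return 1
}

# Only act when invoked with two arguments, so the functions can also be sourced for review.
if [ $# -eq 2 ]; then
    install_falcon "$1" "$2"
fi
```

Run it as `sh install_falcon.sh /path/to/FalconSensorMacOS.pkg <CID>` on the host, or call `plan_install` with the same arguments to print the three commands for change review first. Reversing the first two steps cannot work because the licensing command is part of the package that has not yet been installed; and on macOS 11 and later the system extension and Full Disk Access still need approval (usually an MDM profile) after licensing.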
NEW QUESTION # 47
Why is it critical to have separate sensor update policies for Windows/Mac/*nix?
- A. To assist with testing and tracking sensor rollouts
- B. It is an auditing requirement
- C. There may be special considerations for each OS
- D. The network protocols are different for each host OS
Answer: C
Explanation:
Sensor update policies are created per platform (Windows, Mac, Linux) because each operating system has its own sensor builds, release cadence and compatibility considerations; a Linux sensor build, for example, supports a specific set of kernel versions, and macOS builds track macOS releases. Keeping the policies separate lets you stage, throttle and roll back updates for one platform without touching the others. Auditing does not mandate it, and the sensor's communication with the Falcon cloud does not differ by host OS.
NEW QUESTION # 48
Which of the following controls the speed in which your sensors will receive automatic sensor updates?
- A. Channel File Update Throttling
- B. Sensor Update Policy
- C. Sensor Update Throttling
- D. Maintenance Tokens
Answer: C
Explanation:
The setting that controls the speed at which your sensors receive automatic sensor updates is Sensor Update Throttling. It limits the number of sensors that may download a new sensor version per hour, so a new release is rolled out gradually instead of every host updating at once, which avoids network congestion and bandwidth problems and limits the blast radius if a release causes trouble. The throttling setting is configured alongside the Sensor Update Policy for each platform1.
References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike
NEW QUESTION # 50
What are custom alerts based on?
- A. Predefined alert templates
- B. User defined Splunk queries
- C. Custom event based triggers
- D. Custom workflows
Answer: A
Explanation:
Custom Alerts are built from predefined templates. Scheduling one consists of three steps: choose the template you want to configure, preview the search results, then schedule the alert. When the scheduled alert runs and finds results it sends an email to the specified recipients instead of generating a new detection. The templates cover activity such as Real Time Response session initiation, host containment and OS security settings, much of which is not yet covered by notification workflows; they are not free-form Splunk queries written by the user.
NEW QUESTION # 51
Where can you find your company's Customer ID (CID)?
- A. The CID is only available by calling support
- B. The CID is located at Hosts > Host Management
- C. The CID is located at Hosts setup and management > Deploy > Sensor Downloads and is listed along with the checksum
- D. The CID is a secret key used for Falcon communication and is never shared with the customer
Answer: C
Explanation:
The CID (Customer ID) is shown at the top of the Hosts setup and management > Deploy > Sensor Downloads page, in the form of a 32-character hexadecimal ID followed by a dash and a two-character checksum (the "CID with checksum", labelled CCID in the console). The CID identifies your Falcon tenant and must be supplied when a sensor is installed so that the sensor registers with the correct customer in the Falcon cloud. The two-character suffix is a checksum of the CID itself, not of the installer file; the installer refuses a CID whose checksum does not match, which catches copy-and-paste errors. The installer files listed on the same page carry their own SHA-256 hashes for verifying the download1.
References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike
NEW QUESTION # 52
What must an admin do to reset a user's password?
- A. From User Management, select "Reset Password" from the three dot menu for the affected user account
- B. From User Management, open the account details for the affected user and select "Generate New Password"
- C. From User Management, the administrator must rebuild the account as the certificate for user specific private/public key generation is no longer valid
- D. From User Management, select "Update Account" and manually create a new password for the affected user account
Answer: A
NEW QUESTION # 53
Which role will allow someone to manage quarantine files?
- A. Falcon Analyst - Read Only
- B. Falcon Security Lead
- C. Detections Exceptions Manager
- D. Endpoint Manager
Answer: B
Explanation:
The role that will allow someone to manage quarantine files is Falcon Security Lead. This role allows users to view and manage quarantined files, as well as release them from quarantine or download them for further analysis. The other roles do not have this capability. Reference: CrowdStrike Falcon User Guide, page 19.
NEW QUESTION # 54
Which role is required to manage groups and policies in Falcon?
- A. Falcon Host Security Lead
- B. Falcon Host Administrator
- C. Prevention Hashes Manager
- D. Falcon Host Analyst
Answer: B
NEW QUESTION # 56
What is the purpose of a containment policy?
- A. To define the duration of Network Containment
- B. To define which Falcon analysts can contain endpoints
- C. To define the trigger under which a machine is put in Network Containment (e.g. a critical detection)
- D. To define allowed IP addresses over which your hosts will communicate when contained
Answer: D
Explanation:
The Containment Policy page is titled "Network traffic allowlist". Its only function is to list IP addresses or CIDR ranges that a host may still reach while it is network contained; all other traffic is blocked, apart from the sensor's own communication with the Falcon cloud, which always remains open so the host can be managed and released. It is a single global policy, so it cannot make distinctions between hosts, and it says nothing about how long containment lasts, which analysts may contain a host or what triggers containment.
NEW QUESTION # 57
Once an exclusion is saved, what can be edited in the future?
- A. All parts of the exclusion can be changed
- B. Only the selected groups and hosts to which the exclusion is applied can be changed
- C. The exclusion pattern cannot be changed
- D. Only the options to "Detect/Block" and/or "File Extraction" can be changed
Answer: A
Explanation:
Once an exclusion is saved, all parts of the exclusion can be changed in the future. The administrator can edit an existing exclusion by selecting it from the Exclusions page and modifying any of its fields, such as pattern, type, option, group or host. The other options are either incorrect or not true of editing exclusions.
Reference: CrowdStrike Falcon User Guide, page 37.
NEW QUESTION # 58
Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group. What is the next step to disable RTR only on these hosts?
- A. Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"
- B. Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality"
- C. Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
- D. Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
Answer: C
Explanation:
The administrator can create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group that contains the servers that are not allowed to be accessed remotely. This will disable RTR only on those hosts, while keeping it enabled for the rest of the hosts. Editing the Default Response Policy or adding exceptions will not achieve the desired result. Reference: CrowdStrike Falcon User Guide, page 35.
NEW QUESTION # 59
When the Notify End Users policy setting is turned on, which of the following is TRUE?
- A. End-users receive a pop-up notification when a prevention action occurs
- B. End users will be immediately notified via a pop-up that their machine is in-network isolation
- C. End users will receive a pop-up allowing them to confirm or refuse a pending quarantine
- D. End users will not be notified as we would not want to notify a malicious actor of a detection. This setting does not exist
Answer: A
Explanation:
When the Notify End Users policy setting is turned on, end users receive a pop-up notification when a prevention action occurs, that is, when the Falcon sensor blocks or quarantines something on their system. The purpose is to let the user know that Falcon stopped an application or file, so the event is not mistaken for an application fault and the user knows to contact their support team. The setting does not cover network containment, and it never gives the user a choice about whether a quarantine happens1.
References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike
NEW QUESTION # 60
In order to quarantine files on the host, what prevention policy settings must be enabled?
- A. Behavior-Based Threat Prevention sliders and Advanced Remediation Actions must be enabled
- B. Malware Protection and Custom Execution Blocking must be enabled
- C. Malware Protection and Windows Anti-Malware Execution Blocking must be enabled
- D. Next-Gen Antivirus Prevention sliders and "Quarantine & Security Center Registration" must be enabled
Answer: D
Explanation:
Quarantine is controlled by the "Quarantine & Security Center Registration" setting in the Next-Gen Antivirus section of the prevention policy. Turning it on quarantines files that the NGAV prevention settings (the Cloud and Sensor Anti-malware sliders) have blocked and, on Windows, registers Falcon as the anti-malware product in Windows Security Center. Without the prevention sliders set nothing is blocked, so nothing is quarantined; without the quarantine setting, blocked files are left in place on disk.