CrowdStrike Certified Falcon Administrator (CCFA-200) Free Practice Test

Question 1

Custom IOA rules are defined using which syntax?

A. Regex

B. PowerShell

C. Yara

D. Glob

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 2

What is the purpose of the Machine-Learning Prevention Monitoring Report?

A. It is the dashboard used by an analyst to view all items quarantined and to release any items deemed non-malicious

B. It is designed to show malware that would have been blocked in your environment based on different Machine-Learning Prevention settings

C. It is designed to give an administrator a quick overview of machine-learning aggressiveness settings as well as the numbers of items actually quarantined

D. It is the dashboard used to see machine-learning preventions, and it is used to identify spikes in activity and possible targeted attacks

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 3

What can the Quarantine Manager role do?

A. Manage and change prevention settings

B. Manage detection settings

C. Manage quarantined files to release and download

D. Manage roles and users

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 4

How many "Auto" sensor version update options are available for Windows Sensor Update Policies?

A. 3

B. 0

C. 1

D. 2

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 5

What impact does disabling detections on a host have on an API?

A. Endpoints cannot have their detections disabled individually

B. Endpoints with detections disabled will not alert on anything until detections are enabled again

C. Endpoints with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed

D. DetectionSummaryEvent stops sending to the Streaming API for that host

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 6

Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?

A. Falcon Investigator

B. Endpoint Manager

C. Remediation Manager

D. Real Time Responder

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 7

How do you find a list of inactive sensors?

A. Run the Sensor Aging Report within the Investigate option

B. A sensor is always considered active until removed by an Administrator

C. Run the Inactive Sensor Report in the Host setup and management option

D. The Falcon platform does not provide reporting for inactive sensors

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 8

An analyst has reported they are not receiving workflow triggered notifications in the past few days. Where should you first check for potential failures?

A. Workflow Audit log

B. Workflow Execution log

C. Falcon UI Audit Trail

D. Custom Alert History

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 9

You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?

A. Using IOC Management, add the hash of the binary in question and set the action to "Allow"

B. Using IOC Management, add the hash of the binary in question and set the action to "No Action"

C. Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"

D. Contact support and request that they modify the Machine Learning settings to no longer include this detection

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 10

Where can you modify settings to permit certain traffic during a containment period?

A. Firewall Settings

B. Prevention Policy

C. Host Settings

D. Containment Policy

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 11

Which of the following can a Falcon Administrator edit in an existing user's profile?

A. Email address

B. Phone number

C. First or Last name

D. Working groups

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 12

What information is provided in Logan Activities under Visibility Reports?

A. A list of unique users who are remotely logged on to devices based on the country

B. A list of last endpoints that a user logged in to

C. A list of users who are remotely logged on to devices based on local IP and local port

D. A list of all logons for all users

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 13

Under the "Next-Gen Antivirus: Cloud Machine Learning" setting there are two categories, one of them is
"Cloud Anti-Malware" and the other is:

A. Execution Blocking

B. Sensor Anti-Malware

C. Advanced Machine Learning

D. Adware & PUP

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 14

Which report lists counts of sensors in Reduced Functionality Mode (RFM) for all operating system types, and tracks how long a sensor version will be supported?

A. Sensor Coverage Lookup

B. Sensor Health Report

C. Inactive Sensor Report

D. Reduce Functionality Audit Report

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 15

You want the Falcon Cloud to push out sensor version changes but you also want to manually control when the sensor version is upgraded or downgraded. In the Sensor Update policy, which is the best Sensor version option to achieve these requirements?

A. Sensor version updates off

B. Auto - TEST-QA

C. Auto - N-1

D. Specific sensor version number

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Welcome to TestSimulate

CrowdStrike Certified Falcon Administrator (CCFA-200) Free Practice Test