CCFA-200 Online Practice Questions and Answers

Correct Answer: B

The statement that some network configurations, such as deep packet inspection, interfere with certificate validation is true concerning Falcon sensor certificate validation. The Falcon sensor uses certificate pinning to defend against man-inthe-middle attacks, which means that it verifies that the server certificate presented by the Falcon cloud matches a hard-coded certificate embedded in the sensor. Some network configurations, such as deep packet inspection, SSL inspection, or HTTPS interception, may attempt to modify or replace the server certificate, which will cause the sensor to reject the connection and generate an error3. References: 3: How to Become a CrowdStrike Certified Falcon Administrator

Correct Answer: A

You are usuing RegEx here and need leading ".*" to capture www and then need a ".*" at the end to identify any sites falling under badguydomain.com

Correct Answer: B

The Unique Hosts Connecting to Countries Map helps an administrator to visualize global network communication. The map shows the number of unique hosts in your environment that have established network connections to different countries in the past 24 hours. You can use this map to identify unusual or suspicious network activity, such as connections to high-risk countries or regions, or connections from hosts that are not expected to communicate with external entities2. References: 2: Cybersecurity Resources | CrowdStrike

Correct Answer: D

Machine-Learning Prevention Monitoring dashboard: Use this dashboard to view malware that would have been blocked in your environment over the selected timeframe based on different Machine Learning Prevention settings (Cautious, Moderate, Aggressive or Extra Aggressive).

Correct Answer: C

The maximum number of patterns that can be added when creating a new exclusion is one. Each exclusion can only have one pattern, which can be a file path, a hash, a command line or a user name. The other options are either incorrect or not related to creating exclusions. Reference: CrowdStrike Falcon User Guide, page 37.

Correct Answer: D

When performing targeted filtering for a host on the Host Management Page, the filter bar attribute that is not case-sensitive is Hostname. The Hostname attribute allows you to filter hosts by their computer name or DNS name. The Hostname filter is not case- sensitive, meaning that it will match hosts regardless of the capitalization of their names. For example, filtering by hostname=DESKTOP-1234 will match hosts with names such as DESKTOP-1234, desktop-1234, or Desktop12342. References: 2: Cybersecurity Resources | CrowdStrike

Correct Answer: D

The option that is true regarding disabling detections for a host is that the detections for that host are removed from the console immediately. No new detections will display in the console going forward unless detections are enabled. This option is essentially a repetition of question 127 and its answer. Disabling detections for a host will remove any existing detections for that host from the console and prevent any new detections from appearing in the console until detections are enabled again1. References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

Correct Answer: A

With EDR license, if you go to "Audit logs > Machine-learning prevention monitoring", three options appear: Cloud Anti-malware, Sensor Anti-malware and AdwareandPUP. Therefore, answer is A.

Correct Answer: D

From a command line, running the sc query csagent -version command is not a way to determine the sensor version installed on a specific endpoint. This command will only show the status of the csagent service, not the sensor version. The other options are valid ways to determine the sensor version installed on a specific endpoint using Falcon UI or API. You can use the Sensor Report, the Host Search, or the Host Management features to filter, search, or select the desired endpoint and view the sensor version information12. References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike 2: How to Become a CrowdStrike Certified Falcon Administrator

Correct Answer: C

The information that the API Audit Trail Report provides is a list of actions taken via Falcon OAuth2-based APIs. The API Audit Trail Report allows you to view and audit the activity and usage of the Falcon APIs by different API clients and users in your organization. You can use this report to monitor who accessed what data, when, and how via the Falcon APIs2. References: 2: Cybersecurity Resources | CrowdStrike