CrowdStrike CCFA-200 CrowdStrike Certified Falcon Administrator Exam Practice Test

When performing targeted filtering for a host on the Host Management Page, the filter bar attribute that is not case-sensitive is Hostname. The Hostname attribute allows you to filter hosts by their computer name or DNS name. The Hostname filter is not case-sensitive, meaning that it will match hosts regardless of the capitalization of their names. For example, filtering by hostname=DESKTOP-1234 will match hosts with names such as DESKTOP-1234, desktop-1234, or Desktop-12342.

References: 2: Cybersecurity Resources | CrowdStrike

When creating an API client, the secret must be saved immediately since it cannot be viewed again after the client is created. The secret is a randomly generated string that is used to authenticate the API client along with the client ID. The other options are either incorrect or can be viewed or modified later. Reference: CrowdStrike Falcon User Guide, page 54.

The option that best describes what happens to detections in the console after clicking “Enable Detections” for a host which previously had its detections disabled is that new detections will start appearing in the console immediately. Previous detections will not be restored to the console for that host. The “Enable Detections” feature allows you to enable or disable the detection and prevention capabilities of the Falcon sensor on a specific host. When you disable detections for a host, the sensor will stop sending any detection or prevention events to the Falcon console, and any existing events for that host will be removed from the console. When you enable detections for a host, the sensor will resume sending any new detection or prevention events to the Falcon console, but any previous events for that host will not be restored to the console1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The administrator can create a new Response Policy, toggle the “Real Time Response” switch off and assign the policy to the host group that contains the servers that are not allowed to be accessed remotely. This will disable RTR only on those hosts, while keeping it enabled for the rest of the hosts. Editing the Default Response Policy or adding exceptions will not achieve the desired result. Reference: CrowdStrike Falcon User Guide, page 35.

The purpose of precedence with respect to the Sensor Update policy is that hosts assigned to multiple policies will assume the highest ranked policy in the list (policy with the lowest number). This means that if a host belongs to more than one group that has different Sensor Update policies assigned, it will use the policy that has the highest precedence (lowest number) among them. The other options are either incorrect or not related to precedence. Reference: CrowdStrike Falcon User Guide, page 38.

The administrator can modify settings to permit certain traffic during a containment period by creating or editing a Containment Policy. This policy allows users to specify which ports, protocols and IP addresses are allowed or blocked during network containment. The other options are either incorrect or not related to network containment. Reference: [CrowdStrike Falcon User Guide], page 40.

The only place where create host groups is in " Host and setup management > host Groups> Create a group" In Sensor Update policies you can only asign a group of host to the policy not creating a group of hosts.

You are usuing RegEx here and need leading ".*" to capture www and then need a ".*" at the end to identify any sites falling under badguydomain.com

The purpose of using groups with Sensor Update policies in CrowdStrike Falcon is to allow the controlled assignment of sensor versions onto specific hosts. This allows users to manage the sensor updates for different hosts based on their needs and preferences, such as testing, staging or production. The other options are either incorrect or not related to using groups with Sensor Update policies. Reference: [CrowdStrike Falcon User Guide], page 38.

The scenario that best describes when you would add IP addresses to the containment policy is that your organization has resources that need to be accessible when hosts are network contained. As explained in the previous question, adding IP addresses to the containment policy allows you to create an allowlist of trusted IP addresses that can communicate with your contained hosts. This can be useful when you need to isolate a host from the network due to a potential compromise or investigation, but still want to allow it to access certain resources or services that are essential for your organization’s operations or security2.

References: 2: Cybersecurity Resources | CrowdStrike

The Quarantine Manager role can manage quarantined files to release and download. This role allows users to view and search quarantined files, as well as release them from quarantine or download them for further analysis. The other roles do not have this capability. Reference: [CrowdStrike Falcon User Guide], page 19.

The No Action option can be assigned to a hash in IOC Management when you want to save the indicator for later action, but do not want to block or allow it at this time. This option will neither detect nor prevent the execution of the hash, but will keep it in the IOC list for future reference. The other options are either incorrect or not related to the No Action option. Reference: CrowdStrike Falcon User Guide, page 44.

The option that should be disabled on firewalls so that the sensor’s man-in-the-middle attack protection works properly is deep packet inspection. Deep packet inspection is a network configuration that inspects and modifies the data packets that pass through a firewall. Deep packet inspection may interfere with the sensor’s certificate validation, which is a feature that verifies that the server certificate presented by the Falcon cloud matches a hard-coded certificate embedded in the sensor. If the certificate validation fails, the sensor will reject the connection and generate an error3.

References: 3: How to Become a CrowdStrike Certified Falcon Administrator

The exclusion pattern that will prevent detections on a file at C:\Program Files\My Program\My Files\program.exe is \Program Files\My Program\My Files*. This pattern will match any file under the My Files folder, including program.exe, and exclude them from detections. The other patterns are either incorrect or too broad to prevent detections on this specific file. Reference: [CrowdStrike Falcon User Guide], page 37.

The most likely culprit causing multiple Windows hosts to be in Reduced Functionality Mode (RFM) is a patch that was pushed overnight to all Windows systems. RFM occurs when the sensor detects a change in the operating system that requires a reboot to complete. A patch is one of the common causes of such a change. The other options are either incorrect or not related to RFM. Reference: CrowdStrike Falcon User Guide, page 30.

According to documentation (documentation/detections/technique/sensor-based-ml-cst0007): CrowdStrike sensor-based machine learning (ML) identifies and analyzes unknown executables as they run on hosts. This technique is triggered by files and file attributes associated with known malware. This is similar to the [Cloud-based ML](/support/documentation/detections/technique/cloud-based-ml) technique. Cloud-based ML is informed by global analysis of executables that classifies and identifies malware. The key difference is that it doesn't run on hosts when they're offline.

The option that best describes the general process for installation of the Falcon Sensor on MacOS is to install the Falcon package, use falconctl to license the sensor, approve the system extension, grant the sensor Full Disk Access. The Falcon package contains the sensor binary and the kernel extension, which can be installed by double-clicking on it or using a command-line tool such as installer. The falconctl tool is a command-line utility that allows you to configure and manage the sensor on MacOS systems. You can use falconctl to license the sensor by providing your Customer ID (CID) and optionally your Sensor Group ID (SGID). After licensing the sensor, you need to approve the system extension in the Security & Privacy settings of your system preferences, which will require a restart. Finally, you need to grant the sensor Full Disk Access in the Privacy settings of your system preferences, which will allow the sensor to monitor and protect your files and folders1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

When a Linux host is in Reduced Functionality Mode (RFM), the sensor would provide minimal protection. RFM is a mode that limits the sensor’s functionality due to license expiration, network connectivity loss, or certificate validation failure. When a Linux sensor is in RFM, it will only provide basic prevention capabilities, such as blocking known malware hashes and preventing script execution from the /tmp directory. The sensor will not send any telemetry or detection events to the Falcon platform, and will not receive any policy or update changes from the Falcon cloud1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The option that would need to be configured to allow remote connections from specified IP’s after network containing a host is IP Allowlist Management. IP Allowlist Management allows you to define a list of trusted IP addresses that can communicate with your contained hosts. This way, you can isolate a host from the network while still allowing your incident response team or other authorized parties to remotely connect to the host for investigation or remediation purposes2.

References: 2: Cybersecurity Resources | CrowdStrike

The role that will allow someone to manage quarantine files is Falcon Security Lead. This role allows users to view and manage quarantined files, as well as release them from quarantine or download them for further analysis. The other roles do not have this capability. Reference: CrowdStrike Falcon User Guide, page 19.

Disabling detections on a host will stop the DetectionSummaryEvent from sending to the Streaming API for that host. This means that the host will not send any detection events to the Streaming API, which is used to stream data from the Falcon Cloud to external applications or systems. The other options are either incorrect or not related to disabling detections on a host. Reference: [CrowdStrike Falcon User Guide], page 32.

The correct parameter to output the log directory to a specified file when troubleshooting the Falcon Sensor on Windows is /log log.txt. This parameter will create a log file named log.txt in the same folder where you run the sensor installation command. The log file will contain information about the sensor installation process, such as the parameters used, the actions performed, and any errors encountered3.

References: 3: How to Become a CrowdStrike Certified Falcon Administrator

The most likely cause for not being able to use Real-Time Response to start a session with a host that has a sensor installed is that they do not have an RTR role assigned to them. An RTR (Real Time Response) role is a role that grants access and permissions to use the Real Time Response feature in Falcon, which allows you to remotely access and investigate hosts in real time. There are three types of RTR roles: Real Time Response -Read-Only Analyst, Real Time Response -Active Responder, and Real Time Response -Administrator. You need to have at least one of these roles assigned to you in order to use Real Time Response2.

References: 2: Cybersecurity Resources | CrowdStrike

The syntax that would be best for detecting or preventing on all subdomains as well is *.baddomain.xyz|baddomain. xyz. This syntax will match any domain that ends with .baddomain.xyz or is exactly baddomain.xyz. The * wildcard will match any characters before the dot, and the | operator will match either side of the expression. This syntax can be used in a Custom IOC or a Custom IOA rule to detect or prevent network connections to malicious domains1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

Sensor Update policies need to be configured for each OS (Windows, Mac, Linux) because Sensor Update policies are OS dependent. A Sensor Update policy is a policy that controls how and when the Falcon sensor is updated on a host. Sensor Update policies are specific to each operating system type, as different operating systems have different sensor versions, features, and requirements. Therefore, you need to create and assign separate Sensor Update policies for each operating system type in your environment1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

A workflow condition consists of a parameter, an operator, and a value. A workflow condition is a rule that defines when a workflow should be triggered based on certain criteria or filters. A parameter is a variable or attribute that can be used to filter or match detection events, such as severity, tactic, or host group. An operator is a symbol or word that specifies how to compare or evaluate the parameter and the value, such as equals, contains, or greater than. A value is a constant or expression that provides the expected or desired result for the parameter, such as high, credential dumping, or default group1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The administrator can choose a specific sensor version number in the Sensor Update policy to manually control when the sensor version is upgraded or downgraded. This will allow the Falcon Cloud to push out sensor version changes, but only when the administrator changes the version number in the policy. The other options will either automate the sensor version updates or turn them off completely. Reference: [CrowdStrike Falcon User Guide], page 38.

The prevention policy setting that monitors contents of scripts and shells for execution of malicious content on compatible operating systems is Script-based Execution Monitoring. Script-based Execution Monitoring is a feature that enables the Falcon sensor to monitor and prevent malicious script execution on Windows systems. The feature uses machine learning and behavioral analysis to detect suspicious scripts or commands executed by various script interpreters, such as PowerShell, WScript, CScript, or Bash. You can enable or disable Script-based Execution Monitoring in the Prevention Policy for Windows hosts1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The page of the Falcon console where one can locate the Customer ID (CID) is API Clients and Keys. The API Clients and Keys page allows you to create and manage API clients and keys for accessing the Falcon platform programmatically. The Customer ID (CID) is a unique identifier for your organization that is required for authenticating your API requests. You can find your CID at the top of the API Clients and Keys page2.

References: 2: Cybersecurity Resources | CrowdStrike

While a host is Network contained, the administrator can allow the host to access internal network resources on specific IP addresses to perform patching and remediation by configuring a Containment Policy with the specific IP addresses. This policy allows users to specify which ports, protocols and IP addresses are allowed or blocked during network containment. The other options are either incorrect or not related to network containment. Reference: [CrowdStrike Falcon User Guide], page 40.

The best way to ensure that a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers are not allowed to run in your environment is to use IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to “Block” and ensure that the prevention policy these computers are using includes the option for “Custom Blocking” under Execution Blocking. This will allow Falcon to block the execution of these hashes on the hosts using this policy. The other options are either incorrect or not efficient to achieve this goal. Reference: [CrowdStrike Falcon User Guide], page 44.

It is important to know your company’s event data retention limits in the Falcon platform because you will not be able to search event data into the past beyond your retention period. The retention period is the amount of time that event data is stored in the Falcon Cloud, and it may vary depending on your subscription plan and settings. The other options are either incorrect or not related to knowing your retention limits. Reference: CrowdStrike Falcon User Guide, page 48.

The option that is not an available action for an API Client is Retrieve an API Client Secret. An API Client is an entity that represents a user or application that can access the Falcon platform programmatically via the Falcon APIs. An API Client has an API Client ID and an API Client Secret, which are used for authenticating and authorizing API requests. You can create and manage API Clients in the API Clients and Keys page in the Falcon console. The available actions for an API Client are Edit an API Client, Reset an API Client Secret, and Delete an API Client. You cannot retrieve an API Client Secret after it has been created, as it is only displayed once during creation for security reasons2.

References: 2: Cybersecurity Resources | CrowdStrike

The command that would tell you if a Falcon Sensor was running on a Windows host is sc.exe query csagent. This command will show the status of the csagent service, which is responsible for running the sensor on Windows systems. The output of this command will indicate if the service is running, stopped, or paused. If the service is running, the sensor is also running3.

References: 3: How to Become a CrowdStrike Certified Falcon Administrator

The report that lists counts of sensors in Reduced Functionality Mode (RFM) for all operating system types, and tracks how long a sensor version will be supported is Sensor Coverage Lookup. The Sensor Coverage Lookup report allows you to view and compare the sensor versions and coverage status for each operating system type in your environment. You can use this report to identify any sensors that are in RFM or are approaching end-of-life (EOL) support. You can also view the release date and EOL date for each sensor version3.

References: 3: How to Become a CrowdStrike Certified Falcon Administrator

Audit logs --> Machine-learning prevention monitoring It shows the count of ML expected detections based on the detection levels for a defined time period and the list of files that would be detected on each detection level.

The option that is true regarding disabling detections for a host is that the detections for that host are removed from the console immediately. No new detections will display in the console going forward unless detections are enabled. This option is essentially a repetition of question 127 and its answer. Disabling detections for a host will remove any existing detections for that host from the console and prevent any new detections from appearing in the console until detections are enabled again1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

An exclusion is a rule that tells the Falcon platform to ignore certain files, folders, processes, or registry keys when performing prevention or detection actions. An administrator can create an exclusion and apply it to one or more groups of hosts, or to all hosts in the organization. For example, an administrator can create an exclusion for a legitimate application that is causing false positives and apply it to the group of hosts that are running that application.

The Workflow Execution log in the Workflow Management option allows you to view the status and results of workflow executions triggered by detection events. You can filter the log by workflow name, status, start and end time, and detection ID. You can also view the details of each execution, including the actions performed, the output received, and any errors encountered. This log can help you troubleshoot potential failures or issues with your workflows1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The option that should be used with extreme caution because it may introduce additional security risks such as malware or other attacks which would not be recorded, detected, or prevented based on the exclusion syntax is IOA Exclusions. An IOA (indicator of attack) exclusion allows you to define custom rules for excluding suspicious behavior from detection or prevention based on process execution, file write, network connection, or registry events. However, using IOA exclusions may reduce the visibility and protection of the Falcon sensor, as it may allow malicious activity to bypass the sensor’s detection and prevention capabilities. Therefore, you should use IOA exclusions with extreme caution and only when necessary2.

References: 2: Cybersecurity Resources | CrowdStrike

Prevention Policies are created based on the OS (Windows, MAC and Linux policies). Once a prevention policy is created, three options appear on top: Settings, Assigned Host Groups and Assigned Custom IOAS (tested on Crowdstrike). Therefore, Host Groups and Custom IOAS are the two different types of groups a prevention policy can be aligned to.

Turn on the Script-Based Execution Monitoring prevention policy setting to enable the "Falcon sensor to monitor the contents of scripts and shells that are popular mechanisms for executing malicious code on hosts. This setting does not kill or block scripts."

Scripting languages:

Excel 4.0 macros

JScript

VBA Macros

VBScript

The Sensor Visibility setting that should be turned on within the Prevention policy settings to monitor suspicious VBA macros is Script-based Execution Monitoring. Script-based Execution Monitoring is a feature that enables the Falcon sensor to monitor and prevent malicious script execution on Windows systems. The feature uses machine learning and behavioral analysis to detect suspicious scripts or commands executed by various script interpreters, such as PowerShell, WScript, CScript, or Bash. VBA (Visual Basic for Applications) is a scripting language that can be embedded in Microsoft Office documents, such as Word or Excel. VBA macros can be used to automate tasks or perform actions within the documents, but they can also be abused by attackers to deliver malware or execute malicious code. Script-based Execution Monitoring can help detect and prevent such attacks by monitoring the contents of VBA macros for execution of malicious content.

References: : [Falcon Administrator Learning Path | Infographic | CrowdStrike]

The Real Time Responder role allows users to use the “Connect to Host” feature to gather additional information from the host, such as running processes, registry keys, files, etc. The other roles do not have this capability. Reference: CrowdStrike Falcon User Guide, page 18.

"Disable Detections. This is helpful for users who want to set up hosts to test detections in the Falcon console and who later want to remove those old test detections from the"

An inactive host will remain visible within the Host Management or Trash pages for 90 days. An inactive host is a host that has not communicated with the Falcon platform for more than seven days. An inactive host will be moved from the Host Management page to the Trash page after seven days of inactivity. An inactive host will remain in the Trash page for 90 days before being permanently deleted from the Falcon platform. You can restore an inactive host from the Trash page if it becomes active again within 90 days1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike