CCFA-200B Exam Questions
252 real CCFA-200B exam questions with expert-verified answers and explanations. Page 4 of 6.
- Question #151
You want to create a detection-only policy. How do you set this up in your policy's settings?
- Question #152
Which of the following is an effective Custom IOA rule pattern to kill any process attempting to
- Question #153
Where can you modify settings to permit certain traffic during a containment period?
- Question #154
The Remote Access Graph in Visibility Reports displays:
- Question #155
What internet domain needs to be added to any required allowlists to allow sensors to communicate with the CrowdStrike Cloud?
- Question #156
Why would you use the Prevention Policy Debug Report?
- Question #157
What is the earliest version of Windows Server that a Sensor is compatible with?
- Question #158
The Falcon sensor uses certificate pinning to defend against man-in-the-middle attacks. What must you ensure is disabled for the sensor to communicate with the CrowdStrike Cloud?
- Question #159
Which of the following tools developed by CrowdStrike is intended to help with removal of the CrowdStrike Windows Falcon Sensor?
- Question #160
Assume the Falcon Sensor was installed on a Virtual Machine template using the installation parameter NO_START=1. Afterward, the Virtual Machine template is rebooted. What is the e...
- Question #161
Which option best describes the general process for a manual installation of the Falcon Sensor on macOS?
- Question #162
What critical prevention policy setting prevents sensor-related files, folders, and registry objects from being renamed or deleted?
- Question #163
After enabling an IOA rule and its respective rule group, what else must be done for an IOA to be fully functional?
- Question #164
How do user permissions function in Falcon?
- Question #165
If you are not able to update your Falcon sensors on a regular basis, what is the maximum recommended aging period before updating your sensors?
- Question #166
What is the purpose of the "Auto - Latest" setting in a sensor update policy?
- Question #167
Which of the following steps are required to delete a sensor update policy?
- Question #168
Which of the following would give you information about inactive sensors within the Falcon console?
- Question #169
What kind of hosts can be contained in Falcon?
- Question #170
Which of the following policies allowlist network traffic even while a host is Network Contained?
- Question #171
Which of the following can be found in the Falcon UI Audit Trail Report?
- Question #172
Which user role will NOT enable the user to connect to a host using Real Time Response?
- Question #173
What will happen to a host that is not part of any group which has a prevention policy assigned to it?
- Question #174
During a sensor installation, what unique identifier is given to each sensor?
- Question #175
Where can you find information about all supported operating systems for the Falcon sensor?
- Question #176
What sensor update policy will a sensor receive if it does not have a host group assignment?
- Question #177
How would an installation token be configured if the Falcon Sensor was installed on a Red Hat Enterprise Linux host?
- Question #178
What is the best way to write an ML exclusion for any executable file at "C:\Program Files\Software\"?
- Question #179
Your development team is working on a new enterprise application, but Falcon starts creating alerts during testing. The alert points to, "C:\Users\Bob\DevCode\felix.dll". In the de...
- Question #180
When deploying the Falcon Sensor alongside an existing security solution, you enable the Quarantine prevention setting in Falcon. What is the recommended configuration for both sol...
- Question #181
What are the two triggers that cause a fusion workflow to run?
- Question #182
What default roles can view, create, and edit workflows?
- Question #183
What are the three configurable parts of a machine learning exclusion?
- Question #184
Where in the Falcon platform can you confirm the sensor build version installed on a particular host?
- Question #185
When a user initiates a sensor install, where can the logs be found?
- Question #186
Certain services are required to be running to install the Windows Falcon sensor. What may cause the LMHost service to be disabled?
- Question #187
You have a member of your SECOPS team that is building custom scripts for your environment and they cannot save or share them in Falcon. What additional role do they need to be abl...
- Question #188
A member of your SECOPS team currently has the role of Falcon Security Lead to be able to manage detections, quarantine files and reset user credentials. Which additional role is r...
- Question #189
Which of the following includes all that can be configured to alert as a Custom IOC (Indicator of Compromise) in IOC Management?
- Question #190
You are the Falcon Administrator for your organization, and you want to ensure you have accountability for the actions your Falcon users take. What is the retention period of the a...
- Question #191
When creating your own Fusion SOAR workflow based on an Event trigger, which additional option will refine the trigger?
- Question #192
Your leadership wants controls in place for immediate action on any OverWatch detections. What should you do to ensure the host is contained quickly and notifies the appropriate st...
- Question #193
During a Windows system investigation via Real Time Response (RTR), an RTR Active Responder is unable to execute a custom PowerShell script for finding specific system artifacts. W...
- Question #194
What least privilege role should be given to a user who needs to extract files with RTR?
- Question #195
In order to prevent duplicate Agent IDs, what install parameter should be used on VMs to be used as persistent clones?
- Question #196
Your organization wants to monitor the use of remote access software that is currently authorized. The executable is called remote.exe. How would you trigger a detection for review...
- Question #197
Which report in Falcon can be used to determine the volume of blocked activity at a different prevention policy setting?
- Question #198
Your organization has determined that your cybersecurity architect needs to be notified via email whenever Falcon generates detections of a medium severity or higher. Additionally,...
- Question #199
What is an example of when you will need to refer to your Customer ID + Checksum (CIDC)?
- Question #200
You are tasked with creating a group for hosts running Windows 10. What kind of group should you create to make sure all applicable hosts are included in your environment?