CCFA1.pdf
Uploaded by PainlessDivisionism
2024
5/28/24, 6:24 PM CCFA Exam - Free Actual Q&As, Page 1 | ExamTopics - Expert Verified, Online, Free. Get PDF for CrowdStrike CCFA Exam...
https://www.examtopics.com/exams/crowdstrike/ccfa/view/

Topic 1 - Exam A

Question #1
What is the function of a single asterisk (*) in an ML exclusion pattern?
A. The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path
B. The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path (Most Voted)
C. The single asterisk is the insertion point for the variable list that follows the path
D. The single asterisk is only used to start an expression, and it represents the drive letter
Correct Answer: B
Community vote distribution: B (100%)

Question #2
You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?
A. Contact support and request that they modify the Machine Learning settings to no longer include this detection
B. Using IOC Management, add the hash of the binary in question and set the action to "Allow"
C. Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"
D. Using IOC Management, add the hash of the binary in question and set the action to "No Action"
Correct Answer: B
Community vote distribution: B (80%), D (20%)

Question #3
What is the purpose of a containment policy?
A. To define which Falcon analysts can contain endpoints
B. To define the duration of Network Containment
C. To define the trigger under which a machine is put in Network Containment (e.g. a critical detection)
D. To define allowed IP addresses over which your hosts will communicate when contained (Most Voted)
Correct Answer: C
Community vote distribution: D (100%)

Question #4
An administrator creating an exclusion is limited to applying a rule to how many groups of hosts?
A. File exclusions are not aligned to groups or hosts
B. There is a limit of three groups of hosts applied to any exclusion
C. There is no limit and exclusions can be applied to any or all groups (Most Voted)
D. Each exclusion can be aligned to only one group of hosts
Correct Answer: B
Community vote distribution: C (100%)

Question #5
Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?
A. Real Time Responder (Most Voted)
B. Endpoint Manager
C. Falcon Investigator
D. Remediation Manager
Correct Answer: C
Community vote distribution: A (100%)

Question #6
What must an admin do to reset a user's password?
A. From User Management, open the account details for the affected user and select "Generate New Password"
B. From User Management, select "Reset Password" from the three dot menu for the affected user account
C. From User Management, select "Update Account" and manually create a new password for the affected user account
D. From User Management, the administrator must rebuild the account as the certificate for user specific private/public key generation is no longer valid
Correct Answer: B
Community vote distribution: B (100%)

Question #7
Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group. What is the next step to disable RTR only on these hosts?
A. Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
B. Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"
C. Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
D. Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality"
Correct Answer: C
Community vote distribution: C (100%)

Question #8
When creating new IOCs in IOC management, which of the following fields must be configured?
A. Hash, Description, Filename
B. Hash, Action and Expiry Date
C. Filename, Severity and Expiry Date
D. Hash, Platform and Action
Correct Answer: D
Community vote distribution: D (100%)

Question #9
Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host. What is the most appropriate role that can be added to fulfil this requirement?
A. Remediation Manager
B. Real Time Responder – Read Only Analyst (Most Voted)
C. Falcon Analyst – Read Only
D. Real Time Responder – Active Responder
Correct Answer: C
Community vote distribution: B (83%), C (17%)

Question #10
One of your development teams is working on code for a new enterprise application but Falcon continually flags the execution as a detection during testing. All development work is required to be stored on a file share in a folder called "devcode." What setting can you use to reduce false positives on this file path?
A. USB Device Policy
B. Firewall Rule Group
C. Containment Policy
D. Machine Learning Exclusions (Most Voted)
Correct Answer: C
Community vote distribution: D (100%)

Question #11
How do you disable all detections for a host?
A. Create an exclusion rule and apply it to the machine or group of machines
B. Contact support and provide them with the Agent ID (AID) for the machine and they will put it on the Disabled Hosts list in your Customer ID (CID)
C. You cannot disable all detections on individual hosts as it would put them at risk
D. In Host Management, select the host and then choose the option to Disable Detections
Correct Answer: D
Community vote distribution: D (100%)

Question #12
To enhance your security, you want to detect and block based on a list of domains and IP addresses. How can you use IOC management to help this objective?
A. Blocking of Domains and IP addresses is not a function of IOC management. A Custom IOA Rule should be used instead (Most Voted)
B. Using IOC management, import the list of hashes and IP addresses and set the action to Detect Only
C. Using IOC management, import the list of hashes and IP addresses and set the action to Prevent/Block
D. Using IOC management, import the list of hashes and IP addresses and set the action to No Action
Correct Answer: C
Community vote distribution: A (87%), other 13%

Question #13
Which role is required to manage groups and policies in Falcon?
A. Falcon Host Analyst
B. Falcon Host Administrator
C. Prevention Hashes Manager
D. Falcon Host Security Lead
Correct Answer: B
Community vote distribution: B (100%)

Question #14
Which of the following can a Falcon Administrator edit in an existing user's profile?
A. First or Last name (Most Voted)
B. Phone number
C. Email address
D. Working groups
Correct Answer: D
Community vote distribution: A (100%)

Question #15
You want the Falcon Cloud to push out sensor version changes but you also want to manually control when the sensor version is upgraded or downgraded. In the Sensor Update policy, which is the best Sensor version option to achieve these requirements?
A. Specific sensor version number (Most Voted)
B. Auto - TEST-QA
C. Sensor version updates off
D. Auto - N-1
Correct Answer: A
Community vote distribution: A (100%)

Question #16
What is the goal of a Network Containment Policy?
A. Increase the aggressiveness of the assigned prevention policy
B. Limit the impact of a compromised host on the network (Most Voted)
C. Gain more visibility into network activities
D. Partition a network for privacy
Correct Answer: B
Community vote distribution: B (100%)

Question #17
Which of the following applies to Custom Blocking Prevention Policy settings?
A. Hashes must be entered on the Prevention Hashes page before they can be blocked via this policy (Most Voted)
B. Blocklisting applies to hashes, IP addresses, and domains
C. Executions blocked via hash blocklist may have partially executed prior to the hash calculation process; remediation may be necessary
D. You can only blocklist hashes via the API
Correct Answer: C
Community vote distribution: A (50%), C (20%), D (20%), other 10%

Question #18
How many "Auto" sensor version update options are available for Windows Sensor Update Policies?
A. 1
B. 2
C. 0
D. 3 (Most Voted)
Correct Answer: C
Community vote distribution: D (100%)

Question #19
The alignment of a particular prevention policy to one or more host groups can be completed in which of the following locations within Falcon?
A. Policy alignment is configured in the "Host Management" section in the Hosts application
B. Policy alignment is configured only once during the initial creation of the policy in the "Create New Policy" pop-up window
C. Policy alignment is configured in the General Settings section under the Configuration menu
D. Policy alignment is configured in each policy in the "Assigned Host Groups" tab (Most Voted)
Correct Answer: D
Community vote distribution: D (89%), other 11%

Question #20
How long are detection events kept in Falcon?
A. Detection events are kept for 90 days
B. Detection events are kept for your subscribed data retention period
C. Detection events are kept for 7 days
D. Detection events are kept for 30 days
Correct Answer: B
Community vote distribution: A (75%), B (25%)

Question #21
What information is provided in Logon Activities under Visibility Reports?
A. A list of all logons for all users
B. A list of last endpoints that a user logged in to
C. A list of users who are remotely logged on to devices based on local IP and local port
D. A list of unique users who are remotely logged on to devices based on the country
Correct Answer: B
Community vote distribution: B (100%)

Question #22
What can the Quarantine Manager role do?
A. Manage and change prevention settings
B. Manage quarantined files to release and download
C. Manage detection settings
D. Manage roles and users
Correct Answer: B
Community vote distribution: B (100%)

Question #23
What command should be run to verify if a Windows sensor is running?
A. regedit myfile.reg
B. sc query csagent (Most Voted)
C. netstat -f
D. ps -ef | grep falcon
Correct Answer: B
Community vote distribution: B (100%)

Question #24
When configuring a specific prevention policy, the admin can align the policy to two different types of groups, Host Groups and which other?
A. Custom IOA Rule Groups (Most Voted)
B. Custom IOC Groups
C. Enterprise Groups
D. Operating System Groups
Correct Answer: D
Community vote distribution: A (90%), other 10%

Question #25
Which role allows a user to connect to hosts using Real-Time Response?
A. Endpoint Manager
B. Falcon Administrator
C. Real Time Responder – Active Responder
D. Prevention Hashes Manager
Correct Answer: C
Community vote distribution: C (100%)

Question #26
You are attempting to install the Falcon sensor on a host with a slow Internet connection and the installation fails after 20 minutes. Which of the following parameters can be used to override the 20 minute default provisioning window?
A. ExtendedWindow=1
B. Timeout=0
C. ProvNoWait=1 (Most Voted)
D. Timeout=30
Correct Answer: D
Community vote distribution: C (100%)

Question #27
How can you find a list of hosts that have not communicated with the CrowdStrike Cloud in the last 30 days?
A. Under Dashboards and reports, choose the Sensor Report. Set the "Last Seen" dropdown to 30 days and reference the Inactive Sensors widget
B. Under Host setup and management, choose the Host Management page. Set the group filter to "Inactive Sensors"
C. Under Host setup and management > Managed endpoints > Inactive Sensors. Change the time range to 30 days
D. Under Host setup and management, choose the Disabled Sensors Report. Change the time range to 30 days
Correct Answer: C
Community vote distribution: C (100%)

Question #28
In order to quarantine files on the host, what prevention policy settings must be enabled?
A. Malware Protection and Custom Execution Blocking must be enabled
B. Next-Gen Antivirus Prevention sliders and "Quarantine & Security Center Registration" must be enabled (Most Voted)
C. Malware Protection and Windows Anti-Malware Execution Blocking must be enabled
D. Behavior-Based Threat Prevention sliders and Advanced Remediation Actions must be enabled
Correct Answer: C
Community vote distribution: B (100%)

Question #29
Why is it critical to have separate sensor update policies for Windows/Mac/*nix?
A. There may be special considerations for each OS
B. To assist with testing and tracking sensor rollouts
C. The network protocols are different for each host OS
D. It is an auditing requirement
Correct Answer: D
Community vote distribution: A (100%)

Question #30
How do you assign a policy to a specific group of hosts?
A. Create a group containing the desired hosts using "Static Assignment." Go to the Assigned Host Groups tab of the desired policy and click "Add groups to policy." Select the desired Group(s). (Most Voted)
B. Assign a tag to the desired hosts in Host Management. Create a group with an assignment rule based on that tag. Go to the Assignment tab of the desired policy and click "Add Groups to Policy." Select the desired Group(s).
C. Create a group containing the desired hosts using "Dynamic Assignment." Go to the Assigned Host Groups tab of the desired policy and select criteria such as OU, OS, Hostname pattern, etc.
D. On the Assignment tab of the desired policy, select "Static" assignment. From the next window, select the desired hosts (using filters if needed) and click Add.
Correct Answer: C
Community vote distribution: A (63%), B (38%)

Question #31
You want to create a detection-only policy. How do you set this up in your policy's settings?
A. Enable the detection sliders and disable the prevention sliders. Then ensure that Next Gen Antivirus is enabled so it will disable Windows Defender.
B. Select the "Detect-Only" template. Disable hash blocking and exclusions.
C. You can't create a policy that detects but does not prevent. Use Custom IOA rules to detect.
D. Set the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled. Do not activate any of the other blocking or malware prevention options.
Correct Answer: D
Community vote distribution: D (100%)

Question #32
Which of the following is an effective Custom IOA rule pattern to kill any process attempting to access www.badguydomain.com?
A. .*badguydomain\.com.* (Most Voted)
B. \Device\HarddiskVolume2\*.exe -SingleArgument www.badguydomain.com /kill
C. badguydomain\.com.*
D. Custom IOA rules cannot be created for domains
Correct Answer: B
Community vote distribution: A (100%)

Question #33
Where can you modify settings to permit certain traffic during a containment period?
A. Prevention Policy
B. Host Settings
C. Containment Policy
D. Firewall Settings
Correct Answer: C
Community vote distribution: C (100%)

Question #34
Which option allows you to exclude behavioral detections from the detections page?
A. Machine Learning Exclusion
B. IOA Exclusion (Most Voted)
C. IOC Exclusion
D. Sensor Visibility Exclusion
Correct Answer: A
Community vote distribution: B (73%), A (27%)

Question #35
What are custom alerts based on?
A. Custom workflows
B. Custom event based triggers
C. Predefined alert templates (Most Voted)
D. User defined Splunk queries
Correct Answer: B
Community vote distribution: C (100%)

Question #36
When creating an API client, which of the following must be saved immediately since it cannot be viewed again after the client is created?
A. Base URL
B. Secret
C. Client ID
D. Client name
Correct Answer: B
Community vote distribution: B (100%)

Question #37
You notice there are multiple Windows hosts in Reduced Functionality Mode (RFM). What is the most likely culprit causing these hosts to be in RFM?
A. A Sensor Update Policy was misconfigured
B. A host was offline for more than 24 hours
C. A patch was pushed overnight to all Windows systems
D. A host was placed in network containment from a detection
Correct Answer: C
Community vote distribution: C (100%)

Question #38
Which of the following is TRUE of the Logon Activities Report?
A. Shows a graphical view of user logon activity and the hosts the user connected to
B. The report can be filtered by computer name
C. It gives a detailed list of all logon activity for users
D. It only gives a summary of the last logon activity for users (Most Voted)
Correct Answer: C
Community vote distribution: D (100%)

Question #39
Which of the following roles allows a Falcon user to create Real Time Response Custom Scripts?
A. Real Time Responder – Administrator (Most Voted)
B. Real Time Responder – Read Only Analyst
C. Real Time Responder – Script Developer
D. Real Time Responder – Active Responder
Correct Answer: C
Community vote distribution: A (100%)

Question #40
What model is used to create workflows that would allow you to create custom notifications based on particular events which occur in the Falcon platform?
A. For - While statement(s)
B. Trigger, condition(s) and action(s) (Most Voted)
C. Event trigger(s)
D. Predefined workflow template(s)
Correct Answer: B
Community vote distribution: B (100%)

Question #41
An analyst is asked to retrieve an API client secret from a previously generated key. How can they achieve this?
A. The API client secret can be viewed from the Edit API client pop-up box
B. Enable the Client Secret column to reveal the API client secret
C. Re-create the API client using the exact name to see the API client secret
D. The API client secret cannot be retrieved after it has been created (Most Voted)
Correct Answer: B
Community vote distribution: D (100%)

Question #42
Which port and protocol does the sensor use to communicate with the CrowdStrike Cloud?
A. TCP port 22 (SSH)
B. TCP port 443 (HTTPS)
C. TCP port 80 (HTTP)
D. TCP/UDP port 53 (DNS)
Correct Answer: B
Community vote distribution: B (100%)

Question #43
Where do you obtain the Windows sensor installer for CrowdStrike Falcon?
A. Sensors are downloaded from the Hosts > Sensor Downloads (Most Voted)
B. Sensor installers are unique to each customer and must be obtained from support
C. Sensor installers are downloaded from the Support section of the CrowdStrike website
D. Sensor installers are not used because sensors are deployed from within Falcon
Correct Answer: B
Community vote distribution: A (100%)

Question #44
What is the most common cause of a Windows Sensor entering Reduced Functionality Mode (RFM)?
A. Falcon console updates are pending
B. Falcon sensors installing an update
C. Notifications have been disabled on that host sensor
D. Microsoft updates (Most Voted)
Correct Answer: C
Community vote distribution: D (100%)

Question #45
On which page of the Falcon console would you create sensor groups?
A. User management
B. Sensor update policies
C. Host management
D. Host groups (Most Voted)
Correct Answer: D
Community vote distribution: D (86%), other 14%

Question #46
While a host is Network contained, you need to allow the host to access internal network resources on specific IP addresses to perform patching and remediation. Which configuration would you choose?
A. Configure a Real Time Response policy allowlist with the specific IP addresses
B. Configure a Containment Policy with the specific IP addresses (Most Voted)
C. Configure a Containment Policy with the entire internal IP CIDR block
D. Configure the Host firewall to allowlist the specific IP addresses
Correct Answer: D
Community vote distribution: B (86%), other 14%

Question #47
Which of the following is TRUE regarding Falcon Next-Gen AntiVirus (NGAV)?
A. Falcon NGAV relies on signature-based detections
B. Activating Falcon NGAV will also enable all detection and prevention settings in the entire policy
C. The Detection sliders cannot be set to a value less aggressive than the Prevention sliders (Most Voted)
D. Falcon NGAV is not a replacement for Windows Defender or other antivirus programs
Correct Answer: D
Community vote distribution: C (100%)

Question #48
What is the purpose of using groups with Sensor Update policies in CrowdStrike Falcon?
A. To group hosts with others in the same business unit
B. To group hosts according to the order in which Falcon was installed, so that updates are installed in the same order every time
C. To prioritize the order in which Falcon updates are installed, so that updates are not installed all at once leading to network congestion
D. To allow the controlled assignment of sensor versions onto specific hosts
Correct Answer: D
Community vote distribution: D (100%)

Question #49
What impact does disabling detections on a host have on an API?
A. Endpoints with detections disabled will not alert on anything until detections are enabled again
B. Endpoints cannot have their detections disabled individually
C. DetectionSummaryEvent stops sending to the Streaming API for that host (Most Voted)
D. Endpoints with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed
Correct Answer: D
Community vote distribution: C (100%)

Question #50
Under which scenario can Sensor Tags be assigned?
A. While triaging a detection
B. While managing hosts in the Falcon console
C. While updating a sensor in the Falcon console
D. While installing a sensor (Most Voted)
Correct Answer: B
Community vote distribution: D (100%)
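Worked example for Question #1 (single asterisk does not cross \ or /) and Question #10 (excluding the "devcode" share). This is an added example written for this page, not code from ExamTopics or CrowdStrike. The page defines only the single-asterisk rule; the `**` and `?` rules and the case-insensitive comparison follow the common glob convention and are assumptions marked in the code, and the `\\fileserver\projects\devcode` and `C:\Users\...` paths are constructed for the demo.

```python
import re


def glob_to_regex(pattern: str) -> str:
    """Translate an ML-exclusion style glob into a regular expression.

    Rules implemented:
      *   any run of characters, including none, containing no separator (Q1)
      **  any run of characters, separators included (ASSUMPTION: common glob
          convention for crossing directory levels; Q1 defines only single *)
      ?   exactly one non-separator character (ASSUMPTION, same convention)
      anything else is matched literally
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            if pattern.startswith("**", i):
                parts.append(".*")          # ** crosses \ and /
                i += 2
                continue
            parts.append(r"[^\\/]*")        # single * stops at a separator
        elif ch == "?":
            parts.append(r"[^\\/]")
        else:
            parts.append(re.escape(ch))     # literal path text, incl. \ and :
        i += 1
    return "".join(parts)


def exclusion_matches(pattern: str, path: str) -> bool:
    """True if the whole path is covered by the exclusion pattern.

    Comparison is case-insensitive (ASSUMPTION for Windows paths in this demo).
    fullmatch is used so a pattern never silently matches a prefix of a path.
    """
    return re.fullmatch(glob_to_regex(pattern), path, flags=re.IGNORECASE) is not None


def explain(pattern: str, paths):
    """Evaluate several candidate paths against one pattern."""
    return {p: exclusion_matches(pattern, p) for p in paths}


if __name__ == "__main__":
    # Constructed paths for the "devcode" share of Q10; server name is made up.
    single_star = r"\\fileserver\projects\devcode\*"
    double_star = r"\\fileserver\projects\devcode\**"
    samples = [
        r"\\fileserver\projects\devcode\build.exe",          # directly in devcode
        r"\\fileserver\projects\devcode\bin\x64\build.exe",  # nested: * stops at '\'
        r"\\fileserver\projects\devcode2\build.exe",         # sibling folder, not covered
    ]
    for pat in (single_star, double_star):
        print(pat)
        for path, hit in explain(pat, samples).items():
            print(f"  {'MATCH' if hit else 'no   '}  {path}")
```

Running it shows why Question #10's share needs `\devcode\**` rather than `\devcode\*` if the build tree has subfolders: the single asterisk stops at the first backslash, so nested binaries keep producing ML detections.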
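Worked example for Question #32. Options A and C differ only by the leading `.*`, and that only matters if the pattern has to cover the whole field. This is an added example, not code from the page or from CrowdStrike; it assumes Falcon evaluates a Custom IOA regex field as a whole-field, case-insensitive match (stated as an assumption in the code), and the sample domain names are constructed. The `TIGHTER` pattern is an editor's addition, not one of the exam options.

```python
import re


def ioa_field_matches(pattern: str, value: str) -> bool:
    """Match a Custom IOA regex pattern against one event field value.

    ASSUMPTION for this demo: the pattern must cover the whole field (anchored
    match) and comparison is case-insensitive. Under that rule a pattern with
    no leading '.*' cannot match 'www.badguydomain.com', which is the point
    of Q32 option A versus option C.
    """
    return re.fullmatch(pattern, value, flags=re.IGNORECASE) is not None


def evaluate_patterns(patterns, values):
    """Return {pattern: [values it matches]} for a side-by-side comparison."""
    return {p: [v for v in values if ioa_field_matches(p, v)] for p in patterns}


# The two regex candidates from Q32 ...
OPTION_A = r".*badguydomain\.com.*"
OPTION_C = r"badguydomain\.com.*"
# ... and a tighter pattern (editor's addition) that matches only the apex
# domain or its subdomains, with nothing allowed after '.com'.
TIGHTER = r"(.*\.)?badguydomain\.com"

# Constructed sample values for a Domain Name field.
SAMPLE_DOMAINS = [
    "www.badguydomain.com",        # the host named in the question
    "cdn.badguydomain.com",        # another subdomain
    "badguydomain.com",            # apex
    "notbadguydomain.com",         # different registrable domain; option A over-matches it
    "badguydomain.com.evil.test",  # unrelated suffix; the trailing '.*' lets it through
    "example.com",
]

if __name__ == "__main__":
    for pat, hits in evaluate_patterns([OPTION_A, OPTION_C, TIGHTER], SAMPLE_DOMAINS).items():
        print(f"{pat:32} -> {hits}")
```

The side-by-side shows the trade-off behind the community's preference for A: without the leading `.*`, option C misses `www.badguydomain.com` entirely, while A's unbounded `.*` on both ends also fires on `notbadguydomain.com`. Escaping the dot (`\.`) matters in all three; an unescaped `.` would also match `badguydomainXcom`.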
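Worked example for Question #23, scripting the `sc query csagent` check so it can be run across many hosts (for instance from an RMM job or an RTR script) instead of read by eye. This is an added example, not code from the page or from CrowdStrike. The sample outputs are constructed to mirror the format `sc query` prints for a running service, a stopped service, and a service that is not installed; the state-code table is the Windows Service Control Manager's.

```python
import re
import subprocess
import sys

# Windows Service Control Manager state codes as printed by "sc query".
SERVICE_STATES = {
    1: "STOPPED", 2: "START_PENDING", 3: "STOP_PENDING", 4: "RUNNING",
    5: "CONTINUE_PENDING", 6: "PAUSE_PENDING", 7: "PAUSED",
}

_STATE_LINE = re.compile(r"^\s*STATE\s*:\s*(\d+)\s+([A-Z_]+)", re.MULTILINE)
_NOT_INSTALLED = re.compile(r"FAILED 1060")   # ERROR_SERVICE_DOES_NOT_EXIST


def parse_sc_query(output: str) -> dict:
    """Reduce raw 'sc query <service>' text to installed / state / code."""
    if _NOT_INSTALLED.search(output):
        return {"installed": False, "state": None, "code": None}
    m = _STATE_LINE.search(output)
    if not m:
        raise ValueError("no STATE line found in sc query output")
    code = int(m.group(1))
    return {"installed": True, "state": SERVICE_STATES.get(code, m.group(2)), "code": code}


def sensor_is_running(output: str) -> bool:
    """The check Q23 asks for: the csagent service reports STATE 4 (RUNNING)."""
    return parse_sc_query(output).get("code") == 4


def query_local_sensor(service: str = "csagent") -> dict:
    """Run the real command on a Windows host and parse it (not used by the tests)."""
    if sys.platform != "win32":
        raise RuntimeError("sc.exe is only available on Windows")
    proc = subprocess.run(["sc.exe", "query", service], capture_output=True, text=True)
    return parse_sc_query(proc.stdout + proc.stderr)


# Constructed sample outputs in sc's layout (csagent is the sensor's driver service).
RUNNING_OUTPUT = """
SERVICE_NAME: csagent
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

STOPPED_OUTPUT = """
SERVICE_NAME: csagent
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

NOT_INSTALLED_OUTPUT = """
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""

if __name__ == "__main__":
    for label, out in (("running", RUNNING_OUTPUT), ("stopped", STOPPED_OUTPUT), ("missing", NOT_INSTALLED_OUTPUT)):
        print(label, parse_sc_query(out), "sensor running:", sensor_is_running(out))
```

Treat a result other than `RUNNING` as a coverage gap to investigate: a stopped or missing `csagent` means the host is not reporting to the cloud, and it will eventually surface in the Inactive Sensors view from Question #27.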