
Latest [May 10, 2024] CCFA-200 Exam Dumps - Valid and Updated Dumps
NEW QUESTION # 80
You need to have the ability to monitor suspicious VBA macros. Which Sensor Visibility setting should be turned on within the Prevention policy settings?
- A. Additional User Mode Data
- B. Engine (Full Visibility)
- C. Script-based Execution Monitoring
- D. Interpreter-Only
Answer: C
Explanation:
Turn on the Script-Based Execution Monitoring prevention policy setting to enable the Falcon sensor to "monitor the contents of scripts and shells that are popular mechanisms for executing malicious code on hosts. This setting does not kill or block scripts."
Scripting languages covered:
- Excel 4.0 macros
- JScript
- VBA Macros
- VBScript
The Sensor Visibility setting that should be turned on within the Prevention policy settings to monitor suspicious VBA macros is Script-based Execution Monitoring. Script-based Execution Monitoring is a feature that enables the Falcon sensor to monitor and prevent malicious script execution on Windows systems. The feature uses machine learning and behavioral analysis to detect suspicious scripts or commands executed by various script interpreters, such as PowerShell, WScript, CScript, or Bash. VBA (Visual Basic for Applications) is a scripting language that can be embedded in Microsoft Office documents, such as Word or Excel. VBA macros can be used to automate tasks or perform actions within the documents, but they can also be abused by attackers to deliver malware or execute malicious code. Script-based Execution Monitoring can help detect and prevent such attacks by monitoring the contents of VBA macros for execution of malicious content.
References: [Falcon Administrator Learning Path | Infographic | CrowdStrike]
NEW QUESTION # 81
Custom IOA rules are defined using which syntax?
- A. PowerShell
- B. Regex
- C. Yara
- D. Glob
Answer: A
NEW QUESTION # 82
What best describes what happens to detections in the console after clicking "Enable Detections" for a host which previously had its detections disabled?
- A. Enables custom detections for the host
- B. Preventions will be enabled for the host
- C. New detections will start appearing in the console, and all retroactive stored detections will be restored to the console for that host
- D. New detections will start appearing in the console immediately. Previous detections will not be restored to the console for that host
Answer: D
Explanation:
The option that best describes what happens to detections in the console after clicking "Enable Detections" for a host which previously had its detections disabled is that new detections will start appearing in the console immediately. Previous detections will not be restored to the console for that host. The "Enable Detections" feature allows you to enable or disable the detection and prevention capabilities of the Falcon sensor on a specific host. When you disable detections for a host, the sensor will stop sending any detection or prevention events to the Falcon console, and any existing events for that host will be removed from the console. When you enable detections for a host, the sensor will resume sending any new detection or prevention events to the Falcon console, but any previous events for that host will not be restored to the console [1].
References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
NEW QUESTION # 83
When uninstalling a sensor, which of the following is required if the 'Uninstall and maintenance protection' setting is enabled within the Sensor Update Policies?
- A. Bulk update key
- B. Agent ID (AID)
- C. Customer ID (CID)
- D. Maintenance token
Answer: D
NEW QUESTION # 84
Which is the correct order for manually installing a Falcon Package on a macOS system?
- A. Register the Falcon Sensor via the registration package, then install the Falcon package
- B. Install the Falcon package, then register the Falcon Sensor via command line
- C. Register the Falcon Sensor via command line, then install the Falcon package
- D. Install the Falcon package, then register the Falcon Sensor via the registration package
Answer: B
Explanation:
The correct order for manually installing a Falcon Package on a macOS system is to install the Falcon package, then register the Falcon Sensor via command line. The Falcon package contains the sensor binary and the kernel extension, while the registration package contains the customer ID and the sensor group ID. The registration package is not required for macOS systems, as the registration information can be provided via command line after installing the Falcon package [1].
References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
NEW QUESTION # 85
An analyst has reported they are not receiving workflow triggered notifications in the past few days. Where should you first check for potential failures?
- A. Workflow Execution log
- B. Custom Alert History
- C. Workflow Audit log
- D. Falcon UI Audit Trail
Answer: A
Explanation:
The Workflow Execution log in the Workflow Management option allows you to view the status and results of workflow executions triggered by detection events. You can filter the log by workflow name, status, start and end time, and detection ID. You can also view the details of each execution, including the actions performed, the output received, and any errors encountered. This log can help you troubleshoot potential failures or issues with your workflows [1].
References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
NEW QUESTION # 86
The Logon Activities Report includes all of the following information for a particular user EXCEPT __________.
- A. the account type for the user (e.g. Domain Administrator, Local User)
- B. the logon type (e.g. interactive, service)
- C. all hosts the user logged into
- D. the last time the user's password was set
Answer: C
Explanation:
Checked in the console: the report returns only the last machine the user logged on to, so it does not return all the machines the user logged on to within the searched period.
NEW QUESTION # 87
If a user wanted to install an older version of the Falcon sensor, how would they find the older installer file?
- A. By clicking on "Older versions" links under the Host setup and management > Deploy > Sensor downloads
- B. Older versions of the sensor are not available for download
- C. By installing the current sensor and clicking the "downgrade" button during the install
- D. By emailing CrowdStrike support at [email protected]
Answer: A
Explanation:
The way to find the older installer file for the Falcon sensor is to click on "Older versions" links under the Host setup and management > Deploy > Sensor downloads. The Sensor downloads page allows you to download the latest version of the Falcon sensor for different operating systems and platforms. However, if you need to install an older version of the sensor, you can click on the "Older versions" links below each sensor download button. This will open a new page where you can select and download any previous version of the sensor [1].
References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
NEW QUESTION # 88
Where can you modify settings to permit certain traffic during a containment period?
- A. Firewall Settings
- B. Prevention Policy
- C. Host Settings
- D. Containment Policy
Answer: D
Explanation:
The administrator can modify settings to permit certain traffic during a containment period by creating or editing a Containment Policy. This policy allows users to specify which ports, protocols and IP addresses are allowed or blocked during network containment. The other options are either incorrect or not related to network containment. Reference: [CrowdStrike Falcon User Guide], page 40.
NEW QUESTION # 89
The Falcon Administrator has created a new prevention policy to apply to the "Servers" group; however, when applying the new prevention policy this group is not appearing in the list of available groups. What is the most likely issue?
- A. The "Servers" group already has a policy applied to it
- B. The "Servers" group must be disabled first
- C. Host type was not defined correctly within the prevention policy
- D. The new prevention policy should be enabled first
Answer: A
Explanation:
The most likely issue for not being able to apply a new prevention policy to the "Servers" group is that the "Servers" group already has a policy applied to it. A prevention policy is a policy that defines the prevention capabilities and settings for the Falcon sensor on a host. You can create and assign custom prevention policies to different hosts or groups in your environment. However, you can only assign one prevention policy per host or group at a time. If a host or group already has a prevention policy applied to it, you cannot apply another prevention policy to it unless you remove or replace the existing one [2].
References: [2] Cybersecurity Resources | CrowdStrike
NEW QUESTION # 90
Why is the ability to disable detections helpful?
- A. It gives users the ability to remove all data from hosts that have been uninstalled
- B. It gives users the ability to set up hosts to test detections and later remove them from the console
- C. It gives users the ability to uninstall the sensor from a host
- D. It gives users the ability to allowlist a false positive detection
Answer: D
NEW QUESTION # 91
Where in the console can you find a list of all hosts in your environment that are in Reduced Functionality Mode (RFM)?
- A. Inactive Sensor Report
- B. Host Dashboard
- C. Host Management > Filter for RFM
- D. Containment Policy
Answer: C
Explanation:
The place in the console where you can find a list of all hosts in your environment that are in Reduced Functionality Mode (RFM) is Host Management > Filter for RFM. The Host Management page allows you to view and manage all hosts in your environment that have Falcon sensors installed. You can use the filter bar to filter hosts by various attributes, such as status, platform, type, or group. You can also filter hosts by health events, such as RFM, which is a mode that limits the sensor's functionality due to license expiration, network connectivity loss, or certificate validation failure. By filtering for RFM, you can see a list of all hosts that are in this mode [1].
References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
NEW QUESTION # 92
What can exclusions be applied to?
- A. Only the default host group
- B. Only the groups selected by the administrator
- C. Either all hosts or specified groups
- D. Individual hosts selected by the administrator
Answer: C
Explanation:
The option that describes what exclusions can be applied to is that exclusions can be applied to either all hosts or specified groups. An exclusion is a rule that defines what files, folders, processes, IP addresses, or domains should be excluded from detection or prevention by the Falcon sensor. You can create and manage exclusions in the Exclusions page in the Falcon console. You can apply exclusions to either all hosts in your environment or to specific host groups that you select. You cannot apply exclusions to individual hosts selected by the administrator.
References: [Cybersecurity Resources | CrowdStrike]
NEW QUESTION # 93
When creating new IOCs in IOC management, which of the following fields must be configured?
- A. Hash, Description, Filename
- B. Hash, Action and Expiry Date
- C. Hash, Platform and Action
- D. Filename, Severity and Expiry Date
Answer: C
Explanation:
When creating new IOCs in IOC management, the administrator must configure the Hash, Platform and Action fields. The Hash field is the value of the IOC, such as MD5, SHA1 or SHA256. The Platform field is the operating system that the IOC applies to, such as Windows, Linux or Mac. The Action field is the action that Falcon will take when detecting the IOC, such as Detect, Block or Allow. The other fields are either optional or not available. Reference: CrowdStrike Falcon User Guide, page 44.
NEW QUESTION # 94
Which role allows a user to connect to hosts using Real-Time Response?
- A. Prevention Hashes Manager
- B. Real Time Responder - Active Responder
- C. Falcon Administrator
- D. Endpoint Manager
Answer: B
Explanation:
The role that allows a user to connect to hosts using Real-Time Response is Real Time Responder - Active Responder. This role allows users to use the "Connect to Host" feature to gather additional information from the host, as well as execute commands and scripts on the host. The other roles do not have this capability.
Reference: [CrowdStrike Falcon User Guide], page 18.
NEW QUESTION # 95
How do you disable all detections for a host?
- A. You cannot disable all detections on individual hosts as it would put them at risk
- B. Create an exclusion rule and apply it to the machine or group of machines
- C. In Host Management, select the host and then choose the option to Disable Detections
- D. Contact support and provide them with the Agent ID (AID) for the machine and they will put it on the Disabled Hosts list in your Customer ID (CID)
Answer: C
Explanation:
The administrator can disable all detections for a host by selecting the host and then choosing the option to Disable Detections in the Host Management page. This will prevent the host from sending any detection events to the Falcon Cloud. The other options are either incorrect or not available. Reference: [CrowdStrike Falcon User Guide], page 32.
NEW QUESTION # 96
Which of the following is NOT an available filter on the Hosts Management page?
- A. Username
- B. Group
- C. Hostname
- D. OS Version
Answer: A
NEW QUESTION # 97
An analyst is asked to retrieve an API client secret from a previously generated key. How can they achieve this?
- A. The API client secret can be viewed from the Edit API client pop-up box
- B. Re-create the API client using the exact name to see the API client secret
- C. Enable the Client Secret column to reveal the API client secret
- D. The API client secret cannot be retrieved after it has been created
Answer: D
Explanation:
The API client secret cannot be retrieved after it has been created. The secret is only displayed once when the API client is created, and it cannot be viewed or edited later. Therefore, it is important to save the secret securely and use it along with the client ID to authenticate the API client. The other options are either incorrect or not possible. Reference: CrowdStrike Falcon User Guide, page 54.
NEW QUESTION # 98
Which exclusion pattern will prevent detections on a file at C:\Program Files\My Program\My Files\program.exe?
- A. \Program Files\My Program\My Files\*
- B. \Program Files\My Program\*
- C. *\Program Files\My Program\*\
- D. *\*
Answer: A
NEW QUESTION # 99
When creating a Host Group for all Workstations in an environment, what is the best method to ensure all workstation hosts are added to the group?
- A. Create a Static Group with Type=Workstation Assignment
- B. Create a Dynamic Group with Type=Workstation Assignment
- C. Create a Dynamic Group and Import All Workstations
- D. Create a Static Group and Import all Workstations
Answer: B
Explanation:
The best method to ensure all workstation hosts are added to the group is to create a Dynamic Group with Type=Workstation Assignment. A Dynamic Group is a group that automatically updates its membership based on certain criteria or filters. A Type=Workstation Assignment filter will match all hosts that have the workstation type assigned in their Active Directory domain. This way, any new or existing workstation hosts will be added to the group without manual intervention [1].
References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
NEW QUESTION # 101
What is the purpose of the Default Sensor Policy?
- A. Acts as a "catch all" policy if no other Sensor Policies are applied.
- B. Tests the sensor configuration settings before deployment.
- C. Used to reset all sensor settings to Default.
- D. A mechanism to deploy the oldest supported version of the Falcon Sensor.
Answer: A
Explanation:
The purpose of the Default Sensor Policy is that it acts as a "catch all" policy if no other Sensor Policies are applied. A Sensor Policy is a policy that defines the detection and prevention settings for the Falcon sensor on a host. You can create and assign custom Sensor Policies to different hosts or groups in your environment. However, if a host is not assigned to a specific Sensor Policy, it will inherit the settings from the Default Sensor Policy. The Default Sensor Policy is a "catch-all" policy that is enabled by default and has the "Malware Protection" feature turned on. You can modify the settings of the Default Sensor Policy, but you cannot delete or disable it [1].
References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
NEW QUESTION # 102
Which report can assist in determining the appropriate Machine Learning levels to set in a Prevention Policy?
- A. Sensor Report
- B. Machine Learning Debug
- C. Falcon UI Audit Trail
- D. Machine Learning Prevention Monitoring
Answer: D
Explanation:
The Machine Learning Prevention Monitoring report in the Prevention Policy Management option allows you to monitor the impact of machine learning (ML) prevention settings on your environment. You can view the number of ML detections and preventions by severity, policy, and host group. You can also drill down into specific events and hosts to see more details. This report can help you determine the appropriate ML levels to set in a prevention policy based on your risk tolerance and security posture [1].
References: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike
NEW QUESTION # 103
What is the function of a single asterisk (*) in an ML exclusion pattern?
- A. The single asterisk is the insertion point for the variable list that follows the path
- B. The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path
- C. The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path
- D. The single asterisk is only used to start an expression, and it represents the drive letter
Answer: C