Free CCFA Sample Questions — CrowdStrike Certified Falcon Administrator

Free CCFA sample questions for the CrowdStrike Certified Falcon Administrator exam. No account required: study at your own pace.

Want an interactive quiz? Take the full CCFA practice test

Looking for more? Click here to get the full PDF with 234+ practice questions for $10 for offline study and deeper preparation.

Question 1

What internet domain needs to be added to any required allowlists to allow sensors to communicate with the CrowdStrike Cloud?

  • A. falconcloud.net
  • B. cloudprotect-cs.net
  • C. cloudsink.net
  • D. csfalcon.net
Correct Answer: C. cloudsink.net
Question 2

What is the best way to write an ML exclusion for any executable file at "C:\Program Files\Software\"?

  • A. You cannot. You must list a specific file in an exclusion rule
  • B. Program Files\Software\**
  • C. Program Files\Software\.*
  • D. Program Files\Software\*.exe
Correct Answer: D. Program Files\Software\*.exe
Question 3

When performing targeted filtering for a host on the Host Management Page, which filter bar attribute is NOT case-sensitive?

  • A. Username
  • B. Hostname
  • C. Domain
  • D. Model
Correct Answer: B. Hostname
Question 4

When creating new IOCs in IOC management, which of the following fields must be configured?

  • A. Hash, Description, Filename
  • B. Hash, Action and Expiry Date
  • C. Filename, Severity and Expiry Date
  • D. Hash, Platform and Action
Correct Answer: D. Hash, Platform and Action
Question 5

Which Real Time Response role will allow you to see all analyst session details?

  • A. None of the Real Time Response roles allows this
  • B. Real Time Response - Active Responder
  • C. Real Time Response - Read-Only Analyst
  • D. Real Time Response - Administrator
Correct Answer: D. Real Time Response - Administrator
Question 6

To test a new Falcon sensor version, you have created a new sensor update policy and two separate dynamic host groups. One group contains all test Windows servers. The other group contains all of your Windows servers. The new policy was applied to only the test Windows servers host group. What is required to safely and successfully test your new sensor update policy on only your test Windows servers?

  • A. The new Falcon sensor version should be manually installed by you on every test Windows server before ever enabling and assigning the new policy
  • B. The new policy must be enabled and assigned a precedence that is higher when compared to the policy assigned to all Windows servers
  • C. The new policy must be enabled and assigned a precedence that is lower when compared to the policy assigned to all Windows servers
  • D. The new Falcon sensor version should be manually uninstalled by you on every test Windows server before ever enabling and assigning the new policy
Correct Answer: B. The new policy must be enabled and assigned a precedence that is higher when compared to the policy assigned to all Windows servers
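The reason precedence matters in Question 6 is that a host can sit in more than one host group (every test Windows server is also a member of "all Windows servers"), so the platform has to pick one sensor update policy for it. The following is an added example, not code from the original page or from CrowdStrike: a small Python model of that resolution. It assumes policies are evaluated from highest precedence (rank 1) downward, the first enabled policy whose assigned dynamic group contains the host wins, and the platform default policy applies to hosts no custom policy matches. Host names, group rules and the "N" / "N-1" / "N-2" version labels are constructed for the illustration.

```python
# Added example: a model of Falcon sensor update policy resolution across
# overlapping dynamic host groups. Not CrowdStrike code; the evaluation
# order (rank 1 first, first match wins, default as fallback) is an
# assumption stated in the lead-in.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Host:
    hostname: str
    platform: str
    product_type: str          # "Server" or "Workstation"
    tags: Set[str] = field(default_factory=set)


@dataclass
class DynamicGroup:
    name: str
    rule: Callable[[Host], bool]   # mirrors a dynamic group's assignment rule


@dataclass
class UpdatePolicy:
    name: str
    sensor_version: str
    precedence: int                # 1 is evaluated first
    enabled: bool = True
    groups: List[str] = field(default_factory=list)


def effective_policy(host: Host, policies: List[UpdatePolicy],
                     groups: List[DynamicGroup],
                     default: UpdatePolicy) -> UpdatePolicy:
    """Return the policy the host would receive under the assumed rules."""
    by_name = {g.name: g for g in groups}
    for pol in sorted(policies, key=lambda p: p.precedence):
        if not pol.enabled:
            continue
        if any(by_name[g].rule(host) for g in pol.groups):
            return pol
    return default


def run_scenario(test_rank: int, broad_rank: int,
                 test_enabled: bool = True) -> Dict[str, str]:
    """Build the Question 6 setup and report the version each host gets."""
    groups = [
        DynamicGroup("Test Windows Servers",
                     lambda h: h.platform == "Windows"
                     and h.product_type == "Server" and "canary" in h.tags),
        DynamicGroup("All Windows Servers",
                     lambda h: h.platform == "Windows"
                     and h.product_type == "Server"),
    ]
    policies = [
        UpdatePolicy("Canary - Windows servers", "N", test_rank,
                     test_enabled, ["Test Windows Servers"]),
        UpdatePolicy("Windows servers", "N-1", broad_rank,
                     True, ["All Windows Servers"]),
    ]
    default = UpdatePolicy("Platform default", "N-2", 999, True, [])

    # Constructed hosts: one canary server, one production server, one
    # workstation that belongs to neither server group.
    hosts = [
        Host("win-test-01", "Windows", "Server", {"canary"}),
        Host("win-prod-01", "Windows", "Server"),
        Host("win-ws-01", "Windows", "Workstation"),
    ]
    return {h.hostname: effective_policy(h, policies, groups, default)
            .sensor_version for h in hosts}


if __name__ == "__main__":
    print("test policy higher precedence:", run_scenario(1, 2))
    print("test policy lower precedence: ", run_scenario(2, 1))
    print("test policy disabled:         ", run_scenario(1, 2, False))
```

With the canary policy ranked above the broad one, only the test server receives the new build and production servers stay on the fleet version; with the ranks swapped, the broad policy captures the test server first and the new build is never exercised, which is why option C fails. The disabled case shows the other half of the answer: a policy that is not enabled is skipped regardless of its rank.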
Question 7

When deploying the Falcon Sensor alongside an existing security solution, you enable the Quarantine prevention setting in Falcon. What is the recommended configuration for both solutions?

  • A. Disable or remove the other AV solution and configure ODS Cloud Anti-Malware prevention in Falcon to Moderate or higher
  • B. Disable or remove the other AV solution and configure NGAV Sensor Machine Learning prevention in Falcon to Moderate or higher
  • C. Disable or remove the other AV solution and configure NGAV Sensor Machine Learning prevention in Falcon to Cautious
  • D. Disable or remove the other AV solution and configure NGAV Cloud Machine Learning prevention in Falcon to Extra-Aggressive
Correct Answer: B. Disable or remove the other AV solution and configure NGAV Sensor Machine Learning prevention in Falcon to Moderate or higher
Question 8

On the Host management page which filter could be used to quickly identify all devices categorized as a "Workstation" by the Falcon Platform?

  • A. Status
  • B. Platform
  • C. Hostname
  • D. Type
Correct Answer: D. Type
Question 9

The Logon Activities Report includes all of the following information for a particular user EXCEPT __________.

  • A. the account type for the user (e.g. Domain Administrator, Local User)
  • B. all hosts the user logged into
  • C. the logon type (e.g. interactive, service)
  • D. the last time the user's password was set
Correct Answer: B. all hosts the user logged into
Question 10

What are the three configurable parts of a machine learning exclusion?

  • A. File paths, names, and extensions
  • B. Drive letters, directories, and patterns
  • C. Parameters, operators, and values
  • D. Triggers, actions and alerts
Correct Answer: A. File paths, names, and extensions
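Questions 2 and 10 both turn on how an ML exclusion pattern is read: path, name and extension are matched against a glob-style pattern, and the choice between `**`, `.*` and `*.exe` decides how much gets excluded. The following is an added example, not code from the original page or CrowdStrike's matching engine: a simplified Python model of that syntax used to compare the three candidate patterns from Question 2 against a handful of constructed file paths. It assumes `*` matches within one path segment, `**` matches across segments, `?` matches one non-separator character, matching is case-insensitive, and the drive letter is not part of the pattern; treat those rules as assumptions to check against the console's own documentation before relying on them.

```python
# Added example: a simplified model of Falcon-style ML exclusion patterns.
# Not CrowdStrike code; the glob semantics below are assumptions stated in
# the lead-in. Sample paths are constructed, not taken from a real host.
import re
from typing import Dict, List


def falcon_glob_to_regex(pattern: str) -> "re.Pattern":
    """Translate an exclusion pattern into an anchored, case-insensitive regex.

    Assumed semantics:
      *   any run of characters inside a single path segment
      **  any run of characters, crossing backslashes
      ?   exactly one non-separator character
    Everything else is matched literally.
    """
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append(r"[^\\]*")
        elif c == "?":
            out.append(r"[^\\]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def strip_drive(path: str) -> str:
    """Drop a leading 'C:\\' so the pattern is matched from the first folder."""
    return path[3:] if re.match(r"^[A-Za-z]:\\", path) else path


def matches(pattern: str, path: str) -> bool:
    return bool(falcon_glob_to_regex(pattern).match(strip_drive(path)))


def evaluate(patterns: List[str], paths: List[str]) -> Dict[str, List[str]]:
    """For each candidate pattern, list which sample paths it would exclude."""
    return {p: [x for x in paths if matches(p, x)] for p in patterns}


# The three syntactically valid options from Question 2 (B, C, D).
CANDIDATES = [
    r"Program Files\Software\**",
    r"Program Files\Software\.*",
    r"Program Files\Software\*.exe",
]

# Constructed sample paths covering the cases a reviewer should care about:
# an executable, a DLL, a document, a nested executable, a dot-file, and a
# look-alike path under a user profile that must not be excluded.
SAMPLE_PATHS = [
    r"C:\Program Files\Software\app.exe",
    r"C:\Program Files\Software\helper.dll",
    r"C:\Program Files\Software\README.txt",
    r"C:\Program Files\Software\plugins\tool.exe",
    r"C:\Program Files\Software\.hidden",
    r"C:\Users\alice\Program Files\Software\evil.exe",
]


if __name__ == "__main__":
    for pattern, hits in evaluate(CANDIDATES, SAMPLE_PATHS).items():
        print(pattern)
        for h in hits:
            print("   excludes", h)
```

Run against the constructed paths, `**` excludes everything under the folder, DLLs and documents included and recursively, which is far broader than "any executable file"; `.*` is not a regex here and only matches a file whose name starts with a dot; `*.exe` excludes exactly the executables sitting directly in that folder and nothing under `plugins\`. Note also that the anchoring keeps the user-profile look-alike path out of every pattern, which is the property an attacker would otherwise abuse by dropping a binary into a matching path elsewhere on disk.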
Question 11

Which of the following is NOT an available filter on the Hosts Management page?

  • A. Hostname
  • B. Username
  • C. Group
  • D. OS Version
Correct Answer: B. Username
Question 12

When editing an existing IOA exclusion, what can NOT be edited?

  • A. The exclusion name
  • B. All parts of the exclusion can be changed
  • C. The IOA name
  • D. The hosts groups
Correct Answer: C. The IOA name
Question 13

What is the name for the unique host identifier in Falcon assigned to each sensor during sensor installation?

  • A. Endpoint ID (EID)
  • B. Agent ID (AID)
  • C. Security ID (SID)
  • D. Computer ID (CID)
Correct Answer: B. Agent ID (AID)
Question 14

Detections related to a penetration test on a particular server are currently generating thousands of entries in the console. Your leadership does not need to track the detections in Falcon. What should you do to allow your team to focus on more relevant detections?

  • A. Delete the detections in the console and contain the server undergoing the test
  • B. Permanently disable detections for the server in Host Management
  • C. Temporarily disable detections for the server in Host Management and re-enable after the test is done
  • D. Create a Fusion Workflow to email the SOC team every time the penetration test generates a detection
Correct Answer: C. Temporarily disable detections for the server in Host Management and re-enable after the test is done
Question 15

Your leadership wants controls in place for immediate action on any OverWatch detections. What should you do to ensure the host is contained quickly and the appropriate staff are notified?

  • A. Create a Fusion SOAR workflow using the OverWatch playbook to contain the host and email the SOC team
  • B. Create a Fusion SOAR workflow to create a detection for OverWatch and email the SOC team
  • C. Create a Fusion SOAR workflow to contain the host and email the OverWatch team
  • D. Create a Fusion SOAR workflow to trigger on an OverWatch detection and set it to block the detection
Correct Answer: A. Create a Fusion SOAR workflow using the OverWatch playbook to contain the host and email the SOC team
Question 16

You need to have the ability to monitor suspicious VBA macros. Which Sensor Visibility setting should be turned on within the Prevention policy settings?

  • A. Script-based Execution Monitoring
  • B. Interpreter-Only
  • C. Additional User Mode Data
  • D. Engine (Full Visibility)
Correct Answer: A. Script-based Execution Monitoring
Question 17

You have an existing workflow that is triggered on a critical detection that sends an email to the escalation team. Your CISO has asked to also be notified via email with a customized message. What is the best way to update the workflow?

  • A. Clone the workflow and replace the existing email with your CISO's email
  • B. Add a sequential action to send a custom email to your CISO
  • C. Add a parallel action to send a custom email to your CISO
  • D. Add the CISO's email to the existing action
Correct Answer: C. Add a parallel action to send a custom email to your CISO
Question 18

Where can you find your company's Customer ID (CID)?

  • A. The CID is located at Hosts setup and management > Deploy > Sensor Downloads and is listed along with the checksum
  • B. The CID is located at Hosts > Host Management
  • C. The CID is only available by calling support
  • D. The CID is a secret key used for Falcon communication and is never shared with the customer
Correct Answer: A. The CID is located at Hosts setup and management > Deploy > Sensor Downloads and is listed along with the checksum
Question 19

The alignment of a particular prevention policy to one or more host groups can be completed in which of the following locations within Falcon?

  • A. Policy alignment is configured in the "Host Management" section in the Hosts application
  • B. Policy alignment is configured only once during the initial creation of the policy in the "Create New Policy" pop-up window
  • C. Policy alignment is configured in the General Settings section under the Configuration menu
  • D. Policy alignment is configured in each policy in the "Assigned Host Groups" tab
Correct Answer: D. Policy alignment is configured in each policy in the "Assigned Host Groups" tab
Question 20

During a Windows system investigation via Real Time Response (RTR), an RTR Active Responder is unable to execute a custom PowerShell script for finding specific system artifacts. What is likely restricting the responder from executing the PowerShell script?

  • A. Script-Based Execution Monitoring is not enabled in the prevention policy
  • B. Custom Scripts is not enabled in the response policy
  • C. The responder requires the RTR Administrator role
  • D. Put-and-Run is not enabled in the response policy
Correct Answer: C. The responder requires the RTR Administrator role

Aced these? Get the Full Exam

Download the complete CCFA study bundle with 234+ questions in a single printable PDF.