Ccfa 200b Demo

Uploaded by jassonroy3

CrowdStrike CCFA-200b Exam
CrowdStrike Certification
Questions & Answers
(Demo Version - Limited Content)

Thank you for downloading the CCFA-200b exam PDF demo.

Get the full file: https://validquestions.com/exam/ccfa-200b-questions/
Questions & Answers PDF Page 2

Question: 1

Which of the following scenarios is a valid use case for disabling detections on a host?

A. To completely isolate the host from external networks.
B. To allow malware to run without detection for forensic purposes.
C. To troubleshoot application compatibility issues.
D. To reduce system resource usage during high CPU load.

Answer: C
Explanation:

Option A: Disabling detections does not isolate the host from external networks. Network isolation is
managed through other CrowdStrike features or network policies.
Option B: While disabling detections could theoretically allow malware to run without being blocked,
this is not a recommended or valid use case. Forensic analysis should be conducted in controlled
environments, such as sandboxing solutions.
Option C: Disabling detections is often used during troubleshooting to identify whether the Falcon
sensor is interfering with an application or system process. Once the issue is resolved, detections should
be re-enabled to ensure full protection.
Option D: The Falcon sensor is designed to have minimal impact on system resources. Disabling
detections to reduce CPU load is not a recommended practice.

Question: 2

What conditions must be met for administrators to restore a quarantined file in CrowdStrike Falcon?

A. The file must be whitelisted in the policy settings.
B. The file must pass CrowdStrike's automated machine learning analysis.
C. The administrator must have appropriate permissions, and the file must be deemed safe.
D. The file must have a verified checksum in the threat intelligence database.

Answer: C
Explanation:

Option A: Whitelisting a file in policy settings prevents it from being quarantined in the future but does
not impact the restoration process of files already quarantined.
Option B: While Falcon uses machine learning for detection, restoring quarantined files is a manual
process handled by administrators after evaluating the file. It does not depend on machine learning
reanalysis.
Option C: Restoring quarantined files requires an administrator with the appropriate permissions to
evaluate and confirm the file’s safety. This ensures that restoration decisions are deliberate and secure,
minimizing risks.
Option D: While checksum comparisons may aid in identifying malicious files, restoration decisions are
based on administrative review rather than direct reliance on threat intelligence checksums.

www.validquestions.com

Question: 3

Which of the following Machine Learning (ML) sliders will only detect or prevent high confidence
malicious items?

A. Aggressive
B. Cautious
C. Minimal
D. Moderate

Answer: B
Explanation:

The Machine Learning (ML) slider that will only detect or prevent high confidence malicious items is
Cautious. The ML slider allows you to adjust the level of sensitivity and aggressiveness of the Falcon
sensor’s ML engine, which uses artificial intelligence to identify and stop unknown threats. The Cautious
setting will enable the sensor to detect and prevent only high-confidence malicious events, while allowing
low-confidence events to run without interference. This setting will also generate less noise and false
positives than higher settings, such as Moderate or Extra Aggressive [1].
Reference: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike

Question: 4

You are tasked with implementing CID-wide management rules in CrowdStrike Falcon. Which of the
following accurately explains the behavior of CID-wide rules configured in General Settings when host
groups have pre-existing conflicting rules?

A. CID-wide rules automatically override all host group configurations without exception.
B. CID-wide rules only apply to newly added hosts; pre-existing host groups retain their original
settings.
C. Host group rules take precedence over CID-wide rules to ensure tailored configurations.
D. CID-wide rules override conflicting host group rules but allow for exclusions where explicitly
configured.

Answer: D
Explanation:

Option A: CID-wide rules have a higher precedence, but they do not override host group settings
indiscriminately. Exclusions can be configured to retain host group-specific rules.
Option B: CID-wide rules apply universally across the CID, including pre-existing host groups, unless
exclusions are explicitly configured.
Option C: CID-wide rules take precedence to ensure uniformity across the environment. Host group rules
are secondary unless explicitly excluded.
Option D: CID-wide rules are designed to enforce consistency and standardization across all hosts in the
CID. However, they can be fine-tuned to exclude specific host groups or devices, allowing for exceptions
to the overarching rules where necessary.

Question: 5

An organization needs to uninstall the CrowdStrike Falcon sensor from a specific endpoint. Which of the
following conditions must be met before the uninstallation can proceed?

A. Disable Tamper Protection and ensure the user has local administrative privileges.
B. Use the CrowdStrike Falcon Sensor Cleanup Tool after logging in as a standard user.
C. Ensure the endpoint is in a network with internet access to retrieve the uninstall key from the
CrowdStrike cloud.
D. Obtain local administrative privileges on the endpoint and contact CrowdStrike support for a
removal token.

Answer: A
Explanation:

Option A: Disabling Tamper Protection is a critical prerequisite to allow modifications to the sensor.
Additionally, local administrative privileges are required to execute the uninstallation process
successfully.
Option B: The cleanup tool requires administrative privileges to execute and will not work if the user
lacks these permissions. Additionally, Tamper Protection must be disabled first.
Option C: The uninstall key is stored locally in the Windows Registry and does not require internet
access to retrieve, making this step unnecessary.
Option D: While administrative privileges are necessary, contacting CrowdStrike support for a removal
token is not typically required unless Tamper Protection cannot be disabled due to specific restrictions.

Question: 6

A security team notices that several endpoints are in Reduced Functionality Mode (RFM) within the
Falcon console. They want to understand why this issue is occurring and how it can be resolved
effectively. What is the most likely cause for an endpoint to enter Reduced Functionality Mode (RFM)?

A. The Falcon sensor's kernel extension was disabled manually by the endpoint administrator.
B. The endpoint's Falcon sensor lost communication with the Falcon cloud for more than 30 days.
C. The Falcon agent version installed on the endpoint has reached its End of Life (EOL).
D. The Falcon agent was installed on an endpoint running an unsupported operating system.

Answer: B
Explanation:

Option A: Disabling the kernel extension would render the sensor non-functional or severely limited but
does not explicitly trigger RFM. It could cause the endpoint to lose protection entirely.
Option B: Reduced Functionality Mode (RFM) occurs when the Falcon sensor cannot maintain
communication with the Falcon cloud. If an endpoint has been offline or unable to connect for 30
consecutive days, it enters RFM. This is a security measure to ensure that outdated or potentially
compromised sensors cannot operate in a fully functional state. Re-establishing communication with the
Falcon cloud resolves this issue.
Option C: End-of-life sensors may fail to receive updates or lose functionality, but this situation does not
directly cause RFM. Updating the sensor to a supported version typically resolves EOL issues.
Option D: While the Falcon agent cannot be installed on unsupported operating systems, this does not
trigger RFM. Instead, the installation would fail or the sensor would not initialize properly.

Question: 7

When the Notify End Users policy setting is turned on, which of the following is TRUE?

A. End users will not be notified as we would not want to notify a malicious actor of a detection. This
setting does not exist
B. End users will be immediately notified via a pop-up that their machine is in-network isolation
C. End-users receive a pop-up notification when a prevention action occurs
D. End users will receive a pop-up allowing them to confirm or refuse a pending quarantine

Answer: C
Explanation:

When the Notify End Users policy setting is turned on, end-users receive a pop-up notification when a
prevention action occurs. This setting allows you to inform the end-users that the Falcon sensor has
blocked or quarantined a malicious item on their system. The notification will also provide the name and
path of the item, the reason for the prevention, and a link to contact support if needed [1].
Reference: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike

Question: 8

A cybersecurity administrator has configured policies in the CrowdStrike Falcon Console. They have a
policy for "Finance Department" with strict settings and a global policy with moderate settings. A host in
the Finance Department is experiencing unexpected behavior, which leads the administrator to investigate
which policy is being applied. Which policy will be applied to the host in the Finance Department if both
the "Finance Department" policy and the global policy exist?

A. The "Finance Department" policy, because it is more specific than the global policy.
B. The global policy, because it overrides department-specific policies.
C. A merged policy, combining the settings from both policies with preference given to the stricter
setting for each control.
D. The policy with the most recent modification timestamp, regardless of scope.

Answer: A
Explanation:

Option A: CrowdStrike policies follow a hierarchy where more specific policies (e.g., department-level)
take precedence over broader policies (e.g., global). This ensures targeted configurations are enforced for
specific groups, minimizing the risk of less restrictive global settings overriding department needs.

Option B: Global policies serve as a fallback and are overridden by more specific policies when they
exist. A common misconception is that global policies take precedence, but this is incorrect.
Option C: Policies are not merged in CrowdStrike; a single policy is applied based on precedence.
Assuming a "merge" could lead to misconfigurations or incorrect expectations.
Option D: The modification timestamp does not influence policy application. Policy scope and
precedence are the deciding factors.

Question: 9

Your team is deploying the Falcon sensor across multiple workloads in your environment. To ensure
proper security coverage, which default Falcon policy should be reviewed and possibly adjusted before
deployment?

A. Prevention Policy
B. Data Retention Policy
C. Network Quarantine Policy
D. Sensor Update Policy

Answer: A
Explanation:

Option A: The Prevention Policy determines the level of protection applied to workloads, including
settings for malware prevention, exploit blocking, and indicator-based detection. Reviewing and
customizing this policy ensures the workloads have the appropriate balance between security and
performance for your environment.
Option B: Data retention policies govern how long detection and event data are stored but do not directly
impact sensor deployment or functionality. This is typically reviewed after deployment.
Option C: While network quarantine policies are relevant for containment actions during incidents, they
are not part of the default configuration reviewed during initial sensor deployment.
Option D: Sensor updates are handled automatically by the CrowdStrike platform, and manual
adjustments to the update policy are not required before deployment unless specific constraints exist.

Question: 10

After disabling detections for a specific host using the Falcon Console, what is the expected behavior of
the Falcon sensor on that host?

A. The sensor stops sending data to the CrowdStrike cloud entirely.
B. The sensor continues to operate but does not trigger any detections.
C. The sensor is uninstalled from the host until detections are re-enabled.
D. The sensor logs detections locally but does not report them to the Falcon Console.

Answer: B
Explanation:

Option A: The sensor does not stop sending data to the CrowdStrike cloud; it only stops generating
detections. Other functionalities, such as event collection, may still operate depending on the policy
configuration.
Option B: When detections are disabled for a host, the Falcon sensor remains operational and continues
monitoring. However, it does not trigger detections or generate alerts in the Falcon Console. This allows
for troubleshooting without disabling the sensor entirely.
Option C: Disabling detections does not uninstall the sensor. The sensor remains active and retains its
configuration.
Option D: The sensor does not log detections locally when detections are disabled. It ceases to generate
detections entirely.

Question: 11

Which of the following is TRUE of the Logon Activities Report?

A. Shows a graphical view of user logon activity and the hosts the user connected to
B. The report can be filtered by computer name
C. It gives a detailed list of all logon activity for users
D. It only gives a summary of the last logon activity for users

Answer: D
Explanation:

The Logon Activities Report shows a graphical view of user logon activity and the hosts the user
connected to, but it only gives a summary of the last logon activity for users. It does not give a detailed
list of all logon activity for users, nor can it be filtered by computer name. The other options are either
incorrect or not true of the report.
Reference: CrowdStrike Falcon User Guide, page 50.

Question: 12

You are creating a new role in CrowdStrike Falcon for the IT team, which requires access to manage
sensor updates but should not have the ability to modify user account settings. Which combination of
permissions should you assign to the role?

A. Sensor Management and Dashboard Access
B. Sensor Management and Threat Hunting
C. Sensor Management and User Management
D. Sensor Management only

Answer: D
Explanation:

Option A: While "Dashboard Access" enables viewing general system information, it does not provide
functionality related to sensor updates and adds unnecessary permissions.

Option B: Adding "Threat Hunting" grants unnecessary access beyond managing sensors, potentially
violating the principle of least privilege.
Option C: Including the "User Management" permission would allow users assigned to this role to
modify user account settings, which contradicts the stated requirement.
Option D: This permission provides the specific ability to manage sensor updates while ensuring no
access to unrelated areas, such as user account settings.

Question: 13

Which of the following system requirements must be verified before deploying the Falcon sensor on a
Linux system?

A. Configure a cron job to start the sensor service after each reboot.
B. Install Python 3.6 or higher before deploying the sensor.
C. Confirm that the Linux kernel version is supported by CrowdStrike Falcon.
D. Ensure SELinux is disabled to allow the Falcon sensor to operate.

Answer: C
Explanation:

Option A: The Falcon sensor service starts automatically upon installation and system reboots. There is
no need to create a cron job for this purpose.
Option B: The Falcon sensor does not rely on Python or any version of it for its operation. This is not a
valid prerequisite.
Option C: The Falcon sensor supports specific Linux kernel versions, and it is critical to verify that the
system’s kernel version is compatible before deployment. Unsupported kernel versions may lead to
installation failure or sensor malfunction.
Option D: Disabling SELinux is not a requirement. CrowdStrike Falcon can operate with SELinux
enabled, provided proper configurations are made if needed.

Question: 14

As the administrator of your organization's CrowdStrike Falcon environment, you are tasked with
configuring CID-wide prevention policies to ensure consistent application across all endpoints in your
tenant. Which of the following steps is necessary to apply a prevention policy across your entire CID?

A. Apply the prevention policy through the "Sensor Update" menu to enforce CID-wide rules.
B. Configure the prevention policy within the "Host Settings" tab and assign it to all hosts.
C. Navigate to the "Policies" section and assign the prevention policy to a specific host group.
D. Enable "Inheritance" under the CID-wide settings and apply the prevention policy globally.

Answer: D
Explanation:

Option A: The "Sensor Update" menu is used for managing sensor versions and updates, not for applying
prevention policies CID-wide.
Option B: The "Host Settings" tab is used for individual or group-specific configurations, not for CID-wide management.
Option C: Assigning the policy to a specific host group does not apply it CID-wide, as it targets only the
specified group. CID-wide management needs broader application.
Option D: CID-wide management requires enabling inheritance in the general settings to ensure the
prevention policy is applied across all endpoints within the CID. This allows for a consistent security
posture.

Question: 15

Why is the ability to disable detections helpful?

A. It gives users the ability to set up hosts to test detections and later remove them from the console
B. It gives users the ability to uninstall the sensor from a host
C. It gives users the ability to allowlist a false positive detection
D. It gives users the ability to remove all data from hosts that have been uninstalled

Answer: A
Explanation:

"Disable Detections. This is helpful for users who want to set up hosts to test detections in the Falcon
console and who later want to remove those old test detections from the Console"

Question: 16

Which of the following reports should an administrator use to determine if all endpoints in the
environment are protected by the latest sensor version?

A. Policy Assignment Report
B. Sensor Update Report
C. Detection Activity Report
D. Endpoint Inventory Report

Answer: B
Explanation:

Option A: This report is used to verify which endpoints have specific policies assigned to them, such as
prevention or detection policies. It is not related to sensor versioning or updates.
Option B: The Sensor Update Report provides a detailed overview of the versioning of all deployed
sensors in the environment. It highlights endpoints with outdated sensors and those that require
immediate updates. This report ensures compliance with the latest version, which is critical for
maintaining security posture and accessing new features or patches.
Option C: This report focuses on detections of suspicious activities or threats on endpoints. It does not
provide any details about sensor versions or update statuses.
Option D: While this report shows the list of endpoints, it does not include information about the sensor
version installed on each endpoint. It is more focused on endpoint discovery and coverage.

Question: 17

Which requirement must be met for a quarantined file to be restored in CrowdStrike Falcon?

A. The restoration process must be initiated by the endpoint user.
B. The file must have been quarantined for less than 7 days.
C. The quarantined file must be located on a system running the latest OS version.
D. The file must be approved by a user with appropriate permissions.

Answer: D
Explanation:

Option A: Endpoint users cannot directly restore quarantined files. Restoration must be performed by an
administrator with appropriate permissions to maintain security oversight.
Option B: The duration of quarantine does not impact the ability to restore a file. Files can remain
quarantined until reviewed by an administrator regardless of time elapsed.
Option C: While it is recommended to keep systems up-to-date, the OS version does not directly affect
the restoration of quarantined files in CrowdStrike Falcon.
Option D: CrowdStrike Falcon requires administrative approval to restore quarantined files. This step
ensures that only authorized individuals can assess the risk and determine whether the file should be
restored. This measure prevents accidental reintroduction of malicious files into the environment.

Question: 18

Which role allows a user to connect to hosts using Real-Time Response?

A. Endpoint Manager
B. Falcon Administrator
C. Real Time Responder – Active Responder
D. Prevention Hashes Manager

Answer: C
Explanation:

The role that allows a user to connect to hosts using Real-Time Response is Real Time Responder –
Active Responder. This role allows users to use the “Connect to Host” feature to gather additional
information from the host, as well as execute commands and scripts on the host. The other roles do not
have this capability.
Reference: CrowdStrike Falcon User Guide, page 18.

Question: 19

When uninstalling a sensor, which of the following is required if the 'Uninstall and maintenance
protection' setting is enabled within the Sensor Update Policies?

A. Maintenance token
B. Customer ID (CID)
C. Bulk update key
D. Agent ID (AID)

Answer: A
Explanation:

When uninstalling a sensor, a maintenance token is required if the ‘Uninstall and maintenance protection’
setting is enabled within the Sensor Update Policies. This setting prevents unauthorized or accidental
uninstallation of sensors by requiring a token that can be generated from the Falcon console. The other
options are either incorrect or not related to uninstalling a sensor.
Reference: CrowdStrike Falcon User Guide, page 29.

Question: 20

An analyst has reported they are not receiving workflow triggered notifications in the past few days.
Where should you first check for potential failures?

A. Custom Alert History
B. Workflow Execution log
C. Workflow Audit log
D. Falcon UI Audit Trail

Answer: B
Explanation:

The Workflow Execution log in the Workflow Management option allows you to view the status and
results of workflow executions triggered by detection events. You can filter the log by workflow name,
status, start and end time, and detection ID. You can also view the details of each execution, including the
actions performed, the output received, and any errors encountered. This log can help you troubleshoot
potential failures or issues with your workflows [1].
Reference: [1] Falcon Administrator Learning Path | Infographic | CrowdStrike

Thank you for trying the CCFA-200b PDF Demo

https://validquestions.com/exam/ccfa-200b-questions/

Start Your CCFA-200b Preparation

[Limited Time Offer] Use coupon "SAVE20" for an extra 20% discount on the purchase of the PDF file.
Test your CCFA-200b preparation with actual exam questions.
