CrowdStrike CCFA-200b - CrowdStrike Certified Falcon Administrator Exam
Total 60 questions
Question #1 (Topic: Exam A)
Where would you apply a configuration that specifies IP addresses with which your hosts will always be allowed to communicate, even if a host is contained?
A. IP Allowlist Management
B. Containment Policy
C. Response Policies
D. Maintenance Token
Answer: A
Question #2 (Topic: Exam A)
An inactive host that does not contact the Falcon cloud will be automatically removed from the Host Management and Trash pages after how many days?
A. 75 Days
B. 60 Days
C. 90 Days
D. 45 Days
Answer: C
Question #3 (Topic: Exam A)
What prevention policy setting prevents sensor-related files, folders, and registry objects from being renamed or deleted?
A. Host Modification Protection
B. System Configuration Protection
C. Sensor Tampering Protection
D. Sensor Modification Protection
Answer: D
Question #4 (Topic: Exam A)
There are a significant number of false positive detections from your developers that are getting blocked and quarantined by Falcon.
What Indicator of Compromise (IOC) action would be the best option?
A. No_action (displayed as None in the console)
B. Prevent (displayed as Blocked in the console)
C. Detect Only (displayed as Detect only in the console)
D. Allow (displayed as Allow in the console)
Answer: C
Question #5 (Topic: Exam A)
During a Windows system investigation via Real Time Response (RTR), an RTR Active Responder is unable to execute a custom PowerShell script for finding specific system artifacts.
What is likely restricting the responder from executing the PowerShell script?
A. Custom Scripts is not enabled in the response policy
B. Put-and-Run is not enabled in the response policy
C. The responder requires the RTR Administrator role
D. Script-Based Execution Monitoring is not enabled in the response policy
Answer: A