CCFA-200 CrowdStrike Certified Falcon Administrator Questions and Answers

The option that is true when a Windows host is in Reduced Functionality Mode (RFM) is that some detection patterns and preventions will not be triggered. RFM is a mode that limits the sensor’s functionality due to license expiration, network connectivity loss, or certificate validation failure. When a Windows sensor is in RFM, it will only provide basic prevention capabilities, such as blocking known malware hashes and preventing script execution from the %TEMP% directory. The sensor will not send any telemetry or detection events to the Falcon platform, and will not receive any policy or update changes from the Falcon cloud. This means that some detection patterns and preventions that rely on telemetry, machine learning, or cloud analysis will not be triggered.

References: : [Falcon Administrator Learning Path | Infographic | CrowdStrike]

Regex guidelines https://falcon.crowdstrike.com/documentation/68/detection-and-prevention-policies#regex

When uninstalling a sensor, a maintenance token is required if the ‘Uninstall and maintenance protection’ setting is enabled within the Sensor Update Policies. This setting prevents unauthorized or accidental uninstallation of sensors by requiring a token that can be generated from the Falcon console. The other options are either incorrect or not related to uninstalling a sensor. Reference: CrowdStrike Falcon User Guide, page 29.

The statement that some network configurations, such as deep packet inspection, interfere with certificate validation is true concerning Falcon sensor certificate validation. The Falcon sensor uses certificate pinning to defend against man-in-the-middle attacks, which means that it verifies that the server certificate presented by the Falcon cloud matches a hard-coded certificate embedded in the sensor. Some network configurations, such as deep packet inspection, SSL inspection, or HTTPS interception, may attempt to modify or replace the server certificate, which will cause the sensor to reject the connection and generate an error3.

References: 3: How to Become a CrowdStrike Certified Falcon Administrator

The No Action option can be assigned to a hash in IOC Management when you want to save the indicator for later action, but do not want to block or allow it at this time. This option will neither detect nor prevent the execution of the hash, but will keep it in the IOC list for future reference. The other options are either incorrect or not related to the No Action option. Reference: CrowdStrike Falcon User Guide, page 44.

The purpose of the Default Sensor Policy is that it acts as a “catch all” policy if no other Sensor Policies are applied. A Sensor Policy is a policy that defines the detection and prevention settings for the Falcon sensor on a host. You can create and assign custom Sensor Policies to different hosts or groups in your environment. However, if a host is not assigned to a specific Sensor Policy, it will inherit the settings from the Default Sensor Policy. The Default Sensor Policy is a “catch-all” policy that is enabled by default and has the “Malware Protection” feature turned on. You can modify the settings of the Default Sensor Policy, but you cannot delete or disable it1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The reason why you would assign hosts to a static group instead of a dynamic group is that you do not want the group membership to change automatically. A Static Group is a group that requires manual assignment or removal of hosts. A Static Group will not update its membership based on any criteria or filters. This way, you can have more control over which hosts belong to the group and prevent any unwanted changes1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The administrator can find a list of hosts that have not communicated with the CrowdStrike Cloud in the last 30 days by going to Host setup and management > Managed endpoints > Inactive Sensors. Then, change the time range to 30 days. This will show the host name, last seen date, sensor version and group name for each inactive host. The other options are either incorrect or not available. Reference: [CrowdStrike Falcon User Guide], page 31.

The correct parameter to output the log directory to a specified file when troubleshooting the Falcon Sensor on Windows is /log log.txt. This parameter will create a log file named log.txt in the same folder where you run the sensor installation command. The log file will contain information about the sensor installation process, such as the parameters used, the actions performed, and any errors encountered3.

References: 3: How to Become a CrowdStrike Certified Falcon Administrator

The API client secret cannot be retrieved after it has been created. The secret is only displayed once when the API client is created, and it cannot be viewed or edited later. Therefore, it is important to save the secret securely and use it along with the client ID to authenticate the API client. The other options are either incorrect or not possible. Reference: CrowdStrike Falcon User Guide, page 54.

The filter that could be used to quickly identify all devices categorized as a “Workstation” by the Falcon Platform on the Host Management page is Type. The Type filter allows you to filter hosts by their device type, such as workstation, server, or domain controller. The device type is assigned to each host based on their Active Directory domain structure. You can use the Type filter to quickly identify all hosts that have the workstation type assigned in their domain2.

References: 2: Cybersecurity Resources | CrowdStrike

Once an exclusion is saved, all parts of the exclusion can be changed in the future. The administrator can edit an existing exclusion by selecting it from the Exclusions page and modifying any of its fields, such as pattern, type, option, group or host. The other options are either incorrect or not true of editing exclusions. Reference: CrowdStrike Falcon User Guide, page 37.

The syntax that would be best for detecting or preventing on all subdomains as well is *.baddomain.xyz|baddomain. xyz. This syntax will match any domain that ends with .baddomain.xyz or is exactly baddomain.xyz. The * wildcard will match any characters before the dot, and the | operator will match either side of the expression. This syntax can be used in a Custom IOC or a Custom IOA rule to detect or prevent network connections to malicious domains1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

 In order to exercise manual control over the sensor upgrade process, as well as prevent unauthorized users from uninstalling or upgrading the sensor, the administrator should set the Sensor version to fixed and turn on the Uninstall and maintenance protection setting in the Sensor Update Policy. This will allow the administrator to specify which sensor version will be used by the hosts using this policy, and also require a maintenance token to uninstall or upgrade the sensor. The other options are either incorrect or not sufficient to meet this criteria. Reference: CrowdStrike Falcon User Guide, page 38.

On a Windows host, the best command to determine if the sensor is currently running is sc query csagent. This command will show the status of the csagent service, which is responsible for running the sensor on Windows systems. The output of this command will indicate if the service is running, stopped, or paused. If the service is running, the sensor is also running3.

References: 3: How to Become a CrowdStrike Certified Falcon Administrator

Scheduling a Custom Alert for your environment consists of three steps: choosing the template you’d like to configure, previewing the search results, then scheduling the alert. Use Custom Alerts to configure email alerts using predefined templates so you're notified about specific activity in your environment. When an alert runs and finds results, it sends an email to specified recipients instead of generating a new detection. Custom Alerts let you set up email alerts based on predefined templates that cover a wide range of topics including Real Time Response session initiation, host containment, OS security settings, and more that are not yet covered by notification workflows.

While a host is Network contained, the administrator can allow the host to access internal network resources on specific IP addresses to perform patching and remediation by configuring a Containment Policy with the specific IP addresses. This policy allows users to specify which ports, protocols and IP addresses are allowed or blocked during network containment. The other options are either incorrect or not related to network containment. Reference: [CrowdStrike Falcon User Guide], page 40.

The Machine Learning (ML) slider that will only detect or prevent high confidence malicious items is Cautious. The ML slider allows you to adjust the level of sensitivity and aggressiveness of the Falcon sensor’s ML engine, which uses artificial intelligence to identify and stop unknown threats. The Cautious setting will enable the sensor to detect and prevent only high-confidence malicious events, while allowing low-confidence events to run without interference. This setting will also generate less noise and false positives than higher settings, such as Moderate or Extra Aggressive1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The best way to ensure that a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers are not allowed to run in your environment is to use IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to “Block” and ensure that the prevention policy these computers are using includes the option for “Custom Blocking” under Execution Blocking. This will allow Falcon to block the execution of these hashes on the hosts using this policy. The other options are either incorrect or not efficient to achieve this goal. Reference: [CrowdStrike Falcon User Guide], page 44.

The most likely issue for not being able to apply a new prevention policy to the “Servers” group is that the “Servers” group already has a policy applied to it. A prevention policy is a policy that defines the prevention capabilities and settings for the Falcon sensor on a host. You can create and assign custom prevention policies to different hosts or groups in your environment. However, you can only assign one prevention policy per host or group at a time. If a host or group already has a prevention policy applied to it, you cannot apply another prevention policy to it unless you remove or replace the existing one2.

References: 2: Cybersecurity Resources | CrowdStrike

The Customer ID (CID) is important in which of the following scenarios: when performing the sensor installation process and when setting up API keys. The CID is a unique identifier for your organization that is required for authenticating your sensor installation and communication with the Falcon cloud. You need to provide your CID when installing the Falcon sensor on a host, either by using a command-line parameter or by using the falconctl tool. The CID is also required for setting up API keys, which are used for accessing the Falcon platform programmatically via the Falcon APIs. You need to provide your CID when creating an API client and key in the API Clients and Keys page in the Falcon console.

References: : [Cybersecurity Resources | CrowdStrike]

A Falcon Administrator can configure a pop-up message to be displayed on a host when the Falcon sensor blocks, kills or quarantines an activity by turning on the “Notify End Users” setting at the top of the Prevention policy details configuration page. This setting allows users to enable or disable end user notifications for prevention actions taken by Falcon on Windows hosts. The other options are either incorrect or not related to configuring pop-up messages. Reference: CrowdStrike Falcon User Guide, page 36.

The scenario that best describes when you would add IP addresses to the containment policy is that your organization has resources that need to be accessible when hosts are network contained. As explained in the previous question, adding IP addresses to the containment policy allows you to create an allowlist of trusted IP addresses that can communicate with your contained hosts. This can be useful when you need to isolate a host from the network due to a potential compromise or investigation, but still want to allow it to access certain resources or services that are essential for your organization’s operations or security2.

References: 2: Cybersecurity Resources | CrowdStrike

The administrator can choose a specific sensor version number in the Sensor Update policy to manually control when the sensor version is upgraded or downgraded. This will allow the Falcon Cloud to push out sensor version changes, but only when the administrator changes the version number in the policy. The other options will either automate the sensor version updates or turn them off completely. Reference: [CrowdStrike Falcon User Guide], page 38.

When performing targeted filtering for a host on the Host Management Page, the filter bar attribute that is not case-sensitive is Hostname. The Hostname attribute allows you to filter hosts by their computer name or DNS name. The Hostname filter is not case-sensitive, meaning that it will match hosts regardless of the capitalization of their names. For example, filtering by hostname=DESKTOP-1234 will match hosts with names such as DESKTOP-1234, desktop-1234, or Desktop-12342.

References: 2: Cybersecurity Resources | CrowdStrike

The type of information that is found in the Linux Sensors Dashboard is Hosts by Kernel Version, Shells spawned by Root, Wget/Curl Usage. The Linux Sensors Dashboard is a dashboard that provides an overview of the Linux hosts in your environment that have Falcon sensors installed. You can use this dashboard to monitor the health and activity of your Linux hosts, such as their kernel versions, root shell usage, network communication, detections, and preventions3.

References: 3: How to Become a CrowdStrike Certified Falcon Administrator

Disabling detections on a host will stop the DetectionSummaryEvent from sending to the Streaming API for that host. This means that the host will not send any detection events to the Streaming API, which is used to stream data from the Falcon Cloud to external applications or systems. The other options are either incorrect or not related to disabling detections on a host. Reference: [CrowdStrike Falcon User Guide], page 32.

" Data is only available in the Falcon UI for investigations, etc. through the company’s data retention time frame; detection information is kept for 90 days regardless; UI audits are available for 1 year

The only place where create host groups is in " Host and setup management > host Groups> Create a group" In Sensor Update policies you can only asign a group of host to the policy not creating a group of hosts.

Roles are never called 'working groups' in the documentation. The only other option that can be edited on a existing user is first and last name.

The Workflow Execution log in the Workflow Management option allows you to view the status and results of workflow executions triggered by detection events. You can filter the log by workflow name, status, start and end time, and detection ID. You can also view the details of each execution, including the actions performed, the output received, and any errors encountered. This log can help you troubleshoot potential failures or issues with your workflows1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The administrator can create a detection-only policy by setting the Next-Gen Antivirus detection settings to the desired detection level and all the prevention sliders to disabled in the policy’s settings. This will allow Falcon to detect but not prevent threats on the hosts using this policy. Do not activate any of the other blocking or malware prevention options, as they will enable prevention actions. The other options are either incorrect or not related to creating a detection-only policy. Reference: [CrowdStrike Falcon User Guide], page 35.

The option that should be disabled on firewalls so that the sensor’s man-in-the-middle attack protection works properly is deep packet inspection. Deep packet inspection is a network configuration that inspects and modifies the data packets that pass through a firewall. Deep packet inspection may interfere with the sensor’s certificate validation, which is a feature that verifies that the server certificate presented by the Falcon cloud matches a hard-coded certificate embedded in the sensor. If the certificate validation fails, the sensor will reject the connection and generate an error3.

References: 3: How to Become a CrowdStrike Certified Falcon Administrator

 The way an API client secret can be viewed after it has been created is that the API client secret must be reset or a new client created as the secret cannot be viewed after it has been created. As explained in question 137, an API client secret is only displayed once during creation for security reasons. If you lose or forget your API client secret, you cannot view it again in the Falcon console. You have two options to resolve this issue: either reset your API client secret or create a new API client. Resetting your API client secret will generate a new secret for your existing API client, which will invalidate any previous secret. Creating a new API client will generate a new API client ID and secret, which will require you to update any applications or scripts that use the Falcon APIs2.

References: 2: Cybersecurity Resources | CrowdStrike

There are three “Auto” sensor version update options available for Windows Sensor Update Policies: Auto - N-1, Auto - TEST-QA and Auto - Latest. These options allow the administrator to automatically update the sensor version to the previous stable version, the latest test version or the latest stable version, respectively. Reference: [CrowdStrike Falcon User Guide], page 38.

OU (organizational unit) is a filter within the Host setup and management > Host management page. The Host management page allows you to view and manage all the hosts in your environment that have Falcon sensors installed. You can filter the hosts by hostname, group, OS version, sensor version, last seen date, health events, detections, and preventions. You can also filter by OU, which is a logical grouping of hosts based on their Active Directory domain structure1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The reporting interval is predefined and cannot be changed. You can only enable/disable the custom alert feature and add/remove recipient email client for the alert/detection.

Continment Policy, is a allowlist of IPs and CIDR networks allowed in the moment of a host containtment. The Machine Learning Exclusions are the way to avoid the detections done it by Machine Learning based on files, so it is possible to exclude the detections for the requested folder with a GLOB expression.

With EDR license, if you go to "Audit logs > Machine-learning prevention monitoring", three options appear: Cloud Anti-malware, Sensor Anti-malware and Adware&PUP. Therefore, answer is A.

The correct order for manually installing a Falcon Package on a macOS system is to install the Falcon package, then register the Falcon Sensor via command line. The Falcon package contains the sensor binary and the kernel extension, while the registration package contains the customer ID and the sensor group ID. The registration package is not required for macOS systems, as the registration information can be provided via command line after installing the Falcon package1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The option that describes how sensor update precedence is determined when a host belongs to more than one host group is that all of the host’s groups are examined in aggregate and the policy with highest precedence is applied to the host. A Sensor Update policy is a policy that controls how and when the Falcon sensor is updated on a host. You can create and assign custom Sensor Update policies to different hosts or groups in your environment. Each Sensor Update policy has a precedence value, which determines its priority over other policies. The higher the precedence value, the higher the priority. If a host belongs to more than one host group, each with a different Sensor Update policy assigned, then all of the host’s groups are examined in aggregate and the policy with highest precedence among them is applied to the host.

References: : [Falcon Administrator Learning Path | Infographic | CrowdStrike]