CrowdStrike CCFA Exam Practice Questions (P. 1)
Question #1
What is the function of a single asterisk (*) in an ML exclusion pattern?
- A. The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path
- B. The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path (Most Voted)
- C. The single asterisk is the insertion point for the variable list that follows the path
- D. The single asterisk is only used to start an expression, and it represents the drive letter
Correct Answer: B

When configuring ML exclusion patterns, a single asterisk (*) matches any number of characters, including none, but it does not span directory separators such as backslash (\) or forward slash (/). This is essential for precisely scoping exclusions without unintentionally crossing into other directories or file paths. A double asterisk would be used if you needed to cross directory boundaries. This distinction ensures that exclusions are applied to exactly the intended file path scopes.
Question #2
You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?
- A. Contact support and request that they modify the Machine Learning settings to no longer include this detection
- B. Using IOC Management, add the hash of the binary in question and set the action to "Allow" (Most Voted)
- C. Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"
- D. Using IOC Management, add the hash of the binary in question and set the action to "No Action"
Correct Answer: B

The correct approach involves using IOC Management to "Allow" the binary's hash, thereby ensuring it won't trigger false positives in Machine Learning detections. The "Allow" action does not log the detection, making it an ideal solution for handling benign, custom-written binaries identified incorrectly as threats. This approach maintains operational efficiency without unnecessary alerts while preserving the integrity of the threat detection system. Although other IOC Management actions, such as "No Action," are available, opting for "Allow" directly prevents these unnecessary detections from surfacing.
Question #3
What is the purpose of a containment policy?
- A. To define which Falcon analysts can contain endpoints
- B. To define the duration of Network Containment
- C. To define the trigger under which a machine is put in Network Containment (e.g. a critical detection)
- D. To define allowed IP addresses over which your hosts will communicate when contained (Most Voted)
Correct Answer: C

The purpose of a containment policy in Falcon is primarily to specify the conditions that trigger Network Containment, such as a critical detection. This is crucial for ensuring that only authorized entities can communicate with the contained host during a security incident, thus preventing the spread of threats while maintaining essential business functions. While user comments advocate for choice D, which refers to IP allowlisting during containment, the core function of the policy revolves around defining containment conditions.
Question #4
An administrator creating an exclusion is limited to applying a rule to how many groups of hosts?
- A. File exclusions are not aligned to groups or hosts
- B. There is a limit of three groups of hosts applied to any exclusion
- C. There is no limit and exclusions can be applied to any or all groups (Most Voted)
- D. Each exclusion can be aligned to only one group of hosts
Correct Answer: B

For configuring exclusions in CrowdStrike, the interface clearly defines a cap at three host groups per exclusion. This aligns with observed functionality where attempts to add a fourth group are restricted. Although there might be some confusion about unlimited group assignment, the system's design prohibits this to maintain structured and manageable exclusion deployments.
Question #5
Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?
- A. Real Time Responder (Most Voted)
- B. Endpoint Manager
- C. Falcon Investigator
- D. Remediation Manager
Correct Answer: C

The correct role required for accessing the "Connect to Host" feature in CrowdStrike Falcon is indeed the Real Time Responder role. This role is specifically designed to enable administrators to engage directly with hosts in real-time, allowing them to execute commands and gather necessary information that isn't available otherwise. This feature is crucial for responsive and immediate threat investigations on remote endpoints.