Real CrowdStrike CCFA-200 Exam Questions Study Guide [Q70-Q87]


Updated and accurate CCFA-200 questions for passing the exam quickly

NEW QUESTION # 70
What are custom alerts based on?

  • A. Custom workflows
  • B. User defined Splunk queries
  • C. Custom event based triggers
  • D. Predefined alert templates

Answer: D

Explanation:
Custom alerts in the Falcon console are created from a set of templates that CrowdStrike provides; the administrator picks a template and configures its recipients and schedule rather than writing a query or a workflow.


NEW QUESTION # 71
Once an exclusion is saved, what can be edited in the future?

  • A. Only the selected groups and hosts to which the exclusion is applied can be changed
  • B. The exclusion pattern cannot be changed
  • C. Only the options to "Detect/Block" and/or "File Extraction" can be changed
  • D. All parts of the exclusion can be changed

Answer: D


NEW QUESTION # 72
Under which scenario can Sensor Tags be assigned?

  • A. While updating a sensor in the Falcon console
  • B. While triaging a detection
  • C. While installing a sensor
  • D. While managing hosts in the Falcon console

Answer: D


NEW QUESTION # 73
In order to exercise manual control over the sensor upgrade process, as well as prevent unauthorized users from uninstalling or upgrading the sensor, which settings in the Sensor Update Policy would meet this criteria?

  • A. Sensor version set to N-2 and Bulk maintenance mode is turned on
  • B. Sensor version updates off and Uninstall and maintenance protection turned off
  • C. Sensor version set to N-1 and Bulk maintenance mode is turned on
  • D. Sensor version fixed and Uninstall and maintenance protection turned on

Answer: D

Explanation:
To exercise manual control over the sensor upgrade process and prevent unauthorized users from uninstalling or upgrading the sensor, set the sensor version to a fixed build and turn on Uninstall and maintenance protection in the Sensor Update Policy. A fixed version means hosts in the policy stay on the build the administrator chose until the administrator changes it (N-1 and N-2 are automatic tiers that follow CrowdStrike's releases), and maintenance protection requires a maintenance token before the sensor can be uninstalled or upgraded locally. The other options either leave auto-update on or turn protection off. Reference: CrowdStrike Falcon User Guide, page 38.


NEW QUESTION # 74
Which of the following is NOT an available action for an API Client?

  • A. Retrieve an API Client Secret
  • B. Delete an API Client
  • C. Reset an API Client Secret
  • D. Edit an API Client

Answer: A

Explanation:
Retrieving an API client secret is not an available action. An API client represents a user or application that accesses the Falcon platform programmatically through the Falcon APIs; it has a client ID and a client secret, which together authenticate the client and scope what it may call. API clients are created and managed on the API Clients and Keys page in the Falcon console, where the available actions are Edit, Reset secret and Delete. The secret is displayed once, at creation, and cannot be retrieved afterwards; if it is lost it must be reset, which invalidates the old secret everywhere it is in use.


NEW QUESTION # 75
When creating an API client, which of the following must be saved immediately since it cannot be viewed again after the client is created?

  • A. Secret
  • B. Client ID
  • C. Client name
  • D. Base URL

Answer: A
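How the client ID and secret from the two questions above are actually used, as an added example (not CrowdStrike code): the secret is exchanged for a short-lived bearer token and never appears in a URL or in source. The token endpoint and form fields follow the public Falcon OAuth2 API (POST /oauth2/token with client_id and client_secret); the base URL default, the environment variable names and the 60-second refresh margin are assumptions of this example.

```python
"""Using a Falcon API client ID and secret (added example, not CrowdStrike code).

The token endpoint and form fields follow the public Falcon OAuth2 API
(POST <base_url>/oauth2/token with client_id and client_secret). The base URL
default, the environment variable names and the refresh margin are assumptions.
"""
import json
import os
import time
import urllib.parse
import urllib.request

DEFAULT_BASE_URL = "https://api.crowdstrike.com"  # assumption: US-1 cloud; other clouds use another host
REFRESH_MARGIN_SECONDS = 60  # treat the token as expired this long before it really is


def load_credentials(env=os.environ):
    """Read the client ID and secret from the environment (assumed variable names).

    The secret is shown once when the API client is created; keep it in a
    secret store or the environment, never in source control or a URL.
    """
    client_id = env.get("FALCON_CLIENT_ID")
    client_secret = env.get("FALCON_CLIENT_SECRET")
    if not client_id or not client_secret:
        raise RuntimeError("FALCON_CLIENT_ID and FALCON_CLIENT_SECRET must be set")
    return client_id, client_secret


def build_token_request(client_id, client_secret, base_url=DEFAULT_BASE_URL):
    """Build the client-credentials POST; the secret travels only in the form body."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/oauth2/token",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def parse_token_response(raw, now):
    """Turn the JSON reply into a token record with an absolute expiry time."""
    payload = json.loads(raw)
    token = payload.get("access_token")
    if not token:
        # Falcon reports failures in an "errors" list; surface it rather than returning None
        raise ValueError("no access_token in response: %s" % payload.get("errors"))
    expires_in = int(payload.get("expires_in", 0))
    return {"token": token, "expires_at": now + expires_in - REFRESH_MARGIN_SECONDS}


def needs_refresh(record, now):
    """True once the cached token is inside the refresh margin."""
    return now >= record["expires_at"]


def auth_header(token):
    """Header to attach to every subsequent Falcon API call."""
    return {"Authorization": "Bearer " + token}


def fetch_token(client_id, client_secret, base_url=DEFAULT_BASE_URL, opener=urllib.request.urlopen):
    """Perform the network round trip (only reached when run as a script)."""
    with opener(build_token_request(client_id, client_secret, base_url), timeout=30) as resp:
        return parse_token_response(resp.read(), time.time())


if __name__ == "__main__":
    cid, secret = load_credentials()
    record = fetch_token(cid, secret)
    # Log only the expiry, never the token or the secret
    print("token obtained, refresh after epoch %d" % record["expires_at"])
```

Because the secret cannot be viewed again, a lost secret means a Reset, which breaks every other integration still using the old value; storing it in a secret manager at creation time avoids that outage.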


NEW QUESTION # 77
Which role is required to manage groups and policies in Falcon?

  • A. Prevention Hashes Manager
  • B. Falcon Host Security Lead
  • C. Falcon Host Administrator
  • D. Falcon Host Analyst

Answer: C

Explanation:
The Falcon Host Administrator role is required to manage groups and policies in Falcon. It allows users to create, edit and delete host groups and policies and to assign them to hosts; the Analyst, Security Lead and Prevention Hashes Manager roles do not. Reference: CrowdStrike Falcon User Guide, page 17.


NEW QUESTION # 78
Where do you obtain the Windows sensor installer for CrowdStrike Falcon?

  • A. Sensors are downloaded from the Hosts > Sensor Downloads
  • B. Sensor installers are downloaded from the Support section of the CrowdStrike website
  • C. Sensor installers are not used because sensors are deployed from within Falcon
  • D. Sensor installers are unique to each customer and must be obtained from support

Answer: A

Explanation:
Sensor installers are downloaded from the Falcon console, under Host setup and management > Sensor downloads (older consoles labelled the menu Hosts > Sensor Downloads). The installer package itself is not customer-specific: the Customer ID (CID) shown on the same page is supplied at install time, and that is what ties the sensor to your tenant.


NEW QUESTION # 79
How do you find a list of inactive sensors?

  • A. Run the Inactive Sensor Report in the Host setup and management option
  • B. A sensor is always considered active until removed by an Administrator
  • C. The Falcon platform does not provide reporting for inactive sensors
  • D. Run the Sensor Aging Report within the Investigate option

Answer: A

Explanation:
Sensor inactivity is reported under Host setup and management, where the inactive sensors report lists hosts that have stopped checking in; it is not an Investigate report. A sensor that goes inactive is not removed automatically, which is why the report is needed.


NEW QUESTION # 80
One of your development teams is working on code for a new enterprise application but Falcon continually flags the execution as a detection during testing. All development work is required to be stored on a file share in a folder called "devcode." What setting can you use to reduce false positives on this file path?

  • A. Machine Learning Exclusions
  • B. Containment Policy
  • C. Firewall Rule Group
  • D. USB Device Policy

Answer: A

Explanation:
A Containment Policy is an allowlist of IP addresses and CIDR ranges a host may still reach while it is network-contained; it has nothing to do with detections. Machine Learning exclusions suppress file-based ML detections and preventions for files whose path matches a glob pattern, so the "devcode" folder on the file share can be excluded. Keep the pattern as narrow as the share path allows: an exclusion anchored to the share is far safer than one that matches any folder named devcode anywhere on disk.
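Before saving an exclusion it is worth checking what the glob pattern actually covers. The following is an added example, not CrowdStrike's own matcher: it reimplements the common glob rules (* matches within one path segment, ** spans any number of segments, ? matches one character) and runs three candidate patterns for the devcode folder against constructed sample paths, showing that the unanchored form also excludes a file a user dropped into a folder of the same name.

```python
"""Test the reach of a glob-style exclusion pattern before saving it.

Added example, not CrowdStrike's own matcher. Falcon exclusions take glob
patterns; this reimplements the common glob rules (* matches within one path
segment, ** spans any number of segments, ? matches one character) so a
candidate pattern can be checked against sample paths offline. The paths
below are constructed for the example.
"""
import re

# Constructed sample: the development share, an unrelated share folder, and a user download
SAMPLE_PATHS = [
    r"\\fileserver\dev\devcode\build\app.exe",
    r"\\fileserver\dev\devcode\tools\gen.exe",
    r"\\fileserver\dev\devcode\README.txt",
    r"\\fileserver\dev\release\app.exe",
    r"C:\Users\bob\Downloads\devcode\dropper.exe",
]


def glob_to_regex(pattern):
    """Translate a glob pattern into an anchored, case-insensitive regex.

    Both backslash and forward slash are accepted as separators so one
    pattern can be tested against UNC and drive-letter paths alike.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if pattern.startswith("**", i):
            parts.append(".*")              # any number of directories
            i += 2
            continue
        if ch == "*":
            parts.append(r"[^\\/]*")        # stay inside one path segment
        elif ch == "?":
            parts.append(r"[^\\/]")         # exactly one non-separator character
        elif ch in "\\/":
            parts.append(r"[\\/]")          # either separator
        else:
            parts.append(re.escape(ch))     # literal character
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def covered_paths(pattern, paths):
    """Return the paths (in input order) the exclusion would apply to."""
    rx = glob_to_regex(pattern)
    return [p for p in paths if rx.match(p)]


def is_anchored(pattern):
    """A pattern that starts with a wildcard applies anywhere on disk, not just the share."""
    return not pattern.lstrip().startswith(("*", "?"))


if __name__ == "__main__":
    for candidate in (r"\\fileserver\dev\devcode\**",
                      r"\\fileserver\dev\devcode\*",
                      r"**\devcode\**"):
        hits = covered_paths(candidate, SAMPLE_PATHS)
        print("%-30s anchored=%-5s covers %d path(s)" % (candidate, is_anchored(candidate), len(hits)))
        for p in hits:
            print("    " + p)
```

The anchored `\\fileserver\dev\devcode\**` covers only the share, the single-star form covers only files directly in the folder, and `**\devcode\**` also covers the download in the user's profile, which is exactly the blind spot an attacker would exploit.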


NEW QUESTION # 81
Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?

  • A. Falcon Investigator
  • B. Real Time Responder
  • C. Endpoint Manager
  • D. Remediation Manager

Answer: B

Explanation:
The Real Time Responder role allows users to use the "Connect to Host" feature to gather additional information from the host, such as running processes, registry keys and files. The other roles do not have this capability. Reference: CrowdStrike Falcon User Guide, page 18.


NEW QUESTION # 82
You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?

  • A. Using IOC Management, add the hash of the binary in question and set the action to "No Action"
  • B. Using IOC Management, add the hash of the binary in question and set the action to "Allow"
  • C. Contact support and request that they modify the Machine Learning settings to no longer include this detection
  • D. Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"

Answer: B


NEW QUESTION # 83
Which option allows you to exclude behavioral detections from the detections page?

  • A. Sensor Visibility Exclusion
  • B. Machine Learning Exclusion
  • C. IOA Exclusion
  • D. IOC Exclusion

Answer: C

Explanation:
The Falcon documentation describes an IOA exclusion as one that stops all behavioral detections and preventions for an IOA based on a CrowdStrike-generated detection. Machine Learning exclusions, by contrast, apply to file-based ML detections, and Sensor Visibility exclusions stop the sensor from monitoring a path entirely. Source:
https://falcon.crowdstrike.com/documentation/68/detection-and-prevention-policies#exclusions


NEW QUESTION # 84
You have an existing workflow that is triggered on a critical detection that sends an email to the escalation team. Your CISO has asked to also be notified via email with a customized message. What is the best way to update the workflow?

  • A. Clone the workflow and replace the existing email with your CISO's email
  • B. Add a sequential action to send a custom email to your CISO
  • C. Add a parallel action to send a custom email to your CISO
  • D. Add the CISO's email to the existing action

Answer: B


NEW QUESTION # 85
When configuring a specific prevention policy, the admin can align the policy to two different types of groups, Host Groups and which other?

  • A. Custom IOC Groups
  • B. Custom IOA Rule Groups
  • C. Enterprise Groups
  • D. Operating System Groups

Answer: D


NEW QUESTION # 86
Which report can assist in determining the appropriate Machine Learning levels to set in a Prevention Policy?

  • A. Machine Learning Debug
  • B. Machine Learning Prevention Monitoring
  • C. Falcon UI Audit Trail
  • D. Sensor Report

Answer: B


NEW QUESTION # 87
......

Prepare Important Exam with CCFA-200 Exam Dumps: https://www.trainingquiz.com/CCFA-200-practice-quiz.html

Download Real CCFA-200 Exam Dumps for candidates. 100% Free Dump Files: https://drive.google.com/open?id=1G-2j5OwsxMJLM3c_K1jveOj9tcLIYDNC