
Download CrowdStrike CCFA-200b Sample Questions [Apr-2026]
Real CCFA-200b Exam Questions and Answers FREE
CrowdStrike CCFA-200b Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
NEW QUESTION # 91
On which page of the Falcon console can one locate the Customer ID (CID)?
- A. API Clients and Keys
- B. Sensor Downloads
- C. Sensor Dashboard
- D. Hosts Management
Answer: A
Explanation:
The page of the Falcon console where one can locate the Customer ID (CID) is API Clients and Keys. The API Clients and Keys page allows you to create and manage API clients and keys for accessing the Falcon platform programmatically. The Customer ID (CID) is a unique identifier for your organization that is required for authenticating your API requests. You can find your CID at the top of the API Clients and Keys page.
NEW QUESTION # 92
Where in the Falcon platform can you confirm the sensor build version installed on a particular host?
- A. Host Management page by filtering for and selecting the host
- B. Dashboards by viewing the Executive Summary Dashboard
- C. Tool Downloads page by downloading the Sensor Reporting Tool
- D. Sensor Downloads page by filtering for a sensor build and selecting the host
Answer: A
NEW QUESTION # 93
You have a Windows host on your network in Reduced functionality mode (RFM). While the system is in RFM, which of the following is TRUE?
- A. System monitoring will be unavailable
- B. Some detection patterns and preventions will not be triggered
- C. Event reporting will be unavailable
- D. Prevention patterns will not be triggered
Answer: B
Explanation:
The option that is true when a Windows host is in Reduced Functionality Mode (RFM) is that some detection patterns and preventions will not be triggered. RFM is a mode that limits the sensor's functionality due to license expiration, network connectivity loss, or certificate validation failure. When a Windows sensor is in RFM, it will only provide basic prevention capabilities, such as blocking known malware hashes and preventing script execution from the %TEMP% directory.
The sensor will not send any telemetry or detection events to the Falcon platform, and will not receive any policy or update changes from the Falcon cloud. This means that some detection patterns and preventions that rely on telemetry, machine learning, or cloud analysis will not be triggered.
NEW QUESTION # 94
You have been provided with a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers. They have asked you to ensure that they are not allowed to run in your environment. You have chosen to use Falcon to do this. Which is the best way to accomplish this?
- A. Using Custom Alerts in the Investigate App, create a new alert using the template "Process Execution" and within that rule, select the option to "Block Execution"
- B. Using the API, gather the list of SHA256 or MD5 hashes for each binary and then upload them, setting them all to "Never Allow"
- C. Using IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking.
- D. Using the Support Portal, create a support ticket and include the list of binary hashes, asking support to create an "Execution Prevention" rule to prevent these processes from running
Answer: C
Explanation:
The best way to ensure that a list of 100 hashes that are not malicious but your company has deemed to be inappropriate for work computers are not allowed to run in your environment is to use IOC Management, gather the list of SHA256 or MD5 hashes for each binary and then upload them. Set all hashes to "Block" and ensure that the prevention policy these computers are using includes the option for "Custom Blocking" under Execution Blocking. This will allow Falcon to block the execution of these hashes on the hosts using this policy. The other options are either incorrect or not efficient to achieve this goal.
NEW QUESTION # 95
Your organization wants to monitor the use of remote access software that is currently authorized. The executable is called remote.exe.
How would you trigger a detection for review of any process named remote.exe?
- A. Write a scheduled search looking for ProcessRollup2 events for remote.exe
- B. Create an exclusion for remote.exe and set a workflow to email you every time the exclusion is used
- C. Write an IOA rule to monitor process creation of .*\\remote\.exe
- D. Assign an aggressive detection level machine-learning prevention policy to the applicable hosts
Answer: C
NEW QUESTION # 96
Which role allows a user to connect to hosts using Real-Time Response?
- A. Falcon Administrator
- B. Real Time Responder ?Active Responder
- C. Endpoint Manager
- D. Prevention Hashes Manager
Answer: B
Explanation:
The role that allows a user to connect to hosts using Real-Time Response is Real Time Responder ?Active Responder. This role allows users to use the "Connect to Host" feature to gather additional information from the host, as well as execute commands and scripts on the host. The other roles do not have this capability.
NEW QUESTION # 97
In order to quarantine files on the host, what prevention policy settings must be enabled?
- A. Next-Gen Antivirus Prevention sliders and "Quarantine & Security Center Registration" must be enabled
- B. Behavior-Based Threat Prevention sliders and Advanced Remediation Actions must be enabled
- C. Malware Protection and Windows Anti-Malware Execution Blocking must be enabled
- D. Malware Protection and Custom Execution Blocking must be enabled
Answer: A
Explanation:
In order to quarantine files on the host, the administrator must enable the Next-Gen Antivirus Prevention sliders and "Quarantine & Security Center Registration" in the prevention policy settings. This will allow Falcon to quarantine malicious files and register them with Windows Security Center. The other options are either incorrect or not sufficient to enable quarantine.
NEW QUESTION # 98
Why is it important to know your company's event data retention limits in the Falcon platform?
- A. You will not be able to search event data into the past beyond your retention period
- B. This is not necessary; you simply select "All Time" in your query to search all data
- C. Data such as process records are kept for a shorter time than event data
- D. Your query will require you to specify the data pool associated with the date you wish to search
Answer: A
Explanation:
It is important to know your company's event data retention limits in the Falcon platform because you will not be able to search event data into the past beyond your retention period. The retention period is the amount of time that event data is stored in the Falcon Cloud, and it may vary depending on your subscription plan and settings. The other options are either incorrect or not related to knowing your retention limits.
NEW QUESTION # 99
How can you search for multiple hostnames at the same time via Host Management?
- A. Enter the multiple hostnames in the Hostname filter separating each by a comma
- B. Add the Multiple Hostnames filter and enter your list of hostnames
- C. Enter the multiple hostnames in the Hostname filter separating each by a decimal
- D. Add the Hostname filter multiple times and enter separate hostnames into each filter
Answer: D
NEW QUESTION # 100
When a user initiates a sensor install, where can the logs be found?
- A. %LOCALAPPDATA%\Logs
- B. %SYSTEMROOT%\Logs
- C. %SYSTEMROOT%\Temp
- D. %LOCALAPPDATA%\Temp
Answer: A
NEW QUESTION # 101
Where in the Falcon console can information about supported operating system versions be found?
- A. Configuration module
- B. Discover module
- C. Support module
- D. Intelligence module
Answer: C
Explanation:
Information about supported operating system versions can be found in the Support module in the Falcon console. This module provides access to various support resources, such as documentation, downloads, FAQs, release notes and system status. One of the documents available in this module is the CrowdStrike Sensor Compatibility List, which lists the supported operating system versions for each sensor type and platform. The other options are either incorrect or not related to finding information about supported operating system versions.
NEW QUESTION # 102
What is likely the reason your Windows host would be in Reduced Functionality Mode (RFM)?
- A. The host lost internet connectivity
- B. A Sensor Update Policy was misconfigured
- C. Microsoft updates altering the kernel
- D. A misconfiguration in your prevention policy for the host
Answer: A
Explanation:
The likely reason your Windows host would be in Reduced Functionality Mode (RFM) is that the host lost internet connectivity. RFM is a mode that limits the sensor's functionality due to license expiration, network connectivity loss, or certificate validation failure. When a Windows sensor is in RFM, it will only provide basic prevention capabilities, such as blocking known malware hashes and preventing script execution from the %TEMP% directory. The sensor will not send any telemetry or detection events to the Falcon platform, and will not receive any policy or update changes from the Falcon cloud1. Losing internet connectivity is a common cause of RFM, as it prevents the sensor from communicating with the Falcon cloud. A misconfiguration in your prevention policy or sensor update policy will not cause RFM, as these policies are applied by the Falcon cloud and do not affect the sensor's license, network, or certificate status. Microsoft updates altering the kernel may cause compatibility issues with the sensor, but not RFM.
NEW QUESTION # 103
From the Host management page, what is the best field to filter by for Domain Controllers to obtain sensor version information?
- A. Type
- B. OS Version
- C. Sensor Version
- D. Platform
Answer: A
NEW QUESTION # 104
What happens to detections in the console after clicking "Disable Detections" for a host from within the Host Management page?
- A. The detections for the host are removed from the console immediately. No new detections will display in the console going forward.
- B. Existing detections for the host are removed from the console. The process that triggered them is allow-listed to prevent future alerts. Detections for other alerts are unaffected.
- C. Detections from the host are paused for 7 days. Existing detections from the host are removed from the console within 24 hours.
- D. Existing detections for the host remain. No new detections will display in the console going forward.
Answer: D
NEW QUESTION # 105
You want to add an additional layer of security to high-risk RTR commands for your environment.
Where would you configure MFA for RTR within the UI?
- A. General settings
- B. Host group
- C. Response policies
- D. Containment policy
Answer: C
NEW QUESTION # 106
What are the two automated triggers that cause a Fusion SOAR workflow to run?
- A. Event and scheduled triggers
- B. Incident and detections triggers
- C. Condition and action triggers
- D. Event and action triggers
Answer: A
NEW QUESTION # 107
Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host. What is the most appropriate role that can be added to fullfil this requirement?
- A. Remediation Manager
- B. Falcon Analyst ?Read Only
- C. Real Time Responder ?Read Only Analyst
- D. Real Time Responder ?Active Responder
Answer: C
Explanation:
The Real Time Responder - Read Only Analyst only allows to run the commands
"cat,cd,clear,env,eventlog,filehash,getsid,help,history,ipconfig,ls,mount,netstat,ps,reg" the role do not have permission to get files so it is the most aproximated profile for the requested capabilities.
NEW QUESTION # 108
Which statement describes what is recommended for the Default Sensor Update policy?
- A. Since the Default Sensor Update policy is pre-configured with recommend settings out of the box, configuration of the Default Sensor Update policy is not required
- B. The Default Sensor Update should be configured to always automatically upgrade to the latest sensor version
- C. No configuration is required. Once a Custom Sensor Update policy is created the Default Sensor Update policy is disabled
- D. The Default Sensor Update policy should align to an organization's overall sensor updating practice while leveraging Auto N-1 and Auto N-2 configurations where possible
Answer: D
Explanation:
The statement that describes what is recommended for the Default Sensor Update policy is that the Default Sensor Update policy should align to an organization's overall sensor updating practice while leveraging Auto N-1 and Auto N-2 configurations where possible. As explained in question 139, the Default Sensor Update policy is a "catch-all" policy that applies to any host that is not assigned to a specific Sensor Update policy. Therefore, it is recommended that the Default Sensor Update policy should align to your organization's overall sensor updating practice, such as how frequently and how quickly you want to update your sensors. It is also recommended that you leverage the Auto N-1 and Auto N-2 configurations, which allow you to automatically update your sensors to the latest or second-latest sensor version without requiring manual intervention.
NEW QUESTION # 109
Which of the following is an effective Custom IOA rule pattern to kill any process attempting to access www.badguydomain.com?
- A. badguydomain\.com.*
- B. \Device\HarddiskVolume2\*.exe -SingleArgument www.badguydomain.com /kill
- C. Custom IOA rules cannot be created for domains
- D. .*badguydomain.com.*
Answer: D
Explanation:
You are usuing RegEx here and need leading ".*" to capture www and then need a ".*" at the end to identify any sites falling under badguydomain.com.
NEW QUESTION # 110
......
Truly Beneficial For Your CrowdStrike Exam: https://www.pass4guide.com/CCFA-200b-exam-guide-torrent.html
View All CCFA-200b Actual Exam Questions, Answers and Explanations for Free: https://drive.google.com/open?id=10OMP-0mpp7hlwPTsvZHhQuLRyiPEe-jZ