Certified Falcon Administrator

Here you have the best CrowdStrike CCFA practice exam questions

  • You have 142 total questions to study from
  • These questions were last updated on December 19, 2024
Question 1 of 142

What is the function of a single asterisk (*) in an ML exclusion pattern?

    Correct Answer: B

    A single asterisk (*) in an ML exclusion pattern will match any number of characters, including none. This does not include separator characters, such as backslashes (\) or forward slashes (/), which are used to separate portions of a file path.

Question 2 of 142

You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?

    Correct Answer: B

    The best way to prevent future false positives caused by the custom binary is to use IOC (Indicator of Compromise) Management to add the hash of the binary and set the action to 'Allow'. This will ensure that the binary is recognized as safe and will not trigger false positives in the Machine Learning detections. This approach directly addresses the issue by specifying that this particular binary should be allowed, thus preventing further false alarms.

Question 3 of 142

What is the purpose of a containment policy?

    Correct Answer: D

    The purpose of a containment policy is to define allowed IP addresses over which your hosts will communicate when contained. This ensures that even when a machine is put in Network Containment, it can still communicate with specific IP addresses or IP ranges as defined by the policy.

Question 4 of 142

An administrator creating an exclusion is limited to applying a rule to how many groups of hosts?

    Correct Answer: C

    There is no limit and exclusions can be applied to any or all groups. Administrators are not restricted to a specific number of groups, allowing flexibility in managing exclusions across various hosts.

Question 5 of 142

Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?

    Correct Answer: A

    To use the 'Connect to Host' feature and gather additional information directly from the host in Falcon, the user needs the 'Real Time Responder' role. This role specifically grants the necessary permissions for real-time response actions, including connecting to a host for further investigation.