CrowdStrike Certified Falcon Administrator

Here you have the best CrowdStrike CCFA practice exam questions

You have 235 total questions to study from
Each page has 5 questions, making a total of 47 pages
You can navigate through the pages using the buttons at the bottom
This questions were last updated on October 26, 2025
This site is not affiliated with or endorsed by CrowdStrike.

Question 1 of 235

What is the function of a single asterisk (*) in an ML exclusion pattern?

The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path

The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path

The single asterisk is the insertion point for the variable list that follows the path

The single asterisk is only used to start an expression, and it represents the drive letter

Correct Answer: B

A single asterisk (*) in an ML exclusion pattern will match any number of characters, including none. This does not include separator characters, such as backslashes (\) or forward slashes (/), which are used to separate portions of a file path.

Question 2 of 235

You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?

Contact support and request that they modify the Machine Learning settings to no longer include this detection

Using IOC Management, add the hash of the binary in question and set the action to "Allow"

Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"

Using IOC Management, add the hash of the binary in question and set the action to "No Action"

Correct Answer: B

The best way to prevent future false positives caused by the custom binary is to use IOC (Indicator of Compromise) Management to add the hash of the binary and set the action to 'Allow'. This will ensure that the binary is recognized as safe and will not trigger false positives in the Machine Learning detections. This approach directly addresses the issue by specifying that this particular binary should be allowed, thus preventing further false alarms.

Question 3 of 235

What is the purpose of a containment policy?

To define which Falcon analysts can contain endpoints

To define the duration of Network Containment

To define the trigger under which a machine is put in Network Containment (e.g. a critical detection)

To define allowed IP addresses over which your hosts will communicate when contained

Correct Answer: D

The purpose of a containment policy is to define allowed IP addresses over which your hosts will communicate when contained. This ensures that even when a machine is put in Network Containment, it can still communicate with specific IP addresses or IP ranges as defined by the policy.

Question 4 of 235

An administrator creating an exclusion is limited to applying a rule to how many groups of hosts?

File exclusions are not aligned to groups or hosts

There is a limit of three groups of hosts applied to any exclusion

There is no limit and exclusions can be applied to any or all groups

Each exclusion can be aligned to only one group of hosts

Correct Answer: C

There is no limit and exclusions can be applied to any or all groups. Administrators are not restricted to a specific number of groups, allowing flexibility in managing exclusions across various hosts.

Question 5 of 235

Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?

Real Time Responder

Endpoint Manager

Falcon Investigator

Remediation Manager

Correct Answer: A

To use the 'Connect to Host' feature and gather additional information directly from the host in Falcon, the user needs the 'Real Time Responder' role. This role specifically grants the necessary permissions for real-time response actions, including connecting to a host for further investigation.