CrowdStrike Certified Falcon Administrator

Here you have the best CrowdStrike CCFA practice exam questions

  • You have 248 total questions across 50 pages (5 per page)
  • These questions were last updated on February 12, 2026
  • This site is not affiliated with or endorsed by CrowdStrike.
Question 1 of 248

What is the function of a single asterisk (*) in an ML exclusion pattern?

Suggested Answer

The suggested answer is B.

A single asterisk (*) in an ML exclusion pattern will match any number of characters, including none. This does not include separator characters, such as backslashes (\) or forward slashes (/), which are used to separate portions of a file path.

Community Votes (9 votes): B (Suggested) 89%, A 11%

Question 2 of 248

You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?

Suggested Answer

The suggested answer is B.

The best way to prevent future false positives caused by the custom binary is to use IOC (Indicator of Compromise) Management to add the hash of the binary and set the action to 'Allow'. This will ensure that the binary is recognized as safe and will not trigger false positives in the Machine Learning detections. This approach directly addresses the issue by specifying that this particular binary should be allowed, thus preventing further false alarms.

Community Votes (7 votes): B (Suggested) 86%, D 14%

Question 3 of 248

What is the purpose of a containment policy?

Suggested Answer

The suggested answer is D.

The purpose of a containment policy is to define allowed IP addresses over which your hosts will communicate when contained. This ensures that even when a machine is put in Network Containment, it can still communicate with specific IP addresses or IP ranges as defined by the policy.

Community Votes (27 votes): D (Suggested) 81%, C 19%

Question 4 of 248

An administrator creating an exclusion is limited to applying a rule to how many groups of hosts?

Suggested Answer

The suggested answer is C.

There is no limit and exclusions can be applied to any or all groups. Administrators are not restricted to a specific number of groups, allowing flexibility in managing exclusions across various hosts.

Community Votes (12 votes): C (Suggested) 100%

Question 5 of 248

Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?

Suggested Answer

The suggested answer is A.

To use the 'Connect to Host' feature and gather additional information directly from the host in Falcon, the user needs the 'Real Time Responder' role. This role specifically grants the necessary permissions for real-time response actions, including connecting to a host for further investigation.

Community Votes (10 votes): A (Suggested) 100%

About the CrowdStrike CCFA Certification Exam

About the Exam

The CrowdStrike CCFA (CrowdStrike Certified Falcon Administrator) validates your knowledge and skills. Passing demonstrates proficiency and can boost your career prospects in the field.

How to Prepare

Work through all 248 practice questions across 50 pages. Focus on understanding the reasoning behind each answer rather than memorizing responses to be ready for any variation on the real exam.

Why Practice Exams?

Practice exams help you familiarize yourself with the question format, manage your time, and reduce anxiety on test day. Our CCFA questions are regularly updated to reflect the latest exam objectives.