CCFA CrowdStrike Practice Test Questions and Exam Dumps

Question 1:

What is the function of a single asterisk (*) in an ML exclusion pattern?

A. The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path
B. The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path
C. The single asterisk is the insertion point for the variable list that follows the path
D. The single asterisk is only used to start an expression, and it represents the drive letter

Answer: B

Explanation:

In an ML (machine learning) exclusion pattern, the asterisk (*) is a wildcard used to match filenames or paths. A single asterisk (*) represents "any number of characters," including zero characters. It does not, however, match separator characters such as the backslash (\) or forward slash (/) that divide a file path into its segments.

Option B correctly describes this behavior: the single asterisk will match any number of characters, including none, but it will not match path separators, such as backslashes or forward slashes, which are typically used to denote directory structures. This means that when a pattern is applied, the asterisk will match characters within a specific directory or filename, but it won't "cross" directory boundaries.

Here’s why the other options are not correct:

A. The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path – This option is incorrect because the single asterisk does not match directory separators like backslashes or forward slashes. Asterisks only match characters within a specific segment of the path.

C. The single asterisk is the insertion point for the variable list that follows the path – This is incorrect. The asterisk does not serve as a placeholder for a variable list in an exclusion pattern. It is purely a wildcard used for matching characters within filenames or paths.

D. The single asterisk is only used to start an expression, and it represents the drive letter – This is incorrect. The asterisk does not specifically represent the drive letter or any part of the expression related to it. Instead, it serves as a wildcard for matching characters within a path or filename.

In summary, the correct function of the single asterisk in an ML exclusion pattern is to match any number of characters (including none) within a portion of a file path, but it does not match path separators. Therefore, B is the correct answer.
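An added example, not code from the page or from CrowdStrike: a small Python matcher that implements the single-asterisk rule described above, so a candidate exclusion can be checked against real paths before it is saved. The double-asterisk (**) handling is an assumption about the wider pattern syntax that the question does not cover, and the sample paths are constructed.

```python
import re

# Both separators are treated as equivalent so one matcher covers Windows
# (\) and macOS/Linux (/) paths.
_SEP_CLASS = r"[\\/]"
_NOT_SEP_RUN = r"[^\\/]*"


def exclusion_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an ML exclusion pattern into an anchored regex.

    Rules implemented:
      *   any run of characters, including none, but never a separator,
          so it stays inside one path segment (the rule from Question 1)
      **  any run of characters including separators, spanning directories
          (assumed here; the question only covers the single asterisk)
    All other characters are literal. Matching is case-insensitive, which
    suits Windows paths; drop re.IGNORECASE for case-sensitive filesystems.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(_NOT_SEP_RUN)
            i += 1
        elif pattern[i] in "\\/":
            parts.append(_SEP_CLASS)
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def matches_exclusion(pattern: str, path: str) -> bool:
    """True if the exclusion pattern covers the whole path."""
    return exclusion_to_regex(pattern).fullmatch(path) is not None


def check_pattern(pattern: str, paths) -> dict:
    """Map each candidate path to whether the pattern would exclude it."""
    return {p: matches_exclusion(pattern, p) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths: one sits directly under the user profile,
    # the other one level deeper. A single * must not reach the deeper one.
    sample = [
        r"C:\Users\alice\Desktop\build.exe",
        r"C:\Users\alice\Downloads\Desktop\build.exe",
    ]
    for pat in (r"C:\Users\*\Desktop\build.exe", r"C:\Users\**\build.exe"):
        print(pat)
        for path, hit in check_pattern(pat, sample).items():
            print(f"  {'MATCH   ' if hit else 'no match'} {path}")
```

The first pattern matches only the first sample path; the second, with **, matches both. Running a planned exclusion through a check like this before saving it shows whether it covers exactly the folder intended, and nothing one level deeper.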


Question 2:

You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?

A. Contact support and request that they modify the Machine Learning settings to no longer include this detection
B. Using IOC Management, add the hash of the binary in question and set the action to "Allow"
C. Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"
D. Using IOC Management, add the hash of the binary in question and set the action to "No Action"

Answer: B – Using IOC Management, add the hash of the binary in question and set the action to "Allow"

Explanation:

In this scenario, the detections are false positives triggered by a legitimate, custom-written binary. The objective is to prevent the security system from flagging this binary as malicious in the future while keeping the security protections in place for other potential threats. The best way to achieve this is by utilizing IOC Management (Indicator of Compromise Management) to specifically add the hash of the custom binary and then configure the action to "Allow."

Here’s why B is the correct answer:

  • B. Using IOC Management, add the hash of the binary in question and set the action to "Allow" – Correct. By adding the hash of the binary in the IOC Management system and marking it as "Allow," you effectively tell the security system to exclude this binary from triggering detections in the future. This approach prevents the custom-written binary from being flagged as a false positive while maintaining the integrity of the overall security system for other, potentially malicious files. It ensures the system will not erroneously treat the legitimate binary as a threat again, thus preventing the false positive issue.

Let’s review why the other options are incorrect:

  • A. Contact support and request that they modify the Machine Learning settings to no longer include this detection – Incorrect. This asks for a change to the detection model rather than a targeted allow for one known-good hash, and it takes the fix out of your hands. The precise, self-service remedy is an allow indicator for the binary's hash in IOC Management.

  • C. Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection" – Incorrect. Setting the action to "Block, hide detection" would prevent the binary from being executed or running, which is the opposite of what is needed in this scenario. Since the binary is custom-written and legitimate, blocking it would disrupt normal business operations. The correct approach is to allow the binary to run without raising false alarms, not to block it.

  • D. Using IOC Management, add the hash of the binary in question and set the action to "No Action" – Incorrect. "No Action" only records the hash as an indicator for tracking; it neither blocks nor allows the file, so the Machine Learning detections on the binary keep firing. Only an explicit "Allow" tells the sensor to stop treating the binary as a threat.

To summarize, the best way to handle false positives caused by a custom-written binary is to use IOC Management to add the hash of the binary and set the action to "Allow." This ensures the system recognizes the binary as legitimate and avoids flagging it in future scans while keeping the overall detection system intact for other threats.

Therefore, the correct answer is B – Using IOC Management, add the hash of the binary in question and set the action to "Allow".


Question 3:

What is the purpose of a containment policy?

A. To define which Falcon analysts can contain endpoints
B. To define the duration of Network Containment
C. To define the trigger under which a machine is put in Network Containment (e.g., a critical detection)
D. To define allowed IP addresses over which your hosts will communicate when contained

Answer: D – To define allowed IP addresses over which your hosts will communicate when contained

Explanation:

Network containment isolates a host so that it can communicate only with the Falcon cloud; the sensor drops all other traffic. A containment policy is the setting that lists the IP addresses or ranges a contained host may still reach, for example an internal jump host, a patch server or a remediation tool, so responders keep a path onto the machine while it is otherwise cut off. Every entry in that list is a hole in the isolation, so it should stay short and specific.

Here’s why the other options are incorrect:

A. To define which Falcon analysts can contain endpoints – Who may contain a host is governed by the roles assigned to the user account, not by the containment policy.

B. To define the duration of Network Containment – Containment has no configured duration. A host stays contained until an analyst lifts containment; the policy sets no timer.

C. To define the trigger under which a machine is put in Network Containment (e.g., a critical detection) – Containment is a response action taken on a host; the containment policy defines no trigger. It only shapes what a contained host can still talk to.

In conclusion, a containment policy defines the addresses that remain reachable from a host while it is network contained. Therefore, D is the correct answer.
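An added example (not from the page or from CrowdStrike) of what a containment policy controls in practice: a default-deny allowlist of destinations a contained host may still reach, plus a check for entries that would re-open too much of the network. The CIDRs and connection attempts are constructed; the Falcon cloud itself is always reachable from a contained sensor and is not modelled here.

```python
import ipaddress
from typing import Dict, Iterable, List


def parse_allowlist(cidrs: Iterable[str]) -> list:
    """Parse the policy's allowed addresses/ranges; a bare address becomes a /32."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def reachable_while_contained(dest: str, allowlist) -> bool:
    """A contained host may reach dest only if some policy entry covers it."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in allowlist)


def simulate_containment(destinations: Iterable[str], allowlist) -> Dict[str, str]:
    """Label each attempted destination 'allowed' or 'blocked' under containment."""
    return {
        d: "allowed" if reachable_while_contained(d, allowlist) else "blocked"
        for d in destinations
    }


def overly_broad_entries(allowlist, max_hosts: int = 1024) -> List[str]:
    """Flag entries that re-open more of the network than containment should.

    Every allowed range is a hole in the isolation; a /8 in a containment
    policy would let a compromised host talk to most of the enterprise.
    The 1024-host threshold is this example's own choice.
    """
    return [str(net) for net in allowlist if net.num_addresses > max_hosts]


if __name__ == "__main__":
    # Constructed policy: one jump host and a small remediation subnet.
    policy = parse_allowlist(["10.20.30.0/24", "192.168.100.5"])
    attempts = ["10.20.30.7", "192.168.100.5", "10.20.31.7", "203.0.113.9"]
    for dest, verdict in simulate_containment(attempts, policy).items():
        print(f"{dest:>15}  {verdict}")
    print("broad entries:",
          overly_broad_entries(parse_allowlist(["10.0.0.0/8", "10.20.30.0/24"])))
```

Only the two destinations covered by the policy come back as allowed; everything else is blocked, which is the behaviour that makes containment useful. The broad-entry check is the review step worth running whenever someone asks for a large range to be added.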


Question 4:

An administrator creating an exclusion is limited to applying a rule to how many groups of hosts?

A. File exclusions are not aligned to groups or hosts
B. There is a limit of three groups of hosts applied to any exclusion
C. There is no limit and exclusions can be applied to any or all groups
D. Each exclusion can be aligned to only one group of hosts

Answer: C – There is no limit and exclusions can be applied to any or all groups

Explanation:

Exclusions in the Falcon console (machine learning, IOA and sensor visibility exclusions) are scoped by host: each exclusion is applied either to all hosts or to the host groups you select. The question is whether that scoping is capped at some number of groups.

It is not. When creating or editing an exclusion, an administrator chooses "All hosts" or any number of host groups, which keeps an exclusion as narrow as one group or as broad as the whole environment.

Here’s why C is the correct answer:

  • C. There is no limit and exclusions can be applied to any or all groups – Correct. A single exclusion can be assigned to one group, to many groups, or to every host. Keep it as narrow as the false positive requires, since every excluded path is a blind spot for the sensor.

Let’s review why the other options are incorrect:

  • A. File exclusions are not aligned to groups or hosts – Incorrect. Exclusions are scoped to host groups (or to all hosts); that scoping is how an administrator keeps an exclusion from applying where it is not needed.

  • B. There is a limit of three groups of hosts applied to any exclusion – Incorrect. No such cap exists; an exclusion can be assigned to as many groups as required.

  • D. Each exclusion can be aligned to only one group of hosts – Incorrect. An exclusion can be assigned to multiple groups or to all hosts, so the same rule does not have to be duplicated per group.

To summarize, exclusions are scoped to host groups with no limit on how many groups an exclusion can cover, which lets administrators apply them precisely where the false positive occurs while leaving the rest of the environment fully monitored.

Therefore, the correct answer is C – There is no limit and exclusions can be applied to any or all groups.


Question 5:

Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?

A. Real Time Responder
B. Endpoint Manager
C. Falcon Investigator
D. Remediation Manager

Answer: A

Explanation:

The "Connect to Host" feature in Falcon is used to gather additional information directly from the host machine. This is typically done to investigate further details about the system's state or behavior in real-time. While being a Falcon Administrator gives you broad administrative capabilities, access to specific features such as "Connect to Host" requires the Real Time Responder role.

The Real Time Responder role is specifically designed to allow users to interact with and respond to threats in real-time on endpoints. This includes connecting to hosts for live investigation, controlling and responding to events on the endpoint, and gathering real-time data from the affected machines.

Here’s why the other options are not correct:

B. Endpoint Manager – The Endpoint Manager role is focused on the management and configuration of endpoint settings, such as policies and configurations. This role does not grant access to real-time interaction with the endpoints, which is required for the "Connect to Host" feature.

C. Falcon Investigator – While the Falcon Investigator role allows for access to investigation and analysis tools, it does not specifically grant real-time interaction with hosts. This role provides access to the necessary data to perform investigations, but not the ability to interact with the host directly in real time.

D. Remediation Manager – The Remediation Manager role is focused on performing actions to mitigate or remediate security issues found on endpoints. While remediation is a critical part of the security response, this role does not grant the ability to connect directly to a host for live investigation.

In summary, to gain the ability to use the "Connect to Host" feature and perform real-time actions on the host, you would need to be assigned the Real Time Responder role. Therefore, A is the correct answer.


Question 6:

What must an admin do to reset a user's password?

A. From User Management, open the account details for the affected user and select "Generate New Password"
B. From User Management, select "Reset Password" from the three dot menu for the affected user account
C. From User Management, select "Update Account" and manually create a new password for the affected user account
D. From User Management, the administrator must rebuild the account as the certificate for user-specific private/public key generation is no longer valid

Answer: B – From User Management, select "Reset Password" from the three dot menu for the affected user account

Explanation:

In the Falcon console, an administrator resets a user's password from User Management. The administrator does not choose or see the new password; the console starts a reset flow that the user completes, so the credential is never known to anyone but its owner.

Here’s why B is the correct answer:

  • B. From User Management, select "Reset Password" from the three dot menu for the affected user account – Correct. Open User Management, locate the account, open its three-dot menu and choose "Reset Password". The user receives a reset e-mail and sets the new password themselves.

Let’s review why the other options are incorrect:

  • A. From User Management, open the account details for the affected user and select "Generate New Password" – Incorrect. There is no "Generate New Password" control in the account details, and an administrator-generated password would be one the administrator knows.

  • C. From User Management, select "Update Account" and manually create a new password for the affected user account – Incorrect. Updating the account edits its details such as name and roles; it does not take a password, and an administrator should never be typing a user's password.

  • D. From User Management, the administrator must rebuild the account as the certificate for user-specific private/public key generation is no longer valid – Incorrect. Console logins are not tied to a per-user certificate or key pair, so nothing needs rebuilding to change a password.

To summarize, the reset is a single menu action in User Management that hands the password choice to the user; the administrator only initiates it.

Therefore, the correct answer is B – From User Management, select "Reset Password" from the three dot menu for the affected user account.


Question 7:

Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group. What is the next step to disable RTR only on these hosts?

A. Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
B. Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"
C. Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
D. Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality"

Answer: C

Explanation:

In order to disable Real Time Response (RTR) on a specific group of hosts, the proper procedure is to create a new Response Policy and then assign that policy to the host group. Within the policy, the Real Time Response feature should be toggled off for these specific hosts. The Response Policy allows administrators to configure and manage which hosts or groups can utilize certain response functionalities like RTR.

Here’s why C is the correct answer:

  • By creating a new Response Policy and toggling the Real Time Response switch off, you ensure that RTR is disabled for the targeted host group.

  • The Response Policy can then be assigned to the specific host group you have created for these servers.

  • This approach allows you to specifically target this set of servers without affecting other hosts in your environment.

Let’s analyze why the other options are incorrect:

A. Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group – The default policy applies to every host that is not assigned another policy, so turning RTR off there would disable it across the environment, not just on these servers. A new policy scoped to the host group is the correct tool.

B. Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality" – Response policies are built from per-feature switches, not exception lists; there is no such list to add a group to, and editing the default policy has the same environment-wide side effect as option A.

D. Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality" – Creating a new policy is the right start, but the policy is assigned to host groups, not to individual host names, and it has no exceptions list. The servers are already in their own group, so assigning the policy to that group is the clean, scalable step.

In summary, the best approach to disabling RTR on specific hosts is to create a new Response Policy, toggle off the RTR feature, and assign this policy to the host group that contains the servers you wish to exclude from remote access. Therefore, C is the correct answer.


Question 8:

When creating new IOCs in IOC management, which of the following fields must be configured?

A. Hash, Description, Filename
B. Hash, Action and Expiry Date
C. Filename, Severity and Expiry Date
D. Hash, Platform and Action

Answer: D – Hash, Platform and Action

Explanation:

In IOC (Indicator of Compromise) management, IOCs are used to identify potentially malicious files, processes, or activities in a network. When adding a new IOC, certain key fields must be configured to ensure that the indicator is useful and actionable.

Here’s why D is the correct answer:

  • D. Hash, Platform and Action – Correct. The hash is an essential component of the IOC because it uniquely identifies a file. The platform indicates where the IOC applies, whether it's a specific operating system, network, or environment. The action specifies what action should be taken when this IOC is encountered (e.g., block, allow, alert). These fields are critical for defining the specific behavior and scope of the IOC and ensuring that the security system can appropriately respond when the IOC is detected.

Now, let's review why the other options are incorrect:

  • A. Hash, Description, Filename – Incorrect. The hash is mandatory, but a description is optional context, and a filename is unnecessary because the hash already identifies the file regardless of what it is named on disk. Neither tells the sensor where the indicator applies or what to do with it.

  • B. Hash, Action and Expiry Date – Incorrect. While the hash and action are important, the expiry date is not always required when creating an IOC. An expiry date could be useful in certain contexts (e.g., when you want to automatically remove or expire an IOC after a certain period), but it’s not a mandatory field in most IOC management systems. The platform would typically be more relevant than an expiry date.

  • C. Filename, Severity and Expiry Date – Incorrect. While severity and expiry date can be useful for context, the filename is not always a required field, as IOCs often rely on hashes to uniquely identify files. The severity and expiry date fields are important for managing IOCs but aren't universally required to create a basic IOC. The key components for most systems are the hash, platform, and action.

To summarize, when creating new IOCs in IOC management, the critical fields that must be configured are the hash (for file identification), platform (for context and scope), and action (to specify the response). This combination ensures that the IOC is precise and can trigger the appropriate security actions.

Therefore, the correct answer is D – Hash, Platform and Action.
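An added example serving Questions 2 and 8 (not code from the page or from CrowdStrike): compute the SHA256 of the vendor binary and assemble an allow indicator, refusing to proceed unless the three mandatory fields (hash, platform, action) are present and well formed. The dictionary layout, the action labels and the platform names are this example's own, taken from the console wording in these questions; it does not reproduce the Falcon IOC API request body, and the binary content is constructed.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional

# Mandatory fields, per Question 8: the hash, where it applies, and what to do.
REQUIRED_FIELDS = ("type", "value", "platforms", "action")

# Action labels as worded in Question 2; treating this as the full set is an
# assumption made for validation only.
KNOWN_ACTIONS = {"No Action", "Allow", "Detect", "Block", "Block, hide detection"}
KNOWN_PLATFORMS = {"Windows", "Mac", "Linux"}  # assumed platform names

_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def sha256_hex(data: bytes) -> str:
    """Hash the binary exactly as it sits on disk; any rebuild changes the hash."""
    return hashlib.sha256(data).hexdigest()


def validate_ioc(ioc: Dict) -> List[str]:
    """Return a list of problems; an empty list means the IOC is complete."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not ioc.get(f)]
    if ioc.get("type") == "sha256" and ioc.get("value") and not _SHA256.match(ioc["value"]):
        problems.append("value is not a lowercase 64-hex SHA256")
    if ioc.get("action") and ioc["action"] not in KNOWN_ACTIONS:
        problems.append(f"unknown action {ioc['action']!r}")
    for p in ioc.get("platforms") or []:
        if p not in KNOWN_PLATFORMS:
            problems.append(f"unknown platform {p!r}")
    return problems


def build_hash_ioc(file_bytes: bytes, platforms: Iterable[str], action: str,
                   description: Optional[str] = None,
                   expiry: Optional[str] = None) -> Dict:
    """Assemble a hash IOC; optional fields are only added when supplied."""
    ioc = {
        "type": "sha256",
        "value": sha256_hex(file_bytes),
        "platforms": list(platforms),
        "action": action,
    }
    if description:
        ioc["description"] = description
    if expiry:
        ioc["expiry"] = expiry
    problems = validate_ioc(ioc)
    if problems:
        raise ValueError("; ".join(problems))
    return ioc


if __name__ == "__main__":
    # Constructed stand-in for the vendor's custom binary.
    vendor_binary = b"MZ\x90\x00" + b"vendor-tool-v1.0" * 16
    allow = build_hash_ioc(vendor_binary, ["Windows"], "Allow",
                           description="Vendor tool, hash confirmed with vendor")
    print(allow)
    # Missing platform is caught before anything would be submitted.
    print(validate_ioc({"type": "sha256", "value": allow["value"], "action": "Allow"}))
```

Because the indicator is keyed on the hash, a new build of the vendor binary will need a new allow entry; the description field is the place to record who verified the file and why it was allowed.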


Question 9:

Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host. What is the most appropriate role that can be added to fulfill this requirement?

A. Remediation Manager
B. Real Time Responder – Read Only Analyst
C. Falcon Analyst – Read Only
D. Real Time Responder – Active Responder

Answer: B

Explanation:

The Real Time Responder – Read Only Analyst role is the most appropriate role to meet the CISO's requirement of allowing Falcon Analysts to view files and file contents locally on compromised hosts, but without giving them the ability to take the files off the host.

Here’s why B is the correct answer:

  • The Real Time Responder – Read Only Analyst role grants read-only access to the Real Time Response (RTR) feature, which allows analysts to view files and file contents on compromised hosts, but it does not grant the ability to take or export these files from the host.

  • This role gives analysts the necessary level of access to perform file inspection and gather information locally on the host without the risk of making any changes or removing data from the system.

  • It satisfies the CISO's requirement for analysts to be able to access information on compromised hosts but restricts them from taking files off the host, ensuring better security controls.

Now, let’s review the other options:

A. Remediation Manager – The Remediation Manager role covers administrative remediation functions in the console; it is not an RTR role and does not put an analyst on a host to inspect files. It is the wrong tool for this requirement regardless of how much or how little it grants elsewhere.

C. Falcon Analyst – Read Only – The Falcon Analyst – Read Only role is a restricted role that provides read-only access to analysis features and data. While this role is appropriate for analysis purposes, it does not specifically grant the ability to access files on compromised hosts through Real Time Response, which is a core feature in this case. Therefore, this role would not meet the specific requirement of viewing files and file contents locally on the host.

D. Real Time Responder – Active Responder – The Active Responder role adds the commands that change or extract from a host, including retrieving files from it, which is exactly the capability the CISO wants withheld. It exceeds the requirement, so it is not the most appropriate choice.

In conclusion, the Real Time Responder – Read Only Analyst role is the most appropriate role for granting Falcon Analysts the ability to view files and file contents locally on compromised hosts without the ability to export or remove those files. Therefore, B is the correct answer.


Question 10:

One of your development teams is working on code for a new enterprise application but Falcon continually flags the execution as a detection during testing. All development work is required to be stored on a file share in a folder called "devcode." What setting can you use to reduce false positives on this file path?

A. USB Device Policy
B. Firewall Rule Group
C. Containment Policy
D. Machine Learning Exclusions

Answer: D – Machine Learning Exclusions

Explanation:

When dealing with false positives, particularly in security platforms like Falcon (which uses advanced machine learning to detect threats), it's essential to take specific actions to avoid blocking legitimate development work or code. The development team's code is being flagged due to its execution, even though it's legitimate and necessary for testing. In this scenario, the most appropriate approach is to reduce the chances of these legitimate files being flagged as threats by excluding them from machine learning-based detections.

Here’s why D is the correct answer:

  • D. Machine Learning Exclusions – Correct. Machine learning-based detection systems like Falcon use algorithms to identify suspicious patterns in files and activities. However, they may occasionally flag legitimate files or actions as threats, especially when dealing with custom or unrecognized code (like development work). By setting machine learning exclusions, you can specifically exclude the "devcode" folder or certain file paths from being flagged by the machine learning models used by Falcon, thereby preventing false positives during development and testing. This allows the development process to continue smoothly without unnecessary interruptions from security alerts.

Now, let’s review why the other options are incorrect:

  • A. USB Device Policy – Incorrect. A USB Device Policy generally deals with controlling how USB devices are handled within the security framework. It is focused on managing the security of external storage devices and does not relate to excluding specific file paths or preventing false positives for code execution. Therefore, it would not help in this scenario where a development folder is being flagged.

  • B. Firewall Rule Group – Incorrect. A Firewall Rule Group is used to manage network traffic and communication rules within the firewall. It’s unrelated to detecting or excluding files on a system’s file path. This option would not be relevant for managing false positives related to files being flagged as malicious during the development of an application.

  • C. Containment Policy – Incorrect. A Containment Policy defines which IP addresses a host may still reach while it is network contained. It has nothing to do with file paths or with which files the sensor flags, so it cannot reduce detections on the "devcode" folder.

To summarize, in this case, where legitimate development code is being flagged as a detection during testing, the most effective solution is to use Machine Learning Exclusions. This would allow you to exclude specific file paths (like the "devcode" folder) from the detection models, reducing false positives and ensuring that the development team can continue their work without unnecessary interruptions.

Therefore, the correct answer is D – Machine Learning Exclusions.

