CrowdStrike CCFA-200 Practice Test

Exam Title: CrowdStrike Certified Falcon Administrator

Last update: Nov 27, 2025
Question 1

How do you disable all detections for a host?

  • A. Create an exclusion rule and apply it to the machine or group of machines
  • B. Contact support and provide them with the Agent ID (AID) for the machine and they will put it on the Disabled Hosts list in your Customer ID (CID)
  • C. You cannot disable all detections on individual hosts as it would put them at risk
  • D. In Host Management, select the host and then choose the option to Disable Detections
Answer:

D


Explanation:
The administrator can disable all detections for a host by selecting the host and then choosing the
option to Disable Detections in the Host Management page. This will prevent the host from sending
any detection events to the Falcon Cloud. The other options are either incorrect or not available.
Reference: [CrowdStrike Falcon User Guide], page 32.

Question 2

To enhance your security, you want to detect and block based on a list of domains and IP addresses.
How can you use IOC management to help this objective?

  • A. Blocking of Domains and IP addresses is not a function of IOC management. A Custom IOA Rule should be used instead
  • B. Using IOC management, import the list of hashes and IP addresses and set the action to Detect Only
  • C. Using IOC management, import the list of hashes and IP addresses and set the action to Prevent/Block
  • D. Using IOC management, import the list of hashes and IP addresses and set the action to No Action
Answer:

A


Explanation:
IOC management only allows "Detect only" and "No Action" among the possible actions. Therefore,
it cannot be used to block based on IPs or domains. Custom IOA Rule groups let you create rule
types based on Network Connection (configuring a remote IP address) and domains, and give the
options "Monitor", "Detect" and "Kill Process", the last one being the closest to "block".

Question 3

Which role is required to manage groups and policies in Falcon?

  • A. Falcon Host Analyst
  • B. Falcon Host Administrator
  • C. Prevention Hashes Manager
  • D. Falcon Host Security Lead
Answer:

B


Explanation:
The Falcon Host Administrator role is required to manage groups and policies in Falcon. This role
allows users to create, edit and delete groups and policies, as well as assign them to hosts. The other
roles do not have this capability. Reference: [CrowdStrike Falcon User Guide], page 17.

Question 4

Which of the following can a Falcon Administrator edit in an existing user's profile?

  • A. First or Last name
  • B. Phone number
  • C. Email address
  • D. Working groups
Answer:

A


Explanation:
Roles are never called 'working groups' in the documentation. The only other option that can be
edited on an existing user is first and last name.

Question 5

You want the Falcon Cloud to push out sensor version changes but you also want to manually control
when the sensor version is upgraded or downgraded. In the Sensor Update policy, which is the best
Sensor version option to achieve these requirements?

  • A. Specific sensor version number
  • B. Auto - TEST-QA
  • C. Sensor version updates off
  • D. Auto - N-1
Answer:

A


Explanation:
The administrator can choose a specific sensor version number in the Sensor Update policy to
manually control when the sensor version is upgraded or downgraded. This will allow the Falcon
Cloud to push out sensor version changes, but only when the administrator changes the version
number in the policy. The other options will either automate the sensor version updates or turn
them off completely. Reference: [CrowdStrike Falcon User Guide], page 38.

Question 6

What is the goal of a Network Containment Policy?

  • A. Increase the aggressiveness of the assigned prevention policy
  • B. Limit the impact of a compromised host on the network
  • C. Gain more visibility into network activities
  • D. Partition a network for privacy
Answer:

B


Explanation:
The goal of a Network Containment Policy is to limit the impact of a compromised host on the
network. This policy allows users to isolate a host from the network, while still allowing it to
communicate with the Falcon Cloud and other essential services. This can help prevent further
damage or data exfiltration from a compromised host. The other options are either incorrect or not
related to the policy. Reference: [CrowdStrike Falcon User Guide], page 40.

Question 7

Which of the following applies to Custom Blocking Prevention Policy settings?

  • A. Hashes must be entered on the Prevention Hashes page before they can be blocked via this policy
  • B. Blocklisting applies to hashes, IP addresses, and domains
  • C. Executions blocked via hash blocklist may have partially executed prior to hash calculation process remediation may be necessary
  • D. You can only blocklist hashes via the API
Answer:

A


Explanation:
Falcon allows you to upload hashes from your own black or white lists. To enable this, navigate to
the Configuration App, Prevention hashes window, and click on “Upload Hashes” in the upper
right-hand corner. Note that you can also automate the task of importing hashes with the
CrowdStrike Falcon® API.
https://www.crowdstrike.com/blog/tech-center/how-to-prevent-malware-with-custom-blacklisting/

Question 8

How many "Auto" sensor version update options are available for Windows Sensor Update Policies?

  • A. 1
  • B. 2
  • C. 0
  • D. 3
Answer:

D


Explanation:
There are three “Auto” sensor version update options available for Windows Sensor Update Policies:
Auto - N-1, Auto - TEST-QA and Auto - Latest. These options allow the administrator to automatically
update the sensor version to the previous stable version, the latest test version or the latest stable
version, respectively. Reference: [CrowdStrike Falcon User Guide], page 38.

Question 9

The alignment of a particular prevention policy to one or more host groups can be completed in
which of the following locations within Falcon?

  • A. Policy alignment is configured in the "Host Management" section in the Hosts application
  • B. Policy alignment is configured only once during the initial creation of the policy in the "Create New Policy" pop-up window
  • C. Policy alignment is configured in the General Settings section under the Configuration menu
  • D. Policy alignment is configured in each policy in the "Assigned Host Groups" tab
Answer:

D


Explanation:
The alignment of a particular prevention policy to one or more host groups can be completed in each
policy in the “Assigned Host Groups” tab. This tab allows the administrator to select which host
groups will use the policy, as well as view the number of hosts and sensors assigned to each group.
The other options are either incorrect or not available. Reference: [CrowdStrike Falcon User Guide],
page 34.

Question 10

How long are detection events kept in Falcon?

  • A. Detection events are kept for 90 days
  • B. Detection events are kept for your subscribed data retention period
  • C. Detection events are kept for 7 days
  • D. Detection events are kept for 30 days
Answer:

A


Explanation:
"Data is only available in the Falcon UI for investigations, etc. through the company’s data retention
time frame; detection information is kept for 90 days regardless; UI audits are available for 1 year."
