[CrowdStrike] CCFA - CrowdStrike Falcon Admin Exam Dumps & Study Guide
The CrowdStrike Certified Falcon Administrator (CCFA) is the premier certification for security professionals who want to demonstrate their mastery of the CrowdStrike Falcon platform. As organizations face increasingly sophisticated cyber threats, the ability to design, implement, and manage robust, scalable, and secure endpoint security solutions has become a highly sought-after skill. The CCFA validates your expertise in leveraging the full range of CrowdStrike Falcon features to protect an organization's most sensitive data and infrastructure. It is an essential credential for any professional looking to build a career in endpoint security and prove their technical prowess.
Overview of the Exam
The CCFA exam is a rigorous assessment that covers the design, installation, configuration, and management of the CrowdStrike Falcon platform. It is a 90-minute exam consisting of 60 multiple-choice questions. The exam is designed to test your technical expertise and your ability to apply CrowdStrike best practices to real-world security scenarios. From sensor deployment and policy management to threat hunting and incident response, the CCFA ensures that you have the skills necessary to protect organizations from the most advanced cyber threats. Achieving the CCFA certification proves that you are a highly skilled professional capable of leading complex endpoint security projects.
Target Audience
The CCFA is intended for security professionals who have a deep understanding of CrowdStrike's endpoint security technologies. It is ideal for individuals in roles such as:
1. Endpoint Security Engineers
2. Security Administrators
3. Systems Engineers
4. Network Administrators
5. Consultants
To be successful, candidates should have a thorough understanding of the CrowdStrike Falcon platform and at least six months of hands-on experience in designing, implementing, and managing it.
Key Topics Covered
The CCFA exam is organized into several main domains:
1. Falcon Architecture: Understanding the core components of the CrowdStrike Falcon platform.
2. Sensor Deployment: Installing and managing CrowdStrike Falcon sensors across various operating systems.
3. Policy Management: Designing and implementing advanced security policies and workflows.
4. Threat Prevention: Configuring and managing advanced threat prevention features, including machine learning and behavioral analysis.
5. Detection and Analysis: Understanding and analyzing security detections in the Falcon console.
6. Maintenance and Troubleshooting: Identifying and resolving configuration and connectivity issues in CrowdStrike environments.
Benefits of Getting Certified
Earning the CCFA certification provides several significant benefits. First, it offers industry recognition of your elite expertise in CrowdStrike technologies. As a leader in the endpoint security industry, CrowdStrike skills are in high demand across the globe. Second, it can lead to increased career opportunities and higher salary potential in a variety of roles. Third, it demonstrates your commitment to professional excellence and your dedication to staying current with the latest security practices. By holding this certification, you join a global community of CrowdStrike professionals and gain access to exclusive resources and continuing education opportunities.
Why Choose NotJustExam.com for Your CrowdStrike Prep?
The CCFA exam is challenging and requires a deep understanding of CrowdStrike's complex features. NotJustExam.com is the best resource to help you master this material. Our platform offers an extensive bank of practice questions that are designed to mirror the actual exam’s format and difficulty.
What makes NotJustExam.com stand out is our focus on interactive logic and the accuracy of our explanations. We don’t just provide a list of questions; we provide a high-quality learning experience. Every question in our bank includes an in-depth, accurate explanation that helps you understand the technical reasoning behind the correct security solution. This ensures that you are truly learning the material and building the confidence needed to succeed on the exam. Our content is regularly updated to reflect the latest CrowdStrike features and exam updates. With NotJustExam.com, you can approach your CCFA exam with the assurance that comes from thorough, high-quality preparation. Start your journey toward becoming a Certified Falcon Administrator today with us!
Free [CrowdStrike] CCFA - CrowdStrike Falcon Admin Practice Questions Preview
-
Question 1
What is the function of a single asterisk (*) in an ML exclusion pattern?
- A. The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path
- B. The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path
- C. The single asterisk is the insertion point for the variable list that follows the path
- D. The single asterisk is only used to start an expression, and it represents the drive letter
Correct Answer:
B
Explanation:
The AI also suggests that the correct answer is B.
Reasoning:
The question asks about the function of a single asterisk (*) in an ML exclusion pattern. Based on standard globbing patterns and the discussion, a single asterisk matches any number of characters, except path separators. This behavior is consistent with file system wildcard implementations. It won't cross directory boundaries.
Why other options are incorrect:
A is incorrect because the single asterisk does not include separator characters.
C is incorrect as the single asterisk is not an insertion point for a variable list.
D is incorrect as the single asterisk is not only used to start an expression and does not represent the drive letter.
Citations:
- Glob (programming), https://en.wikipedia.org/wiki/Glob_(programming)
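To make the distinction between options A and B concrete, here is an added example (not code from the page or from CrowdStrike) of a small glob matcher in Python. It models a single asterisk as "any run of characters except a path separator", which is the behaviour the correct answer describes, and it also lets you flip to the option-A semantics so you can see how an exclusion written that way would silently cover subdirectories it was never meant to. The pattern and paths are constructed sample values; the exact syntax of a real Falcon ML exclusion is not defined here.

```python
import re

# Both '\' and '/' are treated as path separators, since exclusion
# patterns may be written for Windows or POSIX-style paths.
_SEPARATORS = r"\\/"


def glob_to_regex(pattern: str, cross_separators: bool = False) -> "re.Pattern[str]":
    """Translate a glob-style exclusion pattern into a compiled regex.

    With cross_separators=False (the option-B semantics) a single '*'
    matches zero or more characters but never a separator, so it cannot
    descend into subdirectories. With cross_separators=True (the
    option-A semantics) '*' matches across separators as well.
    This is a generic model for illustration, not CrowdStrike's parser.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*" if cross_separators else f"[^{_SEPARATORS}]*")
        elif ch == "?":
            parts.append(f"[^{_SEPARATORS}]")
        else:
            parts.append(re.escape(ch))
    # Windows paths are case-insensitive, so compare them that way.
    return re.compile("".join(parts), re.IGNORECASE)


def matches(pattern: str, path: str, cross_separators: bool = False) -> bool:
    """True if the whole path is covered by the pattern."""
    return glob_to_regex(pattern, cross_separators).fullmatch(path) is not None


def excluded_paths(pattern: str, paths: list[str], cross_separators: bool = False) -> list[str]:
    """Return the subset of paths an exclusion with this pattern would cover."""
    return [p for p in paths if matches(pattern, p, cross_separators)]


# Constructed sample data: one exclusion pattern and a handful of file paths.
SAMPLE_PATTERN = r"C:\Tools\*.exe"
SAMPLE_PATHS = [
    r"C:\Tools\run.exe",          # direct child: covered by '*'
    r"C:\Tools\.exe",             # '*' matches an empty string
    r"c:\tools\RUN.EXE",          # case differs only
    r"C:\Tools\sub\run.exe",      # in a subdirectory: '*' must not cross '\'
    r"C:\Tools\payload.dll",      # wrong extension
]

if __name__ == "__main__":
    print("single '*' does not cross separators (option B):")
    for p in excluded_paths(SAMPLE_PATTERN, SAMPLE_PATHS):
        print("  excluded:", p)
    print("if '*' crossed separators (option A), the exclusion would widen to:")
    for p in excluded_paths(SAMPLE_PATTERN, SAMPLE_PATHS, cross_separators=True):
        print("  excluded:", p)
```

Running the block shows that under the correct semantics only the three files directly inside `C:\Tools` are excluded, while the option-A reading would additionally exclude `C:\Tools\sub\run.exe`. That widening is exactly why the separator rule matters when reviewing exclusions: a pattern meant for one folder should not quietly cover everything beneath it.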
-
Question 2
You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?
- A. Contact support and request that they modify the Machine Learning settings to no longer include this detection
- B. Using IOC Management, add the hash of the binary in question and set the action to "Allow"
- C. Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"
- D. Using IOC Management, add the hash of the binary in question and set the action to "No Action"
Correct Answer:
B
Explanation:
The AI assistant agrees with the suggested answer, which is B. The best approach to prevent future false positive detections from a specific binary is to explicitly allow it.
Reasoning:
Option B, "Using IOC Management, add the hash of the binary in question and set the action to 'Allow'," is the most effective solution because it tells the system to explicitly trust the binary. This prevents the machine learning algorithms from flagging it as malicious in the future, thereby reducing false positives. By setting the action to "Allow," the system recognizes the binary as safe, ensuring it won't trigger further alerts.
Reasons for not choosing other options:
- Option A: Contacting support to modify machine learning settings is a possible solution but is not as efficient or immediate as using IOC Management. It also relies on an external party and may not address the issue as quickly.
- Option C: Blocking the binary and hiding the detection is counterproductive because the binary is known to be safe. This approach would prevent the legitimate use of the vendor's software.
- Option D: Setting the action to "No Action" would mean the system continues to detect the binary, generating false positives, but takes no action. This does not resolve the problem of unwanted detections and clutters the detection logs.
No specific source directly supports using IOC Management to handle false positives from machine learning detections. However, the general principle of allow-listing known-good software in security systems aligns with this approach. Threat intelligence platforms are an essential part of security operations, and IOC management can be used as one component of such a platform.
Citations:
- Threat intelligence platforms: benefits and key components, https://www.ibm.com/topics/threat-intelligence-platforms
-
Question 3
What is the purpose of a containment policy?
- A. To define which Falcon analysts can contain endpoints
- B. To define the duration of Network Containment
- C. To define the trigger under which a machine is put in Network Containment (e.g. a critical detection)
- D. To define allowed IP addresses over which your hosts will communicate when contained
Correct Answer:
D
Explanation:
The AI agrees with the suggested answer D.
Reasoning: A containment policy's primary purpose is to define which IP addresses or ranges a contained host can communicate with. This allows for continued essential functions while isolating a potentially compromised system. The online discussions confirm that the CrowdStrike Falcon containment policy lets administrators specify an allowlist of IP addresses for communication even when a host is contained. This is crucial for maintaining critical services or allowing remediation traffic.
Reasons for not choosing the other options:
- Option A is incorrect because containment policies do not define which Falcon analysts can contain endpoints. User permissions are typically managed through separate role-based access control (RBAC) mechanisms within the Falcon platform.
- Option B is partially correct, but not the primary purpose. While a containment policy might include settings related to the duration of network containment, its core function extends beyond simply setting the duration. The policy is more about *what* a contained host can communicate with, rather than just *how long* it's contained.
- Option C is related to response policies, not containment policies. Response policies determine the triggers for actions like containment. Containment policies determine what a contained host is allowed to communicate with.
Citations:
- CrowdStrike Falcon product documentation (details on containment policies): https://www.crowdstrike.com/
-
Question 4
An administrator creating an exclusion is limited to applying a rule to how many groups of hosts?
- A. File exclusions are not aligned to groups or hosts
- B. There is a limit of three groups of hosts applied to any exclusion
- C. There is no limit and exclusions can be applied to any or all groups
- D. Each exclusion can be aligned to only one group of hosts
Correct Answer:
C
Explanation:
The AI agrees with the suggested answer C.
Reasoning: Based on the accumulated feedback and direct testing by users, there is no restriction on the number of host groups that can be assigned to an exclusion rule within the system. This implies that an administrator can apply an exclusion to any number of groups, ranging from specific subsets to all groups. The absence of a limitation offers flexibility in tailoring security policies and exceptions to meet specific organizational needs. This is crucial for managing diverse environments where different host groups require distinct exclusion configurations.
Reasons for not choosing the other answers:
- A: This statement is incorrect as file exclusions can indeed be aligned to groups or hosts.
- B: This is incorrect, as there is no limit of three host groups per exclusion.
- D: This is incorrect, as exclusions are not limited to only one group of hosts.
-
Question 5
Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host. Which role do you need added to your user account to have this capability?
- A. Real Time Responder
- B. Endpoint Manager
- C. Falcon Investigator
- D. Remediation Manager
Correct Answer:
A
Explanation:
The suggested answer is correct. To use the "Connect to Host" feature and gather additional information directly from the host within the CrowdStrike Falcon platform, the user account needs the Real Time Responder (RTR) role. The Falcon Administrator role, while having broad permissions, does not inherently grant access to real-time response capabilities.
Reasoning:
- The "Connect to Host" feature is part of CrowdStrike's Real Time Response (RTR) functionality, allowing administrators to directly interact with and gather data from endpoints.
- The Real Time Responder role specifically grants users the permissions needed to initiate and conduct RTR sessions, including using commands to collect information and take actions on the host.
Why other options are incorrect:
- Endpoint Manager: This role typically focuses on managing and configuring endpoint security policies, not on direct host interaction for data gathering.
- Falcon Investigator: This role is primarily for threat investigation and analysis within the Falcon console, not for connecting to hosts in real-time.
- Remediation Manager: This role is related to managing and implementing remediation actions for identified threats, but it doesn't provide the direct host access granted by the RTR role.
Citations:
- CrowdStrike Falcon Real Time Response: https://www.crowdstrike.com/cybersecurity-101/endpoint-detection-and-response-edr/real-time-response-rtr/
-
Question 6
What must an admin do to reset a user's password?
- A. From User Management, open the account details for the affected user and select "Generate New Password"
- B. From User Management, select "Reset Password" from the three dot menu for the affected user account
- C. From User Management, select "Update Account" and manually create a new password for the affected user account
- D. From User Management, the administrator must rebuild the account as the certificate for user specific private/public key generation is no longer valid
Correct Answer:
B
Explanation:
Based on the question and discussion content, the AI suggests that option B is the correct answer.
Reasoning:
- The consensus from the discussion is that option B ("From User Management, select "Reset Password" from the three dot menu for the affected user account") is the correct method to reset a user's password.
- Multiple users have confirmed this method's validity, with some mentioning they tested it in the UI (although specific UI details are not given in the discussion).
Reasons for not choosing other options:
- Option A ("From User Management, open the account details for the affected user and select "Generate New Password"") might exist in some systems, but it is not the most direct or common approach, according to the information available.
- Option C ("From User Management, select "Update Account" and manually create a new password for the affected user account") is less secure and not a standard password reset procedure. Manually creating passwords violates security best practices.
- Option D ("From User Management, the administrator must rebuild the account as the certificate for user specific private/public key generation is no longer valid") is an extreme and unnecessary measure for a simple password reset. It indicates a misunderstanding of account management principles.
-
Question 7
Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group. What is the next step to disable RTR only on these hosts?
- A. Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
- B. Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"
- C. Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
- D. Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality"
Correct Answer:
C
Explanation:
The AI agrees with the suggested answer C.
The most effective method to disable Real Time Response (RTR) on a specific group of servers within Falcon, without affecting other servers, is to create a new Response Policy with RTR disabled and assign it to the relevant host group.
Reasoning:
Creating a new Response Policy provides granular control over specific host groups. This approach avoids modifying the Default Response Policy, which could inadvertently impact other systems. By creating a new policy with "Real Time Response" toggled off and assigning it to the designated host group, RTR will be effectively disabled only for those servers. The comments in the discussion thread support this approach.
Why other options are incorrect:
- A: Editing the Default Response Policy and assigning it to the host group is not recommended. The default policy should generally be left untouched to avoid unintended consequences on other hosts.
- B: While adding the host group to the exceptions list under "Real Time Functionality" in the Default Response Policy might seem like a viable option, it's generally better to create a separate policy for specific exceptions to maintain a clearer and more organized configuration.
- D: Creating a new Response Policy and adding the host name to the exceptions list under "Real Time Functionality" is not efficient. It is better to create host groups and manage them on the host group level.
Therefore, creating a dedicated Response Policy for the servers requiring disabled RTR is the most appropriate and manageable solution.
Suggested Answer: C
- The suggested answer correctly identifies that creating a new response policy is the best approach.
- The primary reason for selecting this answer is that it allows for targeted configuration changes without affecting other parts of the infrastructure.
- The other answers were not selected because they involve modifying the default policy or are less efficient ways to manage a host group.
-
Question 8
When creating new IOCs in IOC management, which of the following fields must be configured?
- A. Hash, Description, Filename
- B. Hash, Action and Expiry Date
- C. Filename, Severity and Expiry Date
- D. Hash, Platform and Action
Correct Answer:
D
Explanation:
The AI agrees with the suggested answer of D. Hash, Platform and Action.
The reason for choosing this answer is that these fields are typically essential for defining and acting upon an Indicator of Compromise (IOC). A hash (like MD5, SHA1, SHA256) uniquely identifies a file or piece of data. The platform specifies where this IOC is relevant (e.g., Windows, Linux). Action defines what should happen when the IOC is matched (e.g., block, alert). These three are fundamental for effective IOC management.
Let's analyze why the other options are less suitable:
- A. Hash, Description, Filename: While Hash and Filename are useful, 'Description' is typically optional and doesn't dictate how the IOC is handled. 'Action' is more critical.
- B. Hash, Action and Expiry Date: 'Expiry Date' is important for IOC lifecycle, but 'Platform' is crucial for targeting the IOC effectively. Without knowing the platform, the 'Action' might not be applicable.
- C. Filename, Severity and Expiry Date: 'Filename' alone is not as reliable as a 'Hash' for identifying malicious files (filenames can be easily changed). Severity is useful for prioritization but doesn't define the IOC itself. Platform is still missing.
Therefore, option D provides the most fundamental elements required when creating a new IOC.
Citations:
- SANS Institute, Understanding Indicators of Compromise, https://www.sans.org/reading-room/whitepapers/incident/understanding-indicators-compromise-33901
- NIST, Computer Security Incident Handling Guide, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
-
Question 9
Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host. What is the most appropriate role that can be added to fulfil this requirement?
- A. Remediation Manager
- B. Real Time Responder – Read Only Analyst
- C. Falcon Analyst – Read Only
- D. Real Time Responder – Active Responder
Correct Answer:
B
Explanation:
The AI agrees with the suggested answer, B (Real Time Responder – Read Only Analyst).
The reason for selecting this answer is that the question explicitly states the requirement for Falcon Analysts to view files and file contents locally on compromised hosts without the ability to take them off the host. The "Real Time Responder – Read Only Analyst" role is designed to provide exactly this level of access: the ability to connect to a host and examine files in real-time without the ability to download or modify them. This aligns perfectly with the CISO's requirement.
The reasons for not choosing the other answers are:
- A. Remediation Manager: This role typically focuses on taking action to remediate threats and vulnerabilities, which goes beyond the requirement of simply viewing files.
- C. Falcon Analyst – Read Only: This role generally provides access to Falcon's detection and reporting capabilities but typically does not include the ability to directly access and view files on managed hosts.
- D. Real Time Responder – Active Responder: This role grants the ability to take actions on the host, such as running commands and downloading files, which violates the requirement of not being able to take files off the host.
Therefore, the "Real Time Responder – Read Only Analyst" role is the most appropriate choice as it provides the necessary file viewing capabilities without the ability to exfiltrate data.
Citations:
- CrowdStrike Falcon Roles, https://falcon.crowdstrike.com/support/documentation/83/user_management_and_roles
-
Question 10
One of your development teams is working on code for a new enterprise application but Falcon continually flags the execution as a detection during testing. All development work is required to be stored on a file share in a folder called "devcode." What setting can you use to reduce false positives on this file path?
- A. USB Device Policy
- B. Firewall Rule Group
- C. Containment Policy
- D. Machine Learning Exclusions
Correct Answer:
D
Explanation:
The AI agrees with the suggested answer.
The suggested answer is D: Machine Learning Exclusions.
Reasoning: The question asks for a setting to reduce false positives on a specific file path ("devcode"). Machine Learning Exclusions are designed precisely for this purpose. They allow you to configure specific paths or files to be excluded from scanning by the sensor's machine learning engine, thereby reducing false positive detections. This is particularly useful for development environments where code may exhibit behaviors that resemble malicious activity but are actually part of the legitimate development process.
Reasons for not choosing other options:
- A. USB Device Policy: This policy controls the use of USB devices on the system and does not directly address file path exclusions or false positive reduction related to code execution.
- B. Firewall Rule Group: Firewall rules control network traffic and are not relevant to excluding specific file paths from machine learning analysis.
- C. Containment Policy: Containment policies are used to isolate a machine that is suspected of being compromised. While containment might stop the flagged execution, it's a drastic measure and not appropriate for simply reducing false positives in a development environment. Also, containment focuses on isolating the machine, while the machine learning exclusion allows for self-service allowlisting.
Citations:
- CrowdStrike Falcon Machine Learning Exclusions, https://falcon.crowdstrike.com/support/documentation/160/detection_exclusions