CCFA-200 CrowdStrike Certified Falcon Administrator Questions and Answers

The administrator can find a list of hosts that have not communicated with the CrowdStrike Cloud in the last 30 days by going to Host setup and management > Managed endpoints > Inactive Sensors. Then, change the time range to 30 days. This will show the host name, last seen date, sensor version and group name for each inactive host. The other options are either incorrect or not available. Reference: [CrowdStrike Falcon User Guide], page 31.

The only place where create host groups is in " Host and setup management > host Groups> Create a group" In Sensor Update policies you can only asign a group of host to the policy not creating a group of hosts.

The exclusion pattern that will prevent detections on a file at C:\Program Files\My Program\My Files\program.exe is \Program Files\My Program\My Files*. This pattern will match any file under the My Files folder, including program.exe, and exclude them from detections. The other patterns are either incorrect or too broad to prevent detections on this specific file. Reference: [CrowdStrike Falcon User Guide], page 37.

The information that the API Audit Trail Report provides is a list of actions taken via Falcon OAuth2-based APIs. The API Audit Trail Report allows you to view and audit the activity and usage of the Falcon APIs by different API clients and users in your organization. You can use this report to monitor who accessed what data, when, and how via the Falcon APIs2.

References: 2: Cybersecurity Resources | CrowdStrike

The tool developed by Crowdstrike that is intended to help with removal of the CrowdStrike Windows Falcon Sensor is CSUninstallTool.exe. This tool is a command-line utility that can uninstall the Falcon sensor from a Windows system without requiring user interaction or network connectivity. The tool can also bypass the Uninstall and Maintenance Protection feature if enabled in the Sensor Update Policy2.

References: 2: Cybersecurity Resources | CrowdStrike

A valid step when troubleshooting sensor installation failure is to confirm all required services are running on the system. This can help identify if there are any issues with the sensor service, the Windows Management Instrumentation service, or the Windows Remote Management service, which are required for the sensor to function properly. The other options are either incorrect or not helpful for troubleshooting sensor installation failure. Reference: CrowdStrike Falcon User Guide, page 29.

The Workflow Execution log in the Workflow Management option allows you to view the status and results of workflow executions triggered by detection events. You can filter the log by workflow name, status, start and end time, and detection ID. You can also view the details of each execution, including the actions performed, the output received, and any errors encountered. This log can help you troubleshoot potential failures or issues with your workflows1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The statement that is true about managing a user’s role is that you must be a Falcon Administrator. A Falcon Administrator is a role that has full access and control over all features and functions in Falcon, including user management. A Falcon Administrator can create, modify, delete, and assign roles to other users in Falcon. A Falcon Administrator can also re-use the account email for a new account, enable Falcon MFA (multi-factor authentication), and assign other roles such as Falcon Security Lead or Falcon Investigator2.

References: 2: Cybersecurity Resources | CrowdStrike

Turn on the Script-Based Execution Monitoring prevention policy setting to enable the "Falcon sensor to monitor the contents of scripts and shells that are popular mechanisms for executing malicious code on hosts. This setting does not kill or block scripts."

Scripting languages:

Excel 4.0 macros

JScript

VBA Macros

VBScript

The Sensor Visibility setting that should be turned on within the Prevention policy settings to monitor suspicious VBA macros is Script-based Execution Monitoring. Script-based Execution Monitoring is a feature that enables the Falcon sensor to monitor and prevent malicious script execution on Windows systems. The feature uses machine learning and behavioral analysis to detect suspicious scripts or commands executed by various script interpreters, such as PowerShell, WScript, CScript, or Bash. VBA (Visual Basic for Applications) is a scripting language that can be embedded in Microsoft Office documents, such as Word or Excel. VBA macros can be used to automate tasks or perform actions within the documents, but they can also be abused by attackers to deliver malware or execute malicious code. Script-based Execution Monitoring can help detect and prevent such attacks by monitoring the contents of VBA macros for execution of malicious content.

References: : [Falcon Administrator Learning Path | Infographic | CrowdStrike]

When editing an existing IOA exclusion, the IOA name cannot be edited. An IOA (indicator of attack) exclusion allows you to define custom rules for excluding suspicious behavior from detection or prevention based on process execution, file write, network connection, or registry events. The IOA name is a predefined name that identifies the type of IOA behavior that you want to exclude, such as “Suspicious Process Execution - Script Interpreter Executing File”. The IOA name cannot be changed when editing an existing IOA exclusion, as it is linked to a specific IOA rule in the Falcon platform. However, you can edit other parts of the IOA exclusion, such as the exclusion name, the hosts groups, and the filter criteria2.

References: 2: Cybersecurity Resources | CrowdStrike

The best settings to configure the Machine Learning levels of the Prevention Policy so it does not interfere with existing solutions during the testing phase are Cautious for both Detection and Prevention sliders. This setting will enable the sensor to detect and prevent only high-confidence malicious events, while allowing low-confidence events to run without interference. This setting will also generate less noise and false positives than higher settings, such as Moderate or Extra Aggressive1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

"ProvNoWait=1

The sensor does not abort installation if it can't connect to the CrowdStrike cloud within 20 minutes (10 minutes, in Falcon sensor version 6.21 and earlier). (By default, if the host can't contact our cloud, it will retry the connection for 20 minutes. After that, the host will automatically uninstall its sensor.)"

"ProvWaitTime=3600000

The sensor waits for 1 hour to connect to the CrowdStrike cloud when installing (the default is 20 minutes)."

The administrator can assign a policy to a specific group of hosts by creating a group containing the desired hosts using “Static Assignment.” Then, go to the Assigned Host Groups tab of the desired policy and click “Add groups to policy.” Select the desired Group(s). This will apply the policy to the selected group(s) of hosts. The other options are either incorrect or not applicable to static assignment. Reference: [CrowdStrike Falcon User Guide], page 33.

Prevention Policies are created based on the OS (Windows, MAC and Linux policies). Once a prevention policy is created, three options appear on top: Settings, Assigned Host Groups and Assigned Custom IOAS (tested on Crowdstrike). Therefore, Host Groups and Custom IOAS are the two different types of groups a prevention policy can be aligned to.

When creating an API client, the secret must be saved immediately since it cannot be viewed again after the client is created. The secret is a randomly generated string that is used to authenticate the API client along with the client ID. The other options are either incorrect or can be viewed or modified later. Reference: CrowdStrike Falcon User Guide, page 54.

The page that provides a count of sensors in Reduced Functionality Mode (RFM) by Operating System is Sensor Health. The Sensor Health page allows you to view and monitor the health and status of all sensors in your environment. You can use this page to identify any sensors that have issues or errors, such as RFM, which is a mode that limits the sensor’s functionality due to license expiration, network connectivity loss, or certificate validation failure. You can filter the sensors by operating system, sensor version, last seen date, health events, detections, and preventions3.

References: 3: How to Become a CrowdStrike Certified Falcon Administrator

The Windows sensor installer for CrowdStrike Falcon can be downloaded from the Hosts > Sensor Downloads page in the Falcon console. This page allows you to download different sensor versions and installers for various operating systems and platforms, as well as view installation instructions and release notes. The other options are either incorrect or not available. Reference: CrowdStrike Falcon User Guide, page 27.

A sensor that has not contacted the Falcon cloud will be automatically deleted from the hosts list after 90 days. A sensor that has not contacted the Falcon cloud for more than seven days is considered inactive and will be moved from the Host Management page to the Trash page. An inactive sensor will remain in the Trash page for 90 days before being permanently deleted from the Falcon platform. You can restore an inactive sensor from the Trash page if it contacts the Falcon cloud again within 90 days.

References: : [Falcon Administrator Learning Path | Infographic | CrowdStrike]

The command that should be run to verify if a Windows sensor is running is sc query csagent. This command will display the status and information of the csagent service, which is the Falcon sensor service. The other commands are either incorrect or not applicable to Windows sensors. Reference: [CrowdStrike Falcon User Guide], page 29.

The most appropriate action to take if you wanted to prevent a folder from being uploaded to the cloud without disabling uploads globally is to create a Custom IOC entry. A Custom IOC (indicator of compromise) entry allows you to define custom rules for detecting or preventing malicious activity based on file hashes, file paths, IP addresses, or domains. You can use regex (regular expression) syntax to create a Custom IOC entry that matches the folder path that you want to block from being uploaded to the cloud1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

Regex guidelines https://falcon.crowdstrike.com/documentation/68/detection-and-prevention-policies#regex

" Data is only available in the Falcon UI for investigations, etc. through the company’s data retention time frame; detection information is kept for 90 days regardless; UI audits are available for 1 year

Once an exclusion is saved, all parts of the exclusion can be changed in the future. The administrator can edit an existing exclusion by selecting it from the Exclusions page and modifying any of its fields, such as pattern, type, option, group or host. The other options are either incorrect or not true of editing exclusions. Reference: CrowdStrike Falcon User Guide, page 37.

Real Time Responder - Administrator (RTR Administrator) - Can do everything RTR Active Responder can do, plus create custom scripts, upload files to hosts using the put command, and directly run executables using the run command.

The option that uses regex to create a detection or take a preventative action is Custom IOA. A Custom IOA (indicator of attack) allows you to define custom rules for detecting or preventing suspicious behavior based on process execution, file write, network connection, or registry events. You can use regex syntax to create a Custom IOA rule that matches the event data that you want to monitor or block1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The best approach to updating the Containment Policy to allow a new patch server that should be reachable while hosts in your environment are network contained is to add an allowlist entry for the individual server’s IP address. An allowlist entry allows you to define a list of trusted IP addresses that can communicate with your contained hosts. This way, you can isolate a host from the network while still allowing it to access essential resources or services, such as a patch server. If the server’s IP address is static and does not change, adding an individual IP address is more precise and secure than adding a host group or a network range2.

References: 2: Cybersecurity Resources | CrowdStrike

The option that is not an available action for an API Client is Retrieve an API Client Secret. An API Client is an entity that represents a user or application that can access the Falcon platform programmatically via the Falcon APIs. An API Client has an API Client ID and an API Client Secret, which are used for authenticating and authorizing API requests. You can create and manage API Clients in the API Clients and Keys page in the Falcon console. The available actions for an API Client are Edit an API Client, Reset an API Client Secret, and Delete an API Client. You cannot retrieve an API Client Secret after it has been created, as it is only displayed once during creation for security reasons2.

References: 2: Cybersecurity Resources | CrowdStrike

When uninstalling a sensor, a maintenance token is required if the ‘Uninstall and maintenance protection’ setting is enabled within the Sensor Update Policies. This setting prevents unauthorized or accidental uninstallation of sensors by requiring a token that can be generated from the Falcon console. The other options are either incorrect or not related to uninstalling a sensor. Reference: CrowdStrike Falcon User Guide, page 29.

The syntax that would be best for detecting or preventing on all subdomains as well is *.baddomain.xyz|baddomain. xyz. This syntax will match any domain that ends with .baddomain.xyz or is exactly baddomain.xyz. The * wildcard will match any characters before the dot, and the | operator will match either side of the expression. This syntax can be used in a Custom IOC or a Custom IOA rule to detect or prevent network connections to malicious domains1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

An inactive host will remain visible within the Host Management or Trash pages for 90 days. An inactive host is a host that has not communicated with the Falcon platform for more than seven days. An inactive host will be moved from the Host Management page to the Trash page after seven days of inactivity. An inactive host will remain in the Trash page for 90 days before being permanently deleted from the Falcon platform. You can restore an inactive host from the Trash page if it becomes active again within 90 days1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The option that best describes the general process for installation of the Falcon Sensor on MacOS is to install the Falcon package, use falconctl to license the sensor, approve the system extension, grant the sensor Full Disk Access. The Falcon package contains the sensor binary and the kernel extension, which can be installed by double-clicking on it or using a command-line tool such as installer. The falconctl tool is a command-line utility that allows you to configure and manage the sensor on MacOS systems. You can use falconctl to license the sensor by providing your Customer ID (CID) and optionally your Sensor Group ID (SGID). After licensing the sensor, you need to approve the system extension in the Security & Privacy settings of your system preferences, which will require a restart. Finally, you need to grant the sensor Full Disk Access in the Privacy settings of your system preferences, which will allow the sensor to monitor and protect your files and folders1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

When a user initiates a sensor install, the logs can be found in %SYSTEMROOT%\Temp. This folder contains temporary files and folders created by the system or applications, including the sensor installation logs. The sensor installation logs have names that start with CSFalconContainer and end with .log, such as CSFalconContainer-2023-08-31_11-23-21.log. These logs can help you troubleshoot any issues or errors that may occur during the sensor installation process3.

References: 3: How to Become a CrowdStrike Certified Falcon Administrator

The administrator can choose a specific sensor version number in the Sensor Update policy to manually control when the sensor version is upgraded or downgraded. This will allow the Falcon Cloud to push out sensor version changes, but only when the administrator changes the version number in the policy. The other options will either automate the sensor version updates or turn them off completely. Reference: [CrowdStrike Falcon User Guide], page 38.

The purpose of the Default Sensor Policy is that it acts as a “catch all” policy if no other Sensor Policies are applied. A Sensor Policy is a policy that defines the detection and prevention settings for the Falcon sensor on a host. You can create and assign custom Sensor Policies to different hosts or groups in your environment. However, if a host is not assigned to a specific Sensor Policy, it will inherit the settings from the Default Sensor Policy. The Default Sensor Policy is a “catch-all” policy that is enabled by default and has the “Malware Protection” feature turned on. You can modify the settings of the Default Sensor Policy, but you cannot delete or disable it1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The administrator can create a new Response Policy, toggle the “Real Time Response” switch off and assign the policy to the host group that contains the servers that are not allowed to be accessed remotely. This will disable RTR only on those hosts, while keeping it enabled for the rest of the hosts. Editing the Default Response Policy or adding exceptions will not achieve the desired result. Reference: CrowdStrike Falcon User Guide, page 35.

The Machine Learning (ML) slider that will only detect or prevent high confidence malicious items is Cautious. The ML slider allows you to adjust the level of sensitivity and aggressiveness of the Falcon sensor’s ML engine, which uses artificial intelligence to identify and stop unknown threats. The Cautious setting will enable the sensor to detect and prevent only high-confidence malicious events, while allowing low-confidence events to run without interference. This setting will also generate less noise and false positives than higher settings, such as Moderate or Extra Aggressive1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

You are usuing RegEx here and need leading ".*" to capture www and then need a ".*" at the end to identify any sites falling under badguydomain.com

Sensor Update policies need to be configured for each OS (Windows, Mac, Linux) because Sensor Update policies are OS dependent. A Sensor Update policy is a policy that controls how and when the Falcon sensor is updated on a host. Sensor Update policies are specific to each operating system type, as different operating systems have different sensor versions, features, and requirements. Therefore, you need to create and assign separate Sensor Update policies for each operating system type in your environment1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

 In order to exercise manual control over the sensor upgrade process, as well as prevent unauthorized users from uninstalling or upgrading the sensor, the administrator should set the Sensor version to fixed and turn on the Uninstall and maintenance protection setting in the Sensor Update Policy. This will allow the administrator to specify which sensor version will be used by the hosts using this policy, and also require a maintenance token to uninstall or upgrade the sensor. The other options are either incorrect or not sufficient to meet this criteria. Reference: CrowdStrike Falcon User Guide, page 38.

The option that may prevent a user from logging into Falcon via single sign-on (SSO) is that the SSO username doesn’t match their email address in Falcon. SSO is a feature that allows you to use an external identity provider (IdP) to authenticate and authorize users to access the Falcon platform. SSO simplifies and streamlines the login process, as users only need to remember one set of credentials for multiple applications. However, SSO requires that the username in the IdP matches the email address in Falcon for each user. If there is a mismatch between the username and the email address, the user will not be able to log into Falcon via SSO.

References: : [Cybersecurity Resources | CrowdStrike]