Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. CrowdStrike
  5. CCFA-200

CrowdStrike CCFA-200 Exam Questions
CrowdStrike Certified Falcon Administrator (Page 3 )

Updated On: 16-Feb-2026
Page 3 of 32
PDF with 153 Questions

What must an admin do to reset a user's password?

  1. From User Management, open the account details for the affected user and select "Generate New Password"
  2. From User Management, select "Reset Password" from the three dot menu for the affected user account
  3. From User Management, select "Update Account" and manually create a new password for the affected user account
  4. From User Management, the administrator must rebuild the account as the certificate for user specific private/public key generation is no longer valid

Answer(s): B

Explanation:

The administrator can reset a user's password by selecting "Reset Password" from the three dot menu for the affected user account in the User Management page. This will generate a new password and send it to the user's email address. The other options are either incorrect or not available.


Reference:

CrowdStrike Falcon User Guide, page 25.



Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group.
What is the next step to disable RTR only on these hosts?

  1. Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
  2. Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"
  3. Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
  4. Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality"

Answer(s): C

Explanation:

The administrator can create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group that contains the servers that are not allowed to be accessed remotely. This will disable RTR only on those hosts, while keeping it enabled for the rest of the hosts. Editing the Default Response Policy or adding exceptions will not achieve the desired result.


Reference:

CrowdStrike Falcon User Guide, page 35.



When creating new IOCs in IOC management, which of the following fields must be configured?

  1. Hash, Description, Filename
  2. Hash, Action and Expiry Date
  3. Filename, Severity and Expiry Date
  4. Hash, Platform and Action

Answer(s): D

Explanation:

When creating new IOCs in IOC management, the administrator must configure the Hash, Platform and Action fields. The Hash field is the value of the IOC, such as MD5, SHA1 or SHA256. The Platform field is the operating system that the IOC applies to, such as Windows, Linux or Mac. The Action field is the action that Falcon will take when detecting the IOC, such as Detect, Block or Allow. The other fields are either optional or not available.


Reference:

CrowdStrike Falcon User Guide, page 44



Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host.
What is the most appropriate role that can be added to fullfil this requirement?

  1. Remediation Manager
  2. Real Time Responder ­ Read Only Analyst
  3. Falcon Analyst ­ Read Only
  4. Real Time Responder ­ Active Responder

Answer(s): B

Explanation:

The Real Time Responder - Read Only Analyst only allows to run the commands "cat,cd,clear,env,eventlog,filehash,getsid,help,history,ipconfig,ls,mount,netstat,ps,reg" the role do not have permission to get files so it is the most aproximated profile for the requested capabilities.



One of your development teams is working on code for a new enterprise application but Falcon continually flags the execution as a detection during testing. All development work is required to be stored on a file share in a folder called "devcode." What setting can you use to reduce false positives on this file path?

  1. USB Device Policy
  2. Firewall Rule Group
  3. Containment Policy
  4. Machine Learning Exclusions

Answer(s): D

Explanation:

Continment Policy, is a allowlist of IPs and CIDR networks allowed in the moment of a host containtment. The Machine Learning Exclusions are the way to avoid the detections done it by Machine Learning based on files, so it is possible to exclude the detections for the requested folder with a GLOB expression.






Post your Comments and Discuss CrowdStrike CCFA-200 exam dumps with other Community members:

Join the CCFA-200 Discussion