Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. CrowdStrike
  5. CCFA-200

CrowdStrike CCFA-200 Exam Questions
CrowdStrike Certified Falcon Administrator (Page 6 )

Updated On: 16-Feb-2026
Page 6 of 32
PDF with 153 Questions

What information is provided in Logan Activities under Visibility Reports?

  1. A list of all logons for all users
  2. A list of last endpoints that a user logged in to
  3. A list of users who are remotely logged on to devices based on local IP and local port
  4. A list of unique users who are remotely logged on to devices based on the country

Answer(s): B

Explanation:

The Logon Activities report under Visibility Reports provides a list of last endpoints that a user logged in to. This report shows the user name, domain name, logon type, logon time and endpoint name for each logon event. The other options are either incorrect or not related to the report.


Reference:

[CrowdStrike Falcon User Guide], page 50.



What can the Quarantine Manager role do?

  1. Manage and change prevention settings
  2. Manage quarantined files to release and download
  3. Manage detection settings
  4. Manage roles and users

Answer(s): B

Explanation:

The Quarantine Manager role can manage quarantined files to release and download. This role allows users to view and search quarantined files, as well as release them from quarantine or download them for further analysis. The other roles do not have this capability.


Reference:

[CrowdStrike Falcon User Guide], page 19.



What command should be run to verify if a Windows sensor is running?

  1. regedit myfile.reg
  2. sc query csagent
  3. netstat -f
  4. ps -ef | grep falcon

Answer(s): B

Explanation:

The command that should be run to verify if a Windows sensor is running is sc query csagent. This command will display the status and information of the csagent service, which is the Falcon sensor service. The other commands are either incorrect or not applicable to Windows sensors.


Reference:

[CrowdStrike Falcon User Guide], page 29.



When configuring a specific prevention policy, the admin can align the policy to two different types of groups, Host Groups and which other?

  1. Custom IOA Rule Groups
  2. Custom IOC Groups
  3. Enterprise Groups
  4. Operating System Groups

Answer(s): A

Explanation:

Prevention Policies are created based on the OS (Windows, MAC and Linux policies). Once a prevention policy is created, three options appear on top: Settings, Assigned Host Groups and Assigned Custom IOAS (tested on Crowdstrike). Therefore, Host Groups and Custom IOAS are the two different types of groups a prevention policy can be aligned to.



Which role allows a user to connect to hosts using Real-Time Response?

  1. Endpoint Manager
  2. Falcon Administrator
  3. Real Time Responder ­ Active Responder
  4. Prevention Hashes Manager

Answer(s): C

Explanation:

The role that allows a user to connect to hosts using Real-Time Response is Real Time Responder ­ Active Responder. This role allows users to use the "Connect to Host" feature to gather additional information from the host, as well as execute commands and scripts on the host. The other roles do not have this capability.


Reference:

[CrowdStrike Falcon User Guide], page 18.






Post your Comments and Discuss CrowdStrike CCFA-200 exam dumps with other Community members:

Join the CCFA-200 Discussion