CCFA-200 CrowdStrike Certified Falcon Administrator Free Practice Exam Questions (2025 Updated)

OU (organizational unit) is a filter within the Host setup and management > Host management page. The Host management page allows you to view and manage all the hosts in your environment that have Falcon sensors installed. You can filter the hosts by hostname, group, OS version, sensor version, last seen date, health events, detections, and preventions. You can also filter by OU, which is a logical grouping of hosts based on their Active Directory domain structure1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The option that should be disabled on firewalls so that the sensor’s man-in-the-middle attack protection works properly is deep packet inspection. Deep packet inspection is a network configuration that inspects and modifies the data packets that pass through a firewall. Deep packet inspection may interfere with the sensor’s certificate validation, which is a feature that verifies that the server certificate presented by the Falcon cloud matches a hard-coded certificate embedded in the sensor. If the certificate validation fails, the sensor will reject the connection and generate an error3.

References: 3: How to Become a CrowdStrike Certified Falcon Administrator

Real Time Responder - Administrator (RTR Administrator) - Can do everything RTR Active Responder can do, plus create custom scripts, upload files to hosts using the put command, and directly run executables using the run command.

Glob syntax is used to specify exclusion patterns to easily exclude files and folders and extensions from detections. Glob syntax allows you to use wildcards (*) and ranges ([a-z]) to match multiple characters or values in a file path or name. For example, you can use glob syntax to exclude all files with .exe extension in a folder by using C:\Folder*.exe as an exclusion pattern2.

References: 2: Cybersecurity Resources | CrowdStrike

The administrator can disable all detections for a host by selecting the host and then choosing the option to Disable Detections in the Host Management page. This will prevent the host from sending any detection events to the Falcon Cloud. The other options are either incorrect or not available. Reference: [CrowdStrike Falcon User Guide], page 32.

User permissions are set in Falcon by assigning pre-defined permissions to sets called roles. Users can be assigned multiple roles based on job function and they assume a cumulative set of permissions based on those assignments. Roles are collections of permissions that define what users can see and do in Falcon. Permissions are granular actions that allow users to access specific features or functions in Falcon. For example, a user who is assigned both the Falcon Administrator role and the Falcon Investigator role will have all the permissions from both roles2.

References: 2: Cybersecurity Resources | CrowdStrike

The administrator can modify settings to permit certain traffic during a containment period by creating or editing a Containment Policy. This policy allows users to specify which ports, protocols and IP addresses are allowed or blocked during network containment. The other options are either incorrect or not related to network containment. Reference: [CrowdStrike Falcon User Guide], page 40.

An inactive host that does not contact the Falcon cloud will be automatically removed from the Host Management and Trash pages after 90 days. An inactive host is a host that has not communicated with the Falcon platform for more than seven days. An inactive host will be moved from the Host Management page to the Trash page after seven days of inactivity. An inactive host will remain in the Trash page for 90 days before being permanently deleted from the Falcon platform. You can restore an inactive host from the Trash page if it becomes active again within 90 days1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

The report that lists counts of sensors in Reduced Functionality Mode (RFM) for all operating system types, and tracks how long a sensor version will be supported is Sensor Coverage Lookup. The Sensor Coverage Lookup report allows you to view and compare the sensor versions and coverage status for each operating system type in your environment. You can use this report to identify any sensors that are in RFM or are approaching end-of-life (EOL) support. You can also view the release date and EOL date for each sensor version3.

References: 3: How to Become a CrowdStrike Certified Falcon Administrator

The best approach to updating the Containment Policy to allow a new patch server that should be reachable while hosts in your environment are network contained is to add an allowlist entry for the individual server’s IP address. An allowlist entry allows you to define a list of trusted IP addresses that can communicate with your contained hosts. This way, you can isolate a host from the network while still allowing it to access essential resources or services, such as a patch server. If the server’s IP address is static and does not change, adding an individual IP address is more precise and secure than adding a host group or a network range2.

References: 2: Cybersecurity Resources | CrowdStrike

The administrator can find a list of hosts that have not communicated with the CrowdStrike Cloud in the last 30 days by going to Host setup and management > Managed endpoints > Inactive Sensors. Then, change the time range to 30 days. This will show the host name, last seen date, sensor version and group name for each inactive host. The other options are either incorrect or not available. Reference: [CrowdStrike Falcon User Guide], page 31.

The option that is not an available action for an API Client is Retrieve an API Client Secret. An API Client is an entity that represents a user or application that can access the Falcon platform programmatically via the Falcon APIs. An API Client has an API Client ID and an API Client Secret, which are used for authenticating and authorizing API requests. You can create and manage API Clients in the API Clients and Keys page in the Falcon console. The available actions for an API Client are Edit an API Client, Reset an API Client Secret, and Delete an API Client. You cannot retrieve an API Client Secret after it has been created, as it is only displayed once during creation for security reasons2.

References: 2: Cybersecurity Resources | CrowdStrike

From a command line, running the sc query csagent -version command is not a way to determine the sensor version installed on a specific endpoint. This command will only show the status of the csagent service, not the sensor version. The other options are valid ways to determine the sensor version installed on a specific endpoint using Falcon UI or API. You can use the Sensor Report, the Host Search, or the Host Management features to filter, search, or select the desired endpoint and view the sensor version information12.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike 2: How to Become a CrowdStrike Certified Falcon Administrator

Machine-Learning Prevention Monitoring dashboard: Use this dashboard to view malware that would have been blocked in your environment over the selected timeframe based on different Machine Learning Prevention settings (Cautious, Moderate, Aggressive or Extra Aggressive).

The option that best describes what the Uninstall and Maintenance Protection setting controls within your Sensor Update Policy is that it prevents unauthorized uninstallation of the sensor. The Uninstall and Maintenance Protection setting is a feature that adds an extra layer of security to the sensor by requiring a maintenance token to uninstall or update the sensor manually. The maintenance token is a unique code that can be generated by a Falcon Administrator or a Real Time Response -Administrator in the Falcon console. Without a valid maintenance token, the sensor cannot be uninstalled or updated by anyone, including local administrators or malware2.

References: 2: Cybersecurity Resources | CrowdStrike

The Inactive Sensor Report in the Host setup and management option allows you to view a list of hosts that have not communicated with the Falcon platform for a specified period of time. You can filter the report by sensor version, OS, and last seen date. This report can help you identify hosts that may have connectivity issues or need sensor updates1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

There are three “Auto” sensor version update options available for Windows Sensor Update Policies: Auto - N-1, Auto - TEST-QA and Auto - Latest. These options allow the administrator to automatically update the sensor version to the previous stable version, the latest test version or the latest stable version, respectively. Reference: [CrowdStrike Falcon User Guide], page 38.

The option that is true regarding disabling detections for a host is that the detections for that host are removed from the console immediately. No new detections will display in the console going forward unless detections are enabled. This option is essentially a repetition of question 127 and its answer. Disabling detections for a host will remove any existing detections for that host from the console and prevent any new detections from appearing in the console until detections are enabled again1.

References: 1: Falcon Administrator Learning Path | Infographic | CrowdStrike

Roles are never called 'working groups' in the documentation. The only other option that can be edited on a existing user is first and last name.