CCFA-200 Online Practice Questions and Answers

Which option allows you to exclude behavioral detections from the detections page?

A. Machine Learning Exclusion

B. IOA Exclusion

C. IOC Exclusion

D. Sensor Visibility Exclusion

You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?

A. Contact support and request that they modify the Machine Learning settings to no longer include this detection

B. Using IOC Management, add the hash of the binary in question and set the action to "Allow"

C. Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"

D. Using IOC Management, add the hash of the binary in question and set the action to "No Action"

What is the primary purpose of using glob syntax in an exclusion?

A. To specify a Domain be excluded from detections

B. To specify exclusion patterns to easily exclude files and folders and extensions from detections

C. To specify exclusion patterns to easily add files and folders and extensions to be prevented

D. To specify a network share be excluded from detections

Which of the following options is a feature found ONLY with the Sensor-based Machine Learning (ML)?

A. Next-Gen Antivirus (NGAV) protection

B. Adware and Potentially Unwanted Program detection and prevention

C. Real-time offline protection

D. Identification and analysis of unknown executables

What can the Quarantine Manager role do?

A. Manage and change prevention settings

B. Manage quarantined files to release and download

C. Manage detection settings

D. Manage roles and users

With Custom Alerts, it is possible to __________.

A. schedule the alert to run at any interval

B. receive an alert in an email

C. configure prevention actions for alerting

D. be alerted to activity in real-time

What is the purpose of a containment policy?

A. To define which Falcon analysts can contain endpoints

B. To define the duration of Network Containment

C. To define the trigger under which a machine is put in Network Containment (e.g. a critical detection)

D. To define allowed IP addresses over which your hosts will communicate when contained

When the Notify End Users policy setting is turned on, which of the following is TRUE?

A. End users will not be notified as we would not want to notify a malicious actor of a detection. This setting does not exist

B. End users will be immediately notified via a pop-up that their machine is in-network isolation

C. End-users receive a pop-up notification when a prevention action occurs

D. End users will receive a pop-up allowing them to confirm or refuse a pending quarantine

You are beginning the rollout of the Falcon Sensor for the first time side-by-side with your existing security solution. You need to configure the Machine Learning levels of the Prevention Policy so it does not interfere with existing solutions

during the testing phase.

What settings do you choose?

A. Detection slider: Extra Aggressive Prevention slider: Cautious

B. Detection slider: Moderate Prevention slider: Disabled

C. Detection slider: Cautious Prevention slider: Cautious

D. Detection slider: Disabled Prevention slider: Disabled

What is the function of a single asterisk (*) in an ML exclusion pattern?

A. The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path

B. The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path

C. The single asterisk is the insertion point for the variable list that follows the path

D. The single asterisk is only used to start an expression, and it represents the drive letter