Amazon
Avaya
Checkpoint
Cisco®
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL®
Juniper
Microsoft
MuleSoft
Okta
Oracle
Palo Alto Networks
Salesforce
All Vendors
  1. Home
  2. CrowdStrike
  3. CCFA-200

CrowdStrike CCFA-200 Exam (page: 1)
CrowdStrike Certified Falcon Administrator
Updated on: 07-Nov-2025

Viewing Page 1 of 32
CCFA-200 PDF 153 Questions

What is the function of a single asterisk (*) in an ML exclusion pattern?

  1. The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path
  2. The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path
  3. The single asterisk is the insertion point for the variable list that follows the path
  4. The single asterisk is only used to start an expression, and it represents the drive letter

Answer(s): B


Reference:

https://docs.microsoft.com/en-us/azure/machine-learning The asterisk is a wildcard character that can be used in exclusion patterns to match any number of characters. However, it does not match separator characters, such as \ or /, which are used to separate portions of a file path. For example, the pattern C:\Windows\*\*.exe will match any executable file in any subfolder of the Windows folder, but not in the Windows folder itself.

Falcon Administrator Learning Path | Infographic | CrowdStrike



You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints.
What is the best way to prevent these in the future?

  1. Contact support and request that they modify the Machine Learning settings to no longer include this detection
  2. Using IOC Management, add the hash of the binary in question and set the action to "Allow"
  3. Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"
  4. Using IOC Management, add the hash of the binary in question and set the action to "No Action"

Answer(s): B

Explanation:

to match any number of characters including none while not matching beyond path separators (\ or /) and double asterisks are used to recursively match zero or more directories that fall under the current directory.



What is the purpose of a containment policy?

  1. To define which Falcon analysts can contain endpoints
  2. To define the duration of Network Containment
  3. To define the trigger under which a machine is put in Network Containment (e.g. a critical detection)
  4. To define allowed IP addresses over which your hosts will communicate when contained

Answer(s): D

Explanation:

In the Containment Policy page have the title "Network traffic allowlist" and it only allows to add IPs or CIDR networks to exclude in the moment of the isolation of any host, because it is a global policy, not allowing make distinctions between machines.



An administrator creating an exclusion is limited to applying a rule to how many groups of hosts?

  1. File exclusions are not aligned to groups or hosts
  2. There is a limit of three groups of hosts applied to any exclusion
  3. There is no limit and exclusions can be applied to any or all groups
  4. Each exclusion can be aligned to only one group of hosts

Answer(s): C

Explanation:

An exclusion is a rule that tells the Falcon platform to ignore certain files, folders, processes, or registry keys when performing prevention or detection actions. An administrator can create an exclusion and apply it to one or more groups of hosts, or to all hosts in the organization. For example, an administrator can create an exclusion for a legitimate application that is causing false positives and apply it to the group of hosts that are running that application.


Reference:

Falcon Administrator Learning Path | Infographic | CrowdStrike



Even though you are a Falcon Administrator, you discover you are unable to use the "Connect to Host" feature to gather additional information which is only available on the host.
Which role do you need added to your user account to have this capability?

  1. Real Time Responder
  2. Endpoint Manager
  3. Falcon Investigator
  4. Remediation Manager

Answer(s): A

Explanation:

The Real Time Responder role allows users to use the "Connect to Host" feature to gather additional information from the host, such as running processes, registry keys, files, etc. The other roles do not have this capability.


Reference:

CrowdStrike Falcon User Guide, page 18.



Viewing Page 1 of 32



Share your comments for CrowdStrike CCFA-200 exam with other users:

Anonymous 9/14/2023 4:27:00 AM

question number 4s answer is 3, option c. i
UNITED STATES


p das 12/7/2023 11:41:00 PM

very good questions
UNITED STATES


Anna 1/5/2024 1:12:00 AM

i am confused about the answers to the questions. are the answers correct?
KOREA REPUBLIC OF


Bhavya 9/13/2023 10:15:00 AM

very usefull
Anonymous


Rahul Kumar 8/31/2023 12:30:00 PM

need certification.
CANADA


Diran Ole 9/17/2023 5:15:00 PM

great exam prep
CANADA


Venkata Subbarao Bandaru 6/24/2023 8:45:00 AM

i require dump
Anonymous


D 7/15/2023 1:38:00 AM

good morning, could you please upload this exam again,
Anonymous


Ann 9/15/2023 5:39:00 PM

hi can you please upload the dumps for sap contingent module. thanks
AUSTRALIA


Sridhar 1/16/2024 9:19:00 PM

good questions
Anonymous


Summer 10/4/2023 9:57:00 PM

looking forward to the real exam
Anonymous


vv 12/2/2023 2:45:00 PM

good ones for exam preparation
UNITED STATES


Danny Zas 9/15/2023 4:45:00 AM

this is a good experience
UNITED STATES


SM 1211 10/12/2023 10:06:00 PM

hi everyone
UNITED STATES


A 10/2/2023 6:08:00 PM

waiting for the dump. please upload.
UNITED STATES


Anonymous 7/16/2023 11:05:00 AM

upload cks exam questions
Anonymous


Johan 12/13/2023 8:16:00 AM

awesome training material
NETHERLANDS


PC 7/28/2023 3:49:00 PM

where is dump
Anonymous


YoloStar Yoloing 10/22/2023 9:58:00 PM

q. 289 - the correct answer should be b not d, since the question asks for the most secure way to provide access to a s3 bucket (a single one), and by principle of the least privilege you should not be giving access to all buckets.
Anonymous


Zelalem Nega 5/14/2023 12:45:00 PM

please i need if possible h12-831,
UNITED KINGDOM


unknown-R 11/23/2023 7:36:00 AM

good collection of questions and solution for pl500 certification
UNITED STATES


Swaminathan 5/11/2023 9:59:00 AM

i would like to appear the exam.
Anonymous


Veenu 10/24/2023 6:26:00 AM

i am very happy as i cleared my comptia a+ 220-1101 exam. i studied from as it has all exam dumps and mock tests available. i got 91% on the test.
Anonymous


Karan 5/17/2023 4:26:00 AM

need this dump
Anonymous


Ramesh Kutumbaka 12/30/2023 11:17:00 PM

its really good to eventuate knowledge before appearing for the actual exam.
Anonymous


anonymous 7/20/2023 10:31:00 PM

this is great
CANADA


Xenofon 6/26/2023 9:35:00 AM

please i want the questions to pass the exam
UNITED STATES


Diego 1/21/2024 8:21:00 PM

i need to pass exam
Anonymous


Vichhai 12/25/2023 3:25:00 AM

great, i appreciate it.
AUSTRALIA


P Simon 8/25/2023 2:39:00 AM

please could you upload (isc)2 certified in cybersecurity (cc) exam questions
SOUTH AFRICA


Karim 10/8/2023 8:34:00 PM

good questions, wrong answers
Anonymous


Itumeleng 1/6/2024 12:53:00 PM

im preparing for exams
Anonymous


MS 1/19/2024 2:56:00 PM

question no: 42 isnt azure vm an iaas solution? so, shouldnt the answer be "no"?
Anonymous


keylly 11/28/2023 10:10:00 AM

im study azure
Anonymous