
Certification Training for CCFA-200b Exam Dumps Test Engine [2026]
Mar 26, 2026
Step by Step Guide to Prepare for CCFA-200b Exam
NEW QUESTION # 103
How does the Unique Hosts Connecting to Countries Map help an administrator?
- A. It helps visualize global network communication
- B. It identifies connections containing threats
- C. It displays intrusions from foreign countries
- D. It highlights countries with known malware
Answer: A
Explanation:
The Unique Hosts Connecting to Countries Map helps an administrator to visualize global network communication. The map shows the number of unique hosts in your environment that have established network connections to different countries in the past 24 hours. You can use this map to identify unusual or suspicious network activity, such as connections to high-risk countries or regions, or connections from hosts that are not expected to communicate with external entities.
NEW QUESTION # 104
Which command would tell you if a Falcon Sensor was running on a Windows host?
- A. sc.exe query falcon
- B. cswindiag.exe -status
- C. sc.exe query csagent
- D. netstat.exe -f
Answer: C
Explanation:
The command that would tell you if a Falcon Sensor was running on a Windows host is sc.exe query csagent. This command will show the status of the csagent service, which is responsible for running the sensor on Windows systems. The output of this command will indicate if the service is running, stopped, or paused. If the service is running, the sensor is also running.
NEW QUESTION # 105
Why is it important to know your company's event data retention limits in the Falcon platform?
- A. Your query will require you to specify the data pool associated with the date you wish to search
- B. This is not necessary; you simply select "All Time" in your query to search all data
- C. You will not be able to search event data into the past beyond your retention period
- D. Data such as process records are kept for a shorter time than event data
Answer: C
Explanation:
It is important to know your company's event data retention limits in the Falcon platform because you will not be able to search event data into the past beyond your retention period. The retention period is the amount of time that event data is stored in the Falcon Cloud, and it may vary depending on your subscription plan and settings. The other options are either incorrect or not related to knowing your retention limits.
NEW QUESTION # 106
Why is it critical to have separate sensor update policies for Windows/Mac/*nix?
- A. There may be special considerations for each OS
- B. It is an auditing requirement
- C. To assist with testing and tracking sensor rollouts
- D. The network protocols are different for each host OS
Answer: A
NEW QUESTION # 107
Which user role will NOT enable the user to connect to a host using Real Time Response?
- A. Real Time Response - Read-Only Analyst
- B. Falcon Administrator
- C. Real Time Response - Administrator
- D. Real Time Response - Active Responder
Answer: A
NEW QUESTION # 108
What is the function of a single asterisk (*) in an ML exclusion pattern?
- A. The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path
- B. The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path
- C. The single asterisk is only used to start an expression, and it represents the drive letter
- D. The single asterisk is the insertion point for the variable list that follows the path
Answer: B
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/machine-learning
The asterisk is a wildcard character that can be used in exclusion patterns to match any number of characters. However, it does not match separator characters, such as \ or /, which are used to separate portions of a file path. For example, the pattern C:\Windows\*\*.exe will match any executable file in any subfolder of the Windows folder, but not in the Windows folder itself.
NEW QUESTION # 109
Which of the following steps are required to delete a sensor update policy?
- A. Remove the policy from all assigned host groups, then click Delete from the policy's settings
- B. From the policy's settings, disable the policy, then click Delete
- C. Remove the policy from all assigned host groups, disable the policy, then click Delete from the policy's settings
- D. From the policy's settings, disable all toggles first, then click Delete
Answer: C
NEW QUESTION # 110
What type of information is found in the Linux Sensors Dashboard?
- A. Versions running, Directory Made Invisible to Spotlight, Logging/Auditing Referenced, Viewed, or Modified
- B. Hosts by Kernel Version, Shells spawned by Root, Wget/Curl Usage
- C. Private Information Accessed, Archiving Tools - Exfil, Files Made Executable
- D. Hidden File execution, Execution of file from the trash, Versions Running with Computer Names
Answer: B
Explanation:
The type of information that is found in the Linux Sensors Dashboard is Hosts by Kernel Version, Shells spawned by Root, Wget/Curl Usage. The Linux Sensors Dashboard is a dashboard that provides an overview of the Linux hosts in your environment that have Falcon sensors installed.
You can use this dashboard to monitor the health and activity of your Linux hosts, such as their kernel versions, root shell usage, network communication, detections, and preventions.
NEW QUESTION # 111
When uninstalling a sensor, which of the following is required if the 'Uninstall and maintenance protection' setting is enabled within the Sensor Update Policies?
- A. Bulk update key
- B. Maintenance token
- C. Customer ID (CID)
- D. Agent ID (AID)
Answer: B
Explanation:
When uninstalling a sensor, a maintenance token is required if the 'Uninstall and maintenance protection' setting is enabled within the Sensor Update Policies. This setting prevents unauthorized or accidental uninstallation of sensors by requiring a token that can be generated from the Falcon console. The other options are either incorrect or not related to uninstalling a sensor.
NEW QUESTION # 112
When a user initiates a sensor install, where can the logs be found?
- A. %SYSTEMROOT%\Temp
- B. %SYSTEMROOT%\Logs
- C. %LOCALAPPDATA%\Temp
- D. %LOCALAPPDATA%\Logs
Answer: D
NEW QUESTION # 113
What is likely the reason your Windows host would be in Reduced Functionality Mode (RFM)?
- A. A Sensor Update Policy was misconfigured
- B. Microsoft updates altering the kernel
- C. The host lost internet connectivity
- D. A misconfiguration in your prevention policy for the host
Answer: C
Explanation:
The likely reason your Windows host would be in Reduced Functionality Mode (RFM) is that the host lost internet connectivity. RFM is a mode that limits the sensor's functionality due to license expiration, network connectivity loss, or certificate validation failure. When a Windows sensor is in RFM, it will only provide basic prevention capabilities, such as blocking known malware hashes and preventing script execution from the %TEMP% directory. The sensor will not send any telemetry or detection events to the Falcon platform, and will not receive any policy or update changes from the Falcon cloud. Losing internet connectivity is a common cause of RFM, as it prevents the sensor from communicating with the Falcon cloud. A misconfiguration in your prevention policy or sensor update policy will not cause RFM, as these policies are applied by the Falcon cloud and do not affect the sensor's license, network, or certificate status. Microsoft updates altering the kernel may cause compatibility issues with the sensor, but not RFM.
NEW QUESTION # 114
What best describes what happens to detections in the console after clicking "Enable Detections" for a host which previously had its detections disabled?
- A. Preventions will be enabled for the host
- B. New detections will start appearing in the console, and all retroactive stored detections will be restored to the console for that host
- C. New detections will start appearing in the console immediately. Previous detections will not be restored to the console for that host
- D. Enables custom detections for the host
Answer: C
Explanation:
The option that best describes what happens to detections in the console after clicking "Enable Detections" for a host which previously had its detections disabled is that new detections will start appearing in the console immediately. Previous detections will not be restored to the console for that host. The "Enable Detections" feature allows you to enable or disable the detection and prevention capabilities of the Falcon sensor on a specific host. When you disable detections for a host, the sensor will stop sending any detection or prevention events to the Falcon console, and any existing events for that host will be removed from the console. When you enable detections for a host, the sensor will resume sending any new detection or prevention events to the Falcon console, but any previous events for that host will not be restored to the console.
NEW QUESTION # 115
The Customer ID (CID) is important in which of the following scenarios?
- A. When performing the sensor installation process
- B. When setting up API keys
- C. When adding a user to the Falcon console under the Users application
- D. When performing a Host Search
Answer: A
Explanation:
The Customer ID (CID) is important when performing the sensor installation process and when setting up API keys. The CID is a unique identifier for your organization that is required for authenticating your sensor installation and communication with the Falcon cloud. You need to provide your CID when installing the Falcon sensor on a host, either by using a command-line parameter or by using the falconctl tool. The CID is also required for setting up API keys, which are used for accessing the Falcon platform programmatically via the Falcon APIs. You need to provide your CID when creating an API client and key in the API Clients and Keys page in the Falcon console.
NEW QUESTION # 116
Which of the following Machine Learning (ML) sliders will only detect or prevent high confidence malicious items?
- A. Aggressive
- B. Minimal
- C. Moderate
- D. Cautious
Answer: D
Explanation:
The Machine Learning (ML) slider that will only detect or prevent high confidence malicious items is Cautious. The ML slider allows you to adjust the level of sensitivity and aggressiveness of the Falcon sensor's ML engine, which uses artificial intelligence to identify and stop unknown threats.
The Cautious setting will enable the sensor to detect and prevent only high-confidence malicious events, while allowing low-confidence events to run without interference. This setting will also generate less noise and false positives than higher settings, such as Moderate or Extra Aggressive.
NEW QUESTION # 117
Which ML exclusion pattern would be the most accurate for all .exe binaries in "C:\Program Files\Software\", including any subfolders of Software?
- A. Program Files\Software\**\*.exe
- B. Program Files\Software\**.exe
- C. **\*.exe
- D. Program Files\Software\*.exe
Answer: A
NEW QUESTION # 118
When editing an existing IOA exclusion, what can NOT be edited?
- A. The exclusion name
- B. All parts of the exclusion can be changed
- C. The hosts groups
- D. The IOA name
Answer: D
Explanation:
When editing an existing IOA exclusion, the IOA name cannot be edited. An IOA (indicator of attack) exclusion allows you to define custom rules for excluding suspicious behavior from detection or prevention based on process execution, file write, network connection, or registry events. The IOA name is a predefined name that identifies the type of IOA behavior that you want to exclude, such as "Suspicious Process Execution - Script Interpreter Executing File". The IOA name cannot be changed when editing an existing IOA exclusion, as it is linked to a specific IOA rule in the Falcon platform. However, you can edit other parts of the IOA exclusion, such as the exclusion name, the hosts groups, and the filter criteria.
NEW QUESTION # 119
Which of the following controls the speed at which your sensors will receive automatic sensor updates?
- A. Sensor Update Throttling
- B. Channel File Update Throttling
- C. Maintenance Tokens
- D. Sensor Update Policy
Answer: A
Explanation:
The option that controls the speed at which your sensors will receive automatic sensor updates is Sensor Update Throttling. Sensor Update Throttling allows you to limit the number of sensors that can download a new sensor version per hour. This way, you can avoid network congestion or bandwidth issues caused by simultaneous sensor updates. You can configure the Sensor Update Throttling setting in the Sensor Update Policy for each platform.
NEW QUESTION # 120
......