CrowdStrike CCFA Exam Dumps & Practice Test Questions
Question 1:
What does a single asterisk (*) represent when used in an ML (Machine Learning) exclusion pattern?
A. Matches any number of characters, including none, and includes directory separators like \ or /
B. Matches any number of characters, including none, but excludes directory separators like \ or /
C. Represents the location where variable lists are inserted in the path
D. Must appear at the beginning of the expression and stands for the drive letter
Correct Answer: B
Explanation:
In Falcon's Machine Learning (ML) exclusion patterns, the single asterisk (*) is a wildcard that stands in for a variable run of characters within a file or directory name. What matters is exactly how far it reaches in a path.
A single asterisk matches any number of characters, including zero, but never a directory separator: the backslash (\) on Windows or the forward slash (/) on macOS and Linux. The wildcard therefore matches within one path segment (one folder name or one file name) and never descends into subdirectories.
For example:
Pattern: logs/*.log
Matches: logs/error.log, logs/debug.log
Does not match: logs/2025/error.log
This is why Option B is correct. It accurately describes that a single asterisk can match zero or more characters but excludes the directory separators (/ or \), keeping the match within one folder level.
Let’s clarify why the other options are incorrect:
A is wrong because it falsely claims the asterisk includes path separators, which would allow it to match across directories. This behavior is associated with a double asterisk (**), not a single asterisk.
C misrepresents the purpose of the asterisk. It is not a placeholder for inserting variables. The asterisk's job is to act as a wildcard for pattern matching—not as a dynamic injection point.
D inaccurately claims the asterisk must begin the expression and refers to a drive letter, which has no relevance to wildcard behavior in exclusion patterns.
In summary, a single asterisk gives you flexibility within one directory level and stops at folder boundaries; use a double asterisk (**) when an exclusion must cover a whole tree. Because everything an exclusion matches becomes a blind spot for ML detections, keep each pattern as narrow as the false positive actually requires.
Therefore, Option B is the correct answer.
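To make the single- versus double-asterisk distinction concrete, here is an added Python example (not CrowdStrike's code, and not the sensor's real matcher) that implements the two wildcards exactly as the question defines them and runs a few patterns over constructed sample paths, including the Windows-style "devcode" folder discussed later on this page. The anchored_to_root check is a good-practice rule added here, not a Falcon feature: a pattern that starts with a wildcard matches a folder of that name anywhere on disk.

```python
import re

# Added example, not CrowdStrike's code. It models the two wildcards as the
# question describes them:
#   *   zero or more characters, never a directory separator (\ or /)
#   **  zero or more characters, separators included
# Everything else is matched literally; the pattern must match the whole path.


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an exclusion glob into an anchored regular expression."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")          # crosses folder boundaries
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\/]*")    # stays inside one path segment
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def matches(pattern: str, path: str) -> bool:
    """True if the exclusion pattern covers the given full path."""
    return glob_to_regex(pattern).match(path) is not None


def covered_paths(pattern: str, paths: list[str]) -> list[str]:
    """Return the subset of paths an exclusion would silence."""
    return [p for p in paths if matches(pattern, p)]


def anchored_to_root(pattern: str) -> bool:
    """A pattern that starts with a wildcard matches the folder name anywhere
    on disk, so an attacker can satisfy it by creating that folder. Exclusions
    should start from a drive letter or /. (Good-practice rule, not a Falcon check.)"""
    return not pattern.startswith("*")


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real host.
    sample = [
        "logs/error.log",
        "logs/2025/error.log",
        r"C:\devcode\build.exe",
        r"C:\devcode\src\main.c",
        r"D:\Users\mallory\devcode\dropper.exe",
    ]
    for pat in ["logs/*.log", "logs/**", r"C:\devcode\*", r"C:\devcode\**", r"**\devcode\**"]:
        print(f"{pat:18} anchored={anchored_to_root(pat)!s:5} covers {covered_paths(pat, sample)}")
```

Note that logs/** matches logs/error.log as well as logs/2025/error.log, while **\devcode\** also covers D:\Users\mallory\devcode\dropper.exe: that is exactly why an exclusion for a development folder should start from the drive letter rather than from a wildcard.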
Question 2:
If a custom vendor-created binary is triggering multiple false positives across various endpoints in your environment, what is the most appropriate way to prevent these detections from reoccurring?
A. Contact support to disable Machine Learning detection for this binary
B. Add the binary’s hash in IOC Management and set the action to "Allow"
C. Add the binary’s hash in IOC Management and set the action to "Block, hide detection"
D. Add the binary’s hash in IOC Management and set the action to "No Action"
Correct Answer: B
Explanation:
When a trusted, custom-built binary (for example one supplied by a software vendor) is flagged by Falcon's machine learning as malicious, the fix should be precise: suppress detections for that exact file without loosening detection for anything else.
The right tool is IOC Management: add the binary's hash (SHA-256 or MD5) as an indicator and set its action to "Allow." This tells the sensor on every host the indicator applies to that the file is trusted and should not generate ML detections or preventions.
Here’s why Option B is the correct and most effective approach:
Using the "Allow" action ensures that the binary’s hash is acknowledged by the system as safe across all protected endpoints. The system will no longer trigger alerts or blocks against it, thereby resolving the issue of repeated false positives. This method keeps the custom binary operational while maintaining comprehensive protection for the rest of the environment.
Let’s examine why the other options are less suitable:
A. Contacting support adds delay and dependence on an external team, and asking for ML detection to be disabled for one file is both imprecise and unnecessary when the platform already gives administrators a self-service control for exactly this case.
C. "Block, hide detection" does the opposite of what is needed: it prevents the binary from executing and suppresses the detection so nobody sees it, silently breaking a known-good, business-critical tool.
D. "No Action" stores the indicator without applying any response. The ML engine keeps evaluating the file as before, so the false positives continue.
In summary, adding the file's hash to IOC Management with the "Allow" action is controlled, repeatable, and far narrower than a path-based exclusion. Its one limitation is also its strength: a hash identifies one exact build, so each new version of the vendor binary has a new hash and needs its own indicator (fill in the description so the entries stay traceable to the approval).
Thus, Option B is the most appropriate and correct solution.
Question 3:
Which of the following best defines the main function of a containment policy within a security solution?
A. To designate which Falcon analysts have the authority to perform containment actions
B. To specify how long an endpoint remains in network containment
C. To determine the conditions under which an endpoint is placed into containment, such as a critical detection
D. To list the IP addresses permitted for communication when an endpoint is contained
Correct Answer: D
Explanation:
Network containment in Falcon isolates a host by dropping all of its network traffic except communication with the Falcon cloud. The Containment Policy (under Host setup and management) exists to define the exceptions to that isolation: the IP addresses and subnets a contained host may still reach, for example a remediation server, a patch repository, or the jump host responders use. That allowlist is its main function, which is what option D describes.
Keep the list minimal. Every address added to the containment policy is a hole in the isolation; an allowlist containing a broad internal range (a /8, say) would let a compromised host keep talking to most of the network, which defeats the purpose of containing it.
Let's evaluate the other options to understand why they are incorrect:
A suggests the policy defines which Falcon analysts can contain a host. Who may contain or lift containment is decided by Falcon roles (role-based access control), not by the containment policy.
B mentions a duration. Containment has no timer: a host stays contained until an authorised user lifts containment from the console or through the API. The containment policy has no duration setting.
C describes a trigger, such as a critical detection. The containment policy does not define when a host is contained; containment is initiated manually from the console or API, or by a workflow acting on a detection. The policy only governs what the contained host may still communicate with.
In conclusion, the containment policy defines the network exceptions that apply while a host is in containment, so D is the correct answer.
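An added Python check (not CrowdStrike's code) for the containment allowlist itself: given the entries an administrator would put in the containment policy (single addresses or CIDR ranges, the notation option D refers to), it reports which ones are broad enough to undermine containment and whether a given destination remains reachable from a contained host. The /24 and /64 thresholds are assumptions chosen for a review script, not Falcon limits.

```python
import ipaddress

# Added example, not CrowdStrike's code. It treats the containment policy as a
# list of IP addresses / CIDR ranges a contained host may still reach. The
# thresholds below are assumptions for a sanity check, not Falcon limits.
MIN_PREFIX = {4: 24, 6: 64}   # anything broader than this is flagged


def parse_allowlist(entries):
    """Parse console-style entries ('10.1.2.3', '10.1.2.0/24') into networks.
    A bare address becomes a /32 (or /128) network."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def overly_broad(entries):
    """Entries that punch a large hole in containment."""
    return [str(n) for n in parse_allowlist(entries)
            if n.prefixlen < MIN_PREFIX[n.version]]


def may_reach(entries, destination: str) -> bool:
    """Would a contained host still be able to talk to this destination?"""
    dest = ipaddress.ip_address(destination)
    return any(dest in net for net in parse_allowlist(entries)
               if net.version == dest.version)


def review(entries):
    """Summarise what the policy allows and what looks too permissive."""
    return {
        "entries": [str(n) for n in parse_allowlist(entries)],
        "overly_broad": overly_broad(entries),
    }


if __name__ == "__main__":
    # Constructed policy: a remediation server, a jump-host subnet, and a /8
    # that someone added "temporarily" and never removed.
    policy = ["10.20.30.40", "10.50.0.0/24", "10.0.0.0/8"]
    print(review(policy))
    print("contained host can reach 10.99.1.1:", may_reach(policy, "10.99.1.1"))
```

With the /8 present the contained host can still reach 10.99.1.1, an address nobody intended to allow; drop it and the same check returns False.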
Question 4:
When an administrator creates a file exclusion rule, how many groups of hosts can the rule be assigned to at once?
A. Exclusion rules are not associated with specific host groups
B. Exclusions can only be assigned to a maximum of three host groups
C. There is no restriction—the exclusion can be applied to any or all host groups
D. Exclusion rules can only be assigned to one host group at a time
Correct Answer: C
Explanation:
When managing security settings in enterprise environments, particularly in endpoint protection or antivirus platforms, exclusion rules are used to prevent specific files, folders, or processes from being flagged by the system. These exclusions are critical for reducing false positives and ensuring the continued operation of trusted applications.
In a typical security console, administrators have the flexibility to apply these exclusions across multiple host groups—logical groupings of devices with similar roles, risk profiles, or configurations. This flexibility enables fine-tuned control and policy enforcement across diverse systems, such as development machines, finance department computers, or servers.
Option C correctly states that there is no limit on the number of host groups an exclusion can be assigned to: an exclusion can be scoped to all hosts or to any selection of host groups. This lets administrators apply one consistent exclusion across the whole environment, or restrict it to the groups that actually need it, without duplicating rules.
Let’s break down why the other options are incorrect:
A implies that file exclusions are not linked to host groups or machines, which is inaccurate. Most security platforms do allow administrators to apply exclusions based on groupings or individual endpoints to ensure precise policy control.
B suggests a limitation of only three host groups per exclusion. This is too restrictive and not representative of how modern security platforms work. Most solutions provide administrators with the freedom to assign exclusions broadly or narrowly based on business needs—without artificial constraints.
D proposes that exclusions can be aligned to only one group per rule. This would severely hamper policy management and require duplicate rules for every group needing the same exclusion, making the system inefficient and harder to maintain.
In essence, applying a single exclusion to many or all groups simplifies administration and keeps behaviour consistent. The flexibility cuts both ways: an exclusion assigned to all hosts is a fleet-wide blind spot, so scope each one to the groups that need it and review the list periodically. Therefore, C is the most accurate choice.
Question 5:
As a Falcon Administrator, you find that you're unable to use the "Connect to Host" function to collect additional live data from a specific endpoint.
What additional role must be assigned to your user account to enable this feature?
A. Real Time Responder
B. Endpoint Manager
C. Falcon Investigator
D. Remediation Manager
Correct Answer: A
Explanation:
Although the Falcon Administrator role provides wide-ranging administrative privileges in the Falcon platform, it does not automatically include the ability to access certain real-time investigative tools. One such feature is "Connect to Host," which allows administrators or analysts to directly interface with an endpoint and pull live data for deeper security analysis. To utilize this functionality, the user account must be explicitly assigned the Real Time Responder role.
The Real Time Responder role grants users the authority to conduct active investigations by initiating secure sessions with endpoints. This functionality is especially valuable during a security incident when analysts need immediate visibility into a host’s current processes, network connections, file system status, and other runtime attributes. It is designed for scenarios where static data isn't enough, and live endpoint interaction is essential.
Let’s evaluate why the other roles are not suitable:
B. Endpoint Manager is primarily focused on overseeing endpoint configurations and deploying policy settings across the fleet. While important for system hygiene, this role lacks the live-access tools needed for real-time response.
C. Falcon Investigator does provide access to a suite of investigation and forensic analysis capabilities, such as event timelines and threat intelligence, but it stops short of granting live access to endpoints.
D. Remediation Manager permits users to act on identified threats (such as managing quarantined files). It does not include live connection to hosts for investigative purposes.
In essence, real-time connection capabilities fall under a specialized set of permissions granted only through the Real Time Responder role. This separation is intentional for security reasons, ensuring that only appropriately authorized users can initiate direct connections to endpoints, which could otherwise introduce risk if misused.
Therefore, to use the "Connect to Host" feature, an administrator must be assigned the Real Time Responder role, making A the correct answer.
Question 6:
What is the proper administrative method for resetting a user's password within the user management system?
A. Open the user’s profile and click “Generate New Password”
B. Use the three-dot menu next to the account and select “Reset Password”
C. Choose “Update Account” and manually input a new password
D. Rebuild the user account due to an invalid certificate
Correct Answer: B
Explanation:
Resetting a user’s password is one of the most basic but crucial administrative functions within any user management system. The recommended method to perform this action is to navigate to the User Management section, locate the affected user, click the three-dot menu (often representing more options) beside the user’s profile, and then select “Reset Password.” This is the standardized, secure, and efficient way of resetting a password, and it typically triggers an automated email or a system-generated temporary password.
This method ensures both security and compliance with best practices. The reset action typically involves system-level validation, ensures password complexity rules are maintained, and often logs the action for auditing purposes.
Now, let’s evaluate why the other options are not correct:
A. Generate New Password via Account Details: While it might sound logical, this function usually doesn’t exist as described. Most platforms avoid manual password generation in user profiles for security reasons and to minimize administrative mishandling.
C. Manually Create Password via “Update Account”: This is outdated and discouraged. Allowing admins to create a password manually increases the risk of weak passwords or poor transmission methods (e.g., sending passwords over email or chat). Furthermore, it often lacks auditing and policy enforcement mechanisms.
D. Rebuild Account Due to Certificate Errors: This choice is overcomplicated and largely irrelevant to simple password resets. Certificates typically relate to advanced cryptographic authentication methods (such as PKI). Password resets do not require full account reconstruction or certificate regeneration unless in specialized, highly secure environments—which is not applicable in routine user management tasks.
Using the “Reset Password” function through the three-dot menu ensures the process is streamlined, secure, policy-compliant, and aligned with platform functionality. It reduces the risk of human error and enforces consistent password protocols across the organization.
For these reasons, the correct and recommended method is option B.
Question 7:
Your IT team manages a group of servers that must never be accessible remotely, including through Real Time Response (RTR). These servers are already assigned to a dedicated Falcon host group.
What should you do next to ensure RTR is disabled only for this group of servers?
A. Modify the Default Response Policy, disable the "Real Time Response" setting, and apply it to the host group
B. Adjust the Default Response Policy by adding the host group to the "Real Time Functionality" exceptions list
C. Create a custom Response Policy, disable the "Real Time Response" feature, and assign it to the host group
D. Set up a new Response Policy and list each server's hostname in the exceptions section for "Real Time Functionality"
Correct Answer: C
Explanation:
To effectively restrict Real Time Response (RTR) on a specific set of servers, the recommended strategy is to create a new custom Response Policy, disable the RTR feature, and assign this policy to the host group containing those servers. This approach ensures targeted control without inadvertently affecting other hosts in your environment.
RTR is a powerful tool that allows administrators to run commands and scripts on hosts for investigation and remediation. However, some systems—due to their sensitivity or security requirements—must be explicitly shielded from any form of remote command execution. When these systems are grouped under a specific Falcon host group, assigning a Response Policy tailored for that group is the most efficient and safest course of action.
Why Option C is Correct:
Creating a new Response Policy and disabling the Real Time Response feature ensures that RTR will not be available on the targeted servers. Applying this policy specifically to the host group containing those machines allows for clear policy segregation, avoids unintended consequences, and maintains secure configuration management.
This method provides centralized and scalable control, making it easier to update or revert settings in the future. It aligns with best practices of policy isolation, especially in environments with different levels of sensitivity and compliance requirements.
Why the Other Options Are Incorrect:
A. The Default Response Policy applies to every host that is not assigned a custom policy and cannot be scoped to a single host group. Disabling RTR there would switch it off across the fleet, not just on these servers.
B. Response Policies are scoped by assigning host groups to a policy, not through a "Real Time Functionality" exceptions list; there is no such list to add a group to, and an exception would not amount to disabling RTR anyway.
D. Listing individual hostnames is error-prone and does not scale: every new server would need a manual edit, and the host group already exists for exactly this purpose. As with B, an exceptions entry is not the same as turning RTR off in the policy that governs the hosts.
Conclusion:
To selectively disable RTR on a predefined group of servers, the most precise and secure method is to create a new Response Policy, turn off the RTR capability, and assign that policy directly to the Falcon host group. This avoids impacting other systems and allows for easier policy maintenance and auditing.
Question 8:
While adding a new Indicator of Compromise (IOC) in your IOC management system, which of the following sets of fields must be completed for the IOC to be valid and actionable?
A. Hash, Description, Filename
B. Hash, Action, Expiry Date
C. Filename, Severity, Expiry Date
D. Hash, Platform, Action
Correct Answer: D
Explanation:
In IOC management systems, Indicators of Compromise (IOCs) are critical for identifying threats and enabling automated or manual responses within a cybersecurity platform. When creating a new IOC, it’s essential to populate the mandatory fields so that the system can correctly apply logic and enforcement mechanisms across supported platforms.
The three essential fields that must be configured are:
Hash – The file's MD5 or SHA-256 digest (the two hash types Falcon IOC Management accepts).
Platform – The environment where the IOC should be applied (e.g., Windows, macOS, Linux).
Action – What the sensor does on a match: Detect, Block, Block and hide detection, Allow, or No action.
Why Option D is Correct:
Each field in option D plays a foundational role:
The Hash enables precise identification of the malicious or suspicious file. It ensures that detection isn’t based on vague or dynamic identifiers like filenames.
The Platform determines where the rule should be enforced. This ensures that an IOC meant for Windows, for example, doesn’t mistakenly trigger on macOS.
The Action tells the sensor how to respond on a match: raise a detection only, block execution (with or without a visible detection), allow the file, or take no action.
This combination makes the IOC immediately functional and enforceable across your threat detection infrastructure.
Why the Other Options Are Incorrect:
A. While the Hash is necessary, Description and Filename are optional metadata. They can provide context to analysts but aren’t essential for enforcement.
B. Though Hash and Action are required, Expiry Date is not. Expiry can help with lifecycle management of temporary IOCs but isn’t fundamental to its creation.
C. Filename and Severity are supplemental. Severity can prioritize response, but it doesn’t directly influence system behavior unless paired with an action. Expiry Date is useful but not required.
Conclusion:
For an IOC to be immediately actionable within most modern security platforms, it must include the hash for identification, the platform to define scope, and an action to dictate the response. These fields ensure that the IOC can be automatically enforced by the system. Thus, the correct answer is D – Hash, Platform, and Action.
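The following added Python example (not CrowdStrike's code) ties this question to Question 2 on vendor false positives: it hashes a constructed stand-in for the trusted build, assembles an indicator with exactly the three required fields (hash, platform, action), rejects indicators that lack or misuse any of them, and shows why an Allow entry stops applying as soon as the vendor ships a new build. The field names and value sets (prevent_no_ui, no_action, the platform names) are assumptions modelled on IOC Management, not a verified API contract; submitting the indicator to the Falcon API is out of scope here.

```python
import hashlib

# Added example, not CrowdStrike's code. Field names and the allowed values
# are assumptions modelled on Falcon IOC Management; only the three required
# fields from the question (hash, platform, action) are enforced.
HASH_LENGTHS = {64: "sha256", 32: "md5"}
PLATFORMS = {"windows", "mac", "linux"}
ACTIONS = {"detect", "prevent", "prevent_no_ui", "allow", "no_action"}


class IocError(ValueError):
    """Raised when an indicator is missing or misusing a required field."""


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_hash_ioc(value: str, platforms, action: str, description: str = "") -> dict:
    """Assemble a hash indicator, refusing anything that is not actionable."""
    value = value.strip().lower()
    hash_type = HASH_LENGTHS.get(len(value))
    if hash_type is None or any(c not in "0123456789abcdef" for c in value):
        raise IocError("hash must be a hex MD5 (32) or SHA-256 (64) digest")
    platforms = sorted(set(platforms))
    if not platforms or not set(platforms) <= PLATFORMS:
        raise IocError(f"platforms must be a non-empty subset of {sorted(PLATFORMS)}")
    if action not in ACTIONS:
        raise IocError(f"action must be one of {sorted(ACTIONS)}")
    return {
        "type": hash_type,
        "value": value,
        "platforms": platforms,
        "action": action,
        "description": description,   # optional context for analysts
    }


def allow_vendor_binary(binary: bytes, platform: str, description: str) -> dict:
    """The false-positive fix from Question 2: hash the trusted build and
    create an Allow indicator for it."""
    return build_hash_ioc(sha256_of(binary), [platform], "allow", description)


def ioc_covers(ioc: dict, binary: bytes) -> bool:
    """Does an existing indicator match this file? A new build has a new hash,
    so an Allow created for the previous version no longer applies."""
    return ioc["type"] == "sha256" and sha256_of(binary) == ioc["value"]


if __name__ == "__main__":
    v1 = b"MZ\x90\x00 constructed vendor build 1.0"   # stand-in for the binary
    v2 = b"MZ\x90\x00 constructed vendor build 1.1"
    ioc = allow_vendor_binary(v1, "windows", "AcmeTool 1.0, approved by AppSec")
    print(ioc)
    print("covers 1.0:", ioc_covers(ioc, v1), " covers 1.1:", ioc_covers(ioc, v2))
```

The validation mirrors the question's point: without a hash there is nothing to match, without a platform there is nowhere to apply it, and without an action a match changes nothing. The last two lines show the operational caveat that a hash indicator is tied to one exact build.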
Question 9:
Your Chief Information Security Officer (CISO) wants Falcon Analysts to inspect files and their contents on compromised endpoints but explicitly restricts their ability to export or transfer those files from the device.
Which role best meets this access control requirement?
A. Remediation Manager
B. Real Time Responder – Read Only Analyst
C. Falcon Analyst – Read Only
D. Real Time Responder – Active Responder
Correct Answer: B
Explanation:
In this scenario, the organization’s CISO is focused on balancing incident response capabilities with data security by ensuring Falcon Analysts can view files on affected endpoints but cannot extract or manipulate them. This is a common requirement in environments where strict data governance and internal control policies are enforced.
The “Real Time Responder – Read Only Analyst” role is designed precisely for this situation. This role grants read-only access to the Real Time Response (RTR) tool in the Falcon platform. With this role, an analyst can browse file systems, open file contents, and examine system artifacts live on an endpoint, all without having the permissions needed to download, modify, or delete those files.
This limited yet powerful access enables teams to investigate incidents quickly and thoroughly without risking the unintentional (or malicious) exfiltration of sensitive data. This is a key capability for compliance with internal security frameworks and external regulations such as GDPR or HIPAA, where containment and visibility are needed but extraction must be controlled.
Let’s assess the incorrect options:
A. Remediation Manager provides elevated privileges focused on responding to threats, including quarantining files or executing response actions. While powerful, it exceeds the “view-only” requirement and thus fails the CISO’s intent to limit file movement.
C. Falcon Analyst – Read Only offers broad visibility across dashboards and detection logs, but does not provide access to RTR functions like live file exploration. It’s useful for alert monitoring, but not hands-on host interaction.
D. Real Time Responder – Active Responder gives active RTR access, including retrieving files from the host and running response commands that change its state, which is far more than the CISO intends to allow.
By assigning the Real Time Responder – Read Only Analyst role, organizations strike a precise balance between visibility and control, allowing analysts to work effectively within tight security parameters.
Question 10:
During testing, one of your development teams notices that Falcon repeatedly flags their custom application code as a detection. All such code is stored in a designated shared folder named "devcode".
Which configuration should be used to prevent these recurring false positives from interfering with development?
A. USB Device Policy
B. Firewall Rule Group
C. Containment Policy
D. Machine Learning Exclusions
Correct Answer: D
Explanation:
False positives can be highly disruptive in development environments, especially when security solutions like Falcon mistake custom or unsigned code for malicious behavior. In this case, developers are working within a controlled folder called “devcode”, and Falcon’s machine learning-based detection models are misidentifying the code as a threat.
The appropriate solution in such a case is to use Machine Learning Exclusions. These exclusions allow security teams to define trusted file paths, processes, or behaviors that should be ignored by the machine learning detection engine. By adding the "devcode" folder to the exclusion list, the system will treat its contents as non-suspicious, effectively eliminating recurring false alerts without disabling broader threat detection features.
This setting is especially useful in environments where continuous integration and testing are key workflows. Development teams often write scripts, install dependencies, or simulate traffic—all of which may resemble threat patterns. Machine Learning Exclusions enable security teams to maintain robust protection without standing in the way of innovation.
Now, let’s evaluate the incorrect options:
A. USB Device Policy relates to controlling access to external devices like USB drives. It’s useful for data loss prevention but has no bearing on how Falcon treats local file paths or development folders.
B. Firewall Rule Group controls network traffic rules, such as IP blocking or port control. It doesn't influence file-based detections and would not help in reducing false positives for code execution.
C. Containment Policy belongs to network containment, the response step that isolates a host after a detection has already occurred. It has no bearing on whether a file is detected in the first place.
Machine Learning Exclusions are specifically designed for use cases where legitimate processes or files are repeatedly misclassified. They provide a targeted and intelligent way to tune the detection engine without reducing security posture elsewhere.
Two caveats apply when using them. ML exclusions suppress only machine learning detections on the excluded path; behavioural (IOA) detections and sensor telemetry for that path continue, which is why they are preferable to sensor visibility exclusions for this purpose. And scope the pattern to the devcode folder itself, starting from the drive letter rather than a wildcard, because anything an attacker can write into an excluded folder inherits the exclusion.
Therefore, the correct answer is D – Machine Learning Exclusions.