Is the CCFA practice exam free?

Yes. ExamCademy offers all 243 CCFA practice questions for free with a registered account. No payment needed. Optional supporter features add AI explanations and spaced repetition study tools.

How accurate are the CCFA practice questions?

All CCFA questions are community-created and reviewed by moderators to align with CrowdStrike's published exam objectives. The community continuously reports and fixes issues to keep content accurate and up to date.

How should I study for the CCFA exam?

Start by browsing practice questions to identify weak areas. Use spaced repetition (Learn Mode) to focus study time on topics you struggle with. Combine practice questions with official CrowdStrike documentation and hands-on experience for best results.

CCFA Practice Exam — Free 243+ Questions

243Practice Questions

3Study Modes

FreeTo Get Started

Topic:Sort:

Question 1

User Management

Question 2

Sensor Deployment

Question 3

Policy Application

Question 4

Host Management and Setup

Question 5

Sensor Deployment

Question 6

Dashboards and Reports

Question 7

Sensor Deployment

Question 8

Rule Configuration

Question 9

Sensor Deployment

Question 10

Dashboards and Reports

Question 11

Policy Application

Question 12

Host Management and Setup

Question 13

Workflows

Question 14

Rule Configuration

Question 15

Rule Configuration

Question 16

Sensor Deployment

Question 17

Host Management and Setup

Question 18

Policy Application

Question 19

Policy Application

Question 20

Sensor Deployment

Question 21

User Management

Question 22

Sensor Deployment

Question 23

Rule Configuration

Question 24

Dashboards and Reports

Question 25

Policy Application

Page 1 of 10 • Questions 1-25 of 243

1 2 3 4 5

→

Know a question that should be here? Contribute to this exam

On which page of the Falcon console can one locate the Customer ID (CID)?

A API Clients and Keys
B Sensor Dashboard
C Hosts Management
D Sensor Downloads

If you are not able to update your Falcon sensors on a regular basis, what is the maximum recommended aging period before updating your sensors?

A 7 days
B 60 days
C 90 days
D There is no maximum aging period

What best describes what happens to detections in the console after clicking "Disable Detections" for a host from within the Host Management page?

A Preventions will be disabled for the host
B You cannot disable detections for a host
C The detections for the host are removed from the console immediately and no new detections will display in the console going forward
D Existing detections for the host remain, but no new detections will display in the console going forward

When a Linux host is in Reduced Functionality Mode (RFM) what telemetry and protection is still offered?

A The sensor would provide minimal protection
B The sensor provides no protection, and only collects Sensor Heart Beat events
C The sensor would function as normal
D The sensor would provide protection as normal, without event telemetry

What internet domain needs to be added to any required allowlists to allow sensors to communicate with the CrowdStrike Cloud?

A falconcloud.net
B cloudprotect-cs.net
C cloudsink.net
D csfalcon.net

Why would you use the Prevention Policy Debug Report?

A To confirm that prevention policy precedence was applied to hosts
B To confirm the number of detections on a host
C To confirm that prevention policy settings were applied to a host
D To confirm the number of host groups to which a policy was applied

The Falcon sensor uses certificate pinning to defend against man-in-the-middle attacks. What must you ensure is disabled for the sensor to communicate with the CrowdStrike Cloud?

A Proxy information
B Deep packet inspection
C NMAP scanning
D TCP inspection

After Network Containing a host, your Incident Response team states they are unable to remotely connect to the host. Which of the following would need to be configured to allow remote connections from specified IP's?

A Response Policy
B IP Allowlist Management
C Maintenance Token
D Containment Policy

Assume the Falcon Sensor was installed on a Virtual Machine template using the installation parameter NO_START=1. Afterward, the Virtual Machine template is rebooted. What is the effect on the Falcon Sensor after reboot?

A The Falcon Sensor would start, but only send a heartbeat to the Falcon console
B The Falcon Sensor would not automatically start on reboot. It would have to be manually started
C The Falcon Sensor would disable BIOS checks at startup
D The Falcon Sensor would start at reboot and generate an Agent ID

The Remote Access Graph in Visibility Reports displays:

A a bar chart where a bar represents a daily count of remote connections
B a geographical chart showing the geo-location of remote IP address
C a graph showing connections between hosts and users
D a pie chart showing a count per remote logon type

Which of the following policies allowlist network traffic even while a host is Network Contained?

A Firewall Policy
B IP Allowlist Policy
C Response Policy
D Containment Policy

An inactive host that does not contact the Falcon cloud will be automatically removed from the Host Management and Trash pages after how many days?

A 75 Days
B 45 Days
C 60 Days
D 90 Days

What three things does a workflow condition consist of?

A Notifications, alerts, and API's
B Triggers, actions, and alerts
C A parameter, an operator, and a value
D A beginning, a middle, and an end

When editing an existing IOA exclusion, what can NOT be edited?

A The exclusion name
B All parts of the exclusion can be changed
C The IOA name
D The hosts groups

When creating a custom IOA for a specific domain, which syntax would be best for detecting or preventing on all subdomains as well?

A .*.baddomain.xyz|baddomain.xyz
B baddomain.xyz|baddomain.xyz
C .baddomain.xyz|baddomain.xyz.
D Custom IOA rules cannot be created for domains

Which of the following tools developed by CrowdStrike is intended to help with removal of the CrowdStrike Windows Falcon Sensor?

A CSUninstallTool.exe
B UninstallTool.exe
C CrowdStrikeRemovalTool.exe
D FalconUninstall.exe

How many days will an inactive host remain visible within the Host Management or Trash pages?

A 90 days
B 120 days
C 15 days
D 45 days

Which of the following steps are required to delete a sensor update policy?

A Remove the policy from all assigned host groups, disable the policy, then click Delete from the policy's settings
B From the policy's settings, disable all toggles first, then click Delete
C Remove the policy from all assigned host groups, then click Delete from the policy's settings
D From the policy's settings, disable the policy, then click Delete

What best describes the relationship between Sensor Update policies and Operating Systems?

A Sensor Update polices are not Operating System specific. One policy can be applied to all Operating Systems
B A Sensor Update policy must be configured for each Operating System (Windows, Mac, Linux)
C Windows and Mac share Sensor Update policies. Linux requires its own set of polices based on the different kernel versions
D Windows has its own Sensor Update polices. But Mac and Linux share Sensor Update policies

Which option best describes the general process for a manual installation of the Falcon Sensor on MacOS?

A Grant the Falcon package Full Disk Access, install the Falcon package, load the Falcon Sensor with the command 'falconctl stats'
B Install the Falcon package passing it the installation token in the command line
C Install the Falcon package, use falconctl to license the sensor, approve the system extension, grant the sensor Full Disk Access
D Grant the Falcon package Full Disk Access, install the Falcon package, use falconctl to license the sensor

Which user role will NOT enable the user to connect to a host using Real Time Response?

A Real Time Response -Administrator
B Real Time Response - Active Responder
C Real Time Response - Read-Only Analyst
D Falcon Administrator

What is the earliest version of Windows Server that a Sensor is compatible with?

A Server 2012
B Server 2003
C Server 2008 R2 SP1
D Server 2008

Your development team is working on a new enterprise application, but Falcon starts creating alerts during testing. The alert points to, "C:\Users\Bob\DevCode\felix.dll". In the detection, you see that it's triggering only on a specific Falcon IOA. What would be the best course of action for this situation?

A Create a sensor visibility exclusion for "C:\Users\Bob\DevCode\felix.dll"
B Create an IOA exclusion for "C:\Users\Bob\DevCode\felix.dll"
C Create a Custom IOC and set it to "Allow" for "C:\Users\Bob\DevCode\felix.dll"
D Manually turn off the built-in IOA through prevention policies

Which report lists counts of sensors in Reduced Functionality Mode (RFM) for all operating system types, and tracks how long a sensor version will be supported?

A Reduce Functionality Audit Report
B Inactive Sensor Report
C Sensor Health Report
D Sensor Coverage Lookup

What will happen to a host that is not part of any group which has a prevention policy assigned to it?

A The host will apply the default prevention policy
B The host will apply a sensor-based policy to prevent a majority of known threats
C The host will send a notification to the Falcon Administrator to assign a prevention policy
D The host will disable the falcon sensor

CCFAPreview

About the CCFA Exam

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25

CCFAPreview

About the CCFA Exam

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25