
Let's Understand the CrowdStrike Certified Falcon Administrator (CCFA) Certification Program

Apr 27, 2023 · 7 min read · Amit Masih

What is the CrowdStrike Certified Falcon Administrator (CCFA) Certification?

The CrowdStrike Certified Falcon Administrator (CCFA) certification is a credential that validates the ability to manage the CrowdStrike Falcon® platform. This cloud-native endpoint protection solution uses artificial intelligence and behavioral analysis to detect and prevent cyberattacks. The CrowdStrike CCFA certification is ideal for the administrator or any analyst with access to the administrative side of the Falcon platform.

You must pass a 60-minute exam to earn the CCFA certification. The exam will evaluate your knowledge, skills, and abilities to perform the following:

  • Effective user management   
  • Deploying and managing the Falcon sensor
  • Configuring deployment and prevention policies based on business risk
  • Configuring allowlists, blocklists, and file-path exclusions
  • Conducting administrative reporting

The CrowdStrike Certified Falcon Administrator (CCFA) certification exam consists of 50 multiple-choice questions and has a passing score of 80%.

About the exam 

The CrowdStrike Certified Falcon Administrator (CCFA) certification exam is 90 minutes long and has 60 questions. The questions are clear and straightforward, without confusing wording, double negatives, or fill-in-the-blank questions. The exam has been carefully reviewed by technical and non-technical experts and taken by various candidates.

Prerequisites

To take the CCFA certification exam, candidates should have at least six (6) months of experience with CrowdStrike Falcon in a production environment. Candidates should be able to read English well enough to understand the exam questions; the exam is appropriate for non-native English speakers.

Exam scope

As a general guideline, the following topics are likely to appear on the exam, but other related topics may also be included in specific delivery formats:

  • User Management 
  • Sensor Deployment 
  • Host Management 
  • Group Creation 
  • Prevention Policies 
  • Custom IOA Rules 
  • Sensor Update Policy 
  • Quarantine Files 
  • IOC Management 
  • Containment Policies 
  • Exclusions 
  • Reports 
  • Real-Time Response Policy/Audit Logs 
  • API Clients and Keys 
  • Notification Workflow 

Exam objectives

This CrowdStrike Certified Falcon Administrator (CCFA) certification exam is structured according to the following subtopics and learning objectives:

USER MANAGEMENT

  • Determine roles required for access to features and functionality in the Falcon console
  • Describe the capabilities and limitations of each RTR role 
  • Create a new user, delete and edit a user, etc. 

SENSOR DEPLOYMENT

  • Analyze the pre-installation OS/networking requirements before installing the Falcon sensor. 
  • Analyze the default policies and apply best practices to prepare workloads for the Falcon sensor. 
  • Apply appropriate settings to successfully install a Falcon sensor on Windows, Linux, and macOS 
  • Apply basic sensor install requirements and installation processes 
  • Apply additional/advanced options for images/VDIs, tokens, and tags 
  • Uninstall a sensor 
  • Troubleshooting 
  • Recognize issues with basic configuration requirements in the system environment or Falcon components 
  • Resolve policy settings, permissions, and threshold issues 
  • Perform root cause analysis related to system/user issues 

HOST MANAGEMENT

  • Propose how filtering might be used on the Host Management page 
  • Disable detections for a host 
  • Explain the effect of disabling detections on a host 
  • Explain the impact of reduced functionality mode (RFM) and why it might be caused 
  • Find hosts in RFM 
  • Find inactive sensors 
  • Recall how long inactive sensors are retained to define your data backup plan. 
  • Determine which reports to use when reporting on information relating to a host. 
  • Explain the importance of understanding your company's Falcon Insight data retention timeframe. 

GROUP CREATION

  • Determine the appropriate group assignment for endpoints and understand how this impacts the application of policies
  • Describe policy types, components, applications, and workflow 
  • Define precedence, groups, and best practices 

PREVENTION POLICIES

  • Determine the appropriate prevention policy settings for endpoints and explain how this impacts the security posture
  • Demonstrate what the default policy is used for and apply best practices when configuring default policies 
  • Configure a detection-only policy 
  • Explain what Machine Learning is "on sensor" vs. "the cloud." 
  • Describe what each of the different policy-setting options does 
  • Define NextGen AV Settings 
  • Describe what End User Notifications do 
  • Assign a prevention policy to groups and hosts 
  • Explain what precedence does regarding prevention policies 
  • Describe policy best practices 

CUSTOM IOA RULES

  • Create custom IOA rules to monitor behavior that is not fundamentally malicious. 

SENSOR UPDATE POLICIES

  • Determine the appropriate sensor update policy settings and related general settings to control the update process
  • Define an update policy
  • Demonstrate what the default policy is used for and apply best practices when configuring default policies 
  • Describe what auto-update does 
  • Explain separate policies for Mac/Win/*nix
  • Explain where build versions are visible for a single sensor or across your environment
  • Describe what precedence does regarding sensor update policies 

QUARANTINE FILES

  • Apply options required to manage quarantine files. 

IOC MANAGEMENT

  • Assess IOC settings required for customized security posturing and to manage false positives. 

CONTAINMENT POLICY

  • Configure an allowlist of the appropriate IP addresses while the network is under containment based on security workflow requirements 
  • Describe what a containment policy does 
  • Allowlist network traffic so it can connect to contained hosts 

EXCLUSIONS

  • Interpret business requirements to allow trusted activity, resolve false positives, and fix performance issues
  • Write an effective file exclusion rule using glob syntax 
  • Apply File Pattern Exclusions to groups 
  • Demonstrate how to manage exclusion rules 

SENSOR REPORTS

  • Explain the different types of sensor reports and what each report provides
  • Explain what information is contained in Machine-Learning Prevention Monitoring Report 
  • Explain what information is in the Falcon UI Audit Trail Report 
  • Explain what information is in the API Audit Trail, Prevention Policy Audit Trail, Prevention Hashes, Ignored Reports 
  • Explain what information is in the Prevention Policy Debug Report 
  • Explain what information a Linux Sensor Report will provide 
  • Explain what information a Mac Sensor Report will provide 
  • Explain the differences between the visibility and hunting reports 
  • Explain the information shown in the logon activity report 
  • Explain the information shown in the remote logon activity report 
  • Explain the information shown on the remote access graph 
  • Explain the information shown on the map of unique hosts connecting to countries
  • Explain what information can be found in the visibility reports 
  • Write an effective custom alert rule 

REAL TIME RESPONSE POLICY/AUDIT LOGS

  • Apply roles and policy settings, and track and review RTR audit logs to manage user activity. 

API CLIENTS AND KEYS

  • Manage API Keys

NOTIFICATION WORKFLOW

  • Configure custom alerts to notify individuals about policies, detections, and incidents

The final say

The CrowdStrike Falcon® Certification program equips professionals with the skills and knowledge to use the latest endpoint detection and response (EDR) technology tools and cyber threat intelligence to defend their organization against sophisticated cyberattacks. The program teaches professionals how to detect, prevent and stop breaches using the CrowdStrike Falcon® platform, a cloud-native endpoint protection solution.

If you want to take the CrowdStrike CCFA certification exam, we can only help you pass the exam on your first attempt. CBT Proxy has helped IT professionals achieve their certification goals for over a decade. To know more about the CCFA certification exam and how to get started, click the chat options below, and one of our guides will contact you shortly. 
