Practice Free CCFA-200b CrowdStrike Falcon Certification Program Exam Questions Answers With Explanation

To quarantine files on the host, Falcon requires the relevant Next-Gen Antivirus prevention capability and Quarantine & Security Center Registration . Quarantine occurs after files are prevented by NGAV, so Falcon must first be configured to detect and prevent malicious executable content using the Next-Gen Antivirus prevention sliders, such as Cloud Machine Learning and Sensor Machine Learning prevention levels. The Quarantine & Security Center Registration setting then allows Falcon to quarantine executable files after NGAV prevention. On Windows workstations, enabling this setting also registers Falcon with Windows Security Center and can disable Microsoft Defender automatically. Malware Protection and Custom Execution Blocking relate to different prevention mechanisms, especially IOC-based blocking, but they are not the required pairing for NGAV quarantine. Behavior-Based Threat Prevention and Advanced Remediation Actions are also not the required quarantine configuration. Reference topics: Prevention Policy Settings, Next-Gen Antivirus, Quarantine, Quarantine & Security Center Registration.

Falcon quarantine is enabled through Prevention policy settings . Specifically, administrators configure Next-Gen Antivirus settings, prevention sliders, and the quarantine-related controls within the prevention policy assigned to the host. General Settings are used for tenant-wide administrative settings such as RTR MFA, not endpoint file quarantine behavior. Manual file deletion is not Falcon quarantine and lacks the controlled evidence-preserving workflow of a security product. System restore is an operating system recovery feature and is unrelated to Falcon policy enforcement. The course guide frames quarantine as part of the prevention policy stack: Falcon must first detect and prevent a malicious file, then the policy determines whether the file is quarantined on the host.

The new sensor update policy must be enabled and placed at a higher precedence than the broader policy assigned to all Windows servers. Falcon policy resolution is precedence-based when a host belongs to multiple host groups. In this scenario, each test Windows server belongs to both groups: the narrow “test Windows servers” group and the broad “all Windows servers” group. If the test policy has lower precedence, the broader Windows server policy wins and the test servers will not receive the new sensor update configuration. Falcon policy precedence uses ranking order where precedence 1 is higher than precedence 2, and the highest-ranking applicable policy becomes active on the host. This allows safe staged testing by making the narrow pilot policy outrank the general production policy while affecting only hosts in the test group. Manual installation or uninstallation is not required and would bypass Falcon’s managed sensor update workflow. Reference topics: Sensor Deployment, Sensor Update Policies, Host Groups, Policy Precedence.

The correct role is Falcon Security Lead. Falcon role guidance identifies Falcon Security Lead as a role that can manage detections, manage quarantined files, contain hosts, search events, reset user credentials, and view exclusions. Falcon Analyst – Read Only can view detections and exclusions but does not have management authority over quarantined files. Endpoint Manager is focused on sensor deployment, sensor configuration, update policies, and host group administration; it is not the role for quarantine management. Detections Exceptions Manager is associated with exception or exclusion-style administration, not quarantined file operations. Managing quarantined files includes operational actions such as reviewing quarantined items, releasing files, undoing releases, deleting quarantined files, and potentially downloading extracted files when permitted by configuration and role. Because quarantine actions can reintroduce files to endpoints or remove evidence, Falcon assigns this capability only to roles with sufficient security operations authority. Reference topics: User Management, Default Roles, Falcon Prevent Roles, Quarantined Files.

For a known false positive that is being blocked or quarantined, the best IOC action is Allow . In Falcon IOC Management, Allow is used to add known-good indicators to the allowlist so that Falcon does not continue treating them as malicious. Detect Only would continue generating visibility but would not necessarily resolve the operational disruption if the object is still being blocked by another setting. Prevent would explicitly block execution and is the opposite of the desired outcome. No action would leave the false positive unresolved. The CCFA policy and exclusions model emphasizes using the correct exclusion or allowlisting mechanism after validation. For hash-based or IOC-driven false positives, Allow is the direct remediation path.

The likely cause is that the laptop is not a member of a host group assigned to the custom prevention policy. Falcon policies are applied through host group membership and policy precedence. A policy must be enabled and assigned to one or more host groups; Falcon then applies the policy settings to hosts based on their group membership. If a host is not in any group assigned to an enabled custom policy, it automatically receives the Default Policy. Since the custom policy is already enabled and successfully running on more than 1,000 other hosts, the policy itself is functioning correctly. The issue is therefore not sensor health, firewall connectivity, or a manual prompt. Falcon does not require a 24-hour waiting period before applying custom policies to newly installed hosts, and administrators do not manually approve policy application on the endpoint through a local prompt. The resolution is to verify the laptop’s group membership, dynamic group criteria, tags, OU, hostname pattern, or other assignment rule used by the custom policy’s host group. Reference topics: Policy Application, host group membership, default policy fallback, prevention policy assignment.

A custom IOA rule is not fully functional until its rule group is assigned to a prevention policy . Custom IOAs are created inside rule groups, and those groups must be enabled. However, Falcon applies custom IOA rule groups to endpoints through prevention policies. If the rule and rule group are enabled but not assigned to a prevention policy that applies to the target hosts, the rule will not trigger detections. There is no requirement to manually trigger the rule, and hosts are not individually selected as the primary application method. Host targeting occurs through prevention policy assignment to host groups. The CCFA guide explicitly states that rule and group enablement alone is insufficient without prevention policy assignment.

The correct troubleshooting step is to check the CrowdStrike Windows Sensor log file for errors. Falcon sensor uninstall and maintenance operations are protected processes, especially when uninstall protection or tamper protection is enabled. Force-stopping services or deleting directories manually can damage the installation, leave drivers or services in an inconsistent state, and complicate remediation. Rebooting may be necessary in some cases, but it should not be the first diagnostic action when the uninstall appears stuck. The Windows sensor deployment guidance directs administrators to review sensor logs when installation, connection, or uninstall behavior is abnormal. Logs provide the error context needed to determine whether the issue is a token, policy, service dependency, installer state, or connectivity problem.

Because the alert is triggering on a specific Falcon IOA, the correct remediation is to create an IOA exclusion scoped to the relevant file path or behavior. IOA exclusions are specifically intended to reduce false-positive behavioral detections and preventions. A generic file exclusion may be too broad or may not suppress the behavioral IOA. A Custom IOC Allow is more appropriate for hash or indicator-based decisions, not a behavior-based detection. Creating a separate host group with a less restrictive policy weakens protection across development systems and is unnecessarily broad. CCFA guidance favors the narrowest effective exception, applied to the specific detection logic and path involved. Therefore, an IOA exclusion is the correct administrative control.

MFA for Real Time Response is configured under General settings . Falcon Administrators can enable Real Time Response identity verification from Support and resources > Resources and tools > General settings. This applies Falcon MFA to high-risk RTR operations according to the configured trigger, such as before connecting to a host or before executing sensitive commands like run or kill. Response policies determine which RTR commands are available to hosts and users, but they do not configure MFA enforcement. Notifications and containment policies are unrelated to RTR identity verification. The course guide highlights that RTR MFA applies broadly to users in the CID once enabled, regardless of response policy assignment, making General settings the correct administrative location.

The likely cause is that Redact HTTP Detection Details is enabled in the prevention policy. Falcon HTTP detections can include privacy-sensitive details such as URLs, raw HTTP headers, and POST bodies when that information is present and relevant to the detection. However, the prevention policy includes a privacy control that redacts these details before they are sent to the CrowdStrike cloud. The documentation states that enabling Redact HTTP Detection Details removes this sensitive HTTP detection data while still allowing HTTP detections to be generated. This means the detection itself can still appear, but the additional context is intentionally absent. Aggressive or cautious ML settings do not explain missing HTTP headers or POST body content. A perimeter firewall block would affect whether the communication occurs, not selectively redact detection details. If HTTP detections were never enabled, the issue would be absent detections, not detections with missing sensitive fields. Reference topics: Policy Application, Prevention Policy Settings, HTTP Detections, Redact HTTP Detection Details.

Excluding mobile devices, Falcon network containment applies to Windows, Linux, and macOS hosts running the Falcon sensor . Network containment is a host-level response action that restricts a system’s network connectivity while maintaining required communication with CrowdStrike cloud services. Falcon allows administrators to contain hosts directly from host or detection workflows, and the official guidance states that Windows, Mac, and Linux hosts can be contained from the detection summary panel. Falcon Container is not the correct inclusion here because the documentation notes that Falcon Container does not support network containment for pods. Therefore, any answer including container hosts is overbroad. Windows-only, Mac-only, or Linux-only combinations are incomplete because Falcon supports containment across the three primary endpoint operating systems. The practical requirement is that the endpoint must be running the Falcon sensor and must be a supported host type for containment. Reference topics: Host Management and Setup, Network Containment, Containment Actions, Supported Host Platforms.

After clicking Disable Detections for a host, detections for that host are removed from the console immediately, and new detections do not display going forward unless detections are re-enabled. This action suppresses console detection visibility for the host; it does not uninstall the sensor or stop the sensor from operating. Existing detection data remains available in Event Search, but it is removed from the Endpoint detections console view. This distinction is important: disabling detections affects detection display and DetectionSummaryEvent behavior, not all telemetry collection or prevention policy processing. The course guide contrasts this with deleting a host, where prior detections remain visible. For Disable Detections specifically, the immediate console effect is removal of detections.

The correct choice is to create a dynamic group with assignment criteria set to OS Version = Windows 10 . Dynamic host groups automatically add hosts when they match the assignment rule and automatically remove hosts when they no longer match. This is the correct group type when the requirement is to continuously include all applicable hosts across the environment without manual maintenance. Falcon’s host group documentation states that dynamic groups can use attributes such as grouping tags, IP/CIDR range, OS version, Active Directory OU, and hostname prefix or suffix, and that matching hosts are automatically added. Static groups would require manually adding each Windows 10 host and would not automatically include newly deployed Windows 10 systems. OS Type Workstation is also insufficient because it identifies a device type, not a specific operating system version. Reference topics: Group Creation, Dynamic Host Groups, Assignment Rules, OS Version Filtering.

The likely restriction is that Custom Scripts is not enabled in the response policy. RTR permissions are controlled by both user role and response policy. An Active Responder can run certain custom scripts when the host’s response policy permits Custom Scripts. If that setting is disabled, the user may have the correct RTR role but still be blocked from executing the script on that host. Put-and-Run is associated with uploading and running executables and is broader than the custom-script control. Script-Based Execution Monitoring is a prevention visibility setting, not an RTR permission. RTR Administrator is required for creating custom scripts and some higher-risk actions, but an Active Responder can execute allowed custom scripts when policy permits.

Falcon uses role-based access control. Permissions are enabled inside roles, and then those roles are assigned to users. This allows administrators to apply least privilege by creating roles that contain only the specific permissions required for a task or module. Users do not receive all permissions by default, and permissions are not generally assigned one-by-one directly to users as a primary model. The role defines what actions can be performed, such as managing users, editing policies, creating exclusions, managing custom IOAs, or using RTR capabilities. The course guide explains that custom roles are built by enabling the required permission groups and disabling unrelated permissions. This supports operational separation of duties and auditability.

The correct setting is Uninstall and Maintenance Protection . In Falcon, this control is configured inside Sensor Update Policies and is specifically designed to prevent unauthorized sensor removal or maintenance operations. The official guidance states that the “Uninstall and maintenance protection” setting prevents unauthorized uninstallation of the sensor and controls whether a local administrator can manually update or uninstall the sensor. When enabled, uninstalling, repairing, unloading, downgrading, or manually upgrading the sensor requires a valid maintenance token. For supported Windows sensor versions, this protection can also prevent unauthorized modification of sensor grouping tags, which helps stop users from moving endpoints into less restrictive policy assignments. The course guide recommends keeping this setting enabled for normal production policies and creating a separate temporary maintenance policy only when legitimate sensor changes are required. “Installation and Maintenance Protection,” “Sensor Version Control Protection,” and “Update and Management Protection” are not the official Falcon setting names. Reference topics: Sensor Deployment, Sensor Update Policies, Maintenance Tokens, Uninstall Protection.

The correct location is the Workflow Execution log. Fusion SOAR separates configuration change history from workflow run history. The Workflow Audit log is used to review changes made to workflows, such as edits, versions, or modifications by users. The Execution log is the operational record of workflow activity. It shows every time workflows are triggered, along with execution date, execution status, trigger, action, and workflow name. It also allows administrators to inspect execution details, including whether the workflow completed successfully, failed, or is still in progress. The course guide states that administrators should go to Fusion workflows > Execution log to review each workflow execution and examine where a workflow may have failed. This makes it the correct source for success and failure history. Falcon UI Audit Trail is broader administrative auditing, and Custom Alert History is not the Fusion SOAR execution history location. The correct CCFA topic alignment is Workflows, specifically Fusion SOAR monitoring and execution review.

The correct action is to use the built-in Fusion SOAR OverWatch detection remediation and prioritization playbook. This playbook is specifically designed to automate response when Falcon OverWatch flags an endpoint detection. The documented workflow actions include setting the endpoint detection status to In Progress, containing the device where the detection occurred, adding associated identity and endpoint context to watchlists when applicable, and sending an email notification. This directly satisfies leadership’s requirement for immediate containment and notification of the appropriate internal staff. Emailing the OverWatch team is not the correct operational response because OverWatch has already generated the detection; the customer SOC or incident response team must be notified. Creating a new detection is also incorrect because the detection already exists. Blocking the detection is not a valid response action; containment is the host-level control. Reference topics: Fusion SOAR Playbooks, OverWatch Detection Remediation and Prioritization, Host Containment Automation.

The workflow must be tied to an Event trigger for EPP detections and refined with conditions that identify the pentest host, such as hostname or Agent ID. A workflow that assigns all EPP detections to yourself would be overly broad and would affect unrelated detections. The question asks for detections related to your pentest, which requires trigger refinement. Creating an alert is not the preferred Falcon Fusion automation path, and creating an IOC for the host is conceptually incorrect because IOCs represent indicators such as hashes, domains, IPs, or file names, not assignment logic. Fusion SOAR conditions use parameters, operators, and values to filter when a workflow should execute. Once matched, the workflow action can assign the detection to the appropriate analyst.

Sensor health reporting provides current operational status of sensors. Its purpose is to help administrators identify whether sensors are online, offline, in reduced functionality, properly reporting, or otherwise in a state requiring attention. User login history belongs to account or identity-related telemetry, not sensor health. Local performance metrics may be relevant during troubleshooting but are not the primary sensor health report objective. Network traffic patterns are investigated through event search, network telemetry, or other dashboards, not basic sensor health. CCFA dashboards and reports topics emphasize using sensor health and sensor reports to monitor deployment status, operational readiness, sensor connectivity, and coverage across the environment so that administrators can quickly locate hosts requiring remediation.

The correct administrative action is to add the architect’s email address to the managed recipient list for standard incident and detection notification emails in General settings. Falcon standard notification behavior already matches the stated requirement: CrowdStrike sends email notifications for detections with severity of medium or higher and sends incident notifications when a new incident reaches a CrowdScore of 1.0 or higher. The recipient list is managed from Support and resources > Resource and tools > General settings under “Manage list for detection and incident emails.” Creating a Falcon user or assigning a custom role does not automatically subscribe the architect to these standard email notifications. A Fusion SOAR workflow could send email, but it is unnecessary because the native notification mechanism already exists and is designed for this use case. The Detections and Exceptions Manager role controls exception management, not notification enrollment. CCFA reference topics: Falcon Notifications, General Settings, Standard Incident and Detection Notification Emails, Dashboards and Reports.

The correct parameter is VDI=true. In virtual desktop or cloned virtual machine scenarios, Falcon must avoid duplicate Agent IDs across clones. Persistent clone workflows require sensor installation to be performed with the correct VDI parameter so that each cloned endpoint registers properly and receives a unique identity. ProvNoWait=1 is used for provisioning-timeout behavior and does not address duplicate Agent IDs. NO_START=1 is used in some deployment contexts to delay sensor start but is not the VDI identity control. VM=True is not the documented Falcon parameter. CCFA sensor deployment guidance treats VDI and golden-image preparation as a distinct deployment pattern because cloning a sensor incorrectly can duplicate identity and corrupt host tracking, policy assignment, and detection attribution.

The correct answer is to implement a Sensor Visibility Exclusion on the particular host. An SVE suppresses visibility for specified activity so that known, approved testing does not flood the Falcon console with detections or events that leadership does not need to track. This is more targeted than disabling all detections on a host and more appropriate than generating additional workflow notifications. Using RTR to kill the process would interfere with the authorized penetration test. Temporarily disabling detections may remove existing detections and suppress all detection reporting from that host, which is broader and riskier than applying a scoped exclusion. CCFA exclusion guidance stresses selecting the narrowest exclusion type that matches the operational requirement while preserving meaningful security visibility elsewhere.

The correct report is Machine Learning Prevention Monitoring . This report helps administrators understand how machine-learning policy levels affect detection and prevention volume. It is useful during policy tuning because Falcon machine-learning settings can be staged from detection-focused configurations to prevention-focused configurations. Administrators can use this data to estimate how many events would be detected or blocked at different ML aggressiveness levels and then adjust policies with fewer surprises. Falcon Prevention Policy Debug is not the reporting feature designed for this purpose, and the Prevention Policy Audit Trail tracks administrative changes rather than activity volume. The CCFA policy tuning model relies on measuring detection and prevention outcomes before increasing enforcement, especially during staged deployment phases.