CrowdStrike CCFA-200b CrowdStrike Falcon Certification Program Exam Practice Test

Falcon supports standard IP address and CIDR-based notation when defining or searching network address ranges. CIDR notation represents an address and prefix length, such as 192.168.5.1/24, and is the correct structured format among the choices. The other answer choices contain malformed spacing, invalid separators, or unsupported range syntax. Falcon documentation specifically identifies CIDR notation as an accepted method for defining IP ranges, while also noting that single IP addresses and defined ranges may be used depending on the feature. In Host Management and related policy configuration areas, using valid address notation is critical because malformed IP syntax will either be rejected or fail to match hosts correctly. The correct answer is therefore the CIDR-formatted option, not the informal or incorrectly spaced alternatives.

To quarantine files on the host, Falcon requires the relevant Next-Gen Antivirus prevention capability and Quarantine & Security Center Registration . Quarantine occurs after files are prevented by NGAV, so Falcon must first be configured to detect and prevent malicious executable content using the Next-Gen Antivirus prevention sliders, such as Cloud Machine Learning and Sensor Machine Learning prevention levels. The Quarantine & Security Center Registration setting then allows Falcon to quarantine executable files after NGAV prevention. On Windows workstations, enabling this setting also registers Falcon with Windows Security Center and can disable Microsoft Defender automatically. Malware Protection and Custom Execution Blocking relate to different prevention mechanisms, especially IOC-based blocking, but they are not the required pairing for NGAV quarantine. Behavior-Based Threat Prevention and Advanced Remediation Actions are also not the required quarantine configuration. Reference topics: Prevention Policy Settings, Next-Gen Antivirus, Quarantine, Quarantine & Security Center Registration.

The most efficient dynamic grouping criterion is Type: Workstation . Host type is specifically intended to distinguish categories such as workstation, server, or domain controller. Using OU may work only if Active Directory structure is perfectly aligned and consistently maintained, which is not guaranteed. Grouping tags require prior tag assignment during installation or post-install configuration, adding administrative dependency. Platform Windows would include Windows servers and possibly other Windows systems that are not workstations. The CCFA group creation topic emphasizes using the most precise available host attribute for dynamic group membership. Since the desired group is all workstations, Type: Workstation directly maps to the requirement and avoids broader or manually dependent criteria.

The correct approach is to create a custom IOA rule that monitors process creation matching .*\\remote\.exe. The goal is to generate a detection for review when an authorized remote access executable runs. Custom IOAs are specifically suited for detecting organization-specific behaviors, including process creation based on executable path or command-line patterns. An exclusion would suppress detections, not create them. A scheduled search may find process events after the fact, but it does not create a Falcon detection in the same way a custom IOA does. An IOC for remote.exe would be less precise unless based on a hash and would not express the behavioral “process creation” condition. The course guide identifies custom IOA process creation rules as the correct tool for this use case.

Falcon user permissions are defined through roles, and those roles can be either default roles or custom roles. A user gains permissions by being assigned one or more roles, and Falcon grants the combined permissions enabled across all assigned roles. Default roles provide predefined permission sets for common operational responsibilities, while custom roles allow administrators to restrict or expand access for specialized duties. Permissions are not assigned one-by-one directly during user account creation as the primary model. A user also does not need a default role before receiving a custom role; custom roles can be assigned as needed after they are created and validated. Custom role permission sets are scoped to the customer environment and are not globally shared across all CrowdStrike customers. This role-based model supports least privilege, separation of duties, and auditable administrative access. Reference topics: User Management, Role Management, Default Roles, Custom Roles, Permissions.

Prevention policies are assigned through host group membership. Falcon uses host groups as the scalable policy-targeting mechanism for prevention, sensor update, response, containment-adjacent workflows, and other policy families. Administrators assign one or more host groups to a policy; hosts inherit the applicable policy according to group membership and policy precedence. Direct per-host policy assignment is not the normal Falcon model because it does not scale and bypasses group-based governance. IP ranges can be used as dynamic group criteria in some contexts, but the policy itself is still assigned to a host group, not directly to the IP range. Manual configuration on each endpoint is not used for Falcon cloud-managed prevention policy enforcement.

The Real Time Response audit log records operational details about RTR sessions, including who connected, which host was accessed, when the session began, how long it lasted, which commands were run, and files retrieved through RTR activity. The course guidance describes the RTR sessions audit log as a history of recorded activity for the CID’s Real Time Response sessions. It includes session start time, session status, user, hostname, connected-from source, commands used, and session duration. Session details also include host details, retrieved files, and detections, with command history subject to specific exclusions such as help, clear, and history, which are not recorded. Option A describes host inventory and policy context rather than RTR session auditing. Option B is incomplete and emphasizes command return results, which is not the core listed audit-log summary. Option D is incorrect because RTR activity is explicitly collected in audit logs. CCFA reference topics: Real Time Response, RTR Audit Logs, Session Details, Host Management and Setup.

The correct troubleshooting step is to check the CrowdStrike Windows Sensor log file for errors. Falcon sensor uninstall and maintenance operations are protected processes, especially when uninstall protection or tamper protection is enabled. Force-stopping services or deleting directories manually can damage the installation, leave drivers or services in an inconsistent state, and complicate remediation. Rebooting may be necessary in some cases, but it should not be the first diagnostic action when the uninstall appears stuck. The Windows sensor deployment guidance directs administrators to review sensor logs when installation, connection, or uninstall behavior is abnormal. Logs provide the error context needed to determine whether the issue is a token, policy, service dependency, installer state, or connectivity problem.

When an API client is created in Falcon, the generated credential pair is the Client ID and Secret . These two values identify and authenticate the integration when it requests access to Falcon APIs. The official API client workflow directs administrators to go to Support and resources > Resources and tools > API clients and keys, create the API client, assign the required scopes, and then copy the client ID and secret from the API client created dialog. The secret must be stored securely because it is not visible again after the credential window is closed. Customer ID or CID is used for tenant and sensor-related identification, not API authentication. OAuth2 tokens are generated later by using the client ID and secret; they are not the initial credential pair. Reference topics: User Management, API clients and keys, OAuth2-based API authentication, third-party integration credentials.

IP addresses are added to a containment policy to allow contained hosts to communicate with specific trusted resources during network containment. Network containment isolates the host to reduce attacker movement while maintaining required Falcon cloud communication. Organizations may need contained hosts to access patch servers, update sources, remediation infrastructure, domain services, or other tightly controlled internal systems. The purpose is not to automate containment based on IP address; automation is handled through workflows. Analyst permissions are controlled by user roles, not containment policy IP entries. Falcon console access is unrelated because containment policy applies to endpoint network communication, not administrative access to the web console. The course guide explicitly connects containment-policy IP allowances with patching and controlled access during containment.

The Customer ID with Checksum, often referred to as the CID or CCID/CIDC, is required when installing a new Falcon Sensor so the sensor can register to the correct Falcon customer environment. The deployment guidance repeatedly instructs administrators to copy the Customer ID checksum from Host setup and management > Deploy > Sensor downloads before running sensor installation. For macOS, the installer workflow requires running falconctl license with the customer ID checksum after installation. For Windows installations, the installer requires the Customer ID with Checksum value obtained from the Sensor downloads page. This value is not used to locate a host in Host Management, and it is not the normal control for defining host group criteria. Sensor uninstallation is controlled by maintenance tokens or uninstall protection settings, not CIDC. Reference topics: Sensor Deployment, Sensor downloads, Customer ID checksum, Windows and macOS sensor installation.

Red Hat Enterprise Linux is an operating system distribution and version family, so the most precise Host Management filter is OS version . Platform would generally distinguish broad operating system families such as Windows, macOS, or Linux, but it would not narrow results specifically to RHEL. Type identifies host form factor or role, such as desktop, server, or domain controller. OU refers to Active Directory organizational unit membership, which applies to directory-joined assets rather than Linux distribution identity. The course guide’s Host Management and dynamic grouping filter list identifies OS Version as the field used for the installed operating system version. Therefore, to locate RHEL systems, OS version is the most appropriate filter.

Sensor Tampering Protection is the prevention policy setting that blocks attempts to interfere with core Falcon sensor components. The official prevention policy guidance states that when this setting is enabled, it “blocks attempts to tamper with the sensor” and protects “sensor-related files, folders and registry objects from renaming or deletion.” If disabled, Falcon may still create detections for tampering attempts, but it will not block the activity. This distinction is important because attackers commonly attempt to disable or corrupt endpoint security tooling before establishing persistence, evading detection, or executing payloads. Host Modification Protection, System Configuration Protection, and Sensor Modification Protection are not the named Falcon prevention setting for this control. The correct CCFA topic alignment is Policy Application, specifically Prevention Policy Settings > Sensor Capabilities > Sensor Tampering Protection.

The correct setting is Moderate Level ML . Falcon’s prevention policy guidance recommends Moderate for most use cases, and the staged deployment model for environments with pre-existing antivirus begins with Phase 1, where machine-learning prevention is conservative while detection is used to triage and tune. The important CCFA concept is not to begin with Extra Aggressive or Aggressive prevention on a newly deployed host with another antivirus product, because that increases false-positive and compatibility risk. Cautious detects only when confidence is very high, but Falcon’s recommended baseline for practical protection is Moderate. The course guide states that Moderate detects or prevents when the machine-learning system has moderate confidence and is recommended for most use cases, while Extra Aggressive is not recommended outside penetration testing scenarios.

Manual macOS sensor installation requires approval for the Falcon system extension , Full Disk Access , and the network filter extension on supported macOS versions. Apple’s security model requires explicit authorization before endpoint security extensions and network content filtering components can load. Full Disk Access is required for the sensor to inspect protected filesystem locations and operate correctly. Omitting any one of these approvals can leave the sensor partially installed, unable to provide expected visibility, or unable to load required components. The course guide’s macOS deployment section identifies system extension approval and network filter authorization as required for Big Sur and later, and also states Full Disk Access must be granted for proper operation.

Sensor health reporting provides current operational status of sensors. Its purpose is to help administrators identify whether sensors are online, offline, in reduced functionality, properly reporting, or otherwise in a state requiring attention. User login history belongs to account or identity-related telemetry, not sensor health. Local performance metrics may be relevant during troubleshooting but are not the primary sensor health report objective. Network traffic patterns are investigated through event search, network telemetry, or other dashboards, not basic sensor health. CCFA dashboards and reports topics emphasize using sensor health and sensor reports to monitor deployment status, operational readiness, sensor connectivity, and coverage across the environment so that administrators can quickly locate hosts requiring remediation.

The correct report is Machine Learning Prevention Monitoring . This report helps administrators understand how machine-learning policy levels affect detection and prevention volume. It is useful during policy tuning because Falcon machine-learning settings can be staged from detection-focused configurations to prevention-focused configurations. Administrators can use this data to estimate how many events would be detected or blocked at different ML aggressiveness levels and then adjust policies with fewer surprises. Falcon Prevention Policy Debug is not the reporting feature designed for this purpose, and the Prevention Policy Audit Trail tracks administrative changes rather than activity volume. The CCFA policy tuning model relies on measuring detection and prevention outcomes before increasing enforcement, especially during staged deployment phases.

Because the detection is triggering only on a specific Falcon IOA, the correct remediation is an IOA exclusion scoped to the relevant detection context and file path. IOA exclusions are intended to reduce false-positive behavioral detections and preventions. Falcon guidance states that IOA exclusions “reduce false-positive detection alerts from IOAs” by stopping behavioral IOA detections and preventions, and they can be created directly from a CrowdStrike-generated detection or by duplicating an existing exclusion. A Custom IOC Allow would be appropriate for an indicator-based decision, such as a known-good hash, but this scenario is explicitly behavioral because the trigger is a Falcon IOA. Manually disabling the built-in IOA through prevention policies is too broad and weakens protection beyond the single development artifact. A sensor visibility exclusion would suppress sensor event visibility and is broader than required. CCFA reference topics: Detection and Prevention Policies, IOA Exclusions, Rule Configuration, false-positive handling.

The likely restriction is that Custom Scripts is not enabled in the response policy. RTR permissions are controlled by both user role and response policy. An Active Responder can run certain custom scripts when the host’s response policy permits Custom Scripts. If that setting is disabled, the user may have the correct RTR role but still be blocked from executing the script on that host. Put-and-Run is associated with uploading and running executables and is broader than the custom-script control. Script-Based Execution Monitoring is a prevention visibility setting, not an RTR permission. RTR Administrator is required for creating custom scripts and some higher-risk actions, but an Active Responder can execute allowed custom scripts when policy permits.

Inactive hosts are automatically removed from Host Management after 45 days of inactivity. Falcon considers hosts inactive when they have not reported to the cloud within the relevant timeframe. The Inactive Sensors reporting area is used to identify sensors that have not checked in, and the course guide notes that sensors inactive for more than 45 days are deleted from the active host view. This lifecycle behavior keeps Host Management from accumulating stale endpoint records indefinitely. Thirty days is too short for the default automatic removal period, and ninety days is longer than the documented default. Administrators should review inactive sensors regularly to identify decommissioned systems, connectivity problems, or deployment coverage gaps before records age out.

The correct installation parameter is ProvNoWait=1. During Windows sensor installation, the host must contact the CrowdStrike cloud to complete provisioning. By default, if the host cannot establish cloud connectivity within the provisioning window, the installer aborts and removes the sensor. For slow links, proxy delays, restricted networks, or troubleshooting scenarios, ProvNoWait=1 prevents the installer from aborting solely because cloud connectivity was not achieved within the default period. The course material describes this as the supported override for the provisioning timeout. The other options are not valid Falcon installer parameters for this purpose. Timeout=30 and Timeout=0 are generic-looking but not the documented Falcon provisioning override, while DelayedStart=1 does not address cloud provisioning failure.

When a host is network contained, Falcon restricts network communication while still allowing connectivity required for Falcon cloud operations. To permit patching or operating system update workflows during containment, administrators should add the IP addresses of trusted update sources to the containment policy. This is safer than allowing all internal IPs, which would weaken containment and potentially permit lateral movement. Host Firewall policy is not the correct control for containment exceptions, because containment policy governs traffic allowed while a host is isolated. Removing containment entirely would restore network access but would defeat the containment objective. The course guide specifically notes that patching contained hosts requires adding the Windows Update or patch source IP addresses to the containment policy.

The most stable automatic update setting is Auto-N-2 . Falcon sensor update policy options allow administrators to choose how aggressively hosts receive new sensor builds. Auto-Latest provides the newest version fastest, while Auto-N-1 lags one version behind. Auto-N-2 lags further behind and is therefore the most conservative automatic option because the build has had more time in the field before broad adoption. A pinned version can be stable temporarily, but it is not an automatic update level and can become outdated if not managed carefully. The course guide notes that Auto-N-1 and Auto-N-2 remain on known stable sensor versions and are designed to reduce update risk compared with latest-version deployment.

To quarantine files, Falcon requires the relevant Next-Gen Antivirus prevention capability and the quarantine setting. The correct pairing is Next-Gen Antivirus Prevention sliders with Quarantine & Security Center Registration . Quarantine does not operate independently; Falcon must first prevent the file through NGAV-related controls such as cloud or sensor machine-learning prevention. Once prevention occurs, the quarantine setting governs whether the prevented executable is quarantined on the host. Custom Execution Blocking is related to IOC-based blocking, not the general NGAV quarantine requirement. “Advanced Remediation Actions” and an “Aggressive quarantine level” are not the documented configuration pair. The course guide identifies quarantine under Next-Gen Antivirus and ties it to prevention-level configuration and Security Center registration.

The default role that allows viewing all analyst session details is Falcon Administrator . RTR-specific roles allow users to perform or view their own RTR activities according to their level, but the Falcon Administrator has broader administrative visibility across the CID, including all RTR session details. The RTR Administrator role has elevated RTR execution and script/file capabilities, but the course guide distinguishes complete administrative session visibility from RTR execution authority. Falcon Security Lead and RTR Read-Only Analyst do not provide all analyst session detail visibility. This separation is important because Falcon uses roles to distinguish operational response permissions from audit and administrative oversight. The correct default role for all-session visibility is Falcon Administrator.

The likely cause is that the laptop is not a member of a host group assigned to the custom prevention policy. Falcon policies are applied through host group membership and policy precedence. A policy must be enabled and assigned to one or more host groups; Falcon then applies the policy settings to hosts based on their group membership. If a host is not in any group assigned to an enabled custom policy, it automatically receives the Default Policy. Since the custom policy is already enabled and successfully running on more than 1,000 other hosts, the policy itself is functioning correctly. The issue is therefore not sensor health, firewall connectivity, or a manual prompt. Falcon does not require a 24-hour waiting period before applying custom policies to newly installed hosts, and administrators do not manually approve policy application on the endpoint through a local prompt. The resolution is to verify the laptop’s group membership, dynamic group criteria, tags, OU, hostname pattern, or other assignment rule used by the custom policy’s host group. Reference topics: Policy Application, host group membership, default policy fallback, prevention policy assignment.

The correct action is to create a Fusion SOAR workflow using the OverWatch remediation and prioritization playbook to contain the host and notify the SOC team. Fusion SOAR workflows automate response actions based on Falcon events. OverWatch detections are high-value human-hunted detections, and a predefined OverWatch playbook exists to support fast remediation actions such as containment, email notification, and related response steps. Emailing the OverWatch team is not the customer’s responsibility; the correct internal recipients are typically the SOC or incident response staff. Blocking “the detection” is not the correct workflow model because detections are records of observed behavior, while containment is the host-level response. Creating a detection is also incorrect because OverWatch already generated the detection.

A sensor with no applicable custom host group assignment receives the Default policy . Sensor update policies follow the same basic host group and precedence pattern used throughout Falcon policy management. If a host is included in a group assigned to a higher-precedence sensor update policy, that policy applies. If it does not match any assigned custom policy, Falcon falls back to the default sensor update policy. The top-precedence policy only applies when the host belongs to a host group assigned to that policy. Auto N-1 is a possible version-selection strategy within a policy, not the automatic fallback policy assignment. This is why the course emphasizes reviewing default policy settings carefully before broad deployment.

The most accurate ML exclusion pattern is Program Files\Software\**\*.exe. Falcon prevention policy exclusions use glob syntax, and Windows exclusion paths are written without the drive name and without a leading backslash. The pattern must therefore begin at Program Files\Software\, not C:\Program Files\Software\. A single asterisk pattern such as Program Files\Software\*.exe matches only .exe files directly inside the Software folder and does not include subfolders. The double-asterisk pattern with a path separator, **\*.exe, is the correct recursive construction because it matches executable files within the target folder and its subdirectories. **\*.exe by itself is overly broad because it could match executable files in many locations, not just the Software directory. Program Files\Software\**.exe is less precise than the documented recursive executable pattern. Reference topics: Rule Configuration, Machine Learning Exclusions, Prevention Policy Exclusions, Glob Syntax.

When a Linux sensor enters RFM, it stops processing both events and detections, but it continues sending basic status information such as SensorHeartBeat events to indicate that the sensor is installed. Linux RFM is more restrictive than Windows RFM. On Windows, the sensor may still monitor and report at reduced capacity, but on Linux, unsupported kernel or user-mode requirements can result in no detections or process events. The course guide explains that Linux sensors in RFM do not have detections or process events but continue to send heartbeat status. Therefore, the correct answer is that event and detection processing stop, while basic status continues.