CCFA-200b Questions and Answers

The Sensor report dashboard is the best answer because it provides an overview of active sensors in the environment and summarizes deployment and coverage data for sensor administration. The question asks for an overview of the top ten most-applied policies by sensors, which is a dashboard-level summary rather than a per-host assignment lookup. The Sensor Policy Daily Report is more granular: it is used to review the groups and policies assigned to a host and is updated once per day, so it is not the best choice for a top-ten environmental overview. Scheduled reports are a delivery mechanism for recurring report generation, not the specific report containing the requested sensor-policy overview. Executive Summary provides broader executive-level security posture information and is not the focused sensor-policy distribution view. CCFA reporting guidance places sensor deployment and coverage reporting under Sensors, where the Sensor Report provides the overview of active sensors and related sensor-management posture. Reference topics: Dashboards and Reports, Sensors reports, Sensor Report dashboard, Sensor Policy Daily Report.

The first component configured when creating a Fusion SOAR workflow from scratch is the Trigger . Falcon workflows follow a trigger-condition-action model: the trigger determines what starts the workflow, the condition narrows execution logic, and the action defines what Falcon does after the workflow criteria are met. For a workflow involving critical vulnerabilities, the trigger is the event that initiates automation, such as Falcon detecting or receiving a vulnerability-related event. Only after the trigger is selected can the administrator add conditions, such as vulnerability severity equals Critical, and then define the action, such as generating an alert, creating a ticket, sending a notification, or initiating another response. The course guide describes this model using the exact example of critical vulnerabilities: Trigger is Falcon detecting an endpoint vulnerability, Condition is vulnerability severity of Critical, and Action is creating a ServiceNow incident. Therefore, Action and Condition are configured after the trigger, and Workflow Name is administrative metadata rather than the execution-starting component. Reference topics: Fusion SOAR workflows, trigger-condition-action model, vulnerability workflow automation.

Fusion SOAR workflow imports use YAML format. YAML is commonly used for declarative workflow definitions because it is human-readable while still preserving structured configuration such as triggers, conditions, actions, branches, and parameters. CSV is a tabular format and cannot represent workflow logic reliably. JSON is structured but is not the expected import format in this context. “SOAR” is a functional category, not a file format. When workflow imports fail, administrators should validate the file structure, indentation, required fields, and supported action/trigger references in the YAML file. The CCFA workflow topic emphasizes that native Falcon automation must match the supported Fusion SOAR workflow structure to import and execute successfully.

Third-party integrations require an API Client and Secret Key . Falcon API access is configured by creating an API client with the required scopes, then securely storing the generated client ID and secret. The integration uses those credentials to request OAuth2 tokens and interact with the Falcon APIs according to the assigned scopes. An OAuth2 token is obtained after the client credentials are created; it is not the first credential combination generated. “Access Key and Secret Key” resembles cloud provider terminology, while “Integration Key and Customer ID” is not the standard Falcon API credential pair. The CCFA user and API management material emphasizes creating scoped API clients and protecting the secret because it is shown only at creation time.

Hosts that have been offline for ten minutes or longer can be found in Host Management . Host Management provides operational host state, including whether a host is online, offline, contained, inactive, or in Reduced Functionality Mode. The ten-minute threshold is associated with the console’s host online/offline status behavior. Sensor Coverage Dashboard is useful for higher-level deployment coverage analysis, but Host Management is the direct place to find and filter host state. Host Groups are used to organize hosts and assign policies, not primarily to identify current connectivity state. The CCFA Host Management topic focuses on using the Host Management page to search, filter, and act on endpoints based on current sensor status and host attributes.

Falcon quarantine is enabled through Prevention policy settings . Specifically, administrators configure Next-Gen Antivirus settings, prevention sliders, and the quarantine-related controls within the prevention policy assigned to the host. General Settings are used for tenant-wide administrative settings such as RTR MFA, not endpoint file quarantine behavior. Manual file deletion is not Falcon quarantine and lacks the controlled evidence-preserving workflow of a security product. System restore is an operating system recovery feature and is unrelated to Falcon policy enforcement. The course guide frames quarantine as part of the prevention policy stack: Falcon must first detect and prevent a malicious file, then the policy determines whether the file is quarantined on the host.

The default role that allows viewing all analyst session details is Falcon Administrator . RTR-specific roles allow users to perform or view their own RTR activities according to their level, but the Falcon Administrator has broader administrative visibility across the CID, including all RTR session details. The RTR Administrator role has elevated RTR execution and script/file capabilities, but the course guide distinguishes complete administrative session visibility from RTR execution authority. Falcon Security Lead and RTR Read-Only Analyst do not provide all analyst session detail visibility. This separation is important because Falcon uses roles to distinguish operational response permissions from audit and administrative oversight. The correct default role for all-session visibility is Falcon Administrator.

The correct approach is to create a custom IOA rule that monitors process creation matching .*\\remote\.exe. The goal is to generate a detection for review when an authorized remote access executable runs. Custom IOAs are specifically suited for detecting organization-specific behaviors, including process creation based on executable path or command-line patterns. An exclusion would suppress detections, not create them. A scheduled search may find process events after the fact, but it does not create a Falcon detection in the same way a custom IOA does. An IOC for remote.exe would be less precise unless based on a hash and would not express the behavioral “process creation” condition. The course guide identifies custom IOA process creation rules as the correct tool for this use case.

The Customer ID with Checksum, often referred to as the CID or CCID/CIDC, is required when installing a new Falcon Sensor so the sensor can register to the correct Falcon customer environment. The deployment guidance repeatedly instructs administrators to copy the Customer ID checksum from Host setup and management > Deploy > Sensor downloads before running sensor installation. For macOS, the installer workflow requires running falconctl license with the customer ID checksum after installation. For Windows installations, the installer requires the Customer ID with Checksum value obtained from the Sensor downloads page. This value is not used to locate a host in Host Management, and it is not the normal control for defining host group criteria. Sensor uninstallation is controlled by maintenance tokens or uninstall protection settings, not CIDC. Reference topics: Sensor Deployment, Sensor downloads, Customer ID checksum, Windows and macOS sensor installation.

The correct report is the Sensor Report . Falcon’s Sensors reporting area contains reports used by administrators to manage sensor deployment and coverage. The Sensor Report provides an overview of active sensors in the environment and is the correct high-level view for reviewing sensor deployment posture. It supports operational review of host-related attributes such as platform, operating system information, device or host type, domain, and sensor version, making it useful for quickly understanding sensor coverage and endpoint distribution. The Sensor Policy Daily Report is different: it is used to review groups and policies assigned to a host and is updated once per day, so it is not the best answer for a filterable environment-wide sensor overview. “Sensor Status Report” and “Sensor Overview Report” are not the named report options in the official report list. Reference topics: Dashboards and Reports, Sensors Reports, Sensor Report, Sensor Policy Daily Report.

The most efficient dynamic grouping criterion is Type: Workstation . Host type is specifically intended to distinguish categories such as workstation, server, or domain controller. Using OU may work only if Active Directory structure is perfectly aligned and consistently maintained, which is not guaranteed. Grouping tags require prior tag assignment during installation or post-install configuration, adding administrative dependency. Platform Windows would include Windows servers and possibly other Windows systems that are not workstations. The CCFA group creation topic emphasizes using the most precise available host attribute for dynamic group membership. Since the desired group is all workstations, Type: Workstation directly maps to the requirement and avoids broader or manually dependent criteria.

When a host is network contained, Falcon restricts network communication while still allowing connectivity required for Falcon cloud operations. To permit patching or operating system update workflows during containment, administrators should add the IP addresses of trusted update sources to the containment policy. This is safer than allowing all internal IPs, which would weaken containment and potentially permit lateral movement. Host Firewall policy is not the correct control for containment exceptions, because containment policy governs traffic allowed while a host is isolated. Removing containment entirely would restore network access but would defeat the containment objective. The course guide specifically notes that patching contained hosts requires adding the Windows Update or patch source IP addresses to the containment policy.

Manual macOS sensor installation requires approval for the Falcon system extension , Full Disk Access , and the network filter extension on supported macOS versions. Apple’s security model requires explicit authorization before endpoint security extensions and network content filtering components can load. Full Disk Access is required for the sensor to inspect protected filesystem locations and operate correctly. Omitting any one of these approvals can leave the sensor partially installed, unable to provide expected visibility, or unable to load required components. The course guide’s macOS deployment section identifies system extension approval and network filter authorization as required for Big Sur and later, and also states Full Disk Access must be granted for proper operation.

The correct administrative action is to add the architect’s email address to the managed recipient list for standard incident and detection notification emails in General settings. Falcon standard notification behavior already matches the stated requirement: CrowdStrike sends email notifications for detections with severity of medium or higher and sends incident notifications when a new incident reaches a CrowdScore of 1.0 or higher. The recipient list is managed from Support and resources > Resource and tools > General settings under “Manage list for detection and incident emails.” Creating a Falcon user or assigning a custom role does not automatically subscribe the architect to these standard email notifications. A Fusion SOAR workflow could send email, but it is unnecessary because the native notification mechanism already exists and is designed for this use case. The Detections and Exceptions Manager role controls exception management, not notification enrollment. CCFA reference topics: Falcon Notifications, General Settings, Standard Incident and Detection Notification Emails, Dashboards and Reports.

Because the detection is triggering only on a specific Falcon IOA, the correct remediation is an IOA exclusion scoped to the relevant detection context and file path. IOA exclusions are intended to reduce false-positive behavioral detections and preventions. Falcon guidance states that IOA exclusions “reduce false-positive detection alerts from IOAs” by stopping behavioral IOA detections and preventions, and they can be created directly from a CrowdStrike-generated detection or by duplicating an existing exclusion. A Custom IOC Allow would be appropriate for an indicator-based decision, such as a known-good hash, but this scenario is explicitly behavioral because the trigger is a Falcon IOA. Manually disabling the built-in IOA through prevention policies is too broad and weakens protection beyond the single development artifact. A sensor visibility exclusion would suppress sensor event visibility and is broader than required. CCFA reference topics: Detection and Prevention Policies, IOA Exclusions, Rule Configuration, false-positive handling.

The correct choice is to create a dynamic group with assignment criteria set to OS Version = Windows 10 . Dynamic host groups automatically add hosts when they match the assignment rule and automatically remove hosts when they no longer match. This is the correct group type when the requirement is to continuously include all applicable hosts across the environment without manual maintenance. Falcon’s host group documentation states that dynamic groups can use attributes such as grouping tags, IP/CIDR range, OS version, Active Directory OU, and hostname prefix or suffix, and that matching hosts are automatically added. Static groups would require manually adding each Windows 10 host and would not automatically include newly deployed Windows 10 systems. OS Type Workstation is also insufficient because it identifies a device type, not a specific operating system version. Reference topics: Group Creation, Dynamic Host Groups, Assignment Rules, OS Version Filtering.

The workflow must be tied to an Event trigger for EPP detections and refined with conditions that identify the pentest host, such as hostname or Agent ID. A workflow that assigns all EPP detections to yourself would be overly broad and would affect unrelated detections. The question asks for detections related to your pentest, which requires trigger refinement. Creating an alert is not the preferred Falcon Fusion automation path, and creating an IOC for the host is conceptually incorrect because IOCs represent indicators such as hashes, domains, IPs, or file names, not assignment logic. Fusion SOAR conditions use parameters, operators, and values to filter when a workflow should execute. Once matched, the workflow action can assign the detection to the appropriate analyst.

Falcon supports standard IP address and CIDR-based notation when defining or searching network address ranges. CIDR notation represents an address and prefix length, such as 192.168.5.1/24, and is the correct structured format among the choices. The other answer choices contain malformed spacing, invalid separators, or unsupported range syntax. Falcon documentation specifically identifies CIDR notation as an accepted method for defining IP ranges, while also noting that single IP addresses and defined ranges may be used depending on the feature. In Host Management and related policy configuration areas, using valid address notation is critical because malformed IP syntax will either be rejected or fail to match hosts correctly. The correct answer is therefore the CIDR-formatted option, not the informal or incorrectly spaced alternatives.

The fastest method is to use the Host Management page and apply the filter for inactive hosts. Sorting by Last Seen can help, but it is less direct and may require additional interpretation. Exporting host data to CSV is useful for offline reporting but is slower and unnecessary for immediate console triage. Searching for hosts with no Agent ID is incorrect because Falcon-managed hosts have Agent IDs; an inactive sensor is not the same thing as a missing AID. CCFA host management workflows emphasize using built-in filters for operational triage, including inactive, contained, RFM, platform, OS version, tags, and other host attributes. The Inactive Sensors report can also help, but within the answer choices, filtering Host Management is the direct operational answer.

The primary concern with Windows RFM is that sensors do not have full visibility into all events occurring on the host. In Windows RFM, the sensor continues operating at reduced capacity and can still report events and trigger detections, but it temporarily unhooks from some kernel elements. Without those kernel elements, some detection patterns and a small number of preventions may not trigger. The host is not necessarily offline, powered off, or unable to communicate with the cloud. RFM is also not the same as an operating system crash; it is a protective compatibility state. The CCFA sensor deployment topic emphasizes that RFM reduces visibility and prevention coverage, which is why administrators should identify and remediate RFM hosts promptly.

The correct setting is Uninstall and Maintenance Protection . In Falcon, this control is configured inside Sensor Update Policies and is specifically designed to prevent unauthorized sensor removal or maintenance operations. The official guidance states that the “Uninstall and maintenance protection” setting prevents unauthorized uninstallation of the sensor and controls whether a local administrator can manually update or uninstall the sensor. When enabled, uninstalling, repairing, unloading, downgrading, or manually upgrading the sensor requires a valid maintenance token. For supported Windows sensor versions, this protection can also prevent unauthorized modification of sensor grouping tags, which helps stop users from moving endpoints into less restrictive policy assignments. The course guide recommends keeping this setting enabled for normal production policies and creating a separate temporary maintenance policy only when legitimate sensor changes are required. “Installation and Maintenance Protection,” “Sensor Version Control Protection,” and “Update and Management Protection” are not the official Falcon setting names. Reference topics: Sensor Deployment, Sensor Update Policies, Maintenance Tokens, Uninstall Protection.

Red Hat Enterprise Linux is an operating system distribution and version family, so the most precise Host Management filter is OS version . Platform would generally distinguish broad operating system families such as Windows, macOS, or Linux, but it would not narrow results specifically to RHEL. Type identifies host form factor or role, such as desktop, server, or domain controller. OU refers to Active Directory organizational unit membership, which applies to directory-joined assets rather than Linux distribution identity. The course guide’s Host Management and dynamic grouping filter list identifies OS Version as the field used for the installed operating system version. Therefore, to locate RHEL systems, OS version is the most appropriate filter.

Inactive hosts are automatically removed from Host Management after 45 days of inactivity. Falcon considers hosts inactive when they have not reported to the cloud within the relevant timeframe. The Inactive Sensors reporting area is used to identify sensors that have not checked in, and the course guide notes that sensors inactive for more than 45 days are deleted from the active host view. This lifecycle behavior keeps Host Management from accumulating stale endpoint records indefinitely. Thirty days is too short for the default automatic removal period, and ninety days is longer than the documented default. Administrators should review inactive sensors regularly to identify decommissioned systems, connectivity problems, or deployment coverage gaps before records age out.

The required upload format is TXT . Static host groups can be populated by selecting hosts in the console, manually entering hostnames or host IDs, or uploading a text file. Falcon supports adding hosts by host ID or hostname depending on whether the static group was created as “Static by host ID” or “Static by hostname.” The uploaded TXT file must contain only host IDs or only hostnames, with each entry separated by a new line. This method supports adding up to 1,000 hosts at a time, so uploading 500 servers is within the supported limit. XLSX, PDF, and JSON are not the documented upload formats for static host group membership. The course guide also notes that static groups are useful for controlled testing scenarios, such as validating a newly created sensor update policy against a specific set of hosts. Reference topics: Group Creation, Static Host Groups, Upload Hosts, Host ID and Hostname Assignment.

A Falcon Administrator role alone does not grant the ability to initiate a Real Time Response session. RTR access is controlled by dedicated Real Time Responder roles, and the course guidance is explicit that “you must have a Real Time Responder role to connect to a host” and that “the Falcon Administrator role doesn’t include access to Real Time Response.” The administrator must be assigned one of the RTR roles, such as Real Time Responder - Read Only Analyst, Active Responder, or Administrator, depending on the level of command access required. A logged-in user on the endpoint does not prevent RTR connection, and Falcon can also connect to hosts that are network contained as long as RTR requirements are met. Another analyst session may affect operational coordination, but it is not the primary cause in this scenario. The correct CCFA topic alignment is User Management and Real Time Response role assignment.