CrowdStrike CCFA-200b Dumps

Sensor updates are managed through sensor update policies assigned to host groups. Falcon uses host group membership to determine which policy applies to a host. Sensor update policies control whether hosts remain pinned to a specific version, automatically update to a relative version such as Auto - N-1 or Auto - N-2, or receive specific maintenance protections. Prevention policies control security behavior, not sensor versioning. Manual updates do not scale and are not the Falcon administrative model for enforcing consistent versions across many endpoints. Direct installation is only the initial deployment mechanism, not ongoing update governance. The course guide emphasizes using host groups and sensor update policies to control sensor maintenance at scale across Windows, macOS, and Linux platforms.

Fusion SOAR workflow imports use YAML format. YAML is commonly used for declarative workflow definitions because it is human-readable while still preserving structured configuration such as triggers, conditions, actions, branches, and parameters. CSV is a tabular format and cannot represent workflow logic reliably. JSON is structured but is not the expected import format in this context. “SOAR” is a functional category, not a file format. When workflow imports fail, administrators should validate the file structure, indentation, required fields, and supported action/trigger references in the YAML file. The CCFA workflow topic emphasizes that native Falcon automation must match the supported Fusion SOAR workflow structure to import and execute successfully.

A list of hosts that have not communicated with the CrowdStrike cloud is found in Inactive Sensors . The Inactive Sensors report identifies sensors that have not reported within a given timeframe and is intended for deployment coverage and operational health review. Host Groups organize systems for policy assignment but are not the report for cloud communication gaps. The Activity Dashboard focuses on detections, incidents, and security activity rather than sensor check-in status. Sensor Report provides an overview of active sensors, while Inactive Sensors specifically addresses hosts that have stopped reporting. CCFA dashboard and report guidance identifies Inactive Sensors as the report administrators use to locate endpoints that may be powered off, decommissioned, disconnected, or experiencing communication problems.

Hosts that have been offline for ten minutes or longer can be found in Host Management . Host Management provides operational host state, including whether a host is online, offline, contained, inactive, or in Reduced Functionality Mode. The ten-minute threshold is associated with the console’s host online/offline status behavior. Sensor Coverage Dashboard is useful for higher-level deployment coverage analysis, but Host Management is the direct place to find and filter host state. Host Groups are used to organize hosts and assign policies, not primarily to identify current connectivity state. The CCFA Host Management topic focuses on using the Host Management page to search, filter, and act on endpoints based on current sensor status and host attributes.

Falcon user permissions are defined through roles, and those roles can be either default roles or custom roles. A user gains permissions by being assigned one or more roles, and Falcon grants the combined permissions enabled across all assigned roles. Default roles provide predefined permission sets for common operational responsibilities, while custom roles allow administrators to restrict or expand access for specialized duties. Permissions are not assigned one-by-one directly during user account creation as the primary model. A user also does not need a default role before receiving a custom role; custom roles can be assigned as needed after they are created and validated. Custom role permission sets are scoped to the customer environment and are not globally shared across all CrowdStrike customers. This role-based model supports least privilege, separation of duties, and auditable administrative access. Reference topics: User Management, Role Management, Default Roles, Custom Roles, Permissions.

The correct Windows prevention policy setting is Suspicious Scripts and Commands . This setting focuses on detecting suspicious or malicious script and shell command activity. It is aligned with Falcon’s behavioral detection model for activity occurring through interpreters and command shells, where adversaries commonly use PowerShell, command prompts, scripts, and living-off-the-land techniques. Script-based execution visibility increases visibility into script execution, but the question asks about monitoring shell contents for execution of malicious content, which maps to Suspicious Scripts and Commands. Enhanced exploitation visibility and additional user mode data visibility provide other telemetry and exploit-related coverage but are not the specific shell-content monitoring setting. CCFA prevention policy topics distinguish visibility settings from detection/prevention settings that identify suspicious command behavior.

When a Linux sensor enters RFM, it stops processing both events and detections, but it continues sending basic status information such as SensorHeartBeat events to indicate that the sensor is installed. Linux RFM is more restrictive than Windows RFM. On Windows, the sensor may still monitor and report at reduced capacity, but on Linux, unsupported kernel or user-mode requirements can result in no detections or process events. The course guide explains that Linux sensors in RFM do not have detections or process events but continue to send heartbeat status. Therefore, the correct answer is that event and detection processing stop, while basic status continues.

The correct method is to use IOC Management , add the hashes as custom IOCs, set the action to Block , and ensure the applicable prevention policy has Custom Blocking enabled under Execution Blocking. Hash-based blocking is an IOC Management function. Prevention policies do not create “IOC Policies” in the way the distractors describe; instead, prevention policies must include the setting that enforces custom blocking. Setting hashes to Block without enabling the relevant policy capability may fail to enforce the intended behavior on hosts. The CCFA rule configuration and policy application topics emphasize that IOC Management defines the custom indicators and actions, while prevention policy settings determine whether those actions are enforced on endpoints.

The role that allows a Falcon user to create Real Time Response custom scripts is Real Time Responder – Administrator . Falcon separates RTR permissions into three default responder roles. Read Only Analyst can run reconnaissance-style commands. Active Responder can run read-only commands plus additional response commands, including commands that modify host state and certain approved custom scripts. However, creating custom scripts, uploading files for the put command, and directly running executables with run are reserved for the RTR Administrator role. This distinction is important because custom scripts can perform powerful host-level actions and must be restricted to experienced incident response personnel. The course guide also notes that users must have an RTR role to access RTR functionality at all; Falcon Administrator alone does not automatically include RTR access. “Real Time Responder – Script Developer” is not one of the standard RTR roles. Reference topics: User Management, Real Time Response Roles, Custom Scripts, RTR Role Permissions.

The Default Sensor Policy is the fallback policy that applies when a host is not matched to another assigned sensor policy. Falcon policy assignment is driven by host group membership and policy precedence. If a host belongs to a group that has an assigned policy, Falcon applies the highest-precedence applicable policy. If the host is not part of any group, or if its groups do not have a policy assigned, Falcon automatically applies the default policy. This ensures every sensor has an update policy path and avoids unmanaged update behavior. The default policy is not a test mechanism, does not reset all settings, and is not intended to deploy the oldest supported sensor version. The course guide states that the default policy may appear as platform_default and is applied to hosts that do not have an assigned policy. Reference topics: Sensor Deployment, Sensor Update Policies, Default Policy, Host Group Policy Assignment.

The correct setting is Moderate Level ML . Falcon’s prevention policy guidance recommends Moderate for most use cases, and the staged deployment model for environments with pre-existing antivirus begins with Phase 1, where machine-learning prevention is conservative while detection is used to triage and tune. The important CCFA concept is not to begin with Extra Aggressive or Aggressive prevention on a newly deployed host with another antivirus product, because that increases false-positive and compatibility risk. Cautious detects only when confidence is very high, but Falcon’s recommended baseline for practical protection is Moderate. The course guide states that Moderate detects or prevents when the machine-learning system has moderate confidence and is recommended for most use cases, while Extra Aggressive is not recommended outside penetration testing scenarios.

The correct setting is Uninstall and Maintenance Protection . In Falcon, this control is configured inside Sensor Update Policies and is specifically designed to prevent unauthorized sensor removal or maintenance operations. The official guidance states that the “Uninstall and maintenance protection” setting prevents unauthorized uninstallation of the sensor and controls whether a local administrator can manually update or uninstall the sensor. When enabled, uninstalling, repairing, unloading, downgrading, or manually upgrading the sensor requires a valid maintenance token. For supported Windows sensor versions, this protection can also prevent unauthorized modification of sensor grouping tags, which helps stop users from moving endpoints into less restrictive policy assignments. The course guide recommends keeping this setting enabled for normal production policies and creating a separate temporary maintenance policy only when legitimate sensor changes are required. “Installation and Maintenance Protection,” “Sensor Version Control Protection,” and “Update and Management Protection” are not the official Falcon setting names. Reference topics: Sensor Deployment, Sensor Update Policies, Maintenance Tokens, Uninstall Protection.

On Microsoft Windows, the supported command to verify that the Falcon Sensor is running is sc.exe query csagent. This command queries the Windows service control manager for the Falcon sensor service driver named csagent. When the sensor is running correctly, the output shows SERVICE_NAME: csagent and a running state, specifically STATE : 4 RUNNING. This is the direct operational validation method documented for Windows sensor troubleshooting. cswindiag.exe is used to collect diagnostic information, but it is not the standard command for confirming the running state of the sensor. netstat.exe -f displays network connections and DNS names, not Falcon sensor service status. sc.exe query falcon is incorrect because the Windows service name is not falcon; it is csagent. Reference topics: Windows Sensor Deployment, Verify Sensor Status, Sensor Troubleshooting, Host Setup and Management.

The workflow must be tied to an Event trigger for EPP detections and refined with conditions that identify the pentest host, such as hostname or Agent ID. A workflow that assigns all EPP detections to yourself would be overly broad and would affect unrelated detections. The question asks for detections related to your pentest, which requires trigger refinement. Creating an alert is not the preferred Falcon Fusion automation path, and creating an IOC for the host is conceptually incorrect because IOCs represent indicators such as hashes, domains, IPs, or file names, not assignment logic. Fusion SOAR conditions use parameters, operators, and values to filter when a workflow should execute. Once matched, the workflow action can assign the detection to the appropriate analyst.

Falcon user accounts must be created using an email address from the approved domains configured for the CID. This ensures that account creation is limited to authorized organizational identity domains and reduces the risk of adding unauthorized external users. New users are not automatically assigned the Falcon Analyst role by default; roles must be assigned according to operational need. Employee identification numbers and domain-number prefixes are not Falcon account requirements. The CCFA user management topic emphasizes identity governance, approved domains, role assignment, and least privilege. Falcon Administrators create users, assign appropriate roles, and ensure that access aligns with approved organizational identity controls. Therefore, the approved-domain email requirement is the correct statement.

Sensor Tampering Protection is the prevention policy setting that blocks attempts to interfere with core Falcon sensor components. The official prevention policy guidance states that when this setting is enabled, it “blocks attempts to tamper with the sensor” and protects “sensor-related files, folders and registry objects from renaming or deletion.” If disabled, Falcon may still create detections for tampering attempts, but it will not block the activity. This distinction is important because attackers commonly attempt to disable or corrupt endpoint security tooling before establishing persistence, evading detection, or executing payloads. Host Modification Protection, System Configuration Protection, and Sensor Modification Protection are not the named Falcon prevention setting for this control. The correct CCFA topic alignment is Policy Application, specifically Prevention Policy Settings > Sensor Capabilities > Sensor Tampering Protection.

When a host does not match a custom host group assigned to a policy, Falcon applies the applicable Default Policy . Falcon policies operate through host group assignment and precedence. A host may match one or more groups; when multiple policies apply, precedence determines which policy wins. If no custom policy assignment applies, the default policy is the fallback. The platform does not leave hosts without policy coverage, nor does it retain a previously active custom policy indefinitely once the host no longer qualifies. It also does not automatically choose the most restrictive policy unless that policy is assigned and has the highest precedence. This default-policy behavior is central to safe policy design in CCFA: administrators must review default policy settings because unassigned hosts inherit them.

The first component configured when creating a Fusion SOAR workflow from scratch is the Trigger . Falcon workflows follow a trigger-condition-action model: the trigger determines what starts the workflow, the condition narrows execution logic, and the action defines what Falcon does after the workflow criteria are met. For a workflow involving critical vulnerabilities, the trigger is the event that initiates automation, such as Falcon detecting or receiving a vulnerability-related event. Only after the trigger is selected can the administrator add conditions, such as vulnerability severity equals Critical, and then define the action, such as generating an alert, creating a ticket, sending a notification, or initiating another response. The course guide describes this model using the exact example of critical vulnerabilities: Trigger is Falcon detecting an endpoint vulnerability, Condition is vulnerability severity of Critical, and Action is creating a ServiceNow incident. Therefore, Action and Condition are configured after the trigger, and Workflow Name is administrative metadata rather than the execution-starting component. Reference topics: Fusion SOAR workflows, trigger-condition-action model, vulnerability workflow automation.

After clicking Disable Detections for a host, detections for that host are removed from the console immediately, and new detections do not display going forward unless detections are re-enabled. This action suppresses console detection visibility for the host; it does not uninstall the sensor or stop the sensor from operating. Existing detection data remains available in Event Search, but it is removed from the Endpoint detections console view. This distinction is important: disabling detections affects detection display and DetectionSummaryEvent behavior, not all telemetry collection or prevention policy processing. The course guide contrasts this with deleting a host, where prior detections remain visible. For Disable Detections specifically, the immediate console effect is removal of detections.

The most accurate ML exclusion pattern is Program Files\Software\**\*.exe. Falcon prevention policy exclusions use glob syntax, and Windows exclusion paths are written without the drive name and without a leading backslash. The pattern must therefore begin at Program Files\Software\, not C:\Program Files\Software\. A single asterisk pattern such as Program Files\Software\*.exe matches only .exe files directly inside the Software folder and does not include subfolders. The double-asterisk pattern with a path separator, **\*.exe, is the correct recursive construction because it matches executable files within the target folder and its subdirectories. **\*.exe by itself is overly broad because it could match executable files in many locations, not just the Software directory. Program Files\Software\**.exe is less precise than the documented recursive executable pattern. Reference topics: Rule Configuration, Machine Learning Exclusions, Prevention Policy Exclusions, Glob Syntax.

To quarantine files, Falcon requires the relevant Next-Gen Antivirus prevention capability and the quarantine setting. The correct pairing is Next-Gen Antivirus Prevention sliders with Quarantine & Security Center Registration . Quarantine does not operate independently; Falcon must first prevent the file through NGAV-related controls such as cloud or sensor machine-learning prevention. Once prevention occurs, the quarantine setting governs whether the prevented executable is quarantined on the host. Custom Execution Blocking is related to IOC-based blocking, not the general NGAV quarantine requirement. “Advanced Remediation Actions” and an “Aggressive quarantine level” are not the documented configuration pair. The course guide identifies quarantine under Next-Gen Antivirus and ties it to prevention-level configuration and Security Center registration.

The correct parameter is VDI=true. In virtual desktop or cloned virtual machine scenarios, Falcon must avoid duplicate Agent IDs across clones. Persistent clone workflows require sensor installation to be performed with the correct VDI parameter so that each cloned endpoint registers properly and receives a unique identity. ProvNoWait=1 is used for provisioning-timeout behavior and does not address duplicate Agent IDs. NO_START=1 is used in some deployment contexts to delay sensor start but is not the VDI identity control. VM=True is not the documented Falcon parameter. CCFA sensor deployment guidance treats VDI and golden-image preparation as a distinct deployment pattern because cloning a sensor incorrectly can duplicate identity and corrupt host tracking, policy assignment, and detection attribution.

The best field to filter by for Domain Controllers is Type . In Host Management, the Type field identifies the host category, including desktop, server, or domain controller. This makes it the most direct and precise field for locating domain controllers before reviewing their sensor version information. Sensor Version is useful after the correct host population has been identified, but filtering by Sensor Version alone would group systems by Falcon sensor build, not by whether they are domain controllers. Platform filters by broad operating system family, such as Windows, macOS, or Linux, and OS Version filters by the installed operating system version, neither of which uniquely identifies domain controllers. The course guide’s host filter descriptions explicitly define Type as “Desktop, server or domain controller OS” and Sensor Version as the version of Falcon sensor installed on the host. Therefore, the correct workflow is to filter by Type = Domain Controller, then review or sort the Sensor Version field for those matching hosts. Reference topics: Host Management filters, host type, sensor version review.

Falcon supports standard IP address and CIDR-based notation when defining or searching network address ranges. CIDR notation represents an address and prefix length, such as 192.168.5.1/24, and is the correct structured format among the choices. The other answer choices contain malformed spacing, invalid separators, or unsupported range syntax. Falcon documentation specifically identifies CIDR notation as an accepted method for defining IP ranges, while also noting that single IP addresses and defined ranges may be used depending on the feature. In Host Management and related policy configuration areas, using valid address notation is critical because malformed IP syntax will either be rejected or fail to match hosts correctly. The correct answer is therefore the CIDR-formatted option, not the informal or incorrectly spaced alternatives.

The correct action is to create a Fusion SOAR workflow using the OverWatch remediation and prioritization playbook to contain the host and notify the SOC team. Fusion SOAR workflows automate response actions based on Falcon events. OverWatch detections are high-value human-hunted detections, and a predefined OverWatch playbook exists to support fast remediation actions such as containment, email notification, and related response steps. Emailing the OverWatch team is not the customer’s responsibility; the correct internal recipients are typically the SOC or incident response staff. Blocking “the detection” is not the correct workflow model because detections are records of observed behavior, while containment is the host-level response. Creating a detection is also incorrect because OverWatch already generated the detection.

The correct report is the Sensor Report . Falcon’s Sensors reporting area contains reports used by administrators to manage sensor deployment and coverage. The Sensor Report provides an overview of active sensors in the environment and is the correct high-level view for reviewing sensor deployment posture. It supports operational review of host-related attributes such as platform, operating system information, device or host type, domain, and sensor version, making it useful for quickly understanding sensor coverage and endpoint distribution. The Sensor Policy Daily Report is different: it is used to review groups and policies assigned to a host and is updated once per day, so it is not the best answer for a filterable environment-wide sensor overview. “Sensor Status Report” and “Sensor Overview Report” are not the named report options in the official report list. Reference topics: Dashboards and Reports, Sensors Reports, Sensor Report, Sensor Policy Daily Report.

The correct method is to enter multiple hostnames in the Hostname filter and separate each hostname with a comma. Host Management is designed to let administrators filter, search, and customize host views so they can quickly locate endpoints by attributes such as hostname, grouping tags, IP/CIDR range, operating system version, domain, and other host metadata. A single Hostname filter can accept multiple hostname values, and separating values with commas allows Falcon to treat them as multiple entries within that filter rather than requiring separate filters. Adding the same Hostname filter repeatedly is inefficient and can create unintended filter logic. A decimal is not a valid separator for hostname lists, and there is no separate “Multiple Hostnames” filter in the Host Management workflow. This topic belongs to Host Management and Setup, specifically Host Management filtering, search behavior, and multi-value filter usage.

The combined maximum length of all sensor grouping tags is 256 characters , including comma separators. Grouping tags are assigned during installation using the appropriate installer parameter and can later be used in Host Management and dynamic host group rules. Because multiple tags can be applied to a host, Falcon enforces a combined-length limit across all tags rather than only a per-tag limit in this context. Exceeding this value can cause installation or tagging behavior to fail or produce incomplete tag assignment. The other choices are not the documented maximum. CCFA sensor deployment guidance specifically states that when using multiple tags, the combined length of all tags for a host, including comma separators, cannot exceed 256 characters.

Falcon uses role-based access control. Permissions are enabled inside roles, and then those roles are assigned to users. This allows administrators to apply least privilege by creating roles that contain only the specific permissions required for a task or module. Users do not receive all permissions by default, and permissions are not generally assigned one-by-one directly to users as a primary model. The role defines what actions can be performed, such as managing users, editing policies, creating exclusions, managing custom IOAs, or using RTR capabilities. The course guide explains that custom roles are built by enabling the required permission groups and disabling unrelated permissions. This supports operational separation of duties and auditability.

The Machine-Learning Prevention report is used to evaluate what Falcon would have blocked under different machine-learning prevention levels. The official reporting guidance describes Machine Learning Prevention as a report that lets administrators “view malware that would have been blocked in your environment during the last 30 days based on different Machine Learning Prevention settings,” including Cautious, Moderate, or Aggressive levels. This makes option C the precise answer. The report is not the quarantine management dashboard; quarantined files are reviewed and released from the Quarantined Files area. It is also not primarily a spike-analysis dashboard for active attacks, although unusual volume may support investigation. Option D is close in theme but inaccurate because the purpose is not to summarize aggressiveness settings and actual quarantine totals; it is to model prevention impact across ML settings. Reference topics: Dashboards and Reports, Machine Learning Prevention report, prevention policy tuning, ML prevention levels.