CCFA-200b CrowdStrike Falcon Certification Program Questions and Answers

The correct method is to enter multiple hostnames in the Hostname filter and separate each hostname with a comma. Host Management is designed to let administrators filter, search, and customize host views so they can quickly locate endpoints by attributes such as hostname, grouping tags, IP/CIDR range, operating system version, domain, and other host metadata. A single Hostname filter can accept multiple hostname values, and separating values with commas allows Falcon to treat them as multiple entries within that filter rather than requiring separate filters. Adding the same Hostname filter repeatedly is inefficient and can create unintended filter logic. A decimal is not a valid separator for hostname lists, and there is no separate “Multiple Hostnames” filter in the Host Management workflow. This topic belongs to Host Management and Setup, specifically Host Management filtering, search behavior, and multi-value filter usage.

Sensor health reporting provides current operational status of sensors. Its purpose is to help administrators identify whether sensors are online, offline, in reduced functionality, properly reporting, or otherwise in a state requiring attention. User login history belongs to account or identity-related telemetry, not sensor health. Local performance metrics may be relevant during troubleshooting but are not the primary sensor health report objective. Network traffic patterns are investigated through event search, network telemetry, or other dashboards, not basic sensor health. CCFA dashboards and reports topics emphasize using sensor health and sensor reports to monitor deployment status, operational readiness, sensor connectivity, and coverage across the environment so that administrators can quickly locate hosts requiring remediation.

The primary purpose of Falcon audit logs is to track configuration and administrative changes . Audit logs provide accountability by showing what changed, who made the change, and when it occurred. Examples include policy creation, updates, deletions, role changes, user management actions, IP allowlist changes, and other administrative activity. Tracing file changes is the purpose of file integrity monitoring tools such as Falcon FileVantage, not the general Falcon audit log. Monitoring system performance is handled through sensor health, host status, and operational telemetry rather than audit logs. CCFA emphasizes audit logs as an administrative governance and investigation tool that supports accountability, change review, and security operations oversight.

The recommended approach is to minimize the number of groups while still meeting policy and operational requirements. Host groups are central to policy assignment, sensor updates, prevention tuning, containment workflows, and response policies. Excessive or overlapping groups make precedence difficult to reason about and increase the chance that hosts receive unexpected policies. Department-based or IP-only grouping may be useful in specific cases, but they should not be used indiscriminately. CCFA best practice is to design groups around clear policy intent, stable attributes, and operational need. Dynamic groups should be preferred when membership can be defined reliably by attributes such as OS, OU, tags, or host type. A smaller, well-governed group model is easier to audit and maintain.

The most likely reason the “Servers” host group is not available is that it is already assigned to another prevention policy. Falcon prevention policies are applied to hosts through host groups. When assigning host groups to a prevention policy, the console only presents groups that are currently available for assignment. The official prevention policy workflow states that after a host group is assigned to a policy, that host group no longer appears in the list of available groups. This prevents accidental duplicate assignment within the same policy assignment workflow and helps preserve predictable policy targeting. The group does not need to be disabled before assignment, and host type is not defined inside the prevention policy itself. The policy also does not need to be enabled before groups can be assigned; assignment can be configured before enabling the policy. Therefore, the unavailable “Servers” group indicates that it already has a prevention policy assignment. Reference topics: Policy Application, Prevention Policies, Assigned Host Groups, Host Group Policy Assignment.

Network containment isolates a host from normal network communication to prevent lateral movement and attacker-controlled access. By default, a contained host cannot reach patching infrastructure, so operating system patch jobs fail unless specific exceptions are added. The Falcon configuration point for this is the Containment Policy , where administrators allowlist specific IP addresses that contained hosts may continue to communicate with. The official guidance states that to install patches on network-contained hosts, administrators must add the IP address of the Windows Update source or patching source to the environment’s containment policy. FQDN allowlisting is not the correct answer in this context; the supported containment exception is IP-based. Removing containment would restore connectivity but would also eliminate the protective isolation during a zero-day remediation scenario. Firewall Policy is not the control that governs Falcon network containment exceptions. Reference topics: Network Containment, Containment Policy, Patch Windows Hosts, Policy Application.

The fastest method is to use the Host Management page and apply the filter for inactive hosts. Sorting by Last Seen can help, but it is less direct and may require additional interpretation. Exporting host data to CSV is useful for offline reporting but is slower and unnecessary for immediate console triage. Searching for hosts with no Agent ID is incorrect because Falcon-managed hosts have Agent IDs; an inactive sensor is not the same thing as a missing AID. CCFA host management workflows emphasize using built-in filters for operational triage, including inactive, contained, RFM, platform, OS version, tags, and other host attributes. The Inactive Sensors report can also help, but within the answer choices, filtering Host Management is the direct operational answer.

The correct method is to use IOC Management , add the hashes as custom IOCs, set the action to Block , and ensure the applicable prevention policy has Custom Blocking enabled under Execution Blocking. Hash-based blocking is an IOC Management function. Prevention policies do not create “IOC Policies” in the way the distractors describe; instead, prevention policies must include the setting that enforces custom blocking. Setting hashes to Block without enabling the relevant policy capability may fail to enforce the intended behavior on hosts. The CCFA rule configuration and policy application topics emphasize that IOC Management defines the custom indicators and actions, while prevention policy settings determine whether those actions are enforced on endpoints.

To quarantine files on the host, Falcon requires the relevant Next-Gen Antivirus prevention capability and Quarantine & Security Center Registration . Quarantine occurs after files are prevented by NGAV, so Falcon must first be configured to detect and prevent malicious executable content using the Next-Gen Antivirus prevention sliders, such as Cloud Machine Learning and Sensor Machine Learning prevention levels. The Quarantine & Security Center Registration setting then allows Falcon to quarantine executable files after NGAV prevention. On Windows workstations, enabling this setting also registers Falcon with Windows Security Center and can disable Microsoft Defender automatically. Malware Protection and Custom Execution Blocking relate to different prevention mechanisms, especially IOC-based blocking, but they are not the required pairing for NGAV quarantine. Behavior-Based Threat Prevention and Advanced Remediation Actions are also not the required quarantine configuration. Reference topics: Prevention Policy Settings, Next-Gen Antivirus, Quarantine, Quarantine & Security Center Registration.

When a host is network contained, Falcon restricts network communication while still allowing connectivity required for Falcon cloud operations. To permit patching or operating system update workflows during containment, administrators should add the IP addresses of trusted update sources to the containment policy. This is safer than allowing all internal IPs, which would weaken containment and potentially permit lateral movement. Host Firewall policy is not the correct control for containment exceptions, because containment policy governs traffic allowed while a host is isolated. Removing containment entirely would restore network access but would defeat the containment objective. The course guide specifically notes that patching contained hosts requires adding the Windows Update or patch source IP addresses to the containment policy.

The most efficient dynamic grouping criterion is Type: Workstation . Host type is specifically intended to distinguish categories such as workstation, server, or domain controller. Using OU may work only if Active Directory structure is perfectly aligned and consistently maintained, which is not guaranteed. Grouping tags require prior tag assignment during installation or post-install configuration, adding administrative dependency. Platform Windows would include Windows servers and possibly other Windows systems that are not workstations. The CCFA group creation topic emphasizes using the most precise available host attribute for dynamic group membership. Since the desired group is all workstations, Type: Workstation directly maps to the requirement and avoids broader or manually dependent criteria.

A Fusion SOAR workflow condition is built from a parameter , an operator , and a value . The parameter is the field being evaluated, such as severity, hostname, platform, status, or detection type. The operator defines the comparison, such as equals, contains, is in, or is greater than. The value is the target value used in the comparison. This structure allows a workflow to start from a broad event trigger and then narrow execution to only the events that match the desired criteria. Alert, action, schedule, trigger, and source are workflow concepts, but they are not the three required components of a condition. The CCFA workflow model uses conditions to refine and control automation safely.

On Microsoft Windows, the supported command to verify that the Falcon Sensor is running is sc.exe query csagent. This command queries the Windows service control manager for the Falcon sensor service driver named csagent. When the sensor is running correctly, the output shows SERVICE_NAME: csagent and a running state, specifically STATE : 4 RUNNING. This is the direct operational validation method documented for Windows sensor troubleshooting. cswindiag.exe is used to collect diagnostic information, but it is not the standard command for confirming the running state of the sensor. netstat.exe -f displays network connections and DNS names, not Falcon sensor service status. sc.exe query falcon is incorrect because the Windows service name is not falcon; it is csagent. Reference topics: Windows Sensor Deployment, Verify Sensor Status, Sensor Troubleshooting, Host Setup and Management.

Sensors in Reduced Functionality Mode can be displayed by going to Host Management and filtering for RFM . Host Management provides filterable host attributes and operational states, including RFM. This allows administrators to quickly identify systems where the sensor is operating with reduced capability, usually because of unsupported or uncertified kernel conditions. Sensor health reporting can provide operational status, but the course guide specifically identifies the Host Management page as a method for filtering the host list to show devices currently in RFM. “Host status” and “Sensor status” are not the precise UI locations described in the answer choices. Therefore, the direct and verified workflow is Host Management > filter for RFM.

Prevention policies are assigned through host group membership. Falcon uses host groups as the scalable policy-targeting mechanism for prevention, sensor update, response, containment-adjacent workflows, and other policy families. Administrators assign one or more host groups to a policy; hosts inherit the applicable policy according to group membership and policy precedence. Direct per-host policy assignment is not the normal Falcon model because it does not scale and bypasses group-based governance. IP ranges can be used as dynamic group criteria in some contexts, but the policy itself is still assigned to a host group, not directly to the IP range. Manual configuration on each endpoint is not used for Falcon cloud-managed prevention policy enforcement.

The correct setting is Uninstall and Maintenance Protection . In Falcon, this control is configured inside Sensor Update Policies and is specifically designed to prevent unauthorized sensor removal or maintenance operations. The official guidance states that the “Uninstall and maintenance protection” setting prevents unauthorized uninstallation of the sensor and controls whether a local administrator can manually update or uninstall the sensor. When enabled, uninstalling, repairing, unloading, downgrading, or manually upgrading the sensor requires a valid maintenance token. For supported Windows sensor versions, this protection can also prevent unauthorized modification of sensor grouping tags, which helps stop users from moving endpoints into less restrictive policy assignments. The course guide recommends keeping this setting enabled for normal production policies and creating a separate temporary maintenance policy only when legitimate sensor changes are required. “Installation and Maintenance Protection,” “Sensor Version Control Protection,” and “Update and Management Protection” are not the official Falcon setting names. Reference topics: Sensor Deployment, Sensor Update Policies, Maintenance Tokens, Uninstall Protection.

The primary concern with Windows RFM is that sensors do not have full visibility into all events occurring on the host. In Windows RFM, the sensor continues operating at reduced capacity and can still report events and trigger detections, but it temporarily unhooks from some kernel elements. Without those kernel elements, some detection patterns and a small number of preventions may not trigger. The host is not necessarily offline, powered off, or unable to communicate with the cloud. RFM is also not the same as an operating system crash; it is a protective compatibility state. The CCFA sensor deployment topic emphasizes that RFM reduces visibility and prevention coverage, which is why administrators should identify and remediate RFM hosts promptly.

The best field to filter by for Domain Controllers is Type . In Host Management, the Type field identifies the host category, including desktop, server, or domain controller. This makes it the most direct and precise field for locating domain controllers before reviewing their sensor version information. Sensor Version is useful after the correct host population has been identified, but filtering by Sensor Version alone would group systems by Falcon sensor build, not by whether they are domain controllers. Platform filters by broad operating system family, such as Windows, macOS, or Linux, and OS Version filters by the installed operating system version, neither of which uniquely identifies domain controllers. The course guide’s host filter descriptions explicitly define Type as “Desktop, server or domain controller OS” and Sensor Version as the version of Falcon sensor installed on the host. Therefore, the correct workflow is to filter by Type = Domain Controller, then review or sort the Sensor Version field for those matching hosts. Reference topics: Host Management filters, host type, sensor version review.

In addition to host group assignment, prevention policies can have Custom IOA Rule Groups assigned to them. This is how custom IOA rules become active for hosts covered by a prevention policy. Host groups determine which endpoints receive the policy, while assigned Custom IOA Rule Groups determine which custom behavioral detections are included in that policy. Operating System Groups and Machine Learning Groups are not assignable group objects in this context. Custom IOC Groups are not the policy-assignment mechanism described here; custom IOCs are managed through IOC Management with actions such as detect, allow, or block. The CCFA rule configuration model requires administrators to understand that custom IOA rule groups are attached to prevention policies before they can trigger detections.

Hosts that have been offline for ten minutes or longer can be found in Host Management . Host Management provides operational host state, including whether a host is online, offline, contained, inactive, or in Reduced Functionality Mode. The ten-minute threshold is associated with the console’s host online/offline status behavior. Sensor Coverage Dashboard is useful for higher-level deployment coverage analysis, but Host Management is the direct place to find and filter host state. Host Groups are used to organize hosts and assign policies, not primarily to identify current connectivity state. The CCFA Host Management topic focuses on using the Host Management page to search, filter, and act on endpoints based on current sensor status and host attributes.

When a host does not match a custom host group assigned to a policy, Falcon applies the applicable Default Policy . Falcon policies operate through host group assignment and precedence. A host may match one or more groups; when multiple policies apply, precedence determines which policy wins. If no custom policy assignment applies, the default policy is the fallback. The platform does not leave hosts without policy coverage, nor does it retain a previously active custom policy indefinitely once the host no longer qualifies. It also does not automatically choose the most restrictive policy unless that policy is assigned and has the highest precedence. This default-policy behavior is central to safe policy design in CCFA: administrators must review default policy settings because unassigned hosts inherit them.

Sensor Tampering Protection is the prevention policy setting that blocks attempts to interfere with core Falcon sensor components. The official prevention policy guidance states that when this setting is enabled, it “blocks attempts to tamper with the sensor” and protects “sensor-related files, folders and registry objects from renaming or deletion.” If disabled, Falcon may still create detections for tampering attempts, but it will not block the activity. This distinction is important because attackers commonly attempt to disable or corrupt endpoint security tooling before establishing persistence, evading detection, or executing payloads. Host Modification Protection, System Configuration Protection, and Sensor Modification Protection are not the named Falcon prevention setting for this control. The correct CCFA topic alignment is Policy Application, specifically Prevention Policy Settings > Sensor Capabilities > Sensor Tampering Protection.

The highest level of protection in the three-phase prevention policy model is Phase 3 . Falcon’s staged policy model allows organizations to begin with safer detection-focused settings, then progress toward stronger prevention as false positives are triaged and exclusions are tuned. Phase 1 is intended for initial deployment, especially when pre-existing antivirus or HIPS is present, and is more conservative. Phase 2 increases enforcement and aligns more closely with recommended protection. Phase 3 represents the fully realized best-practice posture with the highest protection level among the listed phases. CCFA policy application guidance emphasizes progressing through these phases deliberately, using detection review, allowlisting, exclusions, and change control before applying the most protective settings broadly.

The correct report is the Sensor Report . Falcon’s Sensors reporting area contains reports used by administrators to manage sensor deployment and coverage. The Sensor Report provides an overview of active sensors in the environment and is the correct high-level view for reviewing sensor deployment posture. It supports operational review of host-related attributes such as platform, operating system information, device or host type, domain, and sensor version, making it useful for quickly understanding sensor coverage and endpoint distribution. The Sensor Policy Daily Report is different: it is used to review groups and policies assigned to a host and is updated once per day, so it is not the best answer for a filterable environment-wide sensor overview. “Sensor Status Report” and “Sensor Overview Report” are not the named report options in the official report list. Reference topics: Dashboards and Reports, Sensors Reports, Sensor Report, Sensor Policy Daily Report.

The correct choice is to create a dynamic group with assignment criteria set to OS Version = Windows 10 . Dynamic host groups automatically add hosts when they match the assignment rule and automatically remove hosts when they no longer match. This is the correct group type when the requirement is to continuously include all applicable hosts across the environment without manual maintenance. Falcon’s host group documentation states that dynamic groups can use attributes such as grouping tags, IP/CIDR range, OS version, Active Directory OU, and hostname prefix or suffix, and that matching hosts are automatically added. Static groups would require manually adding each Windows 10 host and would not automatically include newly deployed Windows 10 systems. OS Type Workstation is also insufficient because it identifies a device type, not a specific operating system version. Reference topics: Group Creation, Dynamic Host Groups, Assignment Rules, OS Version Filtering.

The additional option used to refine an Event trigger is a Condition . An Event trigger starts the workflow when a selected type of Falcon event occurs, but conditions narrow execution to events that match specific criteria. For example, a workflow may trigger on EPP detections but continue only when severity is high, hostname matches a test system, or platform equals Windows. Parameter, operator, and value are components of a condition, but “parameter” alone is not the workflow refinement object. Filter and Trigger Details are not the correct CCFA term for this workflow refinement step. Fusion SOAR design relies on conditions to prevent overly broad automation and to ensure response actions apply only to intended events.

The correct approach is to create a custom IOA rule that monitors process creation matching .*\\remote\.exe. The goal is to generate a detection for review when an authorized remote access executable runs. Custom IOAs are specifically suited for detecting organization-specific behaviors, including process creation based on executable path or command-line patterns. An exclusion would suppress detections, not create them. A scheduled search may find process events after the fact, but it does not create a Falcon detection in the same way a custom IOA does. An IOC for remote.exe would be less precise unless based on a hash and would not express the behavioral “process creation” condition. The course guide identifies custom IOA process creation rules as the correct tool for this use case.