CCFA-200b CrowdStrike Falcon Certification Program Questions and Answers

The primary purpose of Falcon audit logs is to track configuration and administrative changes . Audit logs provide accountability by showing what changed, who made the change, and when it occurred. Examples include policy creation, updates, deletions, role changes, user management actions, IP allowlist changes, and other administrative activity. Tracing file changes is the purpose of file integrity monitoring tools such as Falcon FileVantage, not the general Falcon audit log. Monitoring system performance is handled through sensor health, host status, and operational telemetry rather than audit logs. CCFA emphasizes audit logs as an administrative governance and investigation tool that supports accountability, change review, and security operations oversight.

The fastest method is to use the Host Management page and apply the filter for inactive hosts. Sorting by Last Seen can help, but it is less direct and may require additional interpretation. Exporting host data to CSV is useful for offline reporting but is slower and unnecessary for immediate console triage. Searching for hosts with no Agent ID is incorrect because Falcon-managed hosts have Agent IDs; an inactive sensor is not the same thing as a missing AID. CCFA host management workflows emphasize using built-in filters for operational triage, including inactive, contained, RFM, platform, OS version, tags, and other host attributes. The Inactive Sensors report can also help, but within the answer choices, filtering Host Management is the direct operational answer.

The required role is Real Time Response - Administrator . RTR Administrator can create custom scripts, upload files for the put command, and perform higher-risk RTR operations that are not available to Active Responders. Active Responder can execute certain response actions and retrieve files, but it does not provide full script management capability. Workflow Author relates to Fusion SOAR workflows, not RTR script creation and sharing. Falcon Scripts Manager is not the correct default role in this context. The CCFA RTR topic separates roles into Read Only Analyst, Active Responder, and Administrator. Building, saving, and sharing custom scripts requires the administrative RTR capability, so RTR Administrator is the correct least role for that task.

After clicking Disable Detections for a host, detections for that host are removed from the console immediately, and new detections do not display going forward unless detections are re-enabled. This action suppresses console detection visibility for the host; it does not uninstall the sensor or stop the sensor from operating. Existing detection data remains available in Event Search, but it is removed from the Endpoint detections console view. This distinction is important: disabling detections affects detection display and DetectionSummaryEvent behavior, not all telemetry collection or prevention policy processing. The course guide contrasts this with deleting a host, where prior detections remain visible. For Disable Detections specifically, the immediate console effect is removal of detections.

The correct method is to enter multiple hostnames in the Hostname filter and separate each hostname with a comma. Host Management is designed to let administrators filter, search, and customize host views so they can quickly locate endpoints by attributes such as hostname, grouping tags, IP/CIDR range, operating system version, domain, and other host metadata. A single Hostname filter can accept multiple hostname values, and separating values with commas allows Falcon to treat them as multiple entries within that filter rather than requiring separate filters. Adding the same Hostname filter repeatedly is inefficient and can create unintended filter logic. A decimal is not a valid separator for hostname lists, and there is no separate “Multiple Hostnames” filter in the Host Management workflow. This topic belongs to Host Management and Setup, specifically Host Management filtering, search behavior, and multi-value filter usage.

To patch a network-contained host, create or update a Containment Policy that allowlists the specific IP addresses of the patch management or update sources. Containment blocks most network traffic by design, so update jobs fail unless the required update infrastructure is explicitly permitted. The course guide calls out IP addresses for Windows Update or update sources, not FQDN-based allowlisting, as the supported containment-policy exception method. Content update policies are unrelated to allowing host network traffic during containment. IP Allowlist Management controls administrative access to Falcon from specific source IPs; it does not permit contained endpoints to reach patch servers. Therefore, the containment policy must allow the patch infrastructure IPs.

The default role that allows viewing all analyst session details is Falcon Administrator . RTR-specific roles allow users to perform or view their own RTR activities according to their level, but the Falcon Administrator has broader administrative visibility across the CID, including all RTR session details. The RTR Administrator role has elevated RTR execution and script/file capabilities, but the course guide distinguishes complete administrative session visibility from RTR execution authority. Falcon Security Lead and RTR Read-Only Analyst do not provide all analyst session detail visibility. This separation is important because Falcon uses roles to distinguish operational response permissions from audit and administrative oversight. The correct default role for all-session visibility is Falcon Administrator.

Falcon user permissions are defined through roles, and those roles can be either default roles or custom roles. A user gains permissions by being assigned one or more roles, and Falcon grants the combined permissions enabled across all assigned roles. Default roles provide predefined permission sets for common operational responsibilities, while custom roles allow administrators to restrict or expand access for specialized duties. Permissions are not assigned one-by-one directly during user account creation as the primary model. A user also does not need a default role before receiving a custom role; custom roles can be assigned as needed after they are created and validated. Custom role permission sets are scoped to the customer environment and are not globally shared across all CrowdStrike customers. This role-based model supports least privilege, separation of duties, and auditable administrative access. Reference topics: User Management, Role Management, Default Roles, Custom Roles, Permissions.

Sensor updates are managed through sensor update policies assigned to host groups. Falcon uses host group membership to determine which policy applies to a host. Sensor update policies control whether hosts remain pinned to a specific version, automatically update to a relative version such as Auto - N-1 or Auto - N-2, or receive specific maintenance protections. Prevention policies control security behavior, not sensor versioning. Manual updates do not scale and are not the Falcon administrative model for enforcing consistent versions across many endpoints. Direct installation is only the initial deployment mechanism, not ongoing update governance. The course guide emphasizes using host groups and sensor update policies to control sensor maintenance at scale across Windows, macOS, and Linux platforms.

Falcon user accounts must be created using an email address from the approved domains configured for the CID. This ensures that account creation is limited to authorized organizational identity domains and reduces the risk of adding unauthorized external users. New users are not automatically assigned the Falcon Analyst role by default; roles must be assigned according to operational need. Employee identification numbers and domain-number prefixes are not Falcon account requirements. The CCFA user management topic emphasizes identity governance, approved domains, role assignment, and least privilege. Falcon Administrators create users, assign appropriate roles, and ensure that access aligns with approved organizational identity controls. Therefore, the approved-domain email requirement is the correct statement.

The correct location is the Workflow Execution log. Fusion SOAR separates configuration change history from workflow run history. The Workflow Audit log is used to review changes made to workflows, such as edits, versions, or modifications by users. The Execution log is the operational record of workflow activity. It shows every time workflows are triggered, along with execution date, execution status, trigger, action, and workflow name. It also allows administrators to inspect execution details, including whether the workflow completed successfully, failed, or is still in progress. The course guide states that administrators should go to Fusion workflows > Execution log to review each workflow execution and examine where a workflow may have failed. This makes it the correct source for success and failure history. Falcon UI Audit Trail is broader administrative auditing, and Custom Alert History is not the Fusion SOAR execution history location. The correct CCFA topic alignment is Workflows, specifically Fusion SOAR monitoring and execution review.

The likely cause is that the laptop is not a member of a host group assigned to the custom prevention policy. Falcon policies are applied through host group membership and policy precedence. A policy must be enabled and assigned to one or more host groups; Falcon then applies the policy settings to hosts based on their group membership. If a host is not in any group assigned to an enabled custom policy, it automatically receives the Default Policy. Since the custom policy is already enabled and successfully running on more than 1,000 other hosts, the policy itself is functioning correctly. The issue is therefore not sensor health, firewall connectivity, or a manual prompt. Falcon does not require a 24-hour waiting period before applying custom policies to newly installed hosts, and administrators do not manually approve policy application on the endpoint through a local prompt. The resolution is to verify the laptop’s group membership, dynamic group criteria, tags, OU, hostname pattern, or other assignment rule used by the custom policy’s host group. Reference topics: Policy Application, host group membership, default policy fallback, prevention policy assignment.

To quarantine files on the host, Falcon requires the relevant Next-Gen Antivirus prevention capability and Quarantine & Security Center Registration . Quarantine occurs after files are prevented by NGAV, so Falcon must first be configured to detect and prevent malicious executable content using the Next-Gen Antivirus prevention sliders, such as Cloud Machine Learning and Sensor Machine Learning prevention levels. The Quarantine & Security Center Registration setting then allows Falcon to quarantine executable files after NGAV prevention. On Windows workstations, enabling this setting also registers Falcon with Windows Security Center and can disable Microsoft Defender automatically. Malware Protection and Custom Execution Blocking relate to different prevention mechanisms, especially IOC-based blocking, but they are not the required pairing for NGAV quarantine. Behavior-Based Threat Prevention and Advanced Remediation Actions are also not the required quarantine configuration. Reference topics: Prevention Policy Settings, Next-Gen Antivirus, Quarantine, Quarantine & Security Center Registration.

The correct retention period is 45 days . In Falcon Host Management, a host becomes inactive when its sensor no longer sends heartbeat communication back to the CrowdStrike cloud. Inactive status is identified by the host’s Last Seen timestamp, allowing administrators to determine when the endpoint last communicated. Falcon automatically removes hosts that remain inactive for more than 45 days from both the Host Management page and the Trash page. This behavior prevents stale endpoint records from remaining indefinitely in the operational console while still giving administrators time to review, delete, restore, or investigate host records before they age out. The 60-day, 75-day, and 90-day options do not match the documented Falcon host lifecycle. This topic belongs to Host Management and Setup, specifically inactive host cleanup, deleted host handling, Trash retention, and endpoint lifecycle management.

The first component configured when creating a Fusion SOAR workflow from scratch is the Trigger . Falcon workflows follow a trigger-condition-action model: the trigger determines what starts the workflow, the condition narrows execution logic, and the action defines what Falcon does after the workflow criteria are met. For a workflow involving critical vulnerabilities, the trigger is the event that initiates automation, such as Falcon detecting or receiving a vulnerability-related event. Only after the trigger is selected can the administrator add conditions, such as vulnerability severity equals Critical, and then define the action, such as generating an alert, creating a ticket, sending a notification, or initiating another response. The course guide describes this model using the exact example of critical vulnerabilities: Trigger is Falcon detecting an endpoint vulnerability, Condition is vulnerability severity of Critical, and Action is creating a ServiceNow incident. Therefore, Action and Condition are configured after the trigger, and Workflow Name is administrative metadata rather than the execution-starting component. Reference topics: Fusion SOAR workflows, trigger-condition-action model, vulnerability workflow automation.

The correct setting is Uninstall and Maintenance Protection . In Falcon, this control is configured inside Sensor Update Policies and is specifically designed to prevent unauthorized sensor removal or maintenance operations. The official guidance states that the “Uninstall and maintenance protection” setting prevents unauthorized uninstallation of the sensor and controls whether a local administrator can manually update or uninstall the sensor. When enabled, uninstalling, repairing, unloading, downgrading, or manually upgrading the sensor requires a valid maintenance token. For supported Windows sensor versions, this protection can also prevent unauthorized modification of sensor grouping tags, which helps stop users from moving endpoints into less restrictive policy assignments. The course guide recommends keeping this setting enabled for normal production policies and creating a separate temporary maintenance policy only when legitimate sensor changes are required. “Installation and Maintenance Protection,” “Sensor Version Control Protection,” and “Update and Management Protection” are not the official Falcon setting names. Reference topics: Sensor Deployment, Sensor Update Policies, Maintenance Tokens, Uninstall Protection.

A Falcon Administrator role alone does not grant the ability to initiate a Real Time Response session. RTR access is controlled by dedicated Real Time Responder roles, and the course guidance is explicit that “you must have a Real Time Responder role to connect to a host” and that “the Falcon Administrator role doesn’t include access to Real Time Response.” The administrator must be assigned one of the RTR roles, such as Real Time Responder - Read Only Analyst, Active Responder, or Administrator, depending on the level of command access required. A logged-in user on the endpoint does not prevent RTR connection, and Falcon can also connect to hosts that are network contained as long as RTR requirements are met. Another analyst session may affect operational coordination, but it is not the primary cause in this scenario. The correct CCFA topic alignment is User Management and Real Time Response role assignment.

The Default Sensor Policy is the fallback policy that applies when a host is not matched to another assigned sensor policy. Falcon policy assignment is driven by host group membership and policy precedence. If a host belongs to a group that has an assigned policy, Falcon applies the highest-precedence applicable policy. If the host is not part of any group, or if its groups do not have a policy assigned, Falcon automatically applies the default policy. This ensures every sensor has an update policy path and avoids unmanaged update behavior. The default policy is not a test mechanism, does not reset all settings, and is not intended to deploy the oldest supported sensor version. The course guide states that the default policy may appear as platform_default and is applied to hosts that do not have an assigned policy. Reference topics: Sensor Deployment, Sensor Update Policies, Default Policy, Host Group Policy Assignment.

The likely restriction is that Custom Scripts is not enabled in the response policy. RTR permissions are controlled by both user role and response policy. An Active Responder can run certain custom scripts when the host’s response policy permits Custom Scripts. If that setting is disabled, the user may have the correct RTR role but still be blocked from executing the script on that host. Put-and-Run is associated with uploading and running executables and is broader than the custom-script control. Script-Based Execution Monitoring is a prevention visibility setting, not an RTR permission. RTR Administrator is required for creating custom scripts and some higher-risk actions, but an Active Responder can execute allowed custom scripts when policy permits.

The Sensor report dashboard is the best answer because it provides an overview of active sensors in the environment and summarizes deployment and coverage data for sensor administration. The question asks for an overview of the top ten most-applied policies by sensors, which is a dashboard-level summary rather than a per-host assignment lookup. The Sensor Policy Daily Report is more granular: it is used to review the groups and policies assigned to a host and is updated once per day, so it is not the best choice for a top-ten environmental overview. Scheduled reports are a delivery mechanism for recurring report generation, not the specific report containing the requested sensor-policy overview. Executive Summary provides broader executive-level security posture information and is not the focused sensor-policy distribution view. CCFA reporting guidance places sensor deployment and coverage reporting under Sensors, where the Sensor Report provides the overview of active sensors and related sensor-management posture. Reference topics: Dashboards and Reports, Sensors reports, Sensor Report dashboard, Sensor Policy Daily Report.

When an API client is created in Falcon, the generated credential pair is the Client ID and Secret . These two values identify and authenticate the integration when it requests access to Falcon APIs. The official API client workflow directs administrators to go to Support and resources > Resources and tools > API clients and keys, create the API client, assign the required scopes, and then copy the client ID and secret from the API client created dialog. The secret must be stored securely because it is not visible again after the credential window is closed. Customer ID or CID is used for tenant and sensor-related identification, not API authentication. OAuth2 tokens are generated later by using the client ID and secret; they are not the initial credential pair. Reference topics: User Management, API clients and keys, OAuth2-based API authentication, third-party integration credentials.

Fusion SOAR workflows are built around the operational sequence of Trigger, Condition, and Action . The trigger defines the Falcon event or schedule that starts the workflow. The condition refines when the workflow should proceed by evaluating event attributes, such as severity, hostname, detection type, source, status, or other parameters. The action defines what Falcon should do after the trigger occurs and the condition is satisfied, such as assigning a detection, sending a notification, containing a host, creating a ticket, or running a response action. The official workflow guidance describes creating workflows by choosing a trigger, adding conditions to refine the trigger, and defining actions that run when the exact trigger conditions are met. Rule Type, Filter, and Objective are not the Fusion workflow execution structure. Those terms are more closely associated with detection logic or classification, not workflow automation. Reference topics: Fusion SOAR workflows, workflow triggers, workflow conditions, workflow actions.

The new sensor update policy must be enabled and placed at a higher precedence than the broader policy assigned to all Windows servers. Falcon policy resolution is precedence-based when a host belongs to multiple host groups. In this scenario, each test Windows server belongs to both groups: the narrow “test Windows servers” group and the broad “all Windows servers” group. If the test policy has lower precedence, the broader Windows server policy wins and the test servers will not receive the new sensor update configuration. Falcon policy precedence uses ranking order where precedence 1 is higher than precedence 2, and the highest-ranking applicable policy becomes active on the host. This allows safe staged testing by making the narrow pilot policy outrank the general production policy while affecting only hosts in the test group. Manual installation or uninstallation is not required and would bypass Falcon’s managed sensor update workflow. Reference topics: Sensor Deployment, Sensor Update Policies, Host Groups, Policy Precedence.

A Fusion SOAR workflow condition is built from a parameter , an operator , and a value . The parameter is the field being evaluated, such as severity, hostname, platform, status, or detection type. The operator defines the comparison, such as equals, contains, is in, or is greater than. The value is the target value used in the comparison. This structure allows a workflow to start from a broad event trigger and then narrow execution to only the events that match the desired criteria. Alert, action, schedule, trigger, and source are workflow concepts, but they are not the three required components of a condition. The CCFA workflow model uses conditions to refine and control automation safely.

The additional option used to refine an Event trigger is a Condition . An Event trigger starts the workflow when a selected type of Falcon event occurs, but conditions narrow execution to events that match specific criteria. For example, a workflow may trigger on EPP detections but continue only when severity is high, hostname matches a test system, or platform equals Windows. Parameter, operator, and value are components of a condition, but “parameter” alone is not the workflow refinement object. Filter and Trigger Details are not the correct CCFA term for this workflow refinement step. Fusion SOAR design relies on conditions to prevent overly broad automation and to ensure response actions apply only to intended events.

The correct action is to create a Fusion SOAR workflow using the OverWatch remediation and prioritization playbook to contain the host and notify the SOC team. Fusion SOAR workflows automate response actions based on Falcon events. OverWatch detections are high-value human-hunted detections, and a predefined OverWatch playbook exists to support fast remediation actions such as containment, email notification, and related response steps. Emailing the OverWatch team is not the customer’s responsibility; the correct internal recipients are typically the SOC or incident response staff. Blocking “the detection” is not the correct workflow model because detections are records of observed behavior, while containment is the host-level response. Creating a detection is also incorrect because OverWatch already generated the detection.

The default user role that can manage API credentials is Falcon Administrator . Falcon’s role-permission matrix shows “Manage API credentials” enabled for Falcon Administrator and not enabled for the other listed roles. Falcon Administrator is the broad administrative role that can access nearly all console functionality, with the notable exception that Real Time Response still requires dedicated RTR roles. Managing API credentials is a high-risk administrative function because API clients and secrets can be used by integrations, scripts, and external systems to access Falcon APIs according to assigned scopes. Therefore, Falcon restricts this capability to administrative authority rather than operational roles such as Falcon Security Lead or Endpoint Manager. Falcon Security Lead can manage detections, quarantined files, containment, event searches, and credential resets, but it cannot manage users, roles, or API credentials. “Falcon API Manager” is not the default role presented in the official role model. Reference topics: User Management, Default Roles, API Clients and Keys, Role-Based Access Control.