CCFA-200b Exam Dumps - CrowdStrike Falcon Certification Program Questions and Answers

Network containment isolates a host from normal network communication to prevent lateral movement and attacker-controlled access. By default, a contained host cannot reach patching infrastructure, so operating system patch jobs fail unless specific exceptions are added. The Falcon configuration point for this is the Containment Policy , where administrators allowlist specific IP addresses that contained hosts may continue to communicate with. The official guidance states that to install patches on network-contained hosts, administrators must add the IP address of the Windows Update source or patching source to the environment’s containment policy. FQDN allowlisting is not the correct answer in this context; the supported containment exception is IP-based. Removing containment would restore connectivity but would also eliminate the protective isolation during a zero-day remediation scenario. Firewall Policy is not the control that governs Falcon network containment exceptions. Reference topics: Network Containment, Containment Policy, Patch Windows Hosts, Policy Application.

Excluding mobile devices, Falcon network containment applies to Windows, Linux, and macOS hosts running the Falcon sensor . Network containment is a host-level response action that restricts a system’s network connectivity while maintaining required communication with CrowdStrike cloud services. Falcon allows administrators to contain hosts directly from host or detection workflows, and the official guidance states that Windows, Mac, and Linux hosts can be contained from the detection summary panel. Falcon Container is not the correct inclusion here because the documentation notes that Falcon Container does not support network containment for pods. Therefore, any answer including container hosts is overbroad. Windows-only, Mac-only, or Linux-only combinations are incomplete because Falcon supports containment across the three primary endpoint operating systems. The practical requirement is that the endpoint must be running the Falcon sensor and must be a supported host type for containment. Reference topics: Host Management and Setup, Network Containment, Containment Actions, Supported Host Platforms.

The correct action is to create a Fusion SOAR workflow using the OverWatch remediation and prioritization playbook to contain the host and notify the SOC team. Fusion SOAR workflows automate response actions based on Falcon events. OverWatch detections are high-value human-hunted detections, and a predefined OverWatch playbook exists to support fast remediation actions such as containment, email notification, and related response steps. Emailing the OverWatch team is not the customer’s responsibility; the correct internal recipients are typically the SOC or incident response staff. Blocking “the detection” is not the correct workflow model because detections are records of observed behavior, while containment is the host-level response. Creating a detection is also incorrect because OverWatch already generated the detection.

Red Hat Enterprise Linux is an operating system distribution and version family, so the most precise Host Management filter is OS version . Platform would generally distinguish broad operating system families such as Windows, macOS, or Linux, but it would not narrow results specifically to RHEL. Type identifies host form factor or role, such as desktop, server, or domain controller. OU refers to Active Directory organizational unit membership, which applies to directory-joined assets rather than Linux distribution identity. The course guide’s Host Management and dynamic grouping filter list identifies OS Version as the field used for the installed operating system version. Therefore, to locate RHEL systems, OS version is the most appropriate filter.

When an API client is created in Falcon, the generated credential pair is the Client ID and Secret . These two values identify and authenticate the integration when it requests access to Falcon APIs. The official API client workflow directs administrators to go to Support and resources > Resources and tools > API clients and keys, create the API client, assign the required scopes, and then copy the client ID and secret from the API client created dialog. The secret must be stored securely because it is not visible again after the credential window is closed. Customer ID or CID is used for tenant and sensor-related identification, not API authentication. OAuth2 tokens are generated later by using the client ID and secret; they are not the initial credential pair. Reference topics: User Management, API clients and keys, OAuth2-based API authentication, third-party integration credentials.

The required upload format is TXT . Static host groups can be populated by selecting hosts in the console, manually entering hostnames or host IDs, or uploading a text file. Falcon supports adding hosts by host ID or hostname depending on whether the static group was created as “Static by host ID” or “Static by hostname.” The uploaded TXT file must contain only host IDs or only hostnames, with each entry separated by a new line. This method supports adding up to 1,000 hosts at a time, so uploading 500 servers is within the supported limit. XLSX, PDF, and JSON are not the documented upload formats for static host group membership. The course guide also notes that static groups are useful for controlled testing scenarios, such as validating a newly created sensor update policy against a specific set of hosts. Reference topics: Group Creation, Static Host Groups, Upload Hosts, Host ID and Hostname Assignment.

After clicking Disable Detections for a host, detections for that host are removed from the console immediately, and new detections do not display going forward unless detections are re-enabled. This action suppresses console detection visibility for the host; it does not uninstall the sensor or stop the sensor from operating. Existing detection data remains available in Event Search, but it is removed from the Endpoint detections console view. This distinction is important: disabling detections affects detection display and DetectionSummaryEvent behavior, not all telemetry collection or prevention policy processing. The course guide contrasts this with deleting a host, where prior detections remain visible. For Disable Detections specifically, the immediate console effect is removal of detections.

The most likely reason the “Servers” host group is not available is that it is already assigned to another prevention policy. Falcon prevention policies are applied to hosts through host groups. When assigning host groups to a prevention policy, the console only presents groups that are currently available for assignment. The official prevention policy workflow states that after a host group is assigned to a policy, that host group no longer appears in the list of available groups. This prevents accidental duplicate assignment within the same policy assignment workflow and helps preserve predictable policy targeting. The group does not need to be disabled before assignment, and host type is not defined inside the prevention policy itself. The policy also does not need to be enabled before groups can be assigned; assignment can be configured before enabling the policy. Therefore, the unavailable “Servers” group indicates that it already has a prevention policy assignment. Reference topics: Policy Application, Prevention Policies, Assigned Host Groups, Host Group Policy Assignment.

Prevention policies are assigned through host group membership. Falcon uses host groups as the scalable policy-targeting mechanism for prevention, sensor update, response, containment-adjacent workflows, and other policy families. Administrators assign one or more host groups to a policy; hosts inherit the applicable policy according to group membership and policy precedence. Direct per-host policy assignment is not the normal Falcon model because it does not scale and bypasses group-based governance. IP ranges can be used as dynamic group criteria in some contexts, but the policy itself is still assigned to a host group, not directly to the IP range. Manual configuration on each endpoint is not used for Falcon cloud-managed prevention policy enforcement.

The most efficient dynamic grouping criterion is Type: Workstation . Host type is specifically intended to distinguish categories such as workstation, server, or domain controller. Using OU may work only if Active Directory structure is perfectly aligned and consistently maintained, which is not guaranteed. Grouping tags require prior tag assignment during installation or post-install configuration, adding administrative dependency. Platform Windows would include Windows servers and possibly other Windows systems that are not workstations. The CCFA group creation topic emphasizes using the most precise available host attribute for dynamic group membership. Since the desired group is all workstations, Type: Workstation directly maps to the requirement and avoids broader or manually dependent criteria.