CCFA-200b Exam Dumps - CrowdStrike Falcon Certification Program Questions and Answers

Custom IOA rules are designed to detect behavior, not simply static files. Falcon’s core prevention model distinguishes between Indicators of Compromise, which are often file/hash/domain/IP based, and Indicators of Attack, which describe behavioral patterns associated with suspicious or malicious activity. Custom IOAs allow administrators to define organization-specific behavioral detections, such as process creation, file creation, network connection, or command-line behavior. They are especially useful when the activity may not be universally malicious but is unwanted or suspicious in a specific environment. Blocking known malware is more closely aligned with IOC management or machine-learning prevention. System updates and network settings are unrelated to custom IOA rule intent. The course guide describes custom IOAs as a way to gain visibility into activity Falcon does not otherwise detect and optionally block or kill that behavior.

The correct role is Falcon Security Lead. Falcon role guidance identifies Falcon Security Lead as a role that can manage detections, manage quarantined files, contain hosts, search events, reset user credentials, and view exclusions. Falcon Analyst – Read Only can view detections and exclusions but does not have management authority over quarantined files. Endpoint Manager is focused on sensor deployment, sensor configuration, update policies, and host group administration; it is not the role for quarantine management. Detections Exceptions Manager is associated with exception or exclusion-style administration, not quarantined file operations. Managing quarantined files includes operational actions such as reviewing quarantined items, releasing files, undoing releases, deleting quarantined files, and potentially downloading extracted files when permitted by configuration and role. Because quarantine actions can reintroduce files to endpoints or remove evidence, Falcon assigns this capability only to roles with sufficient security operations authority. Reference topics: User Management, Default Roles, Falcon Prevent Roles, Quarantined Files.

The most stable automatic update setting is Auto-N-2 . Falcon sensor update policy options allow administrators to choose how aggressively hosts receive new sensor builds. Auto-Latest provides the newest version fastest, while Auto-N-1 lags one version behind. Auto-N-2 lags further behind and is therefore the most conservative automatic option because the build has had more time in the field before broad adoption. A pinned version can be stable temporarily, but it is not an automatic update level and can become outdated if not managed carefully. The course guide notes that Auto-N-1 and Auto-N-2 remain on known stable sensor versions and are designed to reduce update risk compared with latest-version deployment.

Inactive hosts are automatically removed from Host Management after 45 days of inactivity. Falcon considers hosts inactive when they have not reported to the cloud within the relevant timeframe. The Inactive Sensors reporting area is used to identify sensors that have not checked in, and the course guide notes that sensors inactive for more than 45 days are deleted from the active host view. This lifecycle behavior keeps Host Management from accumulating stale endpoint records indefinitely. Thirty days is too short for the default automatic removal period, and ninety days is longer than the documented default. Administrators should review inactive sensors regularly to identify decommissioned systems, connectivity problems, or deployment coverage gaps before records age out.

Fusion SOAR workflows run automatically from Event triggers or Scheduled triggers. Event triggers execute when Falcon observes a matching event, such as a detection, incident, audit event, custom IOA detection, or other supported trigger category. Scheduled triggers run at a defined time or recurrence, allowing routine automation such as reporting, searches, or maintenance workflows. Conditions refine when a workflow continues after the trigger, but they are not triggers themselves. Actions are the tasks performed after the workflow starts, such as sending email, assigning detections, containing hosts, or running RTR commands. The CCFA workflow model separates trigger, condition, and action clearly: triggers start workflows, conditions filter logic, and actions perform outcomes.

Manual macOS sensor installation requires approval for the Falcon system extension , Full Disk Access , and the network filter extension on supported macOS versions. Apple’s security model requires explicit authorization before endpoint security extensions and network content filtering components can load. Full Disk Access is required for the sensor to inspect protected filesystem locations and operate correctly. Omitting any one of these approvals can leave the sensor partially installed, unable to provide expected visibility, or unable to load required components. The course guide’s macOS deployment section identifies system extension approval and network filter authorization as required for Big Sur and later, and also states Full Disk Access must be granted for proper operation.

The highest level of protection in the three-phase prevention policy model is Phase 3 . Falcon’s staged policy model allows organizations to begin with safer detection-focused settings, then progress toward stronger prevention as false positives are triaged and exclusions are tuned. Phase 1 is intended for initial deployment, especially when pre-existing antivirus or HIPS is present, and is more conservative. Phase 2 increases enforcement and aligns more closely with recommended protection. Phase 3 represents the fully realized best-practice posture with the highest protection level among the listed phases. CCFA policy application guidance emphasizes progressing through these phases deliberately, using detection review, allowlisting, exclusions, and change control before applying the most protective settings broadly.

Fusion SOAR workflows are built around the operational sequence of Trigger, Condition, and Action . The trigger defines the Falcon event or schedule that starts the workflow. The condition refines when the workflow should proceed by evaluating event attributes, such as severity, hostname, detection type, source, status, or other parameters. The action defines what Falcon should do after the trigger occurs and the condition is satisfied, such as assigning a detection, sending a notification, containing a host, creating a ticket, or running a response action. The official workflow guidance describes creating workflows by choosing a trigger, adding conditions to refine the trigger, and defining actions that run when the exact trigger conditions are met. Rule Type, Filter, and Objective are not the Fusion workflow execution structure. Those terms are more closely associated with detection logic or classification, not workflow automation. Reference topics: Fusion SOAR workflows, workflow triggers, workflow conditions, workflow actions.

To patch a network-contained host, create or update a Containment Policy that allowlists the specific IP addresses of the patch management or update sources. Containment blocks most network traffic by design, so update jobs fail unless the required update infrastructure is explicitly permitted. The course guide calls out IP addresses for Windows Update or update sources, not FQDN-based allowlisting, as the supported containment-policy exception method. Content update policies are unrelated to allowing host network traffic during containment. IP Allowlist Management controls administrative access to Falcon from specific source IPs; it does not permit contained endpoints to reach patch servers. Therefore, the containment policy must allow the patch infrastructure IPs.

The combined maximum length of all sensor grouping tags is 256 characters , including comma separators. Grouping tags are assigned during installation using the appropriate installer parameter and can later be used in Host Management and dynamic host group rules. Because multiple tags can be applied to a host, Falcon enforces a combined-length limit across all tags rather than only a per-tag limit in this context. Exceeding this value can cause installation or tagging behavior to fail or produce incomplete tag assignment. The other choices are not the documented maximum. CCFA sensor deployment guidance specifically states that when using multiple tags, the combined length of all tags for a host, including comma separators, cannot exceed 256 characters.