Pass the CrowdStrike Falcon Certification Program CCFA-200b Questions and answers with ExamsMirror

Because the alert is triggering on a specific Falcon IOA, the correct remediation is to create an IOA exclusion scoped to the relevant file path or behavior. IOA exclusions are specifically intended to reduce false-positive behavioral detections and preventions. A generic file exclusion may be too broad or may not suppress the behavioral IOA. A Custom IOC Allow is more appropriate for hash or indicator-based decisions, not a behavior-based detection. Creating a separate host group with a less restrictive policy weakens protection across development systems and is unnecessarily broad. CCFA guidance favors the narrowest effective exception, applied to the specific detection logic and path involved. Therefore, an IOA exclusion is the correct administrative control.

The correct Windows prevention policy setting is Suspicious Scripts and Commands . This setting focuses on detecting suspicious or malicious script and shell command activity. It is aligned with Falcon’s behavioral detection model for activity occurring through interpreters and command shells, where adversaries commonly use PowerShell, command prompts, scripts, and living-off-the-land techniques. Script-based execution visibility increases visibility into script execution, but the question asks about monitoring shell contents for execution of malicious content, which maps to Suspicious Scripts and Commands. Enhanced exploitation visibility and additional user mode data visibility provide other telemetry and exploit-related coverage but are not the specific shell-content monitoring setting. CCFA prevention policy topics distinguish visibility settings from detection/prevention settings that identify suspicious command behavior.

The most accurate ML exclusion pattern is Program Files\Software\**\*.exe. Falcon prevention policy exclusions use glob syntax, and Windows exclusion paths are written without the drive name and without a leading backslash. The pattern must therefore begin at Program Files\Software\, not C:\Program Files\Software\. A single asterisk pattern such as Program Files\Software\*.exe matches only .exe files directly inside the Software folder and does not include subfolders. The double-asterisk pattern with a path separator, **\*.exe, is the correct recursive construction because it matches executable files within the target folder and its subdirectories. **\*.exe by itself is overly broad because it could match executable files in many locations, not just the Software directory. Program Files\Software\**.exe is less precise than the documented recursive executable pattern. Reference topics: Rule Configuration, Machine Learning Exclusions, Prevention Policy Exclusions, Glob Syntax.

The correct retention period is 45 days . In Falcon Host Management, a host becomes inactive when its sensor no longer sends heartbeat communication back to the CrowdStrike cloud. Inactive status is identified by the host’s Last Seen timestamp, allowing administrators to determine when the endpoint last communicated. Falcon automatically removes hosts that remain inactive for more than 45 days from both the Host Management page and the Trash page. This behavior prevents stale endpoint records from remaining indefinitely in the operational console while still giving administrators time to review, delete, restore, or investigate host records before they age out. The 60-day, 75-day, and 90-day options do not match the documented Falcon host lifecycle. This topic belongs to Host Management and Setup, specifically inactive host cleanup, deleted host handling, Trash retention, and endpoint lifecycle management.

The Default Sensor Policy is the fallback policy that applies when a host is not matched to another assigned sensor policy. Falcon policy assignment is driven by host group membership and policy precedence. If a host belongs to a group that has an assigned policy, Falcon applies the highest-precedence applicable policy. If the host is not part of any group, or if its groups do not have a policy assigned, Falcon automatically applies the default policy. This ensures every sensor has an update policy path and avoids unmanaged update behavior. The default policy is not a test mechanism, does not reset all settings, and is not intended to deploy the oldest supported sensor version. The course guide states that the default policy may appear as platform_default and is applied to hosts that do not have an assigned policy. Reference topics: Sensor Deployment, Sensor Update Policies, Default Policy, Host Group Policy Assignment.

The required upload format is TXT . Static host groups can be populated by selecting hosts in the console, manually entering hostnames or host IDs, or uploading a text file. Falcon supports adding hosts by host ID or hostname depending on whether the static group was created as “Static by host ID” or “Static by hostname.” The uploaded TXT file must contain only host IDs or only hostnames, with each entry separated by a new line. This method supports adding up to 1,000 hosts at a time, so uploading 500 servers is within the supported limit. XLSX, PDF, and JSON are not the documented upload formats for static host group membership. The course guide also notes that static groups are useful for controlled testing scenarios, such as validating a newly created sensor update policy against a specific set of hosts. Reference topics: Group Creation, Static Host Groups, Upload Hosts, Host ID and Hostname Assignment.

The additional option used to refine an Event trigger is a Condition . An Event trigger starts the workflow when a selected type of Falcon event occurs, but conditions narrow execution to events that match specific criteria. For example, a workflow may trigger on EPP detections but continue only when severity is high, hostname matches a test system, or platform equals Windows. Parameter, operator, and value are components of a condition, but “parameter” alone is not the workflow refinement object. Filter and Trigger Details are not the correct CCFA term for this workflow refinement step. Fusion SOAR design relies on conditions to prevent overly broad automation and to ensure response actions apply only to intended events.

The default user role that can manage API credentials is Falcon Administrator . Falcon’s role-permission matrix shows “Manage API credentials” enabled for Falcon Administrator and not enabled for the other listed roles. Falcon Administrator is the broad administrative role that can access nearly all console functionality, with the notable exception that Real Time Response still requires dedicated RTR roles. Managing API credentials is a high-risk administrative function because API clients and secrets can be used by integrations, scripts, and external systems to access Falcon APIs according to assigned scopes. Therefore, Falcon restricts this capability to administrative authority rather than operational roles such as Falcon Security Lead or Endpoint Manager. Falcon Security Lead can manage detections, quarantined files, containment, event searches, and credential resets, but it cannot manage users, roles, or API credentials. “Falcon API Manager” is not the default role presented in the official role model. Reference topics: User Management, Default Roles, API Clients and Keys, Role-Based Access Control.

The correct setting is Moderate Level ML . Falcon’s prevention policy guidance recommends Moderate for most use cases, and the staged deployment model for environments with pre-existing antivirus begins with Phase 1, where machine-learning prevention is conservative while detection is used to triage and tune. The important CCFA concept is not to begin with Extra Aggressive or Aggressive prevention on a newly deployed host with another antivirus product, because that increases false-positive and compatibility risk. Cautious detects only when confidence is very high, but Falcon’s recommended baseline for practical protection is Moderate. The course guide states that Moderate detects or prevents when the machine-learning system has moderate confidence and is recommended for most use cases, while Extra Aggressive is not recommended outside penetration testing scenarios.

Custom IOA rules are designed to detect behavior, not simply static files. Falcon’s core prevention model distinguishes between Indicators of Compromise, which are often file/hash/domain/IP based, and Indicators of Attack, which describe behavioral patterns associated with suspicious or malicious activity. Custom IOAs allow administrators to define organization-specific behavioral detections, such as process creation, file creation, network connection, or command-line behavior. They are especially useful when the activity may not be universally malicious but is unwanted or suspicious in a specific environment. Blocking known malware is more closely aligned with IOC management or machine-learning prevention. System updates and network settings are unrelated to custom IOA rule intent. The course guide describes custom IOAs as a way to gain visibility into activity Falcon does not otherwise detect and optionally block or kill that behavior.