Pass the CrowdStrike Falcon Certification Program CCFA-200b Questions and answers with ExamsMirror

The correct parameter is VDI=true. In virtual desktop or cloned virtual machine scenarios, Falcon must avoid duplicate Agent IDs across clones. Persistent clone workflows require sensor installation to be performed with the correct VDI parameter so that each cloned endpoint registers properly and receives a unique identity. ProvNoWait=1 is used for provisioning-timeout behavior and does not address duplicate Agent IDs. NO_START=1 is used in some deployment contexts to delay sensor start but is not the VDI identity control. VM=True is not the documented Falcon parameter. CCFA sensor deployment guidance treats VDI and golden-image preparation as a distinct deployment pattern because cloning a sensor incorrectly can duplicate identity and corrupt host tracking, policy assignment, and detection attribution.

The new sensor update policy must be enabled and placed at a higher precedence than the broader policy assigned to all Windows servers. Falcon policy resolution is precedence-based when a host belongs to multiple host groups. In this scenario, each test Windows server belongs to both groups: the narrow “test Windows servers” group and the broad “all Windows servers” group. If the test policy has lower precedence, the broader Windows server policy wins and the test servers will not receive the new sensor update configuration. Falcon policy precedence uses ranking order where precedence 1 is higher than precedence 2, and the highest-ranking applicable policy becomes active on the host. This allows safe staged testing by making the narrow pilot policy outrank the general production policy while affecting only hosts in the test group. Manual installation or uninstallation is not required and would bypass Falcon’s managed sensor update workflow. Reference topics: Sensor Deployment, Sensor Update Policies, Host Groups, Policy Precedence.

The correct choice is to create a dynamic group with assignment criteria set to OS Version = Windows 10 . Dynamic host groups automatically add hosts when they match the assignment rule and automatically remove hosts when they no longer match. This is the correct group type when the requirement is to continuously include all applicable hosts across the environment without manual maintenance. Falcon’s host group documentation states that dynamic groups can use attributes such as grouping tags, IP/CIDR range, OS version, Active Directory OU, and hostname prefix or suffix, and that matching hosts are automatically added. Static groups would require manually adding each Windows 10 host and would not automatically include newly deployed Windows 10 systems. OS Type Workstation is also insufficient because it identifies a device type, not a specific operating system version. Reference topics: Group Creation, Dynamic Host Groups, Assignment Rules, OS Version Filtering.

The correct action is to temporarily disable detections for the server in Host Management and re-enable them after the penetration test is complete. Falcon’s Disable Detections function is specifically useful for test hosts when administrators want to prevent test detections from cluttering the Endpoint detections console. When detections are disabled, detections for that host are removed from the console immediately, and no new detections from that host display until detections are enabled again. This does not uninstall the sensor, and the sensor continues to operate normally with prevention policies, custom IOA rules, exclusion rules, and other controls still processed. Creating a workflow to email the SOC would increase noise rather than reduce it. Permanently disabling detections creates unnecessary long-term blind spots. Deleting detections and containing the server is also inappropriate because the activity is authorized testing, not necessarily an incident requiring containment. Reference topics: Host Management, Disable Detections, endpoint detection suppression, penetration test handling.

Falcon uses role-based access control. Permissions are enabled inside roles, and then those roles are assigned to users. This allows administrators to apply least privilege by creating roles that contain only the specific permissions required for a task or module. Users do not receive all permissions by default, and permissions are not generally assigned one-by-one directly to users as a primary model. The role defines what actions can be performed, such as managing users, editing policies, creating exclusions, managing custom IOAs, or using RTR capabilities. The course guide explains that custom roles are built by enabling the required permission groups and disabling unrelated permissions. This supports operational separation of duties and auditability.

When an API client is created in Falcon, the generated credential pair is the Client ID and Secret . These two values identify and authenticate the integration when it requests access to Falcon APIs. The official API client workflow directs administrators to go to Support and resources > Resources and tools > API clients and keys, create the API client, assign the required scopes, and then copy the client ID and secret from the API client created dialog. The secret must be stored securely because it is not visible again after the credential window is closed. Customer ID or CID is used for tenant and sensor-related identification, not API authentication. OAuth2 tokens are generated later by using the client ID and secret; they are not the initial credential pair. Reference topics: User Management, API clients and keys, OAuth2-based API authentication, third-party integration credentials.

A script interfacing with the Falcon platform typically uses API credentials, so the correct log is the API audit . Falcon UI audit logs track actions performed through the web console. RTR session audit logs track Real Time Response sessions and commands executed on hosts. Prevention policy debug is not the right audit source for platform API activity. When investigating scripted or automated access, administrators must determine which API client or credential performed the action, when it occurred, and what endpoint or operation was invoked. The CCFA user management and audit topics emphasize separating console user activity from API-driven activity so that administrative investigation maps to the correct telemetry source. API audit is therefore the correct answer.

The correct method is to enter multiple hostnames in the Hostname filter and separate each hostname with a comma. Host Management is designed to let administrators filter, search, and customize host views so they can quickly locate endpoints by attributes such as hostname, grouping tags, IP/CIDR range, operating system version, domain, and other host metadata. A single Hostname filter can accept multiple hostname values, and separating values with commas allows Falcon to treat them as multiple entries within that filter rather than requiring separate filters. Adding the same Hostname filter repeatedly is inefficient and can create unintended filter logic. A decimal is not a valid separator for hostname lists, and there is no separate “Multiple Hostnames” filter in the Host Management workflow. This topic belongs to Host Management and Setup, specifically Host Management filtering, search behavior, and multi-value filter usage.

After clicking Disable Detections for a host, detections for that host are removed from the console immediately, and new detections do not display going forward unless detections are re-enabled. This action suppresses console detection visibility for the host; it does not uninstall the sensor or stop the sensor from operating. Existing detection data remains available in Event Search, but it is removed from the Endpoint detections console view. This distinction is important: disabling detections affects detection display and DetectionSummaryEvent behavior, not all telemetry collection or prevention policy processing. The course guide contrasts this with deleting a host, where prior detections remain visible. For Disable Detections specifically, the immediate console effect is removal of detections.

Falcon quarantine is enabled through Prevention policy settings . Specifically, administrators configure Next-Gen Antivirus settings, prevention sliders, and the quarantine-related controls within the prevention policy assigned to the host. General Settings are used for tenant-wide administrative settings such as RTR MFA, not endpoint file quarantine behavior. Manual file deletion is not Falcon quarantine and lacks the controlled evidence-preserving workflow of a security product. System restore is an operating system recovery feature and is unrelated to Falcon policy enforcement. The course guide frames quarantine as part of the prevention policy stack: Falcon must first detect and prevent a malicious file, then the policy determines whether the file is quarantined on the host.