Pass the CrowdStrike Falcon Certification Program CCFA-200b Questions and answers with ExamsMirror

To quarantine files, Falcon requires the relevant Next-Gen Antivirus prevention capability and the quarantine setting. The correct pairing is Next-Gen Antivirus Prevention sliders with Quarantine & Security Center Registration . Quarantine does not operate independently; Falcon must first prevent the file through NGAV-related controls such as cloud or sensor machine-learning prevention. Once prevention occurs, the quarantine setting governs whether the prevented executable is quarantined on the host. Custom Execution Blocking is related to IOC-based blocking, not the general NGAV quarantine requirement. “Advanced Remediation Actions” and an “Aggressive quarantine level” are not the documented configuration pair. The course guide identifies quarantine under Next-Gen Antivirus and ties it to prevention-level configuration and Security Center registration.

The most stable automatic update setting is Auto-N-2 . Falcon sensor update policy options allow administrators to choose how aggressively hosts receive new sensor builds. Auto-Latest provides the newest version fastest, while Auto-N-1 lags one version behind. Auto-N-2 lags further behind and is therefore the most conservative automatic option because the build has had more time in the field before broad adoption. A pinned version can be stable temporarily, but it is not an automatic update level and can become outdated if not managed carefully. The course guide notes that Auto-N-1 and Auto-N-2 remain on known stable sensor versions and are designed to reduce update risk compared with latest-version deployment.

A sensor with no applicable custom host group assignment receives the Default policy . Sensor update policies follow the same basic host group and precedence pattern used throughout Falcon policy management. If a host is included in a group assigned to a higher-precedence sensor update policy, that policy applies. If it does not match any assigned custom policy, Falcon falls back to the default sensor update policy. The top-precedence policy only applies when the host belongs to a host group assigned to that policy. Auto N-1 is a possible version-selection strategy within a policy, not the automatic fallback policy assignment. This is why the course emphasizes reviewing default policy settings carefully before broad deployment.

Falcon supports standard IP address and CIDR-based notation when defining or searching network address ranges. CIDR notation represents an address and prefix length, such as 192.168.5.1/24, and is the correct structured format among the choices. The other answer choices contain malformed spacing, invalid separators, or unsupported range syntax. Falcon documentation specifically identifies CIDR notation as an accepted method for defining IP ranges, while also noting that single IP addresses and defined ranges may be used depending on the feature. In Host Management and related policy configuration areas, using valid address notation is critical because malformed IP syntax will either be rejected or fail to match hosts correctly. The correct answer is therefore the CIDR-formatted option, not the informal or incorrectly spaced alternatives.

Network containment isolates a host from normal network communication to prevent lateral movement and attacker-controlled access. By default, a contained host cannot reach patching infrastructure, so operating system patch jobs fail unless specific exceptions are added. The Falcon configuration point for this is the Containment Policy , where administrators allowlist specific IP addresses that contained hosts may continue to communicate with. The official guidance states that to install patches on network-contained hosts, administrators must add the IP address of the Windows Update source or patching source to the environment’s containment policy. FQDN allowlisting is not the correct answer in this context; the supported containment exception is IP-based. Removing containment would restore connectivity but would also eliminate the protective isolation during a zero-day remediation scenario. Firewall Policy is not the control that governs Falcon network containment exceptions. Reference topics: Network Containment, Containment Policy, Patch Windows Hosts, Policy Application.

Windows hosts commonly enter Reduced Functionality Mode when the Windows kernel changes and CrowdStrike has not yet certified that kernel for full sensor operation. This can happen after Microsoft updates. RFM is a protective mode that prevents compatibility problems while allowing the sensor to continue operating at reduced capacity. Loss of internet connectivity may affect cloud communication but does not by itself place the sensor in RFM. Network containment restricts network traffic but is unrelated to kernel compatibility. A sensor update policy issue could cause version drift, but RFM specifically relates to kernel support and sensor compatibility. The course guide explains that Windows RFM is most commonly tied to Microsoft updates and kernel certification status.

Hosts that have been offline for ten minutes or longer can be found in Host Management . Host Management provides operational host state, including whether a host is online, offline, contained, inactive, or in Reduced Functionality Mode. The ten-minute threshold is associated with the console’s host online/offline status behavior. Sensor Coverage Dashboard is useful for higher-level deployment coverage analysis, but Host Management is the direct place to find and filter host state. Host Groups are used to organize hosts and assign policies, not primarily to identify current connectivity state. The CCFA Host Management topic focuses on using the Host Management page to search, filter, and act on endpoints based on current sensor status and host attributes.

Falcon user accounts must be created using an email address from the approved domains configured for the CID. This ensures that account creation is limited to authorized organizational identity domains and reduces the risk of adding unauthorized external users. New users are not automatically assigned the Falcon Analyst role by default; roles must be assigned according to operational need. Employee identification numbers and domain-number prefixes are not Falcon account requirements. The CCFA user management topic emphasizes identity governance, approved domains, role assignment, and least privilege. Falcon Administrators create users, assign appropriate roles, and ensure that access aligns with approved organizational identity controls. Therefore, the approved-domain email requirement is the correct statement.

The likely cause is that the laptop is not a member of a host group assigned to the custom prevention policy. Falcon policies are applied through host group membership and policy precedence. A policy must be enabled and assigned to one or more host groups; Falcon then applies the policy settings to hosts based on their group membership. If a host is not in any group assigned to an enabled custom policy, it automatically receives the Default Policy. Since the custom policy is already enabled and successfully running on more than 1,000 other hosts, the policy itself is functioning correctly. The issue is therefore not sensor health, firewall connectivity, or a manual prompt. Falcon does not require a 24-hour waiting period before applying custom policies to newly installed hosts, and administrators do not manually approve policy application on the endpoint through a local prompt. The resolution is to verify the laptop’s group membership, dynamic group criteria, tags, OU, hostname pattern, or other assignment rule used by the custom policy’s host group. Reference topics: Policy Application, host group membership, default policy fallback, prevention policy assignment.

The correct answer is to implement a Sensor Visibility Exclusion on the particular host. An SVE suppresses visibility for specified activity so that known, approved testing does not flood the Falcon console with detections or events that leadership does not need to track. This is more targeted than disabling all detections on a host and more appropriate than generating additional workflow notifications. Using RTR to kill the process would interfere with the authorized penetration test. Temporarily disabling detections may remove existing detections and suppress all detection reporting from that host, which is broader and riskier than applying a scoped exclusion. CCFA exclusion guidance stresses selecting the narrowest exclusion type that matches the operational requirement while preserving meaningful security visibility elsewhere.