CCFA-200b CrowdStrike Falcon Certification Program Question and Answers

The required role is Real Time Response - Administrator . RTR Administrator can create custom scripts, upload files for the put command, and perform higher-risk RTR operations that are not available to Active Responders. Active Responder can execute certain response actions and retrieve files, but it does not provide full script management capability. Workflow Author relates to Fusion SOAR workflows, not RTR script creation and sharing. Falcon Scripts Manager is not the correct default role in this context. The CCFA RTR topic separates roles into Read Only Analyst, Active Responder, and Administrator. Building, saving, and sharing custom scripts requires the administrative RTR capability, so RTR Administrator is the correct least role for that task.

Manual macOS sensor installation requires approval for the Falcon system extension , Full Disk Access , and the network filter extension on supported macOS versions. Apple’s security model requires explicit authorization before endpoint security extensions and network content filtering components can load. Full Disk Access is required for the sensor to inspect protected filesystem locations and operate correctly. Omitting any one of these approvals can leave the sensor partially installed, unable to provide expected visibility, or unable to load required components. The course guide’s macOS deployment section identifies system extension approval and network filter authorization as required for Big Sur and later, and also states Full Disk Access must be granted for proper operation.

The likely cause is that the laptop is not a member of a host group assigned to the custom prevention policy. Falcon policies are applied through host group membership and policy precedence. A policy must be enabled and assigned to one or more host groups; Falcon then applies the policy settings to hosts based on their group membership. If a host is not in any group assigned to an enabled custom policy, it automatically receives the Default Policy. Since the custom policy is already enabled and successfully running on more than 1,000 other hosts, the policy itself is functioning correctly. The issue is therefore not sensor health, firewall connectivity, or a manual prompt. Falcon does not require a 24-hour waiting period before applying custom policies to newly installed hosts, and administrators do not manually approve policy application on the endpoint through a local prompt. The resolution is to verify the laptop’s group membership, dynamic group criteria, tags, OU, hostname pattern, or other assignment rule used by the custom policy’s host group. Reference topics: Policy Application, host group membership, default policy fallback, prevention policy assignment.

Sensor updates are managed through sensor update policies assigned to host groups. Falcon uses host group membership to determine which policy applies to a host. Sensor update policies control whether hosts remain pinned to a specific version, automatically update to a relative version such as Auto - N-1 or Auto - N-2, or receive specific maintenance protections. Prevention policies control security behavior, not sensor versioning. Manual updates do not scale and are not the Falcon administrative model for enforcing consistent versions across many endpoints. Direct installation is only the initial deployment mechanism, not ongoing update governance. The course guide emphasizes using host groups and sensor update policies to control sensor maintenance at scale across Windows, macOS, and Linux platforms.

The correct report is the Sensor Report . Falcon’s Sensors reporting area contains reports used by administrators to manage sensor deployment and coverage. The Sensor Report provides an overview of active sensors in the environment and is the correct high-level view for reviewing sensor deployment posture. It supports operational review of host-related attributes such as platform, operating system information, device or host type, domain, and sensor version, making it useful for quickly understanding sensor coverage and endpoint distribution. The Sensor Policy Daily Report is different: it is used to review groups and policies assigned to a host and is updated once per day, so it is not the best answer for a filterable environment-wide sensor overview. “Sensor Status Report” and “Sensor Overview Report” are not the named report options in the official report list. Reference topics: Dashboards and Reports, Sensors Reports, Sensor Report, Sensor Policy Daily Report.

The correct administrative action is to add the architect’s email address to the managed recipient list for standard incident and detection notification emails in General settings. Falcon standard notification behavior already matches the stated requirement: CrowdStrike sends email notifications for detections with severity of medium or higher and sends incident notifications when a new incident reaches a CrowdScore of 1.0 or higher. The recipient list is managed from Support and resources > Resource and tools > General settings under “Manage list for detection and incident emails.” Creating a Falcon user or assigning a custom role does not automatically subscribe the architect to these standard email notifications. A Fusion SOAR workflow could send email, but it is unnecessary because the native notification mechanism already exists and is designed for this use case. The Detections and Exceptions Manager role controls exception management, not notification enrollment. CCFA reference topics: Falcon Notifications, General Settings, Standard Incident and Detection Notification Emails, Dashboards and Reports.

The recommended approach is to minimize the number of groups while still meeting policy and operational requirements. Host groups are central to policy assignment, sensor updates, prevention tuning, containment workflows, and response policies. Excessive or overlapping groups make precedence difficult to reason about and increase the chance that hosts receive unexpected policies. Department-based or IP-only grouping may be useful in specific cases, but they should not be used indiscriminately. CCFA best practice is to design groups around clear policy intent, stable attributes, and operational need. Dynamic groups should be preferred when membership can be defined reliably by attributes such as OS, OU, tags, or host type. A smaller, well-governed group model is easier to audit and maintain.

The correct setting is Uninstall and Maintenance Protection . In Falcon, this control is configured inside Sensor Update Policies and is specifically designed to prevent unauthorized sensor removal or maintenance operations. The official guidance states that the “Uninstall and maintenance protection” setting prevents unauthorized uninstallation of the sensor and controls whether a local administrator can manually update or uninstall the sensor. When enabled, uninstalling, repairing, unloading, downgrading, or manually upgrading the sensor requires a valid maintenance token. For supported Windows sensor versions, this protection can also prevent unauthorized modification of sensor grouping tags, which helps stop users from moving endpoints into less restrictive policy assignments. The course guide recommends keeping this setting enabled for normal production policies and creating a separate temporary maintenance policy only when legitimate sensor changes are required. “Installation and Maintenance Protection,” “Sensor Version Control Protection,” and “Update and Management Protection” are not the official Falcon setting names. Reference topics: Sensor Deployment, Sensor Update Policies, Maintenance Tokens, Uninstall Protection.

The highest level of protection in the three-phase prevention policy model is Phase 3 . Falcon’s staged policy model allows organizations to begin with safer detection-focused settings, then progress toward stronger prevention as false positives are triaged and exclusions are tuned. Phase 1 is intended for initial deployment, especially when pre-existing antivirus or HIPS is present, and is more conservative. Phase 2 increases enforcement and aligns more closely with recommended protection. Phase 3 represents the fully realized best-practice posture with the highest protection level among the listed phases. CCFA policy application guidance emphasizes progressing through these phases deliberately, using detection review, allowlisting, exclusions, and change control before applying the most protective settings broadly.

Sensor Update policies are platform-specific, meaning separate policies exist for Windows, Mac, and Linux sensors. The official Sensor Update Policies guidance states that administrators use these policies to control the update process for sensors on hosts, and that each host is assigned to a sensor policy based on host group membership. It then specifies that there are separate sensor update policies for separate platforms: Windows, Mac, and Linux. Therefore, a single sensor update policy cannot be universally applied across all operating systems. Windows does not share update policies with macOS, and macOS does not share update policies with Linux. Linux kernel compatibility is an important deployment consideration, but it does not mean Windows and Mac share one policy family while Linux alone has a different model. The correct CCFA principle is that sensor update management is performed per supported platform, then targeted to host groups within that platform. Reference topics: Sensor Deployment, Sensor Update Policies, platform-specific sensor management, host group policy assignment.

The workflow must be tied to an Event trigger for EPP detections and refined with conditions that identify the pentest host, such as hostname or Agent ID. A workflow that assigns all EPP detections to yourself would be overly broad and would affect unrelated detections. The question asks for detections related to your pentest, which requires trigger refinement. Creating an alert is not the preferred Falcon Fusion automation path, and creating an IOC for the host is conceptually incorrect because IOCs represent indicators such as hashes, domains, IPs, or file names, not assignment logic. Fusion SOAR conditions use parameters, operators, and values to filter when a workflow should execute. Once matched, the workflow action can assign the detection to the appropriate analyst.

A Falcon Administrator role alone does not grant the ability to initiate a Real Time Response session. RTR access is controlled by dedicated Real Time Responder roles, and the course guidance is explicit that “you must have a Real Time Responder role to connect to a host” and that “the Falcon Administrator role doesn’t include access to Real Time Response.” The administrator must be assigned one of the RTR roles, such as Real Time Responder - Read Only Analyst, Active Responder, or Administrator, depending on the level of command access required. A logged-in user on the endpoint does not prevent RTR connection, and Falcon can also connect to hosts that are network contained as long as RTR requirements are met. Another analyst session may affect operational coordination, but it is not the primary cause in this scenario. The correct CCFA topic alignment is User Management and Real Time Response role assignment.

The most efficient dynamic grouping criterion is Type: Workstation . Host type is specifically intended to distinguish categories such as workstation, server, or domain controller. Using OU may work only if Active Directory structure is perfectly aligned and consistently maintained, which is not guaranteed. Grouping tags require prior tag assignment during installation or post-install configuration, adding administrative dependency. Platform Windows would include Windows servers and possibly other Windows systems that are not workstations. The CCFA group creation topic emphasizes using the most precise available host attribute for dynamic group membership. Since the desired group is all workstations, Type: Workstation directly maps to the requirement and avoids broader or manually dependent criteria.

Sensor health reporting provides current operational status of sensors. Its purpose is to help administrators identify whether sensors are online, offline, in reduced functionality, properly reporting, or otherwise in a state requiring attention. User login history belongs to account or identity-related telemetry, not sensor health. Local performance metrics may be relevant during troubleshooting but are not the primary sensor health report objective. Network traffic patterns are investigated through event search, network telemetry, or other dashboards, not basic sensor health. CCFA dashboards and reports topics emphasize using sensor health and sensor reports to monitor deployment status, operational readiness, sensor connectivity, and coverage across the environment so that administrators can quickly locate hosts requiring remediation.

The most likely reason the “Servers” host group is not available is that it is already assigned to another prevention policy. Falcon prevention policies are applied to hosts through host groups. When assigning host groups to a prevention policy, the console only presents groups that are currently available for assignment. The official prevention policy workflow states that after a host group is assigned to a policy, that host group no longer appears in the list of available groups. This prevents accidental duplicate assignment within the same policy assignment workflow and helps preserve predictable policy targeting. The group does not need to be disabled before assignment, and host type is not defined inside the prevention policy itself. The policy also does not need to be enabled before groups can be assigned; assignment can be configured before enabling the policy. Therefore, the unavailable “Servers” group indicates that it already has a prevention policy assignment. Reference topics: Policy Application, Prevention Policies, Assigned Host Groups, Host Group Policy Assignment.

A custom IOA rule is not fully functional until its rule group is assigned to a prevention policy . Custom IOAs are created inside rule groups, and those groups must be enabled. However, Falcon applies custom IOA rule groups to endpoints through prevention policies. If the rule and rule group are enabled but not assigned to a prevention policy that applies to the target hosts, the rule will not trigger detections. There is no requirement to manually trigger the rule, and hosts are not individually selected as the primary application method. Host targeting occurs through prevention policy assignment to host groups. The CCFA guide explicitly states that rule and group enablement alone is insufficient without prevention policy assignment.

The No Action option is assigned when an administrator wants to save the IOC for future use but does not want Falcon to take an enforcement or detection action at that time. In IOC Management, hash indicators can be assigned actions such as Block, Detect Only, Allow, or None/No Action. Block prevents the hash and can show it as a detection when the required prevention policy setting is enabled. Detect Only generates a detection but takes no prevention action. Allow adds the hash to the allowlist and suppresses detection for that indicator. No Action is different from all three: it retains the indicator in IOC Management without blocking it, allowing it, or generating a detection. This is useful when an indicator is being staged, tracked, reviewed, or retained for future activation after validation. It is not an allowlist or blocklist action. Reference topics: Rule Configuration, Custom IOCs, IOC Management Actions, Hash Indicator Handling.

In addition to host group assignment, prevention policies can have Custom IOA Rule Groups assigned to them. This is how custom IOA rules become active for hosts covered by a prevention policy. Host groups determine which endpoints receive the policy, while assigned Custom IOA Rule Groups determine which custom behavioral detections are included in that policy. Operating System Groups and Machine Learning Groups are not assignable group objects in this context. Custom IOC Groups are not the policy-assignment mechanism described here; custom IOCs are managed through IOC Management with actions such as detect, allow, or block. The CCFA rule configuration model requires administrators to understand that custom IOA rule groups are attached to prevention policies before they can trigger detections.

The correct action is to use the built-in Fusion SOAR OverWatch detection remediation and prioritization playbook. This playbook is specifically designed to automate response when Falcon OverWatch flags an endpoint detection. The documented workflow actions include setting the endpoint detection status to In Progress, containing the device where the detection occurred, adding associated identity and endpoint context to watchlists when applicable, and sending an email notification. This directly satisfies leadership’s requirement for immediate containment and notification of the appropriate internal staff. Emailing the OverWatch team is not the correct operational response because OverWatch has already generated the detection; the customer SOC or incident response team must be notified. Creating a new detection is also incorrect because the detection already exists. Blocking the detection is not a valid response action; containment is the host-level control. Reference topics: Fusion SOAR Playbooks, OverWatch Detection Remediation and Prioritization, Host Containment Automation.

The default role that allows viewing all analyst session details is Falcon Administrator . RTR-specific roles allow users to perform or view their own RTR activities according to their level, but the Falcon Administrator has broader administrative visibility across the CID, including all RTR session details. The RTR Administrator role has elevated RTR execution and script/file capabilities, but the course guide distinguishes complete administrative session visibility from RTR execution authority. Falcon Security Lead and RTR Read-Only Analyst do not provide all analyst session detail visibility. This separation is important because Falcon uses roles to distinguish operational response permissions from audit and administrative oversight. The correct default role for all-session visibility is Falcon Administrator.

Fusion SOAR workflow imports use YAML format. YAML is commonly used for declarative workflow definitions because it is human-readable while still preserving structured configuration such as triggers, conditions, actions, branches, and parameters. CSV is a tabular format and cannot represent workflow logic reliably. JSON is structured but is not the expected import format in this context. “SOAR” is a functional category, not a file format. When workflow imports fail, administrators should validate the file structure, indentation, required fields, and supported action/trigger references in the YAML file. The CCFA workflow topic emphasizes that native Falcon automation must match the supported Fusion SOAR workflow structure to import and execute successfully.

The default user role that can manage API credentials is Falcon Administrator . Falcon’s role-permission matrix shows “Manage API credentials” enabled for Falcon Administrator and not enabled for the other listed roles. Falcon Administrator is the broad administrative role that can access nearly all console functionality, with the notable exception that Real Time Response still requires dedicated RTR roles. Managing API credentials is a high-risk administrative function because API clients and secrets can be used by integrations, scripts, and external systems to access Falcon APIs according to assigned scopes. Therefore, Falcon restricts this capability to administrative authority rather than operational roles such as Falcon Security Lead or Endpoint Manager. Falcon Security Lead can manage detections, quarantined files, containment, event searches, and credential resets, but it cannot manage users, roles, or API credentials. “Falcon API Manager” is not the default role presented in the official role model. Reference topics: User Management, Default Roles, API Clients and Keys, Role-Based Access Control.

The likely restriction is that Custom Scripts is not enabled in the response policy. RTR permissions are controlled by both user role and response policy. An Active Responder can run certain custom scripts when the host’s response policy permits Custom Scripts. If that setting is disabled, the user may have the correct RTR role but still be blocked from executing the script on that host. Put-and-Run is associated with uploading and running executables and is broader than the custom-script control. Script-Based Execution Monitoring is a prevention visibility setting, not an RTR permission. RTR Administrator is required for creating custom scripts and some higher-risk actions, but an Active Responder can execute allowed custom scripts when policy permits.

The best approach is to create a dynamic group with an assignment rule that filters for the OU . Because the OU is expected to gain members over time, dynamic membership ensures that new hosts automatically enter the appropriate group when their Active Directory OU attribute matches the rule. Targeting only Windows 10 would be imprecise because it would include hosts outside the intended OU and miss non-Windows-10 systems in scope. Excluding the OU is the opposite of the requirement. CCFA group creation guidance emphasizes dynamic groups for membership that should follow changing attributes such as OU, OS version, platform, tags, or host type. This supports scalable policy and exclusion assignment without manual updates.

To quarantine files, Falcon requires the relevant Next-Gen Antivirus prevention capability and the quarantine setting. The correct pairing is Next-Gen Antivirus Prevention sliders with Quarantine & Security Center Registration . Quarantine does not operate independently; Falcon must first prevent the file through NGAV-related controls such as cloud or sensor machine-learning prevention. Once prevention occurs, the quarantine setting governs whether the prevented executable is quarantined on the host. Custom Execution Blocking is related to IOC-based blocking, not the general NGAV quarantine requirement. “Advanced Remediation Actions” and an “Aggressive quarantine level” are not the documented configuration pair. The course guide identifies quarantine under Next-Gen Antivirus and ties it to prevention-level configuration and Security Center registration.

The correct method is to enter multiple hostnames in the Hostname filter and separate each hostname with a comma. Host Management is designed to let administrators filter, search, and customize host views so they can quickly locate endpoints by attributes such as hostname, grouping tags, IP/CIDR range, operating system version, domain, and other host metadata. A single Hostname filter can accept multiple hostname values, and separating values with commas allows Falcon to treat them as multiple entries within that filter rather than requiring separate filters. Adding the same Hostname filter repeatedly is inefficient and can create unintended filter logic. A decimal is not a valid separator for hostname lists, and there is no separate “Multiple Hostnames” filter in the Host Management workflow. This topic belongs to Host Management and Setup, specifically Host Management filtering, search behavior, and multi-value filter usage.

The correct Windows prevention policy setting is Suspicious Scripts and Commands . This setting focuses on detecting suspicious or malicious script and shell command activity. It is aligned with Falcon’s behavioral detection model for activity occurring through interpreters and command shells, where adversaries commonly use PowerShell, command prompts, scripts, and living-off-the-land techniques. Script-based execution visibility increases visibility into script execution, but the question asks about monitoring shell contents for execution of malicious content, which maps to Suspicious Scripts and Commands. Enhanced exploitation visibility and additional user mode data visibility provide other telemetry and exploit-related coverage but are not the specific shell-content monitoring setting. CCFA prevention policy topics distinguish visibility settings from detection/prevention settings that identify suspicious command behavior.