CCFA-200b Exam Dumps - CrowdStrike Falcon Certification Program

The correct page is Sensor Health . The Sensor Health dashboard is designed to show Falcon sensor operational status across the environment and help administrators identify hosts running unsupported sensor versions, unsupported operating system versions, incorrect configurations, connectivity problems, and RFM conditions. The official guidance states that the Sensor Health dashboard includes information about “hosts that entered RFM each day” and clarifies that this shows hosts newly entering Reduced Functionality Mode, not the total number of hosts currently in RFM. This distinction matters because Sensor Health is used to track newly emerging sensor health issues over time, while Host Management can be used to filter for the current list of hosts in RFM. Hosts Overview and Activity Overview do not provide this specific daily RFM count. Support and resources is a navigation area, not the sensor health reporting dashboard. Reference topics: Dashboards and Reports, Sensor Health Dashboard, Reduced Functionality Mode, Sensor Operational Status.

The configuration is applied in the Containment Policy . Network containment restricts endpoint network activity to isolate a potentially compromised host, but Falcon allows administrators to define specific IP addresses that contained hosts may still communicate with. The official guidance states that on the Containment Policy page, administrators can allow IP addresses over which hosts will always be permitted to communicate, even when contained. This is commonly used for tightly controlled resources such as patching systems, remediation infrastructure, or other trusted internal services needed during response. IP Allowlist Management is different: it controls which source IP addresses may access the Falcon console or API, not which destinations a contained host may reach. Response Policies control Real Time Response command permissions, and Maintenance Tokens relate to sensor uninstall or maintenance operations. Therefore, the correct CCFA topic alignment is Policy Application, specifically Network Containment and Containment Policy configuration.

The primary purpose of Falcon audit logs is to track configuration and administrative changes . Audit logs provide accountability by showing what changed, who made the change, and when it occurred. Examples include policy creation, updates, deletions, role changes, user management actions, IP allowlist changes, and other administrative activity. Tracing file changes is the purpose of file integrity monitoring tools such as Falcon FileVantage, not the general Falcon audit log. Monitoring system performance is handled through sensor health, host status, and operational telemetry rather than audit logs. CCFA emphasizes audit logs as an administrative governance and investigation tool that supports accountability, change review, and security operations oversight.

Hosts that have been offline for ten minutes or longer can be found in Host Management . Host Management provides operational host state, including whether a host is online, offline, contained, inactive, or in Reduced Functionality Mode. The ten-minute threshold is associated with the console’s host online/offline status behavior. Sensor Coverage Dashboard is useful for higher-level deployment coverage analysis, but Host Management is the direct place to find and filter host state. Host Groups are used to organize hosts and assign policies, not primarily to identify current connectivity state. The CCFA Host Management topic focuses on using the Host Management page to search, filter, and act on endpoints based on current sensor status and host attributes.

The correct approach is to create a custom IOA rule that monitors process creation matching .*\\remote\.exe. The goal is to generate a detection for review when an authorized remote access executable runs. Custom IOAs are specifically suited for detecting organization-specific behaviors, including process creation based on executable path or command-line patterns. An exclusion would suppress detections, not create them. A scheduled search may find process events after the fact, but it does not create a Falcon detection in the same way a custom IOA does. An IOC for remote.exe would be less precise unless based on a hash and would not express the behavioral “process creation” condition. The course guide identifies custom IOA process creation rules as the correct tool for this use case.

Sensor Update policies are platform-specific, meaning separate policies exist for Windows, Mac, and Linux sensors. The official Sensor Update Policies guidance states that administrators use these policies to control the update process for sensors on hosts, and that each host is assigned to a sensor policy based on host group membership. It then specifies that there are separate sensor update policies for separate platforms: Windows, Mac, and Linux. Therefore, a single sensor update policy cannot be universally applied across all operating systems. Windows does not share update policies with macOS, and macOS does not share update policies with Linux. Linux kernel compatibility is an important deployment consideration, but it does not mean Windows and Mac share one policy family while Linux alone has a different model. The correct CCFA principle is that sensor update management is performed per supported platform, then targeted to host groups within that platform. Reference topics: Sensor Deployment, Sensor Update Policies, platform-specific sensor management, host group policy assignment.

Falcon quarantine is enabled through Prevention policy settings . Specifically, administrators configure Next-Gen Antivirus settings, prevention sliders, and the quarantine-related controls within the prevention policy assigned to the host. General Settings are used for tenant-wide administrative settings such as RTR MFA, not endpoint file quarantine behavior. Manual file deletion is not Falcon quarantine and lacks the controlled evidence-preserving workflow of a security product. System restore is an operating system recovery feature and is unrelated to Falcon policy enforcement. The course guide frames quarantine as part of the prevention policy stack: Falcon must first detect and prevent a malicious file, then the policy determines whether the file is quarantined on the host.

The correct troubleshooting step is to check the CrowdStrike Windows Sensor log file for errors. Falcon sensor uninstall and maintenance operations are protected processes, especially when uninstall protection or tamper protection is enabled. Force-stopping services or deleting directories manually can damage the installation, leave drivers or services in an inconsistent state, and complicate remediation. Rebooting may be necessary in some cases, but it should not be the first diagnostic action when the uninstall appears stuck. The Windows sensor deployment guidance directs administrators to review sensor logs when installation, connection, or uninstall behavior is abnormal. Logs provide the error context needed to determine whether the issue is a token, policy, service dependency, installer state, or connectivity problem.