CCFA-200b Exam Dumps - CrowdStrike Falcon Certification Program

The No Action option is assigned when an administrator wants to save the IOC for future use but does not want Falcon to take an enforcement or detection action at that time. In IOC Management, hash indicators can be assigned actions such as Block, Detect Only, Allow, or None/No Action. Block prevents the hash and can show it as a detection when the required prevention policy setting is enabled. Detect Only generates a detection but takes no prevention action. Allow adds the hash to the allowlist and suppresses detection for that indicator. No Action is different from all three: it retains the indicator in IOC Management without blocking it, allowing it, or generating a detection. This is useful when an indicator is being staged, tracked, reviewed, or retained for future activation after validation. It is not an allowlist or blocklist action. Reference topics: Rule Configuration, Custom IOCs, IOC Management Actions, Hash Indicator Handling.

The Default Sensor Policy is the fallback policy that applies when a host is not matched to another assigned sensor policy. Falcon policy assignment is driven by host group membership and policy precedence. If a host belongs to a group that has an assigned policy, Falcon applies the highest-precedence applicable policy. If the host is not part of any group, or if its groups do not have a policy assigned, Falcon automatically applies the default policy. This ensures every sensor has an update policy path and avoids unmanaged update behavior. The default policy is not a test mechanism, does not reset all settings, and is not intended to deploy the oldest supported sensor version. The course guide states that the default policy may appear as platform_default and is applied to hosts that do not have an assigned policy. Reference topics: Sensor Deployment, Sensor Update Policies, Default Policy, Host Group Policy Assignment.

The best approach is to create a dynamic group with an assignment rule that filters for the OU . Because the OU is expected to gain members over time, dynamic membership ensures that new hosts automatically enter the appropriate group when their Active Directory OU attribute matches the rule. Targeting only Windows 10 would be imprecise because it would include hosts outside the intended OU and miss non-Windows-10 systems in scope. Excluding the OU is the opposite of the requirement. CCFA group creation guidance emphasizes dynamic groups for membership that should follow changing attributes such as OU, OS version, platform, tags, or host type. This supports scalable policy and exclusion assignment without manual updates.

Manual macOS sensor installation requires approval for the Falcon system extension , Full Disk Access , and the network filter extension on supported macOS versions. Apple’s security model requires explicit authorization before endpoint security extensions and network content filtering components can load. Full Disk Access is required for the sensor to inspect protected filesystem locations and operate correctly. Omitting any one of these approvals can leave the sensor partially installed, unable to provide expected visibility, or unable to load required components. The course guide’s macOS deployment section identifies system extension approval and network filter authorization as required for Big Sur and later, and also states Full Disk Access must be granted for proper operation.

For a known false positive that is being blocked or quarantined, the best IOC action is Allow . In Falcon IOC Management, Allow is used to add known-good indicators to the allowlist so that Falcon does not continue treating them as malicious. Detect Only would continue generating visibility but would not necessarily resolve the operational disruption if the object is still being blocked by another setting. Prevent would explicitly block execution and is the opposite of the desired outcome. No action would leave the false positive unresolved. The CCFA policy and exclusions model emphasizes using the correct exclusion or allowlisting mechanism after validation. For hash-based or IOC-driven false positives, Allow is the direct remediation path.

The correct role is Falcon Security Lead. Falcon role guidance identifies Falcon Security Lead as a role that can manage detections, manage quarantined files, contain hosts, search events, reset user credentials, and view exclusions. Falcon Analyst – Read Only can view detections and exclusions but does not have management authority over quarantined files. Endpoint Manager is focused on sensor deployment, sensor configuration, update policies, and host group administration; it is not the role for quarantine management. Detections Exceptions Manager is associated with exception or exclusion-style administration, not quarantined file operations. Managing quarantined files includes operational actions such as reviewing quarantined items, releasing files, undoing releases, deleting quarantined files, and potentially downloading extracted files when permitted by configuration and role. Because quarantine actions can reintroduce files to endpoints or remove evidence, Falcon assigns this capability only to roles with sufficient security operations authority. Reference topics: User Management, Default Roles, Falcon Prevent Roles, Quarantined Files.

When a host is network contained, Falcon restricts network communication while still allowing connectivity required for Falcon cloud operations. To permit patching or operating system update workflows during containment, administrators should add the IP addresses of trusted update sources to the containment policy. This is safer than allowing all internal IPs, which would weaken containment and potentially permit lateral movement. Host Firewall policy is not the correct control for containment exceptions, because containment policy governs traffic allowed while a host is isolated. Removing containment entirely would restore network access but would defeat the containment objective. The course guide specifically notes that patching contained hosts requires adding the Windows Update or patch source IP addresses to the containment policy.

The additional option used to refine an Event trigger is a Condition . An Event trigger starts the workflow when a selected type of Falcon event occurs, but conditions narrow execution to events that match specific criteria. For example, a workflow may trigger on EPP detections but continue only when severity is high, hostname matches a test system, or platform equals Windows. Parameter, operator, and value are components of a condition, but “parameter” alone is not the workflow refinement object. Filter and Trigger Details are not the correct CCFA term for this workflow refinement step. Fusion SOAR design relies on conditions to prevent overly broad automation and to ensure response actions apply only to intended events.