CCFA-200b Exam Dumps - CrowdStrike Falcon Certification Program

Because the alert is triggering on a specific Falcon IOA, the correct remediation is to create an IOA exclusion scoped to the relevant file path or behavior. IOA exclusions are specifically intended to reduce false-positive behavioral detections and preventions. A generic file exclusion may be too broad or may not suppress the behavioral IOA. A Custom IOC Allow is more appropriate for hash or indicator-based decisions, not a behavior-based detection. Creating a separate host group with a less restrictive policy weakens protection across development systems and is unnecessarily broad. CCFA guidance favors the narrowest effective exception, applied to the specific detection logic and path involved. Therefore, an IOA exclusion is the correct administrative control.

The correct administrative action is to add the architect’s email address to the managed recipient list for standard incident and detection notification emails in General settings. Falcon standard notification behavior already matches the stated requirement: CrowdStrike sends email notifications for detections with severity of medium or higher and sends incident notifications when a new incident reaches a CrowdScore of 1.0 or higher. The recipient list is managed from Support and resources > Resource and tools > General settings under “Manage list for detection and incident emails.” Creating a Falcon user or assigning a custom role does not automatically subscribe the architect to these standard email notifications. A Fusion SOAR workflow could send email, but it is unnecessary because the native notification mechanism already exists and is designed for this use case. The Detections and Exceptions Manager role controls exception management, not notification enrollment. CCFA reference topics: Falcon Notifications, General Settings, Standard Incident and Detection Notification Emails, Dashboards and Reports.

The correct retention period is 45 days . In Falcon Host Management, a host becomes inactive when its sensor no longer sends heartbeat communication back to the CrowdStrike cloud. Inactive status is identified by the host’s Last Seen timestamp, allowing administrators to determine when the endpoint last communicated. Falcon automatically removes hosts that remain inactive for more than 45 days from both the Host Management page and the Trash page. This behavior prevents stale endpoint records from remaining indefinitely in the operational console while still giving administrators time to review, delete, restore, or investigate host records before they age out. The 60-day, 75-day, and 90-day options do not match the documented Falcon host lifecycle. This topic belongs to Host Management and Setup, specifically inactive host cleanup, deleted host handling, Trash retention, and endpoint lifecycle management.

The correct answer is to implement a Sensor Visibility Exclusion on the particular host. An SVE suppresses visibility for specified activity so that known, approved testing does not flood the Falcon console with detections or events that leadership does not need to track. This is more targeted than disabling all detections on a host and more appropriate than generating additional workflow notifications. Using RTR to kill the process would interfere with the authorized penetration test. Temporarily disabling detections may remove existing detections and suppress all detection reporting from that host, which is broader and riskier than applying a scoped exclusion. CCFA exclusion guidance stresses selecting the narrowest exclusion type that matches the operational requirement while preserving meaningful security visibility elsewhere.

Fusion SOAR workflow imports use YAML format. YAML is commonly used for declarative workflow definitions because it is human-readable while still preserving structured configuration such as triggers, conditions, actions, branches, and parameters. CSV is a tabular format and cannot represent workflow logic reliably. JSON is structured but is not the expected import format in this context. “SOAR” is a functional category, not a file format. When workflow imports fail, administrators should validate the file structure, indentation, required fields, and supported action/trigger references in the YAML file. The CCFA workflow topic emphasizes that native Falcon automation must match the supported Fusion SOAR workflow structure to import and execute successfully.

IP addresses are added to a containment policy to allow contained hosts to communicate with specific trusted resources during network containment. Network containment isolates the host to reduce attacker movement while maintaining required Falcon cloud communication. Organizations may need contained hosts to access patch servers, update sources, remediation infrastructure, domain services, or other tightly controlled internal systems. The purpose is not to automate containment based on IP address; automation is handled through workflows. Analyst permissions are controlled by user roles, not containment policy IP entries. Falcon console access is unrelated because containment policy applies to endpoint network communication, not administrative access to the web console. The course guide explicitly connects containment-policy IP allowances with patching and controlled access during containment.