Pass the CrowdStrike Falcon Certification Program CCFA-200b Questions and answers with Dumpstech

The least privilege role for extracting files with RTR is Real Time Responder - Active Responder . The Active Responder role includes the ability to use the get command to retrieve files from endpoints, along with additional response commands beyond read-only reconnaissance. The RTR Administrator role can also extract files, but it grants broader capabilities such as creating custom scripts, uploading files with put, and directly running executables, so it is not least privilege. Falcon Security Lead and Falcon Investigator are detection and investigation roles but do not provide the required RTR command authority by themselves. CCFA role design emphasizes giving users only the permissions needed to complete the task. For file extraction, Active Responder is sufficient and appropriately scoped.

Because the alert is triggering on a specific Falcon IOA, the correct remediation is to create an IOA exclusion scoped to the relevant file path or behavior. IOA exclusions are specifically intended to reduce false-positive behavioral detections and preventions. A generic file exclusion may be too broad or may not suppress the behavioral IOA. A Custom IOC Allow is more appropriate for hash or indicator-based decisions, not a behavior-based detection. Creating a separate host group with a less restrictive policy weakens protection across development systems and is unnecessarily broad. CCFA guidance favors the narrowest effective exception, applied to the specific detection logic and path involved. Therefore, an IOA exclusion is the correct administrative control.

The correct report is Machine Learning Prevention Monitoring . This report helps administrators understand how machine-learning policy levels affect detection and prevention volume. It is useful during policy tuning because Falcon machine-learning settings can be staged from detection-focused configurations to prevention-focused configurations. Administrators can use this data to estimate how many events would be detected or blocked at different ML aggressiveness levels and then adjust policies with fewer surprises. Falcon Prevention Policy Debug is not the reporting feature designed for this purpose, and the Prevention Policy Audit Trail tracks administrative changes rather than activity volume. The CCFA policy tuning model relies on measuring detection and prevention outcomes before increasing enforcement, especially during staged deployment phases.

The correct answer is to implement a Sensor Visibility Exclusion on the particular host. An SVE suppresses visibility for specified activity so that known, approved testing does not flood the Falcon console with detections or events that leadership does not need to track. This is more targeted than disabling all detections on a host and more appropriate than generating additional workflow notifications. Using RTR to kill the process would interfere with the authorized penetration test. Temporarily disabling detections may remove existing detections and suppress all detection reporting from that host, which is broader and riskier than applying a scoped exclusion. CCFA exclusion guidance stresses selecting the narrowest exclusion type that matches the operational requirement while preserving meaningful security visibility elsewhere.

After clicking Disable Detections for a host, detections for that host are removed from the console immediately, and new detections do not display going forward unless detections are re-enabled. This action suppresses console detection visibility for the host; it does not uninstall the sensor or stop the sensor from operating. Existing detection data remains available in Event Search, but it is removed from the Endpoint detections console view. This distinction is important: disabling detections affects detection display and DetectionSummaryEvent behavior, not all telemetry collection or prevention policy processing. The course guide contrasts this with deleting a host, where prior detections remain visible. For Disable Detections specifically, the immediate console effect is removal of detections.

Falcon supports standard IP address and CIDR-based notation when defining or searching network address ranges. CIDR notation represents an address and prefix length, such as 192.168.5.1/24, and is the correct structured format among the choices. The other answer choices contain malformed spacing, invalid separators, or unsupported range syntax. Falcon documentation specifically identifies CIDR notation as an accepted method for defining IP ranges, while also noting that single IP addresses and defined ranges may be used depending on the feature. In Host Management and related policy configuration areas, using valid address notation is critical because malformed IP syntax will either be rejected or fail to match hosts correctly. The correct answer is therefore the CIDR-formatted option, not the informal or incorrectly spaced alternatives.

Third-party integrations require an API Client and Secret Key . Falcon API access is configured by creating an API client with the required scopes, then securely storing the generated client ID and secret. The integration uses those credentials to request OAuth2 tokens and interact with the Falcon APIs according to the assigned scopes. An OAuth2 token is obtained after the client credentials are created; it is not the first credential combination generated. “Access Key and Secret Key” resembles cloud provider terminology, while “Integration Key and Customer ID” is not the standard Falcon API credential pair. The CCFA user and API management material emphasizes creating scoped API clients and protecting the secret because it is shown only at creation time.

Fusion SOAR workflows are built around the operational sequence of Trigger, Condition, and Action . The trigger defines the Falcon event or schedule that starts the workflow. The condition refines when the workflow should proceed by evaluating event attributes, such as severity, hostname, detection type, source, status, or other parameters. The action defines what Falcon should do after the trigger occurs and the condition is satisfied, such as assigning a detection, sending a notification, containing a host, creating a ticket, or running a response action. The official workflow guidance describes creating workflows by choosing a trigger, adding conditions to refine the trigger, and defining actions that run when the exact trigger conditions are met. Rule Type, Filter, and Objective are not the Fusion workflow execution structure. Those terms are more closely associated with detection logic or classification, not workflow automation. Reference topics: Fusion SOAR workflows, workflow triggers, workflow conditions, workflow actions.

Prevention policies are assigned through host group membership. Falcon uses host groups as the scalable policy-targeting mechanism for prevention, sensor update, response, containment-adjacent workflows, and other policy families. Administrators assign one or more host groups to a policy; hosts inherit the applicable policy according to group membership and policy precedence. Direct per-host policy assignment is not the normal Falcon model because it does not scale and bypasses group-based governance. IP ranges can be used as dynamic group criteria in some contexts, but the policy itself is still assigned to a host group, not directly to the IP range. Manual configuration on each endpoint is not used for Falcon cloud-managed prevention policy enforcement.

To quarantine files on the host, Falcon requires the relevant Next-Gen Antivirus prevention capability and Quarantine & Security Center Registration . Quarantine occurs after files are prevented by NGAV, so Falcon must first be configured to detect and prevent malicious executable content using the Next-Gen Antivirus prevention sliders, such as Cloud Machine Learning and Sensor Machine Learning prevention levels. The Quarantine & Security Center Registration setting then allows Falcon to quarantine executable files after NGAV prevention. On Windows workstations, enabling this setting also registers Falcon with Windows Security Center and can disable Microsoft Defender automatically. Malware Protection and Custom Execution Blocking relate to different prevention mechanisms, especially IOC-based blocking, but they are not the required pairing for NGAV quarantine. Behavior-Based Threat Prevention and Advanced Remediation Actions are also not the required quarantine configuration. Reference topics: Prevention Policy Settings, Next-Gen Antivirus, Quarantine, Quarantine & Security Center Registration.