Pass the CrowdStrike Falcon Certification Program CCFA-200b Questions and answers with Dumpstech

The Machine-Learning Prevention report is used to evaluate what Falcon would have blocked under different machine-learning prevention levels. The official reporting guidance describes Machine Learning Prevention as a report that lets administrators “view malware that would have been blocked in your environment during the last 30 days based on different Machine Learning Prevention settings,” including Cautious, Moderate, or Aggressive levels. This makes option C the precise answer. The report is not the quarantine management dashboard; quarantined files are reviewed and released from the Quarantined Files area. It is also not primarily a spike-analysis dashboard for active attacks, although unusual volume may support investigation. Option D is close in theme but inaccurate because the purpose is not to summarize aggressiveness settings and actual quarantine totals; it is to model prevention impact across ML settings. Reference topics: Dashboards and Reports, Machine Learning Prevention report, prevention policy tuning, ML prevention levels.

A custom IOA rule is not fully functional until its rule group is assigned to a prevention policy . Custom IOAs are created inside rule groups, and those groups must be enabled. However, Falcon applies custom IOA rule groups to endpoints through prevention policies. If the rule and rule group are enabled but not assigned to a prevention policy that applies to the target hosts, the rule will not trigger detections. There is no requirement to manually trigger the rule, and hosts are not individually selected as the primary application method. Host targeting occurs through prevention policy assignment to host groups. The CCFA guide explicitly states that rule and group enablement alone is insufficient without prevention policy assignment.

In addition to host group assignment, prevention policies can have Custom IOA Rule Groups assigned to them. This is how custom IOA rules become active for hosts covered by a prevention policy. Host groups determine which endpoints receive the policy, while assigned Custom IOA Rule Groups determine which custom behavioral detections are included in that policy. Operating System Groups and Machine Learning Groups are not assignable group objects in this context. Custom IOC Groups are not the policy-assignment mechanism described here; custom IOCs are managed through IOC Management with actions such as detect, allow, or block. The CCFA rule configuration model requires administrators to understand that custom IOA rule groups are attached to prevention policies before they can trigger detections.

The correct method is to use IOC Management , add the hashes as custom IOCs, set the action to Block , and ensure the applicable prevention policy has Custom Blocking enabled under Execution Blocking. Hash-based blocking is an IOC Management function. Prevention policies do not create “IOC Policies” in the way the distractors describe; instead, prevention policies must include the setting that enforces custom blocking. Setting hashes to Block without enabling the relevant policy capability may fail to enforce the intended behavior on hosts. The CCFA rule configuration and policy application topics emphasize that IOC Management defines the custom indicators and actions, while prevention policy settings determine whether those actions are enforced on endpoints.

The correct report is the Sensor Report . Falcon’s Sensors reporting area contains reports used by administrators to manage sensor deployment and coverage. The Sensor Report provides an overview of active sensors in the environment and is the correct high-level view for reviewing sensor deployment posture. It supports operational review of host-related attributes such as platform, operating system information, device or host type, domain, and sensor version, making it useful for quickly understanding sensor coverage and endpoint distribution. The Sensor Policy Daily Report is different: it is used to review groups and policies assigned to a host and is updated once per day, so it is not the best answer for a filterable environment-wide sensor overview. “Sensor Status Report” and “Sensor Overview Report” are not the named report options in the official report list. Reference topics: Dashboards and Reports, Sensors Reports, Sensor Report, Sensor Policy Daily Report.

The Default Sensor Policy is the fallback policy that applies when a host is not matched to another assigned sensor policy. Falcon policy assignment is driven by host group membership and policy precedence. If a host belongs to a group that has an assigned policy, Falcon applies the highest-precedence applicable policy. If the host is not part of any group, or if its groups do not have a policy assigned, Falcon automatically applies the default policy. This ensures every sensor has an update policy path and avoids unmanaged update behavior. The default policy is not a test mechanism, does not reset all settings, and is not intended to deploy the oldest supported sensor version. The course guide states that the default policy may appear as platform_default and is applied to hosts that do not have an assigned policy. Reference topics: Sensor Deployment, Sensor Update Policies, Default Policy, Host Group Policy Assignment.

The required role is Real Time Response - Administrator . RTR Administrator can create custom scripts, upload files for the put command, and perform higher-risk RTR operations that are not available to Active Responders. Active Responder can execute certain response actions and retrieve files, but it does not provide full script management capability. Workflow Author relates to Fusion SOAR workflows, not RTR script creation and sharing. Falcon Scripts Manager is not the correct default role in this context. The CCFA RTR topic separates roles into Read Only Analyst, Active Responder, and Administrator. Building, saving, and sharing custom scripts requires the administrative RTR capability, so RTR Administrator is the correct least role for that task.

The correct choice is to create a dynamic group with assignment criteria set to OS Version = Windows 10 . Dynamic host groups automatically add hosts when they match the assignment rule and automatically remove hosts when they no longer match. This is the correct group type when the requirement is to continuously include all applicable hosts across the environment without manual maintenance. Falcon’s host group documentation states that dynamic groups can use attributes such as grouping tags, IP/CIDR range, OS version, Active Directory OU, and hostname prefix or suffix, and that matching hosts are automatically added. Static groups would require manually adding each Windows 10 host and would not automatically include newly deployed Windows 10 systems. OS Type Workstation is also insufficient because it identifies a device type, not a specific operating system version. Reference topics: Group Creation, Dynamic Host Groups, Assignment Rules, OS Version Filtering.

The correct setting is Moderate Level ML . Falcon’s prevention policy guidance recommends Moderate for most use cases, and the staged deployment model for environments with pre-existing antivirus begins with Phase 1, where machine-learning prevention is conservative while detection is used to triage and tune. The important CCFA concept is not to begin with Extra Aggressive or Aggressive prevention on a newly deployed host with another antivirus product, because that increases false-positive and compatibility risk. Cautious detects only when confidence is very high, but Falcon’s recommended baseline for practical protection is Moderate. The course guide states that Moderate detects or prevents when the machine-learning system has moderate confidence and is recommended for most use cases, while Extra Aggressive is not recommended outside penetration testing scenarios.

The Real Time Response audit log records operational details about RTR sessions, including who connected, which host was accessed, when the session began, how long it lasted, which commands were run, and files retrieved through RTR activity. The course guidance describes the RTR sessions audit log as a history of recorded activity for the CID’s Real Time Response sessions. It includes session start time, session status, user, hostname, connected-from source, commands used, and session duration. Session details also include host details, retrieved files, and detections, with command history subject to specific exclusions such as help, clear, and history, which are not recorded. Option A describes host inventory and policy context rather than RTR session auditing. Option B is incomplete and emphasizes command return results, which is not the core listed audit-log summary. Option D is incorrect because RTR activity is explicitly collected in audit logs. CCFA reference topics: Real Time Response, RTR Audit Logs, Session Details, Host Management and Setup.