Pass the CrowdStrike Falcon Certification Program CCFA-200b Questions and answers with Dumpstech

The best field to filter by for Domain Controllers is Type . In Host Management, the Type field identifies the host category, including desktop, server, or domain controller. This makes it the most direct and precise field for locating domain controllers before reviewing their sensor version information. Sensor Version is useful after the correct host population has been identified, but filtering by Sensor Version alone would group systems by Falcon sensor build, not by whether they are domain controllers. Platform filters by broad operating system family, such as Windows, macOS, or Linux, and OS Version filters by the installed operating system version, neither of which uniquely identifies domain controllers. The course guide’s host filter descriptions explicitly define Type as “Desktop, server or domain controller OS” and Sensor Version as the version of Falcon sensor installed on the host. Therefore, the correct workflow is to filter by Type = Domain Controller, then review or sort the Sensor Version field for those matching hosts. Reference topics: Host Management filters, host type, sensor version review.

To patch a network-contained host, create or update a Containment Policy that allowlists the specific IP addresses of the patch management or update sources. Containment blocks most network traffic by design, so update jobs fail unless the required update infrastructure is explicitly permitted. The course guide calls out IP addresses for Windows Update or update sources, not FQDN-based allowlisting, as the supported containment-policy exception method. Content update policies are unrelated to allowing host network traffic during containment. IP Allowlist Management controls administrative access to Falcon from specific source IPs; it does not permit contained endpoints to reach patch servers. Therefore, the containment policy must allow the patch infrastructure IPs.

A script interfacing with the Falcon platform typically uses API credentials, so the correct log is the API audit . Falcon UI audit logs track actions performed through the web console. RTR session audit logs track Real Time Response sessions and commands executed on hosts. Prevention policy debug is not the right audit source for platform API activity. When investigating scripted or automated access, administrators must determine which API client or credential performed the action, when it occurred, and what endpoint or operation was invoked. The CCFA user management and audit topics emphasize separating console user activity from API-driven activity so that administrative investigation maps to the correct telemetry source. API audit is therefore the correct answer.

The correct Windows prevention policy setting is Suspicious Scripts and Commands . This setting focuses on detecting suspicious or malicious script and shell command activity. It is aligned with Falcon’s behavioral detection model for activity occurring through interpreters and command shells, where adversaries commonly use PowerShell, command prompts, scripts, and living-off-the-land techniques. Script-based execution visibility increases visibility into script execution, but the question asks about monitoring shell contents for execution of malicious content, which maps to Suspicious Scripts and Commands. Enhanced exploitation visibility and additional user mode data visibility provide other telemetry and exploit-related coverage but are not the specific shell-content monitoring setting. CCFA prevention policy topics distinguish visibility settings from detection/prevention settings that identify suspicious command behavior.

The required upload format is TXT . Static host groups can be populated by selecting hosts in the console, manually entering hostnames or host IDs, or uploading a text file. Falcon supports adding hosts by host ID or hostname depending on whether the static group was created as “Static by host ID” or “Static by hostname.” The uploaded TXT file must contain only host IDs or only hostnames, with each entry separated by a new line. This method supports adding up to 1,000 hosts at a time, so uploading 500 servers is within the supported limit. XLSX, PDF, and JSON are not the documented upload formats for static host group membership. The course guide also notes that static groups are useful for controlled testing scenarios, such as validating a newly created sensor update policy against a specific set of hosts. Reference topics: Group Creation, Static Host Groups, Upload Hosts, Host ID and Hostname Assignment.

A Fusion SOAR workflow condition is built from a parameter , an operator , and a value . The parameter is the field being evaluated, such as severity, hostname, platform, status, or detection type. The operator defines the comparison, such as equals, contains, is in, or is greater than. The value is the target value used in the comparison. This structure allows a workflow to start from a broad event trigger and then narrow execution to only the events that match the desired criteria. Alert, action, schedule, trigger, and source are workflow concepts, but they are not the three required components of a condition. The CCFA workflow model uses conditions to refine and control automation safely.

Inactive hosts are automatically removed from Host Management after 45 days of inactivity. Falcon considers hosts inactive when they have not reported to the cloud within the relevant timeframe. The Inactive Sensors reporting area is used to identify sensors that have not checked in, and the course guide notes that sensors inactive for more than 45 days are deleted from the active host view. This lifecycle behavior keeps Host Management from accumulating stale endpoint records indefinitely. Thirty days is too short for the default automatic removal period, and ninety days is longer than the documented default. Administrators should review inactive sensors regularly to identify decommissioned systems, connectivity problems, or deployment coverage gaps before records age out.

The most efficient dynamic grouping criterion is Type: Workstation . Host type is specifically intended to distinguish categories such as workstation, server, or domain controller. Using OU may work only if Active Directory structure is perfectly aligned and consistently maintained, which is not guaranteed. Grouping tags require prior tag assignment during installation or post-install configuration, adding administrative dependency. Platform Windows would include Windows servers and possibly other Windows systems that are not workstations. The CCFA group creation topic emphasizes using the most precise available host attribute for dynamic group membership. Since the desired group is all workstations, Type: Workstation directly maps to the requirement and avoids broader or manually dependent criteria.

When a Linux sensor enters RFM, it stops processing both events and detections, but it continues sending basic status information such as SensorHeartBeat events to indicate that the sensor is installed. Linux RFM is more restrictive than Windows RFM. On Windows, the sensor may still monitor and report at reduced capacity, but on Linux, unsupported kernel or user-mode requirements can result in no detections or process events. The course guide explains that Linux sensors in RFM do not have detections or process events but continue to send heartbeat status. Therefore, the correct answer is that event and detection processing stop, while basic status continues.

The best approach is to create a dynamic group with an assignment rule that filters for the OU . Because the OU is expected to gain members over time, dynamic membership ensures that new hosts automatically enter the appropriate group when their Active Directory OU attribute matches the rule. Targeting only Windows 10 would be imprecise because it would include hosts outside the intended OU and miss non-Windows-10 systems in scope. Excluding the OU is the opposite of the requirement. CCFA group creation guidance emphasizes dynamic groups for membership that should follow changing attributes such as OU, OS version, platform, tags, or host type. This supports scalable policy and exclusion assignment without manual updates.