CCFA-200b CrowdStrike Falcon Certification Program Questions and Answers

When an API client is created in Falcon, the generated credential pair is the Client ID and Secret . These two values identify and authenticate the integration when it requests access to Falcon APIs. The official API client workflow directs administrators to go to Support and resources > Resources and tools > API clients and keys, create the API client, assign the required scopes, and then copy the client ID and secret from the API client created dialog. The secret must be stored securely because it is not visible again after the credential window is closed. Customer ID or CID is used for tenant and sensor-related identification, not API authentication. OAuth2 tokens are generated later by using the client ID and secret; they are not the initial credential pair. Reference topics: User Management, API clients and keys, OAuth2-based API authentication, third-party integration credentials.

The best answer is Managed Assets dashboard . This dashboard-oriented view is used for operational visibility across managed endpoints and helps administrators understand how assets are distributed across important attributes, including policy-related coverage. The question asks for a “top-ten” review of sensor update, prevention, and device control policies as new hosts are added to the CID, which aligns with dashboard summarization rather than a per-host daily report. The Sensor Policy Daily Report is useful for reviewing assigned groups and policies for hosts, but it is not the best answer for a high-level top-ten usage review. Executive Summary is broader leadership reporting, not the operational location for policy-use distribution across managed assets. The CCFA reporting objective here is policy coverage awareness at scale.

The first component configured when creating a Fusion SOAR workflow from scratch is the Trigger . Falcon workflows follow a trigger-condition-action model: the trigger determines what starts the workflow, the condition narrows execution logic, and the action defines what Falcon does after the workflow criteria are met. For a workflow involving critical vulnerabilities, the trigger is the event that initiates automation, such as Falcon detecting or receiving a vulnerability-related event. Only after the trigger is selected can the administrator add conditions, such as vulnerability severity equals Critical, and then define the action, such as generating an alert, creating a ticket, sending a notification, or initiating another response. The course guide describes this model using the exact example of critical vulnerabilities: Trigger is Falcon detecting an endpoint vulnerability, Condition is vulnerability severity of Critical, and Action is creating a ServiceNow incident. Therefore, Action and Condition are configured after the trigger, and Workflow Name is administrative metadata rather than the execution-starting component. Reference topics: Fusion SOAR workflows, trigger-condition-action model, vulnerability workflow automation.

The Customer ID with Checksum, often referred to as the CID or CCID/CIDC, is required when installing a new Falcon Sensor so the sensor can register to the correct Falcon customer environment. The deployment guidance repeatedly instructs administrators to copy the Customer ID checksum from Host setup and management > Deploy > Sensor downloads before running sensor installation. For macOS, the installer workflow requires running falconctl license with the customer ID checksum after installation. For Windows installations, the installer requires the Customer ID with Checksum value obtained from the Sensor downloads page. This value is not used to locate a host in Host Management, and it is not the normal control for defining host group criteria. Sensor uninstallation is controlled by maintenance tokens or uninstall protection settings, not CIDC. Reference topics: Sensor Deployment, Sensor downloads, Customer ID checksum, Windows and macOS sensor installation.

Fusion SOAR workflows are built around the operational sequence of Trigger, Condition, and Action . The trigger defines the Falcon event or schedule that starts the workflow. The condition refines when the workflow should proceed by evaluating event attributes, such as severity, hostname, detection type, source, status, or other parameters. The action defines what Falcon should do after the trigger occurs and the condition is satisfied, such as assigning a detection, sending a notification, containing a host, creating a ticket, or running a response action. The official workflow guidance describes creating workflows by choosing a trigger, adding conditions to refine the trigger, and defining actions that run when the exact trigger conditions are met. Rule Type, Filter, and Objective are not the Fusion workflow execution structure. Those terms are more closely associated with detection logic or classification, not workflow automation. Reference topics: Fusion SOAR workflows, workflow triggers, workflow conditions, workflow actions.

The best field to filter by for Domain Controllers is Type . In Host Management, the Type field identifies the host category, including desktop, server, or domain controller. This makes it the most direct and precise field for locating domain controllers before reviewing their sensor version information. Sensor Version is useful after the correct host population has been identified, but filtering by Sensor Version alone would group systems by Falcon sensor build, not by whether they are domain controllers. Platform filters by broad operating system family, such as Windows, macOS, or Linux, and OS Version filters by the installed operating system version, neither of which uniquely identifies domain controllers. The course guide’s host filter descriptions explicitly define Type as “Desktop, server or domain controller OS” and Sensor Version as the version of Falcon sensor installed on the host. Therefore, the correct workflow is to filter by Type = Domain Controller, then review or sort the Sensor Version field for those matching hosts. Reference topics: Host Management filters, host type, sensor version review.

On Microsoft Windows, the supported command to verify that the Falcon Sensor is running is sc.exe query csagent. This command queries the Windows service control manager for the Falcon sensor service driver named csagent. When the sensor is running correctly, the output shows SERVICE_NAME: csagent and a running state, specifically STATE : 4 RUNNING. This is the direct operational validation method documented for Windows sensor troubleshooting. cswindiag.exe is used to collect diagnostic information, but it is not the standard command for confirming the running state of the sensor. netstat.exe -f displays network connections and DNS names, not Falcon sensor service status. sc.exe query falcon is incorrect because the Windows service name is not falcon; it is csagent. Reference topics: Windows Sensor Deployment, Verify Sensor Status, Sensor Troubleshooting, Host Setup and Management.

A list of hosts that have not communicated with the CrowdStrike cloud is found in Inactive Sensors . The Inactive Sensors report identifies sensors that have not reported within a given timeframe and is intended for deployment coverage and operational health review. Host Groups organize systems for policy assignment but are not the report for cloud communication gaps. The Activity Dashboard focuses on detections, incidents, and security activity rather than sensor check-in status. Sensor Report provides an overview of active sensors, while Inactive Sensors specifically addresses hosts that have stopped reporting. CCFA dashboard and report guidance identifies Inactive Sensors as the report administrators use to locate endpoints that may be powered off, decommissioned, disconnected, or experiencing communication problems.

The correct approach is to create a custom IOA rule that monitors process creation matching .*\\remote\.exe. The goal is to generate a detection for review when an authorized remote access executable runs. Custom IOAs are specifically suited for detecting organization-specific behaviors, including process creation based on executable path or command-line patterns. An exclusion would suppress detections, not create them. A scheduled search may find process events after the fact, but it does not create a Falcon detection in the same way a custom IOA does. An IOC for remote.exe would be less precise unless based on a hash and would not express the behavioral “process creation” condition. The course guide identifies custom IOA process creation rules as the correct tool for this use case.

The Sensor report dashboard is the best answer because it provides an overview of active sensors in the environment and summarizes deployment and coverage data for sensor administration. The question asks for an overview of the top ten most-applied policies by sensors, which is a dashboard-level summary rather than a per-host assignment lookup. The Sensor Policy Daily Report is more granular: it is used to review the groups and policies assigned to a host and is updated once per day, so it is not the best choice for a top-ten environmental overview. Scheduled reports are a delivery mechanism for recurring report generation, not the specific report containing the requested sensor-policy overview. Executive Summary provides broader executive-level security posture information and is not the focused sensor-policy distribution view. CCFA reporting guidance places sensor deployment and coverage reporting under Sensors, where the Sensor Report provides the overview of active sensors and related sensor-management posture. Reference topics: Dashboards and Reports, Sensors reports, Sensor Report dashboard, Sensor Policy Daily Report.

The required role is Real Time Response - Administrator . RTR Administrator can create custom scripts, upload files for the put command, and perform higher-risk RTR operations that are not available to Active Responders. Active Responder can execute certain response actions and retrieve files, but it does not provide full script management capability. Workflow Author relates to Fusion SOAR workflows, not RTR script creation and sharing. Falcon Scripts Manager is not the correct default role in this context. The CCFA RTR topic separates roles into Read Only Analyst, Active Responder, and Administrator. Building, saving, and sharing custom scripts requires the administrative RTR capability, so RTR Administrator is the correct least role for that task.

When a Linux sensor enters RFM, it stops processing both events and detections, but it continues sending basic status information such as SensorHeartBeat events to indicate that the sensor is installed. Linux RFM is more restrictive than Windows RFM. On Windows, the sensor may still monitor and report at reduced capacity, but on Linux, unsupported kernel or user-mode requirements can result in no detections or process events. The course guide explains that Linux sensors in RFM do not have detections or process events but continue to send heartbeat status. Therefore, the correct answer is that event and detection processing stop, while basic status continues.

The correct action is to temporarily disable detections for the server in Host Management and re-enable them after the penetration test is complete. Falcon’s Disable Detections function is specifically useful for test hosts when administrators want to prevent test detections from cluttering the Endpoint detections console. When detections are disabled, detections for that host are removed from the console immediately, and no new detections from that host display until detections are enabled again. This does not uninstall the sensor, and the sensor continues to operate normally with prevention policies, custom IOA rules, exclusion rules, and other controls still processed. Creating a workflow to email the SOC would increase noise rather than reduce it. Permanently disabling detections creates unnecessary long-term blind spots. Deleting detections and containing the server is also inappropriate because the activity is authorized testing, not necessarily an incident requiring containment. Reference topics: Host Management, Disable Detections, endpoint detection suppression, penetration test handling.

The primary purpose of Falcon audit logs is to track configuration and administrative changes . Audit logs provide accountability by showing what changed, who made the change, and when it occurred. Examples include policy creation, updates, deletions, role changes, user management actions, IP allowlist changes, and other administrative activity. Tracing file changes is the purpose of file integrity monitoring tools such as Falcon FileVantage, not the general Falcon audit log. Monitoring system performance is handled through sensor health, host status, and operational telemetry rather than audit logs. CCFA emphasizes audit logs as an administrative governance and investigation tool that supports accountability, change review, and security operations oversight.

Sensor Update policies are platform-specific, meaning separate policies exist for Windows, Mac, and Linux sensors. The official Sensor Update Policies guidance states that administrators use these policies to control the update process for sensors on hosts, and that each host is assigned to a sensor policy based on host group membership. It then specifies that there are separate sensor update policies for separate platforms: Windows, Mac, and Linux. Therefore, a single sensor update policy cannot be universally applied across all operating systems. Windows does not share update policies with macOS, and macOS does not share update policies with Linux. Linux kernel compatibility is an important deployment consideration, but it does not mean Windows and Mac share one policy family while Linux alone has a different model. The correct CCFA principle is that sensor update management is performed per supported platform, then targeted to host groups within that platform. Reference topics: Sensor Deployment, Sensor Update Policies, platform-specific sensor management, host group policy assignment.

The correct installation parameter is ProvNoWait=1. During Windows sensor installation, the host must contact the CrowdStrike cloud to complete provisioning. By default, if the host cannot establish cloud connectivity within the provisioning window, the installer aborts and removes the sensor. For slow links, proxy delays, restricted networks, or troubleshooting scenarios, ProvNoWait=1 prevents the installer from aborting solely because cloud connectivity was not achieved within the default period. The course material describes this as the supported override for the provisioning timeout. The other options are not valid Falcon installer parameters for this purpose. Timeout=30 and Timeout=0 are generic-looking but not the documented Falcon provisioning override, while DelayedStart=1 does not address cloud provisioning failure.

Falcon user accounts must be created using an email address from the approved domains configured for the CID. This ensures that account creation is limited to authorized organizational identity domains and reduces the risk of adding unauthorized external users. New users are not automatically assigned the Falcon Analyst role by default; roles must be assigned according to operational need. Employee identification numbers and domain-number prefixes are not Falcon account requirements. The CCFA user management topic emphasizes identity governance, approved domains, role assignment, and least privilege. Falcon Administrators create users, assign appropriate roles, and ensure that access aligns with approved organizational identity controls. Therefore, the approved-domain email requirement is the correct statement.

A sensor with no applicable custom host group assignment receives the Default policy . Sensor update policies follow the same basic host group and precedence pattern used throughout Falcon policy management. If a host is included in a group assigned to a higher-precedence sensor update policy, that policy applies. If it does not match any assigned custom policy, Falcon falls back to the default sensor update policy. The top-precedence policy only applies when the host belongs to a host group assigned to that policy. Auto N-1 is a possible version-selection strategy within a policy, not the automatic fallback policy assignment. This is why the course emphasizes reviewing default policy settings carefully before broad deployment.

The Real Time Response audit log records operational details about RTR sessions, including who connected, which host was accessed, when the session began, how long it lasted, which commands were run, and files retrieved through RTR activity. The course guidance describes the RTR sessions audit log as a history of recorded activity for the CID’s Real Time Response sessions. It includes session start time, session status, user, hostname, connected-from source, commands used, and session duration. Session details also include host details, retrieved files, and detections, with command history subject to specific exclusions such as help, clear, and history, which are not recorded. Option A describes host inventory and policy context rather than RTR session auditing. Option B is incomplete and emphasizes command return results, which is not the core listed audit-log summary. Option D is incorrect because RTR activity is explicitly collected in audit logs. CCFA reference topics: Real Time Response, RTR Audit Logs, Session Details, Host Management and Setup.

The correct action is to use the built-in Fusion SOAR OverWatch detection remediation and prioritization playbook. This playbook is specifically designed to automate response when Falcon OverWatch flags an endpoint detection. The documented workflow actions include setting the endpoint detection status to In Progress, containing the device where the detection occurred, adding associated identity and endpoint context to watchlists when applicable, and sending an email notification. This directly satisfies leadership’s requirement for immediate containment and notification of the appropriate internal staff. Emailing the OverWatch team is not the correct operational response because OverWatch has already generated the detection; the customer SOC or incident response team must be notified. Creating a new detection is also incorrect because the detection already exists. Blocking the detection is not a valid response action; containment is the host-level control. Reference topics: Fusion SOAR Playbooks, OverWatch Detection Remediation and Prioritization, Host Containment Automation.

The correct retention period is 45 days . In Falcon Host Management, a host becomes inactive when its sensor no longer sends heartbeat communication back to the CrowdStrike cloud. Inactive status is identified by the host’s Last Seen timestamp, allowing administrators to determine when the endpoint last communicated. Falcon automatically removes hosts that remain inactive for more than 45 days from both the Host Management page and the Trash page. This behavior prevents stale endpoint records from remaining indefinitely in the operational console while still giving administrators time to review, delete, restore, or investigate host records before they age out. The 60-day, 75-day, and 90-day options do not match the documented Falcon host lifecycle. This topic belongs to Host Management and Setup, specifically inactive host cleanup, deleted host handling, Trash retention, and endpoint lifecycle management.

Fusion SOAR workflows run automatically from Event triggers or Scheduled triggers. Event triggers execute when Falcon observes a matching event, such as a detection, incident, audit event, custom IOA detection, or other supported trigger category. Scheduled triggers run at a defined time or recurrence, allowing routine automation such as reporting, searches, or maintenance workflows. Conditions refine when a workflow continues after the trigger, but they are not triggers themselves. Actions are the tasks performed after the workflow starts, such as sending email, assigning detections, containing hosts, or running RTR commands. The CCFA workflow model separates trigger, condition, and action clearly: triggers start workflows, conditions filter logic, and actions perform outcomes.

Manual macOS sensor installation requires approval for the Falcon system extension , Full Disk Access , and the network filter extension on supported macOS versions. Apple’s security model requires explicit authorization before endpoint security extensions and network content filtering components can load. Full Disk Access is required for the sensor to inspect protected filesystem locations and operate correctly. Omitting any one of these approvals can leave the sensor partially installed, unable to provide expected visibility, or unable to load required components. The course guide’s macOS deployment section identifies system extension approval and network filter authorization as required for Big Sur and later, and also states Full Disk Access must be granted for proper operation.

The fastest method is to use the Host Management page and apply the filter for inactive hosts. Sorting by Last Seen can help, but it is less direct and may require additional interpretation. Exporting host data to CSV is useful for offline reporting but is slower and unnecessary for immediate console triage. Searching for hosts with no Agent ID is incorrect because Falcon-managed hosts have Agent IDs; an inactive sensor is not the same thing as a missing AID. CCFA host management workflows emphasize using built-in filters for operational triage, including inactive, contained, RFM, platform, OS version, tags, and other host attributes. The Inactive Sensors report can also help, but within the answer choices, filtering Host Management is the direct operational answer.

The correct setting is Moderate Level ML . Falcon’s prevention policy guidance recommends Moderate for most use cases, and the staged deployment model for environments with pre-existing antivirus begins with Phase 1, where machine-learning prevention is conservative while detection is used to triage and tune. The important CCFA concept is not to begin with Extra Aggressive or Aggressive prevention on a newly deployed host with another antivirus product, because that increases false-positive and compatibility risk. Cautious detects only when confidence is very high, but Falcon’s recommended baseline for practical protection is Moderate. The course guide states that Moderate detects or prevents when the machine-learning system has moderate confidence and is recommended for most use cases, while Extra Aggressive is not recommended outside penetration testing scenarios.

Falcon user permissions are defined through roles, and those roles can be either default roles or custom roles. A user gains permissions by being assigned one or more roles, and Falcon grants the combined permissions enabled across all assigned roles. Default roles provide predefined permission sets for common operational responsibilities, while custom roles allow administrators to restrict or expand access for specialized duties. Permissions are not assigned one-by-one directly during user account creation as the primary model. A user also does not need a default role before receiving a custom role; custom roles can be assigned as needed after they are created and validated. Custom role permission sets are scoped to the customer environment and are not globally shared across all CrowdStrike customers. This role-based model supports least privilege, separation of duties, and auditable administrative access. Reference topics: User Management, Role Management, Default Roles, Custom Roles, Permissions.

The most likely reason the “Servers” host group is not available is that it is already assigned to another prevention policy. Falcon prevention policies are applied to hosts through host groups. When assigning host groups to a prevention policy, the console only presents groups that are currently available for assignment. The official prevention policy workflow states that after a host group is assigned to a policy, that host group no longer appears in the list of available groups. This prevents accidental duplicate assignment within the same policy assignment workflow and helps preserve predictable policy targeting. The group does not need to be disabled before assignment, and host type is not defined inside the prevention policy itself. The policy also does not need to be enabled before groups can be assigned; assignment can be configured before enabling the policy. Therefore, the unavailable “Servers” group indicates that it already has a prevention policy assignment. Reference topics: Policy Application, Prevention Policies, Assigned Host Groups, Host Group Policy Assignment.