CCFA-200b CrowdStrike Falcon Certification Program Questions and Answers

Third-party integrations require an API Client and Secret Key . Falcon API access is configured by creating an API client with the required scopes, then securely storing the generated client ID and secret. The integration uses those credentials to request OAuth2 tokens and interact with the Falcon APIs according to the assigned scopes. An OAuth2 token is obtained after the client credentials are created; it is not the first credential combination generated. “Access Key and Secret Key” resembles cloud provider terminology, while “Integration Key and Customer ID” is not the standard Falcon API credential pair. The CCFA user and API management material emphasizes creating scoped API clients and protecting the secret because it is shown only at creation time.

The primary concern with Windows RFM is that sensors do not have full visibility into all events occurring on the host. In Windows RFM, the sensor continues operating at reduced capacity and can still report events and trigger detections, but it temporarily unhooks from some kernel elements. Without those kernel elements, some detection patterns and a small number of preventions may not trigger. The host is not necessarily offline, powered off, or unable to communicate with the cloud. RFM is also not the same as an operating system crash; it is a protective compatibility state. The CCFA sensor deployment topic emphasizes that RFM reduces visibility and prevention coverage, which is why administrators should identify and remediate RFM hosts promptly.

The correct installation parameter is ProvNoWait=1. During Windows sensor installation, the host must contact the CrowdStrike cloud to complete provisioning. By default, if the host cannot establish cloud connectivity within the provisioning window, the installer aborts and removes the sensor. For slow links, proxy delays, restricted networks, or troubleshooting scenarios, ProvNoWait=1 prevents the installer from aborting solely because cloud connectivity was not achieved within the default period. The course material describes this as the supported override for the provisioning timeout. The other options are not valid Falcon installer parameters for this purpose. Timeout=30 and Timeout=0 are generic-looking but not the documented Falcon provisioning override, while DelayedStart=1 does not address cloud provisioning failure.

MFA for Real Time Response is configured under General settings . Falcon Administrators can enable Real Time Response identity verification from Support and resources > Resources and tools > General settings. This applies Falcon MFA to high-risk RTR operations according to the configured trigger, such as before connecting to a host or before executing sensitive commands like run or kill. Response policies determine which RTR commands are available to hosts and users, but they do not configure MFA enforcement. Notifications and containment policies are unrelated to RTR identity verification. The course guide highlights that RTR MFA applies broadly to users in the CID once enabled, regardless of response policy assignment, making General settings the correct administrative location.

The Sensor report dashboard is the best answer because it provides an overview of active sensors in the environment and summarizes deployment and coverage data for sensor administration. The question asks for an overview of the top ten most-applied policies by sensors, which is a dashboard-level summary rather than a per-host assignment lookup. The Sensor Policy Daily Report is more granular: it is used to review the groups and policies assigned to a host and is updated once per day, so it is not the best choice for a top-ten environmental overview. Scheduled reports are a delivery mechanism for recurring report generation, not the specific report containing the requested sensor-policy overview. Executive Summary provides broader executive-level security posture information and is not the focused sensor-policy distribution view. CCFA reporting guidance places sensor deployment and coverage reporting under Sensors, where the Sensor Report provides the overview of active sensors and related sensor-management posture. Reference topics: Dashboards and Reports, Sensors reports, Sensor Report dashboard, Sensor Policy Daily Report.

A custom IOA rule is not fully functional until its rule group is assigned to a prevention policy . Custom IOAs are created inside rule groups, and those groups must be enabled. However, Falcon applies custom IOA rule groups to endpoints through prevention policies. If the rule and rule group are enabled but not assigned to a prevention policy that applies to the target hosts, the rule will not trigger detections. There is no requirement to manually trigger the rule, and hosts are not individually selected as the primary application method. Host targeting occurs through prevention policy assignment to host groups. The CCFA guide explicitly states that rule and group enablement alone is insufficient without prevention policy assignment.

When a host does not match a custom host group assigned to a policy, Falcon applies the applicable Default Policy . Falcon policies operate through host group assignment and precedence. A host may match one or more groups; when multiple policies apply, precedence determines which policy wins. If no custom policy assignment applies, the default policy is the fallback. The platform does not leave hosts without policy coverage, nor does it retain a previously active custom policy indefinitely once the host no longer qualifies. It also does not automatically choose the most restrictive policy unless that policy is assigned and has the highest precedence. This default-policy behavior is central to safe policy design in CCFA: administrators must review default policy settings because unassigned hosts inherit them.

The correct administrative action is to add the architect’s email address to the managed recipient list for standard incident and detection notification emails in General settings. Falcon standard notification behavior already matches the stated requirement: CrowdStrike sends email notifications for detections with severity of medium or higher and sends incident notifications when a new incident reaches a CrowdScore of 1.0 or higher. The recipient list is managed from Support and resources > Resource and tools > General settings under “Manage list for detection and incident emails.” Creating a Falcon user or assigning a custom role does not automatically subscribe the architect to these standard email notifications. A Fusion SOAR workflow could send email, but it is unnecessary because the native notification mechanism already exists and is designed for this use case. The Detections and Exceptions Manager role controls exception management, not notification enrollment. CCFA reference topics: Falcon Notifications, General Settings, Standard Incident and Detection Notification Emails, Dashboards and Reports.

The default user role that can manage API credentials is Falcon Administrator . Falcon’s role-permission matrix shows “Manage API credentials” enabled for Falcon Administrator and not enabled for the other listed roles. Falcon Administrator is the broad administrative role that can access nearly all console functionality, with the notable exception that Real Time Response still requires dedicated RTR roles. Managing API credentials is a high-risk administrative function because API clients and secrets can be used by integrations, scripts, and external systems to access Falcon APIs according to assigned scopes. Therefore, Falcon restricts this capability to administrative authority rather than operational roles such as Falcon Security Lead or Endpoint Manager. Falcon Security Lead can manage detections, quarantined files, containment, event searches, and credential resets, but it cannot manage users, roles, or API credentials. “Falcon API Manager” is not the default role presented in the official role model. Reference topics: User Management, Default Roles, API Clients and Keys, Role-Based Access Control.

The role that allows a Falcon user to create Real Time Response custom scripts is Real Time Responder – Administrator . Falcon separates RTR permissions into three default responder roles. Read Only Analyst can run reconnaissance-style commands. Active Responder can run read-only commands plus additional response commands, including commands that modify host state and certain approved custom scripts. However, creating custom scripts, uploading files for the put command, and directly running executables with run are reserved for the RTR Administrator role. This distinction is important because custom scripts can perform powerful host-level actions and must be restricted to experienced incident response personnel. The course guide also notes that users must have an RTR role to access RTR functionality at all; Falcon Administrator alone does not automatically include RTR access. “Real Time Responder – Script Developer” is not one of the standard RTR roles. Reference topics: User Management, Real Time Response Roles, Custom Scripts, RTR Role Permissions.

The correct report is Machine Learning Prevention Monitoring . This report helps administrators understand how machine-learning policy levels affect detection and prevention volume. It is useful during policy tuning because Falcon machine-learning settings can be staged from detection-focused configurations to prevention-focused configurations. Administrators can use this data to estimate how many events would be detected or blocked at different ML aggressiveness levels and then adjust policies with fewer surprises. Falcon Prevention Policy Debug is not the reporting feature designed for this purpose, and the Prevention Policy Audit Trail tracks administrative changes rather than activity volume. The CCFA policy tuning model relies on measuring detection and prevention outcomes before increasing enforcement, especially during staged deployment phases.

The least privilege role for extracting files with RTR is Real Time Responder - Active Responder . The Active Responder role includes the ability to use the get command to retrieve files from endpoints, along with additional response commands beyond read-only reconnaissance. The RTR Administrator role can also extract files, but it grants broader capabilities such as creating custom scripts, uploading files with put, and directly running executables, so it is not least privilege. Falcon Security Lead and Falcon Investigator are detection and investigation roles but do not provide the required RTR command authority by themselves. CCFA role design emphasizes giving users only the permissions needed to complete the task. For file extraction, Active Responder is sufficient and appropriately scoped.

The correct setting is Uninstall and Maintenance Protection . In Falcon, this control is configured inside Sensor Update Policies and is specifically designed to prevent unauthorized sensor removal or maintenance operations. The official guidance states that the “Uninstall and maintenance protection” setting prevents unauthorized uninstallation of the sensor and controls whether a local administrator can manually update or uninstall the sensor. When enabled, uninstalling, repairing, unloading, downgrading, or manually upgrading the sensor requires a valid maintenance token. For supported Windows sensor versions, this protection can also prevent unauthorized modification of sensor grouping tags, which helps stop users from moving endpoints into less restrictive policy assignments. The course guide recommends keeping this setting enabled for normal production policies and creating a separate temporary maintenance policy only when legitimate sensor changes are required. “Installation and Maintenance Protection,” “Sensor Version Control Protection,” and “Update and Management Protection” are not the official Falcon setting names. Reference topics: Sensor Deployment, Sensor Update Policies, Maintenance Tokens, Uninstall Protection.

The correct method is to use IOC Management , add the hashes as custom IOCs, set the action to Block , and ensure the applicable prevention policy has Custom Blocking enabled under Execution Blocking. Hash-based blocking is an IOC Management function. Prevention policies do not create “IOC Policies” in the way the distractors describe; instead, prevention policies must include the setting that enforces custom blocking. Setting hashes to Block without enabling the relevant policy capability may fail to enforce the intended behavior on hosts. The CCFA rule configuration and policy application topics emphasize that IOC Management defines the custom indicators and actions, while prevention policy settings determine whether those actions are enforced on endpoints.

Network containment isolates a host from normal network communication to prevent lateral movement and attacker-controlled access. By default, a contained host cannot reach patching infrastructure, so operating system patch jobs fail unless specific exceptions are added. The Falcon configuration point for this is the Containment Policy , where administrators allowlist specific IP addresses that contained hosts may continue to communicate with. The official guidance states that to install patches on network-contained hosts, administrators must add the IP address of the Windows Update source or patching source to the environment’s containment policy. FQDN allowlisting is not the correct answer in this context; the supported containment exception is IP-based. Removing containment would restore connectivity but would also eliminate the protective isolation during a zero-day remediation scenario. Firewall Policy is not the control that governs Falcon network containment exceptions. Reference topics: Network Containment, Containment Policy, Patch Windows Hosts, Policy Application.

Custom IOA rules are designed to detect behavior, not simply static files. Falcon’s core prevention model distinguishes between Indicators of Compromise, which are often file/hash/domain/IP based, and Indicators of Attack, which describe behavioral patterns associated with suspicious or malicious activity. Custom IOAs allow administrators to define organization-specific behavioral detections, such as process creation, file creation, network connection, or command-line behavior. They are especially useful when the activity may not be universally malicious but is unwanted or suspicious in a specific environment. Blocking known malware is more closely aligned with IOC management or machine-learning prevention. System updates and network settings are unrelated to custom IOA rule intent. The course guide describes custom IOAs as a way to gain visibility into activity Falcon does not otherwise detect and optionally block or kill that behavior.

The correct answer is LMHosts and Windows Base Filtering Engine . The Windows sensor depends on certain Windows services being installed and running. The course guide identifies required services including LMHosts, Network Store Interface, Windows Base Filtering Engine, and Windows Power Service, with additional services depending on proxy and network configuration. Among the answer choices, LMHosts and BFE are both explicitly listed required services. Windows firewall and cloud connectivity are important connectivity considerations, but the question asks what services should be verified as installed and running. Network Store Interface is required, but Network List Service is not the documented pair in the provided option. Therefore, option A is the best match.

The most accurate ML exclusion pattern is Program Files\Software\**\*.exe. Falcon prevention policy exclusions use glob syntax, and Windows exclusion paths are written without the drive name and without a leading backslash. The pattern must therefore begin at Program Files\Software\, not C:\Program Files\Software\. A single asterisk pattern such as Program Files\Software\*.exe matches only .exe files directly inside the Software folder and does not include subfolders. The double-asterisk pattern with a path separator, **\*.exe, is the correct recursive construction because it matches executable files within the target folder and its subdirectories. **\*.exe by itself is overly broad because it could match executable files in many locations, not just the Software directory. Program Files\Software\**.exe is less precise than the documented recursive executable pattern. Reference topics: Rule Configuration, Machine Learning Exclusions, Prevention Policy Exclusions, Glob Syntax.

A Falcon Administrator role alone does not grant the ability to initiate a Real Time Response session. RTR access is controlled by dedicated Real Time Responder roles, and the course guidance is explicit that “you must have a Real Time Responder role to connect to a host” and that “the Falcon Administrator role doesn’t include access to Real Time Response.” The administrator must be assigned one of the RTR roles, such as Real Time Responder - Read Only Analyst, Active Responder, or Administrator, depending on the level of command access required. A logged-in user on the endpoint does not prevent RTR connection, and Falcon can also connect to hosts that are network contained as long as RTR requirements are met. Another analyst session may affect operational coordination, but it is not the primary cause in this scenario. The correct CCFA topic alignment is User Management and Real Time Response role assignment.

Because the detection is triggering only on a specific Falcon IOA, the correct remediation is an IOA exclusion scoped to the relevant detection context and file path. IOA exclusions are intended to reduce false-positive behavioral detections and preventions. Falcon guidance states that IOA exclusions “reduce false-positive detection alerts from IOAs” by stopping behavioral IOA detections and preventions, and they can be created directly from a CrowdStrike-generated detection or by duplicating an existing exclusion. A Custom IOC Allow would be appropriate for an indicator-based decision, such as a known-good hash, but this scenario is explicitly behavioral because the trigger is a Falcon IOA. Manually disabling the built-in IOA through prevention policies is too broad and weakens protection beyond the single development artifact. A sensor visibility exclusion would suppress sensor event visibility and is broader than required. CCFA reference topics: Detection and Prevention Policies, IOA Exclusions, Rule Configuration, false-positive handling.

Sensor Tampering Protection is the prevention policy setting that blocks attempts to interfere with core Falcon sensor components. The official prevention policy guidance states that when this setting is enabled, it “blocks attempts to tamper with the sensor” and protects “sensor-related files, folders and registry objects from renaming or deletion.” If disabled, Falcon may still create detections for tampering attempts, but it will not block the activity. This distinction is important because attackers commonly attempt to disable or corrupt endpoint security tooling before establishing persistence, evading detection, or executing payloads. Host Modification Protection, System Configuration Protection, and Sensor Modification Protection are not the named Falcon prevention setting for this control. The correct CCFA topic alignment is Policy Application, specifically Prevention Policy Settings > Sensor Capabilities > Sensor Tampering Protection.

The Default Sensor Policy is the fallback policy that applies when a host is not matched to another assigned sensor policy. Falcon policy assignment is driven by host group membership and policy precedence. If a host belongs to a group that has an assigned policy, Falcon applies the highest-precedence applicable policy. If the host is not part of any group, or if its groups do not have a policy assigned, Falcon automatically applies the default policy. This ensures every sensor has an update policy path and avoids unmanaged update behavior. The default policy is not a test mechanism, does not reset all settings, and is not intended to deploy the oldest supported sensor version. The course guide states that the default policy may appear as platform_default and is applied to hosts that do not have an assigned policy. Reference topics: Sensor Deployment, Sensor Update Policies, Default Policy, Host Group Policy Assignment.

The new sensor update policy must be enabled and placed at a higher precedence than the broader policy assigned to all Windows servers. Falcon policy resolution is precedence-based when a host belongs to multiple host groups. In this scenario, each test Windows server belongs to both groups: the narrow “test Windows servers” group and the broad “all Windows servers” group. If the test policy has lower precedence, the broader Windows server policy wins and the test servers will not receive the new sensor update configuration. Falcon policy precedence uses ranking order where precedence 1 is higher than precedence 2, and the highest-ranking applicable policy becomes active on the host. This allows safe staged testing by making the narrow pilot policy outrank the general production policy while affecting only hosts in the test group. Manual installation or uninstallation is not required and would bypass Falcon’s managed sensor update workflow. Reference topics: Sensor Deployment, Sensor Update Policies, Host Groups, Policy Precedence.

The workflow must be tied to an Event trigger for EPP detections and refined with conditions that identify the pentest host, such as hostname or Agent ID. A workflow that assigns all EPP detections to yourself would be overly broad and would affect unrelated detections. The question asks for detections related to your pentest, which requires trigger refinement. Creating an alert is not the preferred Falcon Fusion automation path, and creating an IOC for the host is conceptually incorrect because IOCs represent indicators such as hashes, domains, IPs, or file names, not assignment logic. Fusion SOAR conditions use parameters, operators, and values to filter when a workflow should execute. Once matched, the workflow action can assign the detection to the appropriate analyst.

The likely cause is that the laptop is not a member of a host group assigned to the custom prevention policy. Falcon policies are applied through host group membership and policy precedence. A policy must be enabled and assigned to one or more host groups; Falcon then applies the policy settings to hosts based on their group membership. If a host is not in any group assigned to an enabled custom policy, it automatically receives the Default Policy. Since the custom policy is already enabled and successfully running on more than 1,000 other hosts, the policy itself is functioning correctly. The issue is therefore not sensor health, firewall connectivity, or a manual prompt. Falcon does not require a 24-hour waiting period before applying custom policies to newly installed hosts, and administrators do not manually approve policy application on the endpoint through a local prompt. The resolution is to verify the laptop’s group membership, dynamic group criteria, tags, OU, hostname pattern, or other assignment rule used by the custom policy’s host group. Reference topics: Policy Application, host group membership, default policy fallback, prevention policy assignment.

The best field to filter by for Domain Controllers is Type . In Host Management, the Type field identifies the host category, including desktop, server, or domain controller. This makes it the most direct and precise field for locating domain controllers before reviewing their sensor version information. Sensor Version is useful after the correct host population has been identified, but filtering by Sensor Version alone would group systems by Falcon sensor build, not by whether they are domain controllers. Platform filters by broad operating system family, such as Windows, macOS, or Linux, and OS Version filters by the installed operating system version, neither of which uniquely identifies domain controllers. The course guide’s host filter descriptions explicitly define Type as “Desktop, server or domain controller OS” and Sensor Version as the version of Falcon sensor installed on the host. Therefore, the correct workflow is to filter by Type = Domain Controller, then review or sort the Sensor Version field for those matching hosts. Reference topics: Host Management filters, host type, sensor version review.

Fusion SOAR workflows run automatically from Event triggers or Scheduled triggers. Event triggers execute when Falcon observes a matching event, such as a detection, incident, audit event, custom IOA detection, or other supported trigger category. Scheduled triggers run at a defined time or recurrence, allowing routine automation such as reporting, searches, or maintenance workflows. Conditions refine when a workflow continues after the trigger, but they are not triggers themselves. Actions are the tasks performed after the workflow starts, such as sending email, assigning detections, containing hosts, or running RTR commands. The CCFA workflow model separates trigger, condition, and action clearly: triggers start workflows, conditions filter logic, and actions perform outcomes.