CCFA-200b CrowdStrike Falcon Certification Program Free Practice Exam Questions (2026 Updated)

The No Action option is assigned when an administrator wants to save the IOC for future use but does not want Falcon to take an enforcement or detection action at that time. In IOC Management, hash indicators can be assigned actions such as Block, Detect Only, Allow, or None/No Action. Block prevents the hash and can show it as a detection when the required prevention policy setting is enabled. Detect Only generates a detection but takes no prevention action. Allow adds the hash to the allowlist and suppresses detection for that indicator. No Action is different from all three: it retains the indicator in IOC Management without blocking it, allowing it, or generating a detection. This is useful when an indicator is being staged, tracked, reviewed, or retained for future activation after validation. It is not an allowlist or blocklist action. Reference topics: Rule Configuration, Custom IOCs, IOC Management Actions, Hash Indicator Handling.

Prevention policies are assigned through host group membership. Falcon uses host groups as the scalable policy-targeting mechanism for prevention, sensor update, response, containment-adjacent workflows, and other policy families. Administrators assign one or more host groups to a policy; hosts inherit the applicable policy according to group membership and policy precedence. Direct per-host policy assignment is not the normal Falcon model because it does not scale and bypasses group-based governance. IP ranges can be used as dynamic group criteria in some contexts, but the policy itself is still assigned to a host group, not directly to the IP range. Manual configuration on each endpoint is not used for Falcon cloud-managed prevention policy enforcement.

The most efficient dynamic grouping criterion is Type: Workstation . Host type is specifically intended to distinguish categories such as workstation, server, or domain controller. Using OU may work only if Active Directory structure is perfectly aligned and consistently maintained, which is not guaranteed. Grouping tags require prior tag assignment during installation or post-install configuration, adding administrative dependency. Platform Windows would include Windows servers and possibly other Windows systems that are not workstations. The CCFA group creation topic emphasizes using the most precise available host attribute for dynamic group membership. Since the desired group is all workstations, Type: Workstation directly maps to the requirement and avoids broader or manually dependent criteria.

Falcon supports standard IP address and CIDR-based notation when defining or searching network address ranges. CIDR notation represents an address and prefix length, such as 192.168.5.1/24, and is the correct structured format among the choices. The other answer choices contain malformed spacing, invalid separators, or unsupported range syntax. Falcon documentation specifically identifies CIDR notation as an accepted method for defining IP ranges, while also noting that single IP addresses and defined ranges may be used depending on the feature. In Host Management and related policy configuration areas, using valid address notation is critical because malformed IP syntax will either be rejected or fail to match hosts correctly. The correct answer is therefore the CIDR-formatted option, not the informal or incorrectly spaced alternatives.

The most likely reason the “Servers” host group is not available is that it is already assigned to another prevention policy. Falcon prevention policies are applied to hosts through host groups. When assigning host groups to a prevention policy, the console only presents groups that are currently available for assignment. The official prevention policy workflow states that after a host group is assigned to a policy, that host group no longer appears in the list of available groups. This prevents accidental duplicate assignment within the same policy assignment workflow and helps preserve predictable policy targeting. The group does not need to be disabled before assignment, and host type is not defined inside the prevention policy itself. The policy also does not need to be enabled before groups can be assigned; assignment can be configured before enabling the policy. Therefore, the unavailable “Servers” group indicates that it already has a prevention policy assignment. Reference topics: Policy Application, Prevention Policies, Assigned Host Groups, Host Group Policy Assignment.

The correct role is Falcon Security Lead. Falcon role guidance identifies Falcon Security Lead as a role that can manage detections, manage quarantined files, contain hosts, search events, reset user credentials, and view exclusions. Falcon Analyst – Read Only can view detections and exclusions but does not have management authority over quarantined files. Endpoint Manager is focused on sensor deployment, sensor configuration, update policies, and host group administration; it is not the role for quarantine management. Detections Exceptions Manager is associated with exception or exclusion-style administration, not quarantined file operations. Managing quarantined files includes operational actions such as reviewing quarantined items, releasing files, undoing releases, deleting quarantined files, and potentially downloading extracted files when permitted by configuration and role. Because quarantine actions can reintroduce files to endpoints or remove evidence, Falcon assigns this capability only to roles with sufficient security operations authority. Reference topics: User Management, Default Roles, Falcon Prevent Roles, Quarantined Files.

IP addresses are added to a containment policy to allow contained hosts to communicate with specific trusted resources during network containment. Network containment isolates the host to reduce attacker movement while maintaining required Falcon cloud communication. Organizations may need contained hosts to access patch servers, update sources, remediation infrastructure, domain services, or other tightly controlled internal systems. The purpose is not to automate containment based on IP address; automation is handled through workflows. Analyst permissions are controlled by user roles, not containment policy IP entries. Falcon console access is unrelated because containment policy applies to endpoint network communication, not administrative access to the web console. The course guide explicitly connects containment-policy IP allowances with patching and controlled access during containment.

The required upload format is TXT . Static host groups can be populated by selecting hosts in the console, manually entering hostnames or host IDs, or uploading a text file. Falcon supports adding hosts by host ID or hostname depending on whether the static group was created as “Static by host ID” or “Static by hostname.” The uploaded TXT file must contain only host IDs or only hostnames, with each entry separated by a new line. This method supports adding up to 1,000 hosts at a time, so uploading 500 servers is within the supported limit. XLSX, PDF, and JSON are not the documented upload formats for static host group membership. The course guide also notes that static groups are useful for controlled testing scenarios, such as validating a newly created sensor update policy against a specific set of hosts. Reference topics: Group Creation, Static Host Groups, Upload Hosts, Host ID and Hostname Assignment.

The likely cause is that Redact HTTP Detection Details is enabled in the prevention policy. Falcon HTTP detections can include privacy-sensitive details such as URLs, raw HTTP headers, and POST bodies when that information is present and relevant to the detection. However, the prevention policy includes a privacy control that redacts these details before they are sent to the CrowdStrike cloud. The documentation states that enabling Redact HTTP Detection Details removes this sensitive HTTP detection data while still allowing HTTP detections to be generated. This means the detection itself can still appear, but the additional context is intentionally absent. Aggressive or cautious ML settings do not explain missing HTTP headers or POST body content. A perimeter firewall block would affect whether the communication occurs, not selectively redact detection details. If HTTP detections were never enabled, the issue would be absent detections, not detections with missing sensitive fields. Reference topics: Policy Application, Prevention Policy Settings, HTTP Detections, Redact HTTP Detection Details.