CCFA-200b CrowdStrike Falcon Certification Program Free Practice Exam Questions (2026 Updated)

Sensor Tampering Protection is the prevention policy setting that blocks attempts to interfere with core Falcon sensor components. The official prevention policy guidance states that when this setting is enabled, it “blocks attempts to tamper with the sensor” and protects “sensor-related files, folders and registry objects from renaming or deletion.” If disabled, Falcon may still create detections for tampering attempts, but it will not block the activity. This distinction is important because attackers commonly attempt to disable or corrupt endpoint security tooling before establishing persistence, evading detection, or executing payloads. Host Modification Protection, System Configuration Protection, and Sensor Modification Protection are not the named Falcon prevention setting for this control. The correct CCFA topic alignment is Policy Application, specifically Prevention Policy Settings > Sensor Capabilities > Sensor Tampering Protection.

The combined maximum length of all sensor grouping tags is 256 characters , including comma separators. Grouping tags are assigned during installation using the appropriate installer parameter and can later be used in Host Management and dynamic host group rules. Because multiple tags can be applied to a host, Falcon enforces a combined-length limit across all tags rather than only a per-tag limit in this context. Exceeding this value can cause installation or tagging behavior to fail or produce incomplete tag assignment. The other choices are not the documented maximum. CCFA sensor deployment guidance specifically states that when using multiple tags, the combined length of all tags for a host, including comma separators, cannot exceed 256 characters.

To quarantine files on the host, Falcon requires the relevant Next-Gen Antivirus prevention capability and Quarantine & Security Center Registration . Quarantine occurs after files are prevented by NGAV, so Falcon must first be configured to detect and prevent malicious executable content using the Next-Gen Antivirus prevention sliders, such as Cloud Machine Learning and Sensor Machine Learning prevention levels. The Quarantine & Security Center Registration setting then allows Falcon to quarantine executable files after NGAV prevention. On Windows workstations, enabling this setting also registers Falcon with Windows Security Center and can disable Microsoft Defender automatically. Malware Protection and Custom Execution Blocking relate to different prevention mechanisms, especially IOC-based blocking, but they are not the required pairing for NGAV quarantine. Behavior-Based Threat Prevention and Advanced Remediation Actions are also not the required quarantine configuration. Reference topics: Prevention Policy Settings, Next-Gen Antivirus, Quarantine, Quarantine & Security Center Registration.

Sensor Update policies are platform-specific, meaning separate policies exist for Windows, Mac, and Linux sensors. The official Sensor Update Policies guidance states that administrators use these policies to control the update process for sensors on hosts, and that each host is assigned to a sensor policy based on host group membership. It then specifies that there are separate sensor update policies for separate platforms: Windows, Mac, and Linux. Therefore, a single sensor update policy cannot be universally applied across all operating systems. Windows does not share update policies with macOS, and macOS does not share update policies with Linux. Linux kernel compatibility is an important deployment consideration, but it does not mean Windows and Mac share one policy family while Linux alone has a different model. The correct CCFA principle is that sensor update management is performed per supported platform, then targeted to host groups within that platform. Reference topics: Sensor Deployment, Sensor Update Policies, platform-specific sensor management, host group policy assignment.

Red Hat Enterprise Linux is an operating system distribution and version family, so the most precise Host Management filter is OS version . Platform would generally distinguish broad operating system families such as Windows, macOS, or Linux, but it would not narrow results specifically to RHEL. Type identifies host form factor or role, such as desktop, server, or domain controller. OU refers to Active Directory organizational unit membership, which applies to directory-joined assets rather than Linux distribution identity. The course guide’s Host Management and dynamic grouping filter list identifies OS Version as the field used for the installed operating system version. Therefore, to locate RHEL systems, OS version is the most appropriate filter.

Sensor health reporting provides current operational status of sensors. Its purpose is to help administrators identify whether sensors are online, offline, in reduced functionality, properly reporting, or otherwise in a state requiring attention. User login history belongs to account or identity-related telemetry, not sensor health. Local performance metrics may be relevant during troubleshooting but are not the primary sensor health report objective. Network traffic patterns are investigated through event search, network telemetry, or other dashboards, not basic sensor health. CCFA dashboards and reports topics emphasize using sensor health and sensor reports to monitor deployment status, operational readiness, sensor connectivity, and coverage across the environment so that administrators can quickly locate hosts requiring remediation.

The correct retention period is 45 days . In Falcon Host Management, a host becomes inactive when its sensor no longer sends heartbeat communication back to the CrowdStrike cloud. Inactive status is identified by the host’s Last Seen timestamp, allowing administrators to determine when the endpoint last communicated. Falcon automatically removes hosts that remain inactive for more than 45 days from both the Host Management page and the Trash page. This behavior prevents stale endpoint records from remaining indefinitely in the operational console while still giving administrators time to review, delete, restore, or investigate host records before they age out. The 60-day, 75-day, and 90-day options do not match the documented Falcon host lifecycle. This topic belongs to Host Management and Setup, specifically inactive host cleanup, deleted host handling, Trash retention, and endpoint lifecycle management.

The likely restriction is that Custom Scripts is not enabled in the response policy. RTR permissions are controlled by both user role and response policy. An Active Responder can run certain custom scripts when the host’s response policy permits Custom Scripts. If that setting is disabled, the user may have the correct RTR role but still be blocked from executing the script on that host. Put-and-Run is associated with uploading and running executables and is broader than the custom-script control. Script-Based Execution Monitoring is a prevention visibility setting, not an RTR permission. RTR Administrator is required for creating custom scripts and some higher-risk actions, but an Active Responder can execute allowed custom scripts when policy permits.

When a Linux sensor enters RFM, it stops processing both events and detections, but it continues sending basic status information such as SensorHeartBeat events to indicate that the sensor is installed. Linux RFM is more restrictive than Windows RFM. On Windows, the sensor may still monitor and report at reduced capacity, but on Linux, unsupported kernel or user-mode requirements can result in no detections or process events. The course guide explains that Linux sensors in RFM do not have detections or process events but continue to send heartbeat status. Therefore, the correct answer is that event and detection processing stop, while basic status continues.

A sensor with no applicable custom host group assignment receives the Default policy . Sensor update policies follow the same basic host group and precedence pattern used throughout Falcon policy management. If a host is included in a group assigned to a higher-precedence sensor update policy, that policy applies. If it does not match any assigned custom policy, Falcon falls back to the default sensor update policy. The top-precedence policy only applies when the host belongs to a host group assigned to that policy. Auto N-1 is a possible version-selection strategy within a policy, not the automatic fallback policy assignment. This is why the course emphasizes reviewing default policy settings carefully before broad deployment.

After clicking Disable Detections for a host, detections for that host are removed from the console immediately, and new detections do not display going forward unless detections are re-enabled. This action suppresses console detection visibility for the host; it does not uninstall the sensor or stop the sensor from operating. Existing detection data remains available in Event Search, but it is removed from the Endpoint detections console view. This distinction is important: disabling detections affects detection display and DetectionSummaryEvent behavior, not all telemetry collection or prevention policy processing. The course guide contrasts this with deleting a host, where prior detections remain visible. For Disable Detections specifically, the immediate console effect is removal of detections.

Excluding mobile devices, Falcon network containment applies to Windows, Linux, and macOS hosts running the Falcon sensor . Network containment is a host-level response action that restricts a system’s network connectivity while maintaining required communication with CrowdStrike cloud services. Falcon allows administrators to contain hosts directly from host or detection workflows, and the official guidance states that Windows, Mac, and Linux hosts can be contained from the detection summary panel. Falcon Container is not the correct inclusion here because the documentation notes that Falcon Container does not support network containment for pods. Therefore, any answer including container hosts is overbroad. Windows-only, Mac-only, or Linux-only combinations are incomplete because Falcon supports containment across the three primary endpoint operating systems. The practical requirement is that the endpoint must be running the Falcon sensor and must be a supported host type for containment. Reference topics: Host Management and Setup, Network Containment, Containment Actions, Supported Host Platforms.

Hosts that have been offline for ten minutes or longer can be found in Host Management . Host Management provides operational host state, including whether a host is online, offline, contained, inactive, or in Reduced Functionality Mode. The ten-minute threshold is associated with the console’s host online/offline status behavior. Sensor Coverage Dashboard is useful for higher-level deployment coverage analysis, but Host Management is the direct place to find and filter host state. Host Groups are used to organize hosts and assign policies, not primarily to identify current connectivity state. The CCFA Host Management topic focuses on using the Host Management page to search, filter, and act on endpoints based on current sensor status and host attributes.

The best approach is to create a dynamic group with an assignment rule that filters for the OU . Because the OU is expected to gain members over time, dynamic membership ensures that new hosts automatically enter the appropriate group when their Active Directory OU attribute matches the rule. Targeting only Windows 10 would be imprecise because it would include hosts outside the intended OU and miss non-Windows-10 systems in scope. Excluding the OU is the opposite of the requirement. CCFA group creation guidance emphasizes dynamic groups for membership that should follow changing attributes such as OU, OS version, platform, tags, or host type. This supports scalable policy and exclusion assignment without manual updates.

The best field to filter by for Domain Controllers is Type . In Host Management, the Type field identifies the host category, including desktop, server, or domain controller. This makes it the most direct and precise field for locating domain controllers before reviewing their sensor version information. Sensor Version is useful after the correct host population has been identified, but filtering by Sensor Version alone would group systems by Falcon sensor build, not by whether they are domain controllers. Platform filters by broad operating system family, such as Windows, macOS, or Linux, and OS Version filters by the installed operating system version, neither of which uniquely identifies domain controllers. The course guide’s host filter descriptions explicitly define Type as “Desktop, server or domain controller OS” and Sensor Version as the version of Falcon sensor installed on the host. Therefore, the correct workflow is to filter by Type = Domain Controller, then review or sort the Sensor Version field for those matching hosts. Reference topics: Host Management filters, host type, sensor version review.

The configuration is applied in the Containment Policy . Network containment restricts endpoint network activity to isolate a potentially compromised host, but Falcon allows administrators to define specific IP addresses that contained hosts may still communicate with. The official guidance states that on the Containment Policy page, administrators can allow IP addresses over which hosts will always be permitted to communicate, even when contained. This is commonly used for tightly controlled resources such as patching systems, remediation infrastructure, or other trusted internal services needed during response. IP Allowlist Management is different: it controls which source IP addresses may access the Falcon console or API, not which destinations a contained host may reach. Response Policies control Real Time Response command permissions, and Maintenance Tokens relate to sensor uninstall or maintenance operations. Therefore, the correct CCFA topic alignment is Policy Application, specifically Network Containment and Containment Policy configuration.

The correct action is to use the built-in Fusion SOAR OverWatch detection remediation and prioritization playbook. This playbook is specifically designed to automate response when Falcon OverWatch flags an endpoint detection. The documented workflow actions include setting the endpoint detection status to In Progress, containing the device where the detection occurred, adding associated identity and endpoint context to watchlists when applicable, and sending an email notification. This directly satisfies leadership’s requirement for immediate containment and notification of the appropriate internal staff. Emailing the OverWatch team is not the correct operational response because OverWatch has already generated the detection; the customer SOC or incident response team must be notified. Creating a new detection is also incorrect because the detection already exists. Blocking the detection is not a valid response action; containment is the host-level control. Reference topics: Fusion SOAR Playbooks, OverWatch Detection Remediation and Prioritization, Host Containment Automation.

For a known false positive that is being blocked or quarantined, the best IOC action is Allow . In Falcon IOC Management, Allow is used to add known-good indicators to the allowlist so that Falcon does not continue treating them as malicious. Detect Only would continue generating visibility but would not necessarily resolve the operational disruption if the object is still being blocked by another setting. Prevent would explicitly block execution and is the opposite of the desired outcome. No action would leave the false positive unresolved. The CCFA policy and exclusions model emphasizes using the correct exclusion or allowlisting mechanism after validation. For hash-based or IOC-driven false positives, Allow is the direct remediation path.

The most stable automatic update setting is Auto-N-2 . Falcon sensor update policy options allow administrators to choose how aggressively hosts receive new sensor builds. Auto-Latest provides the newest version fastest, while Auto-N-1 lags one version behind. Auto-N-2 lags further behind and is therefore the most conservative automatic option because the build has had more time in the field before broad adoption. A pinned version can be stable temporarily, but it is not an automatic update level and can become outdated if not managed carefully. The course guide notes that Auto-N-1 and Auto-N-2 remain on known stable sensor versions and are designed to reduce update risk compared with latest-version deployment.