Pass the CrowdStrike CrowdStrike Falcon Certification Program CCFA-200b Questions and answers with CertsForce

When an API client is created in Falcon, the generated credential pair is the Client ID and Secret . These two values identify and authenticate the integration when it requests access to Falcon APIs. The official API client workflow directs administrators to go to Support and resources > Resources and tools > API clients and keys, create the API client, assign the required scopes, and then copy the client ID and secret from the API client created dialog. The secret must be stored securely because it is not visible again after the credential window is closed. Customer ID or CID is used for tenant and sensor-related identification, not API authentication. OAuth2 tokens are generated later by using the client ID and secret; they are not the initial credential pair. Reference topics: User Management, API clients and keys, OAuth2-based API authentication, third-party integration credentials.

The correct method is to use IOC Management , add the hashes as custom IOCs, set the action to Block , and ensure the applicable prevention policy has Custom Blocking enabled under Execution Blocking. Hash-based blocking is an IOC Management function. Prevention policies do not create “IOC Policies” in the way the distractors describe; instead, prevention policies must include the setting that enforces custom blocking. Setting hashes to Block without enabling the relevant policy capability may fail to enforce the intended behavior on hosts. The CCFA rule configuration and policy application topics emphasize that IOC Management defines the custom indicators and actions, while prevention policy settings determine whether those actions are enforced on endpoints.

Inactive hosts are automatically removed from Host Management after 45 days of inactivity. Falcon considers hosts inactive when they have not reported to the cloud within the relevant timeframe. The Inactive Sensors reporting area is used to identify sensors that have not checked in, and the course guide notes that sensors inactive for more than 45 days are deleted from the active host view. This lifecycle behavior keeps Host Management from accumulating stale endpoint records indefinitely. Thirty days is too short for the default automatic removal period, and ninety days is longer than the documented default. Administrators should review inactive sensors regularly to identify decommissioned systems, connectivity problems, or deployment coverage gaps before records age out.

Network containment isolates a host from normal network communication to prevent lateral movement and attacker-controlled access. By default, a contained host cannot reach patching infrastructure, so operating system patch jobs fail unless specific exceptions are added. The Falcon configuration point for this is the Containment Policy , where administrators allowlist specific IP addresses that contained hosts may continue to communicate with. The official guidance states that to install patches on network-contained hosts, administrators must add the IP address of the Windows Update source or patching source to the environment’s containment policy. FQDN allowlisting is not the correct answer in this context; the supported containment exception is IP-based. Removing containment would restore connectivity but would also eliminate the protective isolation during a zero-day remediation scenario. Firewall Policy is not the control that governs Falcon network containment exceptions. Reference topics: Network Containment, Containment Policy, Patch Windows Hosts, Policy Application.

After clicking Disable Detections for a host, detections for that host are removed from the console immediately, and new detections do not display going forward unless detections are re-enabled. This action suppresses console detection visibility for the host; it does not uninstall the sensor or stop the sensor from operating. Existing detection data remains available in Event Search, but it is removed from the Endpoint detections console view. This distinction is important: disabling detections affects detection display and DetectionSummaryEvent behavior, not all telemetry collection or prevention policy processing. The course guide contrasts this with deleting a host, where prior detections remain visible. For Disable Detections specifically, the immediate console effect is removal of detections.

The likely cause is that the laptop is not a member of a host group assigned to the custom prevention policy. Falcon policies are applied through host group membership and policy precedence. A policy must be enabled and assigned to one or more host groups; Falcon then applies the policy settings to hosts based on their group membership. If a host is not in any group assigned to an enabled custom policy, it automatically receives the Default Policy. Since the custom policy is already enabled and successfully running on more than 1,000 other hosts, the policy itself is functioning correctly. The issue is therefore not sensor health, firewall connectivity, or a manual prompt. Falcon does not require a 24-hour waiting period before applying custom policies to newly installed hosts, and administrators do not manually approve policy application on the endpoint through a local prompt. The resolution is to verify the laptop’s group membership, dynamic group criteria, tags, OU, hostname pattern, or other assignment rule used by the custom policy’s host group. Reference topics: Policy Application, host group membership, default policy fallback, prevention policy assignment.

To quarantine files, Falcon requires the relevant Next-Gen Antivirus prevention capability and the quarantine setting. The correct pairing is Next-Gen Antivirus Prevention sliders with Quarantine & Security Center Registration . Quarantine does not operate independently; Falcon must first prevent the file through NGAV-related controls such as cloud or sensor machine-learning prevention. Once prevention occurs, the quarantine setting governs whether the prevented executable is quarantined on the host. Custom Execution Blocking is related to IOC-based blocking, not the general NGAV quarantine requirement. “Advanced Remediation Actions” and an “Aggressive quarantine level” are not the documented configuration pair. The course guide identifies quarantine under Next-Gen Antivirus and ties it to prevention-level configuration and Security Center registration.

To patch a network-contained host, create or update a Containment Policy that allowlists the specific IP addresses of the patch management or update sources. Containment blocks most network traffic by design, so update jobs fail unless the required update infrastructure is explicitly permitted. The course guide calls out IP addresses for Windows Update or update sources, not FQDN-based allowlisting, as the supported containment-policy exception method. Content update policies are unrelated to allowing host network traffic during containment. IP Allowlist Management controls administrative access to Falcon from specific source IPs; it does not permit contained endpoints to reach patch servers. Therefore, the containment policy must allow the patch infrastructure IPs.

When a Linux sensor enters RFM, it stops processing both events and detections, but it continues sending basic status information such as SensorHeartBeat events to indicate that the sensor is installed. Linux RFM is more restrictive than Windows RFM. On Windows, the sensor may still monitor and report at reduced capacity, but on Linux, unsupported kernel or user-mode requirements can result in no detections or process events. The course guide explains that Linux sensors in RFM do not have detections or process events but continue to send heartbeat status. Therefore, the correct answer is that event and detection processing stop, while basic status continues.

The correct action is to temporarily disable detections for the server in Host Management and re-enable them after the penetration test is complete. Falcon’s Disable Detections function is specifically useful for test hosts when administrators want to prevent test detections from cluttering the Endpoint detections console. When detections are disabled, detections for that host are removed from the console immediately, and no new detections from that host display until detections are enabled again. This does not uninstall the sensor, and the sensor continues to operate normally with prevention policies, custom IOA rules, exclusion rules, and other controls still processed. Creating a workflow to email the SOC would increase noise rather than reduce it. Permanently disabling detections creates unnecessary long-term blind spots. Deleting detections and containing the server is also inappropriate because the activity is authorized testing, not necessarily an incident requiring containment. Reference topics: Host Management, Disable Detections, endpoint detection suppression, penetration test handling.