Free CrowdStrike CCFA-200b Practice Exam with Questions & Answers

The correct Windows prevention policy setting is Suspicious Scripts and Commands . This setting focuses on detecting suspicious or malicious script and shell command activity. It is aligned with Falcon’s behavioral detection model for activity occurring through interpreters and command shells, where adversaries commonly use PowerShell, command prompts, scripts, and living-off-the-land techniques. Script-based execution visibility increases visibility into script execution, but the question asks about monitoring shell contents for execution of malicious content, which maps to Suspicious Scripts and Commands. Enhanced exploitation visibility and additional user mode data visibility provide other telemetry and exploit-related coverage but are not the specific shell-content monitoring setting. CCFA prevention policy topics distinguish visibility settings from detection/prevention settings that identify suspicious command behavior.

The correct location is the Workflow Execution log. Fusion SOAR separates configuration change history from workflow run history. The Workflow Audit log is used to review changes made to workflows, such as edits, versions, or modifications by users. The Execution log is the operational record of workflow activity. It shows every time workflows are triggered, along with execution date, execution status, trigger, action, and workflow name. It also allows administrators to inspect execution details, including whether the workflow completed successfully, failed, or is still in progress. The course guide states that administrators should go to Fusion workflows > Execution log to review each workflow execution and examine where a workflow may have failed. This makes it the correct source for success and failure history. Falcon UI Audit Trail is broader administrative auditing, and Custom Alert History is not the Fusion SOAR execution history location. The correct CCFA topic alignment is Workflows, specifically Fusion SOAR monitoring and execution review.

The fastest method is to use the Host Management page and apply the filter for inactive hosts. Sorting by Last Seen can help, but it is less direct and may require additional interpretation. Exporting host data to CSV is useful for offline reporting but is slower and unnecessary for immediate console triage. Searching for hosts with no Agent ID is incorrect because Falcon-managed hosts have Agent IDs; an inactive sensor is not the same thing as a missing AID. CCFA host management workflows emphasize using built-in filters for operational triage, including inactive, contained, RFM, platform, OS version, tags, and other host attributes. The Inactive Sensors report can also help, but within the answer choices, filtering Host Management is the direct operational answer.

The correct setting is Moderate Level ML . Falcon’s prevention policy guidance recommends Moderate for most use cases, and the staged deployment model for environments with pre-existing antivirus begins with Phase 1, where machine-learning prevention is conservative while detection is used to triage and tune. The important CCFA concept is not to begin with Extra Aggressive or Aggressive prevention on a newly deployed host with another antivirus product, because that increases false-positive and compatibility risk. Cautious detects only when confidence is very high, but Falcon’s recommended baseline for practical protection is Moderate. The course guide states that Moderate detects or prevents when the machine-learning system has moderate confidence and is recommended for most use cases, while Extra Aggressive is not recommended outside penetration testing scenarios.

To quarantine files on the host, Falcon requires the relevant Next-Gen Antivirus prevention capability and Quarantine & Security Center Registration . Quarantine occurs after files are prevented by NGAV, so Falcon must first be configured to detect and prevent malicious executable content using the Next-Gen Antivirus prevention sliders, such as Cloud Machine Learning and Sensor Machine Learning prevention levels. The Quarantine & Security Center Registration setting then allows Falcon to quarantine executable files after NGAV prevention. On Windows workstations, enabling this setting also registers Falcon with Windows Security Center and can disable Microsoft Defender automatically. Malware Protection and Custom Execution Blocking relate to different prevention mechanisms, especially IOC-based blocking, but they are not the required pairing for NGAV quarantine. Behavior-Based Threat Prevention and Advanced Remediation Actions are also not the required quarantine configuration. Reference topics: Prevention Policy Settings, Next-Gen Antivirus, Quarantine, Quarantine & Security Center Registration.

IP addresses are added to a containment policy to allow contained hosts to communicate with specific trusted resources during network containment. Network containment isolates the host to reduce attacker movement while maintaining required Falcon cloud communication. Organizations may need contained hosts to access patch servers, update sources, remediation infrastructure, domain services, or other tightly controlled internal systems. The purpose is not to automate containment based on IP address; automation is handled through workflows. Analyst permissions are controlled by user roles, not containment policy IP entries. Falcon console access is unrelated because containment policy applies to endpoint network communication, not administrative access to the web console. The course guide explicitly connects containment-policy IP allowances with patching and controlled access during containment.

Red Hat Enterprise Linux is an operating system distribution and version family, so the most precise Host Management filter is OS version . Platform would generally distinguish broad operating system families such as Windows, macOS, or Linux, but it would not narrow results specifically to RHEL. Type identifies host form factor or role, such as desktop, server, or domain controller. OU refers to Active Directory organizational unit membership, which applies to directory-joined assets rather than Linux distribution identity. The course guide’s Host Management and dynamic grouping filter list identifies OS Version as the field used for the installed operating system version. Therefore, to locate RHEL systems, OS version is the most appropriate filter.

Falcon uses role-based access control. Permissions are enabled inside roles, and then those roles are assigned to users. This allows administrators to apply least privilege by creating roles that contain only the specific permissions required for a task or module. Users do not receive all permissions by default, and permissions are not generally assigned one-by-one directly to users as a primary model. The role defines what actions can be performed, such as managing users, editing policies, creating exclusions, managing custom IOAs, or using RTR capabilities. The course guide explains that custom roles are built by enabling the required permission groups and disabling unrelated permissions. This supports operational separation of duties and auditability.

The workflow must be tied to an Event trigger for EPP detections and refined with conditions that identify the pentest host, such as hostname or Agent ID. A workflow that assigns all EPP detections to yourself would be overly broad and would affect unrelated detections. The question asks for detections related to your pentest, which requires trigger refinement. Creating an alert is not the preferred Falcon Fusion automation path, and creating an IOC for the host is conceptually incorrect because IOCs represent indicators such as hashes, domains, IPs, or file names, not assignment logic. Fusion SOAR conditions use parameters, operators, and values to filter when a workflow should execute. Once matched, the workflow action can assign the detection to the appropriate analyst.

Sensor Tampering Protection is the prevention policy setting that blocks attempts to interfere with core Falcon sensor components. The official prevention policy guidance states that when this setting is enabled, it “blocks attempts to tamper with the sensor” and protects “sensor-related files, folders and registry objects from renaming or deletion.” If disabled, Falcon may still create detections for tampering attempts, but it will not block the activity. This distinction is important because attackers commonly attempt to disable or corrupt endpoint security tooling before establishing persistence, evading detection, or executing payloads. Host Modification Protection, System Configuration Protection, and Sensor Modification Protection are not the named Falcon prevention setting for this control. The correct CCFA topic alignment is Policy Application, specifically Prevention Policy Settings > Sensor Capabilities > Sensor Tampering Protection.