Free CrowdStrike CCFA-200b Practice Exam with Questions & Answers | Set: 2

The first component configured when creating a Fusion SOAR workflow from scratch is the Trigger . Falcon workflows follow a trigger-condition-action model: the trigger determines what starts the workflow, the condition narrows execution logic, and the action defines what Falcon does after the workflow criteria are met. For a workflow involving critical vulnerabilities, the trigger is the event that initiates automation, such as Falcon detecting or receiving a vulnerability-related event. Only after the trigger is selected can the administrator add conditions, such as vulnerability severity equals Critical, and then define the action, such as generating an alert, creating a ticket, sending a notification, or initiating another response. The course guide describes this model using the exact example of critical vulnerabilities: Trigger is Falcon detecting an endpoint vulnerability, Condition is vulnerability severity of Critical, and Action is creating a ServiceNow incident. Therefore, Action and Condition are configured after the trigger, and Workflow Name is administrative metadata rather than the execution-starting component. Reference topics: Fusion SOAR workflows, trigger-condition-action model, vulnerability workflow automation.

The correct page is Sensor Health . The Sensor Health dashboard is designed to show Falcon sensor operational status across the environment and help administrators identify hosts running unsupported sensor versions, unsupported operating system versions, incorrect configurations, connectivity problems, and RFM conditions. The official guidance states that the Sensor Health dashboard includes information about “hosts that entered RFM each day” and clarifies that this shows hosts newly entering Reduced Functionality Mode, not the total number of hosts currently in RFM. This distinction matters because Sensor Health is used to track newly emerging sensor health issues over time, while Host Management can be used to filter for the current list of hosts in RFM. Hosts Overview and Activity Overview do not provide this specific daily RFM count. Support and resources is a navigation area, not the sensor health reporting dashboard. Reference topics: Dashboards and Reports, Sensor Health Dashboard, Reduced Functionality Mode, Sensor Operational Status.

The correct method is to use IOC Management , add the hashes as custom IOCs, set the action to Block , and ensure the applicable prevention policy has Custom Blocking enabled under Execution Blocking. Hash-based blocking is an IOC Management function. Prevention policies do not create “IOC Policies” in the way the distractors describe; instead, prevention policies must include the setting that enforces custom blocking. Setting hashes to Block without enabling the relevant policy capability may fail to enforce the intended behavior on hosts. The CCFA rule configuration and policy application topics emphasize that IOC Management defines the custom indicators and actions, while prevention policy settings determine whether those actions are enforced on endpoints.

The required role is Real Time Response - Administrator . RTR Administrator can create custom scripts, upload files for the put command, and perform higher-risk RTR operations that are not available to Active Responders. Active Responder can execute certain response actions and retrieve files, but it does not provide full script management capability. Workflow Author relates to Fusion SOAR workflows, not RTR script creation and sharing. Falcon Scripts Manager is not the correct default role in this context. The CCFA RTR topic separates roles into Read Only Analyst, Active Responder, and Administrator. Building, saving, and sharing custom scripts requires the administrative RTR capability, so RTR Administrator is the correct least role for that task.

Windows hosts commonly enter Reduced Functionality Mode when the Windows kernel changes and CrowdStrike has not yet certified that kernel for full sensor operation. This can happen after Microsoft updates. RFM is a protective mode that prevents compatibility problems while allowing the sensor to continue operating at reduced capacity. Loss of internet connectivity may affect cloud communication but does not by itself place the sensor in RFM. Network containment restricts network traffic but is unrelated to kernel compatibility. A sensor update policy issue could cause version drift, but RFM specifically relates to kernel support and sensor compatibility. The course guide explains that Windows RFM is most commonly tied to Microsoft updates and kernel certification status.

The best approach is to create a dynamic group with an assignment rule that filters for the OU . Because the OU is expected to gain members over time, dynamic membership ensures that new hosts automatically enter the appropriate group when their Active Directory OU attribute matches the rule. Targeting only Windows 10 would be imprecise because it would include hosts outside the intended OU and miss non-Windows-10 systems in scope. Excluding the OU is the opposite of the requirement. CCFA group creation guidance emphasizes dynamic groups for membership that should follow changing attributes such as OU, OS version, platform, tags, or host type. This supports scalable policy and exclusion assignment without manual updates.

Sensor updates are managed through sensor update policies assigned to host groups. Falcon uses host group membership to determine which policy applies to a host. Sensor update policies control whether hosts remain pinned to a specific version, automatically update to a relative version such as Auto - N-1 or Auto - N-2, or receive specific maintenance protections. Prevention policies control security behavior, not sensor versioning. Manual updates do not scale and are not the Falcon administrative model for enforcing consistent versions across many endpoints. Direct installation is only the initial deployment mechanism, not ongoing update governance. The course guide emphasizes using host groups and sensor update policies to control sensor maintenance at scale across Windows, macOS, and Linux platforms.

When an API client is created in Falcon, the generated credential pair is the Client ID and Secret . These two values identify and authenticate the integration when it requests access to Falcon APIs. The official API client workflow directs administrators to go to Support and resources > Resources and tools > API clients and keys, create the API client, assign the required scopes, and then copy the client ID and secret from the API client created dialog. The secret must be stored securely because it is not visible again after the credential window is closed. Customer ID or CID is used for tenant and sensor-related identification, not API authentication. OAuth2 tokens are generated later by using the client ID and secret; they are not the initial credential pair. Reference topics: User Management, API clients and keys, OAuth2-based API authentication, third-party integration credentials.

A list of hosts that have not communicated with the CrowdStrike cloud is found in Inactive Sensors . The Inactive Sensors report identifies sensors that have not reported within a given timeframe and is intended for deployment coverage and operational health review. Host Groups organize systems for policy assignment but are not the report for cloud communication gaps. The Activity Dashboard focuses on detections, incidents, and security activity rather than sensor check-in status. Sensor Report provides an overview of active sensors, while Inactive Sensors specifically addresses hosts that have stopped reporting. CCFA dashboard and report guidance identifies Inactive Sensors as the report administrators use to locate endpoints that may be powered off, decommissioned, disconnected, or experiencing communication problems.

When a host is network contained, Falcon restricts network communication while still allowing connectivity required for Falcon cloud operations. To permit patching or operating system update workflows during containment, administrators should add the IP addresses of trusted update sources to the containment policy. This is safer than allowing all internal IPs, which would weaken containment and potentially permit lateral movement. Host Firewall policy is not the correct control for containment exceptions, because containment policy governs traffic allowed while a host is isolated. Removing containment entirely would restore network access but would defeat the containment objective. The course guide specifically notes that patching contained hosts requires adding the Windows Update or patch source IP addresses to the containment policy.