Free CrowdStrike CCFA-200b Practice Exam with Questions & Answers | Set: 3

The combined maximum length of all sensor grouping tags is 256 characters , including comma separators. Grouping tags are assigned during installation using the appropriate installer parameter and can later be used in Host Management and dynamic host group rules. Because multiple tags can be applied to a host, Falcon enforces a combined-length limit across all tags rather than only a per-tag limit in this context. Exceeding this value can cause installation or tagging behavior to fail or produce incomplete tag assignment. The other choices are not the documented maximum. CCFA sensor deployment guidance specifically states that when using multiple tags, the combined length of all tags for a host, including comma separators, cannot exceed 256 characters.

The most stable automatic update setting is Auto-N-2 . Falcon sensor update policy options allow administrators to choose how aggressively hosts receive new sensor builds. Auto-Latest provides the newest version fastest, while Auto-N-1 lags one version behind. Auto-N-2 lags further behind and is therefore the most conservative automatic option because the build has had more time in the field before broad adoption. A pinned version can be stable temporarily, but it is not an automatic update level and can become outdated if not managed carefully. The course guide notes that Auto-N-1 and Auto-N-2 remain on known stable sensor versions and are designed to reduce update risk compared with latest-version deployment.

When a Linux sensor enters RFM, it stops processing both events and detections, but it continues sending basic status information such as SensorHeartBeat events to indicate that the sensor is installed. Linux RFM is more restrictive than Windows RFM. On Windows, the sensor may still monitor and report at reduced capacity, but on Linux, unsupported kernel or user-mode requirements can result in no detections or process events. The course guide explains that Linux sensors in RFM do not have detections or process events but continue to send heartbeat status. Therefore, the correct answer is that event and detection processing stop, while basic status continues.

The likely restriction is that Custom Scripts is not enabled in the response policy. RTR permissions are controlled by both user role and response policy. An Active Responder can run certain custom scripts when the host’s response policy permits Custom Scripts. If that setting is disabled, the user may have the correct RTR role but still be blocked from executing the script on that host. Put-and-Run is associated with uploading and running executables and is broader than the custom-script control. Script-Based Execution Monitoring is a prevention visibility setting, not an RTR permission. RTR Administrator is required for creating custom scripts and some higher-risk actions, but an Active Responder can execute allowed custom scripts when policy permits.

The most likely reason the “Servers” host group is not available is that it is already assigned to another prevention policy. Falcon prevention policies are applied to hosts through host groups. When assigning host groups to a prevention policy, the console only presents groups that are currently available for assignment. The official prevention policy workflow states that after a host group is assigned to a policy, that host group no longer appears in the list of available groups. This prevents accidental duplicate assignment within the same policy assignment workflow and helps preserve predictable policy targeting. The group does not need to be disabled before assignment, and host type is not defined inside the prevention policy itself. The policy also does not need to be enabled before groups can be assigned; assignment can be configured before enabling the policy. Therefore, the unavailable “Servers” group indicates that it already has a prevention policy assignment. Reference topics: Policy Application, Prevention Policies, Assigned Host Groups, Host Group Policy Assignment.

Sensor health reporting provides current operational status of sensors. Its purpose is to help administrators identify whether sensors are online, offline, in reduced functionality, properly reporting, or otherwise in a state requiring attention. User login history belongs to account or identity-related telemetry, not sensor health. Local performance metrics may be relevant during troubleshooting but are not the primary sensor health report objective. Network traffic patterns are investigated through event search, network telemetry, or other dashboards, not basic sensor health. CCFA dashboards and reports topics emphasize using sensor health and sensor reports to monitor deployment status, operational readiness, sensor connectivity, and coverage across the environment so that administrators can quickly locate hosts requiring remediation.

Third-party integrations require an API Client and Secret Key . Falcon API access is configured by creating an API client with the required scopes, then securely storing the generated client ID and secret. The integration uses those credentials to request OAuth2 tokens and interact with the Falcon APIs according to the assigned scopes. An OAuth2 token is obtained after the client credentials are created; it is not the first credential combination generated. “Access Key and Secret Key” resembles cloud provider terminology, while “Integration Key and Customer ID” is not the standard Falcon API credential pair. The CCFA user and API management material emphasizes creating scoped API clients and protecting the secret because it is shown only at creation time.

Because the alert is triggering on a specific Falcon IOA, the correct remediation is to create an IOA exclusion scoped to the relevant file path or behavior. IOA exclusions are specifically intended to reduce false-positive behavioral detections and preventions. A generic file exclusion may be too broad or may not suppress the behavioral IOA. A Custom IOC Allow is more appropriate for hash or indicator-based decisions, not a behavior-based detection. Creating a separate host group with a less restrictive policy weakens protection across development systems and is unnecessarily broad. CCFA guidance favors the narrowest effective exception, applied to the specific detection logic and path involved. Therefore, an IOA exclusion is the correct administrative control.

The most accurate ML exclusion pattern is Program Files\Software\**\*.exe. Falcon prevention policy exclusions use glob syntax, and Windows exclusion paths are written without the drive name and without a leading backslash. The pattern must therefore begin at Program Files\Software\, not C:\Program Files\Software\. A single asterisk pattern such as Program Files\Software\*.exe matches only .exe files directly inside the Software folder and does not include subfolders. The double-asterisk pattern with a path separator, **\*.exe, is the correct recursive construction because it matches executable files within the target folder and its subdirectories. **\*.exe by itself is overly broad because it could match executable files in many locations, not just the Software directory. Program Files\Software\**.exe is less precise than the documented recursive executable pattern. Reference topics: Rule Configuration, Machine Learning Exclusions, Prevention Policy Exclusions, Glob Syntax.

The primary concern with Windows RFM is that sensors do not have full visibility into all events occurring on the host. In Windows RFM, the sensor continues operating at reduced capacity and can still report events and trigger detections, but it temporarily unhooks from some kernel elements. Without those kernel elements, some detection patterns and a small number of preventions may not trigger. The host is not necessarily offline, powered off, or unable to communicate with the cloud. RFM is also not the same as an operating system crash; it is a protective compatibility state. The CCFA sensor deployment topic emphasizes that RFM reduces visibility and prevention coverage, which is why administrators should identify and remediate RFM hosts promptly.