Free Practice Questions for CrowdStrike CCFA-200b Exam

The Real Time Response audit log records operational details about RTR sessions, including who connected, which host was accessed, when the session began, how long it lasted, which commands were run, and files retrieved through RTR activity. The course guidance describes the RTR sessions audit log as a history of recorded activity for the CID’s Real Time Response sessions. It includes session start time, session status, user, hostname, connected-from source, commands used, and session duration. Session details also include host details, retrieved files, and detections, with command history subject to specific exclusions such as help, clear, and history, which are not recorded. Option A describes host inventory and policy context rather than RTR session auditing. Option B is incomplete and emphasizes command return results, which is not the core listed audit-log summary. Option D is incorrect because RTR activity is explicitly collected in audit logs. CCFA reference topics: Real Time Response, RTR Audit Logs, Session Details, Host Management and Setup.

The correct retention period is 45 days . In Falcon Host Management, a host becomes inactive when its sensor no longer sends heartbeat communication back to the CrowdStrike cloud. Inactive status is identified by the host’s Last Seen timestamp, allowing administrators to determine when the endpoint last communicated. Falcon automatically removes hosts that remain inactive for more than 45 days from both the Host Management page and the Trash page. This behavior prevents stale endpoint records from remaining indefinitely in the operational console while still giving administrators time to review, delete, restore, or investigate host records before they age out. The 60-day, 75-day, and 90-day options do not match the documented Falcon host lifecycle. This topic belongs to Host Management and Setup, specifically inactive host cleanup, deleted host handling, Trash retention, and endpoint lifecycle management.

Network containment isolates a host from normal network communication to prevent lateral movement and attacker-controlled access. By default, a contained host cannot reach patching infrastructure, so operating system patch jobs fail unless specific exceptions are added. The Falcon configuration point for this is the Containment Policy , where administrators allowlist specific IP addresses that contained hosts may continue to communicate with. The official guidance states that to install patches on network-contained hosts, administrators must add the IP address of the Windows Update source or patching source to the environment’s containment policy. FQDN allowlisting is not the correct answer in this context; the supported containment exception is IP-based. Removing containment would restore connectivity but would also eliminate the protective isolation during a zero-day remediation scenario. Firewall Policy is not the control that governs Falcon network containment exceptions. Reference topics: Network Containment, Containment Policy, Patch Windows Hosts, Policy Application.

The Customer ID with Checksum, often referred to as the CID or CCID/CIDC, is required when installing a new Falcon Sensor so the sensor can register to the correct Falcon customer environment. The deployment guidance repeatedly instructs administrators to copy the Customer ID checksum from Host setup and management > Deploy > Sensor downloads before running sensor installation. For macOS, the installer workflow requires running falconctl license with the customer ID checksum after installation. For Windows installations, the installer requires the Customer ID with Checksum value obtained from the Sensor downloads page. This value is not used to locate a host in Host Management, and it is not the normal control for defining host group criteria. Sensor uninstallation is controlled by maintenance tokens or uninstall protection settings, not CIDC. Reference topics: Sensor Deployment, Sensor downloads, Customer ID checksum, Windows and macOS sensor installation.

Fusion SOAR workflows are built around the operational sequence of Trigger, Condition, and Action . The trigger defines the Falcon event or schedule that starts the workflow. The condition refines when the workflow should proceed by evaluating event attributes, such as severity, hostname, detection type, source, status, or other parameters. The action defines what Falcon should do after the trigger occurs and the condition is satisfied, such as assigning a detection, sending a notification, containing a host, creating a ticket, or running a response action. The official workflow guidance describes creating workflows by choosing a trigger, adding conditions to refine the trigger, and defining actions that run when the exact trigger conditions are met. Rule Type, Filter, and Objective are not the Fusion workflow execution structure. Those terms are more closely associated with detection logic or classification, not workflow automation. Reference topics: Fusion SOAR workflows, workflow triggers, workflow conditions, workflow actions.

The required upload format is TXT . Static host groups can be populated by selecting hosts in the console, manually entering hostnames or host IDs, or uploading a text file. Falcon supports adding hosts by host ID or hostname depending on whether the static group was created as “Static by host ID” or “Static by hostname.” The uploaded TXT file must contain only host IDs or only hostnames, with each entry separated by a new line. This method supports adding up to 1,000 hosts at a time, so uploading 500 servers is within the supported limit. XLSX, PDF, and JSON are not the documented upload formats for static host group membership. The course guide also notes that static groups are useful for controlled testing scenarios, such as validating a newly created sensor update policy against a specific set of hosts. Reference topics: Group Creation, Static Host Groups, Upload Hosts, Host ID and Hostname Assignment.

After clicking Disable Detections for a host, detections for that host are removed from the console immediately, and new detections do not display going forward unless detections are re-enabled. This action suppresses console detection visibility for the host; it does not uninstall the sensor or stop the sensor from operating. Existing detection data remains available in Event Search, but it is removed from the Endpoint detections console view. This distinction is important: disabling detections affects detection display and DetectionSummaryEvent behavior, not all telemetry collection or prevention policy processing. The course guide contrasts this with deleting a host, where prior detections remain visible. For Disable Detections specifically, the immediate console effect is removal of detections.

For a known false positive that is being blocked or quarantined, the best IOC action is Allow . In Falcon IOC Management, Allow is used to add known-good indicators to the allowlist so that Falcon does not continue treating them as malicious. Detect Only would continue generating visibility but would not necessarily resolve the operational disruption if the object is still being blocked by another setting. Prevent would explicitly block execution and is the opposite of the desired outcome. No action would leave the false positive unresolved. The CCFA policy and exclusions model emphasizes using the correct exclusion or allowlisting mechanism after validation. For hash-based or IOC-driven false positives, Allow is the direct remediation path.

The correct location is the Workflow Execution log. Fusion SOAR separates configuration change history from workflow run history. The Workflow Audit log is used to review changes made to workflows, such as edits, versions, or modifications by users. The Execution log is the operational record of workflow activity. It shows every time workflows are triggered, along with execution date, execution status, trigger, action, and workflow name. It also allows administrators to inspect execution details, including whether the workflow completed successfully, failed, or is still in progress. The course guide states that administrators should go to Fusion workflows > Execution log to review each workflow execution and examine where a workflow may have failed. This makes it the correct source for success and failure history. Falcon UI Audit Trail is broader administrative auditing, and Custom Alert History is not the Fusion SOAR execution history location. The correct CCFA topic alignment is Workflows, specifically Fusion SOAR monitoring and execution review.

The correct setting is Moderate Level ML . Falcon’s prevention policy guidance recommends Moderate for most use cases, and the staged deployment model for environments with pre-existing antivirus begins with Phase 1, where machine-learning prevention is conservative while detection is used to triage and tune. The important CCFA concept is not to begin with Extra Aggressive or Aggressive prevention on a newly deployed host with another antivirus product, because that increases false-positive and compatibility risk. Cautious detects only when confidence is very high, but Falcon’s recommended baseline for practical protection is Moderate. The course guide states that Moderate detects or prevents when the machine-learning system has moderate confidence and is recommended for most use cases, while Extra Aggressive is not recommended outside penetration testing scenarios.