Free Practice Questions for CrowdStrike CCFA-200b Exam

A list of hosts that have not communicated with the CrowdStrike cloud is found in Inactive Sensors . The Inactive Sensors report identifies sensors that have not reported within a given timeframe and is intended for deployment coverage and operational health review. Host Groups organize systems for policy assignment but are not the report for cloud communication gaps. The Activity Dashboard focuses on detections, incidents, and security activity rather than sensor check-in status. Sensor Report provides an overview of active sensors, while Inactive Sensors specifically addresses hosts that have stopped reporting. CCFA dashboard and report guidance identifies Inactive Sensors as the report administrators use to locate endpoints that may be powered off, decommissioned, disconnected, or experiencing communication problems.

The workflow must be tied to an Event trigger for EPP detections and refined with conditions that identify the pentest host, such as hostname or Agent ID. A workflow that assigns all EPP detections to yourself would be overly broad and would affect unrelated detections. The question asks for detections related to your pentest, which requires trigger refinement. Creating an alert is not the preferred Falcon Fusion automation path, and creating an IOC for the host is conceptually incorrect because IOCs represent indicators such as hashes, domains, IPs, or file names, not assignment logic. Fusion SOAR conditions use parameters, operators, and values to filter when a workflow should execute. Once matched, the workflow action can assign the detection to the appropriate analyst.

The combined maximum length of all sensor grouping tags is 256 characters , including comma separators. Grouping tags are assigned during installation using the appropriate installer parameter and can later be used in Host Management and dynamic host group rules. Because multiple tags can be applied to a host, Falcon enforces a combined-length limit across all tags rather than only a per-tag limit in this context. Exceeding this value can cause installation or tagging behavior to fail or produce incomplete tag assignment. The other choices are not the documented maximum. CCFA sensor deployment guidance specifically states that when using multiple tags, the combined length of all tags for a host, including comma separators, cannot exceed 256 characters.

Sensor Tampering Protection is the prevention policy setting that blocks attempts to interfere with core Falcon sensor components. The official prevention policy guidance states that when this setting is enabled, it “blocks attempts to tamper with the sensor” and protects “sensor-related files, folders and registry objects from renaming or deletion.” If disabled, Falcon may still create detections for tampering attempts, but it will not block the activity. This distinction is important because attackers commonly attempt to disable or corrupt endpoint security tooling before establishing persistence, evading detection, or executing payloads. Host Modification Protection, System Configuration Protection, and Sensor Modification Protection are not the named Falcon prevention setting for this control. The correct CCFA topic alignment is Policy Application, specifically Prevention Policy Settings > Sensor Capabilities > Sensor Tampering Protection.

Inactive hosts are automatically removed from Host Management after 45 days of inactivity. Falcon considers hosts inactive when they have not reported to the cloud within the relevant timeframe. The Inactive Sensors reporting area is used to identify sensors that have not checked in, and the course guide notes that sensors inactive for more than 45 days are deleted from the active host view. This lifecycle behavior keeps Host Management from accumulating stale endpoint records indefinitely. Thirty days is too short for the default automatic removal period, and ninety days is longer than the documented default. Administrators should review inactive sensors regularly to identify decommissioned systems, connectivity problems, or deployment coverage gaps before records age out.

The correct answer is LMHosts and Windows Base Filtering Engine . The Windows sensor depends on certain Windows services being installed and running. The course guide identifies required services including LMHosts, Network Store Interface, Windows Base Filtering Engine, and Windows Power Service, with additional services depending on proxy and network configuration. Among the answer choices, LMHosts and BFE are both explicitly listed required services. Windows firewall and cloud connectivity are important connectivity considerations, but the question asks what services should be verified as installed and running. Network Store Interface is required, but Network List Service is not the documented pair in the provided option. Therefore, option A is the best match.

Excluding mobile devices, Falcon network containment applies to Windows, Linux, and macOS hosts running the Falcon sensor . Network containment is a host-level response action that restricts a system’s network connectivity while maintaining required communication with CrowdStrike cloud services. Falcon allows administrators to contain hosts directly from host or detection workflows, and the official guidance states that Windows, Mac, and Linux hosts can be contained from the detection summary panel. Falcon Container is not the correct inclusion here because the documentation notes that Falcon Container does not support network containment for pods. Therefore, any answer including container hosts is overbroad. Windows-only, Mac-only, or Linux-only combinations are incomplete because Falcon supports containment across the three primary endpoint operating systems. The practical requirement is that the endpoint must be running the Falcon sensor and must be a supported host type for containment. Reference topics: Host Management and Setup, Network Containment, Containment Actions, Supported Host Platforms.

The correct choice is to create a dynamic group with assignment criteria set to OS Version = Windows 10 . Dynamic host groups automatically add hosts when they match the assignment rule and automatically remove hosts when they no longer match. This is the correct group type when the requirement is to continuously include all applicable hosts across the environment without manual maintenance. Falcon’s host group documentation states that dynamic groups can use attributes such as grouping tags, IP/CIDR range, OS version, Active Directory OU, and hostname prefix or suffix, and that matching hosts are automatically added. Static groups would require manually adding each Windows 10 host and would not automatically include newly deployed Windows 10 systems. OS Type Workstation is also insufficient because it identifies a device type, not a specific operating system version. Reference topics: Group Creation, Dynamic Host Groups, Assignment Rules, OS Version Filtering.

Falcon supports standard IP address and CIDR-based notation when defining or searching network address ranges. CIDR notation represents an address and prefix length, such as 192.168.5.1/24, and is the correct structured format among the choices. The other answer choices contain malformed spacing, invalid separators, or unsupported range syntax. Falcon documentation specifically identifies CIDR notation as an accepted method for defining IP ranges, while also noting that single IP addresses and defined ranges may be used depending on the feature. In Host Management and related policy configuration areas, using valid address notation is critical because malformed IP syntax will either be rejected or fail to match hosts correctly. The correct answer is therefore the CIDR-formatted option, not the informal or incorrectly spaced alternatives.