CrowdStrike CrowdStrike Falcon Certification Program CCFA-200b Exam Dumps: Updated Questions & Answers (May 2026)

The Machine-Learning Prevention report is used to evaluate what Falcon would have blocked under different machine-learning prevention levels. The official reporting guidance describes Machine Learning Prevention as a report that lets administrators “view malware that would have been blocked in your environment during the last 30 days based on different Machine Learning Prevention settings,” including Cautious, Moderate, or Aggressive levels. This makes option C the precise answer. The report is not the quarantine management dashboard; quarantined files are reviewed and released from the Quarantined Files area. It is also not primarily a spike-analysis dashboard for active attacks, although unusual volume may support investigation. Option D is close in theme but inaccurate because the purpose is not to summarize aggressiveness settings and actual quarantine totals; it is to model prevention impact across ML settings. Reference topics: Dashboards and Reports, Machine Learning Prevention report, prevention policy tuning, ML prevention levels.

Because the detection is triggering only on a specific Falcon IOA, the correct remediation is an IOA exclusion scoped to the relevant detection context and file path. IOA exclusions are intended to reduce false-positive behavioral detections and preventions. Falcon guidance states that IOA exclusions “reduce false-positive detection alerts from IOAs” by stopping behavioral IOA detections and preventions, and they can be created directly from a CrowdStrike-generated detection or by duplicating an existing exclusion. A Custom IOC Allow would be appropriate for an indicator-based decision, such as a known-good hash, but this scenario is explicitly behavioral because the trigger is a Falcon IOA. Manually disabling the built-in IOA through prevention policies is too broad and weakens protection beyond the single development artifact. A sensor visibility exclusion would suppress sensor event visibility and is broader than required. CCFA reference topics: Detection and Prevention Policies, IOA Exclusions, Rule Configuration, false-positive handling.

Because the alert is triggering on a specific Falcon IOA, the correct remediation is to create an IOA exclusion scoped to the relevant file path or behavior. IOA exclusions are specifically intended to reduce false-positive behavioral detections and preventions. A generic file exclusion may be too broad or may not suppress the behavioral IOA. A Custom IOC Allow is more appropriate for hash or indicator-based decisions, not a behavior-based detection. Creating a separate host group with a less restrictive policy weakens protection across development systems and is unnecessarily broad. CCFA guidance favors the narrowest effective exception, applied to the specific detection logic and path involved. Therefore, an IOA exclusion is the correct administrative control.

The fastest method is to use the Host Management page and apply the filter for inactive hosts. Sorting by Last Seen can help, but it is less direct and may require additional interpretation. Exporting host data to CSV is useful for offline reporting but is slower and unnecessary for immediate console triage. Searching for hosts with no Agent ID is incorrect because Falcon-managed hosts have Agent IDs; an inactive sensor is not the same thing as a missing AID. CCFA host management workflows emphasize using built-in filters for operational triage, including inactive, contained, RFM, platform, OS version, tags, and other host attributes. The Inactive Sensors report can also help, but within the answer choices, filtering Host Management is the direct operational answer.

Third-party integrations require an API Client and Secret Key . Falcon API access is configured by creating an API client with the required scopes, then securely storing the generated client ID and secret. The integration uses those credentials to request OAuth2 tokens and interact with the Falcon APIs according to the assigned scopes. An OAuth2 token is obtained after the client credentials are created; it is not the first credential combination generated. “Access Key and Secret Key” resembles cloud provider terminology, while “Integration Key and Customer ID” is not the standard Falcon API credential pair. The CCFA user and API management material emphasizes creating scoped API clients and protecting the secret because it is shown only at creation time.

A Fusion SOAR workflow condition is built from a parameter , an operator , and a value . The parameter is the field being evaluated, such as severity, hostname, platform, status, or detection type. The operator defines the comparison, such as equals, contains, is in, or is greater than. The value is the target value used in the comparison. This structure allows a workflow to start from a broad event trigger and then narrow execution to only the events that match the desired criteria. Alert, action, schedule, trigger, and source are workflow concepts, but they are not the three required components of a condition. The CCFA workflow model uses conditions to refine and control automation safely.

After clicking Disable Detections for a host, detections for that host are removed from the console immediately, and new detections do not display going forward unless detections are re-enabled. This action suppresses console detection visibility for the host; it does not uninstall the sensor or stop the sensor from operating. Existing detection data remains available in Event Search, but it is removed from the Endpoint detections console view. This distinction is important: disabling detections affects detection display and DetectionSummaryEvent behavior, not all telemetry collection or prevention policy processing. The course guide contrasts this with deleting a host, where prior detections remain visible. For Disable Detections specifically, the immediate console effect is removal of detections.

A script interfacing with the Falcon platform typically uses API credentials, so the correct log is the API audit . Falcon UI audit logs track actions performed through the web console. RTR session audit logs track Real Time Response sessions and commands executed on hosts. Prevention policy debug is not the right audit source for platform API activity. When investigating scripted or automated access, administrators must determine which API client or credential performed the action, when it occurred, and what endpoint or operation was invoked. The CCFA user management and audit topics emphasize separating console user activity from API-driven activity so that administrative investigation maps to the correct telemetry source. API audit is therefore the correct answer.

The configuration is applied in the Containment Policy . Network containment restricts endpoint network activity to isolate a potentially compromised host, but Falcon allows administrators to define specific IP addresses that contained hosts may still communicate with. The official guidance states that on the Containment Policy page, administrators can allow IP addresses over which hosts will always be permitted to communicate, even when contained. This is commonly used for tightly controlled resources such as patching systems, remediation infrastructure, or other trusted internal services needed during response. IP Allowlist Management is different: it controls which source IP addresses may access the Falcon console or API, not which destinations a contained host may reach. Response Policies control Real Time Response command permissions, and Maintenance Tokens relate to sensor uninstall or maintenance operations. Therefore, the correct CCFA topic alignment is Policy Application, specifically Network Containment and Containment Policy configuration.

The likely cause is that the laptop is not a member of a host group assigned to the custom prevention policy. Falcon policies are applied through host group membership and policy precedence. A policy must be enabled and assigned to one or more host groups; Falcon then applies the policy settings to hosts based on their group membership. If a host is not in any group assigned to an enabled custom policy, it automatically receives the Default Policy. Since the custom policy is already enabled and successfully running on more than 1,000 other hosts, the policy itself is functioning correctly. The issue is therefore not sensor health, firewall connectivity, or a manual prompt. Falcon does not require a 24-hour waiting period before applying custom policies to newly installed hosts, and administrators do not manually approve policy application on the endpoint through a local prompt. The resolution is to verify the laptop’s group membership, dynamic group criteria, tags, OU, hostname pattern, or other assignment rule used by the custom policy’s host group. Reference topics: Policy Application, host group membership, default policy fallback, prevention policy assignment.