CrowdStrike CCFA-200b - CrowdStrike Falcon Certification Program

Red Hat Enterprise Linux is an operating system distribution and version family, so the most precise Host Management filter is OS version . Platform would generally distinguish broad operating system families such as Windows, macOS, or Linux, but it would not narrow results specifically to RHEL. Type identifies host form factor or role, such as desktop, server, or domain controller. OU refers to Active Directory organizational unit membership, which applies to directory-joined assets rather than Linux distribution identity. The course guide’s Host Management and dynamic grouping filter list identifies OS Version as the field used for the installed operating system version. Therefore, to locate RHEL systems, OS version is the most appropriate filter.

A Fusion SOAR workflow condition is built from a parameter , an operator , and a value . The parameter is the field being evaluated, such as severity, hostname, platform, status, or detection type. The operator defines the comparison, such as equals, contains, is in, or is greater than. The value is the target value used in the comparison. This structure allows a workflow to start from a broad event trigger and then narrow execution to only the events that match the desired criteria. Alert, action, schedule, trigger, and source are workflow concepts, but they are not the three required components of a condition. The CCFA workflow model uses conditions to refine and control automation safely.

The likely restriction is that Custom Scripts is not enabled in the response policy. RTR permissions are controlled by both user role and response policy. An Active Responder can run certain custom scripts when the host’s response policy permits Custom Scripts. If that setting is disabled, the user may have the correct RTR role but still be blocked from executing the script on that host. Put-and-Run is associated with uploading and running executables and is broader than the custom-script control. Script-Based Execution Monitoring is a prevention visibility setting, not an RTR permission. RTR Administrator is required for creating custom scripts and some higher-risk actions, but an Active Responder can execute allowed custom scripts when policy permits.

The most efficient dynamic grouping criterion is Type: Workstation . Host type is specifically intended to distinguish categories such as workstation, server, or domain controller. Using OU may work only if Active Directory structure is perfectly aligned and consistently maintained, which is not guaranteed. Grouping tags require prior tag assignment during installation or post-install configuration, adding administrative dependency. Platform Windows would include Windows servers and possibly other Windows systems that are not workstations. The CCFA group creation topic emphasizes using the most precise available host attribute for dynamic group membership. Since the desired group is all workstations, Type: Workstation directly maps to the requirement and avoids broader or manually dependent criteria.

The best answer is Managed Assets dashboard . This dashboard-oriented view is used for operational visibility across managed endpoints and helps administrators understand how assets are distributed across important attributes, including policy-related coverage. The question asks for a “top-ten” review of sensor update, prevention, and device control policies as new hosts are added to the CID, which aligns with dashboard summarization rather than a per-host daily report. The Sensor Policy Daily Report is useful for reviewing assigned groups and policies for hosts, but it is not the best answer for a high-level top-ten usage review. Executive Summary is broader leadership reporting, not the operational location for policy-use distribution across managed assets. The CCFA reporting objective here is policy coverage awareness at scale.

MFA for Real Time Response is configured under General settings . Falcon Administrators can enable Real Time Response identity verification from Support and resources > Resources and tools > General settings. This applies Falcon MFA to high-risk RTR operations according to the configured trigger, such as before connecting to a host or before executing sensitive commands like run or kill. Response policies determine which RTR commands are available to hosts and users, but they do not configure MFA enforcement. Notifications and containment policies are unrelated to RTR identity verification. The course guide highlights that RTR MFA applies broadly to users in the CID once enabled, regardless of response policy assignment, making General settings the correct administrative location.

The Machine-Learning Prevention report is used to evaluate what Falcon would have blocked under different machine-learning prevention levels. The official reporting guidance describes Machine Learning Prevention as a report that lets administrators “view malware that would have been blocked in your environment during the last 30 days based on different Machine Learning Prevention settings,” including Cautious, Moderate, or Aggressive levels. This makes option C the precise answer. The report is not the quarantine management dashboard; quarantined files are reviewed and released from the Quarantined Files area. It is also not primarily a spike-analysis dashboard for active attacks, although unusual volume may support investigation. Option D is close in theme but inaccurate because the purpose is not to summarize aggressiveness settings and actual quarantine totals; it is to model prevention impact across ML settings. Reference topics: Dashboards and Reports, Machine Learning Prevention report, prevention policy tuning, ML prevention levels.

The Sensor report dashboard is the best answer because it provides an overview of active sensors in the environment and summarizes deployment and coverage data for sensor administration. The question asks for an overview of the top ten most-applied policies by sensors, which is a dashboard-level summary rather than a per-host assignment lookup. The Sensor Policy Daily Report is more granular: it is used to review the groups and policies assigned to a host and is updated once per day, so it is not the best choice for a top-ten environmental overview. Scheduled reports are a delivery mechanism for recurring report generation, not the specific report containing the requested sensor-policy overview. Executive Summary provides broader executive-level security posture information and is not the focused sensor-policy distribution view. CCFA reporting guidance places sensor deployment and coverage reporting under Sensors, where the Sensor Report provides the overview of active sensors and related sensor-management posture. Reference topics: Dashboards and Reports, Sensors reports, Sensor Report dashboard, Sensor Policy Daily Report.

Fusion SOAR workflow imports use YAML format. YAML is commonly used for declarative workflow definitions because it is human-readable while still preserving structured configuration such as triggers, conditions, actions, branches, and parameters. CSV is a tabular format and cannot represent workflow logic reliably. JSON is structured but is not the expected import format in this context. “SOAR” is a functional category, not a file format. When workflow imports fail, administrators should validate the file structure, indentation, required fields, and supported action/trigger references in the YAML file. The CCFA workflow topic emphasizes that native Falcon automation must match the supported Fusion SOAR workflow structure to import and execute successfully.

The role that allows a Falcon user to create Real Time Response custom scripts is Real Time Responder – Administrator . Falcon separates RTR permissions into three default responder roles. Read Only Analyst can run reconnaissance-style commands. Active Responder can run read-only commands plus additional response commands, including commands that modify host state and certain approved custom scripts. However, creating custom scripts, uploading files for the put command, and directly running executables with run are reserved for the RTR Administrator role. This distinction is important because custom scripts can perform powerful host-level actions and must be restricted to experienced incident response personnel. The course guide also notes that users must have an RTR role to access RTR functionality at all; Falcon Administrator alone does not automatically include RTR access. “Real Time Responder – Script Developer” is not one of the standard RTR roles. Reference topics: User Management, Real Time Response Roles, Custom Scripts, RTR Role Permissions.