Questions for the CCFA-200 were updated on: Nov 21, 2025
What can exclusions be applied to?
B
Explanation:
The option that describes what exclusions can be applied to is that exclusions can be applied to
either all hosts or specified groups. An exclusion is a rule that defines what files, folders, processes,
IP addresses, or domains should be excluded from detection or prevention by the Falcon sensor. You
can create and manage exclusions in the Exclusions page in the Falcon console. You can apply
exclusions to either all hosts in your environment or to specific host groups that you select. You
cannot apply exclusions to individual hosts selected by the administrator.
Reference: [Cybersecurity Resources | CrowdStrike]
You have a Windows host on your network in Reduced functionality mode (RFM). While the system is
in RFM, which of the following is TRUE?
D
Explanation:
The option that is true when a Windows host is in Reduced Functionality Mode (RFM) is that some
detection patterns and preventions will not be triggered. RFM is a mode that limits the sensor’s
functionality due to license expiration, network connectivity loss, or certificate validation failure.
When a Windows sensor is in RFM, it will only provide basic prevention capabilities, such as blocking
known malware hashes and preventing script execution from the %TEMP% directory. The sensor will
not send any telemetry or detection events to the Falcon platform, and will not receive any policy or
update changes from the Falcon cloud. This means that some detection patterns and preventions
that rely on telemetry, machine learning, or cloud analysis will not be triggered.
Reference: [Falcon Administrator Learning Path | Infographic | CrowdStrike]
A sensor that has not contacted the Falcon cloud will be automatically deleted from the hosts list
after how many days?
D
Explanation:
A sensor that has not contacted the Falcon cloud will be automatically deleted from the hosts list
after 90 days. A sensor that has not contacted the Falcon cloud for more than seven days is
considered inactive and will be moved from the Host Management page to the Trash page. An
inactive sensor will remain in the Trash page for 90 days before being permanently deleted from the
Falcon platform. You can restore an inactive sensor from the Trash page if it contacts the Falcon cloud
again within 90 days.
Reference: [Falcon Administrator Learning Path | Infographic | CrowdStrike]
When a host belongs to more than one host group, how is sensor update precedence determined?
D
Explanation:
The option that describes how sensor update precedence is determined when a host belongs to
more than one host group is that all of the host’s groups are examined in aggregate and the policy
with highest precedence is applied to the host. A Sensor Update policy is a policy that controls how
and when the Falcon sensor is updated on a host. You can create and assign custom Sensor Update
policies to different hosts or groups in your environment. Each Sensor Update policy has a
precedence value, which determines its priority over other policies. The higher the precedence
value, the higher the priority. If a host belongs to more than one host group, each with a different
Sensor Update policy assigned, then all of the host’s groups are examined in aggregate and the policy
with highest precedence among them is applied to the host.
Reference: [Falcon Administrator Learning Path | Infographic | CrowdStrike]
What may prevent a user from logging into Falcon via single sign-on (SSO)?
A
Explanation:
The option that may prevent a user from logging into Falcon via single sign-on (SSO) is that the SSO
username doesn’t match their email address in Falcon. SSO is a feature that allows you to use an
external identity provider (IdP) to authenticate and authorize users to access the Falcon platform.
SSO simplifies and streamlines the login process, as users only need to remember one set of
credentials for multiple applications. However, SSO requires that the username in the IdP matches
the email address in Falcon for each user. If there is a mismatch between the username and the
email address, the user will not be able to log into Falcon via SSO.
Reference: [Cybersecurity Resources | CrowdStrike]
The Customer ID (CID) is important in which of the following scenarios?
B
Explanation:
The Customer ID (CID) is important in two of the listed scenarios: when performing the sensor
installation process and when setting up API keys. The CID is a unique identifier for your organization
that is required for authenticating your sensor installation and communication with the Falcon cloud.
You need to provide your CID when installing the Falcon sensor on a host, either by using a
command-line parameter or by using the falconctl tool. The CID is also required for setting up API
keys, which are used for accessing the Falcon platform programmatically via the Falcon APIs. You
need to provide your CID when creating an API client and key in the API Clients and Keys page in the
Falcon console.
Reference: [Cybersecurity Resources | CrowdStrike]
You need to have the ability to monitor suspicious VBA macros. Which Sensor Visibility setting should
be turned on within the Prevention policy settings?
A
Explanation:
Turn on the Script-Based Execution Monitoring prevention policy setting to enable the "Falcon sensor
to monitor the contents of scripts and shells that are popular mechanisms for executing malicious
code on hosts. This setting does not kill or block scripts."
Scripting languages:
Excel 4.0 macros
JScript
VBA Macros
VBScript
The Sensor Visibility setting that should be turned on within the Prevention policy settings to monitor
suspicious VBA macros is Script-based Execution Monitoring. Script-based Execution Monitoring is a
feature that enables the Falcon sensor to monitor and prevent malicious script execution on
Windows systems. The feature uses machine learning and behavioral analysis to detect suspicious
scripts or commands executed by various script interpreters, such as PowerShell, WScript, CScript, or
Bash. VBA (Visual Basic for Applications) is a scripting language that can be embedded in Microsoft
Office documents, such as Word or Excel. VBA macros can be used to automate tasks or perform
actions within the documents, but they can also be abused by attackers to deliver malware or
execute malicious code. Script-based Execution Monitoring can help detect and prevent such attacks
by monitoring the contents of VBA macros for execution of malicious content.
Reference: [Falcon Administrator Learning Path | Infographic | CrowdStrike]
What is the purpose of the Machine-Learning Prevention Monitoring Report?
D
Explanation:
Machine-Learning Prevention Monitoring dashboard: Use this dashboard to view malware that
would have been blocked in your environment over the selected timeframe based on different
Machine Learning Prevention settings (Cautious, Moderate, Aggressive or Extra Aggressive).
The Falcon Administrator has created a new prevention policy to apply to the "Servers" group;
however, when applying the new prevention policy this group is not appearing in the list of available
groups. What is the most likely issue?
B
Explanation:
The most likely issue for not being able to apply a new prevention policy to the “Servers” group is
that the “Servers” group already has a policy applied to it. A prevention policy is a policy that defines
the prevention capabilities and settings for the Falcon sensor on a host. You can create and assign
custom prevention policies to different hosts or groups in your environment. However, you can only
assign one prevention policy per host or group at a time.
If a host or group already has a prevention policy applied to it, you cannot apply another prevention
policy to it unless you remove or replace the existing one.
Reference: [Cybersecurity Resources | CrowdStrike]
Which of the following prevention policy settings monitors contents of scripts and shells for
execution of malicious content on compatible operating systems?
A
Explanation:
The prevention policy setting that monitors contents of scripts and shells for execution of malicious
content on compatible operating systems is Script-based Execution Monitoring. Script-based
Execution Monitoring is a feature that enables the Falcon sensor to monitor and prevent malicious
script execution on Windows systems. The feature uses machine learning and behavioral analysis to
detect suspicious scripts or commands executed by various script interpreters, such as PowerShell,
WScript, CScript, or Bash.
You can enable or disable Script-based Execution Monitoring in the Prevention Policy for Windows
hosts.
Reference: [Falcon Administrator Learning Path | Infographic | CrowdStrike]
What best describes the relationship between Sensor Update policies and Operating Systems?
D
Explanation:
The option that describes the relationship between Sensor Update policies and Operating Systems is
that a Sensor Update policy must be configured for each Operating System (Windows, Mac, Linux).
This option is essentially a repetition of question 141 and its answer. Sensor Update policies are
specific to each operating system type, as different operating systems have different sensor versions,
features, and requirements.
Therefore, you need to create and assign separate Sensor Update policies for each operating system
type in your environment.
Reference: [Falcon Administrator Learning Path | Infographic | CrowdStrike]
What is the purpose of the Default Sensor Policy?
D
Explanation:
The purpose of the Default Sensor Policy is that it acts as a “catch all” policy if no other Sensor
Policies are applied. A Sensor Policy is a policy that defines the detection and prevention settings for
the Falcon sensor on a host. You can create and assign custom Sensor Policies to different hosts or
groups in your environment. However, if a host is not assigned to a specific Sensor Policy, it will
inherit the settings from the Default Sensor Policy. The Default Sensor Policy is a “catch-all” policy
that is enabled by default and has the “Malware Protection” feature turned on.
You can modify the settings of the Default Sensor Policy, but you cannot delete or disable it.
Reference: [Falcon Administrator Learning Path | Infographic | CrowdStrike]
Why do Sensor Update policies need to be configured for each OS (Windows, Mac, Linux)?
B
Explanation:
Sensor Update policies need to be configured for each OS (Windows, Mac, Linux) because Sensor
Update policies are OS dependent. A Sensor Update policy is a policy that controls how and when
the Falcon sensor is updated on a host. Sensor Update policies are specific to each operating system
type, as different operating systems have different sensor versions, features, and requirements.
Therefore, you need to create and assign separate Sensor Update policies for each operating system
type in your environment.
Reference: [Falcon Administrator Learning Path | Infographic | CrowdStrike]
Which statement describes what is recommended for the Default Sensor Update policy?
A
Explanation:
The statement that describes what is recommended for the Default Sensor Update policy is that the
Default Sensor Update policy should align to an organization’s overall sensor updating practice while
leveraging Auto N-1 and Auto N-2 configurations where possible. As explained in question 139, the
Default Sensor Update policy is a “catch-all” policy that applies to any host that is not assigned to a
specific Sensor Update policy. Therefore, it is recommended that the Default Sensor Update policy
should align to your organization’s overall sensor updating practice, such as how frequently and how
quickly you want to update your sensors.
It is also recommended that you leverage the Auto N-1 and Auto N-2 configurations, which allow you
to automatically update your sensors to the latest or second-latest sensor version without requiring
manual intervention.
Reference: [Falcon Administrator Learning Path | Infographic | CrowdStrike]
What will happen to a host if it is not assigned a Sensor Update policy?
D
Explanation:
The option that describes what will happen to a host if it is not assigned a Sensor Update policy is
that the host will use the Default Sensor Update policy. A Sensor Update policy is a policy that
controls how and when the Falcon sensor is updated on a host. You can create and assign custom
Sensor Update policies to different hosts or groups in your environment. However, if a host is not
assigned to a specific Sensor Update policy, it will inherit the settings from the Default Sensor Update
policy. The Default Sensor Update policy is a “catch-all” policy that is enabled by default and has the
“Uninstall and Maintenance Protection” feature turned on.
You can modify the settings of the Default Sensor Update policy, but you cannot delete or disable it.
Reference: [Falcon Administrator Learning Path | Infographic | CrowdStrike]