CCFA-200b Exam Results

Excluding mobile devices, Falcon network containment applies to Windows, Linux, and macOS hosts running the Falcon sensor . Network containment is a host-level response action that restricts a system’s network connectivity while maintaining required communication with CrowdStrike cloud services. Falcon allows administrators to contain hosts directly from host or detection workflows, and the official guidance states that Windows, Mac, and Linux hosts can be contained from the detection summary panel. Falcon Container is not the correct inclusion here because the documentation notes that Falcon Container does not support network containment for pods. Therefore, any answer including container hosts is overbroad. Windows-only, Mac-only, or Linux-only combinations are incomplete because Falcon supports containment across the three primary endpoint operating systems. The practical requirement is that the endpoint must be running the Falcon sensor and must be a supported host type for containment. Reference topics: Host Management and Setup, Network Containment, Containment Actions, Supported Host Platforms.

The correct action is to use the built-in Fusion SOAR OverWatch detection remediation and prioritization playbook. This playbook is specifically designed to automate response when Falcon OverWatch flags an endpoint detection. The documented workflow actions include setting the endpoint detection status to In Progress, containing the device where the detection occurred, adding associated identity and endpoint context to watchlists when applicable, and sending an email notification. This directly satisfies leadership’s requirement for immediate containment and notification of the appropriate internal staff. Emailing the OverWatch team is not the correct operational response because OverWatch has already generated the detection; the customer SOC or incident response team must be notified. Creating a new detection is also incorrect because the detection already exists. Blocking the detection is not a valid response action; containment is the host-level control. Reference topics: Fusion SOAR Playbooks, OverWatch Detection Remediation and Prioritization, Host Containment Automation.

The correct page is Sensor Health . The Sensor Health dashboard is designed to show Falcon sensor operational status across the environment and help administrators identify hosts running unsupported sensor versions, unsupported operating system versions, incorrect configurations, connectivity problems, and RFM conditions. The official guidance states that the Sensor Health dashboard includes information about “hosts that entered RFM each day” and clarifies that this shows hosts newly entering Reduced Functionality Mode, not the total number of hosts currently in RFM. This distinction matters because Sensor Health is used to track newly emerging sensor health issues over time, while Host Management can be used to filter for the current list of hosts in RFM. Hosts Overview and Activity Overview do not provide this specific daily RFM count. Support and resources is a navigation area, not the sensor health reporting dashboard. Reference topics: Dashboards and Reports, Sensor Health Dashboard, Reduced Functionality Mode, Sensor Operational Status.

Network containment isolates a host from normal network communication to prevent lateral movement and attacker-controlled access. By default, a contained host cannot reach patching infrastructure, so operating system patch jobs fail unless specific exceptions are added. The Falcon configuration point for this is the Containment Policy , where administrators allowlist specific IP addresses that contained hosts may continue to communicate with. The official guidance states that to install patches on network-contained hosts, administrators must add the IP address of the Windows Update source or patching source to the environment’s containment policy. FQDN allowlisting is not the correct answer in this context; the supported containment exception is IP-based. Removing containment would restore connectivity but would also eliminate the protective isolation during a zero-day remediation scenario. Firewall Policy is not the control that governs Falcon network containment exceptions. Reference topics: Network Containment, Containment Policy, Patch Windows Hosts, Policy Application.