CrowdStrike Falcon Certification Program CCFA-200b CrowdStrike Study Notes

MFA for Real Time Response is configured under General settings . Falcon Administrators can enable Real Time Response identity verification from Support and resources > Resources and tools > General settings. This applies Falcon MFA to high-risk RTR operations according to the configured trigger, such as before connecting to a host or before executing sensitive commands like run or kill. Response policies determine which RTR commands are available to hosts and users, but they do not configure MFA enforcement. Notifications and containment policies are unrelated to RTR identity verification. The course guide highlights that RTR MFA applies broadly to users in the CID once enabled, regardless of response policy assignment, making General settings the correct administrative location.

A sensor with no applicable custom host group assignment receives the Default policy . Sensor update policies follow the same basic host group and precedence pattern used throughout Falcon policy management. If a host is included in a group assigned to a higher-precedence sensor update policy, that policy applies. If it does not match any assigned custom policy, Falcon falls back to the default sensor update policy. The top-precedence policy only applies when the host belongs to a host group assigned to that policy. Auto N-1 is a possible version-selection strategy within a policy, not the automatic fallback policy assignment. This is why the course emphasizes reviewing default policy settings carefully before broad deployment.

The primary concern with Windows RFM is that sensors do not have full visibility into all events occurring on the host. In Windows RFM, the sensor continues operating at reduced capacity and can still report events and trigger detections, but it temporarily unhooks from some kernel elements. Without those kernel elements, some detection patterns and a small number of preventions may not trigger. The host is not necessarily offline, powered off, or unable to communicate with the cloud. RFM is also not the same as an operating system crash; it is a protective compatibility state. The CCFA sensor deployment topic emphasizes that RFM reduces visibility and prevention coverage, which is why administrators should identify and remediate RFM hosts promptly.

The highest level of protection in the three-phase prevention policy model is Phase 3 . Falcon’s staged policy model allows organizations to begin with safer detection-focused settings, then progress toward stronger prevention as false positives are triaged and exclusions are tuned. Phase 1 is intended for initial deployment, especially when pre-existing antivirus or HIPS is present, and is more conservative. Phase 2 increases enforcement and aligns more closely with recommended protection. Phase 3 represents the fully realized best-practice posture with the highest protection level among the listed phases. CCFA policy application guidance emphasizes progressing through these phases deliberately, using detection review, allowlisting, exclusions, and change control before applying the most protective settings broadly.