CrowdStrike Falcon Certification Program CCFA-200b Full Course Free

The correct Windows prevention policy setting is Suspicious Scripts and Commands . This setting focuses on detecting suspicious or malicious script and shell command activity. It is aligned with Falcon’s behavioral detection model for activity occurring through interpreters and command shells, where adversaries commonly use PowerShell, command prompts, scripts, and living-off-the-land techniques. Script-based execution visibility increases visibility into script execution, but the question asks about monitoring shell contents for execution of malicious content, which maps to Suspicious Scripts and Commands. Enhanced exploitation visibility and additional user mode data visibility provide other telemetry and exploit-related coverage but are not the specific shell-content monitoring setting. CCFA prevention policy topics distinguish visibility settings from detection/prevention settings that identify suspicious command behavior.

The correct role is Falcon Security Lead. Falcon role guidance identifies Falcon Security Lead as a role that can manage detections, manage quarantined files, contain hosts, search events, reset user credentials, and view exclusions. Falcon Analyst – Read Only can view detections and exclusions but does not have management authority over quarantined files. Endpoint Manager is focused on sensor deployment, sensor configuration, update policies, and host group administration; it is not the role for quarantine management. Detections Exceptions Manager is associated with exception or exclusion-style administration, not quarantined file operations. Managing quarantined files includes operational actions such as reviewing quarantined items, releasing files, undoing releases, deleting quarantined files, and potentially downloading extracted files when permitted by configuration and role. Because quarantine actions can reintroduce files to endpoints or remove evidence, Falcon assigns this capability only to roles with sufficient security operations authority. Reference topics: User Management, Default Roles, Falcon Prevent Roles, Quarantined Files.

Manual macOS sensor installation requires approval for the Falcon system extension , Full Disk Access , and the network filter extension on supported macOS versions. Apple’s security model requires explicit authorization before endpoint security extensions and network content filtering components can load. Full Disk Access is required for the sensor to inspect protected filesystem locations and operate correctly. Omitting any one of these approvals can leave the sensor partially installed, unable to provide expected visibility, or unable to load required components. The course guide’s macOS deployment section identifies system extension approval and network filter authorization as required for Big Sur and later, and also states Full Disk Access must be granted for proper operation.

The default user role that can manage API credentials is Falcon Administrator . Falcon’s role-permission matrix shows “Manage API credentials” enabled for Falcon Administrator and not enabled for the other listed roles. Falcon Administrator is the broad administrative role that can access nearly all console functionality, with the notable exception that Real Time Response still requires dedicated RTR roles. Managing API credentials is a high-risk administrative function because API clients and secrets can be used by integrations, scripts, and external systems to access Falcon APIs according to assigned scopes. Therefore, Falcon restricts this capability to administrative authority rather than operational roles such as Falcon Security Lead or Endpoint Manager. Falcon Security Lead can manage detections, quarantined files, containment, event searches, and credential resets, but it cannot manage users, roles, or API credentials. “Falcon API Manager” is not the default role presented in the official role model. Reference topics: User Management, Default Roles, API Clients and Keys, Role-Based Access Control.