CrowdStrike Updated CCFA-200b Exam Questions and Answers by tymoteusz

The Customer ID with Checksum, often referred to as the CID or CCID/CIDC, is required when installing a new Falcon Sensor so the sensor can register to the correct Falcon customer environment. The deployment guidance repeatedly instructs administrators to copy the Customer ID checksum from Host setup and management > Deploy > Sensor downloads before running sensor installation. For macOS, the installer workflow requires running falconctl license with the customer ID checksum after installation. For Windows installations, the installer requires the Customer ID with Checksum value obtained from the Sensor downloads page. This value is not used to locate a host in Host Management, and it is not the normal control for defining host group criteria. Sensor uninstallation is controlled by maintenance tokens or uninstall protection settings, not CIDC. Reference topics: Sensor Deployment, Sensor downloads, Customer ID checksum, Windows and macOS sensor installation.

Custom IOA rules are designed to detect behavior, not simply static files. Falcon’s core prevention model distinguishes between Indicators of Compromise, which are often file/hash/domain/IP based, and Indicators of Attack, which describe behavioral patterns associated with suspicious or malicious activity. Custom IOAs allow administrators to define organization-specific behavioral detections, such as process creation, file creation, network connection, or command-line behavior. They are especially useful when the activity may not be universally malicious but is unwanted or suspicious in a specific environment. Blocking known malware is more closely aligned with IOC management or machine-learning prevention. System updates and network settings are unrelated to custom IOA rule intent. The course guide describes custom IOAs as a way to gain visibility into activity Falcon does not otherwise detect and optionally block or kill that behavior.

The correct action is to temporarily disable detections for the server in Host Management and re-enable them after the penetration test is complete. Falcon’s Disable Detections function is specifically useful for test hosts when administrators want to prevent test detections from cluttering the Endpoint detections console. When detections are disabled, detections for that host are removed from the console immediately, and no new detections from that host display until detections are enabled again. This does not uninstall the sensor, and the sensor continues to operate normally with prevention policies, custom IOA rules, exclusion rules, and other controls still processed. Creating a workflow to email the SOC would increase noise rather than reduce it. Permanently disabling detections creates unnecessary long-term blind spots. Deleting detections and containing the server is also inappropriate because the activity is authorized testing, not necessarily an incident requiring containment. Reference topics: Host Management, Disable Detections, endpoint detection suppression, penetration test handling.

Red Hat Enterprise Linux is an operating system distribution and version family, so the most precise Host Management filter is OS version . Platform would generally distinguish broad operating system families such as Windows, macOS, or Linux, but it would not narrow results specifically to RHEL. Type identifies host form factor or role, such as desktop, server, or domain controller. OU refers to Active Directory organizational unit membership, which applies to directory-joined assets rather than Linux distribution identity. The course guide’s Host Management and dynamic grouping filter list identifies OS Version as the field used for the installed operating system version. Therefore, to locate RHEL systems, OS version is the most appropriate filter.