CrowdStrike Updated CCFA-200b Exam Questions and Answers by maximillian

The most accurate ML exclusion pattern is Program Files\Software\**\*.exe. Falcon prevention policy exclusions use glob syntax, and Windows exclusion paths are written without the drive name and without a leading backslash. The pattern must therefore begin at Program Files\Software\, not C:\Program Files\Software\. A single asterisk pattern such as Program Files\Software\*.exe matches only .exe files directly inside the Software folder and does not include subfolders. The double-asterisk pattern with a path separator, **\*.exe, is the correct recursive construction because it matches executable files within the target folder and its subdirectories. **\*.exe by itself is overly broad because it could match executable files in many locations, not just the Software directory. Program Files\Software\**.exe is less precise than the documented recursive executable pattern. Reference topics: Rule Configuration, Machine Learning Exclusions, Prevention Policy Exclusions, Glob Syntax.

Falcon user permissions are defined through roles, and those roles can be either default roles or custom roles. A user gains permissions by being assigned one or more roles, and Falcon grants the combined permissions enabled across all assigned roles. Default roles provide predefined permission sets for common operational responsibilities, while custom roles allow administrators to restrict or expand access for specialized duties. Permissions are not assigned one-by-one directly during user account creation as the primary model. A user also does not need a default role before receiving a custom role; custom roles can be assigned as needed after they are created and validated. Custom role permission sets are scoped to the customer environment and are not globally shared across all CrowdStrike customers. This role-based model supports least privilege, separation of duties, and auditable administrative access. Reference topics: User Management, Role Management, Default Roles, Custom Roles, Permissions.

The likely restriction is that Custom Scripts is not enabled in the response policy. RTR permissions are controlled by both user role and response policy. An Active Responder can run certain custom scripts when the host’s response policy permits Custom Scripts. If that setting is disabled, the user may have the correct RTR role but still be blocked from executing the script on that host. Put-and-Run is associated with uploading and running executables and is broader than the custom-script control. Script-Based Execution Monitoring is a prevention visibility setting, not an RTR permission. RTR Administrator is required for creating custom scripts and some higher-risk actions, but an Active Responder can execute allowed custom scripts when policy permits.

The best answer is Managed Assets dashboard . This dashboard-oriented view is used for operational visibility across managed endpoints and helps administrators understand how assets are distributed across important attributes, including policy-related coverage. The question asks for a “top-ten” review of sensor update, prevention, and device control policies as new hosts are added to the CID, which aligns with dashboard summarization rather than a per-host daily report. The Sensor Policy Daily Report is useful for reviewing assigned groups and policies for hosts, but it is not the best answer for a high-level top-ten usage review. Executive Summary is broader leadership reporting, not the operational location for policy-use distribution across managed assets. The CCFA reporting objective here is policy coverage awareness at scale.