
CrowdStrike Certified Falcon Administrator (CCFA-200b)

Get full access to the updated question bank and confidently prepare for your exam.

Vendor

CrowdStrike

Certification

Falcon Platform

Content

153 Qs

Status

Verified

Updated

5 days ago

Test the Practice Engine

Experience our interactive testing environment with free demo questions

Launch Free Demo
Best Value Bundle

Premium Bundle

Complete Success Suite

$108 $69

Save $39 Instantly

  • Full PDF + Interactive Engine: Everything you need to pass
  • All Advanced Question Types: Drag & Drop, Hotspots, Case Studies
  • Priority 24/7 Expert Support: Direct line to certification leads
  • 90 Days Free Priority Updates: Stay current as exams change

Success Metric

98.4% Pass Rate

Verified by 15k+ Students
Secure Checkout
Popular

Standard Simulation

Practice Engine

$59

One-Time Payment

  • Web-Based (Zero Install)
  • Real Testing Environment Virtual & Practice Modes
  • Interactive Engine Drag & Drop, Hotspots
  • 60 Days Free Updates

Compatible with All Devices

Chrome
Verified Secure Checkout

Basic Tier

PDF Study Guide

$49

Digital Access

  • Exam Questions (PDF)
  • Mobile Friendly
  • 60 Days Updates
Download Free Sample PDF

Verified 5-Question Preview (CCFA-200b)

Secure Checkout

Verified Community

The CertoMetrics Standard.

Recommend the #1 platform for verified CrowdStrike certification resources.

Success Network

Help a Colleague Succeed.

Invite a peer to get their own updated CCFA-200b prep kit.

Exam Overview

The CrowdStrike Certified Falcon Administrator (CCFA-200b) certification validates an individual's proficiency in deploying, configuring, and managing the CrowdStrike Falcon platform. Achieving this certification demonstrates a deep understanding of Falcon's capabilities, including endpoint prevention, detection, visibility, and response features. It signifies your ability to effectively administer the platform to enhance an organization's security posture against modern threats. This credential is invaluable for cybersecurity professionals seeking to prove their expertise in a leading endpoint protection solution, opening doors to advanced roles and showcasing a commitment to maintaining robust, next-generation endpoint security environments. It directly contributes to securing critical assets and streamlining incident response workflows.

Questions

60-70

Passing Score

700/1000

Duration

90 Minutes

Difficulty

Intermediate

Level

Professional

Skills Measured

Deployment and Sensor Management: Understanding various deployment methods, managing sensor installations, health, and updates across different operating systems.
Policy Configuration and Management: Administering prevention policies, detection policies, custom IOAs (Indicators of Attack), and host groups to optimize security posture and minimize false positives.
Threat Detection and Analysis: Utilizing the Falcon console for alert investigation, understanding detection mechanisms, and leveraging Real-Time Visibility (RTV) for proactive threat hunting.
Incident Response and Remediation: Performing basic incident response tasks using Real-Time Response (RTR) capabilities, isolating hosts, and initiating remediation actions.
Platform Administration and Troubleshooting: Managing user roles, API clients, configuring dashboards and reports, and basic troubleshooting of common Falcon platform and sensor issues.

Career Path

Target Roles

  • Security Administrator
  • Security Engineer
  • SOC Analyst (Tier 2/3)

Common Questions

Is the material up to date?

Yes. We update our question bank weekly to match the latest CrowdStrike standards. You get free updates for 90 days.

What format do I get?

You get instant access to both the **PDF** (for reading) and our **Premium Test Engine** (for exam simulation).

Is there a guarantee?

Absolutely. If you fail the CCFA-200b exam using our materials, we offer a full money-back guarantee.

When do I get the download?

Instantly. The download link is available in your dashboard immediately after payment is confirmed.

Free Study Guide Samples

Previewing updated CCFA-200b bank (5 Questions).

QUESTION 1

What is the function of a single asterisk (*) in an ML exclusion pattern?

A
The single asterisk will match any number of characters, including none. It does include separator characters, such as \ or /, which separate portions of a file path
B
The single asterisk will match any number of characters, including none. It does not include separator characters, such as \ or /, which separate portions of a file path
C
The single asterisk is the insertion point for the variable list that follows the path
D
The single asterisk is only used to start an expression, and it represents the drive letter

Correct Option: B


Reasoning: In CrowdStrike ML exclusion patterns, a single asterisk (*) acts as a wildcard that matches zero or more characters within a single path segment. It explicitly does not match directory separator characters (e.g., \ or /), meaning it won't cross directory boundaries.

Why the other choices are incorrect:

  • Option A is incorrect: This describes the behavior of a double asterisk (**), which matches any characters including path separators. A single asterisk does not include separators.
  • Option C is incorrect: A single asterisk is a wildcard for character matching within paths, not a placeholder for a variable list.
  • Option D is incorrect: A single asterisk is a general wildcard, not specifically a drive letter representation or only used to start an expression.

QUESTION 2

Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group. What is the next step to disable RTR only on these hosts?

A
Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
B
Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"
C
Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
D
Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality"

Correct Option: C


Reasoning: To disable RTR only for a specific host group, the correct procedure is to create a new, dedicated Response Policy. Within this new policy, disable the "Real Time Response" setting. Then, assign this new policy directly to the target host group. This ensures RTR is disabled solely for those hosts, leaving other host groups unaffected by their assigned policies.

Why the other choices are incorrect:

  • Option A is incorrect: Editing the Default Response Policy and toggling RTR off would disable RTR for all hosts not covered by a more specific policy, not just the specified host group. This is too broad.
  • Option B is incorrect: Response policies do not use "exceptions lists under Real Time Functionality" to disable RTR for entire host groups in this manner. This is not the CrowdStrike mechanism for this requirement.
  • Option D is incorrect: The requirement is for a host group, not individual host names. Furthermore, using an "exceptions list" to disable core RTR functionality for a host or group is not the standard CrowdStrike method; a dedicated policy is.

QUESTION 3

When creating new IOCs in IOC management, which of the following fields must be configured?

A
Hash, Description, Filename
B
Hash, Action and Expiry Date
C
Filename, Severity and Expiry Date
D
Hash, Platform and Action

Correct Option: D

**Hash, Platform and Action**

Reasoning: When creating a custom file hash IOC in the CrowdStrike Falcon console, the Hash, Platform (e.g., Windows, macOS, Linux, All), and Action (e.g., Detect, Prevent, No Action) fields are all mandatory for successful creation.

Why the other choices are incorrect:

  • Option A is incorrect: Description and Filename are optional fields. While good practice, they are not strictly required to save a hash-based IOC.
  • Option B is incorrect: The Expiry Date is optional; an IOC can be set to never expire.
  • Option C is incorrect: Filename, Severity, and Expiry Date are all optional fields for creating a hash-based IOC. Severity is typically associated with detections, not the IOC itself.


QUESTION 4

Your CISO has decided all Falcon Analysts should also have the ability to view files and file contents locally on compromised hosts, but without the ability to take them off the host. What is the most appropriate role that can be added to fulfil this requirement?

A
Remediation Manager
B
Real Time Responder – Read Only Analyst
C
Falcon Analyst โ€“ Read Only
D
Real Time Responder – Active Responder

Correct Option: B

**Real Time Responder – Read Only Analyst**

Reasoning: This role provides Real-Time Response capabilities to interact with hosts, enabling analysts to view local files and their contents. The "Read Only" attribute specifically restricts actions that would pull files off the host, directly addressing the requirement to prevent exfiltration.

Why the other choices are incorrect:

  • Option A is incorrect: Remediation Manager primarily manages detections and remediation tasks within the Falcon console, not direct live host interaction for file viewing.
  • Option C is incorrect: Falcon Analyst – Read Only provides console-level visibility but does not grant the necessary Real-Time Response access for direct endpoint file interaction.
  • Option D is incorrect: Real Time Responder – Active Responder provides full RTR capabilities, including the ability to pull files off the host, which directly contradicts the stated requirement.

QUESTION 5

One of your development teams is working on code for a new enterprise application but Falcon continually flags the execution as a detection during testing. All development work is required to be stored on a file share in a folder called "devcode." What setting can you use to reduce false positives on this file path?

A
USB Device Policy
B
Firewall Rule Group
C
Containment Policy
D
Machine Learning Exclusions

Correct Option: D


Reasoning: Machine Learning Exclusions allow administrators to specify file paths, hashes, or processes to be excluded from Falcon's ML-based detections. This directly addresses the scenario where legitimate development code in the "devcode" folder is continually flagged as a false positive, reducing detection noise.

Why the other choices are incorrect:

  • Option A is incorrect: USB Device Policy controls access to USB storage devices, which is irrelevant to false positives on a file share.
  • Option B is incorrect: Firewall Rule Groups manage network traffic and connectivity, not the detection logic for local executable files.
  • Option C is incorrect: Containment Policy isolates compromised hosts from the network, a reactive measure unrelated to reducing false positives for legitimate development code.
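Questions 1 and 5 both turn on how a path-based ML exclusion pattern is matched: a single asterisk stays inside one path segment, while a double asterisk crosses separators. The matcher below is an added illustration of exactly those two rules as the explanations above describe them; it is not CrowdStrike's code and makes no claim about how the Falcon sensor implements pattern matching internally. The UNC share path, the "devcode" folder and the sample file paths are constructed for the example.

```python
import re

# Separators a single '*' must never cross (both Windows and POSIX styles).
_SEPARATOR_CLASS = r"[^/\\]*"


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an exclusion-style glob into an anchored, case-insensitive regex.

    Rules, as stated in the question explanations above:
      **  matches any run of characters, including path separators
      *   matches any run of characters except path separators
    Every other character is matched literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")          # crosses directory boundaries
            i += 2
        elif pattern[i] == "*":
            parts.append(_SEPARATOR_CLASS)  # confined to one path segment
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(pattern: str, path: str) -> bool:
    """True if the whole path is covered by the exclusion pattern."""
    return pattern_to_regex(pattern).fullmatch(path) is not None


def is_excluded(path: str, patterns: list[str]) -> bool:
    """True if any configured exclusion pattern covers the path."""
    return any(matches(p, path) for p in patterns)


def evaluate_devcode_patterns() -> dict[str, dict[str, bool]]:
    """Show the scope difference between '*' and '**' on the Question 5 scenario.

    Returns, for each candidate pattern, which constructed paths it would cover.
    """
    # Constructed sample paths: the "devcode" share from Question 5.
    candidate_paths = [
        r"\\fileserver\share\devcode\build.exe",          # file directly in devcode
        r"\\fileserver\share\devcode\bin\build.exe",      # one level deeper
        r"\\fileserver\share\devcode\vendor\tools\x.exe",  # two levels deeper
        r"\\fileserver\share\other\build.exe",            # outside devcode
    ]
    candidate_patterns = [
        r"\\fileserver\share\devcode\*",   # single asterisk: top-level files only
        r"\\fileserver\share\devcode\**",  # double asterisk: entire subtree
    ]
    return {
        pattern: {path: matches(pattern, path) for path in candidate_paths}
        for pattern in candidate_patterns
    }


if __name__ == "__main__":
    for pattern, results in evaluate_devcode_patterns().items():
        print(pattern)
        for path, covered in results.items():
            print(f"  {'EXCLUDED' if covered else 'scanned '}  {path}")
```

Running it shows the practical trade-off behind Question 5: the single-asterisk pattern covers only files placed directly in devcode, so a build that writes into subfolders still produces detections, while the double-asterisk pattern silences the whole subtree, including anything an attacker or a careless build script later drops there. Scoping an exclusion to the narrowest segment that actually needs it keeps the blind spot small.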

Full Question Bank Locked

You have reached the end of the free study guide preview. Upgrade now to unlock all 153 questions and the full simulation engine.

Customer Reviews

5 / 5 (15,000+ verified)

  • 5 stars: 100%
  • 4 stars: 0%
  • 3 stars: 0%
  • 2 stars: 0%
  • 1 star: 0%

Global Community Feedback

DM

David M.

Verified Student

"The practice engine is incredible. It feels exactly like the real testing environment and helped me build so much confidence."

SJ

Sarah J.

Premium Member

"The PDF is very well organized and the explanations for the answers are actually helpful, not just random text."

MC

Michael C.

Verified Buyer

"I was skeptical, but the content is high quality and definitely worth the price. I passed on my first try!"

Need Assistance?

Our expert support team is available to assist you with any inquiries about our exam materials.

Contact Support
Average response: < 24 Hours

Get Exam Updates

Subscribe to receive instant notifications on new questions and exclusive flash sales.

* Join 5,000+ students getting weekly updates
