Question 18 - CCFA-200 Real Exam Questions [Jan 2026 Update]s

Q: 18

A security administrator needs to automatically quarantine files flagged as malicious by the Falcon sensor. What is the best way to configure this response using workflows in CrowdStrike Falcon?

Options

Correct Answer:

Explanation

The most effective and integrated method is a two-step process within the Falcon platform. First, the quarantine capability must be enabled for the sensor via a Prevention Policy. This policy grants the sensor the necessary permissions to move files. Second, a Falcon Fusion workflow is created to automate the response. This workflow is configured with a trigger for "new malware detections" and an action to "quarantine the file" associated with that detection. This combination ensures that the response is both authorized and automatically executed, directly fulfilling the administrator's requirement without external tools or overly broad actions like host isolation.

Why Incorrect

A. Detection rules (Custom IOAs) are for creating new detection logic, not for automating response actions like quarantine for existing, known malware detections.

B. Using external scripts and other antivirus solutions is inefficient and complex. Falcon has native, built-in quarantine capabilities that should be used for this task.

C. Isolating an endpoint (network containment) is a host-level action that severs network connectivity. It does not quarantine the specific malicious file on the disk.

References

1. CrowdStrike Falcon Documentation

Prevention Policies: The "Malware Protection" section within the prevention policy settings details the configuration options for enabling the sensor to quarantine both confirmed malicious files and suspicious files. This is a prerequisite for the quarantine action to succeed. (Reference: CrowdStrike Falcon Platform Documentation

Prevention Policy Settings Guide

"Malware Protection" section).

2. CrowdStrike Falcon Documentation

Falcon Fusion Workflows: The official documentation for Falcon Fusion workflows specifies "Quarantine File" as a supported

automated action. The documentation outlines creating a workflow with a trigger (e.g.

Detection created) and an action (falcon.quarantineFile) to automate this response. (Reference: CrowdStrike Falcon Platform Documentation

Falcon Fusion Workflow Guide

"Available Actions" and "Building a Workflow" sections).

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE