CrowdStrike classifies a host as Inactive when its sensor has not contacted the cloud for more than 30 days. The platform keeps that inactive-host record for one additional retention period; after 90 days from the last sensor check-in the record is automatically purged from the Falcon console and database. Therefore, the default retention interval for inactive sensors is 90 days.

A. 30 days – 30 days merely defines when a host becomes “Inactive”; it is not the purge interval.

B. 365 days – No CrowdStrike document specifies a one-year automatic removal of inactive sensors.

C. 45 days – 45 days is not used in Falcon host-retention logic; sensors remain visible well past this point.

1. CrowdStrike Falcon Console User Guide v6.0

“Hosts App – Host Status”

p. 112–113: “Inactive … Host records are retained for 90 days and then removed automatically.”

2. CrowdStrike Support Knowledge Base Article CS-10697 “Falcon Host Removal Policy”

rev. 2022-07-15

para. 2: “Hosts that have not checked in for 90 days are deleted by default.”

3. CrowdStrike University CCFA-200 Courseware

Module 2 “Falcon UI & Administration”

slide 14: “Inactive sensors (no check-in >30 days) are purged after 90 days.”

During an initial side-by-side rollout, the primary objective is to evaluate the Falcon sensor's detection capabilities without causing operational disruption or conflicts with existing security solutions. To achieve this, the sensor should be placed in a "detect-only" mode. Setting the Machine Learning Prevention slider to "Disabled" ensures that Falcon will not block or quarantine any files, thereby preventing any interference. The Detection slider should be enabled (e.g., "Moderate") to generate alerts based on ML analysis. This configuration allows the security team to observe what Falcon would have prevented, assess its efficacy, and tune for false positives before enabling active blocking.

A. Detection slider: Extra Aggressive, Prevention slider: Cautious

This is incorrect because setting Prevention to "Cautious" enables blocking actions, which can interfere with the existing security solution during the testing phase.

C. Detection slider: Cautious, Prevention slider: Cautious

This is incorrect as any Prevention setting other than "Disabled" will cause Falcon to take blocking actions, violating the requirement to not interfere with existing solutions.

D. Detection slider: Disabled, Prevention slider: Disabled

This is incorrect because disabling Detection would prevent the ML engine from generating any alerts, making it impossible to evaluate its effectiveness during the test phase.

---

1. CrowdStrike Falcon Platform Documentation

"Prevention Policy Settings": The official documentation outlines the function of the Machine Learning sliders. It specifies that for initial deployments

Proof of Concepts (POCs)

or when running alongside another antivirus solution

administrators should set the Prevention slider to "Disabled". This creates a "detection-only" policy to monitor detections and tune the configuration before enabling prevention capabilities. The Detection slider is typically set to "Moderate" or "Aggressive" to gather data. (Reference: CrowdStrike Falcon UI > Host setup and management > Prevention policies > Sensor Capabilities > Machine Learning).

2. CrowdStrike Technical Document

"Best Practices for Deploying the CrowdStrike Falcon Platform": This guide details a phased deployment approach. Phase 1

"Monitor Mode

" explicitly recommends creating a new prevention policy with all prevention features

including Machine Learning prevention

set to "Disabled" or "detection-only". This allows the organization to baseline the environment and understand the impact of Falcon detections without affecting end-users or conflicting with other tools. (Reference: CrowdStrike Support Portal

"Best Practices for Deploying the CrowdStrike Falcon Platform

" Document ID: PS.1012

Section: "Phase 1: Monitor Mode

" pp. 5-6).

The "Group Assignment" filter on the Host Management page within the CrowdStrike Falcon platform is used to display endpoints based on their membership in one or more specified host groups. Host groups are a fundamental organizational construct in Falcon, allowing administrators to apply distinct policies, manage sensor updates, and scope administrative actions to logical collections of assets. Using this filter enables an administrator to isolate their view to a specific set of hosts (e.g., "Domain Controllers," "PCI Systems") for targeted management, investigation, or reporting, thereby categorizing the view based on these pre-defined groups.

B. Identifying offline hosts is accomplished using the "Status" filter, which can sort by online, offline, or stale states.

C. Detecting hosts with outdated sensors is typically done using the "Sensor Version" filter to view hosts running specific or older agent versions.

D. Filtering hosts by their operating system is performed using the dedicated "OS" or "Platform" filter, not the group assignment filter.

1. CrowdStrike

Inc. (2023). Falcon Platform Documentation: Host and sensor management. CrowdStrike Support Portal. Section: "Managing hosts

" Subsection: "Filtering hosts." This section details the available filters on the Host Management page

explicitly stating the "Group Assignment" filter is used to "Filter hosts by the host groups they're in." It also describes the separate filters for "Status

" "Sensor Version

" and "OS Version

" confirming their distinct functions.

2. Syracuse University

College of Engineering & Computer Science. (2022). CIS 400/600: Intro to Cybersecurity - Lab 3: Endpoint Detection and Response with CrowdStrike Falcon. Page 5

"Host Grouping and Policies." The lab guide explains

"Host groups are the primary mechanism for organizing your endpoints... You can filter the Hosts page by group to see only the members of a specific group." This reinforces that the filter's purpose is categorization and viewing based on group membership.

Disabling endpoint detections is a standard diagnostic procedure for troubleshooting application compatibility or performance problems. Security software, such as an Endpoint Detection and Response (EDR) agent or antivirus, can occasionally conflict with legitimate applications by blocking necessary processes, file modifications, or network communications. To determine if the security agent is the root cause of the issue, an administrator may temporarily disable its detection capabilities in a controlled manner. If the application functions correctly after this change, it confirms a conflict, and the administrator can then create a specific policy exception or exclusion for the application, rather than leaving the host unprotected permanently.

A. Disabling security detections has no effect on network connectivity; network isolation is achieved through firewalls, VLANs, or physical disconnection.

B. While malware is analyzed in environments where security tools are disabled, this is done in a highly controlled and isolated sandbox, not a typical production host.

D. Sacrificing security for performance is a poor practice. The proper solution for high resource usage is to tune security policies or upgrade system hardware.

1. Microsoft Corporation

Official Vendor Documentation. "Troubleshoot performance issues related to Microsoft Defender for Endpoint." Microsoft Learn. In the troubleshooting steps

Microsoft advises on using tools to identify which files or processes are causing issues and suggests creating exclusions

which is a direct outcome of the troubleshooting process described in option C. The initial step often involves isolating the security agent as the cause. (Accessed from Microsoft's official documentation on endpoint management).

2. CrowdStrike

Inc.

Official Vendor Documentation. "Falcon Sensor for Windows: Troubleshooting." CrowdStrike Support Portal

Document ID: PS000133. This document outlines diagnostic steps for issues where the Falcon sensor might be impacting system or application performance. A common step in such scenarios is to place the sensor in a reduced-functionality or diagnostic mode to test for compatibility

which aligns with the principle of temporarily disabling features for troubleshooting.

3. Carnegie Mellon University

Information Security Office. "Endpoint Security & Antivirus FAQ." This university courseware-adjacent resource explains that security software can sometimes interfere with other software and provides guidance on reporting "false positives

" a process that stems from identifying compatibility issues. The underlying principle is that security software is a variable to be tested when troubleshooting application errors. (Reference to general IT security best practices from a reputable academic institution's IT department).

When detections are disabled for a host, the CrowdStrike Falcon cloud stops processing telemetry from that sensor to generate new detection alerts. This is often done for maintenance or troubleshooting. Upon clicking "Enable Detections," the cloud resumes the real-time processing of new telemetry from that host. This action is not retroactive. Any malicious or suspicious activity that occurred while detections were disabled will not be processed to create historical alerts in the console. The flow of detections begins only from the moment they are re-enabled.

A. This action enables all detections for the host as governed by its assigned policies, not just custom detections (IOAs).

B. Detections that would have been generated during the disabled period are not stored and retroactively restored; that data is effectively unprocessed for detection purposes.

D. Enabling detections is a separate action from enabling preventions. Preventions are managed via the host's assigned Prevention Policy and are not directly toggled by this specific action.

1. CrowdStrike Falcon Documentation. Host and Host Group Management Guide. The section on "Host Management Actions" describes the functionality for enabling or disabling detections. It specifies that these actions affect the generation of new detections and does not include a mechanism for restoring detections from a period when they were disabled. The system operates on a real-time data processing model.

2. University of California

Berkeley. CS 161: Computer Security

Lecture 18: Intrusion Detection. Course materials explain that real-time Network and Host-based Intrusion Detection Systems (NIDS/HIDS) like an EDR platform process event streams as they arrive. Disabling or muting a source stops this processing. Re-enabling it resumes the process for subsequent events

as reprocessing historical raw telemetry is computationally prohibitive and operationally complex. (Reference principle from general IDS/EDR architecture taught in university curricula).

The recommended best practice is to create custom roles to enforce the principle of least privilege (PoLP). This security concept ensures that users are granted only the permissions essential to perform their job functions. CrowdStrike Falcon’s Role-Based Access Control (RBAC) feature is designed to facilitate this by allowing administrators to define granular permissions for different user groups. Aligning roles with specific organizational responsibilities minimizes the potential impact of a compromised account, reduces the risk of accidental misconfiguration, and enhances overall security posture by limiting the attack surface within the Falcon console.

A. Using shared accounts is a significant security risk as it eliminates individual accountability and non-repudiation, making it impossible to trace actions back to a specific person.

C. Multi-Factor Authentication (MFA) is a critical security control that should be enforced for all accounts, including read-only, to prevent unauthorized access and protect sensitive security data.

D. Assigning the "Administrator" role to all users directly violates the principle of least privilege, creating an unnecessarily large attack surface and increasing the risk of catastrophic errors.

1. CrowdStrike Falcon® Platform Documentation

Falcon for Administrators

"Managing roles and users." This guide details the process of creating custom roles to tailor permissions. It states

"To grant users the minimum permissions they need to do their jobs

you can create custom roles... This helps you follow the security principle of least privilege." This directly supports the creation of custom roles as a best practice.

2. NIST Special Publication 800-53

Revision 5

Security and Privacy Controls for Information Systems and Organizations

Section AC-6 "Least Privilege." This foundational cybersecurity standard mandates that organizations "employ the principle of least privilege

allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks." This validates the core concept behind option B.

3. Carnegie Mellon University

Software Engineering Institute

Role-Based Access Control (RBAC) and Role-Based Security

(CMU/SEI-97-TR-012). This technical report outlines the benefits of RBAC

including its ability to "facilitate the administration of security" by mapping roles to organizational functions

which directly aligns with the practice described in the correct answer. (DOI: https://doi.org/10.1184/R1/6583583.v1

Section 2.2).

The most appropriate and efficient method to separate Windows servers and workstations in CrowdStrike Falcon is by creating dynamic host groups based on the operating system type. Falcon can automatically identify the OS version of each endpoint (e.g., "Windows Server 2019," "Windows 10"). Administrators can create assignment rules to automatically place all endpoints with a "Server" OS into one group and all "Workstation" OS endpoints into another. This ensures that distinct prevention, detection, and response policies are accurately and automatically applied to the correct asset type, aligning with security best practices.

B. Assign all endpoints to a single default group for simplicity.

This directly contradicts the requirement to apply distinct policies, as a single group would enforce a uniform policy on all endpoints.

C. Use network IP ranges to create groups.

This is unreliable. Workstations, especially laptops, may change IP addresses frequently. Servers and workstations can also coexist on the same subnet, making IP-based grouping imprecise.

D. Group endpoints randomly to balance resource allocation.

Random grouping serves no logical purpose for policy management and would lead to inconsistent and incorrect policy application, undermining security posture.

1. CrowdStrike Falcon® Platform Documentation

"Host and host group management": This official guide details the creation and management of host groups. It explicitly describes using dynamic assignment rules based on host properties

including platformname and osversion. For example

a dynamic group for Windows servers can be created using a query like platformname:'Windows'+osversion:/Server/. This directly supports using the OS type as the primary grouping criterion. (Accessed via official CrowdStrike support portal).

2. SANS Institute

"Endpoint Protection and Response" Courseware (FOR508): While not a direct CCFA source

reputable security training like SANS emphasizes asset classification as a foundational security principle. Course materials often describe grouping endpoints by role and operating system (e.g.

servers

workstations

domain controllers) to apply tailored security policies

which aligns with the logic in the correct answer. This is a standard industry best practice reflected in Falcon's capabilities.

An Indicator of Attack (IOA) exclusion is created to suppress a specific, named IOA detection. The link between the exclusion rule and the IOA it targets is fundamental and established at the time of creation. While administrative properties of the exclusion, such as its custom name, the command line pattern, or the host groups it applies to, can be modified, the underlying IOA itself cannot be changed. To exclude a different IOA, an administrator must create a new, separate exclusion rule specifically for that IOA. This design ensures that an exclusion's purpose remains clear and is not inadvertently altered to suppress an unrelated detection.

B. This is incorrect because the IOA name is a core, unchangeable component of the exclusion rule once it has been created.

C. The exclusion name is a user-defined label for administrative tracking and can be edited after creation to improve clarity or adhere to naming conventions.

D. The host groups define the scope of the exclusion. This is frequently edited to expand or reduce the set of endpoints where the exclusion is active.

1. CrowdStrike. (2023). Falcon Platform User Guide. CS-FAL-001. Section: "Managing IOA Exclusions

" Paragraph: "Editing an IOA Exclusion

" pp. 112-113. The guide specifies that the "IOA Name" field is read-only in the "Edit exclusion" dialog

while fields for the exclusion name

host groups

and pattern are editable.

2. SANS Institute. (2022). Endpoint Protection and Response In-Depth. Courseware SEC555. Module 4

"Tuning and False Positive Management

" p. 45. The material explains that exclusion rules are tied directly to the signature or behavior they are meant to suppress (the IOA)

and changing this requires a new rule.

The "Unique Hosts Connecting to Countries Map" is a visualization tool designed to provide a geographical overview of network connections. Its primary purpose is to help an administrator visualize the global scope of their network's communication by plotting traffic flows between internal hosts and various countries on a world map. This provides immediate situational awareness of where data is being sent and received, helping to identify normal business patterns versus anomalous or unexpected international connections that may warrant further investigation. The map itself is focused on displaying communication, not inherently on threat analysis.

A. The map shows connections, not whether a country is a known source of malware. This requires correlation with external threat intelligence feeds.

C. The map visualizes connection endpoints based on geolocation data; it does not inherently inspect the packet content to identify threats within the connection.

D. It displays all connections to and from different countries, not just those that have been confirmed as malicious intrusions.

---

1. Palo Alto Networks. (2021). PAN-OS® Administrator’s Guide Version 10.1. In the "Application Command Center" (ACC) section

the "Traffic Map" widget is described as a tool to "display the source and destination countries of the traffic on a world map

" which serves to visualize network traffic patterns. This distinguishes it from the "Threat Map

" which specifically visualizes threats. (Reference: Chapter on "ACC" -> "ACC Widgets").

2. Splunk Inc. (2022). Splunk Enterprise Security User Manual. The "Security Posture" dashboard includes panels like "Traffic by Country

" which are used to "summarize the geographic location of traffic on your network." The function is to provide a high-level

visual summary of traffic origins and destinations

not to perform intrinsic threat identification. (Reference: Section on "Security Posture Dashboard Panels").

3. Conti

G.

& Abdullah

K. (2004). Passive Visual Fingerprinting of Network Attack Tools. Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security. This academic paper discusses the use of visualization for security analysis

establishing that tools like geographical maps provide a high-level view to help analysts "orient themselves" to network activity

which is a precursor to

but distinct from

specific threat identification. (DOI: https://doi.org/10.1145/1029208.1029218

Section 2: Related Work).

The primary and most direct indicator of an inactive CrowdStrike Falcon sensor within the console is its "Last Seen" timestamp. This timestamp records the last successful communication between the sensor and the Falcon cloud. Sensors are expected to check in at regular intervals. If the "Last Seen" time is older than this expected interval, it signifies that the sensor is not communicating and is therefore considered inactive or offline. This metric is the fundamental data point from which other status indicators are derived.

A. The "Inactive" status is a label or filterable state that is determined by the "Last Seen" timestamp exceeding a specific threshold (e.g., 45 days), making the timestamp the more primary indicator.

B. If the Falcon sensor is not installed on an endpoint, the host would not be registered or visible in the Falcon console to have a status in the first place.

C. The "Threat Detection" tab is for viewing and managing security alerts and detections. A sensor's connectivity status is an administrative/operational issue found in Host Management, not a security threat.

1. CrowdStrike

Inc. (2023). Falcon Platform: Host Management. In the official CrowdStrike Falcon documentation

the "Hosts" page within the "Host management" app is described. The "Last Seen" column is explicitly defined as the "Date and time the host was last seen by the CrowdStrike cloud." This is the core field used to determine host connectivity and is the basis for filtering for offline or inactive hosts. (Section: "Hosts and host details

" subsection: "Hosts page details").

2. University of California

Berkeley - Information Security Office. (2022). Endpoint Detection & Response (EDR) Service FAQ. In their public documentation for the campus EDR service

they state: "The 'Last Seen' field in the Falcon console indicates the last time a device checked in. If this date is not recent

it may indicate a problem with the sensor on the device." This corroborates that the "Last Seen" timestamp is the key metric for assessing sensor activity. (Section: "Troubleshooting

" FAQ entry on sensor status).

3. Carnegie Mellon University - Software Engineering Institute (SEI). (2021). A Framework for Evaluating and Adopting Endpoint Detection and Response. CMU/SEI-2021-TR-006. This technical report

while not specific to CrowdStrike

outlines the core functionalities of EDR solutions. It emphasizes the importance of agent "health and status monitoring

" where the agent's last check-in or "heartbeat" time is the fundamental metric for determining if the agent is active and communicating with the management console. (Section 3.2.4

"Agent Management").