Question 18 - CrowdStrike CCFA-200b Real Exam Questions [June 2026 Update]

Q: 18

When a host is placed in Network Containment, which of the following is TRUE?

Options

Correct Answer:

Explanation

Network Containment is a critical response action that isolates a host from the network to prevent threat propagation. However, it is not a complete blackout. The feature is designed to block all network traffic except for communication with the CrowdStrike Falcon Cloud. This ensures the sensor remains online for further investigation and response actions. Additionally, administrators can configure the standard Falcon Firewall policy to include rules that will still be honored even when the host is contained, allowing specific tools or personnel to access the machine for remediation.

Why Incorrect

A. The containment feature blocks traffic at the host level, irrespective of whether it is destined for the local network or an external one.

C. This is incorrect because the host must maintain communication with the Falcon Cloud to receive commands, upload data, and allow for remote response.

D. The term "Containment Policy" is not the correct terminology for configuring these exceptions. The exceptions are managed within the Falcon Firewall Policy, which is applied to the host group.

References

1. CrowdStrike Falcon® Platform Documentation

Firewall Management: Containment. (Accessed via CrowdStrike Support Portal). The documentation explicitly states: "When a host is contained

it can still communicate with the CrowdStrike cloud. You can also create firewall rules to allow other specific traffic for contained hosts." This directly supports the fact that both Falcon Cloud communication and specific rules in the Firewall Policy are the exceptions.

2. CrowdStrike Falcon® Platform Documentation

Host and Cloud Management: Containing Hosts. (Accessed via CrowdStrike Support Portal). This section details the containment process

noting: "Containing a host isolates it from your network to prevent threats from spreading. The host can still communicate with CrowdStrike

and you can use firewall policy rules to allow other network connections." This confirms that the mechanism for allowing extra traffic is the firewall policy

not a separate "containment policy."

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE