The role that allows a Falcon user to create Real Time Response custom scripts is Real Time Responder – Administrator . Falcon separates RTR permissions into three default responder roles. Read Only Analyst can run reconnaissance-style commands. Active Responder can run read-only commands plus additional response commands, including commands that modify host state and certain approved custom scripts. However, creating custom scripts, uploading files for the put command, and directly running executables with run are reserved for the RTR Administrator role. This distinction is important because custom scripts can perform powerful host-level actions and must be restricted to experienced incident response personnel. The course guide also notes that users must have an RTR role to access RTR functionality at all; Falcon Administrator alone does not automatically include RTR access. “Real Time Responder – Script Developer” is not one of the standard RTR roles. Reference topics: User Management, Real Time Response Roles, Custom Scripts, RTR Role Permissions.

The correct parameter is VDI=true. In virtual desktop or cloned virtual machine scenarios, Falcon must avoid duplicate Agent IDs across clones. Persistent clone workflows require sensor installation to be performed with the correct VDI parameter so that each cloned endpoint registers properly and receives a unique identity. ProvNoWait=1 is used for provisioning-timeout behavior and does not address duplicate Agent IDs. NO_START=1 is used in some deployment contexts to delay sensor start but is not the VDI identity control. VM=True is not the documented Falcon parameter. CCFA sensor deployment guidance treats VDI and golden-image preparation as a distinct deployment pattern because cloning a sensor incorrectly can duplicate identity and corrupt host tracking, policy assignment, and detection attribution.

The correct answer is to implement a Sensor Visibility Exclusion on the particular host. An SVE suppresses visibility for specified activity so that known, approved testing does not flood the Falcon console with detections or events that leadership does not need to track. This is more targeted than disabling all detections on a host and more appropriate than generating additional workflow notifications. Using RTR to kill the process would interfere with the authorized penetration test. Temporarily disabling detections may remove existing detections and suppress all detection reporting from that host, which is broader and riskier than applying a scoped exclusion. CCFA exclusion guidance stresses selecting the narrowest exclusion type that matches the operational requirement while preserving meaningful security visibility elsewhere.

The most likely reason the “Servers” host group is not available is that it is already assigned to another prevention policy. Falcon prevention policies are applied to hosts through host groups. When assigning host groups to a prevention policy, the console only presents groups that are currently available for assignment. The official prevention policy workflow states that after a host group is assigned to a policy, that host group no longer appears in the list of available groups. This prevents accidental duplicate assignment within the same policy assignment workflow and helps preserve predictable policy targeting. The group does not need to be disabled before assignment, and host type is not defined inside the prevention policy itself. The policy also does not need to be enabled before groups can be assigned; assignment can be configured before enabling the policy. Therefore, the unavailable “Servers” group indicates that it already has a prevention policy assignment. Reference topics: Policy Application, Prevention Policies, Assigned Host Groups, Host Group Policy Assignment.

Excluding mobile devices, Falcon network containment applies to Windows, Linux, and macOS hosts running the Falcon sensor . Network containment is a host-level response action that restricts a system’s network connectivity while maintaining required communication with CrowdStrike cloud services. Falcon allows administrators to contain hosts directly from host or detection workflows, and the official guidance states that Windows, Mac, and Linux hosts can be contained from the detection summary panel. Falcon Container is not the correct inclusion here because the documentation notes that Falcon Container does not support network containment for pods. Therefore, any answer including container hosts is overbroad. Windows-only, Mac-only, or Linux-only combinations are incomplete because Falcon supports containment across the three primary endpoint operating systems. The practical requirement is that the endpoint must be running the Falcon sensor and must be a supported host type for containment. Reference topics: Host Management and Setup, Network Containment, Containment Actions, Supported Host Platforms.

When a Linux sensor enters RFM, it stops processing both events and detections, but it continues sending basic status information such as SensorHeartBeat events to indicate that the sensor is installed. Linux RFM is more restrictive than Windows RFM. On Windows, the sensor may still monitor and report at reduced capacity, but on Linux, unsupported kernel or user-mode requirements can result in no detections or process events. The course guide explains that Linux sensors in RFM do not have detections or process events but continue to send heartbeat status. Therefore, the correct answer is that event and detection processing stop, while basic status continues.

Fusion SOAR workflow imports use YAML format. YAML is commonly used for declarative workflow definitions because it is human-readable while still preserving structured configuration such as triggers, conditions, actions, branches, and parameters. CSV is a tabular format and cannot represent workflow logic reliably. JSON is structured but is not the expected import format in this context. “SOAR” is a functional category, not a file format. When workflow imports fail, administrators should validate the file structure, indentation, required fields, and supported action/trigger references in the YAML file. The CCFA workflow topic emphasizes that native Falcon automation must match the supported Fusion SOAR workflow structure to import and execute successfully.

The likely restriction is that Custom Scripts is not enabled in the response policy. RTR permissions are controlled by both user role and response policy. An Active Responder can run certain custom scripts when the host’s response policy permits Custom Scripts. If that setting is disabled, the user may have the correct RTR role but still be blocked from executing the script on that host. Put-and-Run is associated with uploading and running executables and is broader than the custom-script control. Script-Based Execution Monitoring is a prevention visibility setting, not an RTR permission. RTR Administrator is required for creating custom scripts and some higher-risk actions, but an Active Responder can execute allowed custom scripts when policy permits.

Fusion SOAR workflows are built around the operational sequence of Trigger, Condition, and Action . The trigger defines the Falcon event or schedule that starts the workflow. The condition refines when the workflow should proceed by evaluating event attributes, such as severity, hostname, detection type, source, status, or other parameters. The action defines what Falcon should do after the trigger occurs and the condition is satisfied, such as assigning a detection, sending a notification, containing a host, creating a ticket, or running a response action. The official workflow guidance describes creating workflows by choosing a trigger, adding conditions to refine the trigger, and defining actions that run when the exact trigger conditions are met. Rule Type, Filter, and Objective are not the Fusion workflow execution structure. Those terms are more closely associated with detection logic or classification, not workflow automation. Reference topics: Fusion SOAR workflows, workflow triggers, workflow conditions, workflow actions.

IP addresses are added to a containment policy to allow contained hosts to communicate with specific trusted resources during network containment. Network containment isolates the host to reduce attacker movement while maintaining required Falcon cloud communication. Organizations may need contained hosts to access patch servers, update sources, remediation infrastructure, domain services, or other tightly controlled internal systems. The purpose is not to automate containment based on IP address; automation is handled through workflows. Analyst permissions are controlled by user roles, not containment policy IP entries. Falcon console access is unrelated because containment policy applies to endpoint network communication, not administrative access to the web console. The course guide explicitly connects containment-policy IP allowances with patching and controlled access during containment.