The additional option used to refine an Event trigger is a Condition . An Event trigger starts the workflow when a selected type of Falcon event occurs, but conditions narrow execution to events that match specific criteria. For example, a workflow may trigger on EPP detections but continue only when severity is high, hostname matches a test system, or platform equals Windows. Parameter, operator, and value are components of a condition, but “parameter” alone is not the workflow refinement object. Filter and Trigger Details are not the correct CCFA term for this workflow refinement step. Fusion SOAR design relies on conditions to prevent overly broad automation and to ensure response actions apply only to intended events.

A Fusion SOAR workflow condition is built from a parameter , an operator , and a value . The parameter is the field being evaluated, such as severity, hostname, platform, status, or detection type. The operator defines the comparison, such as equals, contains, is in, or is greater than. The value is the target value used in the comparison. This structure allows a workflow to start from a broad event trigger and then narrow execution to only the events that match the desired criteria. Alert, action, schedule, trigger, and source are workflow concepts, but they are not the three required components of a condition. The CCFA workflow model uses conditions to refine and control automation safely.

Sensor Tampering Protection is the prevention policy setting that blocks attempts to interfere with core Falcon sensor components. The official prevention policy guidance states that when this setting is enabled, it “blocks attempts to tamper with the sensor” and protects “sensor-related files, folders and registry objects from renaming or deletion.” If disabled, Falcon may still create detections for tampering attempts, but it will not block the activity. This distinction is important because attackers commonly attempt to disable or corrupt endpoint security tooling before establishing persistence, evading detection, or executing payloads. Host Modification Protection, System Configuration Protection, and Sensor Modification Protection are not the named Falcon prevention setting for this control. The correct CCFA topic alignment is Policy Application, specifically Prevention Policy Settings > Sensor Capabilities > Sensor Tampering Protection.

The best approach is to create a dynamic group with an assignment rule that filters for the OU . Because the OU is expected to gain members over time, dynamic membership ensures that new hosts automatically enter the appropriate group when their Active Directory OU attribute matches the rule. Targeting only Windows 10 would be imprecise because it would include hosts outside the intended OU and miss non-Windows-10 systems in scope. Excluding the OU is the opposite of the requirement. CCFA group creation guidance emphasizes dynamic groups for membership that should follow changing attributes such as OU, OS version, platform, tags, or host type. This supports scalable policy and exclusion assignment without manual updates.

To quarantine files, Falcon requires the relevant Next-Gen Antivirus prevention capability and the quarantine setting. The correct pairing is Next-Gen Antivirus Prevention sliders with Quarantine & Security Center Registration . Quarantine does not operate independently; Falcon must first prevent the file through NGAV-related controls such as cloud or sensor machine-learning prevention. Once prevention occurs, the quarantine setting governs whether the prevented executable is quarantined on the host. Custom Execution Blocking is related to IOC-based blocking, not the general NGAV quarantine requirement. “Advanced Remediation Actions” and an “Aggressive quarantine level” are not the documented configuration pair. The course guide identifies quarantine under Next-Gen Antivirus and ties it to prevention-level configuration and Security Center registration.

Inactive hosts are automatically removed from Host Management after 45 days of inactivity. Falcon considers hosts inactive when they have not reported to the cloud within the relevant timeframe. The Inactive Sensors reporting area is used to identify sensors that have not checked in, and the course guide notes that sensors inactive for more than 45 days are deleted from the active host view. This lifecycle behavior keeps Host Management from accumulating stale endpoint records indefinitely. Thirty days is too short for the default automatic removal period, and ninety days is longer than the documented default. Administrators should review inactive sensors regularly to identify decommissioned systems, connectivity problems, or deployment coverage gaps before records age out.

The correct administrative action is to add the architect’s email address to the managed recipient list for standard incident and detection notification emails in General settings. Falcon standard notification behavior already matches the stated requirement: CrowdStrike sends email notifications for detections with severity of medium or higher and sends incident notifications when a new incident reaches a CrowdScore of 1.0 or higher. The recipient list is managed from Support and resources > Resource and tools > General settings under “Manage list for detection and incident emails.” Creating a Falcon user or assigning a custom role does not automatically subscribe the architect to these standard email notifications. A Fusion SOAR workflow could send email, but it is unnecessary because the native notification mechanism already exists and is designed for this use case. The Detections and Exceptions Manager role controls exception management, not notification enrollment. CCFA reference topics: Falcon Notifications, General Settings, Standard Incident and Detection Notification Emails, Dashboards and Reports.

Because the detection is triggering only on a specific Falcon IOA, the correct remediation is an IOA exclusion scoped to the relevant detection context and file path. IOA exclusions are intended to reduce false-positive behavioral detections and preventions. Falcon guidance states that IOA exclusions “reduce false-positive detection alerts from IOAs” by stopping behavioral IOA detections and preventions, and they can be created directly from a CrowdStrike-generated detection or by duplicating an existing exclusion. A Custom IOC Allow would be appropriate for an indicator-based decision, such as a known-good hash, but this scenario is explicitly behavioral because the trigger is a Falcon IOA. Manually disabling the built-in IOA through prevention policies is too broad and weakens protection beyond the single development artifact. A sensor visibility exclusion would suppress sensor event visibility and is broader than required. CCFA reference topics: Detection and Prevention Policies, IOA Exclusions, Rule Configuration, false-positive handling.

The recommended approach is to minimize the number of groups while still meeting policy and operational requirements. Host groups are central to policy assignment, sensor updates, prevention tuning, containment workflows, and response policies. Excessive or overlapping groups make precedence difficult to reason about and increase the chance that hosts receive unexpected policies. Department-based or IP-only grouping may be useful in specific cases, but they should not be used indiscriminately. CCFA best practice is to design groups around clear policy intent, stable attributes, and operational need. Dynamic groups should be preferred when membership can be defined reliably by attributes such as OS, OU, tags, or host type. A smaller, well-governed group model is easier to audit and maintain.