The likely cause is that the laptop is not a member of a host group assigned to the custom prevention policy. Falcon policies are applied through host group membership and policy precedence. A policy must be enabled and assigned to one or more host groups; Falcon then applies the policy settings to hosts based on their group membership. If a host is not in any group assigned to an enabled custom policy, it automatically receives the Default Policy. Since the custom policy is already enabled and successfully running on more than 1,000 other hosts, the policy itself is functioning correctly. The issue is therefore not sensor health, firewall connectivity, or a manual prompt. Falcon does not require a 24-hour waiting period before applying custom policies to newly installed hosts, and administrators do not manually approve policy application on the endpoint through a local prompt. The resolution is to verify the laptop’s group membership, dynamic group criteria, tags, OU, hostname pattern, or other assignment rule used by the custom policy’s host group. Reference topics: Policy Application, host group membership, default policy fallback, prevention policy assignment.

The correct approach is to create a custom IOA rule that monitors process creation matching .*\\remote\.exe. The goal is to generate a detection for review when an authorized remote access executable runs. Custom IOAs are specifically suited for detecting organization-specific behaviors, including process creation based on executable path or command-line patterns. An exclusion would suppress detections, not create them. A scheduled search may find process events after the fact, but it does not create a Falcon detection in the same way a custom IOA does. An IOC for remote.exe would be less precise unless based on a hash and would not express the behavioral “process creation” condition. The course guide identifies custom IOA process creation rules as the correct tool for this use case.

A custom IOA rule is not fully functional until its rule group is assigned to a prevention policy . Custom IOAs are created inside rule groups, and those groups must be enabled. However, Falcon applies custom IOA rule groups to endpoints through prevention policies. If the rule and rule group are enabled but not assigned to a prevention policy that applies to the target hosts, the rule will not trigger detections. There is no requirement to manually trigger the rule, and hosts are not individually selected as the primary application method. Host targeting occurs through prevention policy assignment to host groups. The CCFA guide explicitly states that rule and group enablement alone is insufficient without prevention policy assignment.

Sensor updates are managed through sensor update policies assigned to host groups. Falcon uses host group membership to determine which policy applies to a host. Sensor update policies control whether hosts remain pinned to a specific version, automatically update to a relative version such as Auto - N-1 or Auto - N-2, or receive specific maintenance protections. Prevention policies control security behavior, not sensor versioning. Manual updates do not scale and are not the Falcon administrative model for enforcing consistent versions across many endpoints. Direct installation is only the initial deployment mechanism, not ongoing update governance. The course guide emphasizes using host groups and sensor update policies to control sensor maintenance at scale across Windows, macOS, and Linux platforms.

The best answer is Managed Assets dashboard . This dashboard-oriented view is used for operational visibility across managed endpoints and helps administrators understand how assets are distributed across important attributes, including policy-related coverage. The question asks for a “top-ten” review of sensor update, prevention, and device control policies as new hosts are added to the CID, which aligns with dashboard summarization rather than a per-host daily report. The Sensor Policy Daily Report is useful for reviewing assigned groups and policies for hosts, but it is not the best answer for a high-level top-ten usage review. Executive Summary is broader leadership reporting, not the operational location for policy-use distribution across managed assets. The CCFA reporting objective here is policy coverage awareness at scale.

A Falcon Administrator role alone does not grant the ability to initiate a Real Time Response session. RTR access is controlled by dedicated Real Time Responder roles, and the course guidance is explicit that “you must have a Real Time Responder role to connect to a host” and that “the Falcon Administrator role doesn’t include access to Real Time Response.” The administrator must be assigned one of the RTR roles, such as Real Time Responder - Read Only Analyst, Active Responder, or Administrator, depending on the level of command access required. A logged-in user on the endpoint does not prevent RTR connection, and Falcon can also connect to hosts that are network contained as long as RTR requirements are met. Another analyst session may affect operational coordination, but it is not the primary cause in this scenario. The correct CCFA topic alignment is User Management and Real Time Response role assignment.

Sensors in Reduced Functionality Mode can be displayed by going to Host Management and filtering for RFM . Host Management provides filterable host attributes and operational states, including RFM. This allows administrators to quickly identify systems where the sensor is operating with reduced capability, usually because of unsupported or uncertified kernel conditions. Sensor health reporting can provide operational status, but the course guide specifically identifies the Host Management page as a method for filtering the host list to show devices currently in RFM. “Host status” and “Sensor status” are not the precise UI locations described in the answer choices. Therefore, the direct and verified workflow is Host Management > filter for RFM.

The highest level of protection in the three-phase prevention policy model is Phase 3 . Falcon’s staged policy model allows organizations to begin with safer detection-focused settings, then progress toward stronger prevention as false positives are triaged and exclusions are tuned. Phase 1 is intended for initial deployment, especially when pre-existing antivirus or HIPS is present, and is more conservative. Phase 2 increases enforcement and aligns more closely with recommended protection. Phase 3 represents the fully realized best-practice posture with the highest protection level among the listed phases. CCFA policy application guidance emphasizes progressing through these phases deliberately, using detection review, allowlisting, exclusions, and change control before applying the most protective settings broadly.

The least privilege role for extracting files with RTR is Real Time Responder - Active Responder . The Active Responder role includes the ability to use the get command to retrieve files from endpoints, along with additional response commands beyond read-only reconnaissance. The RTR Administrator role can also extract files, but it grants broader capabilities such as creating custom scripts, uploading files with put, and directly running executables, so it is not least privilege. Falcon Security Lead and Falcon Investigator are detection and investigation roles but do not provide the required RTR command authority by themselves. CCFA role design emphasizes giving users only the permissions needed to complete the task. For file extraction, Active Responder is sufficient and appropriately scoped.

A list of hosts that have not communicated with the CrowdStrike cloud is found in Inactive Sensors . The Inactive Sensors report identifies sensors that have not reported within a given timeframe and is intended for deployment coverage and operational health review. Host Groups organize systems for policy assignment but are not the report for cloud communication gaps. The Activity Dashboard focuses on detections, incidents, and security activity rather than sensor check-in status. Sensor Report provides an overview of active sensors, while Inactive Sensors specifically addresses hosts that have stopped reporting. CCFA dashboard and report guidance identifies Inactive Sensors as the report administrators use to locate endpoints that may be powered off, decommissioned, disconnected, or experiencing communication problems.