CrowdStrike Certified Falcon Administrator (CCFA) — Question 56

Your organization has a set of servers that are not allowed to be accessed remotely, including via Real Time Response (RTR). You already have these servers in their own Falcon host group. What is the next step to disable RTR only on these hosts?

Answer options

• A. Edit the Default Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
• B. Edit the Default Response Policy and add the host group to the exceptions list under "Real Time Functionality"
• C. Create a new Response Policy, toggle the "Real Time Response" switch off and assign the policy to the host group
• D. Create a new Response Policy and add the host name to the exceptions list under "Real Time Functionality"

Correct answer: C

Explanation

The correct answer is C because creating a new Response Policy allows you to specifically disable RTR for the designated host group without affecting other policies. Option A is incorrect as it applies changes to the Default Response Policy, which could impact other hosts. Option B is not suitable because adding the host group to exceptions would not effectively disable RTR for them. Option D is incorrect since it addresses individual host names rather than the entire group.