
Free and Premium CrowdStrike CCFR-201b Dumps Questions Answers

Page: 1 / 15
Total 199 questions

CrowdStrike Certified Falcon Responder Questions and Answers

Question 1

While investigating a detection, you pivot to the Advanced Event Search.

Which field would you filter by to return events executing from a specific directory on the host?

Options:

A.

TreeId

B.

@source

C.

ParentBaseFileName

D.

FilePath

Question 2

CrowdStrike implements a specific framework within the Falcon console to help responders categorize detections based on the adversary’s ultimate goals and the technical means used to achieve them. This classification system, which maps activity to known industry standards, is known as the:

Options:

A.

MITRE-Based Falcon Detections Framework

B.

Falcon Adversary Attribution and Motivation Matrix

C.

Unified Behavioral Threat Hunting Schema

D.

CrowdStrike Intelligence Lifecycle Mapping

Question 3

Sensor Visibility Exclusion patterns are written in which syntax?

Options:

A.

Glob Syntax

B.

Kleene Star Syntax

C.

RegEx

D.

SPL (Splunk)

Question 4

Administrators can define their own criteria for alerts. Which of the following is an example of a custom detection within the Falcon platform?

Options:

A.

Sensor-based Malware Detections

B.

Blacklisted Hashes

C.

Overwatch Managed Detections

D.

Behavioral IOA Detections

Question 5

The Activity Dashboard is a core feature for security teams. What is the primary purpose of this dashboard?

Options:

A.

To manage the installation and update of Falcon sensors.

B.

To provide a summary of the current threat state and active detections in the environment.

C.

To view the raw telemetry of every event happening on the network.

D.

To audit the changes made by other Falcon administrators.

Question 6

When a responder chooses to 'Release' a file from quarantine because it was determined to be a false positive, what type of allowlist is automatically created in the background?

Options:

A.

Filename-based allowlist

B.

Hash-based allowlist

C.

Path-based allowlist

D.

Command-line allowlist

Question 7

When investigating system-level persistence, it is critical to know what the services.exe process is responsible for. What is its primary function?

Options:

A.

Managing user profiles and registry hives during login.

B.

Launching and managing the lifecycle of system services.

C.

Monitoring network traffic for potential data exfiltration.

D.

Providing a graphical interface for the Windows Task Manager.

Question 8

You are pre-staging a Custom IOC for later use and want to save a file hash for later use after approval.

Which action should you use?

Options:

A.

Save Hash

B.

Monitor

C.

No Action

D.

Always Block

Question 9

What information is contained within a Process Timeline?

Options:

A.

All cloudable process-related events within a given timeframe

B.

All cloudable events for a specific host

C.

Only detection process-related events within a given timeframe

D.

A view of activities on Mac or Linux hosts

Question 10

An analyst notices a detection that has been automatically flagged with the 'New Activity' status. Which of the following statements best describes what this status indicates?

Options:

A.

A brand new detection has been triggered on a host that was recently added to the network.

B.

A detection that was previously moved to a resolved status has generated new telemetry and activity.

C.

A user has logged into a machine for the first time since the sensor was installed.

D.

The Falcon Overwatch team has manually verified that the detection is an active threat.

Question 11

In the full detection tree view, icons provide visual cues about the telemetry. What does the specific icon representing a 'Falcon' (blue bird) indicate to the responder?

Options:

A.

The file has been successfully quarantined by the sensor.

B.

There is related Intelligence (Intel) data available for this detection.

C.

The process has been identified as a legitimate system file.

D.

The host is currently undergoing a remote live response session.

Question 12

If the Falcon sensor identifies suspicious behavioral patterns—such as a process attempting to dump memory from lsass.exe—what specific type of detection will be generated?

Options:

A.

Indicator of Compromise (IOC)

B.

Indicator of Attack (IOA)

C.

Known Malware Alert

D.

Intelligence Data Match

Question 13

The Falcon sensor can automatically upload quarantined files to the CrowdStrike Cloud for further analysis. What is the maximum size allowed for a quarantined file to be uploaded?

Options:

A.

10MB

B.

32MB

C.

64MB

D.

128MB

Question 14

To manage the lifecycle of security incidents and review new alerts, a responder must navigate through the Falcon sidebar to which specific location?

Options:

A.

Investigate > Host Search > Alerts

B.

Endpoint Security > Monitor > Endpoint Detections

C.

Configuration > Security Policies > Detections

D.

Dashboards > Global Activity > Security Alerts

Question 15

A responder is using 'Host Search' to gather baseline data on a machine. Which of the following pieces of information is NOT provided by the Host Search results?

Options:

A.

List of running services and drivers.

B.

Macro Execution History for Microsoft Office products.

C.

Recent network connections and IP addresses.

D.

List of local user accounts and administrators.

Question 16

The Falcon platform will show a maximum of how many detections per day for a single Agent Identifier (AID)?

Options:

A.

500

B.

750

C.

1000

D.

1200

Question 17

An analyst is triaging a detection that has been categorized under the ‘Follow Through’ Objective Layer. Based on the Falcon technical documentation, which of the following adversary tactics is most likely to be observed within this specific layer?

Options:

A.

Credential Access through memory scraping

B.

Collection of sensitive data for exfiltration

C.

Initial Access via a drive-by download

D.

Discovery of local network shares and services

Question 18

In the 'Graph View' of a detection, processes are connected by arrows. Which of the following does a yellow arrow connecting two processes indicate?

Options:

A.

A standard Parent-Child relationship.

B.

A Network connection was established between the two processes.

C.

A Thread Injector-Injectee relationship (Process Injection).

D.

A file was written by the first process and read by the second.

Question 19

The primary purpose for running a Hash Search is to:

Options:

A.

determine any network connections

B.

review the processes involved with a detection

C.

determine the origin of the detection

D.

review information surrounding a hash's related activity

Question 20

To speed up investigations, Falcon uses 'event workflows'. Which of the following sentences best describes what event workflows are?

Options:

A.

They are automated scripts that perform remediation actions like killing processes.

B.

They are automated searches that can be used to pivot between related events and searches.

C.

They are PDF reports that summarize an incident for executive review.

D.

They are schedules for when the sensor should perform a full disk scan.

Question 21

When reviewing a Host Timeline, which of the following filters is available?

Options:

A.

Severity

B.

Event Types

C.

User Name

D.

Detection ID

Question 22

How are processes on the same plane ordered (bottom 'VMTOOLSD.EXE' to top 'CMD.EXE')?

Options:

A.

Process ID (Descending, highest on bottom)

B.

Time started (Descending, most recent on bottom)

C.

Time started (Ascending, most recent on top)

D.

Process ID (Ascending, highest on top)

Question 23

To maintain a logical flow during an incident post-mortem, CrowdStrike recommends describing adversary activity using a specific three-part sentence structure. Which combination best completes this sentence: "The adversary was trying to [1], by [2], using [3]"?

Options:

A.

<Technique>, <Tactic>, <Objective>

B.

<Objective>, <Tactic>, <Technique>

C.

<Objective>, <Technique>, <Tactic>

D.

<Tactic>, <Objective>, <Technique>

Question 24

Which of the following subtitles/sub-views cannot be seen in the results of a 'Hash Search'?

Options:

A.

File Metadata

B.

Process Timeline

C.

Intel Indicators

D.

Execution History

Question 25

The function of Machine Learning Exclusions is to___________.

Options:

A.

stop all detections for a specific pattern ID

B.

stop all sensor data collection for the matching path(s)

C.

stop all Machine Learning Preventions, but a detection will still be generated and files will still be uploaded to the CrowdStrike Cloud

D.

stop all ML-based detections and preventions for the matching path(s) and/or stop files from being uploaded to the CrowdStrike Cloud

Question 26

What actions are available for domain name-based Indicators of Compromise (IOCs) in Falcon?

Options:

A.

Detect only, Allow

B.

Block, Detect only, Allow

C.

Block, Allow, No action

D.

Detect only, No action

Question 27

A responder wants to verify why a certain quarantined file was not uploaded to the cloud. Which specific policy dictates whether quarantined files are permitted to be uploaded?

Options:

A.

Sensor Update Policy

B.

Prevention Policy

C.

Response Policy

D.

Quarantine Management Policy

Question 28

An administrator needs to download a file for analysis that was blocked by the sensor. Where are quarantine files located within the Falcon UI?

Options:

A.

Investigate > Quarantine

B.

Endpoint Security > Monitor > Quarantined Files

C.

Configuration > Response > Quarantine

D.

Dashboards > Security > Quarantine

Question 29

During the triage of a detection involving a newly created persistent task, which specific indicator is most important for a responder to identify the actual intent of the service?

Options:

A.

The total CPU usage of the parent process.

B.

The command-line arguments used during the task creation.

C.

The Agent ID (AID) of the host where the detection fired.

D.

The physical location of the endpoint in the office.

Question 30

Which of the following sentences best describes the primary objective of 'Real-time Analysis' within the Falcon platform?

Options:

A.

Analyzing historical logs from the past 90 days to find missed threats.

B.

Investigating incoming telemetry in real time or on a near real-time basis to catch active threats.

C.

Scanning every file on a hard drive once per week for dormant viruses.

D.

Manually updating the Falcon sensor on every machine in the fleet.

Question 31

When performing a 'Hash Search', which of the following is NOT a filter available for use?

Options:

A.

SHA256

B.

MD5

C.

File Type

D.

Filename

Question 32

When examining a detection process tree, several fields are provided to give context. Which of the following is NOT included in the standard fields of a detection process tree?

Options:

A.

Command Line

B.

User Name

C.

HTTP Post contents

D.

SHA256 Hash

Question 33

Filtering is essential for managing a high volume of alerts. Which of the following filters is available by default within the 'Endpoint Detections' dashboard to help narrow down specific threats?

Options:

A.

Triggering File

B.

Hardware BIOS Version

C.

Local Subnet Mask

D.

Sensor Update Policy Name

Question 34

From a detection, what is the fastest way to see children and sibling process information?

Options:

A.

Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessId_decimal)

B.

Select Full Detection Details from the detection

C.

Right-click the process and select "Follow Process Chain"

D.

Select the Process Timeline feature, enter the AID, Target Process ID, and Parent Process ID

Question 35

You are tasked with remediating adware for a host using a custom script via Real Time Response (RTR). When running the script, you get an error that the script is timing out.

How can you resolve this issue?

Options:

A.

Set the -timeout argument to off

B.

Set the -timeout argument to a longer period

C.

Rerun the script

D.

Change the timeout policy in the console settings

Question 36

While quarantined files stay on the local host for 30 days by default, how many days does a quarantined file remain stored in the CrowdStrike Cloud?

Options:

A.

30 days

B.

60 days

C.

90 days

D.

180 days

Question 37

In the 'User Search - File Written' section, a responder can see various files dropped by a user. Which of the following file types CANNOT be seen from this view?

Options:

A.

Scripts (.ps1, .sh)

B.

Executables (.exe)

C.

Executions (Process starts)

D.

Archive files (.zip, .7z)

Question 38

When examining a raw DNS request event, you see a field called ContextProcessId_decimal. What is the purpose of that field?

Options:

A.

It contains the TargetProcessId_decimal value for other related events

B.

It contains an internal value not useful for an investigation

C.

It contains the ContextProcessId_decimal value for the parent process that made the DNS request

D.

It contains the TargetProcessId_decimal value for the process that made the DNS request

Question 39

You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?

Options:

A.

Identifies a detailed list of all process executions for the specified hashes

B.

Identifies hosts that loaded or executed the specified hashes

C.

Identifies users associated with the specified hashes

D.

Identifies detections related to the specified hashes

Question 40

Depending on the subscription level, "Cloudable Events" (standard telemetry) have a specific retention period. What is the minimum period of time that these events are retained?

Options:

A.

1 day

B.

7 days

C.

14 days

D.

30 days

Question 41

CrowdStrike provides 'Overwatch Best Practices' for triaging alerts. According to these guidelines, what is the next step a responder should take immediately after the 'Understand the detection' step?

Options:

A.

Isolate the host from the network.

B.

Review the process tree to understand the origin of the activity.

C.

Perform an OSINT search for the suspicious hash.

D.

Resolve the detection as a True Positive.

Question 42

What happens when a hash is allowlisted?

Options:

A.

Execution is prevented, but detection alerts are suppressed

B.

Execution is allowed on all hosts, including all other Falcon customers

C.

The hash is submitted for approval to be allowed to execute once confirmed by Falcon specialists

D.

Execution is allowed on all hosts that fall under the organization's CID

Question 43

Within the MITRE-Based Falcon Detections Framework, what is the correct way to interpret Keep Access > Persistence > Create Account?

Options:

A.

An adversary is trying to keep access through persistence by creating an account

B.

An adversary is trying to keep access through persistence using browser extensions

C.

An adversary is trying to keep access through persistence using external remote services

D.

An adversary is trying to keep access through persistence using application skimming

Question 44

What does the Full Detection Details option provide?

Options:

A.

It provides a visualization of program ancestry via the Process Tree View

B.

It provides a visualization of program ancestry via the Process Activity View

C.

It provides a detailed list of detection events via the Process Table View

D.

It provides a detailed list of detection events via the Process Tree View

Question 45

Which specific event type in the Falcon telemetry is associated with the creation of a new 'TargetProcessId_decimal'?

Options:

A.

ProcessRollup2

B.

FileCreation

C.

NetworkConnect

D.

RegistryUpdate

Question 46

A responder is focused on a specific malicious script and wants to see everything that the script's process did. Which timeline is the best tool for this task?

Options:

A.

Host Timeline

B.

Process Timeline

C.

User Timeline

D.

Administrative Timeline

Question 47

What happens when a hash is set to Always Block through IOC Management?

Options:

A.

Execution is prevented on all hosts by default

B.

Execution is prevented on selected host groups

C.

Execution is prevented and detection alerts are suppressed

D.

The hash is submitted for approval to be blocked from execution once confirmed by Falcon specialists

Question 48

You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the following?

Options:

A.

ProcessTimeline Link

B.

PID

C.

UTCtime

D.

Process ID or Parent Process ID

Question 49

The 'Detection Resolutions' dashboard helps track team performance. Which of the following CANNOT be seen from this dashboard?

Options:

A.

Average time to resolve a detection.

B.

Total number of detections resolved by each analyst.

C.

The top 10 hosts/users/files with the most detections.

D.

The breakdown of True Positive vs. False Positive resolutions.

Question 50

A responder needs to find a specific sequence of network connections that did not trigger a detection. Which search tool allows them to search for anything within the raw telemetry?

Options:

A.

Host Search

B.

Event Search

C.

Hash Search

D.

User Search

Question 51

Evaluate the following process tree observed in a detection:

root > smss.exe > winlogon.exe > userinit.exe > explorer.exe > windows_media_player_y35s21-4ak.exe

Based on the parent-child relationships, which entry source is most likely?

Options:

A.

A remote service exploitation targeting a system process.

B.

A phishing attack where the user executed a malicious file from the desktop.

C.

A scheduled task running under the SYSTEM account.

D.

A supply chain attack targeting the Windows Boot manager.

Question 52

You receive an email from a third-party vendor that one of their services is compromised, and the vendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?

Options:

A.

IP Addresses

B.

Remote or Network Logon Activity

C.

Remote Access Graph

D.

Hash Executions

Question 53

Which of the following sentences best describes the primary use of 'Retrospective Analysis'?

Options:

A.

Identifying future threats using predictive AI models.

B.

Applying an investigative approach across historical timed buckets of telemetry to find past activity.

C.

Terminating a malicious process as it starts to execute.

D.

Recovering files that were encrypted by a ransomware attack.

Question 54

Which of the following is returned from the IP Search tool?

Options:

A.

IP Summary information from Falcon events containing the given IP

B.

Threat Graph Data for the given IP from Falcon sensors

C.

Unmanaged host data from system ARP tables for the given IP

D.

IP Detection Summary information for detection events containing the given IP

Question 55

The MITRE-Based Falcon Detections Framework is a core component of the Falcon UI. What is the primary operational advantage provided by this framework to a Tier 1 responder?

Options:

A.

It allows for the automated decryption of files affected by ransomware.

B.

It provides a standardized view of the attack lifecycle to help understand adversary behavior.

C.

It enables the sensor to block kernel-level drivers from unknown publishers.

D.

It provides a real-time count of the total number of files on the endpoint.

Question 56

A responder is looking at event telemetry and sees an event named 'ProcessRollup2'. Which sentence best describes what this event type represents?

Options:

A.

An existing process was terminated by the user.

B.

A new process was created and started on the endpoint.

C.

A process successfully established a network connection.

D.

A process modified a sensitive registry key.

Question 57

The Falcon sensor can take several automated actions to protect an endpoint. Which of the following is NOT an action that Falcon takes upon detection?

Options:

A.

Process Termination

B.

File Quarantine

C.

Process Restart

D.

Network Isolation

Question 58

If an organization is experiencing several false positives from a specific Machine Learning (ML) detection group and wants to create a tightly-scoped allowlist, which grouping should they use first?

Options:

A.

Group by Filename

B.

Group by Hash

C.

Group by Command Line

D.

Group by User

Question 59

How does a DNSRequest event link to its responsible process?

Options:

A.

Via both its ContextProcessId_decimal and ParentProcessId_decimal fields

B.

Via its ParentProcessId_decimal field

C.

Via its ContextProcessId_decimal field

D.

Via its TargetProcessId_decimal field
