
CrowdStrike CCFR-201b Dumps

Page: 1 / 20
Total 199 questions

CrowdStrike Certified Falcon Responder Questions and Answers

Question 1

When navigating the 'Custom IOA' creation wizard, a user must select a rule type. Which of the following is NOT a valid IOA rule type available for selection?

Options:

A.

Process Creation

B.

File Creation

C.

Domain Name

D.

Scheduled Task

Question 2

The Falcon console is divided into several modules. Timelines (Host and Process) are technically a part of which Falcon page?

Options:

A.

Activity

B.

Investigate

C.

Configuration

D.

Dashboards

Question 3

What does the Full Detection Details option provide?

Options:

A.

It provides a visualization of program ancestry via the Process Tree View

B.

It provides a visualization of program ancestry via the Process Activity View

C.

It provides detailed list of detection events via the Process Table View

D.

It provides a detailed list of detection events via the Process Tree View

Question 4

During the triage of a detection involving a newly created persistent task, which specific indicator is most important for a responder to identify the actual intent of the service?

Options:

A.

The total CPU usage of the parent process.

B.

The command-line arguments used during the task creation.

C.

The Agent ID (AID) of the host where the detection fired.

D.

The physical location of the endpoint in the office.

Question 5

To maintain a logical flow during an incident post-mortem, CrowdStrike recommends describing adversary activity using a specific three-part sentence structure. Which combination best completes this sentence: "The adversary was trying to [1], by [2], using [3]"?

Options:

A.

<Technique>, <Tactic>, <Objective>

B.

<Objective>, <Tactic>, <Technique>

C.

<Objective>, <Technique>, <Tactic>

D.

<Tactic>, <Objective>, <Technique>

Question 6

What action is needed to ensure Falcon does not block or generate a detection for a process by using the file hash?

Options:

A.

Create a Custom IOC with an action of allow for the hash

B.

Create a Machine Learning Exclusion with an action of allow for the hash

C.

Create a Custom IOA with an action of allow for the hash

D.

Create an IOA Exclusion with an action of allow for the hash

Question 7

When an organization needs to detect a specific behavior that is unique to their environment, they can create a Custom IOA. Which of the following is NOT required when configuring a custom IOA from scratch?

Options:

A.

Selecting a Rule Type (e.g., Process Creation).

B.

Specifying the Severity level of the resulting detection.

C.

Assigning a specific host group to the IOA rule at the time of creation.

D.

Providing a unique name for the rule.

Question 8

Executive dashboards provide a high-level view of security. Which of the following CANNOT be seen from the Executive Summary Dashboard?

Options:

A.

Detections broken down by Tactic.

B.

A breakdown of Agent Versions across the fleet.

C.

The top 10 hosts with the most detections.

D.

The organization’s current CrowdScore trend.

Question 9

Which specific event type in the Falcon telemetry is associated with the creation of a new 'TargetProcessId_decimal'?

Options:

A.

ProcessRollup2

B.

FileCreation

C.

NetworkConnect

D.

RegistryUpdate

Question 10

Which statement is TRUE regarding the "Bulk Domains" search?

Options:

A.

It will show a list of computers and processes that performed a lookup of any of the domains in your search

B.

The "Bulk Domains" search will allow you to blocklist your queried domains

C.

The "Bulk Domains" search will show IP address and port information for any associated connections

D.

You should only pivot to the "Bulk Domains" search tool after completing an investigation

Question 11

An executive asks for a definition of 'CrowdScore'. Which of the following sentences best describes what CrowdScore is?

Options:

A.

It is a ranking system that compares your organization’s security to other companies.

B.

It is a metric designed to show an organization's threat level on a continual basis by aggregating related detections.

C.

It is the total number of detections that have been resolved within the last 24 hours.

D.

It is a measure of the total processing power being used by the Falcon sensors globally.

Question 12

While the host timeline is comprehensive, some data is not included in that specific view. Which of the following CANNOT be seen directly from the host timeline?

Options:

A.

Timestamp

B.

Event Name

C.

PID (Process ID)

D.

CPU Temperature

Question 13

You receive an email from a third-party vendor that one of their services is compromised; the vendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?

Options:

A.

IP Addresses

B.

Remote or Network Logon Activity

C.

Remote Access Graph

D.

Hash Executions

Question 14

When a responder is looking at the 'Full Detection Details' page, they can toggle between several views. Which of the following is NOT a layout option available for viewing these details?

Options:

A.

Graph View

B.

Tree View

C.

Process Timeline

D.

List View

Question 15

What are Event Actions?

Options:

A.

Automated searches that can be used to pivot between related events and searches

B.

Pivotable hyperlinks available in a Host Search

C.

Custom event data queries bookmarked by the currently signed in Falcon user

D.

Raw Falcon event data

Question 16

CrowdStrike supports various deployment types. What is a 'POD sensor'?

Options:

A.

A sensor specifically designed for mobile devices (iOS/Android).

B.

A sensor that is installed directly on a Kubernetes or Docker host to monitor containers.

C.

A legacy sensor used only for disconnected or air-gapped systems.

D.

A physical appliance that sits on the network to monitor traffic.

Question 17

Responders often use Process Explorer to visualize process behavior. Which of the following is NOT a valid way to pivot to a Process Explorer view?

Options:

A.

From Detection > Top Right Drop Down > View as Process Activity

B.

From Configuration > Prevention Policies > View Process Explorer

C.

From Event Search > Click on a specific Process ID

D.

From Host Search > Processes and Services list

Question 18

What types of events are returned by a Process Timeline?

Options:

A.

Only detection events

B.

All cloudable events

C.

Only process events

D.

Only network events

Question 19

What is an advantage of using a Process Timeline?

Options:

A.

Process related events can be filtered to display specific event types

B.

Suspicious processes are color-coded based on their frequency and legitimacy over time

C.

Processes responsible for spikes in CPU performance are displayed over time

D.

A visual representation of Parent-Child and Sibling process relationships is provided

Question 20

When viewing the summary list on the 'Endpoint Detections' page, an analyst sees a column for the timestamp. What does the timestamp in this specific summary view represent?

Options:

A.

The exact time the Falcon sensor was first installed on the host.

B.

The timestamp of the last activity recorded for that specific detection.

C.

The time the detection was first assigned to a human analyst.

D.

The file creation time for the primary process involved in the alert.

Question 21

Which of the following sentences best describes the technical visibility provided by the 'Host Timeline' view?

Options:

A.

A list of every time a user has logged in or out of the machine.

B.

Every host-relevant event (Process, File, Registry, Network) recorded in a given timeframe.

C.

A history of every hardware change or driver update on the endpoint.

D.

A log of every time the Falcon sensor was updated or restarted.

Question 22

When managing files within the 'Quarantined Files' dashboard, which of the following is NOT a valid action available to the responder?

Options:

A.

Release

B.

Download

C.

Investigate

D.

Delete

Question 23

If a local administrator needs to inspect the quarantine directory directly on a machine, where are quarantined files located on a Windows endpoint?

Options:

A.

C:\Temp\CrowdStrike\Quarantine

B.

C:\Windows\System32\Drivers\CrowdStrike\Quarantine

C.

C:\Program Files\CrowdStrike\Quarantine

D.

C:\Users\Public\CrowdStrike\Quarantine

Question 24

While examining the 'Process Details' sidebar of a detection, a responder sees the following icons: "25 Network Operations" and "277 Disk Operations". What does this contextual data represent?

Options:

A.

The percentage of the CPU being consumed by the network and disk.

B.

The specific number of telemetry events recorded for network and disk activity by that process.

C.

The total size in megabytes of the data sent over the network and written to disk.

D.

The number of other hosts that have seen similar network and disk activity.

Question 25

How long are quarantined files stored in the CrowdStrike Cloud?

Options:

A.

45 Days

B.

90 Days

C.

Days

D.

Quarantined files are not deleted

Question 26

CrowdStrike provides 'Overwatch Best Practices' for triaging alerts. According to these guidelines, what is the next step a responder should take immediately after the 'Understand the detection' step?

Options:

A.

Isolate the host from the network.

B.

Review the process tree to understand the origin of the activity.

C.

Perform an OSINT search for the suspicious hash.

D.

Resolve the detection as a True Positive.

Question 27

Responders must understand the limitations and capabilities of custom rules. Which of the following statements about custom IOAs is FALSE?

Options:

A.

They can be used to monitor or block specific command-line strings.

B.

A Custom IOA rule group can only be applied to one single prevention policy.

C.

They can generate 'Informational' detections if set to the 'Monitor' action.

D.

They allow for pattern matching using wildcards or specific strings.

Question 28

What information is contained within a Process Timeline?

Options:

A.

All cloudable process-related events within a given timeframe

B.

All cloudable events for a specific host

C.

Only detection process-related events within a given timeframe

D.

A view of activities on Mac or Linux hosts

Question 29

In the Falcon console, detections can be automated or manual. Which of the following options represents a manual detection?

Options:

A.

A detection triggered by the Machine Learning engine.

B.

A Falcon Overwatch-pushed detection.

C.

A detection based on a Custom IOA.

D.

A detection matched against a known Intelligence IOC.

Question 30

To understand how a threat moved on a system, a responder must know the role of common processes. Which of the following statements best describes the standard functionality of explorer.exe?

Options:

A.

It is a system process responsible for the Local Security Authority subsystem.

B.

It is the primary process responsible for the File Explorer UI and the user's desktop environment.

C.

It is the Windows Command Processor used for executing batch files.

D.

It is the service control manager that handles the starting of background tasks.

Question 31

A responder is explaining the quarantine process to a system administrator. What happens technically when a file is quarantined by the Falcon sensor?

Options:

A.

It is deleted from the disk and a log is sent to the cloud.

B.

It is moved to the CrowdStrike Cloud and removed from the local host immediately.

C.

It is compressed, password protected, and moved to the Quarantine folder on the endpoint.

D.

It is renamed to a .tmp extension and moved to the Windows Recycle Bin.

Question 32

What do IOA exclusions help you achieve?

Options:

A.

Reduce false positives based on Next-Gen Antivirus settings in the Prevention Policy

B.

Reduce false positives of behavioral detections from IOA based detections only

C.

Reduce false positives of behavioral detections from IOA based detections based on a file hash

D.

Reduce false positives of behavioral detections from Custom IOA and OverWatch detections only

Question 33

To track the relationship between a parent and its child, Falcon uses specific ID fields. What raw data is used as the ' ParentProcessId_decimal ' when a process spawns a child process?

Options:

A.

The Operating System PID of the parent.

B.

The TargetProcessId_decimal of the parent process.

C.

The ContextProcessId_decimal of the system.

D.

The RootProcessId_decimal of the entire tree.

Question 34

After pivoting to an event search from a detection, you locate the ProcessRollup2 event. Which two field values are you required to obtain to perform a Process Timeline search so you can determine what the process was doing?

Options:

A.

SHA256 and TargetProcessId_decimal

B.

SHA256 and ParentProcessId_decimal

C.

aid and ParentProcessId_decimal

D.

aid and TargetProcessId_decimal

Question 35

When a responder chooses to ' Release ' a file from quarantine because it was determined to be a false positive, what type of allowlist is automatically created in the background?

Options:

A.

Filename-based allowlist

B.

Hash-based allowlist

C.

Path-based allowlist

D.

Command-line allowlist

Question 36

By default, when a file is quarantined by the Falcon sensor to prevent execution, how many days does that file remain on the host's local disk?

Options:

A.

7 days

B.

14 days

C.

30 days

D.

90 days

Question 37

When examining raw event data, what is the purpose of the field called ParentProcessId_decimal?

Options:

A.

It contains an internal value not useful for an investigation

B.

It contains the TargetProcessId_decimal value of the child process

C.

It contains the SensorId_decimal value for related events

D.

It contains the TargetProcessId_decimal of the parent process

Question 38

When an analyst downloads a quarantined file from the Falcon UI for offline analysis, what is the specific file format and the required password for extraction?

Options:

A.

The file is downloaded as a 7-zip archive and requires the password 'infected' for extraction.

B.

The file is downloaded in its raw binary format without any encryption or compression.

C.

The file is downloaded as a standard ZIP archive but does not require a password to open.

D.

The file is downloaded as an encrypted .exe that can only be opened by a CrowdStrike sensor.

Question 39

Where can you find hosts that are in Reduced Functionality Mode?

Options:

A.

Event Search

B.

Executive Summary dashboard

C.

Host Search

D.

Installation Tokens

Question 40

A responder needs to view a high-level overview of the environment's security posture. Where can they find the 'Activity Dashboard'?

Options:

A.

Investigate > Activity Dashboard

B.

Endpoint Security > Monitor > Activity Dashboard

C.

Configuration > General > Activity Dashboard

D.

Support > Analytics > Activity Dashboard

Question 41

When navigating the main 'Detections' page, several filters are available in the dropdown menu. Which of the following is NOT a filter available in this menu?

Options:

A.

Severity

B.

Tactic

C.

Location tag

D.

Status

Question 42

The Activity Dashboard is a core feature for security teams. What is the primary purpose of this dashboard?

Options:

A.

To manage the installation and update of Falcon sensors.

B.

To provide a summary of the current threat state and active detections in the environment.

C.

To view the raw telemetry of every event happening on the network.

D.

To audit the changes made by other Falcon administrators.

Question 43

In the Falcon Overwatch Best Practice workflow, at what specific point is a responder encouraged to utilize OSINT (Open Source Intelligence) searches?

Options:

A.

During the 'Understand the detection' phase.

B.

During the 'Understand process(es) involved' phase.

C.

During the 'Examine what is normal for the system' phase.

D.

After the incident has been fully remediated.

Question 44

What happens when you open the full detection details?

Options:

A.

The process explorer opens and the detection is removed from the console

B.

The process explorer opens and you're able to view the processes and process relationships

C.

The process explorer opens and the detection copies to the clipboard

D.

The process explorer opens and the Event Search query is run for the detection

Question 45

Which Executive Summary dashboard item indicates sensors running with unsupported versions?

Options:

A.

Detections by Severity

B.

Inactive Sensors

C.

Sensors in RFM

D.

Active Sensors

Question 46

CrowdScore is a metric used to identify the severity of an ongoing incident. What percentage of increase in a CrowdScore is considered a strong indication of a coordinated attack?

Options:

A.

10%

B.

20%

C.

50%

D.

100%

Question 47

The 'Detection Resolutions' dashboard helps track team performance. Which of the following CANNOT be seen from this dashboard?

Options:

A.

Average time to resolve a detection.

B.

Total number of detections resolved by each analyst.

C.

The top 10 hosts/users/files with the most detections.

D.

The breakdown of True Positive vs. False Positive resolutions.

Question 48

Which of the following sentences best describes the primary objective of 'Real-time Analysis' within the Falcon platform?

Options:

A.

Analyzing historical logs from the past 90 days to find missed threats.

B.

Investigating incoming telemetry in real time or on a near real-time basis to catch active threats.

C.

Scanning every file on a hard drive once per week for dormant viruses.

D.

Manually updating the Falcon sensor on every machine in the fleet.

Question 49

The Falcon sensor can automatically upload quarantined files to the CrowdStrike Cloud for further analysis. What is the maximum size allowed for a quarantined file to be uploaded?

Options:

A.

10MB

B.

32MB

C.

64MB

D.

128MB

Question 50

While most searches are accessible from a detection, some require a manual jump. Which search is not available as a direct pivot from a detection?

Options:

A.

Host Search

B.

Hash Search

C.

User Search

D.

IP Search

Question 51

The MITRE-Based Falcon Detections Framework is a core component of the Falcon UI. What is the primary operational advantage provided by this framework to a Tier 1 responder?

Options:

A.

It allows for the automated decryption of files affected by ransomware.

B.

It provides a standardized view of the attack lifecycle to help understand adversary behavior.

C.

It enables the sensor to block kernel-level drivers from unknown publishers.

D.

It provides a real-time count of the total number of files on the endpoint.

Question 52

The Bulk Domain Search tool contains Domain information along with which of the following?

Options:

A.

Process Information

B.

Port Information

C.

IP Lookup Information

D.

Threat Actor Information

Question 53

When looking at the details of a detection, there are two fields called Global Prevalence and Local Prevalence. Which answer best defines Local Prevalence?

Options:

A.

Local prevalence is the frequency with which the hash of the triggering file is seen across the entire Internet

B.

Local Prevalence tells you how common the hash of the triggering file is within your environment (CID)

C.

Local Prevalence is the Virus Total score for the hash of the triggering file

D.

Local prevalence is the frequency with which the hash of the triggering file is seen across all CrowdStrike customer environments

Question 54

You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the following?

Options:

A.

ProcessTimeline Link

B.

PID

C.

UTCtime

D.

Process ID or Parent Process ID

Question 55

What is the difference between a Host Search and a Host Timeline?

Options:

A.

Results from a Host Search return information in an organized view by type, while a Host Timeline returns a view of all events recorded by the sensor

B.

A Host Timeline only includes process execution events and user account activity

C.

Results from a Host Timeline include process executions and related events organized by data type. A Host Search returns a temporal view of all events for the given host

D.

There is no difference - Host Search and Host Timeline are different names for the same search page

Question 56

When an analyst is trying to pinpoint the exact moment an endpoint came online after being shut down for the weekend, which timeline view is the best to use?

Options:

A.

Process Timeline

B.

Host Timeline

C.

User Timeline

D.

Network Timeline

Question 57

In the context of raw event searching, the term 'ProcessRollup2' refers to a value within which field?

Options:

A.

event_type

B.

event_simpleName

C.

action_id

D.

process_status
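Questions 9, 33, 34, 37 and 57 all turn on the same three raw-event fields: a ProcessRollup2 event (event_simpleName) introduces a TargetProcessId_decimal, a child's ParentProcessId_decimal holds its parent's TargetProcessId_decimal, and a Process Timeline search needs aid plus TargetProcessId_decimal. The script below is an added example, not part of the question bank and not CrowdStrike code: it stitches those fields into a process tree the way the Process Explorer view does, and joins non-process events (here DnsRequest) back to their process through ContextProcessId_decimal. The event records, aids, IDs, paths and domain are constructed samples shaped like event-search results.

```python
# Added example (not from the question bank or from CrowdStrike): link raw
# Falcon ProcessRollup2 events into a process tree using only the fields the
# questions name. SAMPLE_EVENTS are constructed records; every value is made up.
from collections import defaultdict

SAMPLE_EVENTS = [
    # Host A. ParentProcessId_decimal 900 is absent from the sample, so
    # explorer.exe is the root of the tree we can reconstruct.
    {"event_simpleName": "ProcessRollup2", "aid": "aaaa0001",
     "TargetProcessId_decimal": "1000", "ParentProcessId_decimal": "900",
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\explorer.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "aaaa0001",
     "TargetProcessId_decimal": "1001", "ParentProcessId_decimal": "1000",
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\cmd.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "aaaa0001",
     "TargetProcessId_decimal": "1002", "ParentProcessId_decimal": "1001",
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\schtasks.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "aaaa0001",
     "TargetProcessId_decimal": "1003", "ParentProcessId_decimal": "1000",
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # A non-process event: its ContextProcessId_decimal is the
    # TargetProcessId_decimal of the process responsible for it.
    {"event_simpleName": "DnsRequest", "aid": "aaaa0001",
     "ContextProcessId_decimal": "1003", "DomainName": "example.invalid"},
    # Host B reuses the numeric ID 1001. TargetProcessId_decimal is only
    # unique per sensor, so every join below also matches on aid.
    {"event_simpleName": "ProcessRollup2", "aid": "bbbb0002",
     "TargetProcessId_decimal": "1001", "ParentProcessId_decimal": "500",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\svchost.exe"},
    {"event_simpleName": "DnsRequest", "aid": "bbbb0002",
     "ContextProcessId_decimal": "1001", "DomainName": "example.invalid"},
]


def basename(image_file_name):
    """Last path component of a Windows-style ImageFileName."""
    return image_file_name.rsplit("\\", 1)[-1]


def timeline_key(event):
    """The pair a Process Timeline search needs: aid and TargetProcessId_decimal."""
    return (event["aid"], event["TargetProcessId_decimal"])


def build_process_index(events):
    """Index ProcessRollup2 events by (aid, TargetProcessId_decimal).

    Only event_simpleName == "ProcessRollup2" is kept: that is the event that
    introduces a TargetProcessId_decimal; other events refer back to it.
    """
    return {timeline_key(ev): ev for ev in events
            if ev.get("event_simpleName") == "ProcessRollup2"}


def build_children(index):
    """Map a parent's (aid, TargetProcessId_decimal) to its children's keys."""
    children = defaultdict(list)
    for (aid, _), ev in index.items():
        children[(aid, ev["ParentProcessId_decimal"])].append(timeline_key(ev))
    return children


def ancestry(index, aid, target_pid):
    """Walk from a process up to its root.

    ParentProcessId_decimal holds the parent's TargetProcessId_decimal, so the
    next lookup key is (aid, ParentProcessId_decimal). Stops at the first
    parent not present in the data.
    """
    chain, key, seen = [], (aid, target_pid), set()
    while key in index and key not in seen:
        seen.add(key)  # guard against malformed cyclic data
        chain.append(basename(index[key]["ImageFileName"]))
        key = (aid, index[key]["ParentProcessId_decimal"])
    return chain


def children_names(index, aid, target_pid):
    """Sorted image names of the direct children of one process."""
    return sorted(basename(index[k]["ImageFileName"])
                  for k in build_children(index)[(aid, target_pid)])


def attribute_context_events(index, events):
    """Join non-process events to their process via ContextProcessId_decimal.

    Returns (aid, event_simpleName, image name or None if the process is unknown).
    """
    out = []
    for ev in events:
        if ev.get("event_simpleName") == "ProcessRollup2":
            continue
        proc = index.get((ev["aid"], ev["ContextProcessId_decimal"]))
        out.append((ev["aid"], ev["event_simpleName"],
                    basename(proc["ImageFileName"]) if proc else None))
    return out


if __name__ == "__main__":
    idx = build_process_index(SAMPLE_EVENTS)
    for key in idx:
        print(" <- ".join(ancestry(idx, *key)), "| timeline key:", key)
    print(attribute_context_events(idx, SAMPLE_EVENTS))
```

The point of the second host is the one that bites in real event searches: a bare TargetProcessId_decimal is not unique across the fleet, so a Process Timeline or a parent/child join that omits aid can silently stitch together processes from different machines.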

Question 58

While reviewing the 'Detection Method' field for a high-severity alert, a responder sees the label 'Post-Exploit'. This terminology is used by CrowdStrike to identify a specific:

Options:

A.

Falcon Detection Method

B.

MITRE Tactic

C.

Indicator of Attack (IOA)

D.

Prevention Policy Level

Question 59

What must be true about a custom script before it can be executed from within a Fusion SOAR Workflow?

Options:

A.

The Response Policy must allow for the execution of Workflows

B.

The script must exist on the host locally

C.

The script must contain input and output JSON fields

D.

The Share with workflows option must be enabled for the custom script
