CrowdStrike CCFR-201b CrowdStrike Certified Falcon Responder Exam Practice Test
CrowdStrike Certified Falcon Responder Questions and Answers
When analyzing the raw telemetry for a ' DNSRequest ' event, which of the following raw data fields is available to the responder?
In the Hash Search tool, which of the following is listed under Process Executions?
To ensure that a malicious file cannot be accidentally executed or accessed by other processes, how are quarantined files stored on the local endpoints?
In the full detection tree view, icons provide visual cues about the telemetry. What does the specific icon representing a ' Falcon ' (blue bird) indicate to the responder?
What actions are available for domain name-based Indicators of Compromise (IOCs) in Falcon?
Refer to the image.

You receive the detection displayed in the image above on a host in your environment.
Assuming you have the correct permissions, where would you navigate to remotely connect to the host and investigate further?
The Activity Dashboard is a core feature for security teams. What is the primary purpose of this dashboard?
Which of the following is returned from the IP Search tool?
An analyst needs to perform local sandbox analysis on a malicious file. When they download a quarantined file from the Falcon UI, what is the file format and the default password?
You are notified by a third-party that a program may have redirected traffic to a malicious domain. Which Falcon page will assist you in searching for any domain request information related to this notice?
A responder is using ' Host Search ' to gather baseline data on a machine. Which of the following pieces of information is NOT provided by the Host Search results?
What happens when a hash is allowlisted?
Falcon uses specific identifiers to track processes across the environment. Which of the following sentences best describes what the ' TargetProcessId_decimal ' raw data represents?
In the ' User Search - File Written ' section, a responder can see various files dropped by a user. Which of the following file types CANNOT be seen from this view?
What is an advantage of using the IP Search tool?
In the Falcon Overwatch Best Practice workflow, at what specific point is a responder encouraged to utilize OSINT (Open Source Intelligence) searches?
CrowdStrike supports various deployment types. What is a ' POD sensor ' ?
The ' Detection Resolutions ' dashboard helps track team performance. Which of the following CANNOT be seen from this dashboard?
A responder is looking at event telemetry and sees an event named ' ProcessRollup2 ' . Which sentence best describes what this event type represents?
What happens when a hash is set to Always Block through IOC Management?
Refer to the image.

You are using Advanced Event Search to find the event record for a suspicious network connection.
Using the Event List Interactions button for the event, indicated by the arrow in the image above, which option will show all contextual event data around the process execution being investigated?
Data retention is a key factor in retrospective hunting. How long will " Detection Related Events " be retained in the Falcon environment?
When a responder chooses to ' Release ' a file from quarantine because it was determined to be a false positive, what type of allowlist is automatically created in the background?
A responder needs to categorize an incident based on the high-level goals of the attacker. Which of the following lists correctly identifies the " Objectives " as they are natively defined and used within the Falcon platform?
Which option indicates a hash is allowlisted?
To perform a deep-dive investigation into a specific detection, a responder needs to pivot to a process timeline. What is the minimum information required to be gathered from the detection before making this pivot?
Which statement is TRUE regarding the " Bulk Domains " search?
A responder is focused on a specific malicious script and wants to see everything that the script ' s process did. Which timeline is the best tool for this task?
What happens when you open the full detection details?
When performing a ' Hash Search ' , which of the following is NOT a filter available for use?
A SOC Manager is reviewing the monthly efficiency of the incident response team. They are specifically analyzing how many alerts were handled by each individual analyst and the ratio of legitimate threats to noise to optimize staffing levels. While navigating the Detection Resolutions Dashboard, which of the following metrics would they NOT find, as it is primarily located within the Activity or Executive summary dashboards?
When using ' User Search ' to investigate a potentially compromised account, which of the following is NOT a filter available in the User Search?
What action is used when you want to save a prevention hash for later use?
An administrator needs to download a file for analysis that was blocked by the sensor. Where are quarantine files located within the Falcon UI?
Host Search is a powerful investigation tool. From which of the following sources is a responder most likely to pivot directly to a Host Search?
A responder needs to view a high-level overview of the environment ' s security posture. Where can they find the ' Activity Dashboard ' ?
Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?
What are Event Actions?
Following a detection involving a suspected ransomware binary, the Falcon sensor automatically takes a prevention action to prevent the file from executing. An analyst needs to retrieve this file for local sandbox analysis. Considering the default configuration, for how many days will this file remain stored in the encrypted quarantine folder on the local endpoint?
A responder is analyzing a MITRE-related alert and sees the technique ' Explore > Discovery > Cloud Service Dashboard ' . Which of the following scenarios best describes the technical activity associated with this technique?
When an analyst is trying to pinpoint the exact moment an endpoint came online after being shut down for the weekend, which timeline view is the best to use?
You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?
While reviewing the ' Detection Method ' field for a high-severity alert, a responder sees the label ' Post-Exploit ' . This terminology is used by CrowdStrike to identify a specific:
In various telemetry events like ' FileWrite ' or ' NetworkConnect ' , Falcon identifies the process that performed the action. Which field will always identify this " acting " process?
If a local administrator needs to inspect the quarantine directory directly on a machine, where are quarantine files located on a Windows Endpoint?
CrowdScore is a metric used to identify the severity of an ongoing incident. What percentage of increase in a CrowdScore is considered a strong indication of a coordinated attack?
You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the following?
Which of the following sentences best describes the primary use of ' Retrospective Analysis ' ?
The primary purpose for running a Hash Search is to:
The Falcon platform will show a maximum of how many detections per day for a single Agent Identifier (AID)?
The User Search results are organized into several categories. Which of the following is NOT a sub-heading in the User Search?
What types of events are returned by a Process Timeline?
An executive asks for a definition of ' CrowdScore ' . Which of the following sentences best describes what CrowdScore is?
Which of the following subtitles/sub-views cannot be seen in the results of a ' Hash Search ' ?
Refer to the image.

In the Full Detection View while viewing the Process Tree you see an attack outlined as in the image above.
Based on what you see, what happened during the attack?
In the " Full Detection Details " , which view will provide an exportable text listing of events like DNS requests. Registry Operations, and Network Operations?
A responder needs to find a specific sequence of network connections that did not trigger a detection. Which search tool allows them to search for anything within the raw telemetry?
Sensor Visibility Exclusion patterns are written in which syntax?
Refer to the image.

Within a Host Search, you have filtered for cmd.exe in the Process executions table and now need to pivot to a process timeline.
Which item in the table do you select to pivot to the Process Timeline?