
CrowdStrike CCFR-201b CrowdStrike Certified Falcon Responder Exam Practice Test

Page: 1 / 20
Total 199 questions

CrowdStrike Certified Falcon Responder Questions and Answers

Question 1

When analyzing the raw telemetry for a 'DNSRequest' event, which of the following raw data fields is available to the responder?

Options:

A.

browser_type

B.

index

C.

cpu_usage_percent

D.

monitor_mode

Question 2

In the Hash Search tool, which of the following is listed under Process Executions?

Options:

A.

Operating System

B.

File Signature

C.

Command Line

D.

Sensor Version

Question 3

To ensure that a malicious file cannot be accidentally executed or accessed by other processes, how are quarantined files stored on the local endpoints?

Options:

A.

They are hidden within the Windows System32 directory.

B.

They are stored in an encrypted format.

C.

They are renamed with a random 32-character extension.

D.

They are moved to a password-protected ZIP file on the desktop.

Question 4

In the full detection tree view, icons provide visual cues about the telemetry. What does the specific icon representing a 'Falcon' (blue bird) indicate to the responder?

Options:

A.

The file has been successfully quarantined by the sensor.

B.

There is related Intelligence (Intel) data available for this detection.

C.

The process has been identified as a legitimate system file.

D.

The host is currently undergoing a remote live response session.

Question 5

What actions are available for domain name-based Indicators of Compromise (IOCs) in Falcon?

Options:

A.

Detect only

Allow

B.

Block

Detect only

Allow

C.

Block

Allow

No action

D.

Detect only

No action

Question 6

Refer to the image for Question 6 (the image is not reproduced here).

You receive the detection displayed in the image above on a host in your environment.

Assuming you have the correct permissions, where would you navigate to remotely connect to the host and investigate further?

Options:

A.

Investigate > Connect to host

B.

View Incident > Connect to host

C.

Actions > Connect to host

Question 7

The Activity Dashboard is a core feature for security teams. What is the primary purpose of this dashboard?

Options:

A.

To manage the installation and update of Falcon sensors.

B.

To provide a summary of the current threat state and active detections in the environment.

C.

To view the raw telemetry of every event happening on the network.

D.

To audit the changes made by other Falcon administrators.

Question 8

Which of the following is returned from the IP Search tool?

Options:

A.

IP Summary information from Falcon events containing the given IP

B.

Threat Graph Data for the given IP from Falcon sensors

C.

Unmanaged host data from system ARP tables for the given IP

D.

IP Detection Summary information for detection events containing the given IP

Question 9

An analyst needs to perform local sandbox analysis on a malicious file. When they download a quarantined file from the Falcon UI, what is the file format and the default password?

Options:

A.

.zip, password: crowdstrike

B.

.7-zip, password: infected

C.

.rar, password: malware

D.

.exe, no password

Question 10

You are notified by a third-party that a program may have redirected traffic to a malicious domain. Which Falcon page will assist you in searching for any domain request information related to this notice?

Options:

A.

Falcon X

B.

Investigate

C.

Discover

D.

Spotlight

Question 11

A responder is using 'Host Search' to gather baseline data on a machine. Which of the following pieces of information is NOT provided by the Host Search results?

Options:

A.

List of running services and drivers.

B.

Macro Execution History for Microsoft Office products.

C.

Recent network connections and IP addresses.

D.

List of local user accounts and administrators.

Question 12

What happens when a hash is allowlisted?

Options:

A.

Execution is prevented, but detection alerts are suppressed

B.

Execution is allowed on all hosts, including all other Falcon customers

C.

The hash is submitted for approval to be allowed to execute once confirmed by Falcon specialists

D.

Execution is allowed on all hosts that fall under the organization's CID

Question 13

Falcon uses specific identifiers to track processes across the environment. Which of the following sentences best describes what the 'TargetProcessId_decimal' raw data represents?

Options:

A.

The standard Process ID (PID) assigned by the Windows operating system.

B.

A sensor-assigned decimal number that is unique for each process across time and hosts.

C.

The memory address where the process’s executable is loaded.

D.

The total number of seconds the process has been running.

Question 14

In the 'User Search - File Written' section, a responder can see various files dropped by a user. Which of the following file types CANNOT be seen from this view?

Options:

A.

Scripts (.ps1, .sh)

B.

Executables (.exe)

C.

Executions (Process starts)

D.

Archive files (.zip, .7z)

Question 15

What is an advantage of using the IP Search tool?

Options:

A.

IP searches provide manufacturer and timezone data that cannot be accessed anywhere else

B.

IP searches allow for multiple comma separated IPv6 addresses as input

C.

IP searches offer shortcuts to launch response actions and network containment on target hosts

D.

IP searches provide host, process, and organizational unit data without the need to write a query

Question 16

In the Falcon OverWatch Best Practice workflow, at what specific point is a responder encouraged to utilize OSINT (Open Source Intelligence) searches?

Options:

A.

During the 'Understand the detection' phase.

B.

During the 'Understand process(es) involved' phase.

C.

During the 'Examine what is normal for the system' phase.

D.

After the incident has been fully remediated.

Question 17

CrowdStrike supports various deployment types. What is a 'POD sensor'?

Options:

A.

A sensor specifically designed for mobile devices (iOS/Android).

B.

A sensor that is installed directly on a Kubernetes or Docker host to monitor containers.

C.

A legacy sensor used only for disconnected or air-gapped systems.

D.

A physical appliance that sits on the network to monitor traffic.

Question 18

The 'Detection Resolutions' dashboard helps track team performance. Which of the following CANNOT be seen from this dashboard?

Options:

A.

Average time to resolve a detection.

B.

Total number of detections resolved by each analyst.

C.

The top 10 hosts/users/files with the most detections.

D.

The breakdown of True Positive vs. False Positive resolutions.

Question 19

A responder is looking at event telemetry and sees an event named 'ProcessRollup2'. Which sentence best describes what this event type represents?

Options:

A.

An existing process was terminated by the user.

B.

A new process was created and started on the endpoint.

C.

A process successfully established a network connection.

D.

A process modified a sensitive registry key.

Question 20

What happens when a hash is set to Always Block through IOC Management?

Options:

A.

Execution is prevented on all hosts by default

B.

Execution is prevented on selected host groups

C.

Execution is prevented and detection alerts are suppressed

D.

The hash is submitted for approval to be blocked from execution once confirmed by Falcon specialists

Question 21

Refer to the image for Question 21 (the image is not reproduced here).

You are using Advanced Event Search to find the event record for a suspicious network connection.

Using the Event List Interactions button for the event, indicated by the arrow in the image above, which option will show all contextual event data around the process execution being investigated?

Options:

A.

Show Responsible Process Data

B.

Inspect

C.

Show +/- 10-minute windows of events

D.

Investigate Host

Question 22

Data retention is a key factor in retrospective hunting. How long will "Detection Related Events" be retained in the Falcon environment?

Options:

A.

30 days

B.

60 days

C.

90 days

D.

1 year

Question 23

When a responder chooses to 'Release' a file from quarantine because it was determined to be a false positive, what type of allowlist is automatically created in the background?

Options:

A.

Filename-based allowlist

B.

Hash-based allowlist

C.

Path-based allowlist

D.

Command-line allowlist

Question 24

A responder needs to categorize an incident based on the high-level goals of the attacker. Which of the following lists correctly identifies the "Objectives" as they are natively defined and used within the Falcon platform?

Options:

A.

Explore, Keep Access, Gain Access, Falcon Detection Method, Contact Controlled systems, Follow Through

B.

Reconnaissance, Delivery, Weaponization, Exploitation, Installation, Command and Control

C.

Identify, Protect, Detect, Respond, Recover, Lessons Learned

D.

Triage, Containment, Remediation, Eradication, Reporting, Recovery

Question 25

Which option indicates a hash is allowlisted?

Options:

A.

No Action

B.

Allow

C.

Ignore

D.

Always Block

Question 26

To perform a deep-dive investigation into a specific detection, a responder needs to pivot to a process timeline. What is the minimum information required to be gathered from the detection before making this pivot?

Options:

A.

The External IP and the Username of the logged-in user.

B.

The Agent ID (AID) and the Target Process ID (TargetProcessId_decimal).

C.

The MAC Address of the host and the SHA256 hash of the file.

D.

The Policy ID and the timestamp of the first event.

Question 27

Which statement is TRUE regarding the "Bulk Domains" search?

Options:

A.

It will show a list of computers and processes that performed a lookup of any of the domains in your search

B.

The "Bulk Domains" search will allow you to blocklist your queried domains

C.

The "Bulk Domains" search will show IP address and port information for any associated connections

D.

You should only pivot to the "Bulk Domains" search tool after completing an investigation

Question 28

A responder is focused on a specific malicious script and wants to see everything that the script's process did. Which timeline is the best tool for this task?

Options:

A.

Host Timeline

B.

Process Timeline

C.

User Timeline

D.

Administrative Timeline

Question 29

What happens when you open the full detection details?

Options:

A.

The process explorer opens and the detection is removed from the console

B.

The process explorer opens and you're able to view the processes and process relationships

C.

The process explorer opens and the detection copies to the clipboard

D.

The process explorer opens and the Event Search query is run for the detection

Question 30

When performing a 'Hash Search', which of the following is NOT a filter available for use?

Options:

A.

SHA256

B.

MD5

C.

File Type

D.

Filename

Question 31

A SOC Manager is reviewing the monthly efficiency of the incident response team. They are specifically analyzing how many alerts were handled by each individual analyst and the ratio of legitimate threats to noise to optimize staffing levels. While navigating the Detection Resolutions Dashboard, which of the following metrics would they NOT find, as it is primarily located within the Activity or Executive summary dashboards?

Options:

A.

Detections by user (Analyst performance)

B.

Total Detections by Host

C.

Total count of False Positives

D.

Detection resolution status breakdown

Question 32

When using 'User Search' to investigate a potentially compromised account, which of the following is NOT a filter available in the User Search?

Options:

A.

Username

B.

Hostname

C.

Process ID

D.

Time Range

Question 33

What action is used when you want to save a prevention hash for later use?

Options:

A.

Always Block

B.

Never Block

C.

Always Allow

D.

No Action

Question 34

An administrator needs to download a file for analysis that was blocked by the sensor. Where are quarantine files located within the Falcon UI?

Options:

A.

Investigate > Quarantine

B.

Endpoint Security > Monitor > Quarantined Files

C.

Configuration > Response > Quarantine

D.

Dashboards > Security > Quarantine

Question 35

Host Search is a powerful investigation tool. From which of the following sources is a responder most likely to pivot directly to a Host Search?

Options:

A.

A global intelligence report about a new adversary.

B.

A specific detection that occurred on a particular host.

C.

The main settings menu of the Falcon console.

D.

The help documentation in the Support portal.

Question 36

A responder needs to view a high-level overview of the environment's security posture. Where can they find the 'Activity Dashboard'?

Options:

A.

Investigate > Activity Dashboard

B.

Endpoint Security > Monitor > Activity Dashboard

C.

Configuration > General > Activity Dashboard

D.

Support > Analytics > Activity Dashboard

Question 37

Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?

Options:

A.

You can't export detailed event data from a detection; you have to use the Process Timeline or an Event Search

B.

In Full Detection Details, you expand the desired nodes of the process tree and then click the "Export Process Events" button

C.

In Full Detection Details, you choose the "View Process Activity" option and then export from that view

D.

From the Detections Dashboard, you right-click the event type you wish to export and choose CSV, JSON or XML

Question 38

What are Event Actions?

Options:

A.

Automated searches that can be used to pivot between related events and searches

B.

Pivotable hyperlinks available in a Host Search

C.

Custom event data queries bookmarked by the currently signed in Falcon user

D.

Raw Falcon event data

Question 39

Following a detection involving a suspected ransomware binary, the Falcon sensor automatically takes a prevention action to prevent the file from executing. An analyst needs to retrieve this file for local sandbox analysis. Considering the default configuration, for how many days will this file remain stored in the encrypted quarantine folder on the local endpoint?

Options:

A.

7 days

B.

14 days

C.

30 days

D.

90 days

Question 40

A responder is analyzing a MITRE-related alert and sees the technique 'Explore > Discovery > Cloud Service Dashboard'. Which of the following scenarios best describes the technical activity associated with this technique?

Options:

A.

An adversary uses an automated script to bruteforce S3 bucket permissions.

B.

An adversary uses a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment.

C.

An adversary executes an API call to terminate all running EC2 instances in a region.

D.

An adversary deploys a crypto-miner inside a compromised Docker container.

Question 41

When an analyst is trying to pinpoint the exact moment an endpoint came online after being shut down for the weekend, which timeline view is the best to use?

Options:

A.

Process Timeline

B.

Host Timeline

C.

User Timeline

D.

Network Timeline

Question 42

You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?

Options:

A.

Identifies a detailed list of all process executions for the specified hashes

B.

Identifies hosts that loaded or executed the specified hashes

C.

Identifies users associated with the specified hashes

D.

Identifies detections related to the specified hashes

Question 43

While reviewing the 'Detection Method' field for a high-severity alert, a responder sees the label 'Post-Exploit'. This terminology is used by CrowdStrike to identify a specific:

Options:

A.

Falcon Detection Method

B.

MITRE Tactic

C.

Indicator of Attack (IOA)

D.

Prevention Policy Level

Question 44

In various telemetry events like 'FileWrite' or 'NetworkConnect', Falcon identifies the process that performed the action. Which field will always identify this "acting" process?

Options:

A.

ContextProcessId_decimal

B.

TargetProcessId_decimal

C.

ParentProcessId_decimal

D.

OwnerProcessId_decimal
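The pivot that Questions 13, 26 and 44 exercise, shown as an added worked example (this is not part of the question bank and not CrowdStrike code). It assumes the field semantics documented in the Falcon event data dictionary: a ProcessRollup2 event's TargetProcessId_decimal is a sensor-assigned ID unique across hosts and time, RawProcessId_decimal is the operating-system PID, and child events such as DnsRequest and NetworkConnectIP4 name the acting process in ContextProcessId_decimal. All telemetry below is constructed; the aid values, IDs, domains and addresses are made up, and timestamps are epoch seconds for readability.

```python
"""Pivot from a detection to a process timeline using Falcon process identifiers.

Added example, not part of the question bank or CrowdStrike's own code.
Assumed semantics (from the Falcon event data dictionary):
  - ProcessRollup2.TargetProcessId_decimal: sensor-assigned, unique across hosts/time
  - ProcessRollup2.RawProcessId_decimal:    the OS PID (reused across hosts/reboots)
  - child events (DnsRequest, NetworkConnectIP4, ...): acting process is in
    ContextProcessId_decimal and matches the rollup's TargetProcessId_decimal
The events below are constructed sample data, not real telemetry.
"""
from datetime import datetime, timezone

# Constructed sample: two hosts (aid a1, a2) that happen to reuse OS PID 4321.
EVENTS = [
    {"aid": "a1", "event_simpleName": "ProcessRollup2", "timestamp": 1700000000,
     "TargetProcessId_decimal": 100101, "ParentProcessId_decimal": 100050,
     "RawProcessId_decimal": 4321,
     "ImageFileName": r"\Device\HarddiskVolume1\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"aid": "a1", "event_simpleName": "DnsRequest", "timestamp": 1700000005,
     "ContextProcessId_decimal": 100101, "DomainName": "example.test"},
    {"aid": "a1", "event_simpleName": "NetworkConnectIP4", "timestamp": 1700000007,
     "ContextProcessId_decimal": 100101,
     "RemoteAddressIP4": "203.0.113.10", "RemotePort": 443},
    # An unrelated process on the same host, an hour later.
    {"aid": "a1", "event_simpleName": "NetworkConnectIP4", "timestamp": 1700003600,
     "ContextProcessId_decimal": 100099,
     "RemoteAddressIP4": "198.51.100.5", "RemotePort": 80},
    {"aid": "a2", "event_simpleName": "ProcessRollup2", "timestamp": 1700000001,
     "TargetProcessId_decimal": 200777, "ParentProcessId_decimal": 200010,
     "RawProcessId_decimal": 4321,
     "ImageFileName": r"\Device\HarddiskVolume1\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"aid": "a2", "event_simpleName": "DnsRequest", "timestamp": 1700000003,
     "ContextProcessId_decimal": 200777, "DomainName": "update.example.test"},
]


def acting_process_id(event):
    """Sensor process ID that owns an event: the rollup describes the process
    itself (TargetProcessId_decimal); every other event names the acting
    process in ContextProcessId_decimal."""
    if event["event_simpleName"] == "ProcessRollup2":
        return event["TargetProcessId_decimal"]
    return event.get("ContextProcessId_decimal")


def process_timeline(events, aid, target_process_id):
    """Everything one process did on one host, in time order.
    The pivot key is the pair (aid, TargetProcessId_decimal)."""
    rows = [e for e in events
            if e["aid"] == aid and acting_process_id(e) == target_process_id]
    return sorted(rows, key=lambda e: e["timestamp"])


def hosts_sharing_os_pid(events, raw_pid):
    """Hosts whose ProcessRollup2 events carry the same OS PID. OS PIDs are
    reused, which is why RawProcessId_decimal alone is not a safe pivot key."""
    return {e["aid"] for e in events
            if e["event_simpleName"] == "ProcessRollup2"
            and e["RawProcessId_decimal"] == raw_pid}


def events_around(events, aid, center_ts, minutes=10):
    """All events on a host within +/- `minutes` of a timestamp, regardless of
    process: the context view for what else happened around an execution."""
    delta = minutes * 60
    return sorted((e for e in events
                   if e["aid"] == aid and abs(e["timestamp"] - center_ts) <= delta),
                  key=lambda e: e["timestamp"])


def describe(event):
    """One-line rendering of an event for a timeline printout."""
    ts = datetime.fromtimestamp(event["timestamp"], tz=timezone.utc).isoformat()
    detail = (event.get("CommandLine") or event.get("DomainName")
              or f'{event.get("RemoteAddressIP4")}:{event.get("RemotePort")}')
    return f'{ts} {event["event_simpleName"]:<18} {detail}'


if __name__ == "__main__":
    # A detection on host a1 gave us TargetProcessId_decimal 100101.
    for e in process_timeline(EVENTS, "a1", 100101):
        print(describe(e))
    print("hosts with OS PID 4321:", sorted(hosts_sharing_os_pid(EVENTS, 4321)))
    print("events on a1 within 10 min of the execution:",
          len(events_around(EVENTS, "a1", 1700000000)))
```

The same (aid, TargetProcessId_decimal) pair is what the console's Process Timeline link carries; the hosts_sharing_os_pid helper shows why an OS PID that appears in a detection cannot be used on its own, and events_around is the plain-telemetry equivalent of the +/- 10-minute context view.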

Question 45

If a local administrator needs to inspect the quarantine directory directly on a machine, where are quarantine files located on a Windows Endpoint?

Options:

A.

C:\Temp\CrowdStrike\Quarantine

B.

C:\Windows\System32\Drivers\CrowdStrike\Quarantine

C.

C:\Program Files\CrowdStrike\Quarantine

D.

C:\Users\Public\CrowdStrike\Quarantine

Question 46

CrowdScore is a metric used to identify the severity of an ongoing incident. What percentage of increase in a CrowdScore is considered a strong indication of a coordinated attack?

Options:

A.

10%

B.

20%

C.

50%

D.

100%

Question 47

You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the following?

Options:

A.

ProcessTimeline Link

B.

PID

C.

UTCtime

D.

Process ID or Parent Process ID

Question 48

Which of the following sentences best describes the primary use of 'Retrospective Analysis'?

Options:

A.

Identifying future threats using predictive AI models.

B.

Applying an investigative approach across historical timed buckets of telemetry to find past activity.

C.

Terminating a malicious process as it starts to execute.

D.

Recovering files that were encrypted by a ransomware attack.

Question 49

The primary purpose for running a Hash Search is to:

Options:

A.

determine any network connections

B.

review the processes involved with a detection

C.

determine the origin of the detection

D.

review information surrounding a hash's related activity

Question 50

The Falcon platform will show a maximum of how many detections per day for a single Agent Identifier (AID)?

Options:

A.

500

B.

750

C.

1000

D.

1200

Question 51

The User Search results are organized into several categories. Which of the following is NOT a sub-heading in the User Search?

Options:

A.

User Logons

B.

Unique Executables Written

C.

Admin tool usage

D.

Network Connections

Question 52

What types of events are returned by a Process Timeline?

Options:

A.

Only detection events

B.

All cloudable events

C.

Only process events

D.

Only network events

Question 53

An executive asks for a definition of 'CrowdScore'. Which of the following sentences best describes what CrowdScore is?

Options:

A.

It is a ranking system that compares your organization’s security to other companies.

B.

It is a metric designed to show an organization's threat level on a continual basis by aggregating related detections.

C.

It is the total number of detections that have been resolved within the last 24 hours.

D.

It is a measure of the total processing power being used by the Falcon sensors globally.

Question 54

Which of the following subtitles/sub-views cannot be seen in the results of a 'Hash Search'?

Options:

A.

File Metadata

B.

Process Timeline

C.

Intel Indicators

D.

Execution History

Question 55

Refer to the image for Question 55 (the image is not reproduced here).

In the Full Detection View while viewing the Process Tree you see an attack outlined as in the image above.

Based on what you see, what happened during the attack?

Options:

A.

The attacker launched a command prompt, renamed binaries, executed malware, and prepared exfiltration

B.

The attacker launched a command prompt to establish a reverse shell to grant remote code execution capabilities

C.

The attacker executed malware, renamed binaries, prepared exfiltration, and deleted backups to prevent recovery

D.

The attacker launched a command prompt, enumerated the host, created persistence, and deleted backups to prevent recovery

Question 56

In the "Full Detection Details", which view will provide an exportable text listing of events like DNS requests, Registry Operations, and Network Operations?

Options:

A.

The data is unable to be exported

B.

View as Process Tree

C.

View as Process Timeline

D.

View as Process Activity

Question 57

A responder needs to find a specific sequence of network connections that did not trigger a detection. Which search tool allows them to search for anything within the raw telemetry?

Options:

A.

Host Search

B.

Event Search

C.

Hash Search

D.

User Search

Question 58

Sensor Visibility Exclusion patterns are written in which syntax?

Options:

A.

Glob Syntax

B.

Kleene Star Syntax

C.

RegEx

D.

SPL (Splunk)

Question 59

Refer to the image.

Question # 59

Within a Host Search, you have filtered for cmd.exe in the Process executions table and now need to pivot to a process timeline.

Which item in the table do you select to pivot to the Process Timeline?

Options:

A.

PID

B.

Process ID

C.

Command Line
