Free CCFR-201 Sample Questions — CrowdStrike Certified Falcon Responder

Free CCFR-201 sample questions for the CrowdStrike Certified Falcon Responder exam. No account required: study at your own pace.

Want an interactive quiz? Take the full CCFR-201 practice test

Looking for more? The full PDF with 59+ practice questions is available for $10, for offline study and deeper preparation.

Question 1

In the "Full Detection Details", which view will provide an exportable text listing of events like DNS Requests, Registry Operations, and Network Operations?

  • A. The data is unable to be exported
  • B. View as Process Tree
  • C. View as Process Timeline
  • D. View as Process Activity
Correct Answer:
D. View as Process Activity
Question 2

In the Hash Search tool, which of the following is listed under Process Executions?

  • A. Operating System
  • B. File Signature
  • C. Command Line
  • D. Sensor Version
Correct Answer:
C. Command Line
Question 3

What information is contained within a Process Timeline?

  • A. All cloudable process-related events within a given timeframe
  • B. All cloudable events for a specific host
  • C. Only detection process-related events within a given timeframe
  • D. A view of activities on Mac or Linux hosts
Correct Answer:
A. All cloudable process-related events within a given timeframe
Question 4

What is an advantage of using a Process Timeline?

  • A. Process related events can be filtered to display specific event types
  • B. Suspicious processes are color-coded based on their frequency and legitimacy over time
  • C. Processes responsible for spikes in CPU performance are displayed over time
  • D. A visual representation of Parent-Child and Sibling process relationships is provided
Correct Answer:
A. Process related events can be filtered to display specific event types
Question 5

What are Event Actions?

  • A. Automated searches that can be used to pivot between related events and searches
  • B. Pivotable hyperlinks available in a Host Search
  • C. Custom event data queries bookmarked by the currently signed in Falcon user
  • D. Raw Falcon event data
Correct Answer:
A. Automated searches that can be used to pivot between related events and searches
Question 6

What information does the MITRE ATT&CK Framework provide?

  • A. It provides best practices for different cybersecurity domains, such as Identity and Access Management
  • B. It provides a step-by-step cyber incident response strategy
  • C. It provides the phases of an adversary's lifecycle, the platforms they are known to attack, and the specific methods they use
  • D. It is a system that attributes attack techniques to a specific threat actor
Correct Answer:
C. It provides the phases of an adversary's lifecycle, the platforms they are known to attack, and the specific methods they use
Question 7

What happens when a quarantined file is released?

  • A. It is moved into the C:\CrowdStrike\Quarantine\Released folder on the host
  • B. It is allowed to execute on the host
  • C. It is deleted
  • D. It is allowed to execute on all hosts
Correct Answer:
B. It is allowed to execute on the host
Question 8

What do IOA exclusions help you achieve?

  • A. Reduce false positives based on Next-Gen Antivirus settings in the Prevention Policy
  • B. Reduce false positives of behavioral detections from IOA based detections only
  • C. Reduce false positives of behavioral detections from IOA based detections based on a file hash
  • D. Reduce false positives of behavioral detections from Custom IOA and OverWatch detections only
Correct Answer:
B. Reduce false positives of behavioral detections from IOA based detections only
Question 9

From a detection, what is the fastest way to see children and sibling process information?

  • A. Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessId_decimal)
  • B. Select Full Detection Details from the detection
  • C. Right-click the process and select "Follow Process Chain"
  • D. Select the Process Timeline feature, enter the AID, Target Process ID, and Parent Process ID
Correct Answer:
B. Select Full Detection Details from the detection
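
To make the process-tree and timeline questions (Questions 3, 4 and 9) concrete, here is an added Python example. It is not part of this quiz and not CrowdStrike's own tooling: it rebuilds parent/child/sibling process relationships and a per-process, type-filterable timeline from a handful of constructed Falcon-style events. The field names (event_simpleName, aid, TargetProcessId_decimal, ParentProcessId_decimal, ContextProcessId_decimal) follow Falcon event-search naming; the events, the host aid and the process IDs are made up for illustration.

```python
"""Added example, not from the quiz or from CrowdStrike: rebuild the
parent/child/sibling view that "Full Detection Details" shows, and a
process timeline filtered by event type, from ProcessRollup2-style events.

Field names follow Falcon event-search naming; all event records below are
constructed for illustration (hypothetical aid and process IDs).
"""

# Constructed sample events for one host: an Office-to-PowerShell chain
# (outlook.exe -> winword.exe -> powershell.exe) with a sibling cmd.exe,
# plus DNS and network activity tied to powershell.exe via ContextProcessId.
EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "abc123", "timestamp": 1000,
     "TargetProcessId_decimal": 100, "ParentProcessId_decimal": 1,
     "FileName": "outlook.exe", "CommandLine": "outlook.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "abc123", "timestamp": 1010,
     "TargetProcessId_decimal": 200, "ParentProcessId_decimal": 100,
     "FileName": "winword.exe", "CommandLine": "winword.exe /n invoice.docm"},
    {"event_simpleName": "ProcessRollup2", "aid": "abc123", "timestamp": 1020,
     "TargetProcessId_decimal": 300, "ParentProcessId_decimal": 200,
     "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"},
    {"event_simpleName": "ProcessRollup2", "aid": "abc123", "timestamp": 1025,
     "TargetProcessId_decimal": 301, "ParentProcessId_decimal": 200,
     "FileName": "cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"event_simpleName": "DnsRequest", "aid": "abc123", "timestamp": 1030,
     "ContextProcessId_decimal": 300, "DomainName": "example.invalid"},
    {"event_simpleName": "NetworkConnectIP4", "aid": "abc123", "timestamp": 1031,
     "ContextProcessId_decimal": 300, "RemoteAddressIP4": "203.0.113.7",
     "RemotePort": 443},
]


def process_index(events, aid):
    """Map TargetProcessId_decimal -> ProcessRollup2 event for one host (aid)."""
    return {
        e["TargetProcessId_decimal"]: e
        for e in events
        if e["aid"] == aid and e["event_simpleName"] == "ProcessRollup2"
    }


def children(events, aid, pid):
    """Child process IDs: processes whose ParentProcessId_decimal is `pid`."""
    return sorted(
        tpid for tpid, e in process_index(events, aid).items()
        if e["ParentProcessId_decimal"] == pid
    )


def siblings(events, aid, pid):
    """Sibling process IDs: same parent as `pid`, excluding `pid` itself."""
    parent = process_index(events, aid)[pid]["ParentProcessId_decimal"]
    return [c for c in children(events, aid, parent) if c != pid]


def process_timeline(events, aid, pid, event_types=None):
    """All events tied to one process, in time order.

    ProcessRollup2 names the process in TargetProcessId_decimal; activity
    events (DnsRequest, NetworkConnectIP4, ...) point at it through
    ContextProcessId_decimal. `event_types` narrows the listing to the
    given event_simpleName values (the filtering Question 4 refers to).
    """
    def pid_of(e):
        return e.get("TargetProcessId_decimal", e.get("ContextProcessId_decimal"))

    hits = [e for e in events if e["aid"] == aid and pid_of(e) == pid]
    if event_types is not None:
        hits = [e for e in hits if e["event_simpleName"] in event_types]
    return sorted(hits, key=lambda e: e["timestamp"])


def render_tree(events, aid, root_pid, depth=0):
    """Indented text rendering of the parent/child tree below `root_pid`."""
    e = process_index(events, aid)[root_pid]
    lines = ["  " * depth + f"{e['FileName']} (pid {root_pid}): {e['CommandLine']}"]
    for child in children(events, aid, root_pid):
        lines.extend(render_tree(events, aid, child, depth + 1).splitlines())
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(EVENTS, "abc123", 100))
    print("siblings of pid 300:", siblings(EVENTS, "abc123", 300))
    for ev in process_timeline(EVENTS, "abc123", 300, {"DnsRequest", "NetworkConnectIP4"}):
        print(ev["timestamp"], ev["event_simpleName"])
```

The join key is the point: a detection's TargetProcessId_decimal is what you pivot on, children are the ProcessRollup2 events whose ParentProcessId_decimal matches it, siblings share its parent, and the non-process activity in a timeline hangs off ContextProcessId_decimal. The console does this join for you in Full Detection Details; knowing the fields lets you reproduce or extend it in Event Search.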
Question 10

The function of Machine Learning Exclusions is to _____________.

  • A. stop all detections for a specific pattern ID
  • B. stop all sensor data collection for the matching path(s)
  • C. stop all Machine Learning Preventions but a detection will still be generated and files will still be uploaded to the CrowdStrike Cloud
  • D. stop all ML-based detections and preventions for the matching path(s) and/or stop files from being uploaded to the CrowdStrike Cloud
Correct Answer:
D. stop all ML-based detections and preventions for the matching path(s) and/or stop files from being uploaded to the CrowdStrike Cloud
Question 11

The primary purpose for running a Hash Search is to:

  • A. determine any network connections
  • B. review the processes involved with a detection
  • C. determine the origin of the detection
  • D. review information surrounding a hash's related activity
Correct Answer:
D. review information surrounding a hash's related activity
Question 12

What action is used when you want to save a prevention hash for later use?

  • A. Always Block
  • B. Never Block
  • C. Always Allow
  • D. No Action
Correct Answer:
D. No Action
Question 13

From the Detections page, how can you view 'in-progress' detections assigned to Falcon Analyst Alex?

  • A. Filter on 'Analyst: Alex'
  • B. Alex does not have the correct role permissions as a Falcon Analyst to be assigned detections
  • C. Filter on 'Hostname: Alex' and 'Status: In-Progress'
  • D. Filter on 'Status: In-Progress' and 'Assigned-to: Alex'
Correct Answer:
D. Filter on 'Status: In-Progress' and 'Assigned-to: Alex'
Question 14

Which of the following is returned from the IP Search tool?

  • A. IP Summary information from Falcon events containing the given IP
  • B. Threat Graph Data for the given IP from Falcon sensors
  • C. Unmanaged host data from system ARP tables for the given IP
  • D. IP Detection Summary information for detection events containing the given IP
Correct Answer:
A. IP Summary information from Falcon events containing the given IP
Question 15

Which of the following is an example of a MITRE ATT&CK tactic?

  • A. Eternal Blue
  • B. Defense Evasion
  • C. Emotet
  • D. Phishing
Correct Answer:
B. Defense Evasion

Aced these? Get the Full Exam

Download the complete CCFR-201 study bundle with 59+ questions in a single printable PDF.