Weekend Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: best70

CCFR-201b CrowdStrike Certified Falcon Responder Questions and Answers

Questions 4

Which tool or search type is recommended as the " best search " to use when performing the " Examine what ' s normal for this system " step in an investigation?

Options:

A.

User Search

B.

Host Search

C.

Hash Search

D.

IP Search

Buy Now
Questions 5

When analyzing an executable with a global prevalence of common; but you do not know what the executable is. what is the best course of action?

Options:

A.

Do nothing, as this file is common and well known

B.

From detection, click the VT Hash button to pivot to VirusTotal to investigate further

C.

From detection, use API manager to create a custom blocklist

D.

From detection, submit to FalconX for deep dive analysis

Buy Now
Questions 6

Which of the following is NOT a valid event type?

Options:

A.

StartofProcess

B.

EndofProcess

C.

ProcessRollup2

D.

DnsRequest

Buy Now
Questions 7

You are pre-staging a Custom IOC for later use and want to save a file hash for later use after approval.

Which action should you use?

Options:

A.

Save Hash

B.

Monitor

C.

No Action

D.

Always Block

Buy Now
Questions 8

A responder is explaining the quarantine process to a system administrator. What happens technically when a file is quarantined by the Falcon sensor?

Options:

A.

It is deleted from the disk and a log is sent to the cloud.

B.

It is moved to the CrowdStrike Cloud and removed from the local host immediately.

C.

It is compressed, password protected, and moved to the Quarantine folder on the endpoint.

D.

It is renamed to a .tmp extension and moved to the Windows Recycle Bin.

Buy Now
Questions 9

During the triage of a detection involving a newly created persistent task, which specific indicator is most important for a responder to identify the actual intent of the service?

Options:

A.

The total CPU usage of the parent process.

B.

The command-line arguments used during the task creation.

C.

The Agent ID (AID) of the host where the detection fired.

D.

The physical location of the endpoint in the office.

Buy Now
Questions 10

Within the context of CrowdStrike’s behavioral detection engine, what does the acronym ' IOA ' stand for?

Options:

A.

Indicator of Activity

B.

Indicator of Attack

C.

Integrated Operation Alert

D.

Internal Objective Analysis

Buy Now
Questions 11

The Falcon sensor can automatically upload quarantined files to the CrowdStrike Cloud for further analysis. What is the maximum size allowed for a quarantined file to be uploaded?

Options:

A.

10MB

B.

32MB

C.

64MB

D.

128MB

Buy Now
Questions 12

A responder has identified a suspicious PowerShell script executing on a domain controller. To perform a deep-dive forensic analysis of every action taken by that specific process—including network connections and file modifications—the analyst needs to pivot to a Process Timeline. What is the absolute minimum telemetry data required to generate this auto-filled view?

Options:

A.

Agent ID (AID) and Local IP Address

B.

Agent ID (AID) and Target Process ID (TargetProcessId_decimal)

C.

Hostname and MAC Address

D.

User SID and SHA256 Hash

Buy Now
Questions 13

The Falcon sensor can take several automated actions to protect an endpoint. Which of the following is NOT an action that Falcon takes upon detection?

Options:

A.

Process Termination

B.

File Quarantine

C.

Process Restart

D.

Network Isolation

Buy Now
Questions 14

Responders use ' IP Search ' to track connections to malicious infrastructure. Which of the following statements about the IP Search is FALSE?

Options:

A.

It identifies every host that connected to a specific IP.

B.

It provides Intel data if the IP is known to CrowdStrike.

C.

The search only allows for one IP to be entered at a time.

D.

It shows the first and last time the IP was seen in the environment.

Buy Now
Questions 15

In the " Full Detection Details " , which view will provide an exportable text listing of events like DNS requests. Registry Operations, and Network Operations?

Options:

A.

Thedata is unable to be exported

B.

View as Process Tree

C.

View as Process Timeline

D.

View as Process Activity

Buy Now
Questions 16

When performing a ' Hash Search ' , which of the following is NOT a filter available for use?

Options:

A.

SHA256

B.

MD5

C.

File Type

D.

Filename

Buy Now
Questions 17

In various telemetry events like ' FileWrite ' or ' NetworkConnect ' , Falcon identifies the process that performed the action. Which field will always identify this " acting " process?

Options:

A.

ContextProcessId_decimal

B.

TargetProcessId_decimal

C.

ParentProcessId_decimal

D.

OwnerProcessId_decimal

Buy Now
Questions 18

When examining raw event data, what is the purpose of the field called ParentProcessld_decimal?

Options:

A.

It contains an internal value not useful for an investigation

B.

It contains the TargetProcessld_decimal value of the child process

C.

It contains the Sensorld_decimal value for related events

D.

It contains the TargetProcessld_decimal of the parent process

Buy Now
Questions 19

If a local administrator needs to inspect the quarantine directory directly on a machine, where are quarantine files located on a Windows Endpoint?

Options:

A.

C:\Temp\CrowdStrike\Quarantine

B.

C:\Windows\System32\Drivers\CrowdStrike\Quarantine

C.

C:\Program Files\CrowdStrike\Quarantine

D.

C:\Users\Public\CrowdStrike\Quarantine

Buy Now
Questions 20

A responder is using ' Host Search ' to gather baseline data on a machine. Which of the following pieces of information is NOT provided by the Host Search results?

Options:

A.

List of running services and drivers.

B.

Macro Execution History for Microsoft Office products.

C.

Recent network connections and IP addresses.

D.

List of local user accounts and administrators.

Buy Now
Questions 21

A list of managed and unmanaged neighbors for an endpoint can be found:

Options:

A.

by using Hosts page in the Investigate tool

B.

by reviewing " Groups " in Host Management under the Hosts page

C.

under " Audit " by running Sensor Visibility Exclusions Audit

D.

only by searching event data using Event Search

Buy Now
Questions 22

By default, when a file is quarantined by the Falcon sensor to prevent execution, how many days does that file remain on the host ' s local disk?

Options:

A.

7 days

B.

14 days

C.

30 days

D.

90 days

Buy Now
Questions 23

When viewing the summary list on the ' Endpoint Detections ' page, an analyst sees a column for the timestamp. What does the timestamp in this specific summary view represent?

Options:

A.

The exact time the Falcon sensor was first installed on the host.

B.

The timestamp of the last activity recorded for that specific detection.

C.

The time the detection was first assigned to a human analyst.

D.

The file creation time for the primary process involved in the alert.

Buy Now
Questions 24

What information does the MITRE ATT AND CK Framework provide?

Options:

A.

It provides best practices for different cybersecurity domains, such as Identify and Access Management

B.

It provides a step-by-step cyber incident response strategy

C.

It provides the phases of an adversary ' s lifecycle, the platforms they are known to attack, and the specific methods they use

D.

It is a system that attributes an attack techniques to a specific threat actor

Buy Now
Questions 25

Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?

Options:

A.

You can ' t export detailed event data from a detection, you have to use the Process Timeline or an Event Search

B.

In Full Detection Details, you expand the nodes of the process tree you wish to expand and then click the " Export Process Events " button

C.

In Full Detection Details, you choose the " View Process Activity " option and then export from that view

D.

From the Detections Dashboard, you right-click the event type you wish to export and choose CSV. JSON or XML

Buy Now
Questions 26

An attacker attaches cmd.exe as a debugger to osk.exe through a registry key.

What tactic and technique describe this activity?

Options:

A.

Persistence via Image File Execution Options Injection

B.

Post-Exploit via Malicious Tool Execution

C.

Persistence via External Remote Services

D.

Privilege Escalation via Bypass User Account Control

Buy Now
Questions 27

During a targeted investigation into a potentially compromised internal administrative account, a responder utilizes the User Search functionality within the Investigate menu. The goal is to identify if the account was leveraged to drop or launch unauthorized binaries across multiple systems in the environment. Which specific data category is natively visible in the User Search results to facilitate this check?

Options:

A.

Registry Key Operations

B.

Network File Transfer ports

C.

Unique Executables Written and Process Executions

D.

BIOS and Hardware modification logs

Buy Now
Questions 28

In the ' Investigate > Hunt > Linux Sensors ' dashboard, responders can view various Linux-specific activities. Which of the following sub-titling is NOT displayed in this dashboard?

Options:

A.

Sudo Executions

B.

Cron Usage

C.

Kernel Module Loads

D.

User Logins

Buy Now
Questions 29

During the configuration of a new IOA rule, the administrator must decide what action the sensor should take. Which of the following is NOT a valid IOA rule action?

Options:

A.

Monitor

B.

Block

C.

No Action

D.

Kill Process

Buy Now
Questions 30

Which of the following statements about the ' Hash Search ' (Single Search) is TRUE?

Options:

A.

It can search for both files and registry keys simultaneously.

B.

It identifies the geographical location of the file ' s creator.

C.

The ' Hash Written History ' section is only available for SHA256 hashes.

D.

It is primarily used to isolate a host from the network.

Buy Now
Questions 31

While reviewing the high-level organizational structure of a complex detection in the Falcon console, a responder identifies several layers of activity. Which of the following is NOT officially recognized as an Objective Layer within the CrowdStrike detection hierarchy?

Options:

A.

Contact Controlled Systems

B.

Lateral Movement

C.

Gain Access

D.

Follow Through

Buy Now
Questions 32

You are tasked with remediating adware for a host using a custom script via Real Time Response (RTR). When running the script, you get an error that the script is timing out.

How can you resolve this issue?

Options:

A.

Set the -timeout argument to off

B.

Set the -timeout argument to a longer period

C.

Rerun the script

D.

Change the timeout policy in the console settings

Buy Now
Questions 33

In the Hash Search tool, which of the following is listed under Process Executions?

Options:

A.

Operating System

B.

File Signature

C.

Command Line

D.

Sensor Version

Buy Now
Questions 34

A security analyst is triaging a high-severity alert on a critical production server. To understand the adversary ' s intent and technical execution within the framework of industry standards, the analyst refers to the console ' s categorization. Which specific methodology does CrowdStrike utilize within the Falcon platform to classify detections based on technical behavior?

Options:

A.

MITRE-Based Falcon Detections Framework

B.

NIST Incident Response Lifecycle

C.

Falcon Adversary Attribution Matrix

D.

Cyber Kill Chain Classification

Buy Now
Questions 35

The MITRE-Based Falcon Detections Framework is a core component of the Falcon UI. What is the primary operational advantage provided by this framework to a Tier 1 responder?

Options:

A.

It allows for the automated decryption of files affected by ransomware.

B.

It provides a standardized view of the attack lifecycle to help understand adversary behavior.

C.

It enables the sensor to block kernel-level drivers from unknown publishers.

D.

It provides a real-time count of the total number of files on the endpoint.

Buy Now
Questions 36

Which of the following sentences best describes the primary use of ' Retrospective Analysis ' ?

Options:

A.

Identifying future threats using predictive AI models.

B.

Applying an investigative approach across historical timed buckets of telemetry to find past activity.

C.

Terminating a malicious process as it starts to execute.

D.

Recovering files that were encrypted by a ransomware attack.

Buy Now
Questions 37

You are reviewing the raw data in an Event Search from a detection tree. You find a DnsRequest event and want to determine whether any other DNS requests were performed by the original process.

Which two field values do you need from this event to perform a Process Timeline search?

Options:

A.

ParentProcessId and aid

B.

ResponsibleProcessId and aid

C.

RequestType and aid

D.

ContextProcessId and aid

Buy Now
Questions 38

Refer to Image:

CCFR-201b Question 38

You are investigating a network connection in event search.

Which option next to the raw event data should you select to pivot to a graphical representation for all the processes related to the network connection event?

Options:

A.

Inspect

B.

Show Responsible Process Data

C.

Draw Process Explorer

D.

Show Associated Event Data

Buy Now
Questions 39

While investigating a detection, how can you identify all other processes that may have run on the host around the time of an event?

Options:

A.

Run a Process Search in the Investigate app and specify a hostname and time range

B.

Run a Process Timeline in the Investigate app and specify a hostname and time range

C.

Run a Host Search with a specified hostname and time range

D.

Click Full Detection Details to see a Process Tree and then specify a time range

Buy Now
Questions 40

When a responder is looking at the ' Full Detection Details ' page, they can toggle between several views. Which of the following is NOT a layout option available for viewing these details?

Options:

A.

Graph View

B.

Tree View

C.

Process Timeline

D.

List View

Buy Now
Questions 41

Evaluate the following process tree observed in a detection:

root > smss.exe > winlogon.exe > userinit.exe > explorer.exe > windows_media_player_y35s21-4ak.exe

Based on the parent-child relationships, which entry source is most likely?

Options:

A.

A remote service exploitation targeting a system process.

B.

A phishing attack where the user executed a malicious file from the desktop.

C.

A scheduled task running under the SYSTEM account.

D.

A supply chain attack targeting the Windows Boot manager.

Buy Now
Questions 42

What is the difference between Managed and Unmanaged Neighbors in the Falcon console?

Options:

A.

A managed neighbor is currently network contained and an unmanaged neighbor is uncontained

B.

A managed neighbor has an installed and provisioned sensor

C.

An unmanaged neighbor is in a segmented area of the network

D.

A managed sensor has an active prevention policy

Buy Now
Questions 43

When an analyst is trying to pinpoint the exact moment an endpoint came online after being shut down for the weekend, which timeline view is the best to use?

Options:

A.

Process Timeline

B.

Host Timeline

C.

User Timeline

D.

Network Timeline

Buy Now
Questions 44

A responder is focused on a specific malicious script and wants to see everything that the script ' s process did. Which timeline is the best tool for this task?

Options:

A.

Host Timeline

B.

Process Timeline

C.

User Timeline

D.

Administrative Timeline

Buy Now
Questions 45

Your lead analyst instructs you to dump the kernel memory of a Windows system using Real Time Response (RTR).

Which native RTR command best helps you to quickly achieve the task?

Options:

A.

CSWINDIAG

B.

dumpmem

C.

xmemdump

D.

memdump

Buy Now
Questions 46

CrowdStrike supports various deployment types. What is a ' POD sensor ' ?

Options:

A.

A sensor specifically designed for mobile devices (iOS/Android).

B.

A sensor that is installed directly on a Kubernetes or Docker host to monitor containers.

C.

A legacy sensor used only for disconnected or air-gapped systems.

D.

A physical appliance that sits on the network to monitor traffic.

Buy Now
Questions 47

A responder is analyzing a MITRE-related alert and sees the technique ' Explore > Discovery > Cloud Service Dashboard ' . Which of the following scenarios best describes the technical activity associated with this technique?

Options:

A.

An adversary uses an automated script to bruteforce S3 bucket permissions.

B.

An adversary uses a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment.

C.

An adversary executes an API call to terminate all running EC2 instances in a region.

D.

An adversary deploys a crypto-miner inside a compromised Docker container.

Buy Now
Questions 48

Which of the following tactic and technique combinations is sourced from MITRE ATT AND CK information?

Options:

A.

Falcon Intel via Intelligence Indicator - Domain

B.

Machine Learning via Cloud-Based ML

C.

Malware via PUP

D.

Credential Access via OS Credential Dumping

Buy Now
Questions 49

The Falcon console is divided into several modules. Timelines (Host and Process) are technically a part of which Falcon page?

Options:

A.

Activity

B.

Investigate

C.

Configuration

D.

Dashboards

Buy Now
Questions 50

Where can you find hosts that are in Reduced Functionality Mode?

Options:

A.

Event Search

B.

Executive Summary dashboard

C.

Host Search

D.

Installation Tokens

Buy Now
Questions 51

Falcon uses specific identifiers to track processes across the environment. Which of the following sentences best describes what the ' TargetProcessId_decimal ' raw data represents?

Options:

A.

The standard Process ID (PID) assigned by the Windows operating system.

B.

A sensor-assigned decimal number that is unique for each process across time and hosts.

C.

The memory address where the process’s executable is loaded.

D.

The total number of seconds the process has been running.

Buy Now
Questions 52

Which is TRUE regarding a file released from quarantine?

Options:

A.

No executions are allowed for 14 days after release

B.

It is allowed to execute on all hosts

C.

It is deleted

D.

It will not generate future machine learning detections on the associated host

Buy Now
Questions 53

What does pivoting to an Event Search from a detection do?

Options:

A.

It gives you the ability to search for similar events on other endpoints quickly

B.

It takes you to the raw Insight event data and provides you with a number of Event Actions

C.

It takes you to a Process Timeline for that detection so you can see all related events

D.

It allows you to input an event type, such as DNS Request or ASEP write, and search for those events within the detection

Buy Now
Questions 54

To track the relationship between a parent and its child, Falcon uses specific ID fields. What raw data is used as the ' ParentProcessId_decimal ' when a process spawns a child process?

Options:

A.

The Operating System PID of the parent.

B.

The TargetProcessId_decimal of the parent process.

C.

The ContextProcessId_decimal of the system.

D.

The RootProcessId_decimal of the entire tree.

Buy Now
Questions 55

CrowdStrike provides ' Overwatch Best Practices ' for triaging alerts. According to these guidelines, what is the next step a responder should take immediately after the ' Understand the detection ' step?

Options:

A.

Isolate the host from the network.

B.

Review the process tree to understand the origin of the activity.

C.

Perform an OSINT search for the suspicious hash.

D.

Resolve the detection as a True Positive.

Buy Now
Questions 56

From the Detections page, how can you view ' in-progress ' detections assigned to Falcon Analyst Alex?

Options:

A.

Filter on ' Analyst: Alex '

B.

Alex does not have the correct role permissions as a Falcon Analyst to be assigned detections

C.

Filter on ' Hostname: Alex ' and ' Status: In-Progress '

D.

Filter on ' Status: In-Progress ' and ' Assigned-to: Alex*

Buy Now
Questions 57

Refer to the image.

CCFR-201b Question 57

You are using Advanced Event Search to find the event record for a suspicious network connection.

Using the Event List Interactions button for the event, indicated by the arrow in the image above, which option will show all contextual event data around the process execution being investigated?

Options:

A.

Show Responsible Process Data

B.

Inspect

C.

Show +/- 10-minute windows of events

D.

Investigate Host

Buy Now
Questions 58

Which of the following sentences best describes the primary objective of ' Real-time Analysis ' within the Falcon platform?

Options:

A.

Analyzing historical logs from the past 90 days to find missed threats.

B.

Investigating incoming telemetry in real time or on a near real-time basis to catch active threats.

C.

Scanning every file on a hard drive once per week for dormant viruses.

D.

Manually updating the Falcon sensor on every machine in the fleet.

Buy Now
Questions 59

What happens when a hash is set to Always Block through IOC Management?

Options:

A.

Execution is prevented on all hosts by default

B.

Execution is prevented on selected host groups

C.

Execution is prevented and detection alerts are suppressed

D.

The hash is submitted for approval to be blocked from execution once confirmed by Falcon specialists

Buy Now
Questions 60

While quarantined files stay on the local host for 30 days by default, how many days does a quarantined file remain stored in the CrowdStrike Cloud?

Options:

A.

30 days

B.

60 days

C.

90 days

D.

180 days

Buy Now
Questions 61

Which of the following subtitles/sub-views cannot be seen in the results of a ' Hash Search ' ?

Options:

A.

File Metadata

B.

Process Timeline

C.

Intel Indicators

D.

Execution History

Buy Now
Questions 62

Where are quarantine files located on a Mac Endpoint?

Options:

A.

/tmp/cs/quarantine

B.

/Library/CS/Quarantine

C.

/Applications/Falcon/Quarantine

D.

/Users/Shared/CS/Quarantine

Buy Now
Exam Code: CCFR-201b
Exam Name: CrowdStrike Certified Falcon Responder
Last Update: Jul 19, 2026
Questions: 209

PDF + Testing Engine

$134.99

Testing Engine

$99.99

PDF (Q&A)

$84.99