CrowdStrike CCFR-201 CrowdStrike Certified Falcon Responder Online Training
CrowdStrike CCFR-201 Online Training
The questions for CCFR-201 were last updated at Dec 24,2024.
- Exam Code: CCFR-201
- Exam Name: CrowdStrike Certified Falcon Responder
- Certification Provider: CrowdStrike
- Latest update: Dec 24,2024
After pivoting to an event search from a detection, you locate the ProcessRollup2 event.
Which two field values are you required to obtain to perform a Process Timeline search so you can determine what the process was doing?
- A . SHA256 and TargetProcessld_decimal
- B . SHA256 and ParentProcessld_decimal
- C . aid and ParentProcessld_decimal
- D . aid and TargetProcessld_decimal
The function of Machine Learning Exclusions is to___________.
- A . stop all detections for a specific pattern ID
- B . stop all sensor data collection for the matching path(s)
- C . Stop all Machine Learning Preventions but a detection will still be generated and files will still be uploaded to the CrowdStrike Cloud
- D . stop all ML-based detections and preventions for the matching path(s) and/or stop files from being uploaded to the CrowdStrike Cloud
What happens when you create a Sensor Visibility Exclusion for a trusted file path?
- A . It excludes host information from Detections and Incidents generated within that file path location
- B . It prevents file uploads to the CrowdStrike cloud from that file path
- C . It excludes sensor monitoring and event collection for the trusted file path
- D . It disables detection generation from that path, however the sensor can still perform prevention actions
What types of events are returned by a Process Timeline?
- A . Only detection events
- B . All cloudable events
- C . Only process events
- D . Only network events
What is the difference between a Host Search and a Host Timeline?
- A . Results from a Host Search return information in an organized view by type, while a Host Timeline returns a view of all events recorded by the sensor
- B . A Host Timeline only includes process execution events and user account activity
- C . Results from a Host Timeline include process executions and related events organized by data type. A Host Search returns a temporal view of all events for the given host
- D . There is no difference – Host Search and Host Timeline are different names for the same search
page
When examining raw event data, what is the purpose of the field called ParentProcessld_decimal?
- A . It contains an internal value not useful for an investigation
- B . It contains the TargetProcessld_decimal value of the child process
- C . It contains the Sensorld_decimal value for related events
- D . It contains the TargetProcessld_decimal of the parent process
What action is used when you want to save a prevention hash for later use?
- A . Always Block
- B . Never Block
- C . Always Allow
- D . No Action
A list of managed and unmanaged neighbors for an endpoint can be found:
- A . by using Hosts page in the Investigate tool
- B . by reviewing "Groups" in Host Management under the Hosts page
- C . under "Audit" by running Sensor Visibility Exclusions Audit
- D . only by searching event data using Event Search
What happens when a hash is allowlisted?
- A . Execution is prevented, but detection alerts are suppressed
- B . Execution is allowed on all hosts, including all other Falcon customers
- C . The hash is submitted for approval to be allowed to execute once confirmed by Falcon specialists
- D . Execution is allowed on all hosts that fall under the organization’s CID
Which of the following is returned from the IP Search tool?
- A . IP Summary information from Falcon events containing the given IP
- B . Threat Graph Data for the given IP from Falcon sensors
- C . Unmanaged host data from system ARP tables for the given IP
- D . IP Detection Summary information for detection events containing the given IP