CrowdStrike CCFR-201 CrowdStrike Certified Falcon Responder Online Training
The questions for CCFR-201 were last updated on Nov 19, 2024.
- Exam Code: CCFR-201
- Exam Name: CrowdStrike Certified Falcon Responder
- Certification Provider: CrowdStrike
- Latest update: Nov 19, 2024
Which is TRUE regarding a file released from quarantine?
- A . No executions are allowed for 14 days after release
- B . It is allowed to execute on all hosts
- C . It is deleted
- D . It will not generate future machine learning detections on the associated host
Which of the following is an example of a MITRE ATT&CK tactic?
- A . Eternal Blue
- B . Defense Evasion
- C . Emotet
- D . Phishing
You notice that taskeng.exe is one of the processes involved in a detection.
What activity should you investigate next?
- A . User logons after the detection
- B . Executions of schtasks.exe after the detection
- C . Scheduled tasks registered prior to the detection
- D . Pivot to a Hash search for taskeng.exe
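taskeng.exe is the Windows Task Scheduler engine that launches the actions of registered tasks, so a process running under it was started by a task that already existed before the detection fired. The following PowerShell is an added example written for this page (it is not part of the original question set and not CrowdStrike code) of the host-side check that goes with this question: enumerate scheduled tasks whose registration date precedes the detection time and list who registered them and what they run. Assumptions not in the page: the detection timestamp is a placeholder you replace with the one from the Falcon detection, the registration date is read from each task definition's RegistrationInfo/Date element, and the script runs with administrative rights on the affected host (locally or through any remote-execution tool that can run PowerShell there).

```powershell
# Added example (not from the page): list scheduled tasks registered before a
# detection timestamp, to find the task that launched a process under taskeng.exe.
# Assumption: replace the placeholder below with the detection time from Falcon,
# converted to the host's local time zone.
param(
    [datetime]$DetectionTime = (Get-Date '2024-11-19T10:30:00')
)

$results = foreach ($task in Get-ScheduledTask) {
    # Export-ScheduledTask returns the task definition as XML text;
    # RegistrationInfo/Date is the registration timestamp (ISO 8601).
    [xml]$xml = Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath
    $regDate = $xml.Task.RegistrationInfo.Date
    if (-not $regDate) { continue }   # many built-in tasks carry no Date element

    $registered = [datetime]$regDate
    if ($registered -lt $DetectionTime) {
        $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
        [pscustomobject]@{
            TaskPath    = $task.TaskPath
            TaskName    = $task.TaskName
            Registered  = $registered
            Author      = $xml.Task.RegistrationInfo.Author
            RunsAs      = $task.Principal.UserId
            LastRunTime = $info.LastRunTime
            # Exec actions expose Execute/Arguments; COM-handler actions leave them empty
            Command     = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        }
    }
}

# Most recently registered tasks first: those closest to the detection time are
# the usual suspects, as are tasks whose LastRunTime sits just before it.
$results | Sort-Object Registered -Descending | Format-Table -AutoSize
```

Two caveats when reading the output: the Date element is plain metadata inside the task definition, so a task registered from attacker-supplied XML can carry any date it likes, which is why LastRunTime and the action's command line are listed beside it; and tasks registered after the detection are deliberately excluded here, because the process that triggered the detection could not have been launched by a task that did not yet exist.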
Where can you find hosts that are in Reduced Functionality Mode?
- A . Event Search
- B . Executive Summary dashboard
- C . Host Search
- D . Installation Tokens
From the Detections page, how can you view ‘in-progress’ detections assigned to Falcon Analyst Alex?
- A . Filter on ‘Analyst: Alex’
- B . Alex does not have the correct role permissions as a Falcon Analyst to be assigned detections
- C . Filter on ‘Hostname: Alex’ and ‘Status: In-Progress’
- D . Filter on ‘Status: In-Progress’ and ‘Assigned-to: Alex’
The Process Activity View provides a rows-and-columns style view of the events generated in a detection.
Why might this be helpful?
- A . The Process Activity View creates a consolidated view of all detection events for that process that can be exported for further analysis
- B . The Process Activity View will show the Detection time of the earliest recorded activity which might indicate first affected machine
- C . The Process Activity View only creates a summary of Dynamic Link Libraries (DLLs) loaded by a process
- D . The Process Activity View creates a count of event types only, which can be useful when scoping the event
After running an Event Search, you can select many Event Actions depending on your results.
Which of the following is NOT an option for any Event Action?
- A . Draw Process Explorer
- B . Show a +/- 10-minute window of events
- C . Show a Process Timeline for the responsible process
- D . Show Associated Event Data (from TargetProcessId_decimal or ContextProcessId_decimal)
Which option indicates a hash is allowlisted?
- A . No Action
- B . Allow
- C . Ignore
- D . Always Block
Which of the following tactic and technique combinations is sourced from MITRE ATT&CK information?
- A . Falcon Intel via Intelligence Indicator – Domain
- B . Machine Learning via Cloud-Based ML
- C . Malware via PUP
- D . Credential Access via OS Credential Dumping
What do IOA exclusions help you achieve?
- A . Reduce false positives based on Next-Gen Antivirus settings in the Prevention Policy
- B . Reduce false positives of behavioral detections from IOA based detections only
- C . Reduce false positives of behavioral detections from IOA based detections based on a file hash
- D . Reduce false positives of behavioral detections from Custom IOA and OverWatch detections only