CCFR-201b CrowdStrike Certified Falcon Responder Question and Answers

Question # 4

The Falcon console integrates heavily with the MITRE ATT&CK framework to provide industry-standard context. Which of the following tactics displayed in the detection UI is a direct implementation of a MITRE ATT&CK tactic?

A. Malware Action
B. Impact
C. Intelligence-Based Match
D. Script-Based Execution

Question # 5

Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?

A. You can't export detailed event data from a detection; you have to use the Process Timeline or an Event Search
B. In Full Detection Details, you expand the nodes of the process tree you wish to export and then click the "Export Process Events" button
C. In Full Detection Details, you choose the "View Process Activity" option and then export from that view
D. From the Detections Dashboard, you right-click the event type you wish to export and choose CSV, JSON or XML

Question # 6

Which of the following is an example of a MITRE ATT&CK tactic?

A. Eternal Blue
B. Defense Evasion
C. Emotet
D. Phishing

Question # 7

While examining the 'Process Details' sidebar of a detection, a responder sees the following icons: "25 Network Operations" and "277 Disk Operations". What does this contextual data represent?

A. The percentage of the CPU being consumed by the network and disk.
B. The specific number of telemetry events recorded for network and disk activity by that process.
C. The total size in megabytes of the data sent over the network and written to disk.
D. The number of other hosts that have seen similar network and disk activity.

Question # 8

What actions are available for domain name-based Indicators of Compromise (IOCs) in Falcon?

A. Detect only, Allow
B. Block, Detect only, Allow
C. Block, Allow, No action
D. Detect only, No action

Question # 9

During an advanced hunting session, a responder is writing a custom query in the Event Search tool to track the lineage of a suspicious process. They notice a field labeled TargetProcessId_decimal. Which of the following sentences accurately describes the technical significance of this value within the CrowdStrike telemetry ecosystem?

A. It is the standard Process ID (PID) assigned by the Windows Task Manager.
B. It is a sensor-assigned, environment-wide unique decimal identifier for that specific process instance.
C. It represents the memory offset where the process's primary thread began.
D. It is a count of the total number of child processes spawned by that executable.

Question # 10

What information does the MITRE ATT&CK Framework provide?

A. It provides best practices for different cybersecurity domains, such as Identity and Access Management
B. It provides a step-by-step cyber incident response strategy
C. It provides the phases of an adversary's lifecycle, the platforms they are known to attack, and the specific methods they use
D. It is a system that attributes an attack technique to a specific threat actor

Question # 11

In the full detection tree view, icons provide visual cues about the telemetry. What does the specific icon representing a 'Falcon' (blue bird) indicate to the responder?

A. The file has been successfully quarantined by the sensor.
B. There is related Intelligence (Intel) data available for this detection.
C. The process has been identified as a legitimate system file.
D. The host is currently undergoing a remote live response session.

Question # 12

A security analyst is triaging a high-severity alert on a critical production server. To understand the adversary's intent and technical execution within the framework of industry standards, the analyst refers to the console's categorization. Which specific methodology does CrowdStrike utilize within the Falcon platform to classify detections based on technical behavior?

A. MITRE-Based Falcon Detections Framework
B. NIST Incident Response Lifecycle
C. Falcon Adversary Attribution Matrix
D. Cyber Kill Chain Classification

Question # 13

Data retention is a key factor in retrospective hunting. How long will "Detection Related Events" be retained in the Falcon environment?

A. 30 days
B. 60 days
C. 90 days
D. 1 year

Question # 14

A responder needs to categorize an incident based on the high-level goals of the attacker. Which of the following lists correctly identifies the "Objectives" as they are natively defined and used within the Falcon platform?

A. Explore, Keep Access, Gain Access, Falcon Detection Method, Contact Controlled Systems, Follow Through
B. Reconnaissance, Delivery, Weaponization, Exploitation, Installation, Command and Control
C. Identify, Protect, Detect, Respond, Recover, Lessons Learned
D. Triage, Containment, Remediation, Eradication, Reporting, Recovery

Question # 15

When a responder chooses to 'Release' a file from quarantine because it was determined to be a false positive, what type of allowlist is automatically created in the background?

A. Filename-based allowlist
B. Hash-based allowlist
C. Path-based allowlist
D. Command-line allowlist

Question # 16

While the host timeline is comprehensive, some data is not included in that specific view. Which of the following CANNOT be seen directly from the host timeline?

A. Timestamp
B. Event Name
C. PID (Process ID)
D. CPU Temperature

Question # 17

What is an advantage of using the IP Search tool?

A. IP searches provide manufacturer and timezone data that cannot be accessed anywhere else
B. IP searches allow for multiple comma-separated IPv6 addresses as input
C. IP searches offer shortcuts to launch response actions and network containment on target hosts
D. IP searches provide host, process, and organizational unit data without the need to write a query

Question # 18

During the triage of a detection involving a newly created persistent task, which specific indicator is most important for a responder to identify the actual intent of the service?

A. The total CPU usage of the parent process.
B. The command-line arguments used during the task creation.
C. The Agent ID (AID) of the host where the detection fired.
D. The physical location of the endpoint in the office.

Question # 19

When navigating the 'Custom IOA' creation wizard, a user must select a rule type. Which of the following is NOT a valid IOA rule type available for selection?

A. Process Creation
B. File Creation
C. Domain Name
D. Scheduled Task

Question # 20

Refer to the image.

You receive the detection displayed in the image above on a host in your environment.

Assuming you have the correct permissions, where would you navigate to remotely connect to the host and investigate further?

A. Investigate > Connect to host
B. View Incident > Connect to host
C. Actions > Connect to host

Question # 21

Which of the following is returned from the IP Search tool?

A. IP Summary information from Falcon events containing the given IP
B. Threat Graph Data for the given IP from Falcon sensors
C. Unmanaged host data from system ARP tables for the given IP
D. IP Detection Summary information for detection events containing the given IP

Question # 22

What do IOA exclusions help you achieve?

A. Reduce false positives based on Next-Gen Antivirus settings in the Prevention Policy
B. Reduce false positives of behavioral detections from IOA-based detections only
C. Reduce false positives of behavioral detections from IOA-based detections based on a file hash
D. Reduce false positives of behavioral detections from Custom IOA and OverWatch detections only

Question # 23

While most searches are accessible from a detection, some require a manual jump. Which search is not available as a direct pivot from a detection?

A. Host Search
B. Hash Search
C. User Search
D. IP Search

Question # 24

When a responder needs to take data out of the Falcon console for external analysis, which of the following is NOT an option when exporting searches?

A. CSV
B. JSON
C. PDF
D. Gzip

Question # 25

When examining a detection process tree, several fields are provided to give context. Which of the following is NOT included in the standard fields of a detection process tree?

A. Command Line
B. User Name
C. HTTP Post contents
D. SHA256 Hash

Question # 26

A responder has identified a suspicious PowerShell script executing on a domain controller. To perform a deep-dive forensic analysis of every action taken by that specific process, including network connections and file modifications, the analyst needs to pivot to a Process Timeline. What is the absolute minimum telemetry data required to generate this auto-filled view?

A. Agent ID (AID) and Local IP Address
B. Agent ID (AID) and Target Process ID (TargetProcessId_decimal)
C. Hostname and MAC Address
D. User SID and SHA256 Hash

Question # 27

Responders often need to organize detections to identify trends across the environment. Which of the following is NOT a grouping option currently available on the 'Endpoint Detections' page?

A. Grouped by Process
B. Grouped by Alert
C. Grouped by File Path
D. Grouped by Severity

Question # 28

A responder wants to verify why a certain quarantined file was not uploaded to the cloud. Which specific policy dictates whether quarantined files are permitted to be uploaded?

A. Sensor Update Policy
B. Prevention Policy
C. Response Policy
D. Quarantine Management Policy

Question # 29

What is an advantage of using a Process Timeline?

A. Process related events can be filtered to display specific event types
B. Suspicious processes are color-coded based on their frequency and legitimacy over time
C. Processes responsible for spikes in CPU performance are displayed over time
D. A visual representation of Parent-Child and Sibling process relationships is provided

Question # 30

During a targeted investigation into a potentially compromised internal administrative account, a responder utilizes the User Search functionality within the Investigate menu. The goal is to identify if the account was leveraged to drop or launch unauthorized binaries across multiple systems in the environment. Which specific data category is natively visible in the User Search results to facilitate this check?

A. Registry Key Operations
B. Network File Transfer ports
C. Unique Executables Written and Process Executions
D. BIOS and Hardware modification logs

Question # 31

You are writing a script that your colleagues could run on any Windows machine using Real Time Response (RTR). The script you have written is over the 40-KB limit.

How should you run the script to avoid technical issues?

A. Use the put command to place the script on the host and runscript -hostpath to run the script
B. Break the script into multiple files under 40 KB and run each one sequentially with runscript -raw
C. Use the put command to place the script on the host and runscript -cloudfile to run the script
D. Use the runscript -cloudfile command to upload the script from your local machine and execute it directly

Question # 32

You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the following?

A. ProcessTimeline Link
B. PID
C. UTCtime
D. Process ID or Parent Process ID

Question # 33

When performing a 'Hash Search', which of the following is NOT a filter available for use?

A. SHA256
B. MD5
C. File Type
D. Filename

Question # 34

Depending on the subscription level, "Cloudable Events" (standard telemetry) have a specific retention period. What is the minimum period of time that these events are retained?

A. 1 day
B. 7 days
C. 14 days
D. 30 days

Question # 35

When training a new team member on how to interpret Falcon telemetry, a senior responder explains the definition of a 'Tactic'. Which of the following sentences best captures the technical definition of a Tactic in this context?

A. It represents the specific software version or exploit code used to crash a service.
B. It is the adversary's tactical goal: the fundamental reason for performing a specific action.
C. It is the unique cryptographic hash associated with a malicious file discovered on disk.
D. It is the specific command-line string used to execute a PowerShell script.

Question # 36

Which specific event type in the Falcon telemetry is associated with the creation of a new 'TargetProcessId_decimal'?

A. ProcessRollup2
B. FileCreation
C. NetworkConnect
D. RegistryUpdate

Question # 37

When reviewing a Host Timeline, which of the following filters is available?

A. Severity
B. Event Types
C. User Name
D. Detection ID

Question # 38

Which of the following is NOT a filter available on the Detections page?

A. Severity
B. CrowdScore
C. Time
D. Triggering File

Question # 39

When viewing the main 'Quarantine' dashboard to manage blocked files, which of the following pieces of information CANNOT be seen by default?

A. Filename
B. Host Name
C. Hash
D. Date Quarantined

Question # 40

In the 'User Search - File Written' section, a responder can see various files dropped by a user. Which of the following file types CANNOT be seen from this view?

A. Scripts (.ps1, .sh)
B. Executables (.exe)
C. Executions (Process starts)
D. Archive files (.zip, .7z)

Question # 41

To maintain a logical flow during an incident post-mortem, CrowdStrike recommends describing adversary activity using a specific three-part sentence structure. Which combination best completes this sentence: "The adversary was trying to [1], by [2], using [3]"?

A. <Technique>, <Tactic>, <Objective>
B. <Objective>, <Tactic>, <Technique>
C. <Objective>, <Technique>, <Tactic>
D. <Tactic>, <Objective>, <Technique>

Question # 42

What happens when you open the full detection details?

A. The process explorer opens and the detection is removed from the console
B. The process explorer opens and you're able to view the processes and process relationships
C. The process explorer opens and the detection copies to the clipboard
D. The process explorer opens and the Event Search query is run for the detection

Question # 43

A responder is focused on a specific malicious script and wants to see everything that the script's process did. Which timeline is the best tool for this task?

A. Host Timeline
B. Process Timeline
C. User Timeline
D. Administrative Timeline

Question # 44

Detections in Falcon are classified by their origin. Which of the following is NOT a recognized type of detection?

A. Machine Learning
B. Behavioral
C. Intelligence
D. Custom IOA

Question # 45

Bulk Search tools have several features in common. Which of the following is incorrect as a feature common to all Bulk Search types?

A. They allow for searching multiple items (up to 500) at once.
B. Regular Expressions (Regex) are allowed within the search fields.
C. Search results can be exported for further analysis.
D. They search across historical telemetry in the cloud.

Question # 46

When an organization needs to detect a specific behavior that is unique to their environment, they can create a Custom IOA. Which of the following is NOT required when configuring a custom IOA from scratch?

A. Selecting a Rule Type (e.g., Process Creation).
B. Specifying the Severity level of the resulting detection.
C. Assigning a specific host group to the IOA rule at the time of creation.
D. Providing a unique name for the rule.

Question # 47

A responder wants to include a visual representation of a process tree in an incident report. Which of the following is NOT a valid way to export process data from 'Full Detection Details'?

A. Process Tree > PNG
B. Process Tree > JPEG
C. Detection > CSV
D. Process Tree > JSON

Question # 48

A responder is using 'Host Search' to gather baseline data on a machine. Which of the following pieces of information is NOT provided by the Host Search results?

A. List of running services and drivers.
B. Macro Execution History for Microsoft Office products.
C. Recent network connections and IP addresses.
D. List of local user accounts and administrators.

Question # 49

If the Falcon sensor identifies suspicious behavioral patterns, such as a process attempting to dump memory from lsass.exe, what specific type of detection will be generated?

A. Indicator of Compromise (IOC)
B. Indicator of Attack (IOA)
C. Known Malware Alert
D. Intelligence Data Match

Question # 50

Evaluate the following process tree observed in a detection:

root > smss.exe > winlogon.exe > userinit.exe > explorer.exe > windows_media_player_y35s21-4ak.exe

Based on the parent-child relationships, which entry source is most likely?

A. A remote service exploitation targeting a system process.
B. A phishing attack where the user executed a malicious file from the desktop.
C. A scheduled task running under the SYSTEM account.
D. A supply chain attack targeting the Windows Boot Manager.

Question # 51

Where are quarantined files located on a Mac endpoint?

A. /tmp/cs/quarantine
B. /Library/CS/Quarantine
C. /Applications/Falcon/Quarantine
D. /Users/Shared/CS/Quarantine

Question # 52

In the context of raw event searching, the term 'ProcessRollup2' refers to a value within which field?

A. event_type
B. event_simpleName
C. action_id
D. process_status

Question # 53

The MITRE-Based Falcon Detections Framework is a core component of the Falcon UI. What is the primary operational advantage provided by this framework to a Tier 1 responder?

A. It allows for the automated decryption of files affected by ransomware.
B. It provides a standardized view of the attack lifecycle to help understand adversary behavior.
C. It enables the sensor to block kernel-level drivers from unknown publishers.
D. It provides a real-time count of the total number of files on the endpoint.

Question # 54

A list of managed and unmanaged neighbors for an endpoint can be found:

A. by using the Hosts page in the Investigate tool
B. by reviewing "Groups" in Host Management under the Hosts page
C. under "Audit" by running the Sensor Visibility Exclusions Audit
D. only by searching event data using Event Search

Question # 55

Which of the following sentences best describes the primary use of the 'Hash Executions' Search (Bulk Search)?

A. It allows a responder to upload a file to the cloud for detonating in a sandbox.
B. It allows for a summary view of the environment-wide presence of a given list of multiple hashes.
C. It allows an administrator to block a single hash across all machines.
D. It provides a detailed process tree for every execution of a single hash.

Question # 56

Host Search is a powerful investigation tool. From which of the following sources is a responder most likely to pivot directly to a Host Search?

A. A global intelligence report about a new adversary.
B. A specific detection that occurred on a particular host.
C. The main settings menu of the Falcon console.
D. The help documentation in the Support portal.

Question # 57

What types of events are returned by a Process Timeline?

A. Only detection events
B. All cloudable events
C. Only process events
D. Only network events

Question # 58

When analyzing the raw telemetry for a 'DNSRequest' event, which of the following raw data fields is available to the responder?

A. browser_type
B. index
C. cpu_usage_percent
D. monitor_mode

Question # 59

In the Falcon console, detections can be automated or manual. Which of the following options represents a manual detection?

A. A detection triggered by the Machine Learning engine.
B. A Falcon OverWatch-pushed detection.
C. A detection based on a Custom IOA.
D. A detection matched against a known Intelligence IOC.