
CCFR-201b CrowdStrike Certified Falcon Responder Questions and Answers

Questions 4

When a responder needs to take data out of the Falcon console for external analysis, which of the following is NOT an option when exporting searches?

Options:

A. CSV
B. JSON
C. PDF
D. Gzip

Questions 5

How long are quarantined files stored in the CrowdStrike Cloud?

Options:

A. 45 Days
B. 90 Days
C. Days
D. Quarantined files are not deleted

Questions 6

You notice that taskeng.exe is one of the processes involved in a detection. What activity should you investigate next?

Options:

A. User logons after the detection
B. Executions of schtasks.exe after the detection
C. Scheduled tasks registered prior to the detection
D. Pivot to a Hash search for taskeng.exe

Questions 7

An adversary is attempting to disable security features by modifying the system registry. Which of the following native Windows processes is specifically designed to create, modify, and delete Registry keys via the command line?

Options:

A. reg.exe
B. taskmgr.exe
C. lsass.exe
D. svchost.exe

Questions 8

From a detection, what is the fastest way to see children and sibling process information?

Options:

A. Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessId_decimal)
B. Select Full Detection Details from the detection
C. Right-click the process and select "Follow Process Chain"
D. Select the Process Timeline feature, enter the AID, Target Process ID, and Parent Process ID

Questions 9

Multiple detections with the process schtasks.exe begin to alert in the UI. The process executes the following command line on several unique hosts:

schtasks.exe /Query /TN "Qljsscdqr"

What is the most efficient way to identify which hosts are executing this scheduled task?

Options:

A. Filter detections by command line and sort by 'Host: A to Z'
B. Filter detections by command line and group by triggering file
C. Filter detections by the triggering file and sort by 'Host: A to Z'
D. Filter detections by command line and group by host

Questions 10

A list of managed and unmanaged neighbors for an endpoint can be found:

Options:

A. by using the Hosts page in the Investigate tool
B. by reviewing "Groups" in Host Management under the Hosts page
C. under "Audit" by running the Sensor Visibility Exclusions Audit
D. only by searching event data using Event Search

Questions 11

To perform a deep-dive investigation into a specific detection, a responder needs to pivot to a process timeline. What is the minimum information required to be gathered from the detection before making this pivot?

Options:

A. The External IP and the Username of the logged-in user.
B. The Agent ID (AID) and the Target Process ID (TargetProcessId_decimal).
C. The MAC Address of the host and the SHA256 hash of the file.
D. The Policy ID and the timestamp of the first event.

Questions 12

What must be true about a custom script before it can be executed from within a Fusion SOAR Workflow?

Options:

A. The Response Policy must allow for the execution of Workflows
B. The script must exist on the host locally
C. The script must contain input and output JSON fields
D. The Share with workflows option must be enabled for the custom script

Questions 13

You are notified by a third party that a program may have redirected traffic to a malicious domain. Which Falcon page will assist you in searching for any domain request information related to this notice?

Options:

A. Falcon X
B. Investigate
C. Discover
D. Spotlight

Questions 14

A responder is analyzing a process tree where a suspicious executable is listed as a direct child of services.exe. In this scenario, which source is most likely responsible for the execution?

Options:

A. An interactive user login via RDP.
B. A Windows Service or a process launched by the Service Control Manager.
C. A web browser download initiated by the end user.
D. A script executed directly from a removable USB drive.

Questions 15

The Falcon sensor is designed to provide deep visibility into endpoint activity, yet it is not omniscient. According to the Cyber Kill Chain model, which of the following stages does the Falcon sensor typically NOT have visibility over?

Options:

A. Exploitation of a memory-resident vulnerability
B. Installation of a persistent backdoor
C. Weaponization of a malicious payload on the adversary's infrastructure
D. Delivery of a malicious document via an encrypted email attachment

Questions 16

A responder releases a file from quarantine on a specific workstation. What is the default scope of the allowlist that is created during this process?

Options:

A. Global (applies to all hosts in the environment)
B. Only the specific host where the file was originally quarantined
C. All hosts within the same host group as the source host
D. All hosts running the same operating system version

Questions 17

Refer to the image.

Within a Host Search, you have filtered for cmd.exe in the Process executions table and now need to pivot to a process timeline.

Which item in the table do you select to pivot to the Process Timeline?

Options:

A. PID
B. Process ID
C. Command Line

Questions 18

Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?

Options:

A. You can't export detailed event data from a detection; you have to use the Process Timeline or an Event Search
B. In Full Detection Details, you expand the nodes of the process tree you wish to export and then click the "Export Process Events" button
C. In Full Detection Details, you choose the "View Process Activity" option and then export from that view
D. From the Detections Dashboard, you right-click the event type you wish to export and choose CSV, JSON, or XML

Questions 19

You are writing a script that your colleagues could run on any Windows machine using Real Time Response (RTR). The script you have written is over the 40-KB limit.

How should you run the script to avoid technical issues?

Options:

A. Use the put command to place the script on the host and runscript -hostpath to run the script
B. Break the script into multiple files under 40 KB and run each one sequentially with runscript -raw
C. Use the put command to place the script on the host and runscript -cloudfile to run the script
D. Use the runscript -cloudfile command to upload the script from your local machine and execute it directly

Questions 20

During the configuration of a new IOA rule, the administrator must decide what action the sensor should take. Which of the following is NOT a valid IOA rule action?

Options:

A. Monitor
B. Block
C. No Action
D. Kill Process

Questions 21

You receive an email from a third-party vendor that one of their services is compromised, and the vendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?

Options:

A. IP Addresses
B. Remote or Network Logon Activity
C. Remote Access Graph
D. Hash Executions

Questions 22

A responder is looking at event telemetry and sees an event named 'ProcessRollup2'. Which sentence best describes what this event type represents?

Options:

A. An existing process was terminated by the user.
B. A new process was created and started on the endpoint.
C. A process successfully established a network connection.
D. A process modified a sensitive registry key.

Questions 23

When a responder is looking at the 'Full Detection Details' page, they can toggle between several views. Which of the following is NOT a layout option available for viewing these details?

Options:

A. Graph View
B. Tree View
C. Process Timeline
D. List View

Questions 24

Where are quarantined files stored on Windows hosts?

Options:

A. Windows\Quarantine
B. Windows\System32\Drivers\CrowdStrike\Quarantine
C. Windows\System32\
D. Windows\temp\Drivers\CrowdStrike\Quarantine

Questions 25

In the 'Investigate > Hunt > Linux Sensors' dashboard, responders can view various Linux-specific activities. Which of the following sub-titles is NOT displayed in this dashboard?

Options:

A. Sudo Executions
B. Cron Usage
C. Kernel Module Loads
D. User Logins

Questions 26

You are reviewing the raw data in an event search from a detection tree. You find a FileOpenInfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?

Options:

A. ParentProcessId_decimal and aid
B. ResponsibleProcessId_decimal and aid
C. ContextProcessId_decimal and aid
D. TargetProcessId_decimal and aid

Questions 27

Which of the following sentences best describes the primary objective of 'Real-time Analysis' within the Falcon platform?

Options:

A. Analyzing historical logs from the past 90 days to find missed threats.
B. Investigating incoming telemetry in real time or on a near real-time basis to catch active threats.
C. Scanning every file on a hard drive once per week for dormant viruses.
D. Manually updating the Falcon sensor on every machine in the fleet.

Questions 28

The Falcon console is divided into several modules. Timelines (Host and Process) are technically a part of which Falcon page?

Options:

A. Activity
B. Investigate
C. Configuration
D. Dashboards

Questions 29

Which of the following is an example of a MITRE ATT&CK tactic?

Options:

A. Eternal Blue
B. Defense Evasion
C. Emotet
D. Phishing

Questions 30

What happens when you create a Sensor Visibility Exclusion for a trusted file path?

Options:

A. It excludes host information from Detections and Incidents generated within that file path location
B. It prevents file uploads to the CrowdStrike cloud from that file path
C. It excludes sensor monitoring and event collection for the trusted file path
D. It disables detection generation from that path; however, the sensor can still perform prevention actions

Questions 31

While reviewing the high-level organizational structure of a complex detection in the Falcon console, a responder identifies several layers of activity. Which of the following is NOT officially recognized as an Objective Layer within the CrowdStrike detection hierarchy?

Options:

A. Contact Controlled Systems
B. Lateral Movement
C. Gain Access
D. Follow Through

Questions 32

When training a new team member on how to interpret Falcon telemetry, a senior responder explains the definition of a 'Tactic'. Which of the following sentences best captures the technical definition of a Tactic in this context?

Options:

A. It represents the specific software version or exploit code used to crash a service.
B. It is the adversary's tactical goal: the fundamental reason for performing a specific action.
C. It is the unique cryptographic hash associated with a malicious file discovered on disk.
D. It is the specific command-line string used to execute a PowerShell script.

Questions 33

When using 'User Search' to investigate a potentially compromised account, which of the following is NOT a filter available in the User Search?

Options:

A. Username
B. Hostname
C. Process ID
D. Time Range

Questions 34

Responders often need to organize detections to identify trends across the environment. Which of the following is NOT a grouping option currently available on the 'Endpoint Detections' page?

Options:

A. Grouped by Process
B. Grouped by Alert
C. Grouped by File Path
D. Grouped by Severity

Questions 35

Which of the following sentences best describes the technical visibility provided by the 'Host Timeline' view?

Options:

A. A list of every time a user has logged in or out of the machine.
B. Every host-relevant event (Process, File, Registry, Network) recorded in a given timeframe.
C. A history of every hardware change or driver update on the endpoint.
D. A log of every time the Falcon sensor was updated or restarted.

Questions 36

The Falcon sensor can take several automated actions to protect an endpoint. Which of the following is NOT an action that Falcon takes upon detection?

Options:

A. Process Termination
B. File Quarantine
C. Process Restart
D. Network Isolation

Questions 37

Falcon uses specific identifiers to track processes across the environment. Which of the following sentences best describes what the 'TargetProcessId_decimal' raw data represents?

Options:

A. The standard Process ID (PID) assigned by the Windows operating system.
B. A sensor-assigned decimal number that is unique for each process across time and hosts.
C. The memory address where the process's executable is loaded.
D. The total number of seconds the process has been running.

Questions 38

When reviewing the data within a process timeline, what specific type of information is being displayed to the responder?

Options:

A. A capture of all raw network packets sent by the process.
B. All cloudable process-related events (files written, network connections, etc.) for that process in a given timeframe.
C. A list of every user who has ever logged into that specific endpoint.
D. A summary of the hardware performance metrics during the time of the detection.

Questions 39

A responder is unsure about the difference between 'Detection' and 'Prevention' settings. Where can they find information about Detection and Prevention Policies?

Options:

A. On the public CrowdStrike blog.
B. In the Support page under the Docs section.
C. By clicking the 'About' button in the user profile.
D. In the training videos on the main Dashboard.

Questions 40

What do IOA exclusions help you achieve?

Options:

A. Reduce false positives based on Next-Gen Antivirus settings in the Prevention Policy
B. Reduce false positives of behavioral detections from IOA-based detections only
C. Reduce false positives of behavioral detections from IOA-based detections based on a file hash
D. Reduce false positives of behavioral detections from Custom IOA and OverWatch detections only

Questions 41

Host Search is a powerful investigation tool. From which of the following sources is a responder most likely to pivot directly to a Host Search?

Options:

A. A global intelligence report about a new adversary.
B. A specific detection that occurred on a particular host.
C. The main settings menu of the Falcon console.
D. The help documentation in the Support portal.

Questions 42

You are tasked with remediating adware for a host using a custom script via Real Time Response (RTR). When running the script, you get an error that the script is timing out.

How can you resolve this issue?

Options:

A. Set the -timeout argument to off
B. Set the -timeout argument to a longer period
C. Rerun the script
D. Change the timeout policy in the console settings

Questions 43

Responders often use Process Explorer to visualize process behavior. Which of the following is NOT a valid way to pivot to a Process Explorer view?

Options:

A. From Detection > Top Right Drop Down > View as Process Activity
B. From Configuration > Prevention Policies > View Process Explorer
C. From Event Search > Click on a specific Process ID
D. From Host Search > Processes and Services list

Questions 44

What is an advantage of using a Process Timeline?

Options:

A. Process-related events can be filtered to display specific event types
B. Suspicious processes are color-coded based on their frequency and legitimacy over time
C. Processes responsible for spikes in CPU performance are displayed over time
D. A visual representation of Parent-Child and Sibling process relationships is provided

Questions 45

An analyst notices a detection that has been automatically flagged with the 'New Activity' status. Which of the following statements best describes what this status indicates?

Options:

A. A brand new detection has been triggered on a host that was recently added to the network.
B. A detection that was previously moved to a resolved status has generated new telemetry and activity.
C. A user has logged into a machine for the first time since the sensor was installed.
D. The Falcon OverWatch team has manually verified that the detection is an active threat.

Questions 46

An analyst wants to see the raw events behind a specific detection. Which icon in the UI allows them to pivot directly to an event search?

Options:

A. Shield icon
B. Spyglass icon
C. Trash can icon
D. Gear icon

Questions 47

You are responding to a cybersecurity incident and observe several outbound network connections from host Bob-Desktop. Upon review, you determine this to be a result of a Threat Actor's attempt to exfiltrate data.

What action should you take to stop the exfiltration using the Falcon Platform?

Options:

A. Use the Falcon console to network contain Bob-Desktop
B. Access Bob-Desktop via RTR and run the contain command
C. Find the IP address associated with the exfiltration and block it by creating an IOA
D. Find the IP address associated with the exfiltration and block it by creating an IOC

Questions 48

You are pre-staging a Custom IOC for later use and want to save a file hash for later use after approval.

Which action should you use?

Options:

A. Save Hash
B. Monitor
C. No Action
D. Always Block

Questions 49

Following a detection involving a suspected ransomware binary, the Falcon sensor automatically takes a prevention action to prevent the file from executing. An analyst needs to retrieve this file for local sandbox analysis. Considering the default configuration, for how many days will this file remain stored in the encrypted quarantine folder on the local endpoint?

Options:

A. 7 days
B. 14 days
C. 30 days
D. 90 days

Questions 50

A security responder is investigating a detection where a low-privileged process attempted to manipulate a system token to gain administrative rights. Within the specific terminology used by the Falcon console, 'Privilege Escalation' is classified as a:

Options:

A. Technique
B. Tactic
C. Objective
D. Indicator

Questions 51

CrowdStrike provides 'OverWatch Best Practices' for triaging alerts. According to these guidelines, what is the next step a responder should take immediately after the 'Understand the detection' step?

Options:

A. Isolate the host from the network.
B. Review the process tree to understand the origin of the activity.
C. Perform an OSINT search for the suspicious hash.
D. Resolve the detection as a True Positive.

Questions 52

CrowdStrike supports various deployment types. What is a 'POD sensor'?

Options:

A. A sensor specifically designed for mobile devices (iOS/Android).
B. A sensor that is installed directly on a Kubernetes or Docker host to monitor containers.
C. A legacy sensor used only for disconnected or air-gapped systems.
D. A physical appliance that sits on the network to monitor traffic.

Questions 53

Where can you find hosts that are in Reduced Functionality Mode?

Options:

A. Event Search
B. Executive Summary dashboard
C. Host Search
D. Installation Tokens

Questions 54

A responder has identified a suspicious PowerShell script executing on a domain controller. To perform a deep-dive forensic analysis of every action taken by that specific process, including network connections and file modifications, the analyst needs to pivot to a Process Timeline. What is the absolute minimum telemetry data required to generate this auto-filled view?

Options:

A. Agent ID (AID) and Local IP Address
B. Agent ID (AID) and Target Process ID (TargetProcessId_decimal)
C. Hostname and MAC Address
D. User SID and SHA256 Hash

Questions 55

Refer to the image.

You are investigating a network connection in event search.

Which option next to the raw event data should you select to pivot to a graphical representation of all the processes related to the network connection event?

Options:

A. Inspect
B. Show Responsible Process Data
C. Draw Process Explorer
D. Show Associated Event Data

Questions 56

Refer to the image.

What does the arrowed line indicate?

Options:

A. PowerShell spawned Notepad.exe, which injected a thread back to Excel.exe
B. The thread injection was considered a Medium severity injection
C. PowerShell spawned Notepad.exe, which injected a thread back to PowerShell
D. Notepad.exe injected itself into Excel.exe

Questions 57

What information does the MITRE ATT&CK Framework provide?

Options:

A. It provides best practices for different cybersecurity domains, such as Identity and Access Management
B. It provides a step-by-step cyber incident response strategy
C. It provides the phases of an adversary's lifecycle, the platforms they are known to attack, and the specific methods they use
D. It is a system that attributes attack techniques to a specific threat actor

Questions 58

While the host timeline is comprehensive, some data is not included in that specific view. Which of the following CANNOT be seen directly from the host timeline?

Options:

A. Timestamp
B. Event Name
C. PID (Process ID)
D. CPU Temperature

Questions 59

When an analyst downloads a quarantined file from the Falcon UI for offline analysis, what is the specific file format and the required password for extraction?

Options:

A. The file is downloaded as a 7-zip archive and requires the password 'infected' for extraction.
B. The file is downloaded in its raw binary format without any encryption or compression.
C. The file is downloaded as a standard ZIP archive but does not require a password to open.
D. The file is downloaded as an encrypted .exe that can only be opened by a CrowdStrike sensor.

Exam Code: CCFR-201b
Exam Name: CrowdStrike Certified Falcon Responder
Last Update: Jul 1, 2026
Questions: 181