[UPDATED] CrowdStrike CCFR-201 Certification Exam Questions [Q34-Q59]


NEW QUESTION # 34
You receive an email from a third-party vendor that one of their services is compromised, and the vendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?

  • A. Remote Access Graph
  • B. Remote or Network Logon Activity
  • C. IP Addresses
  • D. Hash Executions

Answer: C

Explanation:
According to the [CrowdStrike website], the Discover page is where you can search for and analyze various types of indicators of compromise (IOCs), such as hashes, IP addresses, or domains associated with malicious activity. Tools such as Hash Executions, IP Addresses, and Remote or Network Logon Activity perform different types of searches and present the results in different ways. To find any activity related to an IP address that a third-party vendor has reported as compromised, use the IP Addresses tool: enter the IP address and you will see a summary of information from Falcon events that contain it, such as hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that communicated with that IP address.


NEW QUESTION # 35
After running an Event Search, you can select many Event Actions depending on your results. Which of the following is NOT an option for any Event Action?

  • A. Show Associated Event Data (from TargetProcessId_decimal or ContextProcessId_decimal)
  • B. Show a +/- 10-minute window of events
  • C. Show a Process Timeline for the responsible process
  • D. Draw Process Explorer

Answer: D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Event Search tool allows you to search for events based on various criteria, such as event type, timestamp, hostname, IP address, etc. You can also select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, or show a +/- 10-minute window of events. However, there is no option to draw a process explorer, which would be a graphical representation of the process hierarchy and activity.


NEW QUESTION # 36
Which of the following is returned from the IP Search tool?

  • A. IP Summary information from Falcon events containing the given IP
  • B. Threat Graph Data for the given IP from Falcon sensors
  • C. Unmanaged host data from system ARP tables for the given IP
  • D. IP Detection Summary information for detection events containing the given IP

Answer: A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the IP Search tool allows you to search for an IP address and view a summary of information from Falcon events that contain that IP address. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that communicated with that IP address.


NEW QUESTION # 37
You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?

  • A. Identifies a detailed list of all process executions for the specified hashes
  • B. Identifies users associated with the specified hashes
  • C. Identifies hosts that loaded or executed the specified hashes
  • D. Identifies detections related to the specified hashes

Answer: C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Execution Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of each host that loaded or executed those hashes. You can also see a count of detections and incidents related to those hashes.


NEW QUESTION # 38
What are Event Actions?

  • A. Raw Falcon event data
  • B. Automated searches that can be used to pivot between related events and searches
  • C. Custom event data queries bookmarked by the currently signed in Falcon user
  • D. Pivotable hyperlinks available in a Host Search

Answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Event Actions are automated searches that can be used to pivot between related events and searches. They are available in various tools, such as Event Search, Process Timeline, and Host Timeline. You can select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, or show a +/- 10-minute window of events. These actions help you investigate and analyze events more efficiently.


NEW QUESTION # 39
How long are quarantined files stored in the CrowdStrike Cloud?

  • A. Quarantined files are not deleted
  • B. Days
  • C. 45 Days
  • D. 90 Days

Answer: D

Explanation:
According to the [CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide], when you quarantine a file from a host using IOC Management or Real Time Response (RTR), you move it from its original location to a secure location on the host where it cannot be executed. The file is also encrypted and renamed with a random string of characters. A copy of the file is uploaded to the CrowdStrike Cloud for further analysis. Quarantined files are stored in the CrowdStrike Cloud for 90 days before they are deleted.


NEW QUESTION # 40
Which of the following tactic and technique combinations is sourced from MITRE ATT&CK information?

  • A. Machine Learning via Cloud-Based ML
  • B. Falcon Intel via Intelligence Indicator - Domain
  • C. Credential Access via OS Credential Dumping
  • D. Malware via PUP

Answer: C

Explanation:
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques: tactics are the high-level goals of an adversary, such as initial access, persistence, or lateral movement, and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, or remote file copy. Credential Access via OS Credential Dumping is a tactic and technique combination sourced from MITRE ATT&CK information; it describes how adversaries obtain credentials from operating system memory or disk storage by using tools such as Mimikatz or ProcDump.


NEW QUESTION # 41
When you configure and apply an IOA exclusion, what impact does it have on the host and what you see in the console?

  • A. The associated IOA will still generate a detection but the associated process would have been allowed to run
  • B. The sensor will stop sending events from the process specified in the regex pattern
  • C. The associated detection will be suppressed and the associated process would have been allowed to run
  • D. The process specified is not sent to the Falcon Sandbox for analysis

Answer: C

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike's indicators of attack (IOAs), which are behavioral rules that identify malicious activities. This can reduce false positives and improve performance. When you configure and apply an IOA exclusion, the associated detection is suppressed and the associated process is allowed to run. This means that you will not see any alerts or events related to that IOA in the console.


NEW QUESTION # 42
What types of events are returned by a Process Timeline?

  • A. Only detection events
  • B. Only network events
  • C. Only process events
  • D. All cloudable events

Answer: D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline search returns all cloudable events associated with a given process, such as process creation, network connections, file writes, and registry modifications. This gives you a comprehensive view of what a process was doing on a host.


NEW QUESTION # 43
Where can you find hosts that are in Reduced Functionality Mode?

  • A. Event Search
  • B. Host Search
  • C. Executive Summary dashboard
  • D. Installation Tokens

Answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Reduced Functionality Mode (RFM) is a state in which a host's sensor has limited functionality for reasons such as license expiration, network issues, or tampering attempts. You can find hosts that are in RFM by using the Host Search tool and filtering by Sensor Status = RFM. You can also view details about why a host is in RFM by clicking on its hostname.


NEW QUESTION # 44
What information is contained within a Process Timeline?

  • A. All cloudable process-related events within a given timeframe
  • B. A view of activities on Mac or Linux hosts
  • C. Only detection process-related events within a given timeframe
  • D. All cloudable events for a specific host

Answer: A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, and registry modifications. You can specify a timeframe to limit the events to a certain period. The tool works for any host platform, not just Mac or Linux.


NEW QUESTION # 45
When examining raw event data, what is the purpose of the field called ParentProcessId_decimal?

  • A. It contains the TargetProcessId_decimal value of the child process
  • B. It contains the SensorId_decimal value for related events
  • C. It contains the TargetProcessId_decimal of the parent process
  • D. It contains an internal value not useful for an investigation

Answer: C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ParentProcessId_decimal field contains the decimal value of the process ID of the parent process that spawned or injected into the target process. This field can be used to trace the process lineage and identify malicious or suspicious activities.


NEW QUESTION # 46
What happens when you create a Sensor Visibility Exclusion for a trusted file path?

  • A. It excludes sensor monitoring and event collection for the trusted file path
  • B. It excludes host information from Detections and Incidents generated within that file path location
  • C. It disables detection generation from that path, however the sensor can still perform prevention actions
  • D. It prevents file uploads to the CrowdStrike cloud from that file path

Answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, Sensor Visibility Exclusions allow you to exclude certain files or directories from being monitored by the CrowdStrike sensor, which can reduce noise and improve performance. This means that no events will be collected or sent to the CrowdStrike Cloud for those files or directories.


NEW QUESTION # 47
The primary purpose for running a Hash Search is to:

  • A. determine any network connections
  • B. review the processes involved with a detection
  • C. review information surrounding a hash's related activity
  • D. determine the origin of the detection

Answer: C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of each host that loaded or executed those hashes. You can also see a count of detections and incidents related to those hashes. The primary purpose for running a Hash Search is therefore to review information surrounding a hash's related activity, such as which hosts and processes were involved, where they were located, and whether they triggered any alerts.


NEW QUESTION # 48
What information does the MITRE ATT&CK Framework provide?

  • A. It is a system that attributes attack techniques to a specific threat actor
  • B. It provides the phases of an adversary's lifecycle, the platforms they are known to attack, and the specific methods they use
  • C. It provides best practices for different cybersecurity domains, such as Identify and Access Management
  • D. It provides a step-by-step cyber incident response strategy

Answer: B

Explanation:
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques: tactics are the high-level goals of an adversary, such as initial access, persistence, or lateral movement, and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, or remote file copy. The knowledge base also covers the platforms that adversaries target, such as Windows, Linux, Mac, Android, and iOS, and the phases of an adversary's lifecycle, such as reconnaissance, resource development, execution, and command and control.


NEW QUESTION # 49
When reviewing a Host Timeline, which of the following filters is available?

  • A. Detection ID
  • B. Severity
  • C. User Name
  • D. Event Types

Answer: D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Host Timeline tool allows you to view all events recorded by the sensor for a given host in chronological order. The events include process executions, file writes, registry modifications, network connections, user logins, etc. You can use various filters to narrow down the events based on criteria such as event type, timestamp range, file name, registry key, or network destination. However, there is no filter for severity, user name, or detection ID, as these are not attributes of the events.


NEW QUESTION # 50
How are processes on the same plane ordered (bottom 'VMTOOLSD.EXE' to top 'CMD.EXE')?

  • A. Time started (Descending, most recent on bottom)
  • B. Process ID (Descending, highest on bottom)
  • C. Time started (Ascending, most recent on top)
  • D. Process ID (Ascending, highest on top)

Answer: A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the process tree view provides a visualization of program ancestry, showing the parent-child and sibling relationships among the processes. You can also see the event types and timestamps for each process. Processes on the same plane are ordered by time started in descending order, meaning that the most recent process is at the bottom and the oldest process is at the top. In the example referenced by the question, CMD.EXE is the oldest process and VMTOOLSD.EXE is the most recent process on that plane.


NEW QUESTION # 51
What is an advantage of using the IP Search tool?

  • A. IP searches allow for multiple comma separated IPv6 addresses as input
  • B. IP searches provide host, process, and organizational unit data without the need to write a query
  • C. IP searches offer shortcuts to launch response actions and network containment on target hosts
  • D. IP searches provide manufacture and timezone data that can not be accessed anywhere else

Answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the IP Search tool allows you to search for an IP address and view a summary of information from Falcon events that contain that IP address. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that communicated with that IP address. The advantage of the IP Search tool is that it provides host, process, and organizational unit data without the need to write a query.


NEW QUESTION # 52
How does a DNSRequest event link to its responsible process?

  • A. Via its ParentProcessId_decimal field
  • B. Via both its ContextProcessId_decimal and ParentProcessId_decimal fields
  • C. Via its ContextProcessId_decimal field
  • D. Via its TargetProcessId_decimal field

Answer: C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, a DNSRequest event contains information about a DNS query made by a process. The event has several fields, such as DomainName, QueryType, and QueryResponseCode. The field that links a DNSRequest event to its responsible process is ContextProcessId_decimal, which contains the decimal value of the process ID of the process that generated the event. You can use this field to trace the process lineage and identify malicious or suspicious activities.


NEW QUESTION # 53
How long are quarantined files stored on the host?

  • A. Quarantined files are never deleted from the host
  • B. 90 Days
  • C. 45 Days
  • D. 30 Days

Answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, quarantined files are never deleted from the host unless you manually delete them or release them from quarantine. When you release a file from quarantine, you restore it to its original location and allow it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.


NEW QUESTION # 54
From the Detections page, how can you view 'in-progress' detections assigned to Falcon Analyst Alex?

  • A. Filter on 'Hostname: Alex' and 'Status: In-Progress'
  • B. Alex does not have the correct role permissions as a Falcon Analyst to be assigned detections
  • C. Filter on 'Analyst: Alex'
  • D. Filter on 'Status: In-Progress' and 'Assigned-to: Alex*'

Answer: D

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Detections page allows you to view and manage detections generated by the CrowdStrike Falcon platform. You can use various filters to narrow down the detections based on criteria such as status, severity, tactic, and technique. To view 'in-progress' detections assigned to Falcon Analyst Alex, filter on 'Status: In-Progress' and 'Assigned-to: Alex*'. The asterisk (*) is a wildcard that matches any characters after Alex.


NEW QUESTION # 55
You are reviewing the raw data in an event search from a detection tree. You find a FileOpenInfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?

  • A. ContextProcessId_decimal and aid
  • B. ResponsibleProcessId_decimal and aid
  • C. TargetProcessId_decimal and aid
  • D. ParentProcessId_decimal and aid

Answer: C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, and registry modifications. The tool requires two parameters: aid (agent ID) and TargetProcessId_decimal (the decimal value of the process ID). These fields can be obtained from any event that involves the process, such as a FileOpenInfo event, which contains information about a file being opened by a process.


NEW QUESTION # 56
Which statement is TRUE regarding the "Bulk Domains" search?

  • A. The "Bulk Domains" search will show IP address and port information for any associated connections
  • B. It will show a list of computers and processes that performed a lookup of any of the domains in your search
  • C. The "Bulk Domains" search will allow you to blocklist your queried domains
  • D. You should only pivot to the "Bulk Domains" search tool after completing an investigation

Answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Bulk Domain Search tool allows you to search for one or more domains and view a summary of information from Falcon events that contain those domains. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of each host that performed a lookup of any of the domains in your search. This can help you identify potential threats in your network.


NEW QUESTION # 57
What do IOA exclusions help you achieve?

  • A. Reduce false positives based on Next-Gen Antivirus settings in the Prevention Policy
  • B. Reduce false positives of behavioral detections from IOA based detections only
  • C. Reduce false positives of behavioral detections from IOA based detections based on a file hash
  • D. Reduce false positives of behavioral detections from Custom IOA and OverWatch detections only

Answer: B

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike's indicators of attack (IOAs), which are behavioral rules that identify malicious activities. This can reduce false positives and improve performance. IOA exclusions apply only to IOA based detections, not to other types of detections such as machine learning, custom IOA, or OverWatch.


NEW QUESTION # 58
The function of Machine Learning Exclusions is to___________.

  • A. stop all Machine Learning Preventions, but a detection will still be generated and files will still be uploaded to the CrowdStrike Cloud
  • B. stop all ML-based detections and preventions for the matching path(s) and/or stop files from being uploaded to the CrowdStrike Cloud
  • C. stop all sensor data collection for the matching path(s)
  • D. stop all detections for a specific pattern ID

Answer: B

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, Machine Learning Exclusions allow you to exclude files or directories from being scanned by CrowdStrike's machine learning engine, which can reduce false positives and improve performance. You can also choose whether or not the excluded files are uploaded to the CrowdStrike Cloud.


NEW QUESTION # 59
......
