We at Crack4sure are committed to giving students who are preparing for the CrowdStrike CCFR-201b Exam the most current and reliable questions . To help people study, we've made some of our CrowdStrike Certified Falcon Responder exam materials available for free to everyone. You can take the Free CCFR-201b Practice Test as many times as you want. The answers to the practice questions are given, and each answer is explained.
The MITRE-Based Falcon Detections Framework is a core component of the Falcon UI. What is the primary operational advantage provided by this framework to a Tier 1 responder?
When performing a ' Hash Search ' , which of the following is NOT a filter available for use?
Your lead analyst instructs you to dump the kernel memory of a Windows system using Real Time Response (RTR).
Which native RTR command best helps you to quickly achieve the task?
When a responder chooses to ' Release ' a file from quarantine because it was determined to be a false positive, what type of allowlist is automatically created in the background?
What is an advantage of using a Process Timeline?
Within the context of CrowdStrike’s behavioral detection engine, what does the acronym ' IOA ' stand for?
How are processes on the same plane ordered (bottom ' VMTOOLSD.EXE ' to top CMD.EXE ' )?


Executive dashboards provide a high-level view of security. Which of the following CANNOT be seen from the Executive Summary Dashboard?
In the context of raw event searching, the term ' ProcessRollup2 ' refers to a value within which field?
Host Search is a powerful investigation tool. From which of the following sources is a responder most likely to pivot directly to a Host Search?
While quarantined files stay on the local host for 30 days by default, how many days does a quarantined file remain stored in the CrowdStrike Cloud?
You are tasked with remediating adware for a host using a custom script via Real Time Response (RTR). When running the script, you get an error that the script is timing out.
How can you resolve this issue?
When viewing the summary list on the ' Endpoint Detections ' page, an analyst sees a column for the timestamp. What does the timestamp in this specific summary view represent?
After an investigation, the following malicious artifacts have been identified:
C:\Users*\AppData\iamnotmalware.exe
C:\Users*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iamnotmalware.lnk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iamnotmalware_really
What method will remove all associated artifacts from hosts that trigger future related detections?
An adversary is attempting to disable security features by modifying the system registry. Which of the following native Windows processes is specifically designed to create, modify, and delete Registry keys via the command line?
What do IOA exclusions help you achieve?
CrowdStrike provides ' Overwatch Best Practices ' for triaging alerts. According to these guidelines, what is the next step a responder should take immediately after the ' Understand the detection ' step?
To track the relationship between a parent and its child, Falcon uses specific ID fields. What raw data is used as the ' ParentProcessId_decimal ' when a process spawns a child process?
The Process Activity View provides a rows-and-columns style view of the events generated in a detection. Why might this be helpful?
Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?
In the ' User Search - File Written ' section, a responder can see various files dropped by a user. Which of the following file types CANNOT be seen from this view?
If a local administrator needs to inspect the quarantine directory directly on a machine, where are quarantine files located on a Windows Endpoint?
Which Executive Summary dashboard item indicates sensors running with unsupported versions?
What are Event Actions?
In the full detection tree view, icons provide visual cues about the telemetry. What does the specific icon representing a ' Falcon ' (blue bird) indicate to the responder?
When a responder needs to take data out of the Falcon console for external analysis, which of the following is NOT an option when exporting searches?
Which option indicates a hash is allowlisted?
Where are quarantined files stored on Windows hosts?
A responder has identified a suspicious PowerShell script executing on a domain controller. To perform a deep-dive forensic analysis of every action taken by that specific process—including network connections and file modifications—the analyst needs to pivot to a Process Timeline. What is the absolute minimum telemetry data required to generate this auto-filled view?
Responders use ' IP Search ' to track connections to malicious infrastructure. Which of the following statements about the IP Search is FALSE?
Responders must understand the limitations and capabilities of custom rules. Which of the following statements about custom IOAs is FALSE?
You notice that taskeng.exe is one of the processes involved in a detection. What activity should you investigate next?
What happens when a quarantined file is released?
While in an Event Search, a responder clicks on an event action. What does the ' Show Child Processes ' event action do?
Which of the following is NOT a valid event type?
A responder is analyzing a process tree where a suspicious executable is listed as a direct child of services.exe. In this scenario, which source is most likely responsible for the execution?
Refer to the image.

You are using Advanced Event Search to find the event record for a suspicious network connection.
Using the Event List Interactions button for the event, indicated by the arrow in the image above, which option will show all contextual event data around the process execution being investigated?
During a targeted investigation into a potentially compromised internal administrative account, a responder utilizes the User Search functionality within the Investigate menu. The goal is to identify if the account was leveraged to drop or launch unauthorized binaries across multiple systems in the environment. Which specific data category is natively visible in the User Search results to facilitate this check?
Multiple detections with the process schtasks.exe begin to alert in the UI. The process executes the following command line on several unique hosts:
schtasks.exe /Query /TN " Qljsscdqr "
What is the most efficient way to identify which hosts are executing this scheduled task?
Where are quarantine files located on a Mac Endpoint?
To perform a deep-dive investigation into a specific detection, a responder needs to pivot to a process timeline. What is the minimum information required to be gathered from the detection before making this pivot?
An administrator needs to download a file for analysis that was blocked by the sensor. Where are quarantine files located within the Falcon UI?
In the Falcon Overwatch Best Practice workflow, at what specific point is a responder encouraged to utilize OSINT (Open Source Intelligence) searches?
After running an Event Search, you can select many Event Actions depending on your results. Which of the following is NOT an option for any Event Action?
While reviewing the ' Detection Method ' field for a high-severity alert, a responder sees the label ' Post-Exploit ' . This terminology is used by CrowdStrike to identify a specific:
The function of Machine Learning Exclusions is to___________.
You are responding to a cybersecurity incident and observe several outbound network connections from host Bob-Desktop. Upon review, you determine this to be a result of a Threat Actor ' s attempt to exfiltrate data.
What action should you take to stop the exfiltration using the Falcon Platform?
When analyzing the raw telemetry for a ' DNSRequest ' event, which of the following raw data fields is available to the responder?
A responder is unsure about the difference between ' Detection ' and ' Prevention ' settings. Where can they find information about Detection and Prevention Policies?
During the incident response process, a responder must update the status of a detection. Which of the following options is NOT a valid detection status recognized by the Falcon console?
What information is contained within a Process Timeline?
When using ' User Search ' to investigate a potentially compromised account, which of the following is NOT a filter available in the User Search?
Refer to Image:

You are investigating a network connection in event search.
Which option next to the raw event data should you select to pivot to a graphical representation for all the processes related to the network connection event?
How long are quarantined files stored on the host?
3 Months Free Update
3 Months Free Update
3 Months Free Update