CrowdStrike Certified Falcon Responder (CCFR-201b) Free Practice Test

Question 1

When viewing the summary list on the 'Endpoint Detections' page, an analyst sees a column for the timestamp. What does the timestamp in this specific summary view represent?

A. The time the detection was first assigned to a human analyst.

B. The timestamp of the last activity recorded for that specific detection.

C. The exact time the Falcon sensor was first installed on the host.

D. The file creation time for the primary process involved in the alert.

Correct Answer: B

Question 2

When examining a raw DNS request event, you see a field called ContextProcessld_decimal. What is the purpose of that field?

A. It contains an internal value not useful for an investigation

B. It contains the TargetProcessld_decimal value for other related events

C. It contains the ContextProcessld_decimal value for the parent process that made the DNS request

D. It contains the TargetProcessld_decimal value for the process that made the DNS request

Correct Answer: D

Question 3

Filtering is essential for managing a high volume of alerts. Which of the following filters is available by default within the 'Endpoint Detections' dashboard to help narrow down specific threats?

A. Triggering File

B. Sensor Update Policy Name

C. Local Subnet Mask

D. Hardware BIOS Version

Correct Answer: A

Question 4

If the Falcon sensor identifies suspicious behavioral patterns-such as a process attempting to dump memory from lsass.exe-what specific type of detection will be generated?

A. Indicator of Attack (IOA)

B. Indicator of Compromise (IOC)

C. Known Malware Alert

D. Intelligence Data Match

Correct Answer: A

Question 5

When investigating system-level persistence, it is critical to know what the services.exe process is responsible for. What is its primary function?

A. Managing user profiles and registry hives during login.

B. Providing a graphical interface for the Windows Task Manager.

C. Monitoring network traffic for potential data exfiltration.

D. Launching and managing the lifecycle of system services.

Correct Answer: D

Question 6

How long does detection data remain in the CrowdStrike Cloud before purging begins?

A. 30 Days

B. 90 Days

C. 14 Days

D. 45 Days

Correct Answer: B

Question 7

A responder needs to find a specific sequence of network connections that did not trigger a detection. Which search tool allows them to search for anything within the raw telemetry?

A. Host Search

B. User Search

C. Hash Search

D. Event Search

Correct Answer: D

Question 8

The Process Activity View provides a rows-and-columns style view of the events generated in a detection.
Why might this be helpful?

A. The Process Activity View will show the Detection time of the earliest recorded activity which might indicate first affected machine

B. The Process Activity View creates a count of event types only, which can be useful when scoping the event

C. The Process Activity View only creates a summary of Dynamic Link Libraries (DLLs) loaded by a process

D. The Process Activity View creates a consolidated view of all detection events for that process that can be exported for further analysis

Correct Answer: D

Welcome to TestSimulate

CrowdStrike Certified Falcon Responder (CCFR-201b) Free Practice Test