Actual CCFR-201 Exam Recently Updated Questions with Free Demo [Q13-Q35]


Free CrowdStrike CCFR-201 Exam Questions Self-Assess Preparation

NEW QUESTION # 13
What action is used when you want to save a prevention hash for later use?

  • A. Always Allow
  • B. Always Block
  • C. Never Block
  • D. No Action

Answer: B

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Always Block action allows you to block a file from executing on any host in your organization based on its hash value. This action can be used to prevent known malicious files from running on your endpoints.


NEW QUESTION # 14
You notice that taskeng.exe is one of the processes involved in a detection. What activity should you investigate next?

  • A. Executions of schtasks.exe after the detection
  • B. Scheduled tasks registered prior to the detection
  • C. User logons after the detection
  • D. Pivot to a Hash search for taskeng.exe

Answer: B

Explanation:
According to the [Microsoft website], taskeng.exe is a legitimate Windows process that is responsible for running scheduled tasks. However, some malware may use this process or create a fake one to execute malicious code. Therefore, if you notice taskeng.exe involved in a detection, you should investigate whether there are any scheduled tasks registered prior to the detection that may have triggered or injected into taskeng.exe. You can use tools such as schtasks.exe or Task Scheduler to view or manage scheduled tasks.


NEW QUESTION # 15
The function of Machine Learning Exclusions is to___________.

  • A. stop all sensor data collection for the matching path(s)
  • B. Stop all Machine Learning Preventions but a detection will still be generated and files will still be uploaded to the CrowdStrike Cloud
  • C. stop all detections for a specific pattern ID
  • D. stop all ML-based detections and preventions for the matching path(s) and/or stop files from being uploaded to the CrowdStrike Cloud

Answer: D

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, Machine Learning Exclusions allow you to exclude files or directories from being scanned by CrowdStrike's machine learning engine, which can reduce false positives and improve performance. You can also choose whether or not to upload the excluded files to the CrowdStrike Cloud.


NEW QUESTION # 16
The Process Activity View provides a rows-and-columns style view of the events generated in a detection.
Why might this be helpful?

  • A. The Process Activity View creates a count of event types only, which can be useful when scoping the event
  • B. The Process Activity View only creates a summary of Dynamic Link Libraries (DLLs) loaded by a process
  • C. The Process Activity View will show the Detection time of the earliest recorded activity which might indicate first affected machine
  • D. The Process Activity View creates a consolidated view of all detection events for that process that can be exported for further analysis

Answer: D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Activity View allows you to view all events generated by a process involved in a detection in a rows-and-columns style view. This can be helpful because it creates a consolidated view of all detection events for that process that can be exported for further analysis. You can also sort, filter, and pivot on the events by various fields, such as event type, timestamp, file name, registry key, network destination, etc.


NEW QUESTION # 17
How long does detection data remain in the CrowdStrike Cloud before purging begins?

  • A. 14 Days
  • B. 90 Days
  • C. 45 Days
  • D. 30 Days

Answer: B

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, detection data is stored in the CrowdStrike Cloud for 90 days before purging begins. This means that you can access and view detections from the past 90 days using the Falcon platform or API. If you want to retain detection data for longer than 90 days, you can use FDR to replicate it to your own storage system.


NEW QUESTION # 18
From the Detections page, how can you view 'in-progress' detections assigned to Falcon Analyst Alex?

  • A. Filter on 'Analyst: Alex'
  • B. Filter on 'Hostname: Alex' and 'Status: In-Progress'
  • C. Alex does not have the correct role permissions as a Falcon Analyst to be assigned detections
  • D. Filter on 'Status: In-Progress' and 'Assigned-to: Alex*'

Answer: D

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Detections page allows you to view and manage detections generated by the CrowdStrike Falcon platform. You can use various filters to narrow down the detections based on criteria such as status, severity, tactic, technique, etc. To view 'in-progress' detections assigned to Falcon Analyst Alex, you can filter on 'Status: In-Progress' and 'Assigned-to: Alex*'. The asterisk (*) is a wildcard that matches any characters after Alex.


NEW QUESTION # 19
What does the Full Detection Details option provide?

  • A. It provides a detailed list of detection events via the Process Table View
  • B. It provides a visualization of program ancestry via the Process Activity View
  • C. It provides a visualization of program ancestry via the Process Tree View
  • D. It provides a detailed list of detection events via the Process Tree View

Answer: C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Full Detection Details option allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process tree view provides a visualization of program ancestry, which shows the parent-child and sibling relationships among the processes. You can also see the event types and timestamps for each process.


NEW QUESTION # 20
When reviewing a Host Timeline, which of the following filters is available?

  • A. Detection ID
  • B. Event Types
  • C. Severity
  • D. User Name

Answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Host Timeline tool allows you to view all events recorded by the sensor for a given host in chronological order. The events include process executions, file writes, registry modifications, network connections, user logins, etc. You can use various filters to narrow down the events based on criteria such as event type, timestamp range, file name, registry key, network destination, etc. However, there is no filter for severity, user name, or detection ID, as these are not attributes of the events.


NEW QUESTION # 21
You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?

  • A. Identifies users associated with the specified hashes
  • B. Identifies a detailed list of all process executions for the specified hashes
  • C. Identifies hosts that loaded or executed the specified hashes
  • D. Identifies detections related to the specified hashes

Answer: C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Execution Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that loaded or executed those hashes. You can also see a count of detections and incidents related to those hashes.


NEW QUESTION # 22
Which is TRUE regarding a file released from quarantine?

  • A. It is allowed to execute on all hosts
  • B. It will not generate future machine learning detections on the associated host
  • C. No executions are allowed for 14 days after release
  • D. It is deleted

Answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.


NEW QUESTION # 23
You receive an email from a third-party vendor that one of their services is compromised; the vendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?

  • A. Remote Access Graph
  • B. Remote or Network Logon Activity
  • C. Hash Executions
  • D. IP Addresses

Answer: D

Explanation:
According to the [CrowdStrike website], the Discover page is where you can search for and analyze various types of indicators of compromise (IOCs), such as hashes, IP addresses, or domains that are associated with malicious activities. You can use various tools, such as Hash Executions, IP Addresses, Remote or Network Logon Activity, etc., to perform different types of searches and view the results in different ways. If you want to search for any activity related to an IP address that was compromised by a third-party vendor, you can use the IP Addresses tool to do so. You can input the IP address and see a summary of information from Falcon events that contain that IP address, such as hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that communicated with that IP address.


NEW QUESTION # 24
From a detection, what is the fastest way to see children and sibling process information?

  • A. Select Full Detection Details from the detection
  • B. Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessId_decimal)
  • C. Right-click the process and select "Follow Process Chain"
  • D. Select the Process Timeline feature, enter the AID, Target Process ID, and Parent Process ID

Answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Full Detection Details tool allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process tree view provides a graphical representation of the process hierarchy and activity. You can see children and sibling process information by expanding or collapsing nodes in the tree.


NEW QUESTION # 25
Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?

  • A. You can't export detailed event data from a detection, you have to use the Process Timeline or an Event Search
  • B. In Full Detection Details, you choose the "View Process Activity" option and then export from that view
  • C. In Full Detection Details, you expand the nodes of the process tree you wish to expand and then click the "Export Process Events" button
  • D. From the Detections Dashboard, you right-click the event type you wish to export and choose CSV, JSON or XML

Answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, there are three ways to export process event data from a detection in .CSV format:

  • You can use the Process Timeline tool and click the "Export CSV" button at the top right corner.
  • You can use the Event Search tool, select one or more events, and click the "Export CSV" button at the top right corner.
  • You can use the Full Detection Details tool and choose the "View Process Activity" option from any process node in the process tree view. This shows all events generated by that process in a rows-and-columns style view. You can then click the "Export CSV" button at the top right corner.


NEW QUESTION # 26
What is the difference between Managed and Unmanaged Neighbors in the Falcon console?

  • A. A managed sensor has an active prevention policy
  • B. A managed neighbor has an installed and provisioned sensor
  • C. An unmanaged neighbor is in a segmented area of the network
  • D. A managed neighbor is currently network contained and an unmanaged neighbor is uncontained

Answer: B

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, you can use the Hosts page in the Investigate tool to view information about your endpoints, such as hostname, IP address, OS, sensor version, etc. You can also see a list of managed and unmanaged neighbors for each endpoint, which are other devices that have communicated with that endpoint over the network. A managed neighbor is a device that has an installed and provisioned sensor that reports to the CrowdStrike Cloud. An unmanaged neighbor is a device that does not have an installed or provisioned sensor.


NEW QUESTION # 27
Which of the following is returned from the IP Search tool?

  • A. Threat Graph Data for the given IP from Falcon sensors
  • B. Unmanaged host data from system ARP tables for the given IP
  • C. IP Summary information from Falcon events containing the given IP
  • D. IP Detection Summary information for detection events containing the given IP

Answer: C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the IP Search tool allows you to search for an IP address and view a summary of information from Falcon events that contain that IP address. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that communicated with that IP address.


NEW QUESTION # 28
How long are quarantined files stored in the CrowdStrike Cloud?

  • A. 90 Days
  • B. Quarantined files are not deleted
  • C. 45 Days
  • D. Days

Answer: A

Explanation:
According to the [CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide], when you quarantine a file from a host using IOC Management or Real Time Response (RTR), you are moving it from its original location to a secure location on the host where it cannot be executed. The file is also encrypted and renamed with a random string of characters. A copy of the file is also uploaded to the CrowdStrike Cloud for further analysis. Quarantined files are stored in the CrowdStrike Cloud for 90 days before they are deleted.


NEW QUESTION # 29
What information does the MITRE ATT&CK Framework provide?

  • A. It provides a step-by-step cyber incident response strategy
  • B. It provides best practices for different cybersecurity domains, such as Identity and Access Management
  • C. It provides the phases of an adversary's lifecycle, the platforms they are known to attack, and the specific methods they use
  • D. It is a system that attributes attack techniques to a specific threat actor

Answer: C

Explanation:
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. The knowledge base also covers different platforms that adversaries target, such as Windows, Linux, Mac, Android, iOS, etc., and different phases of an adversary's lifecycle, such as reconnaissance, resource development, execution, command and control, etc.


NEW QUESTION # 30
In the "Full Detection Details", which view will provide an exportable text listing of events like DNS requests, Registry Operations, and Network Operations?

  • A. View as Process Tree
  • B. View as Process Activity
  • C. View as Process Timeline
  • D. The data is unable to be exported

Answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Full Detection Details tool allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process activity view provides a rows-and-columns style view of the events, such as DNS requests, registry operations, network operations, etc. You can also export this view to a CSV file for further analysis.


NEW QUESTION # 31
Which of the following is an example of a MITRE ATT&CK tactic?

  • A. Defense Evasion
  • B. Phishing
  • C. Eternal Blue
  • D. Emotet

Answer: A

Explanation:
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Defense Evasion is one of the tactics defined by MITRE ATT&CK, which covers actions that adversaries take to avoid detection or prevent security controls from blocking their activities. Eternal Blue, Emotet, and Phishing are examples of techniques, not tactics.


NEW QUESTION # 32
Which is TRUE regarding a file released from quarantine?

  • A. It is allowed to execute on all hosts
  • B. It will not generate future machine learning detections on the associated host
  • C. No executions are allowed for 14 days after release
  • D. It is deleted

Answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.


NEW QUESTION # 33
What action is used when you want to save a prevention hash for later use?

  • A. Always Allow
  • B. Always Block
  • C. Never Block
  • D. No Action

Answer: B

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Always Block action allows you to block a file from executing on any host in your organization based on its hash value. This action can be used to prevent known malicious files from running on your endpoints.


NEW QUESTION # 34
The Bulk Domain Search tool contains Domain information along with which of the following?

  • A. IP Lookup Information
  • B. Threat Actor Information
  • C. Process Information
  • D. Port Information

Answer: A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Bulk Domain Search tool allows you to search for one or more domains and view a summary of information from Falcon events that contain those domains. The summary includes the domain name, IP address, country, city, ISP, ASN, geolocation, hostname, sensor ID, OS, process name, command line, and organizational unit of the host that communicated with those domains. This means that the tool contains domain information along with IP lookup information.

