
CCFR-201b CrowdStrike Certified Falcon Responder Questions and Answers

Question 4

Responders often need to organize detections to identify trends across the environment. Which of the following is NOT a grouping option currently available on the 'Endpoint Detections' page?

Options:

A. Grouped by Process
B. Grouped by Alert
C. Grouped by File Path
D. Grouped by Severity

Question 5

You are notified by a third party that a program may have redirected traffic to a malicious domain. Which Falcon page will assist you in searching for any domain request information related to this notice?

Options:

A. Falcon X
B. Investigate
C. Discover
D. Spotlight

Question 6

Which of the following sentences best describes the technical visibility provided by the 'Host Timeline' view?

Options:

A. A list of every time a user has logged in or out of the machine.
B. Every host-relevant event (Process, File, Registry, Network) recorded in a given timeframe.
C. A history of every hardware change or driver update on the endpoint.
D. A log of every time the Falcon sensor was updated or restarted.

Question 7

When navigating the main 'Detections' page, several filters are available in the dropdown menu. Which of the following is NOT a filter available in this menu?

Options:

A. Severity
B. Tactic
C. Location tag
D. Status

Question 8

When training a new team member on how to interpret Falcon telemetry, a senior responder explains the definition of a 'Tactic'. Which of the following sentences best captures the technical definition of a Tactic in this context?

Options:

A. It represents the specific software version or exploit code used to crash a service.
B. It is the adversary's tactical goal: the fundamental reason for performing a specific action.
C. It is the unique cryptographic hash associated with a malicious file discovered on disk.
D. It is the specific command-line string used to execute a PowerShell script.

Question 9

The 'Detection Resolutions' dashboard helps track team performance. Which of the following CANNOT be seen from this dashboard?

Options:

A. Average time to resolve a detection.
B. Total number of detections resolved by each analyst.
C. The top 10 hosts/users/files with the most detections.
D. The breakdown of True Positive vs. False Positive resolutions.

Question 10

During the configuration of a new IOA rule, the administrator must decide what action the sensor should take. Which of the following is NOT a valid IOA rule action?

Options:

A. Monitor
B. Block
C. No Action
D. Kill Process

Question 11

When analyzing the raw telemetry for a 'DNSRequest' event, which of the following raw data fields is available to the responder?

Options:

A. browser_type
B. index
C. cpu_usage_percent
D. monitor_mode

Question 12

A list of managed and unmanaged neighbors for an endpoint can be found:

Options:

A. by using the Hosts page in the Investigate tool
B. by reviewing "Groups" in Host Management under the Hosts page
C. under "Audit" by running the Sensor Visibility Exclusions Audit
D. only by searching event data using Event Search

Question 13

Filtering is essential for managing a high volume of alerts. Which of the following filters is available by default within the 'Endpoint Detections' dashboard to help narrow down specific threats?

Options:

A. Triggering File
B. Hardware BIOS Version
C. Local Subnet Mask
D. Sensor Update Policy Name

Question 14

CrowdStrike implements a specific framework within the Falcon console to help responders categorize detections based on the adversary's ultimate goals and the technical means used to achieve them. This classification system, which maps activity to known industry standards, is known as the:

Options:

A. MITRE-Based Falcon Detections Framework
B. Falcon Adversary Attribution and Motivation Matrix
C. Unified Behavioral Threat Hunting Schema
D. CrowdStrike Intelligence Lifecycle Mapping

Question 15

What happens when a hash is set to Always Block through IOC Management?

Options:

A. Execution is prevented on all hosts by default
B. Execution is prevented on selected host groups
C. Execution is prevented and detection alerts are suppressed
D. The hash is submitted for approval to be blocked from execution once confirmed by Falcon specialists

Question 16

How does a DNSRequest event link to its responsible process?

Options:

A. Via both its ContextProcessId_decimal and ParentProcessId_decimal fields
B. Via its ParentProcessId_decimal field
C. Via its ContextProcessId_decimal field
D. Via its TargetProcessId_decimal field

Question 17

The Falcon sensor can automatically upload quarantined files to the CrowdStrike Cloud for further analysis. What is the maximum size allowed for a quarantined file to be uploaded?

Options:

A. 10 MB
B. 32 MB
C. 64 MB
D. 128 MB

Question 18

What is the difference between a Host Search and a Host Timeline?

Options:

A. Results from a Host Search return information in an organized view by type, while a Host Timeline returns a view of all events recorded by the sensor
B. A Host Timeline only includes process execution events and user account activity
C. Results from a Host Timeline include process executions and related events organized by data type. A Host Search returns a temporal view of all events for the given host
D. There is no difference: Host Search and Host Timeline are different names for the same search page

Question 19

Which of the following is returned from the IP Search tool?

Options:

A. IP Summary information from Falcon events containing the given IP
B. Threat Graph data for the given IP from Falcon sensors
C. Unmanaged host data from system ARP tables for the given IP
D. IP Detection Summary information for detection events containing the given IP

Question 20

Which of the following sentences best describes the primary use of 'Retrospective Analysis'?

Options:

A. Identifying future threats using predictive AI models.
B. Applying an investigative approach across historical time buckets of telemetry to find past activity.
C. Terminating a malicious process as it starts to execute.
D. Recovering files that were encrypted by a ransomware attack.

Question 21

Which is TRUE regarding a file released from quarantine?

Options:

A. No executions are allowed for 14 days after release
B. It is allowed to execute on all hosts
C. It is deleted
D. It will not generate future machine learning detections on the associated host

Question 22

Responders must understand the limitations and capabilities of custom rules. Which of the following statements about custom IOAs is FALSE?

Options:

A. They can be used to monitor or block specific command-line strings.
B. A Custom IOA rule group can only be applied to one single prevention policy.
C. They can generate 'Informational' detections if set to the 'Monitor' action.
D. They allow for pattern matching using wildcards or specific strings.

Question 23

Which of the following is NOT a filter available on the Detections page?

Options:

A. Severity
B. CrowdScore
C. Time
D. Triggering File

Question 24

What happens when you open the full detection details?

Options:

A. The process explorer opens and the detection is removed from the console
B. The process explorer opens and you're able to view the processes and process relationships
C. The process explorer opens and the detection copies to the clipboard
D. The process explorer opens and the Event Search query is run for the detection

Question 25

When an analyst is trying to pinpoint the exact moment an endpoint came online after being shut down for the weekend, which timeline view is the best to use?

Options:

A. Process Timeline
B. Host Timeline
C. User Timeline
D. Network Timeline

Question 26

When performing a 'Hash Search', which of the following is NOT a filter available for use?

Options:

A. SHA256
B. MD5
C. File Type
D. Filename

Question 27

To ensure that a malicious file cannot be accidentally executed or accessed by other processes, how are quarantined files stored on the local endpoints?

Options:

A. They are hidden within the Windows System32 directory.
B. They are stored in an encrypted format.
C. They are renamed with a random 32-character extension.
D. They are moved to a password-protected ZIP file on the desktop.

Question 28

A responder is looking at event telemetry and sees an event named 'ProcessRollup2'. Which sentence best describes what this event type represents?

Options:

A. An existing process was terminated by the user.
B. A new process was created and started on the endpoint.
C. A process successfully established a network connection.
D. A process modified a sensitive registry key.

Question 29

Refer to the image.

[Image: CCFR-201b Question 29]

You are investigating a network connection in Event Search.

Which option next to the raw event data should you select to pivot to a graphical representation of all the processes related to the network connection event?

Options:

A. Inspect
B. Show Responsible Process Data
C. Draw Process Explorer
D. Show Associated Event Data

Question 30

When reviewing CrowdScore Incidents, which of the following statements is INCORRECT?

Options:

A. Incidents aggregate related detections to reduce alert fatigue.
B. Incidents are defined as inactive after 10 hours pass without any new related activity.
C. A high CrowdScore indicates a higher likelihood of a sophisticated or widespread attack.
D. CrowdScore is only visible to users with the 'Falcon Administrator' role.

Question 31

While reviewing the 'Detection Method' field for a high-severity alert, a responder sees the label 'Post-Exploit'. This terminology is used by CrowdStrike to identify a specific:

Options:

A. Falcon Detection Method
B. MITRE Tactic
C. Indicator of Attack (IOA)
D. Prevention Policy Level

Question 32

What is an advantage of using a Process Timeline?

Options:

A. Process-related events can be filtered to display specific event types
B. Suspicious processes are color-coded based on their frequency and legitimacy over time
C. Processes responsible for spikes in CPU performance are displayed over time
D. A visual representation of parent-child and sibling process relationships is provided

Question 33

The Falcon console is divided into several modules. Timelines (Host and Process) are technically a part of which Falcon page?

Options:

A. Activity
B. Investigate
C. Configuration
D. Dashboards

Question 34

What happens when a hash is allowlisted?

Options:

A. Execution is prevented, but detection alerts are suppressed
B. Execution is allowed on all hosts, including all other Falcon customers
C. The hash is submitted for approval to be allowed to execute once confirmed by Falcon specialists
D. Execution is allowed on all hosts that fall under the organization's CID

Question 35

When examining raw event data, what is the purpose of the field called ParentProcessId_decimal?

Options:

A. It contains an internal value not useful for an investigation
B. It contains the TargetProcessId_decimal value of the child process
C. It contains the SensorId_decimal value for related events
D. It contains the TargetProcessId_decimal of the parent process

Question 36

To maintain a logical flow during an incident post-mortem, CrowdStrike recommends describing adversary activity using a specific three-part sentence structure. Which combination best completes this sentence: "The adversary was trying to [1], by [2], using [3]"?

Options:

A. <Technique>, <Tactic>, <Objective>
B. <Objective>, <Tactic>, <Technique>
C. <Objective>, <Technique>, <Tactic>
D. <Tactic>, <Objective>, <Technique>

Question 37

The Bulk Domain Search tool contains domain information along with which of the following?

Options:

A. Process Information
B. Port Information
C. IP Lookup Information
D. Threat Actor Information

Question 38

A responder needs to find a specific sequence of network connections that did not trigger a detection. Which search tool allows them to search for anything within the raw telemetry?

Options:

A. Host Search
B. Event Search
C. Hash Search
D. User Search

Question 39

Refer to the image.

[Image: CCFR-201b Question 39]

You are using Advanced Event Search to find the event record for a suspicious network connection.

Using the Event List Interactions button for the event, indicated by the arrow in the image above, which option will show all contextual event data around the process execution being investigated?

Options:

A. Show Responsible Process Data
B. Inspect
C. Show +/- 10-minute windows of events
D. Investigate Host

Question 40

A responder is analyzing a process tree where a suspicious executable is listed as a direct child of services.exe. In this scenario, which source is most likely responsible for the execution?

Options:

A. An interactive user login via RDP.
B. A Windows Service or a process launched by the Service Control Manager.
C. A web browser download initiated by the end user.
D. A script executed directly from a removable USB drive.

Question 41

The Falcon sensor is designed to provide deep visibility into endpoint activity, yet it is not omniscient. According to the Cyber Kill Chain model, which of the following stages does the Falcon sensor typically NOT have visibility over?

Options:

A. Exploitation of a memory-resident vulnerability
B. Installation of a persistent backdoor
C. Weaponization of a malicious payload on the adversary's infrastructure
D. Delivery of a malicious document via an encrypted email attachment

Question 42

An executive asks for a definition of 'CrowdScore'. Which of the following sentences best describes what CrowdScore is?

Options:

A. It is a ranking system that compares your organization's security to other companies.
B. It is a metric designed to show an organization's threat level on a continual basis by aggregating related detections.
C. It is the total number of detections that have been resolved within the last 24 hours.
D. It is a measure of the total processing power being used by the Falcon sensors globally.

Question 43

An analyst notices a detection that has been automatically flagged with the 'New Activity' status. Which of the following statements best describes what this status indicates?

Options:

A. A brand new detection has been triggered on a host that was recently added to the network.
B. A detection that was previously moved to a resolved status has generated new telemetry and activity.
C. A user has logged into a machine for the first time since the sensor was installed.
D. The Falcon OverWatch team has manually verified that the detection is an active threat.

Question 44

Administrators can define their own criteria for alerts. Which of the following is an example of a custom detection within the Falcon platform?

Options:

A. Sensor-based Malware Detections
B. Blacklisted Hashes
C. OverWatch Managed Detections
D. Behavioral IOA Detections

Question 45

What happens when a quarantined file is released?

Options:

A. It is moved into the C:\CrowdStrike\Quarantine\Released folder on the host
B. It is allowed to execute on the host
C. It is deleted
D. It is allowed to execute on all hosts

Question 46

A responder decides to set a specific Custom IOA to the 'Monitor' action. Which of the following sentences best describes the technical result of this choice?

Options:

A. The sensor will block the activity and alert the user with a pop-up.
B. The sensor will create detections with 'Informational' severity but will not block the activity.
C. The sensor will log the activity in the audit logs but will not generate a detection.
D. The sensor will automatically isolate the host from the network.

Question 47

Where can you find hosts that are in Reduced Functionality Mode?

Options:

A. Event Search
B. Executive Summary dashboard
C. Host Search
D. Installation Tokens

Question 48

What does pivoting to an Event Search from a detection do?

Options:

A. It gives you the ability to search for similar events on other endpoints quickly
B. It takes you to the raw Insight event data and provides you with a number of Event Actions
C. It takes you to a Process Timeline for that detection so you can see all related events
D. It allows you to input an event type, such as DNS Request or ASEP write, and search for those events within the detection

Question 49

A SOC manager is reviewing the monthly efficiency of the incident response team. They are specifically analyzing how many alerts were handled by each individual analyst and the ratio of legitimate threats to noise, in order to optimize staffing levels. While navigating the Detection Resolutions dashboard, which of the following metrics would they NOT find, as it is primarily located within the Activity or Executive Summary dashboards?

Options:

A. Detections by user (analyst performance)
B. Total Detections by Host
C. Total count of False Positives
D. Detection resolution status breakdown

Question 50

During the incident response process, a responder must update the status of a detection. Which of the following options is NOT a valid detection status recognized by the Falcon console?

Options:

A. New
B. Complete
C. In Progress
D. True Positive

Question 51

In the context of raw event searching, the term 'ProcessRollup2' refers to a value within which field?

Options:

A. event_type
B. event_simpleName
C. action_id
D. process_status
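
Questions 16, 28, 35, 40 and 51 all turn on the same part of the Falcon event model: a ProcessRollup2 event (the value lives in event_simpleName) records a process start and carries the process's own TargetProcessId_decimal plus a ParentProcessId_decimal that holds the parent's TargetProcessId_decimal, while a child event such as DNSRequest carries a ContextProcessId_decimal matching the TargetProcessId_decimal of the process that performed the action. The Python below is an added example written for this page, not CrowdStrike code and not part of the original question set. It rebuilds that linkage over a few constructed events, walks the parent chain, and flags a binary whose direct parent is services.exe. The events, the aid value, the process ids, file names and domain names are all made up, and the function names are the example's own. Processes are keyed on (aid, TargetProcessId_decimal) because the example assumes process ids are only unique within one sensor.

```python
"""Rebuild process context from Falcon-style raw events.

Added example for this page (not CrowdStrike code). Field names follow the
Falcon event model the questions discuss; every value below is constructed.
"""

# Constructed sample telemetry: one sensor (aid "a1"), three process starts
# and two DNS requests. All ids, names and domains are made up.
EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "a1",
     "TargetProcessId_decimal": "100", "ParentProcessId_decimal": "4",
     "FileName": "services.exe",
     "CommandLine": r"C:\Windows\System32\services.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "a1",
     "TargetProcessId_decimal": "200", "ParentProcessId_decimal": "100",
     "FileName": "svc_update.exe",
     "CommandLine": r"C:\ProgramData\svc_update.exe -q"},
    {"event_simpleName": "ProcessRollup2", "aid": "a1",
     "TargetProcessId_decimal": "300", "ParentProcessId_decimal": "200",
     "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"},
    # Child event: ContextProcessId_decimal names the process that did the lookup.
    {"event_simpleName": "DNSRequest", "aid": "a1",
     "ContextProcessId_decimal": "300", "DomainName": "updates.example.net"},
    # Child event whose process start was never recorded (e.g. the process was
    # already running when the sensor came up). Must not crash the analysis.
    {"event_simpleName": "DNSRequest", "aid": "a1",
     "ContextProcessId_decimal": "999", "DomainName": "telemetry.example.org"},
]


def index_processes(events):
    """Map (aid, TargetProcessId_decimal) to its ProcessRollup2 event.

    event_simpleName is the field that carries the value "ProcessRollup2".
    """
    return {(e["aid"], e["TargetProcessId_decimal"]): e
            for e in events if e["event_simpleName"] == "ProcessRollup2"}


def responsible_process(event, procs):
    """Return the ProcessRollup2 for the process that emitted a child event.

    ContextProcessId_decimal on the child event matches the responsible
    process's TargetProcessId_decimal. None when that start was not captured.
    """
    return procs.get((event["aid"], event.get("ContextProcessId_decimal")))


def parent_of(proc, procs):
    """ParentProcessId_decimal holds the parent's TargetProcessId_decimal."""
    return procs.get((proc["aid"], proc.get("ParentProcessId_decimal")))


def ancestry(proc, procs, max_depth=64):
    """Walk the parent chain, innermost process first.

    Stops when the parent was not captured, on a cycle, or at max_depth, so a
    malformed or partial event set cannot loop forever.
    """
    chain, seen = [proc], {(proc["aid"], proc["TargetProcessId_decimal"])}
    while len(chain) < max_depth:
        parent = parent_of(chain[-1], procs)
        if parent is None:
            break
        key = (parent["aid"], parent["TargetProcessId_decimal"])
        if key in seen:
            break
        seen.add(key)
        chain.append(parent)
    return chain


def launched_by_scm(proc, procs):
    """True when the direct parent is services.exe, i.e. the Service Control
    Manager started it (a service binary, not an interactive user)."""
    parent = parent_of(proc, procs)
    return parent is not None and parent["FileName"].lower() == "services.exe"


def explain_dns(event, procs):
    """Describe a DNSRequest as 'root -> ... -> requester: domain', or None
    when the responsible process start is missing from the telemetry."""
    proc = responsible_process(event, procs)
    if proc is None:
        return None
    path = " -> ".join(p["FileName"] for p in reversed(ancestry(proc, procs)))
    return f"{path}: {event['DomainName']}"


if __name__ == "__main__":
    procs = index_processes(EVENTS)
    for ev in EVENTS:
        if ev["event_simpleName"] == "DNSRequest":
            print(explain_dns(ev, procs) or f"unlinked lookup for {ev['DomainName']}")
    for key, p in procs.items():
        if launched_by_scm(p, procs):
            print(f"SCM-launched: {p['FileName']} ({key[1]}) {p['CommandLine']}")
```

Run it directly to print the chain for each DNSRequest. A lookup whose ProcessRollup2 was never recorded (the second constructed event) is reported as unlinked rather than attributed to the wrong process; that is the case to check for whenever an investigation starts from a child event and the process tree looks incomplete.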

Question 52

An adversary is attempting to disable security features by modifying the system registry. Which of the following native Windows processes is specifically designed to create, modify, and delete registry keys via the command line?

Options:

A. reg.exe
B. taskmgr.exe
C. lsass.exe
D. svchost.exe

Question 53

If an organization is experiencing several false positives from a specific Machine Learning (ML) detection group and wants to create a tightly scoped allowlist, which grouping should they use first?

Options:

A. Group by Filename
B. Group by Hash
C. Group by Command Line
D. Group by User

Question 54

What are Event Actions?

Options:

A. Automated searches that can be used to pivot between related events and searches
B. Pivotable hyperlinks available in a Host Search
C. Custom event data queries bookmarked by the currently signed-in Falcon user
D. Raw Falcon event data

Question 55

A responder wants to include a visual representation of a process tree in an incident report. Which of the following is NOT a valid way to export process data from 'Full Detection Details'?

Options:

A. Process Tree > PNG
B. Process Tree > JPEG
C. Detection > CSV
D. Process Tree > JSON

Question 56

Responders often use Process Explorer to visualize process behavior. Which of the following is NOT a valid way to pivot to a Process Explorer view?

Options:

A. From Detection > Top Right Drop Down > View as Process Activity
B. From Configuration > Prevention Policies > View Process Explorer
C. From Event Search > Click on a specific Process ID
D. From Host Search > Processes and Services list

Question 57

What information does the MITRE ATT&CK framework provide?

Options:

A. It provides best practices for different cybersecurity domains, such as Identity and Access Management
B. It provides a step-by-step cyber incident response strategy
C. It provides the phases of an adversary's lifecycle, the platforms they are known to attack, and the specific methods they use
D. It is a system that attributes attack techniques to a specific threat actor

Question 58

According to the Falcon OverWatch best practice workflow, what is the required next step after a responder completes the 'Understand the process(es) involved' step?

Options:

A. Isolate the host to prevent lateral movement.
B. Examine what is normal for the system to identify deviations.
C. Delete the malicious file from the endpoint.
D. Pivot to the Intelligence dashboard for actor attribution.

Question 59

When analyzing an executable with a global prevalence of "Common", but you do not know what the executable is, what is the best course of action?

Options:

A. Do nothing, as this file is common and well known
B. From the detection, click the VT Hash button to pivot to VirusTotal to investigate further
C. From the detection, use the API manager to create a custom blocklist
D. From the detection, submit to Falcon X for deep-dive analysis

Exam Code: CCFR-201b
Exam Name: CrowdStrike Certified Falcon Responder
Last Update: Jul 5, 2026
Questions: 199
