Free CrowdStrike Certified Falcon Responder Exam CCFR-201 Exam Practice Test

Which of the following is an example of a MITRE ATT&CK tactic?

• Eternal Blue
• Defense Evasion
• Emotet
• Phishing

What does pivoting to an Event Search from a detection do?

• It gives you the ability to search for similar events on other endpoints quickly
• It takes you to the raw Insight event data and provides you with a number of Event Actions
• It takes you to a Process Timeline for that detection so you can see all related events
• It allows you to input an event type, such as DNS Request or ASEP write, and search for those events within the detection

From a detection, what is the fastest way to see children and sibling process information?

• Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessld_decimal)
• Select Full Detection Details from the detection
• Right-click the process and select "Follow Process Chain"
• Select the Process Timeline feature, enter the AID. Target Process ID, and Parent Process ID

What is an advantage of using the IP Search tool?

• IP searches provide manufacture and timezone data that can not be accessed anywhere else
• IP searches allow for multiple comma separated IPv6 addresses as input
• IP searches offer shortcuts to launch response actions and network containment on target hosts
• IP searches provide host, process, and organizational unit data without the need to write a query

You are notified by a third-party that a program may have redirected traffic to a malicious domain. Which Falcon page will assist you in searching for any domain request information related to this notice?

• Falcon X
• Investigate
• Discover
• Spotlight

How long are quarantined files stored on the host?

• 45 Days
• 30 Days
• Quarantined files are never deleted from the host
• 90 Days

What happens when a hash is set to Always Block through IOC Management?

• Execution is prevented on all hosts by default
• Execution is prevented on selected host groups
• Execution is prevented and detection alerts are suppressed
• The hash is submitted for approval to be blocked from execution once confirmed by Falcon specialists

Which of the following is NOT a filter available on the Detections page?

• Severity
• CrowdScore
• Time
• Triggering File

When you configure and apply an IOA exclusion, what impact does it have on the host and what you see in the console?

• The process specified is not sent to the Falcon Sandbox for analysis
• The associated detection will be suppressed and the associated process would have been allowed to run
• The sensor will stop sending events from the process specified in the regex pattern
• The associated IOA will still generate a detection but the associated process would have been allowed to run

You receive an email from a third-party vendor that one of their services is compromised, the vendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?

• IP Addresses
• Remote or Network Logon Activity
• Remote Access Graph
• Hash Executions