Free CrowdStrike Certified Falcon Responder Exam CCFR-201 Exam Practice Test

What happens when a quarantined file is released?

• It is moved into the C:\CrowdStrike\Quarantine\Released folder on the host
• It is allowed to execute on the host
• It is deleted
• It is allowed to execute on all hosts

When examining a raw DNS request event, you see a field called ContextProcessld_decimal. What is the purpose of that field?

• It contains the TargetProcessld_decimal value for other related events
• It contains an internal value not useful for an investigation
• It contains the ContextProcessld_decimal value for the parent process that made the DNS request
• It contains the TargetProcessld_decimal value for the process that made the DNS request

What information is contained within a Process Timeline?

• All cloudable process-related events within a given timeframe
• All cloudable events for a specific host
• Only detection process-related events within a given timeframe
• A view of activities on Mac or Linux hosts

Which of the following is NOT a valid event type?

• StartofProcess
• EndofProcess
• ProcessRollup2
• DnsRequest

You are reviewing the raw data in an event search from a detection tree. You find a FileOpenlnfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?

• ParentProcessld_decimal and aid
• ResponsibleProcessld_decimal and aid
• ContextProcessld_decimal and aid
• TargetProcessld_decimal and aid

After running an Event Search, you can select many Event Actions depending on your results. Which of the following is NOT an option for any Event Action?

• Draw Process Explorer
• Show a +/- 10-minute window of events
• Show a Process Timeline for the responsible process
• Show Associated Event Data (from TargetProcessld_decimal or ContextProcessld_decimal)

In the Hash Search tool, which of the following is listed under Process Executions?

• Operating System
• File Signature
• Command Line
• Sensor Version

What happens when a hash is set to Always Block through IOC Management?

• Execution is prevented on all hosts by default
• Execution is prevented on selected host groups
• Execution is prevented and detection alerts are suppressed
• The hash is submitted for approval to be blocked from execution once confirmed by Falcon specialists

The primary purpose for running a Hash Search is to:

• determine any network connections
• review the processes involved with a detection
• determine the origin of the detection
• review information surrounding a hash's related activity

What does pivoting to an Event Search from a detection do?

• It gives you the ability to search for similar events on other endpoints quickly
• It takes you to the raw Insight event data and provides you with a number of Event Actions
• It takes you to a Process Timeline for that detection so you can see all related events
• It allows you to input an event type, such as DNS Request or ASEP write, and search for those events within the detection