Certified Falcon Responder

Here you have the best CrowdStrike CCFR-201 practice exam questions

  • You have 60 total questions to study from
  • Each page has 5 questions, making a total of 12 pages
  • You can navigate through the pages using the buttons at the bottom
  • This questions were last updated on November 15, 2024
Question 1 of 60

Where can you find hosts that are in Reduced Functionality Mode?

    Correct Answer: B

    Hosts in Reduced Functionality Mode can be found on the Executive Summary dashboard. This dashboard provides an overview of various states of hosts, including those in Reduced Functionality Mode, without the need to apply additional filters.

Question 2 of 60

When reviewing a Host Timeline, which of the following filters is available?

    Correct Answer: B

    When reviewing a Host Timeline, filtering by Event Types is a common feature. This allows users to focus on specific kinds of events, such as login attempts, malware detections, or configuration changes, which are essential for detailed security analysis and monitoring.

Question 3 of 60

How does a DNSRequest event link to its responsible process?

    Correct Answer: C

    A DNSRequest event is linked to its responsible process via its ContextProcessId_decimal field. This field captures the process context associated with the DNS request, identifying the process that initiated the DNS resolution request, which is essential for understanding and analyzing network activities related to security events.

Question 4 of 60

What information does the MITRE ATT&CK Framework provide?

    Correct Answer: C

    The MITRE ATT&CK Framework provides information about the phases of an adversary's lifecycle, the platforms they are known to attack, and the specific methods they use. This framework is a comprehensive knowledge base that details the tactics, techniques, and procedures (TTPs) adversaries utilize in their attacks.

Question 5 of 60

Within the MITRE-Based Falcon Detections Framework, what is the correct way to interpret Keep Access > Persistence > Create Account?

    Correct Answer: A

    An adversary is trying to keep access through persistence by creating an account. Within the MITRE-Based Falcon Detections Framework, the tactic of 'Keep Access' is associated with techniques that adversaries use to maintain their foothold in a system. 'Persistence' includes various methods used by adversaries to ensure they can maintain access to a system across reboots, credential changes, and other interruptions that could cut off their access. 'Create Account' is a specific technique where an adversary creates a new account on the system to ensure they can regain access even if their initial method of entry is discovered and blocked. Thus, the correct way to interpret 'Keep Access > Persistence > Create Account' is that an adversary is trying to keep access through persistence by creating an account.