Free Preparation Discussions
MENU
CrowdStrike CCFR-201b Exam Questions
- Topic 1: ATT&CK Frameworks: This domain covers understanding the MITRE ATT&CK framework and applying its tactics and techniques within Falcon to provide context to detections.
- Topic 2: Detection Analysis: This domain covers analyzing and triaging detections in Falcon, including interpreting dashboards, endpoint detections, contextual data, process views, prevalence, IOCs, and implementing hash management actions like blocking, allowlisting, and exclusions.
- Topic 3: Event Search: This domain focuses on performing advanced event searches from detections, refining searches using event actions, and distinguishing between commonly used event types.
- Topic 4: Event Investigation: This domain covers analyzing Process and Host Timelines, pivoting to Process Timeline or Process Explorer, and analyzing process relationships using Full Detection Details.
- Topic 5: Search Tools: This domain covers utilizing User Search, IP Search, Hash Search, Host Search, and Bulk Domain Search to gather intelligence during investigations.
- Topic 6: Real Time Response (RTR): This domain covers RTR technical capabilities, administrative settings, connecting to hosts, using RTR commands for remediation, utilizing custom scripts, setting up workflows, and reviewing audit logs.
Free CrowdStrike CCFR-201b Exam Actual Questions
Note: Premium Questions for CCFR-201b were last updated On Apr. 16, 2026 (see below)
You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?
According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Execution Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes1.The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that loaded or executed those hashes1.You can also see a count of detections and incidents related to those hashes1.
What does pivoting to an Event Search from a detection do?
According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, pivoting to an Event Search from a detection takes you to the raw Insight event data and provides you with a number of Event Actions1.Insight events are low-level events that are generated by the sensor for various activities, such as process executions, file writes, registry modifications, network connections, etc1.You can view these events in a table format and use various filters and fields to narrow down the results1.You can also select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events, etc1.These actions can help you investigate and analyze events more efficiently and effectively1.
You are reviewing the raw data in an event search from a detection tree. You find a FileOpenlnfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?
According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc2.The tool requires two parameters:aid(agent ID) andTargetProcessId_decimal(the decimal value of the process ID)2.These fields can be obtained from any event that involves the process, such as a FileOpenInfo event, which contains information about a file being opened by a process2.
You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the following?
According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc1.The tool requires two parameters:aid(agent ID) andTargetProcessId_decimal(the decimal value of the process ID)1.You can jump to a Process Timeline from many views, such as Hash Search, Host Timeline, Event Search, etc., by clicking on either the Process ID or Parent Process ID fields in those views1.This will automatically populate the aid and TargetProcessId_decimal parameters for the Process Timeline tool1.
After running an Event Search, you can select many Event Actions depending on your results. Which of the following is NOT an option for any Event Action?
According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Event Search tool allows you to search for events based on various criteria, such as event type, timestamp, hostname, IP address, etc1.You can also select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events, etc1.However, there is no option to draw a process explorer, which is a graphical representation of the process hierarchy and activity1.
- Select Question Types you want
- Set your Desired Pass Percentage
- Allocate Time (Hours : Minutes)
- Create Multiple Practice tests with Limited Questions
- Customer Support
Currently there are no comments in this discussion, be the first to comment!
Micheal
19 days agoLizette
26 days agoRozella
1 month agoLenna
1 month agoGerman
2 months agoIzetta
2 months agoGalen
2 months agoMiriam
2 months agoGiovanna
3 months agoNoemi
3 months agoRodolfo
3 months agoJade
3 months ago