CrowdStrike CCFR-201b Exam Questions

Exam Name: CrowdStrike Certified Falcon Responder
Exam Code: CCFR-201b
Related Certification(s): CrowdStrike Certified Falcon Responder CCFR Certification
Certification Provider: CrowdStrike
Number of CCFR-201b practice questions in our database: 60 (updated: Mar. 08, 2026)
Expected CCFR-201b Exam Topics, as suggested by CrowdStrike:
  • Topic 1: ATT&CK Frameworks: This domain covers understanding the MITRE ATT&CK framework and applying its tactics and techniques within Falcon to provide context to detections.
  • Topic 2: Detection Analysis: This domain covers analyzing and triaging detections in Falcon, including interpreting dashboards, endpoint detections, contextual data, process views, prevalence, IOCs, and implementing hash management actions like blocking, allowlisting, and exclusions.
  • Topic 3: Event Search: This domain focuses on performing advanced event searches from detections, refining searches using event actions, and distinguishing between commonly used event types.
  • Topic 4: Event Investigation: This domain covers analyzing Process and Host Timelines, pivoting to Process Timeline or Process Explorer, and analyzing process relationships using Full Detection Details.
  • Topic 5: Search Tools: This domain covers utilizing User Search, IP Search, Hash Search, Host Search, and Bulk Domain Search to gather intelligence during investigations.
  • Topic 6: Real Time Response (RTR): This domain covers RTR technical capabilities, administrative settings, connecting to hosts, using RTR commands for remediation, utilizing custom scripts, setting up workflows, and reviewing audit logs.
Discuss CrowdStrike CCFR-201b Topics, Questions or Ask Anything Related

Izetta

10 days ago
You may encounter questions on the CrowdStrike Falcon Sensor and its deployment, configuration, and management. Familiarize yourself with sensor installation, policy management, and data collection.

Galen

18 days ago
The exam covers incident response planning and procedures. Be ready to demonstrate your knowledge of incident response frameworks and your ability to develop an effective incident response plan.

Miriam

25 days ago
I just cleared the CrowdStrike Certified Falcon Responder exam, and I can say the Pass4Success practice questions were a solid backbone that helped me navigate tricky items. One question that stuck with me asked about EDR alert triage workflow and how to correlate IOC indicators with device telemetry to determine an incident's scope, requiring you to map file hash, process lineage, and network activity across endpoints in real time. I was unsure at first whether to prioritize containment or eradication steps, but the practice questions guided me to choose a containment-first approach and still finish on a high note.

Giovanna

1 month ago
Expect questions on the CrowdStrike Falcon platform's capabilities, including its threat hunting, threat intelligence, and incident response features. Understand how the platform integrates with other security tools.

Noemi

1 month ago
I'm thrilled to have passed the CrowdStrike Certified Falcon Responder exam! Thanks to Pass4Success for the excellent preparation materials.

Rodolfo

2 months ago
The hardest part for me was the incident response workflow questions—knowing when to escalate and which playbook to follow. PASS4SUCCESS practice exams helped by drilling those decision paths until they felt second nature.

Jade

2 months ago
The CrowdStrike Falcon Responder exam tests your ability to triage and respond to security incidents. Be prepared to identify indicators of compromise and recommend appropriate containment and remediation strategies.

Free CrowdStrike CCFR-201b Exam Actual Questions

Note: Premium Questions for CCFR-201b were last updated on Mar. 08, 2026 (see below)

Question #1

You are reviewing the raw data in an event search from a detection tree. You find a FileOpenInfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?

Correct Answer: D

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. [2] The tool requires two parameters: aid (agent ID) and TargetProcessId_decimal (the decimal value of the process ID) [2]. These fields can be obtained from any event that involves the process, such as a FileOpenInfo event, which contains information about a file being opened by a process [2].


Question #2

You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the following?

Correct Answer: D

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. [1] The tool requires two parameters: aid (agent ID) and TargetProcessId_decimal (the decimal value of the process ID) [1]. You can jump to a Process Timeline from many views, such as Hash Search, Host Timeline, Event Search, etc., by clicking on either the Process ID or Parent Process ID fields in those views [1]. This will automatically populate the aid and TargetProcessId_decimal parameters for the Process Timeline tool [1].


Question #3

After running an Event Search, you can select many Event Actions depending on your results. Which of the following is NOT an option for any Event Action?

Correct Answer: A

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Event Search tool allows you to search for events based on various criteria, such as event type, timestamp, hostname, IP address, etc. [1] You can also select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events, etc. [1] However, there is no option to draw a process explorer, which is a graphical representation of the process hierarchy and activity [1].


Question #4

What happens when a quarantined file is released?

Correct Answer: D

According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization [1]. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud [1].


Question #5

Where can you find hosts that are in Reduced Functionality Mode?

Correct Answer: C

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Reduced Functionality Mode (RFM) is a state where a host's sensor has limited functionality due to various reasons, such as license expiration, network issues, tampering attempts, etc. [1] You can find hosts that are in RFM by using the Host Search tool and filtering by Sensor Status = RFM [1]. You can also view details about why a host is in RFM by clicking on its hostname [1].


