Certification Topics of CCFR-201 Exam PDF Recently Updated Questions [Q21-Q41]

CCFR-201 Exam Prep Guide: Prep guide for the CCFR-201 Exam

NEW QUESTION # 21
When looking at the details of a detection, there are two fields called Global Prevalence and Local Prevalence.
Which answer best defines Local Prevalence?

  • A. Local Prevalence is the Virus Total score for the hash of the triggering file
  • B. Local prevalence is the frequency with which the hash of the triggering file is seen across all CrowdStrike customer environments
  • C. Local Prevalence tells you how common the hash of the triggering file is within your environment (CID)
  • D. Local prevalence is the frequency with which the hash of the triggering file is seen across the entire Internet

Answer: C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Global Prevalence and Local Prevalence are two fields that provide information about how common or rare a file is based on its hash value. Global Prevalence tells you how frequently the hash of the triggering file is seen across all CrowdStrike customer environments. Local Prevalence tells you how frequently the hash of the triggering file is seen within your environment (CID). These fields can help you assess the risk and impact of a detection.


NEW QUESTION # 22
From a detection, what is the fastest way to see children and sibling process information?

  • A. Select Full Detection Details from the detection
  • B. Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessId_decimal)
  • C. Right-click the process and select "Follow Process Chain"
  • D. Select the Process Timeline feature, enter the AID, Target Process ID, and Parent Process ID

Answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Full Detection Details tool allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process tree view provides a graphical representation of the process hierarchy and activity. You can see children and sibling process information by expanding or collapsing nodes in the tree.


NEW QUESTION # 23
After running an Event Search, you can select many Event Actions depending on your results. Which of the following is NOT an option for any Event Action?

  • A. Show Associated Event Data (from TargetProcessId_decimal or ContextProcessId_decimal)
  • B. Draw Process Explorer
  • C. Show a +/- 10-minute window of events
  • D. Show a Process Timeline for the responsible process

Answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Event Search tool allows you to search for events based on various criteria, such as event type, timestamp, hostname, IP address, etc. You can also select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events, etc. However, there is no option to draw a process explorer, which would be a graphical representation of the process hierarchy and activity.


NEW QUESTION # 24
When examining raw event data, what is the purpose of the field called ParentProcessId_decimal?

  • A. It contains the TargetProcessId_decimal of the parent process
  • B. It contains the SensorId_decimal value for related events
  • C. It contains the TargetProcessId_decimal value of the child process
  • D. It contains an internal value not useful for an investigation

Answer: A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ParentProcessId_decimal field contains the decimal value of the process ID of the parent process that spawned or injected into the target process. This field can be used to trace the process lineage and identify malicious or suspicious activities.


NEW QUESTION # 25
Which of the following is returned from the IP Search tool?

  • A. Unmanaged host data from system ARP tables for the given IP
  • B. IP Summary information from Falcon events containing the given IP
  • C. Threat Graph Data for the given IP from Falcon sensors
  • D. IP Detection Summary information for detection events containing the given IP

Answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the IP Search tool allows you to search for an IP address and view a summary of information from Falcon events that contain that IP address. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that communicated with that IP address.


NEW QUESTION # 26
What happens when a hash is allowlisted?

  • A. Execution is prevented, but detection alerts are suppressed
  • B. Execution is allowed on all hosts that fall under the organization's CID
  • C. Execution is allowed on all hosts, including all other Falcon customers
  • D. The hash is submitted for approval to be allowed to execute once confirmed by Falcon specialists

Answer: B

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the allowlist feature allows you to exclude files or directories from being scanned or blocked by CrowdStrike's machine learning engine or indicators of attack (IOAs). This can reduce false positives and improve performance. When you allowlist a hash, you are allowing that file to execute on any host that belongs to your organization's CID (customer ID). This does not affect other Falcon customers or hosts outside your CID.


NEW QUESTION # 27
Which of the following is an example of a MITRE ATT&CK tactic?

  • A. Eternal Blue
  • B. Defense Evasion
  • C. Phishing
  • D. Emotet

Answer: B

Explanation:
According to the MITRE ATT&CK website, MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Defense Evasion is one of the tactics defined by MITRE ATT&CK, which covers actions that adversaries take to avoid detection or prevent security controls from blocking their activities. Eternal Blue, Emotet, and Phishing are examples of techniques, not tactics.


NEW QUESTION # 28
You receive an email from a third-party vendor that one of their services is compromised, and the vendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?

  • A. Remote or Network Logon Activity
  • B. Remote Access Graph
  • C. IP Addresses
  • D. Hash Executions

Answer: C

Explanation:
According to the CrowdStrike website, the Discover page is where you can search for and analyze various types of indicators of compromise (IOCs), such as hashes, IP addresses, or domains that are associated with malicious activities. You can use various tools, such as Hash Executions, IP Addresses, Remote or Network Logon Activity, etc., to perform different types of searches and view the results in different ways. If you want to search for any activity related to an IP address reported as compromised by a third-party vendor, you can use the IP Addresses tool to do so. You can input the IP address and see a summary of information from Falcon events that contain that IP address, such as hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that communicated with that IP address.


NEW QUESTION # 29
How long does detection data remain in the CrowdStrike Cloud before purging begins?

  • A. 90 Days
  • B. 14 Days
  • C. 30 Days
  • D. 45 Days

Answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, detection data is stored in the CrowdStrike Cloud for 90 days before purging begins. This means that you can access and view detections from the past 90 days using the Falcon platform or API. If you want to retain detection data for longer than 90 days, you can use FDR to replicate it to your own storage system.


NEW QUESTION # 30
Which option indicates a hash is allowlisted?

  • A. Allow
  • B. Always Block
  • C. No Action
  • D. Ignore

Answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the allowlist feature allows you to exclude files or directories from being scanned or blocked by CrowdStrike's machine learning engine or indicators of attack (IOAs). This can reduce false positives and improve performance. When you allowlist a hash, you are allowing that file to execute on any host that belongs to your organization's CID (customer ID). The option that indicates a hash is allowlisted is "Allow".


NEW QUESTION # 31
What action is used when you want to save a prevention hash for later use?

  • A. Always Block
  • B. No Action
  • C. Never Block
  • D. Always Allow

Answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Always Block action allows you to block a file from executing on any host in your organization based on its hash value. This action can be used to prevent known malicious files from running on your endpoints.


NEW QUESTION # 32
Where can you find hosts that are in Reduced Functionality Mode?

  • A. Installation Tokens
  • B. Event Search
  • C. Host Search
  • D. Executive Summary dashboard

Answer: C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Reduced Functionality Mode (RFM) is a state in which a host's sensor has limited functionality for various reasons, such as license expiration, network issues, tampering attempts, etc. You can find hosts that are in RFM by using the Host Search tool and filtering by Sensor Status = RFM. You can also view details about why a host is in RFM by clicking on its hostname.


NEW QUESTION # 33
The Falcon platform will show a maximum of how many detections per day for a single Agent Identifier (AID)?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Answer: D

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Falcon platform will show a maximum of 1000 detections per day for a single AID. This is a limit imposed by the Falcon API, which is used to retrieve the detections from the CrowdStrike Cloud. If there are more than 1000 detections per day for a single AID, only the first 1000 will be shown.


NEW QUESTION # 34
What happens when a quarantined file is released?

  • A. It is deleted
  • B. It is moved into the C:\CrowdStrike\Quarantine\Released folder on the host
  • C. It is allowed to execute on the host
  • D. It is allowed to execute on all hosts

Answer: D

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.


NEW QUESTION # 35
What is an advantage of using a Process Timeline?

  • A. Process related events can be filtered to display specific event types
  • B. Processes responsible for spikes in CPU performance are displayed over time
  • C. Suspicious processes are color-coded based on their frequency and legitimacy over time
  • D. A visual representation of Parent-Child and Sibling process relationships is provided

Answer: A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. You can also filter the events by various criteria, such as event type, timestamp range, file name, registry key, network destination, etc. This is an advantage of using the Process Timeline tool because it allows you to focus on the specific events that are relevant to your investigation.


NEW QUESTION # 36
You notice that taskeng.exe is one of the processes involved in a detection. What activity should you investigate next?

  • A. Pivot to a Hash search for taskeng.exe
  • B. Executions of schtasks.exe after the detection
  • C. User logons after the detection
  • D. Scheduled tasks registered prior to the detection

Answer: D

Explanation:
According to the Microsoft website, taskeng.exe is a legitimate Windows process that is responsible for running scheduled tasks. However, some malware may use this process or create a fake one to execute malicious code. Therefore, if you notice taskeng.exe involved in a detection, you should investigate whether there are any scheduled tasks registered prior to the detection that may have triggered or injected into taskeng.exe. You can use tools such as schtasks.exe or Task Scheduler to view or manage scheduled tasks.


NEW QUESTION # 37
In the Hash Search tool, which of the following is listed under Process Executions?

  • A. Operating System
  • B. Command Line
  • C. Sensor Version
  • D. File Signature

Answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that loaded or executed those hashes. You can also see a count of detections and incidents related to those hashes. Under Process Executions, you can see the process name and command line for each hash execution.


NEW QUESTION # 38
Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?

  • A. In Full Detection Details, you expand the nodes of the process tree you wish to expand and then click the "Export Process Events" button
  • B. From the Detections Dashboard, you right-click the event type you wish to export and choose CSV, JSON or XML
  • C. In Full Detection Details, you choose the "View Process Activity" option and then export from that view
  • D. You can't export detailed event data from a detection, you have to use the Process Timeline or an Event Search

Answer: C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, there are three ways to export process event data from a detection in .CSV format:

  • You can use the Process Timeline tool and click the "Export CSV" button at the top right corner.
  • You can use the Event Search tool, select one or more events, and click the "Export CSV" button at the top right corner.
  • You can use the Full Detection Details tool and choose the "View Process Activity" option from any process node in the process tree view. This will show you all events generated by that process in a rows-and-columns style view. You can then click the "Export CSV" button at the top right corner.


NEW QUESTION # 39
You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?

  • A. Identifies detections related to the specified hashes
  • B. Identifies users associated with the specified hashes
  • C. Identifies a detailed list of all process executions for the specified hashes
  • D. Identifies hosts that loaded or executed the specified hashes

Answer: D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Execution Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that loaded or executed those hashes. You can also see a count of detections and incidents related to those hashes.


NEW QUESTION # 40
What does the Full Detection Details option provide?

  • A. It provides a visualization of program ancestry via the Process Tree View
  • B. It provides detailed list of detection events via the Process Table View
  • C. It provides a detailed list of detection events via the Process Tree View
  • D. It provides a visualization of program ancestry via the Process Activity View

Answer: A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Full Detection Details option allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process tree view provides a visualization of program ancestry, which shows the parent-child and sibling relationships among the processes. You can also see the event types and timestamps for each process.


NEW QUESTION # 41
......

2023 New Preparation Guide of CrowdStrike CCFR-201 Exam: https://www.prep4king.com/CCFR-201-exam-prep-material.html

CCFR-201 Practice Exam - 63 Unique Questions: https://drive.google.com/open?id=1oy4pD9N9EEQ60FFwuULwQlBdg4_daRok