CCFR-201 Premium PDF & Test Engine Files with 63 Questions & Answers [Q15-Q39]

Get 100% Real CCFR-201 Exam Questions, Accurate & Verified Answers As Seen in the Real Exam!

NEW QUESTION # 15
When you configure and apply an IOA exclusion, what impact does it have on the host and what you see in the console?

  • A. The associated IOA will still generate a detection but the associated process would have been allowed to run
  • B. The sensor will stop sending events from the process specified in the regex pattern
  • C. The associated detection will be suppressed and the associated process would have been allowed to run
  • D. The process specified is not sent to the Falcon Sandbox for analysis

Answer: C

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike's indicators of attack (IOAs), which are behavioral rules that identify malicious activities [1]. This can reduce false positives and improve performance [1]. When you configure and apply an IOA exclusion, the impact is that the associated detection will be suppressed and the associated process would have been allowed to run [1]. This means that you will not see any alerts or events related to that IOA in the console [1].


NEW QUESTION # 16
Where can you find hosts that are in Reduced Functionality Mode?

  • A. Executive Summary dashboard
  • B. Host Search
  • C. Installation Tokens
  • D. Event Search

Answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Reduced Functionality Mode (RFM) is a state where a host's sensor has limited functionality due to various reasons, such as license expiration, network issues, tampering attempts, etc. [1]. You can find hosts that are in RFM by using the Host Search tool and filtering by Sensor Status = RFM [1]. You can also view details about why a host is in RFM by clicking on its hostname [1].


NEW QUESTION # 17
What action is used when you want to save a prevention hash for later use?

  • A. Always Allow
  • B. Always Block
  • C. No Action
  • D. Never Block

Answer: B

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Always Block action allows you to block a file from executing on any host in your organization based on its hash value [2]. This action can be used to prevent known malicious files from running on your endpoints [2].


NEW QUESTION # 18
What types of events are returned by a Process Timeline?

  • A. Only detection events
  • B. Only process events
  • C. Only network events
  • D. All cloudable events

Answer: D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline search returns all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. [1]. This allows you to see a comprehensive view of what a process was doing on a host [1].


NEW QUESTION # 19
Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?

  • A. From the Detections Dashboard, you right-click the event type you wish to export and choose CSV.JSON or XML
  • B. You can't export detailed event data from a detection, you have to use the Process Timeline or an Event Search
  • C. In Full Detection Details, you choose the "View Process Activity" option and then export from that view
  • D. In Full Detection Details, you expand the nodes of the process tree you wish to expand and then click the "Export Process Events" button

Answer: C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, there are three ways to export process event data from a detection in .CSV format [1]:
You can use the Process Timeline tool and click on the "Export CSV" button at the top right corner [1].
You can use the Event Search tool, select one or more events, and click on the "Export CSV" button at the top right corner [1].
You can use the Full Detection Details tool and choose the "View Process Activity" option from any process node in the process tree view [1]. This will show you all events generated by that process in a rows-and-columns style view [1]. You can then click on the "Export CSV" button at the top right corner [1].


NEW QUESTION # 20
You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?

  • A. Identifies a detailed list of all process executions for the specified hashes
  • B. Identifies hosts that loaded or executed the specified hashes
  • C. Identifies detections related to the specified hashes
  • D. Identifies users associated with the specified hashes

Answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Execution Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes [1]. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that loaded or executed those hashes [1]. You can also see a count of detections and incidents related to those hashes [1].


NEW QUESTION # 21
Which is TRUE regarding a file released from quarantine?

  • A. It is allowed to execute on all hosts
  • B. It will not generate future machine learning detections on the associated host
  • C. No executions are allowed for 14 days after release
  • D. It is deleted

Answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization [2]. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud [2].


NEW QUESTION # 22
When reviewing a Host Timeline, which of the following filters is available?

  • A. User Name
  • B. Event Types
  • C. Detection ID
  • D. Severity

Answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Host Timeline tool allows you to view all events recorded by the sensor for a given host in chronological order [1]. The events include process executions, file writes, registry modifications, network connections, user logins, etc. [1]. You can use various filters to narrow down the events based on criteria such as event type, timestamp range, file name, registry key, network destination, etc. [1]. However, there is no filter for severity, user name, or detection ID, as these are not attributes of the events [1].


NEW QUESTION # 23
The Falcon platform will show a maximum of how many detections per day for a single Agent Identifier (AID)?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Falcon platform will show a maximum of 1000 detections per day for a single AID [1]. This is a limit imposed by the Falcon API, which is used to retrieve the detections from the CrowdStrike Cloud [1]. If there are more than 1000 detections per day for a single AID, only the first 1000 will be shown [1].


NEW QUESTION # 24
What are Event Actions?

  • A. Custom event data queries bookmarked by the currently signed in Falcon user
  • B. Pivotable hyperlinks available in a Host Search
  • C. Raw Falcon event data
  • D. Automated searches that can be used to pivot between related events and searches

Answer: D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Event Actions are automated searches that can be used to pivot between related events and searches [1]. They are available in various tools, such as Event Search, Process Timeline, Host Timeline, etc. [1]. You can select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events, etc. [1]. These actions can help you investigate and analyze events more efficiently and effectively [1].


NEW QUESTION # 25
Which Executive Summary dashboard item indicates sensors running with unsupported versions?

  • A. Sensors in RFM
  • B. Detections by Severity
  • C. Inactive Sensors
  • D. Active Sensors

Answer: A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Executive Summary dashboard provides an overview of your sensor health and activity [1]. It includes various items, such as Active Sensors, Inactive Sensors, Detections by Severity, etc. [1]. The item that indicates sensors running with unsupported versions is Sensors in RFM (Reduced Functionality Mode) [1]. RFM is a state where a sensor has limited functionality due to various reasons, such as license expiration, network issues, tampering attempts, or unsupported versions [1]. You can see the number and percentage of sensors in RFM and the reasons why they are in RFM [1].


NEW QUESTION # 26
What action is used when you want to save a prevention hash for later use?

  • A. Always Allow
  • B. Always Block
  • C. No Action
  • D. Never Block

Answer: B

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Always Block action allows you to block a file from executing on any host in your organization based on its hash value [2]. This action can be used to prevent known malicious files from running on your endpoints [2].


NEW QUESTION # 27
From a detection, what is the fastest way to see children and sibling process information?

  • A. Right-click the process and select "Follow Process Chain"
  • B. Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessId_decimal)
  • C. Select the Process Timeline feature, enter the AID, Target Process ID, and Parent Process ID
  • D. Select Full Detection Details from the detection

Answer: D

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Full Detection Details tool allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. [1]. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity [1]. The process tree view provides a graphical representation of the process hierarchy and activity [1]. You can see children and sibling process information by expanding or collapsing nodes in the tree [1].


NEW QUESTION # 28
Which of the following is NOT a filter available on the Detections page?

  • A. Time
  • B. CrowdScore
  • C. Triggering File
  • D. Severity

Answer: C

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Detections page allows you to view and manage detections generated by the CrowdStrike Falcon platform [2]. You can use various filters to narrow down the detections based on criteria such as severity, CrowdScore, time, tactic, technique, etc. [2]. However, there is no filter for triggering file, which is the file that caused the detection [2].


NEW QUESTION # 29
Which of the following is an example of a MITRE ATT&CK tactic?

  • A. Emotet
  • B. Defense Evasion
  • C. Phishing
  • D. Eternal Blue

Answer: B

Explanation:
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Defense Evasion is one of the tactics defined by MITRE ATT&CK, which covers actions that adversaries take to avoid detection or prevent security controls from blocking their activities. Eternal Blue, Emotet, and Phishing are examples of techniques, not tactics.


NEW QUESTION # 30
When looking at the details of a detection, there are two fields called Global Prevalence and Local Prevalence.
Which answer best defines Local Prevalence?

  • A. Local Prevalence tells you how common the hash of the triggering file is within your environment (CID)
  • B. Local Prevalence is the Virus Total score for the hash of the triggering file
  • C. Local prevalence is the frequency with which the hash of the triggering file is seen across all CrowdStrike customer environments
  • D. Local prevalence is the frequency with which the hash of the triggering file is seen across the entire Internet

Answer: A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Global Prevalence and Local Prevalence are two fields that provide information about how common or rare a file is based on its hash value [2]. Global Prevalence tells you how frequently the hash of the triggering file is seen across all CrowdStrike customer environments [2]. Local Prevalence tells you how frequently the hash of the triggering file is seen within your environment (CID) [2]. These fields can help you assess the risk and impact of a detection [2].


NEW QUESTION # 31
How long are quarantined files stored on the host?

  • A. Quarantined files are never deleted from the host
  • B. 45 Days
  • C. 30 Days
  • D. 90 Days

Answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, quarantined files are never deleted from the host unless you manually delete them or release them from quarantine [2]. When you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization [2]. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud [2].


NEW QUESTION # 32
The Bulk Domain Search tool contains Domain information along with which of the following?

  • A. Port Information
  • B. Threat Actor Information
  • C. IP Lookup Information
  • D. Process Information

Answer: C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Bulk Domain Search tool allows you to search for one or more domains and view a summary of information from Falcon events that contain those domains [1]. The summary includes the domain name, IP address, country, city, ISP, ASN, geolocation, hostname, sensor ID, OS, process name, command line, and organizational unit of the host that communicated with those domains [1]. This means that the tool contains domain information along with IP lookup information [1].


NEW QUESTION # 33
How long does detection data remain in the CrowdStrike Cloud before purging begins?

  • A. 14 Days
  • B. 45 Days
  • C. 30 Days
  • D. 90 Days

Answer: D

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, detection data is stored in the CrowdStrike Cloud for 90 days before purging begins [2]. This means that you can access and view detections from the past 90 days using the Falcon platform or API [2]. If you want to retain detection data for longer than 90 days, you can use FDR to replicate it to your own storage system [2].


NEW QUESTION # 34
In the "Full Detection Details", which view will provide an exportable text listing of events like DNS requests, Registry Operations, and Network Operations?

  • A. View as Process Timeline
  • B. The data is unable to be exported
  • C. View as Process Activity
  • D. View as Process Tree

Answer: C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Full Detection Details tool allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. [1]. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity [1]. The process activity view provides a rows-and-columns style view of the events, such as DNS requests, registry operations, network operations, etc. [1]. You can also export this view to a CSV file for further analysis [1].


NEW QUESTION # 35
What do IOA exclusions help you achieve?

  • A. Reduce false positives based on Next-Gen Antivirus settings in the Prevention Policy
  • B. Reduce false positives of behavioral detections from IOA based detections only
  • C. Reduce false positives of behavioral detections from IOA based detections based on a file hash
  • D. Reduce false positives of behavioral detections from Custom IOA and OverWatch detections only

Answer: B

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike's indicators of attack (IOAs), which are behavioral rules that identify malicious activities [2]. This can reduce false positives and improve performance [2]. IOA exclusions only apply to IOA based detections, not other types of detections such as machine learning, custom IOA, or OverWatch [2].


NEW QUESTION # 36
Which of the following tactic and technique combinations is sourced from MITRE ATT&CK information?

  • A. Credential Access via OS Credential Dumping
  • B. Malware via PUP
  • C. Machine Learning via Cloud-Based ML
  • D. Falcon Intel via Intelligence Indicator - Domain

Answer: A

Explanation:
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Credential Access via OS Credential Dumping is an example of a tactic and technique combination sourced from MITRE ATT&CK information, which describes how adversaries can obtain credentials from operating system memory or disk storage by using tools such as Mimikatz or ProcDump.


NEW QUESTION # 37
Which is TRUE regarding a file released from quarantine?

  • A. It is allowed to execute on all hosts
  • B. It will not generate future machine learning detections on the associated host
  • C. No executions are allowed for 14 days after release
  • D. It is deleted

Answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization [2]. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud [2].


NEW QUESTION # 38
What information is contained within a Process Timeline?

  • A. All cloudable process-related events within a given timeframe
  • B. A view of activities on Mac or Linux hosts
  • C. All cloudable events for a specific host
  • D. Only detection process-related events within a given timeframe

Answer: A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. [1]. You can specify a timeframe to limit the events to a certain period [1]. The tool works for any host platform, not just Mac or Linux [1].


NEW QUESTION # 39
......

CCFR-201 Premium Files Practice Valid Exam Dumps Question: https://freecert.test4sure.com/CCFR-201-exam-materials.html