Pass CrowdStrike CCFR-201b Exam | Latest CCFR-201b Dumps & Practice Exams - Cert007

Exam: CCFR-201b
Title: CrowdStrike Certified Falcon Responder - 2024 Version
https://www.cert007.com/exam/ccfr-201b/

1. In the MITRE ATT&CK® framework, which of the following is a valid technique under the Credential Dumping category?
   A. Application Layer Protocol
   B. Acquire Credentials
   C. LSASS Memory
   D. Data from Information Repositories
   Answer: C

2. Which FQL search parameter is used to filter events by a specific user account?
   A. UserName
   B. file_hash
   C. process_name
   D. event_type
   Answer: A

3. What role does machine learning play in detection analysis?
   A. It replaces human analysts completely
   B. It generates financial reports
   C. It improves the accuracy of threat detection
   D. It simplifies software installation
   Answer: C

4. When executing a command within Falcon RTR, what is the expected behavior for long-running processes?
   A. They will timeout immediately
   B. They will continue running until the endpoint is rebooted
   C. They will be interrupted
   D. The command will run in the background
   Answer: D

5. Which two exclusions can be configured to minimize false positives in Falcon detections? (Choose two)
   A. Sensor visibility exclusions
   B. DNS blocklists
   C. Machine learning exclusions
   D. IP allowlists
   Answer: AC

6. What can the "File Hash" filter help you identify in Falcon Search?
   A. File access times
   B. Specific files associated with incidents
   C. User activity history
   D. Process execution order
   Answer: B

7. Which Falcon tool allows viewing multiple related processes in a table format?
   A. View as Process Table
   B. Host Timeline
   C. Event Search Summary
   D. File Activity Tracker
   Answer: A

8. You're investigating suspicious behavior linked to a user. Which key indicators should you examine in the User Search view to assess the threat context? (Choose two)
   A. Number of failed login attempts
   B. User’s IP subnet
   C. Number of hosts the user has accessed
   D. Number of detections associated with the user
   Answer: CD

9. When initiating an Event Search from a detection, what is the first step analysts typically perform?
   A. Configure IOC rules
   B. Choose a host timeline
   C. Open the Event Search console
   D. Click “Investigate” and expand related process tree
   Answer: D

10. In the context of detection analysis, what should be regularly updated to ensure effectiveness?
   A. Company policies
   B. Detection signatures and algorithms
   C. Software licenses
   D. Hardware components
   Answer: B

11. What is the default port used by Falcon RTR to establish a connection with a managed host?
   A. 22
   B. 443
   C. 8443
   D. 80
   Answer: B

12. The __________ view enables analysts to explore the sequential behavior of one or more processes associated with a detection.
   A. Host Timeline
   B. Process Activity
   C. Audit Log
   D. Detections Dashboard
   Answer: B

13. In Falcon, the __________ provides geographic and threat-intel data related to an external IP address.
   A. Detection view
   B. Event Search
   C. IP Search
   D. Host Timeline
   Answer: C

14. Which two host actions are recommended after confirming a high-severity detection in Falcon? (Choose two)
   A. Disable the endpoint sensor
   B. Quarantine the host
   C. Apply a blocklist to related hashes
   D. Increase detection thresholds
   Answer: BC

15. User Search can help correlate suspicious behavior by showing all of the following except:
   A. Processes launched by the user
   B. Group policies applied to the user
   C. Detection events involving the user
   D. Hostnames where the user has logged in
   Answer: B

16. Which role (with appropriate RTR permissions) is required to execute Real Time Response commands in Falcon?
   A. Analyst role
   B. Investigator role
   C. RTR Administrator role
   D. Falcon Viewer role
   Answer: C

17. How can the MITRE ATT&CK® Framework be used by security teams?
   A. To design software products
   B. To assess security controls and improve detection capabilities
   C. To enforce compliance regulations
   D. To establish network policies
   Answer: B

18. When using the search tools in CrowdStrike Falcon, what is the maximum number of results that can typically be returned in a single query?
   A. 100
   B. 1,000
   C. 10,000
   D. 100,000
   Answer: C

19. Which Falcon capability allows you to search raw telemetry data associated with a detection?
   A. Real Time Response
   B. Process Timeline
   C. Event Search
   D. Threat Graph
   Answer: C

20. What type of information does event timeline analysis provide during an investigation?
   A. Sequential events leading to an incident
   B. Hardware specifications
   C. User satisfaction data
   D. Market trends
   Answer: A

21. Which of the following is a key component of threat detection in CrowdStrike Falcon and other SIEM-like systems?
   A. Incident response teams
   B. Data ingestion
   C. User training
   D. Physical security
   Answer: B

22. When performing a Hash Search, what information is NOT typically returned?
   A. Process name using the hash
   B. File size
   C. Domains resolved by the hash
   D. Detections associated with the hash
   Answer: C

23. What type of events can you search for using the Event Search feature in CrowdStrike Falcon?
   A. Only malware detection events
   B. User authentication events only
   C. Only network-related events
   D. Any endpoint-related events
   Answer: D

24. Which of the following use cases best justifies using the Bulk Domain Search tool?
   A. Investigating a failed login
   B. Searching across domains used by phishing campaigns
   C. Reviewing endpoint configuration
   D. Listing sensor versions by hostname
   Answer: B

25. Which tool in CrowdStrike Falcon allows you to perform a deep dive into endpoint activity across your organization?
   A. Falcon Insights
   B. Falcon Overwatch
   C. Falcon Device Control
   D. Falcon Search
   Answer: A

26. Which statement accurately reflects how techniques and sub-techniques relate in the ATT&CK framework?
   A. Sub-techniques are independent and unrelated
   B. Techniques are subsets of sub-techniques
   C. Techniques represent general behavior, and sub-techniques provide more specific detail
   D. Sub-techniques represent the same behavior across all platforms
   Answer: C

27. Which function does the "Export" feature in Event Search provide?
   A. Allows you to delete event records
   B. Provides a visual representation of data
   C. Enables saving search results to a file
   D. Sends real-time alerts to users
   Answer: C

28. When reviewing an internal IP address via IP Search, which fields would help determine potential lateral movement? (Choose two)
   A. Host group name
   B. List of destination IPs
   C. Connected hosts
   D. MAC address
   Answer: BC