CrowdStrike CCFR-201 - CrowdStrike Certified Falcon Responder Exam
Page: 1 / 12
Total 60 questions
Question #1 (Topic: Exam A)
Where can you find hosts that are in Reduced Functionality Mode?
A. Event Search
B. Executive Summary dashboard
C. Host Search
D. Installation Tokens
Answer: C
Question #2 (Topic: Exam A)
When reviewing a Host Timeline, which of the following filters is available?
A. Severity
B. Event Types
C. User Name
D. Detection ID
Answer: B
Question #3 (Topic: Exam A)
How does a DNSRequest event link to its responsible process?
A. Via both its ContextProcessId_decimal and ParentProcessId_decimal fields
B. Via its ParentProcessId_decimal field
C. Via its ContextProcessId_decimal field
D. Via its TargetProcessId_decimal field
Answer: C
Question #4 (Topic: Exam A)
What information does the MITRE ATT&CK Framework provide?
A. It provides best practices for different cybersecurity domains, such as Identity and Access Management
B. It provides a step-by-step cyber incident response strategy
C. It provides the phases of an adversary's lifecycle, the platforms they are known to attack, and the specific methods they use
D. It is a system that attributes attack techniques to a specific threat actor
Answer: C
Question #5 (Topic: Exam A)
Within the MITRE-Based Falcon Detections Framework, what is the correct way to interpret Keep Access > Persistence > Create Account?
A. An adversary is trying to keep access through persistence by creating an account
B. An adversary is trying to keep access through persistence using browser extensions
C. An adversary is trying to keep access through persistence using external remote services
D. An adversary is trying to keep access through persistence using application skimming
Answer: A