CrowdStrike CCFR-201 Practice Test

Exam Title: CrowdStrike Certified Falcon Responder

Last update: Nov 27, 2025
Question 1

Which is TRUE regarding a file released from quarantine?

  • A. No executions are allowed for 14 days after release
  • B. It is allowed to execute on all hosts
  • C. It is deleted
  • D. It will not generate future machine learning detections on the associated host
Answer: B

Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.

Question 2

Which of the following is an example of a MITRE ATT&CK tactic?

  • A. Eternal Blue
  • B. Defense Evasion
  • C. Emotet
  • D. Phishing
Answer: B

Explanation:
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary
behaviors and techniques based on real-world observations. The knowledge base is organized into
tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access,
persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve
those goals, such as phishing, credential dumping, remote file copy, etc. Defense Evasion is one of
the tactics defined by MITRE ATT&CK, which covers actions that adversaries take to avoid detection
or prevent security controls from blocking their activities. Eternal Blue, Emotet, and Phishing are
examples of techniques, not tactics.

Question 3

You notice that taskeng.exe is one of the processes involved in a detection. What activity should you
investigate next?

  • A. User logons after the detection
  • B. Executions of schtasks.exe after the detection
  • C. Scheduled tasks registered prior to the detection
  • D. Pivot to a Hash search for taskeng.exe
Answer: C

Explanation:
According to the [Microsoft website], taskeng.exe is a legitimate Windows process that is
responsible for running scheduled tasks. However, some malware may use this process or create a
fake one to execute malicious code. Therefore, if you notice taskeng.exe involved in a detection, you
should investigate whether there are any scheduled tasks registered prior to the detection that may
have triggered or injected into taskeng.exe. You can use tools such as schtasks.exe or Task Scheduler
to view or manage scheduled tasks.

Question 4

Where can you find hosts that are in Reduced Functionality Mode?

  • A. Event Search
  • B. Executive Summary dashboard
  • C. Host Search
  • D. Installation Tokens
Answer: C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Reduced Functionality Mode (RFM) is a state where a host’s sensor has limited functionality due to various reasons, such as license expiration, network issues, tampering attempts, etc. You can find hosts that are in RFM by using the Host Search tool and filtering by Sensor Status = RFM. You can also view details about why a host is in RFM by clicking on its hostname.

Question 5

From the Detections page, how can you view 'in-progress' detections assigned to Falcon Analyst
Alex?

  • A. Filter on 'Analyst: Alex'
  • B. Alex does not have the correct role permissions as a Falcon Analyst to be assigned detections
  • C. Filter on 'Hostname: Alex' and 'Status: In-Progress'
  • D. Filter on 'Status: In-Progress' and 'Assigned-to: Alex*'
Answer: D

Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the Detections page allows you to view and manage detections generated by the CrowdStrike Falcon platform. You can use various filters to narrow down the detections based on criteria such as status, severity, tactic, technique, etc. To view ‘in-progress’ detections assigned to Falcon Analyst Alex, you can filter on ‘Status: In-Progress’ and 'Assigned-to: Alex*'. The asterisk (*) is a wildcard that matches any characters after Alex.

Question 6

The Process Activity View provides a rows-and-columns style view of the events generated in a
detection. Why might this be helpful?

  • A. The Process Activity View creates a consolidated view of all detection events for that process that can be exported for further analysis
  • B. The Process Activity View will show the Detection time of the earliest recorded activity which might indicate first affected machine
  • C. The Process Activity View only creates a summary of Dynamic Link Libraries (DLLs) loaded by a process
  • D. The Process Activity View creates a count of event types only, which can be useful when scoping the event
Answer: A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Activity View allows you to view all events generated by a process involved in a detection in a rows-and-columns style view. This can be helpful because it creates a consolidated view of all detection events for that process that can be exported for further analysis. You can also sort, filter, and pivot on the events by various fields, such as event type, timestamp, file name, registry key, network destination, etc.

Question 7

After running an Event Search, you can select many Event Actions depending on your results. Which
of the following is NOT an option for any Event Action?

  • A. Draw Process Explorer
  • B. Show a +/- 10-minute window of events
  • C. Show a Process Timeline for the responsible process
  • D. Show Associated Event Data (from TargetProcessId_decimal or ContextProcessId_decimal)
Answer: A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Event Search tool allows you to search for events based on various criteria, such as event type, timestamp, hostname, IP address, etc. You can also select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events, etc. However, there is no option to draw a process explorer, which is a graphical representation of the process hierarchy and activity.

Question 8

Which option indicates a hash is allowlisted?

  • A. No Action
  • B. Allow
  • C. Ignore
  • D. Always Block
Answer: B

Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the allowlist feature allows you to exclude files or directories from being scanned or blocked by CrowdStrike’s machine learning engine or indicators of attack (IOAs). This can reduce false positives and improve performance. When you allowlist a hash, you are allowing that file to execute on any host that belongs to your organization’s CID (customer ID). The option to indicate that a hash is allowlisted is "Allow".

Question 9

Which of the following tactic and technique combinations is sourced from MITRE ATT&CK
information?

  • A. Falcon Intel via Intelligence Indicator - Domain
  • B. Machine Learning via Cloud-Based ML
  • C. Malware via PUP
  • D. Credential Access via OS Credential Dumping
Answer: D

Explanation:
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary
behaviors and techniques based on real-world observations. The knowledge base is organized into
tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access,
persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve
those goals, such as phishing, credential dumping, remote file copy, etc. Credential Access via OS
Credential Dumping is an example of a tactic and technique combination sourced from MITRE
ATT&CK information, which describes how adversaries can obtain credentials from operating system
memory or disk storage by using tools such as Mimikatz or ProcDump.

Question 10

What do IOA exclusions help you achieve?

  • A. Reduce false positives based on Next-Gen Antivirus settings in the Prevention Policy
  • B. Reduce false positives of behavioral detections from IOA based detections only
  • C. Reduce false positives of behavioral detections from IOA based detections based on a file hash
  • D. Reduce false positives of behavioral detections from Custom IOA and OverWatch detections only
Answer: B

Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike’s indicators of attack (IOAs), which are behavioral rules that identify malicious activities. This can reduce false positives and improve performance. IOA exclusions only apply to IOA based detections, not other types of detections such as machine learning, custom IOA, or OverWatch.

Page 1 out of 5
Viewing questions 1-10 out of 60