CrowdStrike CCFR-201 Exam Questions

Questions for the CCFR-201 were updated on: Nov 21, 2025

Page 1 out of 4. Viewing questions 1-15 out of 60

Question 1

What happens when you open the full detection details?

  • A. The process explorer opens and the detection is removed from the console
  • B. The process explorer opens and you're able to view the processes and process relationships
  • C. The process explorer opens and the detection copies to the clipboard
  • D. The process explorer opens and the Event Search query is run for the detection
Answer:

B

Explanation:
According to the [CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide], when you
open the full detection details from a detection alert or dashboard item, you are taken to a page
where you can view detailed information about the detection, such as detection ID, severity, tactic,
technique, description, etc. You can also view the events generated by the processes involved in the
detection in different ways, such as process tree, process timeline, or process activity. The process
tree view is also known as the process explorer, which provides a graphical representation of the
process hierarchy and activity. You can view the processes and process relationships by expanding or
collapsing nodes in the tree. You can also see the event types and timestamps for each process.

Question 2

How long are quarantined files stored in the CrowdStrike Cloud?

  • A. 45 Days
  • B. 90 Days
  • C. Days
  • D. Quarantined files are not deleted
Answer:

B

Explanation:
According to the [CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide], when you
quarantine a file from a host using IOC Management or Real Time Response (RTR), you are moving it
from its original location to a secure location on the host where it cannot be executed. The file is also
encrypted and renamed with a random string of characters. A copy of the file is also uploaded to the
CrowdStrike Cloud for further analysis. Quarantined files are stored in the CrowdStrike Cloud for 90
days before they are deleted.

Question 3

You receive an email from a third-party vendor that one of their services is compromised, the vendor
names a specific IP address that the compromised service was using. Where would you input this
indicator to find any activity related to this IP address?

  • A. IP Addresses
  • B. Remote or Network Logon Activity
  • C. Remote Access Graph
  • D. Hash Executions
Answer:

A

Explanation:
According to the [CrowdStrike website], the Discover page is where you can search for and analyze
various types of indicators of compromise (IOCs), such as hashes, IP addresses, or domains that are
associated with malicious activities. You can use various tools, such as Hash Executions, IP Addresses,
Remote or Network Logon Activity, etc., to perform different types of searches and view the results
in different ways. If you want to search for any activity related to an IP address that was
compromised by a third-party vendor, you can use the IP Addresses tool to do so. You can input the
IP address and see a summary of information from Falcon events that contain that IP address, such
as hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and
organizational unit of the host that communicated with that IP address.

Question 4

Sensor Visibility Exclusion patterns are written in which syntax?

  • A. Glob Syntax
  • B. Kleene Star Syntax
  • C. RegEx
  • D. SPL(Splunk)
Answer:

A

Explanation:
According to the [CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide], Sensor
Visibility Exclusions allow you to exclude files or directories from being monitored by the sensor. This
can reduce the amount of data sent to the CrowdStrike Cloud and improve performance. Sensor
Visibility Exclusion patterns are written in Glob Syntax, which is a simple pattern matching syntax
that supports wildcards, such as *, ?, and . For example, you can use *.exe to exclude all files with
the .exe extension.

Question 5

Which of the following is NOT a valid event type?

  • A. StartofProcess
  • B. EndofProcess
  • C. ProcessRollup2
  • D. DnsRequest
Answer:

B

Explanation:
According to the [CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide
v3.1.5+], event types are categories of events that are generated by the sensor for various activities,
such as process executions, file writes, registry modifications, network connections, etc. There are
many valid event types, such as StartOfProcess, ProcessRollup2, DnsRequest, etc. However,
EndOfProcess is not a valid event type, as there is no such event that records the end of a process.

Question 6

How long are quarantined files stored on the host?

  • A. 45 Days
  • B. 30 Days
  • C. Quarantined files are never deleted from the host
  • D. 90 Days
Answer:

C

Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, quarantined
files are never deleted from the host unless you manually delete them or release them from
quarantine. When you release a file from quarantine, you are restoring it to its original location and
allowing it to execute on any host in your organization. This action also removes the file from the
quarantine list and deletes it from the CrowdStrike Cloud.

Question 7

Where are quarantined files stored on Windows hosts?

  • A. Windows\Quarantine
  • B. Windows\System32\Drivers\CrowdStrike\Quarantine
  • C. Windows\System32\
  • D. Windows\temp\Drivers\CrowdStrike\Quarantine
Answer:

B

Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, when you
quarantine a file from a host using IOC Management or Real Time Response (RTR), you are moving it
from its original location to a secure location on the host where it cannot be executed. The file is
also encrypted and renamed with a random string of characters. On Windows hosts, quarantined
files are stored in the C:\Windows\System32\Drivers\CrowdStrike\Quarantine folder.

Question 8

You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the
following?

  • A. ProcessTimeline Link
  • B. PID
  • C. UTCtime
  • D. Process ID or Parent Process ID
Answer:

D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide
v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given
process, such as process creation, network connections, file writes, registry modifications, etc. The
tool requires two parameters: aid (agent ID) and TargetProcessId_decimal (the decimal value of the
process ID). You can jump to a Process Timeline from many views, such as Hash Search, Host
Timeline, Event Search, etc., by clicking on either the Process ID or Parent Process ID fields in those
views. This will automatically populate the aid and TargetProcessId_decimal parameters for the
Process Timeline tool.

Question 9

In the Hash Search tool, which of the following is listed under Process Executions?

  • A. Operating System
  • B. File Signature
  • C. Command Line
  • D. Sensor Version
Answer:

C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide
v3.1.5+, the Hash Search tool allows you to search for one or more SHA256 hashes and view a
summary of information from Falcon events that contain those hashes. The summary includes the
hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and
organizational unit of the host that loaded or executed those hashes. You can also see a count of
detections and incidents related to those hashes. Under Process Executions, you can see the
process name and command line for each hash execution.

Question 10

You are notified by a third-party that a program may have redirected traffic to a malicious domain.
Which Falcon page will assist you in searching for any domain request information related to this
notice?

  • A. Falcon X
  • B. Investigate
  • C. Discover
  • D. Spotlight
Answer:

B

Explanation:
According to the [CrowdStrike website], the Investigate page is where you can search for and analyze
various types of data collected by the Falcon platform, such as events, hosts, processes, hashes,
domains, IPs, etc. You can use various tools, such as Event Search, Host Search, Process Timeline,
Hash Search, Bulk Domain Search, etc., to perform different types of searches and view the results in
different ways. If you want to search for any domain request information related to a notice from a
third-party, you can use the Investigate page to do so. For example, you can use the Bulk Domain
Search tool to search for the malicious domain and see which hosts and processes communicated
with it. You can also use the Event Search tool to search for DNSRequest events that contain the
malicious domain and see more details about the query and response.

Question 11

What does pivoting to an Event Search from a detection do?

  • A. It gives you the ability to search for similar events on other endpoints quickly
  • B. It takes you to the raw Insight event data and provides you with a number of Event Actions
  • C. It takes you to a Process Timeline for that detection so you can see all related events
  • D. It allows you to input an event type, such as DNS Request or ASEP write, and search for those events within the detection
Answer:

B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide
v3.1.5+, pivoting to an Event Search from a detection takes you to the raw Insight event data and
provides you with a number of Event Actions. Insight events are low-level events that are generated
by the sensor for various activities, such as process executions, file writes, registry modifications,
network connections, etc. You can view these events in a table format and use various filters and
fields to narrow down the results. You can also select one or more events and perform various
actions, such as show a process timeline, show a host timeline, show associated event data, show a
+/- 10-minute window of events, etc. These actions can help you investigate and analyze events
more efficiently and effectively.

Question 12

What are Event Actions?

  • A. Automated searches that can be used to pivot between related events and searches
  • B. Pivotable hyperlinks available in a Host Search
  • C. Custom event data queries bookmarked by the currently signed in Falcon user
  • D. Raw Falcon event data
Answer:

A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide
v3.1.5+, Event Actions are automated searches that can be used to pivot between related events and
searches. They are available in various tools, such as Event Search, Process Timeline, Host Timeline,
etc. You can select one or more events and perform various actions, such as show a process
timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events,
etc. These actions can help you investigate and analyze events more efficiently and effectively.

Question 13

Which Executive Summary dashboard item indicates sensors running with unsupported versions?

  • A. Detections by Severity
  • B. Inactive Sensors
  • C. Sensors in RFM
  • D. Active Sensors
Answer:

C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide
v3.1.5+, the Executive Summary dashboard provides an overview of your sensor health and
activity. It includes various items, such as Active Sensors, Inactive Sensors, Detections by Severity,
etc. The item that indicates sensors running with unsupported versions is Sensors in RFM (Reduced
Functionality Mode). RFM is a state where a sensor has limited functionality due to various reasons,
such as license expiration, network issues, tampering attempts, or unsupported versions. You can
see the number and percentage of sensors in RFM and the reasons why they are in RFM.

Question 14

What happens when a hash is set to Always Block through IOC Management?

  • A. Execution is prevented on all hosts by default
  • B. Execution is prevented on selected host groups
  • C. Execution is prevented and detection alerts are suppressed
  • D. The hash is submitted for approval to be blocked from execution once confirmed by Falcon specialists
Answer:

A

Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, IOC
Management allows you to manage indicators of compromise (IOCs), which are artifacts such as
hashes, IP addresses, or domains that are associated with malicious activities. You can set different
actions for IOCs, such as Allow, No Action, or Always Block. When you set a hash to Always Block
through IOC Management, you are preventing that file from executing on any host in your
organization by default. This action also generates a detection alert when the file is blocked.

Question 15

When analyzing an executable with a global prevalence of common, but you do not know what the
executable is, what is the best course of action?

  • A. Do nothing, as this file is common and well known
  • B. From detection, click the VT Hash button to pivot to VirusTotal to investigate further
  • C. From detection, use API manager to create a custom blocklist
  • D. From detection, submit to FalconX for deep dive analysis
Answer:

B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide
v3.1.5+, global prevalence is a field that indicates how frequently the hash of a file is seen across all
CrowdStrike customer environments. A global prevalence of common means that the file is widely
distributed and likely benign. However, if you do not know what the executable is, you may want to
investigate it further to confirm its legitimacy and functionality. One way to do that is to click the VT
Hash button from the detection, which will pivot you to VirusTotal, a service that analyzes files and
URLs for viruses, malware, and other threats. You can then see more information about the file,
such as its name, size, type, signatures, detections, comments, etc.
