CCFR-201B Exam Questions
70 real CCFR-201B exam questions with expert-verified answers and explanations. Page 1 of 2.
- Question #1
What are Event Actions?
- Question #2
Where are quarantined files stored on Windows hosts?
- Question #3
How long does detection data remain in the CrowdStrike Cloud before purging begins?
- Question #4
Which is TRUE regarding a file released from quarantine?
- Question #5
From the Detections page, how can you view 'in-progress' detections assigned to Falcon Analyst Alex?
- Question #6
The Bulk Domain Search tool contains Domain information along with which of the following?
- Question #7
The Process Activity View provides a rows-and-columns style view of the events generated in a detection. Why might this be helpful?
- Question #8
Which Executive Summary dashboard item indicates sensors running with unsupported versions?
- Question #9
What do IOA exclusions help you achieve?
- Question #10
When examining a raw DNS request event, you see a field called ContextProcessId_decimal. What is the purpose of that field?
- Question #11
The function of Machine Learning Exclusions is to _____________.
- Question #12
You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?
- Question #13
In the Hash Search tool, which of the following is listed under Process Executions?
- Question #14
What is the difference between a Host Search and a Host Timeline?
- Question #15
What is the difference between Managed and Unmanaged Neighbors in the Falcon console?
- Question #16
What is an advantage of using the IP Search tool?
- Question #17
What happens when you open the full detection details?
- Question #18
After pivoting to an event search from a detection, you locate the ProcessRollup2 event. Which two field values are you required to obtain to perform a Process Timeline search so y...
- Question #19
Which of the following is NOT a valid event type?
- Question #20
When examining raw event data, what is the purpose of the field called ParentProcessId_decimal?
- Question #21
Which of the following is returned from the IP Search tool?
- Question #22
What types of events are returned by a Process Timeline?
- Question #23
After running an Event Search, you can select many Event Actions depending on your results. Which of the following is NOT an option for any Event Action?
- Question #24
From a detection, what is the fastest way to see children and sibling process information?
- Question #25
A list of managed and unmanaged neighbors for an endpoint can be found:
- Question #26
What happens when you create a Sensor Visibility Exclusion for a trusted file path?
- Question #27
Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?
- Question #28
The Falcon platform will show a maximum of how many detections per day for a single Agent Identifier (AID)?
- Question #29
When looking at the details of a detection, there are two fields called Global Prevalence and Local Prevalence. Which answer best defines Local Prevalence?
- Question #30
When analyzing an executable with a global prevalence of "common", but you do not know what the executable is, what is the best course of action?
- Question #31
Which of the following is an example of a MITRE ATT&CK tactic?
- Question #32
What happens when a hash is set to Always Block through IOC Management?
- Question #33
Which of the following is NOT a filter available on the Detections page?
- Question #34
You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the following?
- Question #35
How long are quarantined files stored on the host?
- Question #36
Which statement is TRUE regarding the "Bulk Domains" search?
- Question #37
How are processes on the same plane ordered (bottom 'VMTOOLSD.EXE' to top 'CMD.EXE')?
- Question #38
What does pivoting to an Event Search from a detection do?
- Question #39
You notice that taskeng.exe is one of the processes involved in a detection. What activity should you investigate next?
- Question #40
Which of the following tactic and technique combinations is sourced from MITRE ATT&CK information?
- Question #41
What happens when a hash is allowlisted?
- Question #42
The primary purpose for running a Hash Search is to:
- Question #43
What does the Full Detection Details option provide?
- Question #44
Which option indicates a hash is allowlisted?
- Question #45
Where can you find hosts that are in Reduced Functionality Mode?
- Question #46
When reviewing a Host Timeline, which of the following filters is available?
- Question #47
How does a DNSRequest event link to its responsible process?
- Question #48
What information does the MITRE ATT&CK Framework provide?
- Question #49
Within the MITRE-Based Falcon Detections Framework, what is the correct way to interpret Keep Access > Persistence > Create Account?
- Question #50
When you configure and apply an IOA exclusion, what impact does it have on the host and what you see in the console?
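Questions #10, #18, #20 and #47 all turn on the same idea: raw Falcon events are tied together by host (`aid`) plus process id, where a `ProcessRollup2` event's `TargetProcessId_decimal` is the id that other events (for example a DNS request) carry in `ContextProcessId_decimal`, and `ParentProcessId_decimal` points at the parent's `TargetProcessId_decimal`. The script below is an added example, not material from the exam or from CrowdStrike: it runs those joins over a handful of constructed events (not real telemetry). The field names are the Falcon event fields the questions name; the event name `DnsRequest`, the sample values and the helper function names are assumptions made for the example.

```python
"""Link raw Falcon sensor events by host (aid) and process id.

Added example with constructed events. Field names follow the Falcon event
fields named in the exam questions; helper names are ours.
"""

# Constructed sample events. A ProcessRollup2 records a process start; its
# TargetProcessId_decimal is the id that other events refer to through
# ContextProcessId_decimal. Process ids are only unique per host, so every
# join also has to match on aid (note the decoy event from aid-host-2).
EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "aid-host-1",
     "TargetProcessId_decimal": "100", "ParentProcessId_decimal": "1",
     "ImageFileName": "\\Device\\HarddiskVolume1\\Windows\\System32\\taskeng.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "aid-host-1",
     "TargetProcessId_decimal": "200", "ParentProcessId_decimal": "100",
     "ImageFileName": "\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "aid-host-1",
     "TargetProcessId_decimal": "300", "ParentProcessId_decimal": "100",
     "ImageFileName": "\\Device\\HarddiskVolume1\\Windows\\System32\\"
                      "WindowsPowerShell\\v1.0\\powershell.exe"},
    {"event_simpleName": "DnsRequest", "aid": "aid-host-1",
     "ContextProcessId_decimal": "300", "DomainName": "example.invalid"},
    # Same process id on a different host: must never be joined to aid-host-1.
    {"event_simpleName": "DnsRequest", "aid": "aid-host-2",
     "ContextProcessId_decimal": "300", "DomainName": "decoy.invalid"},
]


def process_rollups(events, aid):
    """Map TargetProcessId_decimal -> ProcessRollup2 for one host."""
    return {e["TargetProcessId_decimal"]: e for e in events
            if e["event_simpleName"] == "ProcessRollup2" and e["aid"] == aid}


def process_timeline(events, aid, target_pid):
    """Everything a Process Timeline needs: the process's own ProcessRollup2
    plus every event whose ContextProcessId_decimal points at it, same aid."""
    out = []
    for e in events:
        if e["aid"] != aid:
            continue
        if e["event_simpleName"] == "ProcessRollup2":
            if e["TargetProcessId_decimal"] == target_pid:
                out.append(e)
        elif e.get("ContextProcessId_decimal") == target_pid:
            out.append(e)
    return out


def children(events, aid, target_pid):
    """Processes whose ParentProcessId_decimal is this process's id."""
    return [e for e in process_rollups(events, aid).values()
            if e["ParentProcessId_decimal"] == target_pid]


def siblings(events, aid, target_pid):
    """Processes sharing this process's parent, excluding the process itself."""
    me = process_rollups(events, aid).get(target_pid)
    if me is None:
        return []
    return [e for e in children(events, aid, me["ParentProcessId_decimal"])
            if e["TargetProcessId_decimal"] != target_pid]


def responsible_process(events, event):
    """Resolve an event such as DnsRequest to the ProcessRollup2 that issued it:
    same aid, ContextProcessId_decimal == TargetProcessId_decimal. None if the
    process start was not captured (or the event belongs to another host)."""
    return process_rollups(events, event["aid"]).get(
        event.get("ContextProcessId_decimal"))


def image_name(rollup):
    """Last path component of ImageFileName, for readable output."""
    return rollup["ImageFileName"].rsplit("\\", 1)[-1]


if __name__ == "__main__":
    dns = EVENTS[3]
    proc = responsible_process(EVENTS, dns)
    print(dns["DomainName"], "was requested by", image_name(proc))
    print("children of taskeng.exe:",
          [image_name(c) for c in children(EVENTS, "aid-host-1", "100")])
    print("siblings of powershell.exe:",
          [image_name(s) for s in siblings(EVENTS, "aid-host-1", "300")])
    print("timeline events for powershell.exe:",
          [e["event_simpleName"] for e in process_timeline(EVENTS, "aid-host-1", "300")])
```

The point a responder should take from the joins is that `aid` is part of every key: a `ContextProcessId_decimal` on its own is ambiguous across hosts, which is why a Process Timeline search asks for both the `aid` and the `TargetProcessId_decimal` from the `ProcessRollup2` event.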