Is the CCFR-201 practice exam free?

Yes. ExamCademy offers all 60 CCFR-201 practice questions for free with a registered account. No payment needed. Optional supporter features add AI explanations and spaced repetition study tools.

How accurate are the CCFR-201 practice questions?

All CCFR-201 questions are community-created and reviewed by moderators to align with CrowdStrike's published exam objectives. The community continuously reports and fixes issues to keep content accurate and up to date.

How should I study for the CCFR-201 exam?

Start by browsing practice questions to identify weak areas. Use spaced repetition (Learn Mode) to focus study time on topics you struggle with. Combine practice questions with official CrowdStrike documentation and hands-on experience for best results.

CCFR-201 Practice Exam — Free 60+ Questions

60Practice Questions

3Study Modes

FreeTo Get Started

Topic:Sort:

Question 1

Event Search

Event Search

Question 22

Detection Analysis

Question 23

Search Tools

Question 24

Detection Analysis

That's the end of the Preview

This exam has 60 community-verified practice questions. Create a free account to access all questions, comments, and explanations.

Topics covered:

ATT&CK FrameworksDetection AnalysisEvent SearchEvent InvestigationSearch ToolsReal Time Response (RTR)

Log In / Sign Up

Page 1 of 3 • Questions 1-25 of 60

1 2 3

→

Know a question that should be here? Contribute to this exam

When reviewing a Host Timeline, which of the following filters is available?

A Severity
B Event Types
C User Name
D Detection ID

From a detection, what is the fastest way to see children and sibling process information?

A Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessId_decimal)
B Select Full Detection Details from the detection
C Right-click the process and select "Follow Process Chain"
D Select the Process Timeline feature, enter the AID, Target Process ID, and Parent Process ID

Which of the following is NOT a filter available on the Detections page?

A Severity
B CrowdScore
C Time
D Triggering File

What are Event Actions?

A Automated searches that can be used to pivot between related events and searches
B Pivotable hyperlinks available in a Host Search
C Custom event data queries bookmarked by the currently signed in Falcon user
D Raw Falcon event data

Which is TRUE regarding a file released from quarantine?

A No executions are allowed for 14 days after release
B It is allowed to execute on all hosts
C It is deleted
D It will not generate future machine learning detections on the associated host

Where can you find hosts that are in Reduced Functionality Mode?

A Event Search
B Executive Summary dashboard
C Host Search
D Installation Tokens

How does a DNSRequest event link to its responsible process?

A Via both its ContextProcessId_decimal and ParentProcessId_decimal fields
B Via its ParentProcessId_decimal field
C Via its ContextProcessId_decimal field
D Via its TargetProcessId_decimal field

What is an advantage of using a Process Timeline?

A Process related events can be filtered to display specific event types
B Suspicious processes are color-coded based on their frequency and legitimacy over time
C Processes responsible for spikes in CPU performance are displayed over time
D A visual representation of Parent-Child and Sibling process relationships is provided

The Bulk Domain Search tool contains Domain information along with which of the following?

A Process Information
B Port Information
C IP Lookup Information
D Threat Actor Information

Where are quarantined files stored on Windows hosts?

A Windows\Quarantine
B Windows\System32\Drivers\CrowdStrike\Quarantine
C Windows\System32\
D Windows\temp\Drivers\CrowdStrike\Quarantine

After running an Event Search, you can select many Event Actions depending on your results. Which of the following is NOT an option for any Event Action?

A Draw Process Explorer
B Show a +/- 10-minute window of events
C Show a Process Timeline for the responsible process
D Show Associated Event Data (from TargetProcessId_decimal or ContextProcessId decimal)

You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?

A Identifies a detailed list of all process executions for the specified hashes
B Identifies hosts that loaded or executed the specified hashes
C Identifies users associated with the specified hashes
D Identifies detections related to the specified hashes

The function of Machine Learning Exclusions is to _____________.

A stop all detections for a specific pattern ID
B stop all sensor data collection for the matching path(s)
C stop all Machine Learning Preventions but a detection will still be generated and files will still be uploaded to the CrowdStrike Cloud
D stop all ML-based detections and preventions for the matching path(s) and/or stop files from being uploaded to the CrowdStrike Cloud

What information does the MITRE ATT&CK Framework provide?

A It provides best practices for different cybersecurity domains, such as Identify and Access Management
B It provides a step-by-step cyber incident response strategy
C It provides the phases of an adversary's lifecycle, the platforms they are known to attack, and the specific methods they use
D It is a system that attributes attack techniques to a specific threat actor

Within the MITRE-Based Falcon Detections Framework, what is the correct way to interpret Keep Access > Persistence > Create Account?

A An adversary is trying to keep access through persistence by creating an account
B An adversary is trying to keep access through persistence using browser extensions
C An adversary is trying to keep access through persistence using external remote services
D An adversary is trying to keep access through persistence using application skimming

When you configure and apply an IOA exclusion, what impact does it have on the host and what you see in the console?

A The process specified is not sent to the Falcon Sandbox for analysis
B The associated detection will be suppressed and the associated process would have been allowed to run
C The sensor will stop sending events from the process specified in the regex pattern
D The associated IOA will still generate a detection but the associated process would have been allowed to run

How long does detection data remain in the CrowdStrike Cloud before purging begins?

A 90 Days
B 45 Days
C 30 Days
D 14 Days

What action is used when you want to save a prevention hash for later use?

A Always Block
B Never Block
C Always Allow
D No Action

You receive an email from a third-party vendor that one of their services is compromised, the vendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?

A IP Addresses
B Remote or Network Logon Activity
C Remote Access Graph
D Hash Executions

In the Hash Search tool, which of the following is listed under Process Executions?

A Operating System
B File Signature
C Command Line
D Sensor Version

What is the difference between a Host Search and a Host Timeline?

A Results from a Host Search return information in an organized view by type, while a Host Timeline returns a view of all events recorded by the sensor
B A Host Timeline only includes process execution events and user account activity
C Results from a Host Timeline include process executions and related events organized by data type. A Host Search returns a temporal view of all events for the given host
D There is no difference - Host Search and Host Timeline are different names for the same search page

What is the difference between Managed and Unmanaged Neighbors in the Falcon console?

A A managed neighbor is currently network contained and an unmanaged neighbor is uncontained
B A managed neighbor has an installed and provisioned sensor
C An unmanaged neighbor is in a segmented area of the network
D A managed sensor has an active prevention policy

What is an advantage of using the IP Search tool?

A IP searches provide manufacture and timezone data that can not be accessed anywhere else
B IP searches allow for multiple comma separated IPv6 addresses as input
C IP searches offer shortcuts to launch response actions and network containment on target hosts
D IP searches provide host, process, and organizational unit data without the need to write a query

What happens when you open the full detection details?

A The process explorer opens and the detection is removed from the console
B The process explorer opens and you’re able to view the processes and process relationships
C The process explorer opens and the detection copies to the clipboard
D The process explorer opens and the Event Search query is run for the detection

CCFR-201Preview

About the CCFR-201 Exam

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

That's the end of the Preview

CCFR-201Preview

About the CCFR-201 Exam

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

That's the end of the Preview