CrowdStrike CCFR-201 Exam
CrowdStrike Certified Falcon Responder (Page 4)

Updated On: 30-Jan-2026

After pivoting to an event search from a detection, you locate the ProcessRollup2 event.
Which two field values are you required to obtain to perform a Process Timeline search so you can determine what the process was doing?

  A. SHA256 and TargetProcessId_decimal
  B. SHA256 and ParentProcessId_decimal
  C. aid and ParentProcessId_decimal
  D. aid and TargetProcessId_decimal

Answer(s): D

Explanation:

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline search requires two parameters: aid (agent ID) and TargetProcessId_decimal (the decimal value of the process ID). These fields can be obtained from the ProcessRollup2 event, which contains information about processes that have executed on a host.



Which statement is TRUE regarding the "Bulk Domains" search?

  A. It will show a list of computers and processes that performed a lookup of any of the domains in your search
  B. The "Bulk Domains" search will allow you to blocklist your queried domains
  C. The "Bulk Domains" search will show IP address and port information for any associated connections
  D. You should only pivot to the "Bulk Domains" search tool after completing an investigation

Answer(s): A

Explanation:

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Bulk Domain Search tool allows you to search for one or more domains and view a summary of information from Falcon events that contain those domains. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that performed a lookup of any of the domains in your search. This can help you identify potential threats or vulnerabilities in your network.



From a detection, what is the fastest way to see children and sibling process information?

  A. Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessId_decimal)
  B. Select Full Detection Details from the detection
  C. Right-click the process and select "Follow Process Chain"
  D. Select the Process Timeline feature, enter the AID, Target Process ID, and Parent Process ID

Answer(s): B

Explanation:

According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the Full Detection Details tool allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process tree view provides a graphical representation of the process hierarchy and activity. You can see children and sibling processes information by expanding or collapsing nodes in the tree.



What is an advantage of using a Process Timeline?

  A. Process-related events can be filtered to display specific event types
  B. Suspicious processes are color-coded based on their frequency and legitimacy over time
  C. Processes responsible for spikes in CPU performance are displayed over time
  D. A visual representation of Parent-Child and Sibling process relationships is provided

Answer(s): A

Explanation:

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. You can also filter the events by various criteria, such as event type, timestamp range, file name, registry key, network destination, etc. This is an advantage of using the Process Timeline tool because it allows you to focus on specific events that are relevant to your investigation.



What does the Full Detection Details option provide?

  A. It provides a visualization of program ancestry via the Process Tree View
  B. It provides a visualization of program ancestry via the Process Activity View
  C. It provides a detailed list of detection events via the Process Table View
  D. It provides a detailed list of detection events via the Process Tree View

Answer(s): A

Explanation:

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Full Detection Details option allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process tree view provides a visualization of program ancestry, which shows the parent-child and sibling relationships among the processes. You can also see the event types and timestamps for each process.


