CrowdStrike Falcon Responder Certification Exam Syllabus

The CrowdStrike CCFR exam preparation guide is designed to provide candidates with the necessary information about the Falcon Responder exam. It includes an exam summary, sample questions, a practice test, objectives, and ways to interpret the exam objectives, so that candidates can assess the types of questions that may be asked during the CrowdStrike Certified Falcon Responder (CCFR) exam.

All candidates are advised to refer to the CCFR objectives and sample questions provided in this preparation guide. The CrowdStrike Falcon Responder certification is mainly targeted at candidates who want to build their career in the Falcon Platform domain and demonstrate their expertise. We suggest using the practice exam listed in this cert guide to get used to the exam environment and to identify the knowledge areas where you need more work prior to taking the actual CrowdStrike Falcon Responder exam.

CrowdStrike CCFR Exam Summary:

Exam Name: CrowdStrike Falcon Responder
Exam Code: CCFR
Exam Price: $250 USD
Duration: 90 minutes
Number of Questions: 60
Passing Score: 80%
Recommended Training / Books: CCFR Training
Schedule Exam: PEARSON VUE
Sample Questions: CrowdStrike CCFR Sample Questions
Recommended Practice: CrowdStrike Certified Falcon Responder (CCFR) Practice Test

CrowdStrike Falcon Responder Syllabus:

ATT&CK Frameworks:
- Understand what information the MITRE ATT&CK framework provides
- Apply MITRE ATT&CK tactics and techniques within Falcon to provide context to a detection

Detection Analysis:
- Recommend courses of action based on the analysis of information provided with Falcon
- Interpret information displayed in the Endpoint security > Activity dashboard
- Interpret information displayed in Endpoint security > Endpoint detections
- Determine appropriate response to an activity based on detection source
- Understand use cases for built-in OSINT tools
- Explain what contextual event data is available in detection (IP/DNS/Disk/etc.)
- Triage a detection using filtering, grouping and sort-by
- Evaluate the impact of internal and external prevalence
- Evaluate an activity and determine a response based on information displayed in the Full Detection view
- Interpret the data provided in the View As Process Tree, View As Process Table and View As Process Activity
- Identify managed/unmanaged Neighbors for an endpoint during a Host Search
- Understand an IOC and the different types of actions available via Falcon
- Distinguish the use cases for various Hash Management Actions (Block, Block and Hide Detection, Detect Only, Allow, No action)
- Understand the effects of allowlisting and blocklisting
- Explain the effects of machine learning exclusion rules, sensor visibility exclusions, and IOA exclusions
- Apply best practices to quarantined files

Event Search:
- Perform an Event Advanced Search from a detection and refine a search using event actions
- Determine when and why to use specific event actions
- Distinguish between commonly used event types

Event Investigation:
- Explain what information a Process Timeline will provide
- Explain what information a Hosts Timeline will provide
- Understand when to pivot to a Process Timeline or Process Explorer from an Event Search
- Analyze process relationships (parent/child/sibling) using the information contained in the Full Detection Details

Search Tools:
- Analyze the information provided in a User Search
- Analyze the information provided in an IP Search
- Analyze the information provided in a Hash Search
- Analyze the information provided in Host Search results
- Analyze the information provided in a Bulk Domain Search

Real Time Response (RTR):
- Explain the technical capabilities of Falcon Real Time Response
- Identify administrative requirements for Real Time Response settings
- Determine when and how to connect to a host
- Investigate a threat within Falcon and use RTR commands to remediate it
- Utilize custom scripts in RTR to remediate a threat
- Set up a Workflow with RTR custom scripts
- Review audit logs to audit RTR activity

 
