[Dec 18, 2023] Get to the Top with CCFR-201 Practice Exam Questions [Q37-Q59]


Use Real CCFR-201 Dumps Free Sample Questions and Practice Test Engine

NEW QUESTION # 37
What is the difference between Managed and Unmanaged Neighbors in the Falcon console?

  • A. A managed neighbor has an installed and provisioned sensor
  • B. A managed neighbor is currently network contained and an unmanaged neighbor is uncontained
  • C. An unmanaged neighbor is in a segmented area of the network
  • D. A managed sensor has an active prevention policy

Answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, you can use the Hosts page in the Investigate tool to view information about your endpoints, such as hostname, IP address, OS, sensor version, etc. You can also see a list of managed and unmanaged neighbors for each endpoint, which are other devices that have communicated with that endpoint over the network. A managed neighbor is a device that has an installed and provisioned sensor that reports to the CrowdStrike Cloud. An unmanaged neighbor is a device that does not have an installed or provisioned sensor.


NEW QUESTION # 38
Which statement is TRUE regarding the "Bulk Domains" search?

  • A. The "Bulk Domains" search will allow you to blocklist your queried domains
  • B. It will show a list of computers and processes that performed a lookup of any of the domains in your search
  • C. The "Bulk Domains" search will show IP address and port information for any associated connections
  • D. You should only pivot to the "Bulk Domains" search tool after completing an investigation

Answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Bulk Domain Search tool allows you to search for one or more domains and view a summary of information from Falcon events that contain those domains. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that performed a lookup of any of the domains in your search. This can help you identify potential threats or vulnerabilities in your network.


NEW QUESTION # 39
What action is used when you want to save a prevention hash for later use?

  • A. Always Block
  • B. No Action
  • C. Never Block
  • D. Always Allow

Answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Always Block action allows you to block a file from executing on any host in your organization based on its hash value. This action can be used to prevent known malicious files from running on your endpoints.


NEW QUESTION # 40
What information does the MITRE ATT&CK Framework provide?

  • A. It is a system that attributes attack techniques to a specific threat actor
  • B. It provides the phases of an adversary's lifecycle, the platforms they are known to attack, and the specific methods they use
  • C. It provides best practices for different cybersecurity domains, such as Identity and Access Management
  • D. It provides a step-by-step cyber incident response strategy

Answer: B

Explanation:
According to the MITRE ATT&CK website, MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. The knowledge base also covers different platforms that adversaries target, such as Windows, Linux, Mac, Android, iOS, etc., and different phases of an adversary's lifecycle, such as reconnaissance, resource development, execution, command and control, etc.


NEW QUESTION # 41
Which is TRUE regarding a file released from quarantine?

  • A. It will not generate future machine learning detections on the associated host
  • B. It is deleted
  • C. It is allowed to execute on all hosts
  • D. No executions are allowed for 14 days after release

Answer: C

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.


NEW QUESTION # 42
You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?

  • A. Identifies hosts that loaded or executed the specified hashes
  • B. Identifies users associated with the specified hashes
  • C. Identifies a detailed list of all process executions for the specified hashes
  • D. Identifies detections related to the specified hashes

Answer: A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Execution Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that loaded or executed those hashes. You can also see a count of detections and incidents related to those hashes.


NEW QUESTION # 43
Which of the following tactic and technique combinations is sourced from MITRE ATT&CK information?

  • A. Credential Access via OS Credential Dumping
  • B. Machine Learning via Cloud-Based ML
  • C. Malware via PUP
  • D. Falcon Intel via Intelligence Indicator - Domain

Answer: A

Explanation:
According to the MITRE ATT&CK website, MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Credential Access via OS Credential Dumping is an example of a tactic and technique combination sourced from MITRE ATT&CK information, which describes how adversaries can obtain credentials from operating system memory or disk storage by using tools such as Mimikatz or ProcDump.


NEW QUESTION # 44
From a detection, what is the fastest way to see children and sibling process information?

  • A. Select Full Detection Details from the detection
  • B. Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessId_decimal)
  • C. Right-click the process and select "Follow Process Chain"
  • D. Select the Process Timeline feature, enter the AID, Target Process ID, and Parent Process ID

Answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Full Detection Details tool allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process tree view provides a graphical representation of the process hierarchy and activity. You can see children and sibling process information by expanding or collapsing nodes in the tree.


NEW QUESTION # 45
What does the Full Detection Details option provide?

  • A. It provides a visualization of program ancestry via the Process Tree View
  • B. It provides a visualization of program ancestry via the Process Activity View
  • C. It provides detailed list of detection events via the Process Table View
  • D. It provides a detailed list of detection events via the Process Tree View

Answer: A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Full Detection Details option allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process tree view provides a visualization of program ancestry, which shows the parent-child and sibling relationships among the processes. You can also see the event types and timestamps for each process.


NEW QUESTION # 46
You notice that taskeng.exe is one of the processes involved in a detection. What activity should you investigate next?

  • A. User logons after the detection
  • B. Scheduled tasks registered prior to the detection
  • C. Executions of schtasks.exe after the detection
  • D. Pivot to a Hash search for taskeng.exe

Answer: B

Explanation:
According to the Microsoft website, taskeng.exe is a legitimate Windows process that is responsible for running scheduled tasks. However, some malware may use this process or create a fake one to execute malicious code. Therefore, if you notice taskeng.exe involved in a detection, you should investigate whether there are any scheduled tasks registered prior to the detection that may have triggered or injected into taskeng.exe. You can use tools such as schtasks.exe or Task Scheduler to view or manage scheduled tasks.


NEW QUESTION # 47
What happens when you open the full detection details?

  • A. The process explorer opens and the detection is removed from the console
  • B. The process explorer opens and the detection copies to the clipboard
  • C. The process explorer opens and the Event Search query is run for the detection
  • D. The process explorer opens and you're able to view the processes and process relationships

Answer: D

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you open the full detection details from a detection alert or dashboard item, you are taken to a page where you can view detailed information about the detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process tree view is also known as the process explorer, which provides a graphical representation of the process hierarchy and activity. You can view the processes and process relationships by expanding or collapsing nodes in the tree. You can also see the event types and timestamps for each process.


NEW QUESTION # 48
A list of managed and unmanaged neighbors for an endpoint can be found:

  • A. under "Audit" by running Sensor Visibility Exclusions Audit
  • B. only by searching event data using Event Search
  • C. by reviewing "Groups" in Host Management under the Hosts page
  • D. by using Hosts page in the Investigate tool

Answer: D

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, you can use the Hosts page in the Investigate tool to view information about your endpoints, such as hostname, IP address, OS, sensor version, etc. You can also see a list of managed and unmanaged neighbors for each endpoint, which are other devices that have communicated with that endpoint over the network. This can help you identify potential threats or vulnerabilities in your network.


NEW QUESTION # 49
When reviewing a Host Timeline, which of the following filters is available?

  • A. User Name
  • B. Event Types
  • C. Detection ID
  • D. Severity

Answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Host Timeline tool allows you to view all events recorded by the sensor for a given host in chronological order. The events include process executions, file writes, registry modifications, network connections, user logins, etc. You can use various filters to narrow down the events based on criteria such as event type, timestamp range, file name, registry key, network destination, etc. However, there is no filter for severity, user name, or detection ID, as these are not attributes of the events.


NEW QUESTION # 50
When analyzing an executable with a global prevalence of common, but you do not know what the executable is, what is the best course of action?

  • A. From detection, click the VT Hash button to pivot to VirusTotal to investigate further
  • B. Do nothing, as this file is common and well known
  • C. From detection, submit to FalconX for deep dive analysis
  • D. From detection, use API manager to create a custom blocklist

Answer: A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, global prevalence is a field that indicates how frequently the hash of a file is seen across all CrowdStrike customer environments. A global prevalence of common means that the file is widely distributed and likely benign. However, if you do not know what the executable is, you may want to investigate it further to confirm its legitimacy and functionality. One way to do that is to click the VT Hash button from the detection, which will pivot you to VirusTotal, a service that analyzes files and URLs for viruses, malware, and other threats. You can then see more information about the file, such as its name, size, type, signatures, detections, comments, etc.


NEW QUESTION # 51
What do IOA exclusions help you achieve?

  • A. Reduce false positives of behavioral detections from IOA based detections only
  • B. Reduce false positives based on Next-Gen Antivirus settings in the Prevention Policy
  • C. Reduce false positives of behavioral detections from Custom IOA and OverWatch detections only
  • D. Reduce false positives of behavioral detections from IOA based detections based on a file hash

Answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike's indicators of attack (IOAs), which are behavioral rules that identify malicious activities. This can reduce false positives and improve performance. IOA exclusions only apply to IOA based detections, not other types of detections such as machine learning, custom IOA, or OverWatch.


NEW QUESTION # 52
In the Hash Search tool, which of the following is listed under Process Executions?

  • A. File Signature
  • B. Sensor Version
  • C. Operating System
  • D. Command Line

Answer: D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that loaded or executed those hashes. You can also see a count of detections and incidents related to those hashes. Under Process Executions, you can see the process name and command line for each hash execution.


NEW QUESTION # 53
Which of the following is NOT a valid event type?

  • A. StartofProcess
  • B. DnsRequest
  • C. ProcessRollup2
  • D. EndofProcess

Answer: D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, event types are categories of events that are generated by the sensor for various activities, such as process executions, file writes, registry modifications, network connections, etc. There are many valid event types, such as StartOfProcess, ProcessRollup2, DnsRequest, etc. However, EndOfProcess is not a valid event type, as there is no such event that records the end of a process.


NEW QUESTION # 54
The primary purpose for running a Hash Search is to:

  • A. review information surrounding a hash's related activity
  • B. review the processes involved with a detection
  • C. determine the origin of the detection
  • D. determine any network connections

Answer: A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that loaded or executed those hashes. You can also see a count of detections and incidents related to those hashes. The primary purpose for running a Hash Search is to review information surrounding a hash's related activity, such as which hosts and processes were involved, where they were located, and whether they triggered any alerts.


NEW QUESTION # 55
How long does detection data remain in the CrowdStrike Cloud before purging begins?

  • A. 30 Days
  • B. 14 Days
  • C. 90 Days
  • D. 45 Days

Answer: C

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, detection data is stored in the CrowdStrike Cloud for 90 days before purging begins. This means that you can access and view detections from the past 90 days using the Falcon platform or API. If you want to retain detection data for longer than 90 days, you can use FDR to replicate it to your own storage system.


NEW QUESTION # 56
You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the following?

  • A. UTCtime
  • B. PID
  • C. ProcessTimeline Link
  • D. Process ID or Parent Process ID

Answer: D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. The tool requires two parameters: aid (agent ID) and TargetProcessId_decimal (the decimal value of the process ID). You can jump to a Process Timeline from many views, such as Hash Search, Host Timeline, Event Search, etc., by clicking on either the Process ID or Parent Process ID fields in those views. This will automatically populate the aid and TargetProcessId_decimal parameters for the Process Timeline tool.


NEW QUESTION # 57
What is the difference between a Host Search and a Host Timeline?

  • A. A Host Timeline only includes process execution events and user account activity
  • B. There is no difference - Host Search and Host Timeline are different names for the same search page
  • C. Results from a Host Timeline include process executions and related events organized by data type. A Host Search returns a temporal view of all events for the given host
  • D. Results from a Host Search return information in an organized view by type, while a Host Timeline returns a view of all events recorded by the sensor

Answer: D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Host Search allows you to search for hosts based on various criteria, such as hostname, IP address, OS, etc. The results are displayed in an organized view by type, such as detections, incidents, processes, network connections, etc. The Host Timeline allows you to view all events recorded by the sensor for a given host in chronological order. The events include process executions, file writes, registry modifications, network connections, user logins, etc.


NEW QUESTION # 58
Within the MITRE-Based Falcon Detections Framework, what is the correct way to interpret Keep Access > Persistence > Create Account?

  • A. An adversary is trying to keep access through persistence using external remote services
  • B. An adversary is trying to keep access through persistence using application skimming
  • C. An adversary is trying to keep access through persistence using browser extensions
  • D. An adversary is trying to keep access through persistence by creating an account

Answer: D

Explanation:
According to the CrowdStrike website, the MITRE-Based Falcon Detections Framework is a way of categorizing and describing detections based on the MITRE ATT&CK knowledge base of adversary behaviors and techniques. The framework uses three levels of granularity: category, tactic, and technique. The category is the highest level and represents the main objective of an adversary, such as initial access, execution, credential access, etc. The tactic is the second level and represents the sub-objective of an adversary within a category, such as persistence, privilege escalation, defense evasion, etc. The technique is the lowest level and represents the specific way an adversary can achieve a tactic, such as create account, modify registry, obfuscated files or information, etc. Therefore, the correct way to interpret Keep Access > Persistence > Create Account is that an adversary is trying to keep access through persistence by creating an account.


NEW QUESTION # 59
......

Pass CrowdStrike CCFR-201 exam - questions - convert Test Engine to PDF: https://itexambus.passleadervce.com/CrowdStrike-CCFR/reliable-CCFR-201-exam-learning-guide.html