
CCFR-201 Premium PDF & Test Engine Files with 63 Questions & Answers
CrowdStrike CCFR-201 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 | |
| Topic 2 | |
| Topic 3 | |
| Topic 4 | |
NEW QUESTION # 19
What happens when you create a Sensor Visibility Exclusion for a trusted file path?
- A. It disables detection generation from that path, however the sensor can still perform prevention actions
- B. It excludes sensor monitoring and event collection for the trusted file path
- C. It excludes host information from Detections and Incidents generated within that file path location
- D. It prevents file uploads to the CrowdStrike cloud from that file path
Answer: B
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, Sensor Visibility Exclusions allow you to exclude certain files or directories from being monitored by the CrowdStrike sensor, which can reduce noise and improve performance. This means that no events will be collected or sent to the CrowdStrike Cloud for those files or directories.
NEW QUESTION # 20
What is an advantage of using the IP Search tool?
- A. IP searches provide manufacture and timezone data that can not be accessed anywhere else
- B. IP searches offer shortcuts to launch response actions and network containment on target hosts
- C. IP searches provide host, process, and organizational unit data without the need to write a query
- D. IP searches allow for multiple comma separated IPv6 addresses as input
Answer: C
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the IP Search tool allows you to search for an IP address and view a summary of information from Falcon events that contain that IP address. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that communicated with that IP address. This is an advantage of using the IP Search tool because it provides host, process, and organizational unit data without the need to write a query.
NEW QUESTION # 21
When examining a raw DNS request event, you see a field called ContextProcessId_decimal. What is the purpose of that field?
- A. It contains an internal value not useful for an investigation
- B. It contains the TargetProcessId_decimal value for other related events
- C. It contains the ContextProcessId_decimal value for the parent process that made the DNS request
- D. It contains the TargetProcessId_decimal value for the process that made the DNS request
Answer: D
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ContextProcessId_decimal field contains the decimal value of the process ID of the process that generated the event. This field can be used to trace the process lineage and identify malicious or suspicious activities. For a DNS request event, this field indicates which process made the DNS request.
NEW QUESTION # 22
Which of the following is an example of a MITRE ATT&CK tactic?
- A. Defense Evasion
- B. Phishing
- C. Eternal Blue
- D. Emotet
Answer: A
Explanation:
According to the MITRE ATT&CK website, MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Defense Evasion is one of the tactics defined by MITRE ATT&CK, which covers actions that adversaries take to avoid detection or prevent security controls from blocking their activities. Eternal Blue, Emotet, and Phishing are examples of techniques, not tactics.
NEW QUESTION # 23
Which of the following is NOT a filter available on the Detections page?
- A. Triggering File
- B. Time
- C. Severity
- D. CrowdScore
Answer: A
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Detections page allows you to view and manage detections generated by the CrowdStrike Falcon platform. You can use various filters to narrow down the detections based on criteria such as severity, CrowdScore, time, tactic, technique, etc. However, there is no filter for triggering file, which is the file that caused the detection.
NEW QUESTION # 24
When reviewing a Host Timeline, which of the following filters is available?
- A. Severity
- B. Detection ID
- C. Event Types
- D. User Name
Answer: C
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Host Timeline tool allows you to view all events recorded by the sensor for a given host in chronological order. The events include process executions, file writes, registry modifications, network connections, user logins, etc. You can use various filters to narrow down the events based on criteria such as event type, timestamp range, file name, registry key, network destination, etc. However, there is no filter for severity, user name, or detection ID, as these are not attributes of the events.
NEW QUESTION # 25
Where can you find hosts that are in Reduced Functionality Mode?
- A. Event Search
- B. Executive Summary dashboard
- C. Installation Tokens
- D. Host Search
Answer: D
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Reduced Functionality Mode (RFM) is a state where a host's sensor has limited functionality due to various reasons, such as license expiration, network issues, tampering attempts, etc. You can find hosts that are in RFM by using the Host Search tool and filtering by Sensor Status = RFM. You can also view details about why a host is in RFM by clicking on its hostname.
NEW QUESTION # 26
What action is used when you want to save a prevention hash for later use?
- A. No Action
- B. Never Block
- C. Always Block
- D. Always Allow
Answer: C
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Always Block action allows you to block a file from executing on any host in your organization based on its hash value. This action can be used to prevent known malicious files from running on your endpoints.
NEW QUESTION # 27
How long are quarantined files stored on the host?
- A. 90 Days
- B. Quarantined files are never deleted from the host
- C. 30 Days
- D. 45 Days
Answer: B
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, quarantined files are never deleted from the host unless you manually delete them or release them from quarantine. When you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.
NEW QUESTION # 28
The function of Machine Learning Exclusions is to___________.
- A. stop all ML-based detections and preventions for the matching path(s) and/or stop files from being uploaded to the CrowdStrike Cloud
- B. stop all detections for a specific pattern ID
- C. stop all sensor data collection for the matching path(s)
- D. Stop all Machine Learning Preventions but a detection will still be generated and files will still be uploaded to the CrowdStrike Cloud
Answer: A
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, Machine Learning Exclusions allow you to exclude files or directories from being scanned by CrowdStrike's machine learning engine, which can reduce false positives and improve performance. You can also choose whether or not to upload the excluded files to the CrowdStrike Cloud.
NEW QUESTION # 29
You are reviewing the raw data in an event search from a detection tree. You find a FileOpenInfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?
- A. ParentProcessId_decimal and aid
- B. ResponsibleProcessId_decimal and aid
- C. ContextProcessId_decimal and aid
- D. TargetProcessId_decimal and aid
Answer: D
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. The tool requires two parameters: aid (agent ID) and TargetProcessId_decimal (the decimal value of the process ID). These fields can be obtained from any event that involves the process, such as a FileOpenInfo event, which contains information about a file being opened by a process.
NEW QUESTION # 30
You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?
- A. Identifies a detailed list of all process executions for the specified hashes
- B. Identifies users associated with the specified hashes
- C. Identifies hosts that loaded or executed the specified hashes
- D. Identifies detections related to the specified hashes
Answer: C
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Execution Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that loaded or executed those hashes. You can also see a count of detections and incidents related to those hashes.
NEW QUESTION # 32
The Falcon platform will show a maximum of how many detections per day for a single Agent Identifier (AID)?
- A. 0
- B. 1
- C. 2
- D. 3
Answer: A
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Falcon platform will show a maximum of 1000 detections per day for a single AID. This is a limit imposed by the Falcon API, which is used to retrieve the detections from the CrowdStrike Cloud. If there are more than 1000 detections per day for a single AID, only the first 1000 will be shown.
NEW QUESTION # 33
Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?
- A. You can't export detailed event data from a detection; you have to use the Process Timeline or an Event Search
- B. In Full Detection Details, you expand the nodes of the process tree you wish to expand and then click the "Export Process Events" button
- C. From the Detections Dashboard, you right-click the event type you wish to export and choose CSV, JSON or XML
- D. In Full Detection Details, you choose the "View Process Activity" option and then export from that view
Answer: D
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, there are three ways to export process event data from a detection in .CSV format:
- You can use the Process Timeline tool and click on the "Export CSV" button at the top right corner.
- You can use the Event Search tool, select one or more events, and click on the "Export CSV" button at the top right corner.
- You can use the Full Detection Details tool and choose the "View Process Activity" option from any process node in the process tree view. This will show you all events generated by that process in a rows-and-columns style view. You can then click on the "Export CSV" button at the top right corner.
NEW QUESTION # 34
From the Detections page, how can you view 'in-progress' detections assigned to Falcon Analyst Alex?
- A. Filter on 'Status: In-Progress' and 'Assigned-to: Alex*'
- B. Filter on 'Analyst: Alex'
- C. Filter on 'Hostname: Alex' and 'Status: In-Progress'
- D. Alex does not have the correct role permissions as a Falcon Analyst to be assigned detections
Answer: A
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Detections page allows you to view and manage detections generated by the CrowdStrike Falcon platform. You can use various filters to narrow down the detections based on criteria such as status, severity, tactic, technique, etc. To view 'in-progress' detections assigned to Falcon Analyst Alex, you can filter on 'Status: In-Progress' and 'Assigned-to: Alex*'. The asterisk (*) is a wildcard that matches any characters after Alex.
NEW QUESTION # 35
When you configure and apply an IOA exclusion, what impact does it have on the host and what you see in the console?
- A. The associated detection will be suppressed and the associated process would have been allowed to run
- B. The sensor will stop sending events from the process specified in the regex pattern
- C. The associated IOA will still generate a detection but the associated process would have been allowed to run
- D. The process specified is not sent to the Falcon Sandbox for analysis
Answer: A
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike's indicators of attack (IOAs), which are behavioral rules that identify malicious activities. This can reduce false positives and improve performance. When you configure and apply an IOA exclusion, the impact is that the associated detection will be suppressed and the associated process would have been allowed to run. This means that you will not see any alerts or events related to that IOA in the console.
NEW QUESTION # 36
What happens when a quarantined file is released?
- A. It is allowed to execute on the host
- B. It is moved into the C:\CrowdStrike\Quarantine\Released folder on the host
- C. It is allowed to execute on all hosts
- D. It is deleted
Answer: C
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.
NEW QUESTION # 37
You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the following?
- A. PID
- B. Process ID or Parent Process ID
- C. UTC time
- D. Process Timeline Link
Answer: B
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. The tool requires two parameters: aid (agent ID) and TargetProcessId_decimal (the decimal value of the process ID). You can jump to a Process Timeline from many views, such as Hash Search, Host Timeline, Event Search, etc., by clicking on either the Process ID or Parent Process ID fields in those views. This will automatically populate the aid and TargetProcessId_decimal parameters for the Process Timeline tool.
NEW QUESTION # 38
Where are quarantined files stored on Windows hosts?
- A. Windows\temp\Drivers\CrowdStrike\Quarantine
- B. Windows\Quarantine
- C. Windows\System32\Drivers\CrowdStrike\Quarantine
- D. Windows\System32\
Answer: C
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you quarantine a file from a host using IOC Management or Real Time Response (RTR), you are moving it from its original location to a secure location on the host where it cannot be executed. The file is also encrypted and renamed with a random string of characters. On Windows hosts, quarantined files are stored in the C:\Windows\System32\Drivers\CrowdStrike\Quarantine folder.
