
[Feb-2024] CrowdStrike CCFR CCFR-201 Exam Practice Dumps
2024 CCFR-201 Premium Files Test pdf - Free Dumps Collection
NEW QUESTION # 26
The function of Machine Learning Exclusions is to___________.
- A. stop all detections for a specific pattern ID
- B. Stop all Machine Learning Preventions but a detection will still be generated and files will still be uploaded to the CrowdStrike Cloud
- C. stop all sensor data collection for the matching path(s)
- D. stop all ML-based detections and preventions for the matching path(s) and/or stop files from being uploaded to the CrowdStrike Cloud
Answer: D
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, Machine Learning Exclusions allow you to exclude files or directories from being scanned by CrowdStrike's machine learning engine, which can reduce false positives and improve performance. You can also choose whether or not to upload the excluded files to the CrowdStrike Cloud.
NEW QUESTION # 27
When examining a raw DNS request event, you see a field called ContextProcessId_decimal. What is the purpose of that field?
- A. It contains the ContextProcessId_decimal value for the parent process that made the DNS request
- B. It contains the TargetProcessId_decimal value for other related events
- C. It contains an internal value not useful for an investigation
- D. It contains the TargetProcessId_decimal value for the process that made the DNS request
Answer: D
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ContextProcessId_decimal field contains the decimal value of the process ID of the process that generated the event. This field can be used to trace the process lineage and identify malicious or suspicious activities. For a DNS request event, this field indicates which process made the DNS request.
NEW QUESTION # 28
When you configure and apply an IOA exclusion, what impact does it have on the host and what you see in the console?
- A. The associated detection will be suppressed and the associated process would have been allowed to run
- B. The associated IOA will still generate a detection but the associated process would have been allowed to run
- C. The process specified is not sent to the Falcon Sandbox for analysis
- D. The sensor will stop sending events from the process specified in the regex pattern
Answer: A
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike's indicators of attack (IOAs), which are behavioral rules that identify malicious activities. This can reduce false positives and improve performance. When you configure and apply an IOA exclusion, the impact is that the associated detection will be suppressed and the associated process would have been allowed to run. This means that you will not see any alerts or events related to that IOA in the console.
NEW QUESTION # 29
Where can you find hosts that are in Reduced Functionality Mode?
- A. Host Search
- B. Executive Summary dashboard
- C. Installation Tokens
- D. Event Search
Answer: A
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Reduced Functionality Mode (RFM) is a state where a host's sensor has limited functionality due to various reasons, such as license expiration, network issues, tampering attempts, etc. You can find hosts that are in RFM by using the Host Search tool and filtering by Sensor Status = RFM. You can also view details about why a host is in RFM by clicking on its hostname.
NEW QUESTION # 30
What information is contained within a Process Timeline?
- A. Only detection process-related events within a given timeframe
- B. A view of activities on Mac or Linux hosts
- C. All cloudable events for a specific host
- D. All cloudable process-related events within a given timeframe
Answer: D
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. You can specify a timeframe to limit the events to a certain period. The tool works for any host platform, not just Mac or Linux.
NEW QUESTION # 31
When analyzing an executable with a global prevalence of "common", but you do not know what the executable is, what is the best course of action?
- A. From detection, click the VT Hash button to pivot to VirusTotal to investigate further
- B. From detection, use API manager to create a custom blocklist
- C. Do nothing, as this file is common and well known
- D. From detection, submit to FalconX for deep dive analysis
Answer: A
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, global prevalence is a field that indicates how frequently the hash of a file is seen across all CrowdStrike customer environments. A global prevalence of common means that the file is widely distributed and likely benign. However, if you do not know what the executable is, you may want to investigate it further to confirm its legitimacy and functionality. One way to do that is to click the VT Hash button from the detection, which will pivot you to VirusTotal, a service that analyzes files and URLs for viruses, malware, and other threats. You can then see more information about the file, such as its name, size, type, signatures, detections, comments, etc.
NEW QUESTION # 32
The Bulk Domain Search tool contains Domain information along with which of the following?
- A. Port Information
- B. Process Information
- C. Threat Actor Information
- D. IP Lookup Information
Answer: D
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Bulk Domain Search tool allows you to search for one or more domains and view a summary of information from Falcon events that contain those domains. The summary includes the domain name, IP address, country, city, ISP, ASN, geolocation, hostname, sensor ID, OS, process name, command line, and organizational unit of the host that communicated with those domains. This means that the tool contains domain information along with IP lookup information.
NEW QUESTION # 33
From the Detections page, how can you view 'in-progress' detections assigned to Falcon Analyst Alex?
- A. Alex does not have the correct role permissions as a Falcon Analyst to be assigned detections
- B. Filter on 'Hostname: Alex' and 'Status: In-Progress'
- C. Filter on 'Status: In-Progress' and 'Assigned-to: Alex*'
- D. Filter on 'Analyst: Alex'
Answer: C
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Detections page allows you to view and manage detections generated by the CrowdStrike Falcon platform. You can use various filters to narrow down the detections based on criteria such as status, severity, tactic, technique, etc. To view 'in-progress' detections assigned to Falcon Analyst Alex, you can filter on 'Status: In-Progress' and 'Assigned-to: Alex*'. The asterisk (*) is a wildcard that matches any characters after Alex.
NEW QUESTION # 34
Which of the following is NOT a filter available on the Detections page?
- A. Severity
- B. Time
- C. Triggering File
- D. CrowdScore
Answer: C
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Detections page allows you to view and manage detections generated by the CrowdStrike Falcon platform. You can use various filters to narrow down the detections based on criteria such as severity, CrowdScore, time, tactic, technique, etc. However, there is no filter for triggering file, which is the file that caused the detection.
NEW QUESTION # 35
What is the difference between Managed and Unmanaged Neighbors in the Falcon console?
- A. A managed sensor has an active prevention policy
- B. A managed neighbor is currently network contained and an unmanaged neighbor is uncontained
- C. An unmanaged neighbor is in a segmented area of the network
- D. A managed neighbor has an installed and provisioned sensor
Answer: D
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, you can use the Hosts page in the Investigate tool to view information about your endpoints, such as hostname, IP address, OS, sensor version, etc. You can also see a list of managed and unmanaged neighbors for each endpoint, which are other devices that have communicated with that endpoint over the network. A managed neighbor is a device that has an installed and provisioned sensor that reports to the CrowdStrike Cloud. An unmanaged neighbor is a device that does not have an installed or provisioned sensor.
NEW QUESTION # 36
You notice that taskeng.exe is one of the processes involved in a detection. What activity should you investigate next?
- A. Scheduled tasks registered prior to the detection
- B. Executions of schtasks.exe after the detection
- C. Pivot to a Hash search for taskeng.exe
- D. User logons after the detection
Answer: A
Explanation:
According to the Microsoft website, taskeng.exe is a legitimate Windows process that is responsible for running scheduled tasks. However, some malware may use this process or create a fake one to execute malicious code. Therefore, if you notice taskeng.exe involved in a detection, you should investigate whether there are any scheduled tasks registered prior to the detection that may have triggered or injected into taskeng.exe. You can use tools such as schtasks.exe or Task Scheduler to view or manage scheduled tasks.
NEW QUESTION # 37
What is the difference between a Host Search and a Host Timeline?
- A. Results from a Host Timeline include process executions and related events organized by data type. A Host Search returns a temporal view of all events for the given host
- B. Results from a Host Search return information in an organized view by type, while a Host Timeline returns a view of all events recorded by the sensor
- C. A Host Timeline only includes process execution events and user account activity
- D. There is no difference - Host Search and Host Timeline are different names for the same search page
Answer: B
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Host Search allows you to search for hosts based on various criteria, such as hostname, IP address, OS, etc. The results are displayed in an organized view by type, such as detections, incidents, processes, network connections, etc. The Host Timeline allows you to view all events recorded by the sensor for a given host in chronological order. The events include process executions, file writes, registry modifications, network connections, user logins, etc.
NEW QUESTION # 38
Which statement is TRUE regarding the "Bulk Domains" search?
- A. The "Bulk Domains" search will allow you to blocklist your queried domains
- B. It will show a list of computers and process that performed a lookup of any of the domains in your search
- C. The "Bulk Domains" search will show IP address and port information for any associated connections
- D. You should only pivot to the "Bulk Domains" search tool after completing an investigation
Answer: B
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Bulk Domain Search tool allows you to search for one or more domains and view a summary of information from Falcon events that contain those domains. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that performed a lookup of any of the domains in your search. This can help you identify potential threats or vulnerabilities in your network.
NEW QUESTION # 39
What happens when you open the full detection details?
- A. The process explorer opens and the detection copies to the clipboard
- B. The process explorer opens and the detection is removed from the console
- C. The process explorer opens and you're able to view the processes and process relationships
- D. The process explorer opens and the Event Search query is run for the detection
Answer: C
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you open the full detection details from a detection alert or dashboard item, you are taken to a page where you can view detailed information about the detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process tree view is also known as the process explorer, which provides a graphical representation of the process hierarchy and activity. You can view the processes and process relationships by expanding or collapsing nodes in the tree. You can also see the event types and timestamps for each process.
NEW QUESTION # 40
You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?
- A. Identifies users associated with the specified hashes
- B. Identifies a detailed list of all process executions for the specified hashes
- C. Identifies hosts that loaded or executed the specified hashes
- D. Identifies detections related to the specified hashes
Answer: C
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Execution Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that loaded or executed those hashes. You can also see a count of detections and incidents related to those hashes.
NEW QUESTION # 41
A list of managed and unmanaged neighbors for an endpoint can be found:
- A. only by searching event data using Event Search
- B. under "Audit" by running Sensor Visibility Exclusions Audit
- C. by reviewing "Groups" in Host Management under the Hosts page
- D. by using Hosts page in the Investigate tool
Answer: D
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, you can use the Hosts page in the Investigate tool to view information about your endpoints, such as hostname, IP address, OS, sensor version, etc. You can also see a list of managed and unmanaged neighbors for each endpoint, which are other devices that have communicated with that endpoint over the network. This can help you identify potential threats or vulnerabilities in your network.
NEW QUESTION # 42
Which option indicates a hash is allowlisted?
- A. No Action
- B. Always Block
- C. Ignore
- D. Allow
Answer: D
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the allowlist feature allows you to exclude files or directories from being scanned or blocked by CrowdStrike's machine learning engine or indicators of attack (IOAs). This can reduce false positives and improve performance. When you allowlist a hash, you are allowing that file to execute on any host that belongs to your organization's CID (customer ID). The option to indicate that a hash is allowlisted is "Allow".
NEW QUESTION # 43
What happens when a hash is set to Always Block through IOC Management?
- A. Execution is prevented and detection alerts are suppressed
- B. Execution is prevented on all hosts by default
- C. The hash is submitted for approval to be blocked from execution once confirmed by Falcon specialists
- D. Execution is prevented on selected host groups
Answer: B
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOC Management allows you to manage indicators of compromise (IOCs), which are artifacts such as hashes, IP addresses, or domains that are associated with malicious activities. You can set different actions for IOCs, such as Allow, No Action, or Always Block. When you set a hash to Always Block through IOC Management, you are preventing that file from executing on any host in your organization by default. This action also generates a detection alert when the file is blocked.
NEW QUESTION # 44
You are reviewing the raw data in an event search from a detection tree. You find a FileOpenInfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?
- A. ContextProcessId_decimal and aid
- B. ResponsibleProcessId_decimal and aid
- C. ParentProcessId_decimal and aid
- D. TargetProcessId_decimal and aid
Answer: D
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. The tool requires two parameters: aid (agent ID) and TargetProcessId_decimal (the decimal value of the process ID). These fields can be obtained from any event that involves the process, such as a FileOpenInfo event, which contains information about a file being opened by a process.
NEW QUESTION # 45
From a detection, what is the fastest way to see children and sibling process information?
- A. Select Full Detection Details from the detection
- B. Right-click the process and select "Follow Process Chain"
- C. Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessId_decimal)
- D. Select the Process Timeline feature, enter the AID, Target Process ID, and Parent Process ID
Answer: A
Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Full Detection Details tool allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process tree view provides a graphical representation of the process hierarchy and activity. You can see children and sibling process information by expanding or collapsing nodes in the tree.
Get ready to pass the CCFR-201 Exam right now using our CrowdStrike CCFR Exam Package: https://www.real4prep.com/CCFR-201-exam.html
A fully updated 2024 CCFR-201 Exam Dumps exam guide from training expert Real4Prep: https://drive.google.com/open?id=1cGd0oFQQk-a4q-DXjrPVmawSune2jSNl