Depending on the subscription level, " Cloudable Events " (standard telemetry) have a specific retention period. What is the minimum period of time that these events are retained?
Refer to the image.

You receive the detection displayed in the image above on a host in your environment.
Assuming you have the correct permissions, where would you navigate to remotely connect to the host and investigate further?
Executive dashboards provide a high-level view of security. Which of the following CANNOT be seen from the Executive Summary Dashboard?
During the triage of a detection involving a newly created persistent task, which specific indicator is most important for a responder to identify the actual intent of the service?
CrowdStrike provides ' Overwatch Best Practices ' for triaging alerts. According to these guidelines, what is the next step a responder should take immediately after the ' Understand the detection ' step?
The MITRE-Based Falcon Detections Framework is a core component of the Falcon UI. What is the primary operational advantage provided by this framework to a Tier 1 responder?
A security responder is investigating a detection where a low-privileged process attempted to manipulate a system token to gain administrative rights. Within the specific terminology used by the Falcon console, ' Privilege Escalation ' is classified as a:
How are processes on the same plane ordered (bottom ' VMTOOLSD.EXE ' to top CMD.EXE ' )?


CrowdScore is a metric used to identify the severity of an ongoing incident. What percentage of increase in a CrowdScore is considered a strong indication of a coordinated attack?
During a targeted investigation into a potentially compromised internal administrative account, a responder utilizes the User Search functionality within the Investigate menu. The goal is to identify if the account was leveraged to drop or launch unauthorized binaries across multiple systems in the environment. Which specific data category is natively visible in the User Search results to facilitate this check?
Responders often need to organize detections to identify trends across the environment. Which of the following is NOT a grouping option currently available on the ' Endpoint Detections ' page?
A responder is explaining the quarantine process to a system administrator. What happens technically when a file is quarantined by the Falcon sensor?
When an organization needs to detect a specific behavior that is unique to their environment, they can create a Custom IOA. Which of the following is NOT required when configuring a custom IOA from scratch?
After pivoting to an event search from a detection, you locate the ProcessRollup2 event. Which two field values are you required to obtain to perform a Process Timeline search so you can determine what the process was doing?
When training a new team member on how to interpret Falcon telemetry, a senior responder explains the definition of a ' Tactic ' . Which of the following sentences best captures the technical definition of a Tactic in this context?
Which tool or search type is recommended as the " best search " to use when performing the " Examine what ' s normal for this system " step in an investigation?
After an investigation, the following malicious artifacts have been identified:
C:\Users*\AppData\iamnotmalware.exe
C:\Users*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iamnotmalware.lnk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iamnotmalware_really
What method will remove all associated artifacts from hosts that trigger future related detections?
Refer to Image:

You are investigating a network connection in event search.
Which option next to the raw event data should you select to pivot to a graphical representation for all the processes related to the network connection event?
A responder needs to view a high-level overview of the environment ' s security posture. Where can they find the ' Activity Dashboard ' ?
Which of the following tactic and technique combinations is sourced from MITRE ATT AND CK information?
In the full detection tree view, icons provide visual cues about the telemetry. What does the specific icon representing a ' Falcon ' (blue bird) indicate to the responder?
During the incident response process, a responder must update the status of a detection. Which of the following options is NOT a valid detection status recognized by the Falcon console?
The User Search results are organized into several categories. Which of the following is NOT a sub-heading in the User Search?
From the Detections page, how can you view ' in-progress ' detections assigned to Falcon Analyst Alex?
You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?
Which of the following sentences best describes the technical visibility provided by the ' Host Timeline ' view?
A responder is unsure about the difference between ' Detection ' and ' Prevention ' settings. Where can they find information about Detection and Prevention Policies?
While examining the ' Process Details ' sidebar of a detection, a responder sees the following icons: " 25 Network Operations " and " 277 Disk Operations " . What does this contextual data represent?
The Falcon sensor can take several automated actions to protect an endpoint. Which of the following is NOT an action that Falcon takes upon detection?
Evaluate the following process tree observed in a detection:
root > smss.exe > winlogon.exe > userinit.exe > explorer.exe > windows_media_player_y35s21-4ak.exe
Based on the parent-child relationships, which entry source is most likely?
During the configuration of a new IOA rule, the administrator must decide what action the sensor should take. Which of the following is NOT a valid IOA rule action?
From a detection, what is the fastest way to see children and sibling process information?
What is the difference between Managed and Unmanaged Neighbors in the Falcon console?
A responder needs to find a specific sequence of network connections that did not trigger a detection. Which search tool allows them to search for anything within the raw telemetry?
Detections in Falcon are classified by their origin. Which of the following is NOT a recognized type of detection?
Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?
An analyst needs to perform local sandbox analysis on a malicious file. When they download a quarantined file from the Falcon UI, what is the file format and the default password?
A responder needs to categorize an incident based on the high-level goals of the attacker. Which of the following lists correctly identifies the " Objectives " as they are natively defined and used within the Falcon platform?
How long does detection data remain in the CrowdStrike Cloud before purging begins?
Refer to the image.

In the Full Detection View while viewing the Process Tree you see an attack outlined as in the image above.
Based on what you see, what happened during the attack?
To understand how a threat moved on a system, a responder must know the role of common processes. Which of the following statements best describes the standard functionality of explorer.exe?
While most searches are accessible from a detection, some require a manual jump. Which search is not available as a direct pivot from a detection?
Host Search is a powerful investigation tool. From which of the following sources is a responder most likely to pivot directly to a Host Search?
You receive an email from a third-party vendor that one of their services is compromised,thevendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?
Which Executive Summary dashboard item indicates sensors running with unsupported versions?