CrowdStrike CCFR-201 CrowdStrike Certified Falcon Responder Exam Practice Test

Page: 1 / 14
Total 60 questions
Question 1

You are notified by a third-party that a program may have redirected traffic to a malicious domain. Which Falcon page will assist you in searching for any domain request information related to this notice?



Answer : B

According to the [CrowdStrike website], the Investigate page is where you can search for and analyze various types of data collected by the Falcon platform, such as events, hosts, processes, hashes, domains, IPs, etc1.You can use various tools, such as Event Search, Host Search, Process Timeline, Hash Search, Bulk Domain Search, etc., to perform different types of searches and view the results in different ways1.If you want to search for any domain request information related to a notice from a third-party, you can use the Investigate page to do so1.For example, you can use the Bulk Domain Search tool to search for the malicious domain and see which hosts and processes communicated with it1.You can also use the Event Search tool to search for DNSRequest events that contain the malicious domain and see more details about the query and response1.


Question 2

Which Executive Summary dashboard item indicates sensors running with unsupported versions?



Answer : C

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Executive Summary dashboard provides an overview of your sensor health and activity1.It includes various items, such as Active Sensors, Inactive Sensors, Detections by Severity, etc1.The item that indicates sensors running with unsupported versions is Sensors in RFM (Reduced Functionality Mode)1.RFM is a state where a sensor has limited functionality due to various reasons, such as license expiration, network issues, tampering attempts, or unsupported versions1.You can see the number and percentage of sensors in RFM and the reasons why they are in RFM1.


Question 3

What happens when a hash is set to Always Block through IOC Management?



Answer : A

According to theCrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOC Management allows you to manage indicators of compromise (IOCs), which are artifacts such as hashes, IP addresses, or domains that are associated with malicious activities2.You can set different actions for IOCs, such as Allow, No Action, or Always Block2.When you set a hash to Always Block through IOC Management, you are preventing that file from executing on any host in your organization by default2.This action also generates a detection alert when the file is blocked2.


Question 4

What happens when a quarantined file is released?



Answer : D

According to theCrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization1.This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud1.


Question 5

The primary purpose for running a Hash Search is to:



Answer : D

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes1.The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that loaded or executed those hashes1.You can also see a count of detections and incidents related to those hashes1.The primary purpose for running a Hash Search is to review information surrounding a hash's related activity, such as which hosts and processes were involved, where they were located, and whether they triggered any alerts1.


Question 6

When examining raw event data, what is the purpose of the field called ParentProcessld_decimal?



Answer : D

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ParentProcessld_decimal field contains the decimal value of the process ID of the parent process that spawned or injected into the target process1.This field can be used to trace the process lineage and identify malicious or suspicious activities1.


Question 7

What is the difference between a Host Search and a Host Timeline?



Answer : A

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Host Search allows you to search for hosts based on various criteria, such as hostname, IP address, OS, etc1.The results are displayed in an organized view by type, such as detections, incidents, processes, network connections, etc1.The Host Timeline allows you to view all events recorded by the sensor for a given host in a chronological order1.The events include process executions, file writes, registry modifications, network connections, user logins, etc1.


Page:    1 / 14   
Total 60 questions