CrowdStrike CCFR-201b Exam Questions Instant Access

Question 1

What are Event Actions?

AAutomated searches that can be used to pivot between related events and searches

BPivotable hyperlinks available in a Host Search

CCustom event data queries bookmarked by the currently signed in Falcon user

DRaw Falcon event data

Answer : A

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Event Actions are automated searches that can be used to pivot between related events and searches1.They are available in various tools, such as Event Search, Process Timeline, Host Timeline, etc1.You can select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events, etc1.These actions can help you investigate and analyze events more efficiently and effectively1.

Question 2

What is an advantage of using a Process Timeline?

AProcess related events can be filtered to display specific event types

BSuspicious processes are color-coded based on their frequency and legitimacy over time

CProcesses responsible for spikes in CPU performance are displayed overtime

DA visual representation of Parent-Child and Sibling process relationships is provided

Answer : A

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc2.You can also filter the events by various criteria, such as event type, timestamp range, file name, registry key, network destination, etc2.This is an advantage of using the Process Timeline tool because it allows you to focus on specific events that are relevant to your investigation2.

Question 3

What does pivoting to an Event Search from a detection do?

AIt gives you the ability to search for similar events on other endpoints quickly

BIt takes you to the raw Insight event data and provides you with a number of Event Actions

CIt takes you to a Process Timeline for that detection so you can see all related events

DIt allows you to input an event type, such as DNS Request or ASEP write, and search for those events within the detection

Answer : B

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, pivoting to an Event Search from a detection takes you to the raw Insight event data and provides you with a number of Event Actions1.Insight events are low-level events that are generated by the sensor for various activities, such as process executions, file writes, registry modifications, network connections, etc1.You can view these events in a table format and use various filters and fields to narrow down the results1.You can also select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events, etc1.These actions can help you investigate and analyze events more efficiently and effectively1.

Question 4

The Process Activity View provides a rows-and-columns style view of the events generated in a detection. Why might this be helpful?

AThe Process Activity View creates a consolidated view of all detection events for that process that can be exported for further analysis

BThe Process Activity View will show the Detection time of the earliest recorded activity which might indicate first affected machine

CThe Process Activity View only creates a summary of Dynamic Link Libraries (DLLs) loaded by a process

DThe Process Activity View creates a count of event types only, which can be useful when scoping the event

Answer : A

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Activity View allows you to view all events generated by a process involved in a detection in a rows-and-columns style view1.This can be helpful because it creates a consolidated view of all detection events for that process that can be exported for further analysis1.You can also sort, filter, and pivot on the events by various fields, such as event type, timestamp, file name, registry key, network destination, etc1.

Question 5

What action is used when you want to save a prevention hash for later use?

AAlways Block

BNever Block

CAlways Allow

DNo Action

Answer : A

According to theCrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Always Block action allows you to block a file from executing on any host in your organization based on its hash value2.This action can be used to prevent known malicious files from running on your endpoints2.

Question 6

You are reviewing the raw data in an event search from a detection tree. You find a FileOpenlnfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?

AParentProcessld_decimal and aid

BResponsibleProcessld_decimal and aid

CContextProcessld_decimal and aid

DTargetProcessld_decimal and aid

Answer : D

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc2.The tool requires two parameters:aid(agent ID) andTargetProcessId_decimal(the decimal value of the process ID)2.These fields can be obtained from any event that involves the process, such as a FileOpenInfo event, which contains information about a file being opened by a process2.

Question 7

How are processes on the same plane ordered (bottom 'VMTOOLSD.EXE' to top CMD.EXE')?

AProcess ID (Descending, highest on bottom)

BTime started (Descending, most recent on bottom)

CTime started (Ascending, most recent on top)

DProcess ID (Ascending, highest on top)

Answer : B

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the process tree view provides a visualization of program ancestry, which shows the parent-child and sibling relationships among the processes1.You can also see the event types and timestamps for each process1.The processes on the same plane are ordered by time started in descending order, meaning that the most recent process is at the bottom and the oldest process is at the top1.For example, in the image you sent me, CMD.EXE is the oldest process and VMTOOLSD.EXE is the most recent process on that plane1.

CrowdStrike Certified Falcon Responder CCFR-201b Exam Questions