CrowdStrike Certified Falcon Responder CCFR-201 Exam Practice Test

Answer : D

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc2.The tool requires two parameters:aid(agent ID) andTargetProcessId_decimal(the decimal value of the process ID)2.These fields can be obtained from any event that involves the process, such as a FileOpenInfo event, which contains information about a file being opened by a process2.

Answer : A

According to theCrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Always Block action allows you to block a file from executing on any host in your organization based on its hash value2.This action can be used to prevent known malicious files from running on your endpoints2.

Answer : D

According to theCrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, Machine Learning Exclusions allow you to exclude files or directories from being scanned by CrowdStrike's machine learning engine, which can reduce false positives and improve performance2.You can also choose whether to upload the excluded files to the CrowdStrike Cloud or not2.

Answer : A

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the IP Search tool allows you to search for an IP address and view a summary of information from Falcon events that contain that IP address1.The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that communicated with that IP address1.

Answer : C

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, there are three ways to export process event data from a detection in .CSV format1:

You can use the Process Timeline tool and click on ''Export CSV'' button at the top right corner1.

You can use the Event Search tool and select one or more events and click on ''Export CSV'' button at the top right corner1.

You can use the Full Detection Details tool and choose the ''View Process Activity'' option from any process node in the process tree view1.This will show you all events generated by that process in a rows-and-columns style view1.You can then click on ''Export CSV'' button at the top right corner1.

Answer : C

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Executive Summary dashboard provides an overview of your sensor health and activity1.It includes various items, such as Active Sensors, Inactive Sensors, Detections by Severity, etc1.The item that indicates sensors running with unsupported versions is Sensors in RFM (Reduced Functionality Mode)1.RFM is a state where a sensor has limited functionality due to various reasons, such as license expiration, network issues, tampering attempts, or unsupported versions1.You can see the number and percentage of sensors in RFM and the reasons why they are in RFM1.

Answer : B

According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Defense Evasion is one of the tactics defined by MITRE ATT&CK, which covers actions that adversaries take to avoid detection or prevent security controls from blocking their activities. Eternal Blue, Emotet, and Phishing are examples of techniques, not tactics.