CrowdStrike CCFR-201b Exam Questions Instant Access

Question 1

When examining raw event data, what is the purpose of the field called ParentProcessld_decimal?

AIt contains an internal value not useful for an investigation

BIt contains the TargetProcessld_decimal value of the child process

CIt contains the Sensorld_decimal value for related events

DIt contains the TargetProcessld_decimal of the parent process

Answer : D

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ParentProcessld_decimal field contains the decimal value of the process ID of the parent process that spawned or injected into the target process1.This field can be used to trace the process lineage and identify malicious or suspicious activities1.

Question 2

How does a DNSRequest event link to its responsible process?

AVia both its ContextProcessld__decimal and ParentProcessld_decimal fields

BVia its ParentProcessld_decimal field

CVia its ContextProcessld_decimal field

DVia its TargetProcessld_decimal field

Answer : C

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, a DNSRequest event contains information about a DNS query made by a process2.The event has several fields, such as DomainName, QueryType, QueryResponseCode, etc2.The field that links a DNSRequest event to its responsible process is ContextProcessId_decimal, which contains the decimal value of the process ID of the process that generated the event2.You can use this field to trace the process lineage and identify malicious or suspicious activities2.

Question 3

The function of Machine Learning Exclusions is to___________.

Astop all detections for a specific pattern ID

Bstop all sensor data collection for the matching path(s)

CStop all Machine Learning Preventions but a detection will still be generated and files will still be uploaded to the CrowdStrike Cloud

Dstop all ML-based detections and preventions for the matching path(s) and/or stop files from being uploaded to the CrowdStrike Cloud

Answer : D

According to theCrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, Machine Learning Exclusions allow you to exclude files or directories from being scanned by CrowdStrike's machine learning engine, which can reduce false positives and improve performance2.You can also choose whether to upload the excluded files to the CrowdStrike Cloud or not2.

Question 4

After running an Event Search, you can select many Event Actions depending on your results. Which of the following is NOT an option for any Event Action?

ADraw Process Explorer

BShow a +/- 10-minute window of events

CShow a Process Timeline for the responsible process

DShow Associated Event Data (from TargetProcessld_decimal or ContextProcessld_decimal)

Answer : A

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Event Search tool allows you to search for events based on various criteria, such as event type, timestamp, hostname, IP address, etc1.You can also select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events, etc1.However, there is no option to draw a process explorer, which is a graphical representation of the process hierarchy and activity1.

Question 5

You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the following?

AProcessTimeline Link

BPID

CUTCtime

DProcess ID or Parent Process ID

Answer : D

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc1.The tool requires two parameters:aid(agent ID) andTargetProcessId_decimal(the decimal value of the process ID)1.You can jump to a Process Timeline from many views, such as Hash Search, Host Timeline, Event Search, etc., by clicking on either the Process ID or Parent Process ID fields in those views1.This will automatically populate the aid and TargetProcessId_decimal parameters for the Process Timeline tool1.

Question 6

What happens when a hash is set to Always Block through IOC Management?

AExecution is prevented on all hosts by default

BExecution is prevented on selected host groups

CExecution is prevented and detection alerts are suppressed

DThe hash is submitted for approval to be blocked from execution once confirmed by Falcon specialists

Answer : A

According to theCrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOC Management allows you to manage indicators of compromise (IOCs), which are artifacts such as hashes, IP addresses, or domains that are associated with malicious activities2.You can set different actions for IOCs, such as Allow, No Action, or Always Block2.When you set a hash to Always Block through IOC Management, you are preventing that file from executing on any host in your organization by default2.This action also generates a detection alert when the file is blocked2.

Question 7

Which of the following is NOT a filter available on the Detections page?

ASeverity

BCrowdScore

CTime

DTriggering File

Answer : D

According to theCrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Detections page allows you to view and manage detections generated by the CrowdStrike Falcon platform2.You can use various filters to narrow down the detections based on criteria such as severity, CrowdScore, time, tactic, technique, etc2.However, there is no filter for triggering file, which is the file that caused the detection2.

CrowdStrike Certified Falcon Responder CCFR-201b Exam Questions