CrowdStrike CCFR-201b Exam Questions Instant Access

Question 1

When looking at the details of a detection, there are two fields called Global Prevalence and Local Prevalence. Which answer best defines Local Prevalence?

ALocal prevalence is the frequency with which the hash of the triggering file is seen across the entire Internet

BLocal Prevalence tells you how common the hash of the triggering file is within your environment (CID)

CLocal Prevalence is the Virus Total score for the hash of the triggering file

DLocal prevalence is the frequency with which the hash of the triggering file is seen across all CrowdStrike customer environments

Answer : B

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Global Prevalence and Local Prevalence are two fields that provide information about how common or rare a file is based on its hash value2.Global Prevalence tells you how frequently the hash of the triggering file is seen across all CrowdStrike customer environments2.Local Prevalence tells you how frequently the hash of the triggering file is seen within your environment (CID)2.These fields can help you assess the risk and impact of a detection2.

Question 2

The Process Activity View provides a rows-and-columns style view of the events generated in a detection. Why might this be helpful?

AThe Process Activity View creates a consolidated view of all detection events for that process that can be exported for further analysis

BThe Process Activity View will show the Detection time of the earliest recorded activity which might indicate first affected machine

CThe Process Activity View only creates a summary of Dynamic Link Libraries (DLLs) loaded by a process

DThe Process Activity View creates a count of event types only, which can be useful when scoping the event

Answer : A

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Activity View allows you to view all events generated by a process involved in a detection in a rows-and-columns style view1.This can be helpful because it creates a consolidated view of all detection events for that process that can be exported for further analysis1.You can also sort, filter, and pivot on the events by various fields, such as event type, timestamp, file name, registry key, network destination, etc1.

Question 3

Which is TRUE regarding a file released from quarantine?

ANo executions are allowed for 14 days after release

BIt is allowed to execute on all hosts

CIt is deleted

DIt will not generate future machine learning detections on the associated host

Answer : B

According to theCrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization2.This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud2.

Question 4

What happens when you create a Sensor Visibility Exclusion for a trusted file path?

AIt excludes host information from Detections and Incidents generated within that file path location

BIt prevents file uploads to the CrowdStrike cloud from that file path

CIt excludes sensor monitoring and event collection for the trusted file path

DIt disables detection generation from that path, however the sensor can still perform prevention actions

Answer : C

According to theCrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, Sensor Visibility Exclusions allow you to exclude certain files or directories from being monitored by the CrowdStrike sensor, which can reduce noise and improve performance2.This means that no events will be collected or sent to the CrowdStrike Cloud for those files or directories2.

Question 5

When examining a raw DNS request event, you see a field called ContextProcessld_decimal. What is the purpose of that field?

AIt contains the TargetProcessld_decimal value for other related events

BIt contains an internal value not useful for an investigation

CIt contains the ContextProcessld_decimal value for the parent process that made the DNS request

DIt contains the TargetProcessld_decimal value for the process that made the DNS request

Answer : D

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ContextProcessld_decimal field contains the decimal value of the process ID of the process that generated the event1.This field can be used to trace the process lineage and identify malicious or suspicious activities1.For a DNS request event, this field indicates which process made the DNS request1.

Question 6

Which of the following is returned from the IP Search tool?

AIP Summary information from Falcon events containing the given IP

BThreat Graph Data for the given IP from Falcon sensors

CUnmanaged host data from system ARP tables for the given IP D. IP Detection Summary information for detection events containing the given IP

Answer : A

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the IP Search tool allows you to search for an IP address and view a summary of information from Falcon events that contain that IP address1.The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that communicated with that IP address1.

Question 7

How are processes on the same plane ordered (bottom 'VMTOOLSD.EXE' to top CMD.EXE')?

AProcess ID (Descending, highest on bottom)

BTime started (Descending, most recent on bottom)

CTime started (Ascending, most recent on top)

DProcess ID (Ascending, highest on top)

Answer : B

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the process tree view provides a visualization of program ancestry, which shows the parent-child and sibling relationships among the processes1.You can also see the event types and timestamps for each process1.The processes on the same plane are ordered by time started in descending order, meaning that the most recent process is at the bottom and the oldest process is at the top1.For example, in the image you sent me, CMD.EXE is the oldest process and VMTOOLSD.EXE is the most recent process on that plane1.

CrowdStrike Certified Falcon Responder CCFR-201b Exam Questions