CrowdStrike Falcon Certification Program CCFR-201 Questions & Answers
Question 1:
Which of the following is NOT a filter available on the Detections page?
A. Severity
B. CrowdScore
C. Time
D. Triggering File
Correct Answer: D
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Detections page lets you view and manage detections generated by the CrowdStrike Falcon platform. Filters such as severity, CrowdScore, time, tactic and technique narrow the list of detections. There is no filter for the triggering file (the file that caused the detection), so D is the correct answer.
Question 2:
When examining a raw DNS request event, you see a field called ContextProcessId_decimal. What is the purpose of that field?
A. It contains the TargetProcessId_decimal value for other related events
B. It contains an internal value not useful for an investigation
C. It contains the ContextProcessId_decimal value for the parent process that made the DNS request
D. It contains the TargetProcessId_decimal value for the process that made the DNS request
Correct Answer: D
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ContextProcessId_decimal field holds the decimal process identifier of the process that generated the event. Its value is the same TargetProcessId_decimal that appears in that process's ProcessRollup2 event, which is what lets you trace the process lineage and identify malicious or suspicious activity. For a DNS request event, this field identifies which process made the DNS request.
Question 3:
After pivoting to an event search from a detection, you locate the ProcessRollup2 event. Which two field values are you required to obtain to perform a Process Timeline search so you can determine what the process was doing?
A. SHA256 and TargetProcessId_decimal
B. SHA256 and ParentProcessId_decimal
C. aid and ParentProcessId_decimal
D. aid and TargetProcessId_decimal
Correct Answer: D
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline search requires two parameters: aid (the agent ID of the host) and TargetProcessId_decimal (the sensor-assigned process identifier, in decimal, which is distinct from the operating-system PID). Both values are present in the ProcessRollup2 event, which records each process that has executed on a host. The aid is required because process identifiers are only unique per sensor.
Question 4:
When examining raw event data, what is the purpose of the field called ParentProcessId_decimal?
A. It contains an internal value not useful for an investigation
B. It contains the TargetProcessId_decimal value of the child process
C. It contains the SensorId_decimal value for related events
D. It contains the TargetProcessId_decimal of the parent process
Correct Answer: D
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ParentProcessId_decimal field holds the decimal process identifier of the parent process that spawned the target process; for injection events it identifies the injecting process. Because it matches the parent's own TargetProcessId_decimal, it can be followed back through ProcessRollup2 events to reconstruct the process lineage and identify malicious or suspicious activity.
Question 5:
What information does the MITRE ATT&CK Framework provide?
A. It provides best practices for different cybersecurity domains, such as Identity and Access Management
B. It provides a step-by-step cyber incident response strategy
C. It provides the phases of an adversary's lifecycle, the platforms they are known to attack, and the specific methods they use
D. It is a system that attributes attack techniques to a specific threat actor
Correct Answer: C
According to the MITRE ATT&CK website, MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. It is organized into tactics and techniques: tactics are the high-level goals of an adversary, such as initial access, persistence and lateral movement, and techniques are the specific ways an adversary achieves those goals, such as phishing, credential dumping and remote file copy. The knowledge base also covers the platforms adversaries target, such as Windows, Linux, macOS, Android and iOS, and the phases of an adversary's lifecycle, such as reconnaissance, resource development, execution and command and control.
Question 6:
You are reviewing the raw data in an event search from a detection tree. You find a FileOpenInfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?
A. ParentProcessId_decimal and aid
B. ResponsibleProcessId_decimal and aid
C. ContextProcessId_decimal and aid
D. TargetProcessId_decimal and aid
Correct Answer: D
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool shows all cloudable events associated with a given process, such as process creation, network connections, file writes and registry modifications. The tool requires two parameters: aid (agent ID) and TargetProcessId_decimal (the decimal process identifier). These values can be taken from any event that involves the process, including a FileOpenInfo event, which records a file being opened by a process.
Question 7:
When reviewing a Host Timeline, which of the following filters is available?
A. Severity
B. Event Types
C. User Name
D. Detection ID
Correct Answer: B
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Host Timeline tool shows all events recorded by the sensor for a given host in chronological order. The events include process executions, file writes, registry modifications, network connections and user logins. Filters narrow the events by criteria such as event type, timestamp range, file name, registry key and network destination. There is no filter for severity, user name or detection ID, as these are not attributes of the raw events.
Question 8:
What is the difference between a Host Search and a Host Timeline?
A. Results from a Host Search return information in an organized view by type, while a Host Timeline returns a view of all events recorded by the sensor
B. A Host Timeline only includes process execution events and user account activity
C. Results from a Host Timeline include process executions and related events organized by data type. A Host Search returns a temporal view of all events for the given host
D. There is no difference - Host Search and Host Timeline are different names for the same search page
Correct Answer: A
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, a Host Search lets you search for a host by criteria such as hostname, IP address or OS, and returns its results in an organized view grouped by type, such as detections, incidents, processes and network connections. A Host Timeline shows all events recorded by the sensor for that host in chronological order, including process executions, file writes, registry modifications, network connections and user logins.
Question 9:
You are notified by a third-party that a program may have redirected traffic to a malicious domain. Which Falcon page will assist you in searching for any domain request information related to this notice?
A. Falcon X
B. Investigate
C. Discover
D. Spotlight
Correct Answer: B
According to the CrowdStrike website, the Investigate page is where you search for and analyze the data collected by the Falcon platform, such as events, hosts, processes, hashes, domains and IP addresses. Tools such as Event Search, Host Search, Process Timeline, Hash Search and Bulk Domain Search perform the different kinds of searches and present the results in different views. To look for domain request information related to a third-party notice, use the Investigate page: the Bulk Domain Search tool shows which hosts and processes communicated with the reported domain, and the Event Search tool finds the DNSRequest events containing that domain so you can review the details of the query and its response.
Question 10:
How does a DNSRequest event link to its responsible process?
A. Via both its ContextProcessId_decimal and ParentProcessId_decimal fields
B. Via its ParentProcessId_decimal field
C. Via its ContextProcessId_decimal field
D. Via its TargetProcessId_decimal field
Correct Answer: C
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, a DNSRequest event records a DNS query made by a process and carries fields such as DomainName, QueryType and QueryResponseCode. The field that links the event to its responsible process is ContextProcessId_decimal, which holds the decimal process identifier of the process that generated the event and matches the TargetProcessId_decimal of that process's ProcessRollup2 event. Pivoting on this field (together with the aid) is how you trace the process lineage and identify malicious or suspicious activity.
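The field relationships that Questions 2, 3, 4, 6 and 10 test are easiest to see when the pivots are written out. The following Python is an added worked example, not code from CrowdStrike or from the exam material: it loads a handful of constructed FDR-style records (the aid values, hostnames, timestamps, file names and domain are invented) and implements the three pivots the questions describe: a Process Timeline keyed on aid plus TargetProcessId_decimal, a lineage walk over ParentProcessId_decimal, and a domain-to-process pivot through ContextProcessId_decimal. The event_simpleName spellings are assumed from FDR output; check them against your own feed.

```python
import json

# Constructed sample records in the shape of Falcon FDR events. Field names follow the
# questions above (aid, TargetProcessId_decimal, ParentProcessId_decimal,
# ContextProcessId_decimal); every value below is invented for this example.
SAMPLE_EVENTS_JSON = r"""
[
 {"aid":"aaaa1111","event_simpleName":"ProcessRollup2","timestamp":1700000000,
  "TargetProcessId_decimal":1000,"ParentProcessId_decimal":500,
  "ImageFileName":"\\Device\\HarddiskVolume2\\Windows\\explorer.exe"},
 {"aid":"aaaa1111","event_simpleName":"ProcessRollup2","timestamp":1700000010,
  "TargetProcessId_decimal":1001,"ParentProcessId_decimal":1000,
  "ImageFileName":"\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
  "CommandLine":"powershell.exe -enc SQBFAFgA"},
 {"aid":"aaaa1111","event_simpleName":"DnsRequest","timestamp":1700000012,
  "ContextProcessId_decimal":1001,"DomainName":"updates.bad-example.test"},
 {"aid":"aaaa1111","event_simpleName":"FileOpenInfo","timestamp":1700000015,
  "ContextProcessId_decimal":1001,"TargetFileName":"C:\\Users\\alice\\Documents\\payroll.xlsx"},
 {"aid":"aaaa1111","event_simpleName":"FileOpenInfo","timestamp":1700000016,
  "ContextProcessId_decimal":1000,"TargetFileName":"C:\\Users\\alice\\Desktop\\notes.txt"},
 {"aid":"bbbb2222","event_simpleName":"ProcessRollup2","timestamp":1700000020,
  "TargetProcessId_decimal":1001,"ParentProcessId_decimal":900,
  "ImageFileName":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe"},
 {"aid":"bbbb2222","event_simpleName":"DnsRequest","timestamp":1700000021,
  "ContextProcessId_decimal":1001,"DomainName":"time.example.test"}
]
"""


def load_events(raw=SAMPLE_EVENTS_JSON):
    """Parse the constructed FDR-style records (one JSON object per event)."""
    return json.loads(raw)


def image_basename(path):
    """Strip the \\Device\\HarddiskVolumeN\\... prefix down to the executable name."""
    return path.rsplit("\\", 1)[-1]


def event_process_id(ev):
    """Return the sensor process id an event belongs to.

    A ProcessRollup2 describes the process itself, so its id is TargetProcessId_decimal.
    Every other cloudable event (DnsRequest, FileOpenInfo, ...) names the acting
    process in ContextProcessId_decimal, which carries that same value.
    """
    if ev["event_simpleName"] == "ProcessRollup2":
        return ev["TargetProcessId_decimal"]
    return ev.get("ContextProcessId_decimal")


def process_timeline(events, aid, target_pid):
    """The Process Timeline search: filter on aid AND TargetProcessId_decimal.

    The aid is not optional: process ids are only unique per sensor, so host
    bbbb2222 below also has a process 1001 that must not be mixed in.
    """
    hits = [e for e in events if e["aid"] == aid and event_process_id(e) == target_pid]
    return sorted(hits, key=lambda e: e["timestamp"])


def files_opened_by(events, aid, target_pid):
    """Question 6: every file the process opened, taken from its timeline."""
    return [e["TargetFileName"] for e in process_timeline(events, aid, target_pid)
            if e["event_simpleName"] == "FileOpenInfo"]


def process_lineage(events, aid, target_pid, max_depth=32):
    """Question 4: walk ParentProcessId_decimal back through ProcessRollup2 records.

    Returns executable names root-first. The depth cap and the seen-set guard
    against malformed telemetry that would otherwise loop forever.
    """
    rollups = {e["TargetProcessId_decimal"]: e for e in events
               if e["aid"] == aid and e["event_simpleName"] == "ProcessRollup2"}
    chain, pid, seen = [], target_pid, set()
    while pid in rollups and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(image_basename(rollups[pid]["ImageFileName"]))
        pid = rollups[pid]["ParentProcessId_decimal"]
    chain.reverse()
    return chain


def responsible_process_for_domain(events, domain):
    """Questions 9 and 10: from a reported domain to the process that resolved it.

    Each DnsRequest is joined to the ProcessRollup2 on the same aid whose
    TargetProcessId_decimal equals the request's ContextProcessId_decimal.
    """
    rollups = {(e["aid"], e["TargetProcessId_decimal"]): e for e in events
               if e["event_simpleName"] == "ProcessRollup2"}
    out = []
    for dns in events:
        if dns["event_simpleName"] != "DnsRequest" or dns.get("DomainName") != domain:
            continue
        key = (dns["aid"], dns["ContextProcessId_decimal"])
        if key in rollups:
            out.append((key[0], key[1], image_basename(rollups[key]["ImageFileName"])))
    return out


if __name__ == "__main__":
    evs = load_events()
    for aid, pid, image in responsible_process_for_domain(evs, "updates.bad-example.test"):
        print(aid, pid, image, "lineage:", " > ".join(process_lineage(evs, aid, pid)))
        for e in process_timeline(evs, aid, pid):
            print("  ", e["timestamp"], e["event_simpleName"])
        print("   files opened:", files_opened_by(evs, aid, pid))
```

Running it shows the pivot chain an analyst follows by hand in the Investigate page: the reported domain resolves to powershell.exe on host aaaa1111, that process descends from explorer.exe, and its timeline holds the DNS request plus a subsequent FileOpenInfo on a document, while the unrelated process 1001 on host bbbb2222 stays out of the result because the aid is part of every lookup.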