CrowdStrike CCFR-201 Online Practice Questions and Exam Preparation

CrowdStrike CCFR-201 Online Questions & Answers

• Question 1:

  Which of the following is an example of a MITRE ATTandCK tactic?

  A. Eternal Blue
  B. Defense Evasion
  C. Emotet
  D. Phishing
  B. Defense Evasion

  ---

  explanation:

  Explanation/Reference:

  According to the [MITRE ATTandCK website], MITRE ATTandCK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Defense Evasion is one of the tactics defined by MITRE ATTandCK, which covers actions that adversaries take to avoid detection or prevent security controls from blocking their activities. Eternal Blue, Emotet, and Phishing are examples of techniques, not tactics.

• Question 2:

  How long does detection data remain in the CrowdStrike Cloud before purging begins?

  A. 90 Days
  B. 45 Days
  C. 30 Days
  D. 14 Days
  A. 90 Days

  ---

  explanation:

  Explanation/Reference:

  According to the CrowdStrike Falcon?Data Replicator (FDR) Add-on for Splunk Guide, detection data is stored in the CrowdStrike Cloud for 90 days before purging begins2. This means that you can access and view detections from the past 90 days using the Falcon platform or API2. If you want to retain detection data for longer than 90 days, you can use FDR to replicate it to your own storage system2.

• Question 3:

  What happens when you open the full detection details?

  A. Theprocess explorer opens and the detection is removed from the console
  B. The process explorer opens and you're able to view the processes and process relationships
  C. The process explorer opens and the detection copies to the clipboard
  D. The process explorer opens and the Event Search query is run for the detection
  B. The process explorer opens and you're able to view the processes and process relationships

  ---

  explanation:

  Explanation/Reference:

  According to the [CrowdStrike Falcon?Data Replicator (FDR) Add-on for Splunk Guide], when you open the full detection details from a detection alert or dashboard item, you are taken to a page where you can view detailed information about the detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process tree view is also known as the process explorer, which provides a graphical representation of the process hierarchy and activity. You can view the processes and process relationships by expanding or collapsing nodes in the tree. You can also see the event types and timestamps for each process.

• Question 4:

  What happens when a hash is allowlisted?

  A. Execution is prevented, but detection alerts are suppressed
  B. Execution is allowed on all hosts, including all other Falcon customers
  C. The hash is submitted for approval to be allowed to execute once confirmed by Falcon specialists
  D. Execution is allowed on all hosts that fall under the organization's CID
  D. Execution is allowed on all hosts that fall under the organization's CID

  ---

  explanation:

  Explanation/Reference:

  According to the CrowdStrike Falcon?Data Replicator (FDR) Add-on for Splunk Guide, the allowlist feature allows you to exclude files or directories from being scanned or blocked by CrowdStrike's machine learning engine or indicators of attack (IOAs)2. This can reduce false positives and improve performance2. When you allowlist a hash, you are allowing that file to execute on any host that belongs to your organization's CID (customer ID)2. This does not affect other Falcon customers or hosts outside your CID2.

• Question 5:

  What action is used when you want to save a prevention hash for later use?

  A. Always Block
  B. Never Block
  C. Always Allow
  D. No Action
  A. Always Block

  ---

  explanation:

  Explanation/Reference:

  According to the CrowdStrike Falcon?Data Replicator (FDR) Add-on for Splunk Guide, the Always Block action allows you to block a file from executing on any host in your organization based on its hash value2. This action can be used to prevent known malicious files from running on your endpoints2.

• Question 6:

  Which of the following tactic and technique combinations is sourced from MITRE ATTandCK information?

  A. Falcon Intel via Intelligence Indicator - Domain
  B. Machine Learning via Cloud-Based ML
  C. Malware via PUP
  D. Credential Access via OS Credential Dumping
  D. Credential Access via OS Credential Dumping

  ---

  explanation:

  Explanation/Reference:

  According to the [MITRE ATTandCK website], MITRE ATTandCK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Credential Access via OS Credential Dumping is an example of a tactic and technique combination sourced from MITRE ATTandCK information, which describes how adversaries can obtain credentials from operating system memory or disk storage by using tools such as Mimikatz or ProcDump.

• Question 7:

  Which of the following is returned from the IP Search tool?

  A. IP Summary information from Falcon events containing the given IP
  B. Threat Graph Data for the given IP from Falcon sensors
  C. Unmanaged host data from system ARP tables for the given IPD.IP Detection Summary information for detection events containing the given IP
  A. IP Summary information from Falcon events containing the given IP

  ---

  explanation:

  Explanation/Reference:

  According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the IP Search tool allows you to search for an IP address and view a summary of information from Falcon events that contain that IP address1. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that communicated with that IP address1.

• Question 8:

  After running an Event Search, you can select many Event Actions depending on your results. Which of the following is NOT an option for any Event Action?

  A. Draw Process Explorer
  B. Show a +/- 10-minute window of events
  C. Show a Process Timeline for the responsible process
  D. Show Associated Event Data (from TargetProcessld_decimal or ContextProcessld_decimal)
  A. Draw Process Explorer
  C. Show a Process Timeline for the responsible process
  D. Show Associated Event Data (from TargetProcessld_decimal or ContextProcessld_decimal)

• Question 9:

  The Bulk Domain Search tool contains Domain information along with which of the following?

  A. Process Information
  B. Port Information
  C. IP Lookup Information
  D. Threat Actor Information
  C. IP Lookup Information

  ---

  explanation:

  Explanation/Reference:

  According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Bulk Domain Search tool allows you to search for one or more domains and view a summary of information from Falcon events that contain those domains1. The summary includes the domain name, IP address, country, city, ISP, ASN, geolocation, hostname, sensor ID, OS, process name, command line, and organizational unit of the host that communicated with those domains1. This means that the tool contains domain information along with IP lookup information1.

• Question 10:

  What does the Full Detection Details option provide?

  A. It provides a visualization of program ancestry via the Process Tree View
  B. It provides a visualization of program ancestry via the Process Activity View
  C. It provides detailed list of detection events via the Process Table View
  D. It provides a detailed list of detection events via the Process Tree View
  A. It provides a visualization of program ancestry via the Process Tree View

  ---

  explanation:

  Explanation/Reference:

  According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Full Detection Details option allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc1. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity1. The process tree view provides a visualization of program ancestry, which shows the parent-child and sibling relationships among the processes1. You can also see the event types and timestamps for each process1.