Within the MITRE-Based Falcon Detections Framework, what is the correct way to interpret Keep Access > Persistence > Create Account?
A. An adversary is trying to keep access through persistence by creating an account
B. An adversary is trying to keep access through persistence using browser extensions
C. An adversary is trying to keep access through persistence using external remote services
D. An adversary is trying to keep access through persistence using application skimming
Correct Answer: A
According to the [CrowdStrike website], the MITRE-Based Falcon Detections Framework is a way of categorizing and describing detections based on the MITRE ATT&CK knowledge base of adversary behaviors and techniques. The framework uses three levels of granularity: category, tactic, and technique. The category is the highest level and represents the main objective of an adversary, such as initial access, execution, credential access, etc. The tactic is the second level and represents the sub-objective of an adversary within a category, such as persistence, privilege escalation, defense evasion, etc. The technique is the lowest level and represents the specific way an adversary can achieve a tactic, such as create account, modify registry, obfuscated files or information, etc. Therefore, the correct way to interpret Keep Access > Persistence > Create Account is that an adversary is trying to keep access through persistence by creating an account.
Question 12:
Sensor Visibility Exclusion patterns are written in which syntax?
A. Glob Syntax
B. Kleene Star Syntax
C. RegEx
D. SPL(Splunk)
Correct Answer: A
According to the [CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide], Sensor Visibility Exclusions allow you to exclude files or directories from being monitored by the sensor. This can reduce the amount of data sent to the CrowdStrike Cloud and improve performance. Sensor Visibility Exclusion patterns are written in Glob Syntax, a simple pattern-matching syntax that supports wildcards such as * and ?. For example, you can use *.exe to exclude all files with the .exe extension.
Question 13:
Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?
A. You can't export detailed event data from a detection, you have to use the Process Timeline or an Event Search
B. In Full Detection Details, you expand the nodes of the process tree you wish to expand and then click the "Export Process Events" button
C. In Full Detection Details, you choose the "View Process Activity" option and then export from that view
D. From the Detections Dashboard, you right-click the event type you wish to export and choose CSV, JSON or XML
Correct Answer: C
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, there are three ways to export process event data from a detection in .CSV format:
You can use the Process Timeline tool and click the "Export CSV" button at the top right corner.
You can use the Event Search tool, select one or more events, and click the "Export CSV" button at the top right corner.
You can use the Full Detection Details tool and choose the "View Process Activity" option from any process node in the process tree view. This shows all events generated by that process in a rows-and-columns style view. You can then click the "Export CSV" button at the top right corner.
Question 14:
Which option indicates a hash is allowlisted?
A. No Action
B. Allow
C. Ignore
D. Always Block
Correct Answer: B
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the allowlist feature allows you to exclude files or directories from being scanned or blocked by CrowdStrike's machine learning engine or indicators of attack (IOAs). This can reduce false positives and improve performance. When you allowlist a hash, you are allowing that file to execute on any host that belongs to your organization's CID (customer ID). The option that indicates a hash is allowlisted is "Allow".
Question 15:
The function of Machine Learning Exclusions is to___________.
A. stop all detections for a specific pattern ID
B. stop all sensor data collection for the matching path(s)
C. stop all Machine Learning Preventions, but a detection will still be generated and files will still be uploaded to the CrowdStrike Cloud
D. stop all ML-based detections and preventions for the matching path(s) and/or stop files from being uploaded to the CrowdStrike Cloud
Correct Answer: D
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, Machine Learning Exclusions allow you to exclude files or directories from being scanned by CrowdStrike's machine learning engine, which can reduce false positives and improve performance. You can also choose whether or not to upload the excluded files to the CrowdStrike Cloud.
Question 16:
How long are quarantined files stored on the host?
A. 45 Days
B. 30 Days
C. Quarantined files are never deleted from the host
D. 90 Days
Correct Answer: C
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, quarantined files are never deleted from the host unless you manually delete them or release them from quarantine. When you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.
Question 17:
Which Executive Summary dashboard item indicates sensors running with unsupported versions?
A. Detections by Severity
B. Inactive Sensors
C. Sensors in RFM
D. Active Sensors
Correct Answer: C
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Executive Summary dashboard provides an overview of your sensor health and activity. It includes various items, such as Active Sensors, Inactive Sensors, Detections by Severity, etc. The item that indicates sensors running with unsupported versions is Sensors in RFM (Reduced Functionality Mode). RFM is a state in which a sensor has limited functionality for various reasons, such as license expiration, network issues, tampering attempts, or unsupported versions. You can see the number and percentage of sensors in RFM and the reasons why they are in RFM.
Question 18:
What do IOA exclusions help you achieve?
A. Reduce false positives based on Next-Gen Antivirus settings in the Prevention Policy
B. Reduce false positives of behavioral detections from IOA based detections only
C. Reduce false positives of behavioral detections from IOA based detections based on a file hash
D. Reduce false positives of behavioral detections from Custom IOA and OverWatch detections only
Correct Answer: B
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike's indicators of attack (IOAs), which are behavioral rules that identify malicious activities. This can reduce false positives and improve performance. IOA exclusions apply only to IOA-based detections, not to other types of detections such as machine learning, custom IOA, or OverWatch.
Question 19:
What types of events are returned by a Process Timeline?
A. Only detection events
B. All cloudable events
C. Only process events
D. Only network events
Correct Answer: B
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline search returns all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. This gives you a comprehensive view of what a process was doing on a host.
Question 20:
You notice that taskeng.exe is one of the processes involved in a detection. What activity should you investigate next?
A. User logons after the detection
B. Executions of schtasks.exe after the detection
C. Scheduled tasks registered prior to the detection
D. Pivot to a Hash search for taskeng.exe
Correct Answer: C
According to the [Microsoft website], taskeng.exe is a legitimate Windows process that is responsible for running scheduled tasks. However, some malware may use this process or create a fake one to execute malicious code. Therefore, if you notice taskeng.exe involved in a detection, you should investigate whether there are any scheduled tasks registered prior to the detection that may have triggered or injected into taskeng.exe. You can use tools such as schtasks.exe or Task Scheduler to view or manage scheduled tasks.