In the Hash Search tool, which of the following is listed under Process Executions?
A. Operating System
B. File Signature
C. Command Line
D. Sensor Version
Correct Answer: C
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that loaded or executed those hashes. You can also see a count of detections and incidents related to those hashes. Under Process Executions, you can see the process name and command line for each hash execution.
Question 22:
What happens when you create a Sensor Visibility Exclusion for a trusted file path?
A. It excludes host information from Detections and Incidents generated within that file path location
B. It prevents file uploads to the CrowdStrike cloud from that file path
C. It excludes sensor monitoring and event collection for the trusted file path
D. It disables detection generation from that path, however the sensor can still perform prevention actions
Correct Answer: C
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, Sensor Visibility Exclusions allow you to exclude certain files or directories from being monitored by the CrowdStrike sensor, which can reduce noise and improve performance. This means that no events will be collected or sent to the CrowdStrike Cloud for those files or directories.
Question 23:
Which of the following is NOT a valid event type?
A. StartofProcess
B. EndofProcess
C. ProcessRollup2
D. DnsRequest
Correct Answer: B
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, event types are categories of events that are generated by the sensor for various activities, such as process executions, file writes, registry modifications, network connections, etc. There are many valid event types, such as StartOfProcess, ProcessRollup2, DnsRequest, etc. However, EndOfProcess is not a valid event type, as there is no such event that records the end of a process.
Question 24:
What happens when a quarantined file is released?
A. It is moved into the C:\CrowdStrike\Quarantine\Released folder on the host
B. It is allowed to execute on the host
C. It is deleted
D. It is allowed to execute on all hosts
Correct Answer: D
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.
Question 25:
What is the difference between Managed and Unmanaged Neighbors in the Falcon console?
A. A managed neighbor is currently network contained and an unmanaged neighbor is uncontained
B. A managed neighbor has an installed and provisioned sensor
C. An unmanaged neighbor is in a segmented area of the network
D. A managed sensor has an active prevention policy
Correct Answer: B
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, you can use the Hosts page in the Investigate tool to view information about your endpoints, such as hostname, IP address, OS, sensor version, etc. You can also see a list of managed and unmanaged neighbors for each endpoint, which are other devices that have communicated with that endpoint over the network. A managed neighbor is a device that has an installed and provisioned sensor that reports to the CrowdStrike Cloud. An unmanaged neighbor is a device that does not have an installed or provisioned sensor.
Question 26:
When looking at the details of a detection, there are two fields called Global Prevalence and Local Prevalence. Which answer best defines Local Prevalence?
A. Local prevalence is the frequency with which the hash of the triggering file is seen across the entire Internet
B. Local Prevalence tells you how common the hash of the triggering file is within your environment (CID)
C. Local Prevalence is the Virus Total score for the hash of the triggering file
D. Local prevalence is the frequency with which the hash of the triggering file is seen across all CrowdStrike customer environments
Correct Answer: B
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Global Prevalence and Local Prevalence are two fields that provide information about how common or rare a file is based on its hash value. Global Prevalence tells you how frequently the hash of the triggering file is seen across all CrowdStrike customer environments. Local Prevalence tells you how frequently the hash of the triggering file is seen within your environment (CID). These fields can help you assess the risk and impact of a detection.
Question 27:
What is an advantage of using the IP Search tool?
A. IP searches provide manufacture and timezone data that can not be accessed anywhere else
B. IP searches allow for multiple comma separated IPv6 addresses as input
C. IP searches offer shortcuts to launch response actions and network containment on target hosts
D. IP searches provide host, process, and organizational unit data without the need to write a query
Correct Answer: D
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the IP Search tool allows you to search for an IP address and view a summary of information from Falcon events that contain that IP address. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that communicated with that IP address. This is an advantage of using the IP Search tool because it provides host, process, and organizational unit data without the need to write a query.
Question 28:
What does pivoting to an Event Search from a detection do?
A. It gives you the ability to search for similar events on other endpoints quickly
B. It takes you to the raw Insight event data and provides you with a number of Event Actions
C. It takes you to a Process Timeline for that detection so you can see all related events
D. It allows you to input an event type, such as DNS Request or ASEP write, and search for those events within the detection
Correct Answer: B
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, pivoting to an Event Search from a detection takes you to the raw Insight event data and provides you with a number of Event Actions. Insight events are low-level events that are generated by the sensor for various activities, such as process executions, file writes, registry modifications, network connections, etc. You can view these events in a table format and use various filters and fields to narrow down the results. You can also select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events, etc. These actions can help you investigate and analyze events more efficiently and effectively.
Question 29:
The Falcon platform will show a maximum of how many detections per day for a single Agent Identifier (AID)?
A. 500
B. 750
C. 1000
D. 1200
Correct Answer: C
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Falcon platform will show a maximum of 1000 detections per day for a single AID. This is a limit imposed by the Falcon API, which is used to retrieve the detections from the CrowdStrike Cloud. If there are more than 1000 detections per day for a single AID, only the first 1000 will be shown.
Question 30:
Which statement is TRUE regarding the "Bulk Domains" search?
A. It will show a list of computers and process that performed a lookup of any of the domains in your search
B. The "Bulk Domains" search will allow you to blocklist your queried domains
C. The "Bulk Domains" search will show IP address and port information for any associated connections
D. You should only pivot to the "Bulk Domains" search tool after completing an investigation
Correct Answer: A
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Bulk Domain Search tool allows you to search for one or more domains and view a summary of information from Falcon events that contain those domains. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that performed a lookup of any of the domains in your search. This can help you identify potential threats or vulnerabilities in your network.