What information is contained within a Process Timeline?
A. All cloudable process-related events within a given timeframe
B. All cloudable events for a specific host
C. Only detection process-related events within a given timeframe
D. A view of activities on Mac or Linux hosts
Correct Answer: A
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. You can specify a timeframe to limit the events to a certain period. The tool works for any host platform, not just Mac or Linux.
Question 32:
Which is TRUE regarding a file released from quarantine?
A. No executions are allowed for 14 days after release
B. It is allowed to execute on all hosts
C. It is deleted
D. It will not generate future machine learning detections on the associated host
Correct Answer: B
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.
Question 33:
What is an advantage of using a Process Timeline?
A. Process related events can be filtered to display specific event types
B. Suspicious processes are color-coded based on their frequency and legitimacy over time
C. Processes responsible for spikes in CPU performance are displayed overtime
D. A visual representation of Parent-Child and Sibling process relationships is provided
Correct Answer: A
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. You can also filter the events by various criteria, such as event type, timestamp range, file name, registry key, network destination, etc. This is an advantage of using the Process Timeline tool because it allows you to focus on specific events that are relevant to your investigation.
Question 34:
How long are quarantined files stored in the CrowdStrike Cloud?
A. 45 Days
B. 90 Days
C. Days
D. Quarantined files are not deleted
Correct Answer: B
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you quarantine a file from a host using IOC Management or Real Time Response (RTR), you are moving it from its original location to a secure location on the host where it cannot be executed. The file is also encrypted and renamed with a random string of characters. A copy of the file is also uploaded to the CrowdStrike Cloud for further analysis. Quarantined files are stored in the CrowdStrike Cloud for 90 days before they are deleted.
Question 35:
The Process Activity View provides a rows-and-columns style view of the events generated in a detection. Why might this be helpful?
A. The Process Activity View creates a consolidated view of all detection events for that process that can be exported for further analysis
B. The Process Activity View will show the Detection time of the earliest recorded activity which might indicate first affected machine
C. The Process Activity View only creates a summary of Dynamic Link Libraries (DLLs) loaded by a process
D. The Process Activity View creates a count of event types only, which can be useful when scoping the event
Correct Answer: A
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Activity View allows you to view all events generated by a process involved in a detection in a rows-and-columns style view. This can be helpful because it creates a consolidated view of all detection events for that process that can be exported for further analysis. You can also sort, filter, and pivot on the events by various fields, such as event type, timestamp, file name, registry key, network destination, etc.
Question 36:
A list of managed and unmanaged neighbors for an endpoint can be found:
A. by using Hosts page in the Investigate tool
B. by reviewing "Groups" in Host Management under the Hosts page
C. under "Audit" by running Sensor Visibility Exclusions Audit
D. only by searching event data using Event Search
Correct Answer: A
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, you can use the Hosts page in the Investigate tool to view information about your endpoints, such as hostname, IP address, OS, sensor version, etc. You can also see a list of managed and unmanaged neighbors for each endpoint, which are other devices that have communicated with that endpoint over the network. This can help you identify potential threats or vulnerabilities in your network.
Question 37:
What happens when a hash is set to Always Block through IOC Management?
A. Execution is prevented on all hosts by default
B. Execution is prevented on selected host groups
C. Execution is prevented and detection alerts are suppressed
D. The hash is submitted for approval to be blocked from execution once confirmed by Falcon specialists
Correct Answer: A
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOC Management allows you to manage indicators of compromise (IOCs), which are artifacts such as hashes, IP addresses, or domains that are associated with malicious activities. You can set different actions for IOCs, such as Allow, No Action, or Always Block. When you set a hash to Always Block through IOC Management, you are preventing that file from executing on any host in your organization by default. This action also generates a detection alert when the file is blocked.
Question 38:
Where are quarantined files stored on Windows hosts?
A. Windows\Quarantine
B. Windows\System32\Drivers\CrowdStrike\Quarantine
C. Windows\System32\
D. Windows\temp\Drivers\CrowdStrike\Quarantine
Correct Answer: B
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you quarantine a file from a host using IOC Management or Real Time Response (RTR), you are moving it from its original location to a secure location on the host where it cannot be executed. The file is also encrypted and renamed with a random string of characters. On Windows hosts, quarantined files are stored in the C:\Windows\System32\Drivers\CrowdStrike\Quarantine folder.
Question 39:
You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?
A. Identifies a detailed list of all process executions for the specified hashes
B. Identifies hosts that loaded or executed the specified hashes
C. Identifies users associated with the specified hashes
D. Identifies detections related to the specified hashes
Correct Answer: B
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Execution Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that loaded or executed those hashes. You can also see a count of detections and incidents related to those hashes.
Question 40:
From the Detections page, how can you view 'in-progress' detections assigned to Falcon Analyst Alex?
A. Filter on 'Analyst: Alex'
B. Alex does not have the correct role permissions as a Falcon Analyst to be assigned detections
C. Filter on 'Hostname: Alex' and 'Status: In-Progress'
D. Filter on 'Status: In-Progress' and 'Assigned-to: Alex*'
Correct Answer: D
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Detections page allows you to view and manage detections generated by the CrowdStrike Falcon platform. You can use various filters to narrow down the detections based on criteria such as status, severity, tactic, technique, etc. To view 'in-progress' detections assigned to Falcon Analyst Alex, you can filter on 'Status: In-Progress' and 'Assigned-to: Alex*'. The asterisk (*) is a wildcard that matches any characters after Alex.