How are processes on the same plane ordered (bottom 'VMTOOLSD.EXE' to top 'CMD.EXE')?
A. Process ID (Descending, highest on bottom)
B. Time started (Descending, most recent on bottom)
C. Time started (Ascending, most recent on top)
D. Process ID (Ascending, highest on top)
Correct Answer: B
According to the CrowdStrike Falcon documentation, the process tree view visualizes program ancestry: the parent-child and sibling relationships among processes, along with the event types and timestamps for each process. Processes on the same plane (siblings under the same parent) are ordered by time started, oldest at the top and most recent at the bottom, which is how option B phrases it. In the example the question refers to, CMD.EXE is the oldest process on that plane and VMTOOLSD.EXE the most recent.
Question 42:
What are Event Actions?
A. Automated searches that can be used to pivot between related events and searches
B. Pivotable hyperlinks available in a Host Search
C. Custom event data queries bookmarked by the currently signed in Falcon user
D. Raw Falcon event data
Correct Answer: A
According to the CrowdStrike Falcon documentation, Event Actions are automated searches that let you pivot between related events and searches. They are available in several tools, such as Event Search, Process Timeline and Host Timeline. You select one or more events and choose an action, for example show a process timeline, show a host timeline, show associated event data, or show a +/- 10 minute window of events around the selection. These pivots let you investigate related activity without hand-building each query.
Question 43:
From a detection, what is the fastest way to see children and sibling process information?
A. Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessld_decimal)
B. Select Full Detection Details from the detection
C. Right-click the process and select "Follow Process Chain"
D. Select the Process Timeline feature, enter the AID. Target Process ID, and Parent Process ID
Correct Answer: B
According to the CrowdStrike Falcon documentation, Full Detection Details shows the details of a detection (detection ID, severity, tactic, technique, description) and the events generated by the processes involved, in three views: process tree, process timeline and process activity. The process tree view is a graphical representation of the process hierarchy and its activity; expanding or collapsing nodes in the tree reveals the children and siblings of any process, which makes it the fastest path from a detection to that information. The other options either require extra parameters (Process Timeline needs the AID and process IDs) or describe pivots that do not exist in the console.
Question 44:
Where can you find hosts that are in Reduced Functionality Mode?
A. Event Search
B. Executive Summary dashboard
C. Host Search
D. Installation Tokens
Correct Answer: C
According to the CrowdStrike Falcon documentation, Reduced Functionality Mode (RFM) is a safe mode the sensor enters when it cannot fully support the host, typically because the operating system kernel or build is one the installed sensor version does not yet support (for example after a Linux kernel update or a Windows feature upgrade). In RFM the sensor keeps a minimal set of protections but stops collecting most event data, so RFM hosts are blind spots that should be tracked down. You find them with the Host Search tool by filtering on the sensor's RFM status; selecting a host shows why it is in RFM. The fix is usually to update the sensor to a version that supports the new kernel or OS build, or to roll the host back to a supported one.
Question 45:
The primary purpose for running a Hash Search is to:
A. determine any network connections
B. review the processes involved with a detection
C. determine the origin of the detection
D. review information surrounding a hash's related activity
Correct Answer: D
According to the CrowdStrike Falcon documentation, the Hash Search tool lets you search for one or more SHA256 hashes and view a summary of the Falcon events that contain them. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line and organizational unit of each host that loaded or executed the hash, together with a count of related detections and incidents. The primary purpose of a Hash Search is therefore to review the activity surrounding a hash: which hosts and processes were involved, where they were, and whether they triggered any alerts. Note that the tool takes SHA256 only; MD5 or SHA1 values from a vendor report must be mapped to SHA256 first.
Question 46:
You receive an email from a third-party vendor that one of their services is compromised, and the vendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?
A. IP Addresses
B. Remote or Network Logon Activity
C. Remote Access Graph
D. Hash Executions
Correct Answer: A
According to the CrowdStrike Falcon documentation, the Discover page is where you search for and analyze indicators of compromise (IOCs) such as hashes, IP addresses and domains associated with malicious activity. It offers tools such as Hash Executions, IP Addresses and Remote or Network Logon Activity for different kinds of searches. To find activity related to the IP address the vendor reported, use the IP Addresses tool: enter the address and you get a summary of the Falcon events that reference it, including the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line and organizational unit of each host that communicated with it. The other options are for a different indicator type (Hash Executions) or for logon and remote-access analysis rather than a network indicator lookup.
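The two indicator pivots described above (Hash Search in question 45 and the IP Addresses lookup in question 46) both reduce to the same operation: filter the event stream on one indicator and summarize the hosts and processes involved. The following Python is an added example, not code from the page or from CrowdStrike; it runs over a handful of constructed events that borrow Falcon's field names (`SHA256HashData`, `RemoteAddressIP4`, `ContextProcessId_decimal`, `TargetProcessId_decimal`) but whose values are made up. The hash is normalized and validated before use, the IP is parsed with `ipaddress` so a malformed indicator fails loudly rather than silently matching nothing, and network events are joined back to the process that made the connection the way the console does (`ContextProcessId_decimal` to `TargetProcessId_decimal`, scoped by `aid`).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample telemetry in the shape of Falcon sensor events.
# Field names follow Falcon's event schema; every value here is made up.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "aid-001", "ComputerName": "WS-101",
     "ImageFileName": r"\Device\HarddiskVolume1\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "SHA256HashData": "ab" * 32,
     "TargetProcessId_decimal": 4100},
    {"event_simpleName": "ProcessRollup2", "aid": "aid-002", "ComputerName": "SRV-07",
     "ImageFileName": r"\Device\HarddiskVolume2\Tools\agent.exe",
     "CommandLine": "agent.exe --sync", "SHA256HashData": "ab" * 32,
     "TargetProcessId_decimal": 9000},
    {"event_simpleName": "NetworkConnectIP4", "aid": "aid-001", "ComputerName": "WS-101",
     "RemoteAddressIP4": "203.0.113.10", "RemotePort": "443",
     "ContextProcessId_decimal": 4100},
    {"event_simpleName": "NetworkConnectIP4", "aid": "aid-002", "ComputerName": "SRV-07",
     "RemoteAddressIP4": "203.0.113.10", "RemotePort": "8443",
     "ContextProcessId_decimal": 9000},
    {"event_simpleName": "NetworkConnectIP4", "aid": "aid-002", "ComputerName": "SRV-07",
     "RemoteAddressIP4": "198.51.100.5", "RemotePort": "80",
     "ContextProcessId_decimal": 9000},
    {"event_simpleName": "DetectionSummaryEvent", "aid": "aid-001", "ComputerName": "WS-101",
     "SHA256HashData": "ab" * 32, "Severity": "Medium"},
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_sha256(value):
    """Lower-case and validate a SHA256 hex digest; raises ValueError on anything else (e.g. an MD5)."""
    digest = value.strip().lower()
    if not SHA256_RE.match(digest):
        raise ValueError(f"not a SHA256 hex digest: {value!r}")
    return digest


def hash_search(events, sha256):
    """Hash Search style summary: hosts that executed the hash, the command lines seen, and detection count."""
    digest = normalize_sha256(sha256)
    summary = {"hosts": set(), "processes": set(), "detections": 0}
    for ev in events:
        if ev.get("SHA256HashData", "").lower() != digest:
            continue
        summary["hosts"].add(ev["ComputerName"])
        if ev["event_simpleName"] == "ProcessRollup2":
            summary["processes"].add(ev["CommandLine"])
        elif ev["event_simpleName"] == "DetectionSummaryEvent":
            summary["detections"] += 1
    summary["hosts"] = sorted(summary["hosts"])
    summary["processes"] = sorted(summary["processes"])
    return summary


def ip_search(events, ip):
    """IP Addresses style summary: per host, the remote ports used and the process images that connected."""
    addr = str(ipaddress.ip_address(ip.strip()))  # ValueError on a malformed indicator
    # Map (aid, pid) -> image basename so a network event can be attributed to its process.
    proc_names = {
        (e["aid"], e["TargetProcessId_decimal"]): e["ImageFileName"].rsplit("\\", 1)[-1]
        for e in events if e["event_simpleName"] == "ProcessRollup2"
    }
    by_host = defaultdict(lambda: {"ports": set(), "processes": set()})
    for ev in events:
        if ev.get("event_simpleName") != "NetworkConnectIP4" or ev.get("RemoteAddressIP4") != addr:
            continue
        entry = by_host[ev["ComputerName"]]
        entry["ports"].add(int(ev["RemotePort"]))
        entry["processes"].add(proc_names.get((ev["aid"], ev["ContextProcessId_decimal"]), "unknown"))
    return {host: {"ports": sorted(v["ports"]), "processes": sorted(v["processes"])}
            for host, v in sorted(by_host.items())}


if __name__ == "__main__":
    print(hash_search(SAMPLE_EVENTS, "AB" * 32))
    print(ip_search(SAMPLE_EVENTS, "203.0.113.10"))
```

The join through `ContextProcessId_decimal` is what turns "this host talked to the IP" into "this process on this host talked to the IP", which is the detail you need before deciding whether the vendor's indicator represents their compromised service or your own software contacting it legitimately.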
Question 47:
In the "Full Detection Details", which view will provide an exportable text listing of events like DNS requests, Registry Operations, and Network Operations?
A. The data is unable to be exported
B. View as Process Tree
C. View as Process Timeline
D. View as Process Activity
Correct Answer: D
According to the CrowdStrike Falcon documentation, Full Detection Details shows the details of a detection (detection ID, severity, tactic, technique, description) and lets you view the events generated by the processes involved as a process tree, a process timeline, or process activity. The process activity view presents those events in rows and columns, covering DNS requests, registry operations, network operations and similar event types, and it can be exported to CSV for analysis outside the console. The tree and timeline views are visual and are not the exportable listing the question asks for.
Question 48:
When analyzing an executable with a global prevalence of "common", but you do not know what the executable is, what is the best course of action?
A. Do nothing, as this file is common and well known
B. From detection, click the VT Hash button to pivot to VirusTotal to investigate further
C. From detection, use API manager to create a custom blocklist
D. From detection, submit to FalconX for deep dive analysis
Correct Answer: B
According to the CrowdStrike Falcon documentation, global prevalence indicates how frequently a file's hash is seen across all CrowdStrike customer environments. A global prevalence of "common" means the file is widely distributed, which usually points to legitimate software but is not proof of it: widely installed administrative tools are routinely abused, so prevalence tells you how unusual the file is, not whether it is safe. If you do not recognize the executable, confirm what it is before dismissing it. The quickest step from the detection is the VT Hash button, which pivots to VirusTotal on the file's hash, where you can see its name, size, type, signatures, vendor detections and community comments. Creating a blocklist entry or submitting to Falcon X for sandbox analysis are heavier actions that make sense only once you have reason to suspect the file.
Question 49:
When you configure and apply an IOA exclusion, what impact does it have on the host and what you see in the console?
A. The process specified is not sent to the Falcon Sandbox for analysis
B. The associated detection will be suppressed and the associated process would have been allowed to run
C. The sensor will stop sending events from the process specified in the regex pattern
D. The associated IOA will still generate a detection but the associated process would have been allowed to run
Correct Answer: B
According to the CrowdStrike Falcon documentation, an IOA exclusion suppresses a specific behavioral detection (an indicator of attack) for processes whose image file name and command line match the regex patterns in the exclusion, scoped to the host groups you apply it to. Its purpose is to remove known false positives. When an IOA exclusion is configured and applied, the matching detection is suppressed and the associated process is allowed to run, so nothing for that IOA appears in the console for matching processes. This is different from a sensor visibility exclusion, which stops the sensor from collecting events for a path altogether; an IOA exclusion leaves event collection intact and only silences the matched detection pattern. Because each exclusion is a blind spot, keep the regex as narrow as the false positive allows (full image path and the specific command line) rather than excluding an interpreter or tool wholesale.
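To make the scoping point concrete, the following Python is an added example, not code from the page or from CrowdStrike. It models an IOA exclusion as a detection pattern name plus two case-insensitive regexes over the image file name and the command line (matching the two fields a Falcon IOA exclusion takes), runs three constructed detections through it, and contrasts a narrow exclusion that silences one known-good backup script with an over-broad one that also hides an encoded-command detection. The detections, paths and pattern names are invented; the class and function names are this example's own.

```python
import re


class IoaExclusion:
    """One exclusion: suppress `pattern_name` detections when both regexes match.

    Windows paths and command lines are case-insensitive, so the regexes are compiled
    with re.IGNORECASE; otherwise a capitalised 'PowerShell.exe' would slip past a
    lower-case exclusion and, worse, a lower-case attacker invocation past an
    exclusion written with capitals.
    """

    def __init__(self, name, pattern_name, image_regex, cmdline_regex):
        self.name = name
        self.pattern_name = pattern_name
        self.image_re = re.compile(image_regex, re.IGNORECASE)
        self.cmdline_re = re.compile(cmdline_regex, re.IGNORECASE)

    def matches(self, detection):
        return (detection["pattern"] == self.pattern_name
                and self.image_re.search(detection["ImageFileName"]) is not None
                and self.cmdline_re.search(detection["CommandLine"]) is not None)


def apply_exclusions(detections, exclusions):
    """Return (shown, suppressed) as lists of (detection id, exclusion name or None)."""
    shown, suppressed = [], []
    for det in detections:
        hit = next((x for x in exclusions if x.matches(det)), None)
        (suppressed if hit else shown).append((det["id"], hit.name if hit else None))
    return shown, suppressed


# Constructed detections using the fields an IOA exclusion is evaluated against; values are made up.
PS_PATH = r"\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_DETECTIONS = [
    {"id": "det-1", "pattern": "Suspicious PowerShell encoded command",
     "ImageFileName": PS_PATH, "CommandLine": "powershell.exe -enc SQBFAFgAIAAo"},
    {"id": "det-2", "pattern": "Suspicious PowerShell encoded command",
     "ImageFileName": PS_PATH,
     "CommandLine": r"PowerShell.exe -NoProfile -File C:\Program Files\BackupCo\backup.ps1"},
    {"id": "det-3", "pattern": "Credential dumping via LSASS access",
     "ImageFileName": r"\Device\HarddiskVolume1\Tools\procdump.exe",
     "CommandLine": "procdump.exe -ma lsass.exe"},
]

# Narrow: the exact interpreter and the exact known-good command line.
NARROW = IoaExclusion(
    name="backupco-script",
    pattern_name="Suspicious PowerShell encoded command",
    image_regex=r"\\powershell\.exe$",
    cmdline_regex=r"^powershell\.exe -NoProfile -File C:\\Program Files\\BackupCo\\backup\.ps1$",
)

# Over-broad: any PowerShell command line. This also hides det-1, the encoded command.
TOO_BROAD = IoaExclusion(
    name="all-powershell",
    pattern_name="Suspicious PowerShell encoded command",
    image_regex=r"\\powershell\.exe$",
    cmdline_regex=r".*",
)


if __name__ == "__main__":
    for label, excl in (("narrow", NARROW), ("too broad", TOO_BROAD)):
        shown, suppressed = apply_exclusions(SAMPLE_DETECTIONS, [excl])
        print(label, "shown:", shown, "suppressed:", suppressed)
```

Run it and the narrow exclusion suppresses only det-2 while det-1 (the encoded command) and det-3 (the LSASS dump, a different IOA) still surface; the broad one also swallows det-1. The LSASS detection is untouched by either because an IOA exclusion is bound to one detection pattern, which is also why a narrow exclusion for one false positive does not silence other behaviors from the same binary.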
Question 50:
You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the following?
A. ProcessTimeline Link
B. PID
C. UTCtime
D. Process ID or Parent Process ID
Correct Answer: D
According to the CrowdStrike Falcon documentation, the Process Timeline tool shows all cloudable events associated with a given process, such as process creation, network connections, file writes and registry modifications. It requires two parameters: aid (the agent ID of the host) and TargetProcessId_decimal (the decimal process ID). Process IDs are only unique within one host, which is why the aid is mandatory. You can jump to a Process Timeline from many views, including Hash Search, Host Timeline and Event Search, by clicking either the Process ID or the Parent Process ID field in those views; the link carries the aid and TargetProcessId_decimal into the Process Timeline tool for you. Clicking the Parent Process ID is the quick way to step one level up the ancestry chain.
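Questions 41, 43 and 50 all rest on the same structure: processes keyed by (aid, process ID), linked to their parents through the parent process ID, and siblings ordered by start time. The following Python is an added example, not code from the page or from CrowdStrike, that builds that structure from a few constructed ProcessRollup2-style events (field names follow Falcon's schema, values are invented; `ProcessStartTime_decimal` is used as the start time) and then answers the three questions: sibling ordering on one plane, children and siblings of a process, and the (aid, TargetProcessId_decimal) pair a Process Timeline pivot needs. Keying by (aid, pid) rather than pid alone is deliberate: a second host that reuses the same PID must not be merged into the first host's tree.

```python
from collections import defaultdict

# Constructed ProcessRollup2-style events; values are made up. Start times are epoch seconds.
SAMPLE_PROCESSES = [
    {"aid": "aid-001", "TargetProcessId_decimal": 100, "ParentProcessId_decimal": 1,
     "ImageFileName": r"\Device\HarddiskVolume1\Windows\explorer.exe", "ProcessStartTime_decimal": 1000},
    {"aid": "aid-001", "TargetProcessId_decimal": 200, "ParentProcessId_decimal": 100,
     "ImageFileName": r"\Device\HarddiskVolume1\Windows\System32\cmd.exe", "ProcessStartTime_decimal": 1010},
    {"aid": "aid-001", "TargetProcessId_decimal": 210, "ParentProcessId_decimal": 200,
     "ImageFileName": r"\Device\HarddiskVolume1\Windows\System32\whoami.exe", "ProcessStartTime_decimal": 1011},
    {"aid": "aid-001", "TargetProcessId_decimal": 220, "ParentProcessId_decimal": 200,
     "ImageFileName": r"\Device\HarddiskVolume1\Windows\System32\net.exe", "ProcessStartTime_decimal": 1012},
    {"aid": "aid-001", "TargetProcessId_decimal": 300, "ParentProcessId_decimal": 100,
     "ImageFileName": r"\Device\HarddiskVolume1\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "ProcessStartTime_decimal": 1020},
    # Same PID 200 on a different host: must stay separate from aid-001's cmd.exe.
    {"aid": "aid-002", "TargetProcessId_decimal": 200, "ParentProcessId_decimal": 5,
     "ImageFileName": r"\Device\HarddiskVolume1\Windows\System32\svchost.exe", "ProcessStartTime_decimal": 900},
]


def process_key(ev):
    return (ev["aid"], ev["TargetProcessId_decimal"])


def basename(ev):
    return ev["ImageFileName"].rsplit("\\", 1)[-1]


def build_tree(events):
    """Index processes by (aid, pid) and map each (aid, parent pid) to its children."""
    by_key = {process_key(e): e for e in events}
    children = defaultdict(list)
    for e in events:
        children[(e["aid"], e["ParentProcessId_decimal"])].append(e)
    return by_key, children


def _by_start(procs, newest_first=False):
    return sorted(procs, key=lambda e: e["ProcessStartTime_decimal"], reverse=newest_first)


def children_of(tree, aid, pid, newest_first=False):
    """Children of one process in plane order: oldest first (top of the tree) unless newest_first."""
    _, children = tree
    return [basename(e) for e in _by_start(children[(aid, pid)], newest_first)]


def siblings_of(tree, aid, pid):
    """Other processes on the same plane (same parent, same host), oldest first."""
    by_key, children = tree
    me = by_key[(aid, pid)]
    plane = children[(aid, me["ParentProcessId_decimal"])]
    return [basename(e) for e in _by_start(plane) if process_key(e) != (aid, pid)]


def ancestry(tree, aid, pid):
    """Walk parent links to the root; stops when the parent is unknown or a cycle appears."""
    by_key, _ = tree
    chain, seen, key = [], set(), (aid, pid)
    while key in by_key and key not in seen:
        seen.add(key)
        chain.append(basename(by_key[key]))
        key = (aid, by_key[key]["ParentProcessId_decimal"])
    return chain


def timeline_params(ev):
    """The two parameters a Process Timeline pivot carries from a Process ID link."""
    return {"aid": ev["aid"], "TargetProcessId_decimal": ev["TargetProcessId_decimal"]}


def parent_timeline_params(tree, aid, pid):
    """Parameters for the Parent Process ID link: same aid, parent's pid."""
    by_key, _ = tree
    return {"aid": aid, "TargetProcessId_decimal": by_key[(aid, pid)]["ParentProcessId_decimal"]}


if __name__ == "__main__":
    tree = build_tree(SAMPLE_PROCESSES)
    print("plane under explorer.exe, top to bottom:", children_of(tree, "aid-001", 100))
    print("siblings of cmd.exe:", siblings_of(tree, "aid-001", 200))
    print("ancestry of whoami.exe:", ancestry(tree, "aid-001", 210))
    print("timeline pivot for net.exe:", timeline_params(tree[0][("aid-001", 220)]))
```

With this data the plane under explorer.exe reads cmd.exe then vmtoolsd.exe top to bottom, matching the ordering in question 41, and the (aid, pid) keying keeps aid-002's svchost.exe (also PID 200) out of aid-001's tree.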