What does the Full Detection Details option provide?
A. It provides a visualization of program ancestry via the Process Tree View
B. It provides a visualization of program ancestry via the Process Activity View
C. It provides detailed list of detection events via the Process Table View
D. It provides a detailed list of detection events via the Process Tree View
Correct Answer: A
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Full Detection Details option allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. [1]. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity [1]. The process tree view provides a visualization of program ancestry, which shows the parent-child and sibling relationships among the processes [1]. You can also see the event types and timestamps for each process [1].
Question 52:
The Bulk Domain Search tool contains Domain information along with which of the following?
A. Process Information
B. Port Information
C. IP Lookup Information
D. Threat Actor Information
Correct Answer: C
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Bulk Domain Search tool allows you to search for one or more domains and view a summary of information from Falcon events that contain those domains [1]. The summary includes the domain name, IP address, country, city, ISP, ASN, geolocation, hostname, sensor ID, OS, process name, command line, and organizational unit of the host that communicated with those domains [1]. This means that the tool contains domain information along with IP lookup information [1].
Question 53:
After running an Event Search, you can select many Event Actions depending on your results. Which of the following is NOT an option for any Event Action?
A. Draw Process Explorer
B. Show a +/- 10-minute window of events
C. Show a Process Timeline for the responsible process
D. Show Associated Event Data (from TargetProcessId_decimal or ContextProcessId_decimal)
Correct Answer: A
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Event Search tool allows you to search for events based on various criteria, such as event type, timestamp, hostname, IP address, etc. [1]. You can also select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events, etc. [1]. However, there is no option to draw a process explorer, which is a graphical representation of the process hierarchy and activity [1].
Question 54:
Which of the following is returned from the IP Search tool?
A. IP Summary information from Falcon events containing the given IP
B. Threat Graph Data for the given IP from Falcon sensors
C. Unmanaged host data from system ARP tables for the given IP
D. IP Detection Summary information for detection events containing the given IP
Correct Answer: A
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the IP Search tool allows you to search for an IP address and view a summary of information from Falcon events that contain that IP address [1]. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that communicated with that IP address [1].
Question 55:
Which of the following tactic and technique combinations is sourced from MITRE ATT&CK information?
A. Falcon Intel via Intelligence Indicator - Domain
B. Machine Learning via Cloud-Based ML
C. Malware via PUP
D. Credential Access via OS Credential Dumping
Correct Answer: D
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Credential Access via OS Credential Dumping is an example of a tactic and technique combination sourced from MITRE ATT&CK information, which describes how adversaries can obtain credentials from operating system memory or disk storage by using tools such as Mimikatz or ProcDump.
Question 56:
What action is used when you want to save a prevention hash for later use?
A. Always Block
B. Never Block
C. Always Allow
D. No Action
Correct Answer: A
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Always Block action allows you to block a file from executing on any host in your organization based on its hash value [2]. This action can be used to prevent known malicious files from running on your endpoints [2].
Question 57:
What happens when a hash is allowlisted?
A. Execution is prevented, but detection alerts are suppressed
B. Execution is allowed on all hosts, including all other Falcon customers
C. The hash is submitted for approval to be allowed to execute once confirmed by Falcon specialists
D. Execution is allowed on all hosts that fall under the organization's CID
Correct Answer: D
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the allowlist feature allows you to exclude files or directories from being scanned or blocked by CrowdStrike's machine learning engine or indicators of attack (IOAs) [2]. This can reduce false positives and improve performance [2]. When you allowlist a hash, you are allowing that file to execute on any host that belongs to your organization's CID (customer ID) [2]. This does not affect other Falcon customers or hosts outside your CID [2].
Question 58:
What happens when you open the full detection details?
A. The process explorer opens and the detection is removed from the console
B. The process explorer opens and you're able to view the processes and process relationships
C. The process explorer opens and the detection copies to the clipboard
D. The process explorer opens and the Event Search query is run for the detection
Correct Answer: B
According to the [CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide], when you open the full detection details from a detection alert or dashboard item, you are taken to a page where you can view detailed information about the detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process tree view is also known as the process explorer, which provides a graphical representation of the process hierarchy and activity. You can view the processes and process relationships by expanding or collapsing nodes in the tree. You can also see the event types and timestamps for each process.
Question 59:
How long does detection data remain in the CrowdStrike Cloud before purging begins?
A. 90 Days
B. 45 Days
C. 30 Days
D. 14 Days
Correct Answer: A
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, detection data is stored in the CrowdStrike Cloud for 90 days before purging begins [2]. This means that you can access and view detections from the past 90 days using the Falcon platform or API [2]. If you want to retain detection data for longer than 90 days, you can use FDR to replicate it to your own storage system [2].
Question 60:
Which of the following is an example of a MITRE ATT&CK tactic?
A. Eternal Blue
B. Defense Evasion
C. Emotet
D. Phishing
Correct Answer: B
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Defense Evasion is one of the tactics defined by MITRE ATT&CK, which covers actions that adversaries take to avoid detection or prevent security controls from blocking their activities. Eternal Blue, Emotet, and Phishing are examples of techniques, not tactics.