Free CCFR-201b Practice Exam Questions (Online)
Which of the following attributes can be viewed in the IP Search interface? (Choose three)
- A . Total bytes transferred
- B . Endpoint hostnames connected to the IP
- C . Known threat tags or reputation
- D . Process name launched by the IP
What is the default port used by Falcon RTR to establish a connection with a managed host?
- A . 22
- B . 443
- C . 8443
- D . 80
The primary purpose for running a Hash Search is to:
- A . determine any network connections
- B . review the processes involved with a detection
- C . determine the origin of the detection
- D . review information surrounding a hash’s related activity
D
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Search tool lets you search for one or more SHA256 hashes and view a summary of the Falcon events that contain those hashes. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of each host that loaded or executed the hash, along with a count of detections and incidents related to it. The primary purpose of a Hash Search is therefore to review the activity surrounding a hash: which hosts and processes were involved, where they were located, and whether they triggered any alerts. The other options describe narrower tasks (network connections, the processes behind one detection, or the origin of one detection) that are better served by the process timeline and detection views.
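The aggregation a Hash Search performs, shown as an added example (this is not code from the exam, the cited guide, or CrowdStrike): given a set of process and detection events, summarize everything tied to one SHA256. The event records, their field names, and the event type labels are constructed for the example; real Falcon telemetry uses different field names. Hashes are normalized to lowercase before comparison because mixed-case hashes copied from reports are a common reason a search silently returns nothing.

```python
from collections import defaultdict

# Constructed sample events in a Falcon-like shape; not real sensor telemetry.
HASH_A = "a1" * 32
HASH_B = "b2" * 32

SAMPLE_EVENTS = [
    {"event_type": "ProcessRollup2", "sha256": HASH_A, "hostname": "WS-001",
     "aid": "aid-001", "os": "Windows 10", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    # Same hash, but the sensor (or analyst) recorded it in upper case.
    {"event_type": "ProcessRollup2", "sha256": HASH_A.upper(), "hostname": "WS-002",
     "aid": "aid-002", "os": "Windows 11", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"event_type": "DetectionSummaryEvent", "sha256": HASH_A, "hostname": "WS-002",
     "aid": "aid-002", "os": "Windows 11", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"event_type": "ProcessRollup2", "sha256": HASH_B, "hostname": "SRV-010",
     "aid": "aid-010", "os": "Windows Server 2019", "process": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]


def summarize_hash(events, sha256):
    """Summarize activity for one SHA256 the way a Hash Search does:
    which hosts saw it, which processes/command lines carried it,
    and how many detection events referenced it."""
    target = sha256.strip().lower()
    hosts, processes, cmdlines = set(), set(), set()
    event_count = detection_count = 0
    for ev in events:
        if ev.get("sha256", "").lower() != target:
            continue
        event_count += 1
        hosts.add((ev["hostname"], ev["aid"], ev["os"]))
        processes.add(ev["process"])
        cmdlines.add(ev["cmdline"])
        if ev["event_type"] == "DetectionSummaryEvent":
            detection_count += 1
    return {
        "sha256": target,
        "hosts": sorted(hosts),
        "processes": sorted(processes),
        "cmdlines": sorted(cmdlines),
        "event_count": event_count,
        "detection_count": detection_count,
        # Internal prevalence: distinct hosts in *your* environment that saw the hash.
        "prevalence": len(hosts),
    }


def summarize_all(events):
    """One summary per distinct hash in the event set, keyed by lowercase SHA256."""
    hashes = {ev["sha256"].lower() for ev in events if "sha256" in ev}
    return {h: summarize_hash(events, h) for h in sorted(hashes)}


if __name__ == "__main__":
    for h, s in summarize_all(SAMPLE_EVENTS).items():
        print(h[:12], "prevalence=%d detections=%d hosts=%s"
              % (s["prevalence"], s["detection_count"], [x[0] for x in s["hosts"]]))
```

The prevalence figure is the per-environment count the "internal prevalence" question later on this page refers to; a hash seen on two of your hosts has an internal prevalence of 2 regardless of how widespread it is globally.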
What does internal prevalence indicate in Falcon detection analysis?
- A . Number of endpoints globally affected
- B . Number of times an indicator was seen in the external threat landscape
- C . Number of times an indicator appeared within your environment
- D . The geographic location of the threat
When executing a command within Falcon RTR, what is the expected behavior for long-running processes?
- A . They will timeout immediately
- B . They will continue running until the endpoint is rebooted
- C . They will be interrupted
- D . The command will run in the background
What key detail can be found in the Full Detection Details under process relationships?
- A . MAC address of the system
- B . Network speed
- C . Parent and child process hierarchy
- D . Audit log entries
What is a common indicator of compromise (IoC) that investigators search for in logs?
- A . Suspicious or unusual IP addresses/domains
- B . High CPU usage
- C . Password resets
- D . Unsuccessful login attempts
From the Detections page, how can you view ‘in-progress’ detections assigned to Falcon Analyst Alex?
- A . Filter on ‘Analyst: Alex’
- B . Alex does not have the correct role permissions as a Falcon Analyst to be assigned detections
- C . Filter on ‘Hostname: Alex’ and ‘Status: In-Progress’
- D . Filter on ‘Status: In-Progress’ and ‘Assigned-to: Alex*’
D
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the Detections page lets you view and manage detections generated by the Falcon platform, using filters such as status, severity, tactic, and technique to narrow the list. To view ‘in-progress’ detections assigned to Falcon Analyst Alex, combine the two filters ‘Status: In-Progress’ and ‘Assigned-to: Alex*’. The asterisk (*) is a wildcard that matches any characters after "Alex", so the filter also returns detections assigned to any other analyst whose name begins with those letters; tighten the pattern if that is not what you want. Hostname is the wrong field (option C), and the Falcon Analyst role can be assigned detections (option B).
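The filter combination from the answer, as an added example that is not code from the exam, the cited guide, or CrowdStrike. It applies an exact status match and a glob-style assigned-to pattern to constructed detection records (field names and the status value are assumptions for the example; the console's own matching rules, including case sensitivity, are not specified on this page, so the code uses case-sensitive `fnmatchcase`). It also shows the caveat from the explanation: `Alex*` matches "Alexandra" as well as "Alex Chen", while `Alex *` does not.

```python
import fnmatch

# Constructed sample detection records; not real Falcon data.
SAMPLE_DETECTIONS = [
    {"id": "det-1", "status": "in_progress", "assigned_to": "Alex Chen", "hostname": "WS-001"},
    {"id": "det-2", "status": "new", "assigned_to": "Alex Chen", "hostname": "WS-002"},
    {"id": "det-3", "status": "in_progress", "assigned_to": "Alexandra Ruiz", "hostname": "SRV-010"},
    {"id": "det-4", "status": "in_progress", "assigned_to": "Chen Alex", "hostname": "WS-003"},
    {"id": "det-5", "status": "in_progress", "assigned_to": None, "hostname": "WS-004"},
]


def filter_detections(detections, status=None, assigned_to=None):
    """Return detections matching an exact status and/or an assigned-to pattern.
    The pattern uses shell-style wildcards: '*' matches any run of characters,
    '?' matches one character. Unassigned detections never match a pattern."""
    matched = []
    for det in detections:
        if status is not None and det.get("status") != status:
            continue
        if assigned_to is not None:
            name = det.get("assigned_to") or ""
            if not fnmatch.fnmatchcase(name, assigned_to):
                continue
        matched.append(det)
    return matched


def matched_ids(detections, **filters):
    """Convenience wrapper returning just the detection IDs, in input order."""
    return [d["id"] for d in filter_detections(detections, **filters)]


if __name__ == "__main__":
    print("Alex*  ->", matched_ids(SAMPLE_DETECTIONS, status="in_progress", assigned_to="Alex*"))
    print("Alex * ->", matched_ids(SAMPLE_DETECTIONS, status="in_progress", assigned_to="Alex *"))
```

Filtering on hostname (option C) would match nothing here, because "Alex" is an analyst name, not a host.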
Which key data points can be obtained from an IP Search within Falcon? (Choose two)
- A . All failed login attempts from the IP
- B . List of endpoints contacted by the IP
- C . Process names launched from that IP
- D . External geolocation and threat reputation
Which two options are valid pivot points from an Event Search in Falcon? (Choose two)
- A . Process Timeline
- B . Policy Editor
- C . Process Explorer
- D . Sensor Configuration
