Practice Free CCFR-201b Exam Online Questions
How are tactics represented within the MITRE ATT&CK framework?
- A . As stages of a cyber kill chain
- B . As network flow rules
- C . As adversarial objectives or goals
- D . As firewall configuration templates
Which of the following are actionable steps an analyst can take from the User Search results panel? (Choose two)
- A . Block the user from accessing any host
- B . View the detections tied to the user
- C . Pivot to Host Search
- D . Download audit logs directly
Which Falcon feature allows analysts to perform advanced searches across endpoint data?
- A . Falcon Discover
- B . Falcon Overwatch
- C . Falcon Intelligence
- D . Event Search
Which two exclusions can be configured to minimize false positives in Falcon detections? (Choose two)
- A . Sensor visibility exclusions
- B . DNS blocklists
- C . Machine learning exclusions
- D . IP allowlists
Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?
- A . You can’t export detailed event data from a detection, you have to use the Process Timeline or an Event Search
- B . In Full Detection Details, you expand the nodes of the process tree you wish to expand and then click the "Export Process Events" button
- C . In Full Detection Details, you choose the "View Process Activity" option and then export from that view
- D . From the Detections Dashboard, you right-click the event type you wish to export and choose CSV, JSON or XML
C
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, there are three ways to export process event data from a detection in .CSV format:
You can use the Process Timeline tool and click the “Export CSV” button at the top right corner.
You can use the Event Search tool, select one or more events, and click the “Export CSV” button at the top right corner.
You can use the Full Detection Details tool and choose the “View Process Activity” option from any process node in the process tree view. This shows all events generated by that process in a rows-and-columns style view. You can then click the “Export CSV” button at the top right corner.
Which Falcon feature lets analysts isolate threats by interacting with a command shell on the endpoint?
- A . Process Explorer
- B . Event Search
- C . Real Time Response
- D . Host Inventory
When investigating an event, what is typically the first responder action?
- A . Notify management
- B . Identify and secure the affected systems
- C . Analyze logs for anomalies
- D . Gather evidence
During an investigation, logs from which of the following sources might provide critical information?
- A . Application logs
- B . System logs
- C . Network logs
- D . All of the above
Which two effects can occur when applying a blocklist policy on a hash in Falcon? (Choose two)
- A . The file will be uploaded to the cloud
- B . The file will be deleted immediately
- C . Execution will be prevented
- D . Detection alerts will be generated
What types of events are returned by a Process Timeline?
- A . Only detection events
- B . All cloudable events
- C . Only process events
- D . Only network events
B
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline search returns all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. This gives you a comprehensive view of what a process was doing on a host.
