Practice Free CCFR-201b Exam Online Questions
From a detection, what is the fastest way to see children and sibling process information?
- A . Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessId_decimal)
- B . Select Full Detection Details from the detection
- C . Right-click the process and select "Follow Process Chain"
- D . Select the Process Timeline feature, enter the AID, Target Process ID, and Parent Process ID
B
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the Full Detection Details tool allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process tree view provides a graphical representation of the process hierarchy and activity. You can see children and sibling process information by expanding or collapsing nodes in the tree.
Which use cases are supported by applying ATT&CK techniques within Falcon workflows? (Choose two)
- A . Tuning machine learning exclusion rules
- B . Building behavioral rules for custom detections
- C . Understanding lateral movement indicators
- D . Automatically launching sandbox detonations
When investigating a host-wide security incident involving multiple users, responders should use the __________ timeline.
- A . Event Search
- B . Process
- C . Host
- D . IOC
Which view helps analysts identify the origin and descendants of a suspicious process?
- A . View as Disk
- B . Process Tree
- C . Registry View
- D . Host Configuration
Advanced Event Search in Falcon supports a look-back period of up to __________ days depending on the retention policy.
- A . 1
- B . 7
- C . 30
- D . 90
Which of the following tactic and technique combinations is sourced from MITRE ATT&CK information?
- A . Falcon Intel via Intelligence Indicator – Domain
- B . Machine Learning via Cloud-Based ML
- C . Malware via PUP
- D . Credential Access via OS Credential Dumping
D
Explanation:
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Credential Access via OS Credential Dumping is an example of a tactic and technique combination sourced from MITRE ATT&CK information, which describes how adversaries can obtain credentials from operating system memory or disk storage by using tools such as Mimikatz or ProcDump.
Which three use cases justify performing an Event Search in Falcon? (Choose three)
- A . Identify process injection attempts
- B . Track sensor update versions
- C . Confirm unauthorized registry modifications
- D . Validate command-line usage by PowerShell
Which type of information is crucial when documenting an incident during an investigation?
- A . Social media accounts of affected users
- B . Timeline of events
- C . Employee performance reviews
- D . Software installation dates
In detection analysis, what does a false positive indicate?
- A . A real security threat has been identified
- B . No threat exists, but an alert was triggered
- C . The system is functioning as expected
- D . An actual breach occurred
In Event Search, what filter would you apply to exclude events from a known safe process?
- A . process_name:"safe_process.exe"
- B . exclude_process:"safe_process.exe"
- C . remove_process:"safe_process.exe"
- D . filter_process:"safe_process.exe"
