Practice Free CCFR-201b Exam Online Questions
In Falcon Event Search, which operator is used to exclude specific terms from a query?
- A . AND
- B . NOT
- C . OR
- D . XOR
To remediate threats using RTR, custom scripts must be added to the __________ before they can be executed.
- A . Host timeline
- B . Action Center
- C . Custom Script Library
- D . Detection Workflow
Which of the following is a valid reason to pivot from a detection to a Real Time Response session?
- A . To retrieve system logs from a third-party firewall
- B . To block internet access for all devices in the subnet
- C . To isolate a suspicious host for further investigation
- D . To reassign a license to another device
Which option indicates a hash is allowlisted?
- A . No Action
- B . Allow
- C . Ignore
- D . Always Block
B
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the allowlist feature allows you to exclude files or directories from being scanned or blocked by CrowdStrike’s machine learning engine or indicators of attack (IOAs). This can reduce false positives and improve performance. When you allowlist a hash, you are allowing that file to execute on any host that belongs to your organization’s CID (customer ID). The option to indicate that a hash is allowlisted is "Allow".
What role does system documentation play in event investigation?
- A . It is not necessary for investigations
- B . It provides context and helps in understanding configurations
- C . It increases risk of data loss
- D . It is only useful for compliance audits
What does assigning a MITRE technique to a detection help an analyst achieve in Falcon?
- A . It disables further logging for that detection
- B . It converts the detection into a file hash
- C . It provides behavioral context to support incident analysis
- D . It initiates a threat containment workflow
Which three views are available for analyzing detection process relationships in Falcon? (Choose three)
- A . View as Timeline
- B . View as Process Tree
- C . View as Process Table
- D . View as Process Activity
To quickly isolate a suspicious endpoint from the network, you would apply the __________ action in Falcon.
- A . Real Time Response
- B . Quarantine
- C . Investigate
- D . Process Kill
Which actions can analysts take from within the Hash Search results? (Choose two)
- A . Allowlist the hash
- B . Push to quarantine
- C . View file metadata
- D . Block hash across the organization
A list of managed and unmanaged neighbors for an endpoint can be found:
- A . by using Hosts page in the Investigate tool
- B . by reviewing "Groups" in Host Management under the Hosts page
- C . under "Audit" by running Sensor Visibility Exclusions Audit
- D . only by searching event data using Event Search
A
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, you can use the Hosts page in the Investigate tool to view information about your endpoints, such as hostname, IP address, OS, sensor version, etc. You can also see a list of managed and unmanaged neighbors for each endpoint, which are other devices that have communicated with that endpoint over the network. This can help you identify potential threats or vulnerabilities in your network.
