Practice Free CCFR-201b Exam Online Questions
What is the purpose of a detection rule in a security tool?
- A . To format alerts for easy readability
- B . To define criteria for identifying potential threats
- C . To initiate automatic responses to all incidents
- D . To monitor end-user behavior
What information can you view about an endpoint in Falcon RTR during a live session?
- A . Network configuration
- B . File system layout
- C . Active user sessions
- D . All of the above
From the Full Detection Details panel, the __________ can be used to identify which process launched the suspicious activity.
- A . Registry tab
- B . Parent process ID
- C . Real Time Response console
- D . File hash view
Which of the following best describes the function of the ‘limit’ clause in a search query?
- A . It restricts the fields that are returned in the results
- B . It sets the maximum number of results returned
- C . It groups results based on a criterion
- D . It categorizes results by severity
Which type of data is most relevant during an event investigation in Falcon?
- A . Market research data
- B . User demographic data
- C . Software installation records
- D . Endpoint and process activity logs
What is a key purpose of the Host Search tool in Falcon?
- A . To compare quarantine file hashes
- B . To pivot directly to process lineage data
- C . To locate a specific host and view its detection history
- D . To apply allowlisting rules to hosts
In Falcon RTR, what does the "file fetch" action accomplish?
- A . It uploads files to the Falcon platform
- B . It deletes files on the endpoint
- C . It downloads files from a remote endpoint
- D . It monitors file changes
Which option allows you to save a search query in the Falcon platform for future reference?
- A . Export
- B . Bookmark
- C . Save Search
- D . Schedule
What do IOA exclusions help you achieve?
- A . Reduce false positives based on Next-Gen Antivirus settings in the Prevention Policy
- B . Reduce false positives of behavioral detections from IOA-based detections only
- C . Reduce false positives of behavioral detections from IOA-based detections based on a file hash
- D . Reduce false positives of behavioral detections from Custom IOA and OverWatch detections only
B
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike's indicators of attack (IOAs), which are behavioral rules that identify malicious activity. This can reduce false positives and improve performance. IOA exclusions apply only to IOA-based detections, not to other detection types such as machine learning, Custom IOA, or OverWatch detections.
Which condition must be met before executing Falcon Real Time Response (RTR) commands on an endpoint?
- A . The endpoint must have the latest antivirus definitions installed
- B . The endpoint must be assigned to a specific host group
- C . The user must have RTR role permissions and the endpoint must be online
- D . The system must have all pending OS updates applied
