Practice Free CCFR-201b Exam Online Questions
What type of events can you search for using the Event Search feature in CrowdStrike Falcon?
- A . Only malware detection events
- B . User authentication events only
- C . Only network-related events
- D . Any endpoint-related events
In the context of event investigation, what does the term “chain of events” refer to?
- A . The sequence of user interactions in an application
- B . The order of actions taken during an incident
- C . The timeline of system updates
- D . The order of commands used in scripting
What information does the MITRE ATT&CK® Framework provide?
- A . It provides best practices for different cybersecurity domains, such as Identity and Access Management
- B . It provides a step-by-step cyber incident response strategy
- C . It provides the phases of an adversary’s lifecycle, the platforms they are known to attack, and the specific methods they use
- D . It is a system that attributes attack techniques to a specific threat actor
C
Explanation:
According to the MITRE ATT&CK website, MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques: tactics are the high-level goals of an adversary, such as initial access, persistence and lateral movement, and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping and remote file copy. The tactic columns of the Enterprise matrix (reconnaissance, resource development, initial access, execution, persistence, and so on through command and control, exfiltration and impact) are ordered to follow the phases of an adversary’s lifecycle, and each technique records the platforms it applies to, such as Windows, Linux, macOS, Android and iOS. ATT&CK describes behaviors; it is not an attribution system, a control framework or an incident response playbook, which rules out options A, B and D.
What is the first step an analyst should take when investigating a potential security incident?
- A . Contain the threat
- B . Analyze logs
- C . Identify the scope
- D . Gather evidence
Which two actions are available after filtering Event Search results in Falcon? (Choose two)
- A . Add file hashes to sensor exclusion
- B . Generate detection from an event
- C . Launch Real Time Response session
- D . Export events to CSV for offline review
You’re investigating suspicious behavior linked to a user.
Which key indicators should you examine in the User Search view to assess the threat context? (Choose two)
- A . Number of failed login attempts
- B . User’s IP subnet
- C . Number of hosts the user has accessed
- D . Number of detections associated with the user
Which detection technique relies on predefined rules and patterns?
- A . Anomaly detection
- B . Signature-based detection
- C . Behavioral analysis
- D . Heuristic analysis
What does the ‘Persistence’ tactic represent in the context of the MITRE ATT&CK® Framework?
- A . Techniques that adversaries use to manipulate data
- B . Techniques that enable an adversary to maintain their foothold
- C . Techniques to escalate privileges
- D . Techniques for finalizing an attack
Which tool in CrowdStrike Falcon allows you to perform a deep dive into endpoint activity across your organization?
- A . Falcon Insight
- B . Falcon OverWatch
- C . Falcon Device Control
- D . Falcon Search
After pivoting to an event search from a detection, you locate the ProcessRollup2 event.
Which two field values are you required to obtain to perform a Process Timeline search so you can determine what the process was doing?
- A . SHA256 and TargetProcessId_decimal
- B . SHA256 and ParentProcessId_decimal
- C . aid and ParentProcessId_decimal
- D . aid and TargetProcessId_decimal
D
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide (v3.1.5 and later), the Process Timeline search requires two parameters: aid (the agent ID, which identifies the sensor, and therefore the host) and TargetProcessId_decimal (the decimal value of the sensor-assigned process ID). Both fields can be read directly from the ProcessRollup2 event, which records each process execution on a host. The aid is required because process IDs are only unique within a single sensor; the same TargetProcessId_decimal value can appear on other hosts. The SHA256 hash (options A and B) identifies the executable file, not a particular execution of it, and ParentProcessId_decimal (options B and C) identifies the parent rather than the process under investigation.
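The join logic behind a Process Timeline search, as an added illustration that is not CrowdStrike code and does not query Falcon: it runs locally over a handful of constructed Falcon-style events. The field names aid, TargetProcessId_decimal and ParentProcessId_decimal come from the question above; the assumption that activity events (DnsRequest, NetworkConnectIP4) carry the originating process’s ID in ContextProcessId_decimal is mine, as are the sample values. Two hosts in the sample share a TargetProcessId_decimal of 1001, which is exactly why aid is part of the key.

```python
"""Process Timeline join logic over constructed Falcon-style events.

Added example, not CrowdStrike code. Assumed field semantics (not stated
on the page): a ProcessRollup2 event's TargetProcessId_decimal identifies
the process, its ParentProcessId_decimal holds the parent's
TargetProcessId_decimal, and activity events carry the originating
process's id in ContextProcessId_decimal. Process ids are only unique per
sensor, so (aid, TargetProcessId_decimal) is the key, never the id alone.
"""

# Constructed sample events. Hosts "aaa" and "bbb" both have a process with
# TargetProcessId_decimal 1001, so the id without aid is ambiguous.
EVENTS = [
    {"aid": "aaa", "timestamp": 1, "event_simpleName": "ProcessRollup2",
     "TargetProcessId_decimal": 1001, "ParentProcessId_decimal": 7,
     "FileName": "winword.exe", "SHA256HashData": "h1"},
    {"aid": "aaa", "timestamp": 2, "event_simpleName": "ProcessRollup2",
     "TargetProcessId_decimal": 1002, "ParentProcessId_decimal": 1001,
     "FileName": "powershell.exe", "SHA256HashData": "h2"},
    {"aid": "aaa", "timestamp": 3, "event_simpleName": "DnsRequest",
     "ContextProcessId_decimal": 1002, "DomainName": "example.test"},
    {"aid": "aaa", "timestamp": 4, "event_simpleName": "NetworkConnectIP4",
     "ContextProcessId_decimal": 1002, "RemoteAddressIP4": "203.0.113.5"},
    {"aid": "bbb", "timestamp": 1, "event_simpleName": "ProcessRollup2",
     "TargetProcessId_decimal": 1001, "ParentProcessId_decimal": 4,
     "FileName": "explorer.exe", "SHA256HashData": "h3"},
    {"aid": "bbb", "timestamp": 2, "event_simpleName": "DnsRequest",
     "ContextProcessId_decimal": 1001, "DomainName": "benign.test"},
]


def process_key(rollup):
    """The (aid, TargetProcessId_decimal) pair a Process Timeline needs."""
    return rollup["aid"], rollup["TargetProcessId_decimal"]


def process_timeline(events, aid, target_pid):
    """Chronological activity of one process on one host: its own
    ProcessRollup2, the activity events it generated, and the
    ProcessRollup2 of every child it spawned."""
    out = []
    for e in events:
        if e["aid"] != aid:          # aid first: ids collide across hosts
            continue
        if e["event_simpleName"] == "ProcessRollup2":
            if target_pid in (e["TargetProcessId_decimal"],
                              e.get("ParentProcessId_decimal")):
                out.append(e)
        elif e.get("ContextProcessId_decimal") == target_pid:
            out.append(e)
    return sorted(out, key=lambda e: e["timestamp"])


def ancestry(events, aid, target_pid):
    """Walk ParentProcessId_decimal upward and return the chain of file
    names from the oldest known ancestor down to the target process."""
    rollups = {(e["aid"], e["TargetProcessId_decimal"]): e
               for e in events if e["event_simpleName"] == "ProcessRollup2"}
    chain, pid, seen = [], target_pid, set()
    while (aid, pid) in rollups and pid not in seen:   # seen guards cycles
        seen.add(pid)
        e = rollups[(aid, pid)]
        chain.append(e["FileName"])
        pid = e["ParentProcessId_decimal"]
    return list(reversed(chain))


def hosts_matching_pid_only(events, target_pid):
    """What a search keyed on the process id alone would return: the set of
    hosts whose events match, showing the cross-host collision."""
    return sorted({e["aid"] for e in events
                   if target_pid in (e.get("TargetProcessId_decimal"),
                                     e.get("ContextProcessId_decimal"))})


if __name__ == "__main__":
    aid, pid = process_key(EVENTS[1])          # the powershell.exe rollup
    print("ancestry:", " -> ".join(ancestry(EVENTS, aid, pid)))
    for e in process_timeline(EVENTS, aid, pid):
        print(e["timestamp"], e["event_simpleName"])
    print("hosts matching pid 1001 without aid:",
          hosts_matching_pid_only(EVENTS, 1001))
```

Running the script shows the powershell.exe process under winword.exe, its DNS request and outbound connection in order, and that searching on id 1001 without aid pulls in both hosts.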
