Practice Free CCFR-201b Exam Online Questions
Which is TRUE regarding a file released from quarantine?
- A . No executions are allowed for 14 days after release
- B . It is allowed to execute on all hosts
- C . It is deleted
- D . It will not generate future machine learning detections on the associated host
B
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.
In the MITRE ATT&CK® framework, which of the following is a valid technique under the Credential Dumping category?
- A . Application Layer Protocol
- B . Acquire Credentials
- C . LSASS Memory
- D . Data from Information Repositories
When looking at the details of a detection, there are two fields called Global Prevalence and Local Prevalence.
Which answer best defines Local Prevalence?
- A . Local prevalence is the frequency with which the hash of the triggering file is seen across the entire Internet
- B . Local Prevalence tells you how common the hash of the triggering file is within your environment (CID)
- C . Local Prevalence is the Virus Total score for the hash of the triggering file
- D . Local prevalence is the frequency with which the hash of the triggering file is seen across all CrowdStrike customer environments
B
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Global Prevalence and Local Prevalence are two fields that provide information about how common or rare a file is based on its hash value. Global Prevalence tells you how frequently the hash of the triggering file is seen across all CrowdStrike customer environments. Local Prevalence tells you how frequently the hash of the triggering file is seen within your environment (CID). These fields can help you assess the risk and impact of a detection.
You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search.
What can be determined from the results?
- A . Identifies a detailed list of all process executions for the specified hashes
- B . Identifies hosts that loaded or executed the specified hashes
- C . Identifies users associated with the specified hashes
- D . Identifies detections related to the specified hashes
B
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Execution Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that loaded or executed those hashes. You can also see a count of detections and incidents related to those hashes.
The Process Activity View provides a rows-and-columns style view of the events generated in a detection.
Why might this be helpful?
- A . The Process Activity View creates a consolidated view of all detection events for that process that can be exported for further analysis
- B . The Process Activity View will show the Detection time of the earliest recorded activity which might indicate first affected machine
- C . The Process Activity View only creates a summary of Dynamic Link Libraries (DLLs) loaded by a process
- D . The Process Activity View creates a count of event types only, which can be useful when scoping the event
A
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Activity View allows you to view all events generated by a process involved in a detection in a rows-and-columns style view. This can be helpful because it creates a consolidated view of all detection events for that process that can be exported for further analysis. You can also sort, filter, and pivot on the events by various fields, such as event type, timestamp, file name, registry key, network destination, etc.
Which two data points are typically included in Process Explorer? (Choose two)
- A . Command-line arguments
- B . System Uptime
- C . User who initiated the process
- D . Network adapter type
What action is used when you want to save a prevention hash for later use?
- A . Always Block
- B . Never Block
- C . Always Allow
- D . No Action
A
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the Always Block action allows you to block a file from executing on any host in your organization based on its hash value. This action can be used to prevent known malicious files from running on your endpoints.
In Falcon, the __________ provides geographic and threat-intel data related to an external IP address.
- A . Detection view
- B . Event Search
- C . IP Search
- D . Host Timeline
What Falcon feature visually represents process relationships during a detection investigation?
- A . View as Process Tree
- B . Host Timeline
- C . Investigate Panel
- D . Activity Dashboard
What role does the ‘Event Type’ filter play in the Event Search process?
- A . It limits the view to a specific category of events
- B . It displays all hostnames
- C . It changes the interface language
- D . It downloads event data to your local machine