Summer Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

CrowdStrike CCFR-201b - CrowdStrike Certified Falcon Responder

Page: 2 / 6
Total 209 questions

When an organization needs to detect a specific behavior that is unique to their environment, they can create a Custom IOA. Which of the following is NOT required when configuring a custom IOA from scratch?

A.

Selecting a Rule Type (e.g., Process Creation).

B.

Specifying the Severity level of the resulting detection.

C.

Assigning a specific host group to the IOA rule at the time of creation.

D.

Providing a unique name for the rule.

Detections in Falcon are classified by their origin. Which of the following is NOT a recognized type of detection?

A.

Machine Learning

B.

Behavioral

C.

Intelligence

D.

Custom IOA

How does a DNSRequest event link to its responsible process?

A.

Via both its ContextProcessld__decimal and ParentProcessld_decimal fields

B.

Via its ParentProcessld_decimal field

C.

Via its ContextProcessld_decimal field

D.

Via its TargetProcessld_decimal field

When reviewing CrowdScore Incidents, which of the following statements is INCORRECT?

A.

Incidents aggregate related detections to reduce alert fatigue.

B.

Incidents are defined as inactive after 10 hours pass without any new related activity.

C.

A high CrowdScore indicates a higher likelihood of a sophisticated or widespread attack.

D.

CrowdScore is only visible to users with the ' Falcon Administrator ' role.

After an investigation, the following malicious artifacts have been identified:

    C:\Users*\AppData\iamnotmalware.exe

    C:\Users*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iamnotmalware.lnk

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iamnotmalware_really

What method will remove all associated artifacts from hosts that trigger future related detections?

A.

Create a Quarantine Rule that will quarantine all identified artifacts across the entire environment

B.

Create Custom IOA rules to prevent the execution of these artifacts

C.

Create a workflow to trigger on a new endpoint detection, query the telemetry data of the endpoint for known artifacts, and select Remove All Associated Artifacts as an action

D.

Create a workflow to trigger on a new endpoint detection, conditions that match the detection, and as an action a PowerShell script to kill associated processes and remove all artifacts

What happens when you open the full detection details?

A.

Theprocess explorer opens and the detection is removed from the console

B.

The process explorer opens and you ' re able to view the processes and process relationships

C.

The process explorer opens and the detection copies to the clipboard

D.

The process explorer opens and the Event Search query is run for the detection

When analyzing an executable with a global prevalence of common; but you do not know what the executable is. what is the best course of action?

A.

Do nothing, as this file is common and well known

B.

From detection, click the VT Hash button to pivot to VirusTotal to investigate further

C.

From detection, use API manager to create a custom blocklist

D.

From detection, submit to FalconX for deep dive analysis

The Process Activity View provides a rows-and-columns style view of the events generated in a detection. Why might this be helpful?

A.

The Process Activity View creates a consolidated view of all detection events for that process that can be exported for further analysis

B.

The Process Activity View will show the Detection time of the earliest recorded activity which might indicate first affected machine

C.

The Process Activity View only creates a summary of Dynamic Link Libraries (DLLs) loaded by a process

D.

The Process Activity View creates a count of event types only, which can be useful when scoping the event

What types of events are returned by a Process Timeline?

A.

Only detection events

B.

All cloudable events

C.

Only process events

D.

Only network events

What action is needed to ensure Falcon does not block or generate a detection for a process by using the file hash?

A.

Create a Custom IOC with an action of allow for the hash

B.

Create a Machine Learning Exclusion with an action of allow for the hash

C.

Create a Custom IOA with an action of allow for the hash

D.

Create an IOA Exclusion with an action of allow for the hash