Summer Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

CrowdStrike CCFR-201b - CrowdStrike Certified Falcon Responder

Page: 3 / 6
Total 209 questions

In the Falcon Overwatch Best Practice workflow, at what specific point is a responder encouraged to utilize OSINT (Open Source Intelligence) searches?

A.

During the ' Understand the detection ' phase.

B.

During the ' Understand process(es) involved ' phase.

C.

During the ' Examine what is normal for the system ' phase.

D.

After the incident has been fully remediated.

During an advanced hunting session, a responder is writing a custom query in the Event Search tool to track the lineage of a suspicious process. They notice a field labeled TargetProcessId_decimal. Which of the following sentences accurately describes the technical significance of this value within the CrowdStrike telemetry ecosystem?

A.

It is the standard Process ID (PID) assigned by the Windows Task Manager.

B.

It is a sensor-assigned, environment-wide unique decimal identifier for that specific process instance.

C.

It represents the memory offset where the process ' s primary thread began.

D.

It is a count of the total number of child processes spawned by that executable.

What happens when a hash is allowlisted?

A.

Execution is prevented, but detection alerts are suppressed

B.

Execution is allowed on all hosts, including all other Falcon customers

C.

The hash is submitted for approval to be allowed to execute once confirmed by Falcon specialists

D.

Execution is allowed on all hosts that fall under the organization ' s CID

If a file has a prevalence of ' Local: Low ' and ' Global: High ' , what does this typically indicate to a responder?

A.

The file is a targeted piece of malware specifically designed for the company.

B.

The file is common off-the-shelf software or malware seen across many environments.

C.

The file is a custom script written by a local administrator.

D.

The file is a unique configuration file for a proprietary application.

A responder is focused on a specific malicious script and wants to see everything that the script ' s process did. Which timeline is the best tool for this task?

A.

Host Timeline

B.

Process Timeline

C.

User Timeline

D.

Administrative Timeline

A responder needs to find a specific sequence of network connections that did not trigger a detection. Which search tool allows them to search for anything within the raw telemetry?

A.

Host Search

B.

Event Search

C.

Hash Search

D.

User Search

What information is contained within a Process Timeline?

A.

All cloudable process-related events within a given timeframe

B.

All cloudable events for a specific host

C.

Only detection process-related events within a given timeframe

D.

A view of activities on Mac or Linux hosts

The ' Detection Resolutions ' dashboard helps track team performance. Which of the following CANNOT be seen from this dashboard?

A.

Average time to resolve a detection.

B.

Total number of detections resolved by each analyst.

C.

The top 10 hosts/users/files with the most detections.

D.

The breakdown of True Positive vs. False Positive resolutions.

A security responder is investigating a detection where a low-privileged process attempted to manipulate a system token to gain administrative rights. Within the specific terminology used by the Falcon console, ' Privilege Escalation ' is classified as a:

A.

Technique

B.

Tactic

C.

Objective

D.

Indicator

Which specific event type in the Falcon telemetry is associated with the creation of a new ' TargetProcessId_decimal ' ?

A.

ProcessRollup2

B.

FileCreation

C.

NetworkConnect

D.

RegistryUpdate