Pass the CrowdStrike CCFR CCFR-201b Questions and answers with CertsForce

Viewing page 2 out of 6 pages
Viewing questions 11-20 out of questions
Question #11:

Which of the following statements about the 'Detection Activity' report is FALSE?

Options:

A. It provides a summary of all alerts over a selected time period.
B. It can be filtered by host name or severity.
C. Clicking on a ProcessID value within the report pivots to a pre-populated Event Search.
D. The report can be exported to a CSV file.

Question #12:

An analyst is triaging a detection that has been categorized under the 'Follow Through' Objective Layer. Based on the Falcon technical documentation, which of the following adversary tactics is most likely to be observed within this specific layer?

Options:

A. Credential Access through memory scraping
B. Collection of sensitive data for exfiltration
C. Initial Access via a drive-by download
D. Discovery of local network shares and services

Question #13:

When viewing the summary list on the 'Endpoint Detections' page, an analyst sees a column for the timestamp. What does the timestamp in this specific summary view represent?

Options:

A. The exact time the Falcon sensor was first installed on the host.
B. The timestamp of the last activity recorded for that specific detection.
C. The time the detection was first assigned to a human analyst.
D. The file creation time for the primary process involved in the alert.

Question #14:

What is an advantage of using the IP Search tool?

Options:

A. IP searches provide manufacturer and timezone data that cannot be accessed anywhere else
B. IP searches allow for multiple comma-separated IPv6 addresses as input
C. IP searches offer shortcuts to launch response actions and network containment on target hosts
D. IP searches provide host, process, and organizational unit data without the need to write a query

Question #15:

From the Detections page, how can you view 'in-progress' detections assigned to Falcon Analyst Alex?

Options:

A. Filter on 'Analyst: Alex'
B. Alex does not have the correct role permissions as a Falcon Analyst to be assigned detections
C. Filter on 'Hostname: Alex' and 'Status: In-Progress'
D. Filter on 'Status: In-Progress' and 'Assigned-to: Alex'

Question #16:

While examining the 'Process Details' sidebar of a detection, a responder sees the following icons: "25 Network Operations" and "277 Disk Operations". What does this contextual data represent?

Options:

A. The percentage of the CPU being consumed by the network and disk.
B. The specific number of telemetry events recorded for network and disk activity by that process.
C. The total size in megabytes of the data sent over the network and written to disk.
D. The number of other hosts that have seen similar network and disk activity.

Question #17:

A responder needs to find a specific sequence of network connections that did not trigger a detection. Which search tool allows them to search for anything within the raw telemetry?

Options:

A. Host Search
B. Event Search
C. Hash Search
D. User Search

Question #18:

To perform a deep-dive investigation into a specific detection, a responder needs to pivot to a process timeline. What is the minimum information required to be gathered from the detection before making this pivot?

Options:

A. The External IP and the Username of the logged-in user.
B. The Agent ID (AID) and the Target Process ID (TargetProcessId_decimal).
C. The MAC Address of the host and the SHA256 hash of the file.
D. The Policy ID and the timestamp of the first event.

Question #19:

When examining a raw DNS request event, you see a field called ContextProcessId_decimal. What is the purpose of that field?

Options:

A. It contains the TargetProcessId_decimal value for other related events
B. It contains an internal value not useful for an investigation
C. It contains the ContextProcessId_decimal value for the parent process that made the DNS request
D. It contains the TargetProcessId_decimal value for the process that made the DNS request

Question #20:

Responders often need to organize detections to identify trends across the environment. Which of the following is NOT a grouping option currently available on the 'Endpoint Detections' page?

Options:

A. Grouped by Process
B. Grouped by Alert
C. Grouped by File Path
D. Grouped by Severity