Pass the CrowdStrike CCFR CCFR-201b Questions and answers with CertsForce

Viewing page 3 out of 6 pages
Viewing questions 21-30 out of questions
Question #21:

In various telemetry events like 'FileWrite' or 'NetworkConnect', Falcon identifies the process that performed the action. Which field will always identify this "acting" process?

Options:

A. ContextProcessId_decimal
B. TargetProcessId_decimal
C. ParentProcessId_decimal
D. OwnerProcessId_decimal

Question #22:

Where are quarantined files stored on Windows hosts?

Options:

A. Windows\Quarantine
B. Windows\System32\Drivers\CrowdStrike\Quarantine
C. Windows\System32\
D. Windows\temp\Drivers\CrowdStrike\Quarantine

Question #23:

Administrators can define their own criteria for alerts. Which of the following is an example of a custom detection within the Falcon platform?

Options:

A. Sensor-based Malware Detections
B. Blacklisted Hashes
C. Overwatch Managed Detections
D. Behavioral IOA Detections

Question #24:

When a responder chooses to 'Release' a file from quarantine because it was determined to be a false positive, what type of allowlist is automatically created in the background?

Options:

A. Filename-based allowlist
B. Hash-based allowlist
C. Path-based allowlist
D. Command-line allowlist

Question #25:

When examining raw event data, what is the purpose of the field called ParentProcessId_decimal?

Options:

A. It contains an internal value not useful for an investigation
B. It contains the TargetProcessId_decimal value of the child process
C. It contains the SensorId_decimal value for related events
D. It contains the TargetProcessId_decimal of the parent process

Question #26:

The Falcon platform will show a maximum of how many detections per day for a single Agent Identifier (AID)?

Options:

A. 500
B. 750
C. 1000
D. 1200

Question #27:

What happens when a quarantined file is released?

Options:

A. It is moved into the C:\CrowdStrike\Quarantine\Released folder on the host
B. It is allowed to execute on the host
C. It is deleted
D. It is allowed to execute on all hosts

Question #28:

In the Hash Search tool, which of the following is listed under Process Executions?

Options:

A. Operating System
B. File Signature
C. Command Line
D. Sensor Version

Question #29:

While the host timeline is comprehensive, some data is not included in that specific view. Which of the following CANNOT be seen directly from the host timeline?

Options:

A. Timestamp
B. Event Name
C. PID (Process ID)
D. CPU Temperature

Question #30:

During an advanced hunting session, a responder is writing a custom query in the Event Search tool to track the lineage of a suspicious process. They notice a field labeled TargetProcessId_decimal. Which of the following sentences accurately describes the technical significance of this value within the CrowdStrike telemetry ecosystem?

Options:

A. It is the standard Process ID (PID) assigned by the Windows Task Manager.
B. It is a sensor-assigned, environment-wide unique decimal identifier for that specific process instance.
C. It represents the memory offset where the process's primary thread began.
D. It is a count of the total number of child processes spawned by that executable.