You notice that taskeng.exe is one of the processes involved in a detection. What activity should you investigate next?
Answer(s): C
taskeng.exe (Task Scheduler Engine) is a legitimate Windows binary, documented by Microsoft, that runs scheduled tasks on behalf of the Task Scheduler service; it lives in %SystemRoot%\System32, is launched by the svchost.exe instance hosting the Schedule service, and on current Windows 10/11 builds its role is filled by taskhostw.exe. Malware frequently abuses the legitimate process by registering a task that launches its payload, or injects into it, or drops a look-alike binary with the same name in another directory. If taskeng.exe appears in a detection, the next step is to look for scheduled tasks registered or modified shortly before the detection that could have triggered it, and to confirm the image path, parent process and signature of the taskeng.exe involved. Tasks can be enumerated with schtasks.exe (schtasks /Query /V /FO LIST), the Task Scheduler MMC, or PowerShell's Get-ScheduledTask.
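As an added example, not part of the original exam explanation, the following PowerShell script does the "look for tasks registered before the detection" step on the affected host. The detection timestamp, the lookback window and the suspicious-pattern lists are my own constructed values and heuristics; the only Windows facts it relies on are the ScheduledTasks module cmdlets (Windows 8/Server 2012 and later) and the <Date> element of the exported task XML.

```powershell
# Added example, not from the original page. Enumerate scheduled tasks that were
# registered (or last ran) in a window before a detection and flag the ones whose
# action looks like something an attacker would schedule.
param(
    [datetime]$DetectionTime = (Get-Date '2025-06-09T10:15:00'),  # constructed sample
    [int]$LookbackHours      = 72                                  # assumption: 3 days is enough
)
$windowStart = $DetectionTime.AddHours(-$LookbackHours)

# Heuristic patterns (mine, not an authoritative list): script hosts and LOLBins,
# payloads in user-writable directories, and encoded/download-style arguments.
$suspiciousExe  = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin'
$suspiciousPath = '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\'
$suspiciousArgs = '-enc|-e |encodedcommand|downloadstring|iex|invoke-expression|http'

$results = foreach ($task in Get-ScheduledTask) {
    # The registration date lives in the task XML (<RegistrationInfo><Date>),
    # not in Get-ScheduledTaskInfo, so export the task to read it.
    $registered = $null
    try {
        $xml = [xml](Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath)
        if ($xml.Task.RegistrationInfo.Date) {
            $registered = [datetime]$xml.Task.RegistrationInfo.Date
        }
    } catch { }   # some system tasks refuse export; keep going

    $info    = $task | Get-ScheduledTaskInfo
    $lastRun = $info.LastRunTime

    $inWindow = ($registered -and $registered -ge $windowStart -and $registered -le $DetectionTime) -or
                ($lastRun    -and $lastRun    -ge $windowStart -and $lastRun    -le $DetectionTime)
    if (-not $inWindow) { continue }

    # Flatten all Exec actions into one command line for inspection.
    $cmd = (($task.Actions | Where-Object Execute |
             ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; ')

    $flags = @()
    if ($cmd -match $suspiciousExe)  { $flags += 'script-host/LOLBin' }
    if ($cmd -match $suspiciousPath) { $flags += 'user-writable path' }
    if ($cmd -match $suspiciousArgs) { $flags += 'encoded/download args' }
    if ($task.TaskPath -eq '\')      { $flags += 'root task folder' }   # where most attacker tasks land
    if (-not $task.Author)           { $flags += 'no author' }

    [pscustomobject]@{
        Task       = "$($task.TaskPath)$($task.TaskName)"
        Registered = $registered
        LastRun    = $lastRun
        RunAs      = $task.Principal.UserId
        Command    = $cmd
        Flags      = ($flags -join ', ')
    }
}

# Flagged tasks first, newest registration first; review these before the rest.
$results | Sort-Object @{e={[string]::IsNullOrEmpty($_.Flags)}}, @{e='Registered'; Descending=$true} |
    Format-Table -AutoSize -Wrap
```

On hosts where the ScheduledTasks module is unavailable (Windows 7 / Server 2008 R2, which is also where taskeng.exe itself is the engine), `schtasks.exe /Query /V /FO CSV` produces the same fields (Task To Run, Author, Run As User, Last Run Time) and can be imported with `ConvertFrom-Csv` and filtered the same way. Treat the flags as triage hints, not verdicts: legitimate software does schedule PowerShell from ProgramData.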
Where can you find hosts that are in Reduced Functionality Mode?
Reduced Functionality Mode (RFM) is a sensor state in which the Falcon sensor keeps running but provides only limited protection and visibility, most commonly because the host is running an OS or kernel build that the installed sensor version does not yet support (for example after a kernel update on Linux), so the sensor cannot load its kernel-level components. In the Falcon console you find these hosts in Host Management (Host setup and management > Host management) by filtering on Sensor Status = RFM; opening a host's details shows the reason it is in RFM and the sensor and OS versions involved, which is what you need to decide whether a sensor update or a kernel rollback is the fix.
From the Detections page, how can you view 'in-progress' detections assigned to Falcon Analyst Alex?
Answer(s): D
The Detections page lists and manages the detections raised by the Falcon platform, and its filter bar narrows the list by attributes such as status, severity, tactic, technique, host and assignee. To see 'in-progress' detections assigned to Falcon Analyst Alex, filter on `Status: In Progress` and `Assigned-to: Alex*`. The asterisk (*) is a wildcard that matches any characters after "Alex", so it catches the analyst's full display name without you having to type it exactly.
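As an added example, not taken from the original page, the same filter can be expressed against the Falcon API when you want the list in a script rather than the console. This is my code and makes several assumptions: API credentials are supplied in environment variables, the tenant is on the US-1 cloud base URL, and the detections endpoints and FQL field names used here (`status`, `assigned_to_name`) are the ones available in your tenant; check them against the API reference for your cloud, since CrowdStrike is migrating detection queries to newer alert endpoints.

```powershell
# Added example, not from the original page. Pull 'in progress' detections assigned
# to an analyst whose name starts with "Alex" via the Falcon API.
# Assumptions: client credentials in env vars with the detections read scope,
# US-1 base URL, and the /detects endpoints + FQL fields below (verify for your cloud).
$BaseUrl  = 'https://api.crowdstrike.com'          # assumption: US-1 cloud
$ClientId = $env:FALCON_CLIENT_ID
$Secret   = $env:FALCON_CLIENT_SECRET

# 1. OAuth2 client-credentials token.
$token = (Invoke-RestMethod -Method Post -Uri "$BaseUrl/oauth2/token" `
            -ContentType 'application/x-www-form-urlencoded' `
            -Body @{ client_id = $ClientId; client_secret = $Secret }).access_token
$headers = @{ Authorization = "Bearer $token" }

# 2. FQL equivalent of the console filter: status In Progress AND assignee Alex*.
#    '+' joins conditions with AND; '*' is the wildcard, exactly as in the UI.
$fql = "status:'in_progress'+assigned_to_name:'Alex*'"

# GET with a hashtable body sends it as the query string.
$ids = (Invoke-RestMethod -Uri "$BaseUrl/detects/queries/detects/v1" -Headers $headers `
            -Body @{ filter = $fql; limit = 500 }).resources

if (-not $ids) {
    Write-Host "No in-progress detections assigned to Alex*."
    return
}

# 3. Expand the IDs into full detection records (POST with a JSON id list).
$body = ConvertTo-Json -InputObject @{ ids = @($ids) }   # @() keeps a single id as an array
$detections = (Invoke-RestMethod -Method Post -Uri "$BaseUrl/detects/entities/summaries/GET/v1" `
                  -Headers $headers -ContentType 'application/json' -Body $body).resources

$detections |
    Select-Object detection_id, status, assigned_to_name, max_severity_displayname,
                  @{ n = 'hostname'; e = { $_.device.hostname } }, first_behavior |
    Sort-Object first_behavior -Descending |
    Format-Table -AutoSize
```

The wildcard only matches trailing characters, so `Alex*` will also return detections assigned to anyone else whose display name starts with "Alex"; if the team has more than one such analyst, use the full display name instead of the prefix.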
The Process Activity View provides a rows-and-columns style view of the events generated in a detection. Why might this be helpful?
Answer(s): A
The Process Activity View lists every event recorded for a process involved in a detection in a rows-and-columns table rather than in the graphical process tree. This is helpful because it gives you a consolidated view of all the detection's events for that process that can be exported (for example to CSV) for further analysis in a spreadsheet or SIEM, and because a tabular view lets you sort, filter and pivot on fields such as event type, timestamp, file name, registry key and network destination, which is much faster than clicking through nodes in the tree when a process has generated hundreds of events.
Post your Comments and Discuss CrowdStrike CCFR-201 exam with other Community members:
Blue Commented on June 09, 2025 Interesting questions from exam perspective AUSTRALIA