Free CCFR-201 Exam Braindumps (page: 5)

You notice that taskeng.exe is one of the processes involved in a detection.
What activity should you investigate next?

  A. User logons after the detection
  B. Executions of schtasks.exe after the detection
  C. Scheduled tasks registered prior to the detection
  D. Pivot to a Hash search for taskeng.exe

Answer(s): C

Explanation:

According to the Microsoft website, taskeng.exe is a legitimate Windows process that is responsible for running scheduled tasks. However, some malware may use this process, or create a fake one, to execute malicious code. Therefore, if you notice taskeng.exe involved in a detection, you should investigate whether any scheduled tasks registered prior to the detection may have triggered it or injected into it. You can use tools such as schtasks.exe or Task Scheduler to view or manage scheduled tasks.



Where can you find hosts that are in Reduced Functionality Mode?

  A. Event Search
  B. Executive Summary dashboard
  C. Host Search
  D. Installation Tokens

Answer(s): C

Explanation:

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Reduced Functionality Mode (RFM) is a state in which a host's sensor has limited functionality for various reasons, such as license expiration, network issues, or tampering attempts. You can find hosts that are in RFM by using the Host Search tool and filtering by Sensor Status = RFM. You can also view details about why a host is in RFM by clicking on its hostname.



From the Detections page, how can you view 'in-progress' detections assigned to Falcon Analyst Alex?

  A. Filter on 'Analyst: Alex'
  B. Alex does not have the correct role permissions as a Falcon Analyst to be assigned detections
  C. Filter on 'Hostname: Alex' and 'Status: In-Progress'
  D. Filter on 'Status: In-Progress' and 'Assigned-to: Alex*'

Answer(s): D

Explanation:

According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the Detections page allows you to view and manage detections generated by the CrowdStrike Falcon platform. You can use various filters to narrow down the detections based on criteria such as status, severity, tactic, and technique. To view 'in-progress' detections assigned to Falcon Analyst Alex, filter on 'Status: In-Progress' and 'Assigned-to: Alex*'. The asterisk (*) is a wildcard that matches any characters after Alex.



The Process Activity View provides a rows-and-columns style view of the events generated in a detection.
Why might this be helpful?

  A. The Process Activity View creates a consolidated view of all detection events for that process that can be exported for further analysis
  B. The Process Activity View will show the Detection time of the earliest recorded activity which might indicate first affected machine
  C. The Process Activity View only creates a summary of Dynamic Link Libraries (DLLs) loaded by a process
  D. The Process Activity View creates a count of event types only, which can be useful when scoping the event

Answer(s): A

Explanation:

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Activity View lets you see all events generated by a process involved in a detection in a rows-and-columns style view. This is helpful because it creates a consolidated view of all detection events for that process that can be exported for further analysis. You can also sort, filter, and pivot on the events by fields such as event type, timestamp, file name, registry key, and network destination.
