Free CCFR-201 Exam Braindumps (page: 6)


After running an Event Search, you can select many Event Actions depending on your results.
Which of the following is NOT an option for any Event Action?

  A. Draw Process Explorer
  B. Show a +/- 10-minute window of events
  C. Show a Process Timeline for the responsible process
  D. Show Associated Event Data (from TargetProcessId_decimal or ContextProcessId_decimal)

Answer(s): A

Explanation:

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Event Search tool allows you to search for events based on various criteria, such as event type, timestamp, hostname, IP address, etc. You can also select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events, etc. However, there is no option to draw a process explorer, which is a graphical representation of the process hierarchy and activity.



Which option indicates a hash is allowlisted?

  A. No Action
  B. Allow
  C. Ignore
  D. Always Block

Answer(s): B

Explanation:

According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the allowlist feature allows you to exclude files or directories from being scanned or blocked by CrowdStrike's machine learning engine or indicators of attack (IOAs). This can reduce false positives and improve performance.
When you allowlist a hash, you are allowing that file to execute on any host that belongs to your organization's CID (customer ID). The option that indicates a hash is allowlisted is "Allow".



Which of the following tactic and technique combinations is sourced from MITRE ATT&CK information?

  A. Falcon Intel via Intelligence Indicator - Domain
  B. Machine Learning via Cloud-Based ML
  C. Malware via PUP
  D. Credential Access via OS Credential Dumping

Answer(s): D

Explanation:

According to the MITRE ATT&CK website, MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques: tactics are the high-level goals of an adversary, such as initial access, persistence, or lateral movement, and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, or remote file copy. Credential Access via OS Credential Dumping is an example of a tactic and technique combination sourced from MITRE ATT&CK information; it describes how adversaries obtain credentials from operating system memory or disk storage using tools such as Mimikatz or ProcDump.



What do IOA exclusions help you achieve?

  A. Reduce false positives based on Next-Gen Antivirus settings in the Prevention Policy
  B. Reduce false positives of behavioral detections from IOA-based detections only
  C. Reduce false positives of behavioral detections from IOA-based detections based on a file hash
  D. Reduce false positives of behavioral detections from Custom IOA and OverWatch detections only

Answer(s): B

Explanation:

According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike's indicators of attack (IOAs), which are behavioral rules that identify malicious activities. This can reduce false positives and improve performance. IOA exclusions apply only to IOA-based detections, not to other types of detections such as machine learning, custom IOA, or OverWatch.


