Free CCFR-201 Exam Braindumps (page: 7)

When reviewing a Host Timeline, which of the following filters is available?

  A. Severity
  B. Event Types
  C. User Name
  D. Detection ID

Answer(s): B

Explanation:

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Host Timeline tool allows you to view all events recorded by the sensor for a given host in chronological order. The events include process executions, file writes, registry modifications, network connections, user logins, etc. You can use various filters to narrow down the events based on criteria such as event type, timestamp range, file name, registry key, network destination, etc. However, there is no filter for severity, user name, or detection ID, as these are not attributes of the events.

In the "Full Detection Details", which view will provide an exportable text listing of events like DNS requests, Registry Operations, and Network Operations?

  A. The data is unable to be exported
  B. View as Process Tree
  C. View as Process Timeline
  D. View as Process Activity

Answer(s): D

Explanation:

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Full Detection Details tool allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process activity view provides a rows-and-columns style view of the events, such as DNS requests, registry operations, network operations, etc. You can also export this view to a CSV file for further analysis.

When examining a raw DNS request event, you see a field called ContextProcessId_decimal.
What is the purpose of that field?

  A. It contains the TargetProcessId_decimal value for other related events
  B. It contains an internal value not useful for an investigation
  C. It contains the ContextProcessId_decimal value for the parent process that made the DNS request
  D. It contains the TargetProcessId_decimal value for the process that made the DNS request

Answer(s): D

Explanation:

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ContextProcessId_decimal field contains the decimal value of the process ID of the process that generated the event. This field can be used to trace the process lineage and identify malicious or suspicious activities. For a DNS request event, this field indicates which process made the DNS request.

You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search.
What can be determined from the results?

  A. Identifies a detailed list of all process executions for the specified hashes
  B. Identifies hosts that loaded or executed the specified hashes
  C. Identifies users associated with the specified hashes
  D. Identifies detections related to the specified hashes

Answer(s): B

Explanation:

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Execution Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that loaded or executed those hashes. You can also see a count of detections and incidents related to those hashes.
