CCFR-201 PDF practice questions, most recently updated 2024-05-23 [Q22-Q45] | PassTest (2024)


CCFR-201 PDF practice questions, most recently updated 2024-05-23

CCFR-201 exam questions: valid CCFR-201 question set PDF

Question # 22
From a detection, what is the fastest way to see children and sibling process information?

  • A. Select Full Detection Details from the detection
  • B. Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessId_decimal)
  • C. Right-click the process and select "Follow Process Chain"
  • D. Select the Process Timeline feature, enter the AID, Target Process ID, and Parent Process ID

Correct answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Full Detection Details tool allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process tree view provides a graphical representation of the process hierarchy and activity. You can see children and sibling process information by expanding or collapsing nodes in the tree.


Question # 23
The Bulk Domain Search tool contains Domain information along with which of the following?

  • A. Threat Actor Information
  • B. IP Lookup Information
  • C. Process Information
  • D. Port Information

Correct answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Bulk Domain Search tool allows you to search for one or more domains and view a summary of information from Falcon events that contain those domains. The summary includes the domain name, IP address, country, city, ISP, ASN, geolocation, hostname, sensor ID, OS, process name, command line, and organizational unit of the host that communicated with those domains. This means that the tool contains domain information along with IP lookup information.


Question # 24
Which is TRUE regarding a file released from quarantine?

  • A. No executions are allowed for 14 days after release
  • B. It will not generate future machine learning detections on the associated host
  • C. It is deleted
  • D. It is allowed to execute on all hosts

Correct answer: D

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.


Question # 25
When analyzing an executable with a global prevalence of Common, but you do not know what the executable is, what is the best course of action?

  • A. Do nothing, as this file is common and well known
  • B. From detection, click the VT Hash button to pivot to VirusTotal to investigate further
  • C. From detection, submit to FalconX for deep dive analysis
  • D. From detection, use API manager to create a custom blocklist

Correct answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, global prevalence is a field that indicates how frequently the hash of a file is seen across all CrowdStrike customer environments. A global prevalence of Common means that the file is widely distributed and likely benign. However, if you do not know what the executable is, you may want to investigate it further to confirm its legitimacy and functionality. One way to do that is to click the VT Hash button from the detection, which will pivot you to VirusTotal, a service that analyzes files and URLs for viruses, malware, and other threats. You can then see more information about the file, such as its name, size, type, signatures, detections, comments, etc.


Question # 26
How long does detection data remain in the CrowdStrike Cloud before purging begins?

  • A. 90 Days
  • B. 30 Days
  • C. 45 Days
  • D. 14 Days

Correct answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, detection data is stored in the CrowdStrike Cloud for 90 days before purging begins. This means that you can access and view detections from the past 90 days using the Falcon platform or API. If you want to retain detection data for longer than 90 days, you can use FDR to replicate it to your own storage system.


Question # 27
After pivoting to an event search from a detection, you locate the ProcessRollup2 event. Which two field values are you required to obtain to perform a Process Timeline search so you can determine what the process was doing?

  • A. SHA256 and ParentProcessId_decimal
  • B. aid and TargetProcessId_decimal
  • C. aid and ParentProcessId_decimal
  • D. SHA256 and TargetProcessId_decimal

Correct answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline search requires two parameters: aid (agent ID) and TargetProcessId_decimal (the decimal value of the process ID). These fields can be obtained from the ProcessRollup2 event, which contains information about processes that have executed on a host.


Question # 28
In the "Full Detection Details", which view will provide an exportable text listing of events like DNS requests, Registry Operations, and Network Operations?

  • A. View as Process Timeline
  • B. View as Process Tree
  • C. The data is unable to be exported
  • D. View as Process Activity

Correct answer: D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Full Detection Details tool allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process activity view provides a rows-and-columns style view of the events, such as DNS requests, registry operations, network operations, etc. You can also export this view to a CSV file for further analysis.


Question # 29
What happens when a hash is set to Always Block through IOC Management?

  • A. Execution is prevented on selected host groups
  • B. Execution is prevented and detection alerts are suppressed
  • C. The hash is submitted for approval to be blocked from execution once confirmed by Falcon specialists
  • D. Execution is prevented on all hosts by default

Correct answer: D

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOC Management allows you to manage indicators of compromise (IOCs), which are artifacts such as hashes, IP addresses, or domains that are associated with malicious activities. You can set different actions for IOCs, such as Allow, No Action, or Always Block. When you set a hash to Always Block through IOC Management, you are preventing that file from executing on any host in your organization by default. This action also generates a detection alert when the file is blocked.


Question # 30
You are reviewing the raw data in an event search from a detection tree. You find a FileOpenInfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?

  • A. ContextProcessId_decimal and aid
  • B. ParentProcessId_decimal and aid
  • C. ResponsibleProcessId_decimal and aid
  • D. TargetProcessId_decimal and aid

Correct answer: D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. The tool requires two parameters: aid (agent ID) and TargetProcessId_decimal (the decimal value of the process ID). These fields can be obtained from any event that involves the process, such as a FileOpenInfo event, which contains information about a file being opened by a process.


Question # 31
What types of events are returned by a Process Timeline?

  • A. Only detection events
  • B. All cloudable events
  • C. Only process events
  • D. Only network events

Correct answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline search returns all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. This allows you to see a comprehensive view of what a process was doing on a host.


Question # 32
What is the difference between a Host Search and a Host Timeline?

  • A. A Host Timeline only includes process execution events and user account activity
  • B. Results from a Host Timeline include process executions and related events organized by data type. A Host Search returns a temporal view of all events for the given host
  • C. There is no difference - Host Search and Host Timeline are different names for the same search page
  • D. Results from a Host Search return information in an organized view by type, while a Host Timeline returns a view of all events recorded by the sensor

Correct answer: D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Host Search allows you to search for hosts based on various criteria, such as hostname, IP address, OS, etc. The results are displayed in an organized view by type, such as detections, incidents, processes, network connections, etc. The Host Timeline allows you to view all events recorded by the sensor for a given host in chronological order. The events include process executions, file writes, registry modifications, network connections, user logins, etc.


Question # 33
How long are quarantined files stored on the host?

  • A. 30 Days
  • B. 45 Days
  • C. 90 Days
  • D. Quarantined files are never deleted from the host

Correct answer: D

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, quarantined files are never deleted from the host unless you manually delete them or release them from quarantine. When you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.


Question # 34
What is an advantage of using the IP Search tool?

  • A. IP searches allow for multiple comma separated IPv6 addresses as input
  • B. IP searches provide manufacturer and timezone data that cannot be accessed anywhere else
  • C. IP searches provide host, process, and organizational unit data without the need to write a query
  • D. IP searches offer shortcuts to launch response actions and network containment on target hosts

Correct answer: C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the IP Search tool allows you to search for an IP address and view a summary of information from Falcon events that contain that IP address. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that communicated with that IP address. This is an advantage of using the IP Search tool because it provides host, process, and organizational unit data without the need to write a query.


Question # 35
Within the MITRE-Based Falcon Detections Framework, what is the correct way to interpret Keep Access > Persistence > Create Account?

  • A. An adversary is trying to keep access through persistence using application skimming
  • B. An adversary is trying to keep access through persistence using browser extensions
  • C. An adversary is trying to keep access through persistence using external remote services
  • D. An adversary is trying to keep access through persistence by creating an account

Correct answer: D

Explanation:
According to the [CrowdStrike website], the MITRE-Based Falcon Detections Framework is a way of categorizing and describing detections based on the MITRE ATT&CK knowledge base of adversary behaviors and techniques. The framework uses three levels of granularity: category, tactic, and technique. The category is the highest level and represents the main objective of an adversary, such as initial access, execution, credential access, etc. The tactic is the second level and represents the sub-objective of an adversary within a category, such as persistence, privilege escalation, defense evasion, etc. The technique is the lowest level and represents the specific way an adversary can achieve a tactic, such as create account, modify registry, obfuscated files or information, etc. Therefore, the correct way to interpret Keep Access > Persistence > Create Account is that an adversary is trying to keep access through persistence by creating an account.


Question # 36
What happens when a quarantined file is released?

  • A. It is allowed to execute on the host
  • B. It is deleted
  • C. It is moved into the C:\CrowdStrike\Quarantine\Released folder on the host
  • D. It is allowed to execute on all hosts

Correct answer: D

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.


Question # 37
The Process Activity View provides a rows-and-columns style view of the events generated in a detection. Why might this be helpful?

  • A. The Process Activity View creates a count of event types only, which can be useful when scoping the event
  • B. The Process Activity View creates a consolidated view of all detection events for that process that can be exported for further analysis
  • C. The Process Activity View only creates a summary of Dynamic Link Libraries (DLLs) loaded by a process
  • D. The Process Activity View will show the Detection time of the earliest recorded activity which might indicate first affected machine

Correct answer: B

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Activity View allows you to view all events generated by a process involved in a detection in a rows-and-columns style view. This can be helpful because it creates a consolidated view of all detection events for that process that can be exported for further analysis. You can also sort, filter, and pivot on the events by various fields, such as event type, timestamp, file name, registry key, network destination, etc.


Question # 38
Which Executive Summary dashboard item indicates sensors running with unsupported versions?

  • A. Active Sensors
  • B. Inactive Sensors
  • C. Detections by Severity
  • D. Sensors in RFM

Correct answer: D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Executive Summary dashboard provides an overview of your sensor health and activity. It includes various items, such as Active Sensors, Inactive Sensors, Detections by Severity, etc. The item that indicates sensors running with unsupported versions is Sensors in RFM (Reduced Functionality Mode). RFM is a state where a sensor has limited functionality due to various reasons, such as license expiration, network issues, tampering attempts, or unsupported versions. You can see the number and percentage of sensors in RFM and the reasons why they are in RFM.


Question # 39
When examining a raw DNS request event, you see a field called ContextProcessId_decimal. What is the purpose of that field?

  • A. It contains an internal value not useful for an investigation
  • B. It contains the TargetProcessId_decimal value for other related events
  • C. It contains the TargetProcessId_decimal value for the process that made the DNS request
  • D. It contains the ContextProcessId_decimal value for the parent process that made the DNS request

Correct answer: C

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ContextProcessId_decimal field contains the decimal value of the process ID of the process that generated the event. This field can be used to trace the process lineage and identify malicious or suspicious activities. For a DNS request event, this field indicates which process made the DNS request.


Question # 40
What do IOA exclusions help you achieve?

  • A. Reduce false positives of behavioral detections from Custom IOA and OverWatch detections only
  • B. Reduce false positives based on Next-Gen Antivirus settings in the Prevention Policy
  • C. Reduce false positives of behavioral detections from IOA based detections only
  • D. Reduce false positives of behavioral detections from IOA based detections based on a file hash

Correct answer: C

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike's indicators of attack (IOAs), which are behavioral rules that identify malicious activities. This can reduce false positives and improve performance. IOA exclusions only apply to IOA based detections, not other types of detections such as machine learning, custom IOA, or OverWatch.


Question # 41
Which of the following is NOT a filter available on the Detections page?

  • A. Triggering File
  • B. CrowdScore
  • C. Severity
  • D. Time

Correct answer: A

Explanation:
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Detections page allows you to view and manage detections generated by the CrowdStrike Falcon platform. You can use various filters to narrow down the detections based on criteria such as severity, CrowdScore, time, tactic, technique, etc. However, there is no filter for triggering file, which is the file that caused the detection.


Question # 42
How does a DNSRequest event link to its responsible process?

  • A. Via both its ContextProcessId_decimal and ParentProcessId_decimal fields
  • B. Via its TargetProcessId_decimal field
  • C. Via its ParentProcessId_decimal field
  • D. Via its ContextProcessId_decimal field

Correct answer: D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, a DNSRequest event contains information about a DNS query made by a process. The event has several fields, such as DomainName, QueryType, QueryResponseCode, etc. The field that links a DNSRequest event to its responsible process is ContextProcessId_decimal, which contains the decimal value of the process ID of the process that generated the event. You can use this field to trace the process lineage and identify malicious or suspicious activities.


Question # 43
Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?

  • A. In Full Detection Details, you choose the "View Process Activity" option and then export from that view
  • B. From the Detections Dashboard, you right-click the event type you wish to export and choose CSV, JSON or XML
  • C. In Full Detection Details, you expand the nodes of the process tree you wish to expand and then click the "Export Process Events" button
  • D. You can't export detailed event data from a detection, you have to use the Process Timeline or an Event Search

Correct answer: A

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, there are three ways to export process event data from a detection in .CSV format:

  • You can use the Process Timeline tool and click the "Export CSV" button at the top right corner.
  • You can use the Event Search tool, select one or more events, and click the "Export CSV" button at the top right corner.
  • You can use the Full Detection Details tool and choose the "View Process Activity" option from any process node in the process tree view. This will show you all events generated by that process in a rows-and-columns style view. You can then click the "Export CSV" button at the top right corner.


Question # 44
What is an advantage of using a Process Timeline?

  • A. Processes responsible for spikes in CPU performance are displayed over time
  • B. A visual representation of Parent-Child and Sibling process relationships is provided
  • C. Suspicious processes are color-coded based on their frequency and legitimacy over time
  • D. Process related events can be filtered to display specific event types

Correct answer: D

Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. You can also filter the events by various criteria, such as event type, timestamp range, file name, registry key, network destination, etc. This is an advantage of using the Process Timeline tool because it allows you to focus on specific events that are relevant to your investigation.


Question # 45
......

The CCFR-201 question set for exam preparation contains 63 questions: https://www.passtest.jp/CrowdStrike/CCFR-201-shiken.html

Author: Eusebia Nader

Last Updated:

Views: 5444

Rating: 5 / 5 (60 voted)

Reviews: 83% of readers found this page helpful

Author information

Name: Eusebia Nader

Birthday: 1994-11-11

Address: Apt. 721 977 Ebert Meadows, Jereville, GA 73618-6603

Phone: +2316203969400

Job: International Farming Consultant

Hobby: Reading, Photography, Shooting, Singing, Magic, Kayaking, Mushroom hunting

Introduction: My name is Eusebia Nader, I am a encouraging, brainy, lively, nice, famous, healthy, clever person who loves writing and wants to share my knowledge and understanding with you.