Easily To Pass New CCFR-201 Verified & Correct Answers [May 13, 2024 [Q37-Q56]

Posted On May 13, 2024

Easily To Pass New CCFR-201 Verified & Correct Answers [May 13, 2024

Free CCFR-201 Exam Files Downloaded Instantly

NO.37 The function of Machine Learning Exclusions is to___________.

stop all detections for a specific pattern ID

stop all sensor data collection for the matching path(s)

Stop all Machine Learning Preventions but a detection will still be generated and files will still be uploaded to the CrowdStrike Cloud

stop all ML-based detections and preventions for the matching path(s) and/or stop files from being uploaded to the CrowdStrike Cloud

NO.38 When examining raw event data, what is the purpose of the field called ParentProcessld_decimal?

It contains an internal value not useful for an investigation

It contains the TargetProcessld_decimal value of the child process

It contains the Sensorld_decimal value for related events

It contains the TargetProcessld_decimal of the parent process

NO.39 Where are quarantined files stored on Windows hosts?

WindowsQuarantine

WindowsSystem32DriversCrowdStrikeQuarantine

WindowsSystem32

WindowstempDriversCrowdStrikeQuarantine

NO.40 The Bulk Domain Search tool contains Domain information along with which of the following?

Process Information

Port Information

IP Lookup Information

Threat Actor Information

NO.41 In the “Full Detection Details”, which view will provide an exportable text listing of events like DNS requests.
Registry Operations, and Network Operations?

Thedata is unable to be exported

View as Process Tree

View as Process Timeline

View as Process Activity

NO.42 You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the following?

ProcessTimeline Link

PID

UTCtime

Process ID or Parent Process ID

NO.43 When you configure and apply an IOA exclusion, what impact does it have on the host and what you see in the console?

The process specified is not sent to the Falcon Sandbox for analysis

The associated detection will be suppressed and the associated process would have been allowed to run

The sensor will stop sending events from the process specified in the regex pattern

The associated IOA will still generate a detection but the associated process would have been allowed to run

NO.44 You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?

Identifies a detailed list of all process executions for the specified hashes

Identifies hosts that loaded or executed the specified hashes

Identifies users associated with the specified hashes

Identifies detections related to the specified hashes

NO.45 After running an Event Search, you can select many Event Actions depending on your results. Which of the following is NOT an option for any Event Action?

Draw Process Explorer

Show a +/- 10-minute window of events

Show a Process Timeline for the responsible process

Show Associated Event Data (from TargetProcessld_decimal or ContextProcessld_decimal)

NO.46 What does pivoting to an Event Search from a detection do?

It gives you the ability to search for similar events on other endpoints quickly

It takes you to the raw Insight event data and provides you with a number of Event Actions

It takes you to a Process Timeline for that detection so you can see all related events

It allows you to input an event type, such as DNS Request or ASEP write, and search for those events within the detection

NO.47 Which of the following is an example of a MITRE ATT&CK tactic?

Eternal Blue

Defense Evasion

Emotet

Phishing

NO.48 Within the MITRE-Based Falcon Detections Framework, what is the correct way to interpret Keep Access > Persistence > Create Account?

An adversary is trying to keep access through persistence by creating an account

An adversary is trying to keep access through persistence using browser extensions

An adversary is trying to keep access through persistence using external remote services

adversary is trying to keep access through persistence using application skimming

NO.49 What happens when a hash is set to Always Block through IOC Management?

Execution is prevented on all hosts by default

Execution is prevented on selected host groups

Execution is prevented and detection alerts are suppressed

The hash is submitted for approval to be blocked from execution once confirmed by Falcon specialists

NO.50 Which of the following is returned from the IP Search tool?

IP Summary information from Falcon events containing the given IP

Threat Graph Data for the given IP from Falcon sensors

Unmanaged host data from system ARP tables for the given IPD.IP Detection Summary information for detection events containing the given IP

NO.51 What types of events are returned by a Process Timeline?

Only detection events

All cloudable events

Only process events

Only network events

NO.52 When analyzing an executable with a global prevalence of common; but you do not know what the executable is. what is the best course of action?

Do nothing, as this file is common and well known

From detection, click the VT Hash button to pivot to VirusTotal to investigate further

From detection, use API manager to create a custom blocklist

From detection, submit to FalconX for deep dive analysis

NO.53 What is an advantage of using a Process Timeline?

Process related events can be filtered to display specific event types

Suspicious processes are color-coded based on their frequency and legitimacy over time

Processes responsible for spikes in CPU performance are displayed overtime

A visual representation of Parent-Child and Sibling process relationships is provided

NO.54 Which of the following tactic and technique combinations is sourced from MITRE ATT&CK information?

Falcon Intel via Intelligence Indicator – Domain

Machine Learning via Cloud-Based ML