Curious about Actual CrowdStrike CCFR (CCFR-201) Exam Questions?

Here are sample CrowdStrike Certified Falcon Responder (CCFR-201) exam questions from the real exam. You can get more CrowdStrike CCFR (CCFR-201) exam premium practice questions at TestInsights.

Page: 1 / 12
Total 60 questions
Question 1

How does a DNSRequest event link to its responsible process?


Correct : C

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, a DNSRequest event contains information about a DNS query made by a process. The event has several fields, such as DomainName, QueryType, QueryResponseCode, etc. The field that links a DNSRequest event to its responsible process is ContextProcessId_decimal, which contains the decimal value of the process ID of the process that generated the event. You can use this field to trace the process lineage and identify malicious or suspicious activity.


Question 2

What information does the MITRE ATT&CK Framework provide?


Correct : C

According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. The knowledge base also covers different platforms that adversaries target, such as Windows, Linux, Mac, Android, iOS, etc., and different phases of an adversary's lifecycle, such as reconnaissance, resource development, execution, command and control, etc.


Question 3

When you configure and apply an IOA exclusion, what impact does it have on the host and on what you see in the console?


Correct : B

According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike's indicators of attack (IOAs), which are behavioral rules that identify malicious activity. This can reduce false positives and improve performance. When you configure and apply an IOA exclusion, the impact is that the associated detection is suppressed and the associated process is allowed to run. This means that you will not see any alerts or events related to that IOA in the console.


Question 4

When analyzing an executable with a global prevalence of "common", but you do not know what the executable is, what is the best course of action?


Correct : B

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, global prevalence is a field that indicates how frequently the hash of a file is seen across all CrowdStrike customer environments. A global prevalence of "common" means that the file is widely distributed and likely benign. However, if you do not know what the executable is, you may want to investigate it further to confirm its legitimacy and functionality. One way to do that is to click the VT Hash button from the detection, which pivots you to VirusTotal, a service that analyzes files and URLs for viruses, malware, and other threats. You can then see more information about the file, such as its name, size, type, signatures, detections, comments, etc.


Question 5

You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the following?


Correct : D

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. The tool requires two parameters: aid (agent ID) and TargetProcessId_decimal (the decimal value of the process ID). You can jump to a Process Timeline from many views, such as Hash Search, Host Timeline, Event Search, etc., by clicking on either the Process ID or Parent Process ID field in those views. This automatically populates the aid and TargetProcessId_decimal parameters for the Process Timeline tool.
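The linkage described in Question 1 and Question 5 (DNSRequest.ContextProcessId_decimal pointing at a process's TargetProcessId_decimal, scoped by aid) as an added example; this is not code from the exam page or from CrowdStrike, and the event dicts are constructed sample data in the field names the page uses:

```python
# Added example, not from the exam page or CrowdStrike: join Falcon DNSRequest
# events to the ProcessRollup2 event of the process that issued them. Field
# names follow the page; the event dicts are constructed sample data.

# Constructed ProcessRollup2 events (one per process start).
PROCESS_EVENTS = [
    {"aid": "host-A", "TargetProcessId_decimal": 100, "ParentProcessId_decimal": 1,
     "ImageFileName": r"C:\Windows\explorer.exe"},
    {"aid": "host-A", "TargetProcessId_decimal": 200, "ParentProcessId_decimal": 100,
     "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Same numeric PID on another host: the join key must include aid.
    {"aid": "host-B", "TargetProcessId_decimal": 200, "ParentProcessId_decimal": 1,
     "ImageFileName": r"C:\Windows\System32\svchost.exe"},
]

# Constructed DNSRequest events; ContextProcessId_decimal is the link field.
DNS_EVENTS = [
    {"aid": "host-A", "ContextProcessId_decimal": 200, "DomainName": "updates.example.net"},
    {"aid": "host-B", "ContextProcessId_decimal": 200, "DomainName": "time.example.org"},
    {"aid": "host-A", "ContextProcessId_decimal": 999, "DomainName": "orphan.example"},
]


def index_processes(process_events):
    """Key every ProcessRollup2 by (aid, TargetProcessId_decimal)."""
    return {(e["aid"], e["TargetProcessId_decimal"]): e for e in process_events}


def lineage(procs, aid, pid, max_depth=32):
    """Walk ParentProcessId_decimal upward; returns image names, child first."""
    chain = []
    while (aid, pid) in procs and len(chain) < max_depth:
        proc = procs[(aid, pid)]
        chain.append(proc["ImageFileName"])
        pid = proc["ParentProcessId_decimal"]
    return chain


def link_dns_to_process(dns_events, process_events):
    """Map each DomainName to its responsible process and Process Timeline params."""
    procs = index_processes(process_events)
    out = {}
    for d in dns_events:
        key = (d["aid"], d["ContextProcessId_decimal"])
        proc = procs.get(key)  # None: no ProcessRollup2 for that PID was ingested
        out[d["DomainName"]] = {
            "timeline_params": {"aid": key[0], "TargetProcessId_decimal": key[1]},
            "image": proc["ImageFileName"] if proc else None,
            "lineage": lineage(procs, *key),
        }
    return out
```

The "timeline_params" pair is exactly what the Process Timeline tool needs, and a None image flags a query whose process start was never ingested, which deserves a look rather than silent dropping.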

