CrowdStrike CCFR-201 Exam Practice Questions (P. 3)
Question #11
What action is used when you want to save a prevention hash for later use?
- A. Always Block
- B. Never Block
- C. Always Allow
- D. No Action (Most Voted)
Correct Answer: A

Always Block is indeed the correct answer for saving a prevention hash for later use. By selecting 'Always Block', the Falcon platform catalogs the hash as harmful, ensuring it’s watched and blocked in future encounters across all protected systems. This is essential for maintaining consistent security standards and preventing malware from re-entering your network environment.
Question #12
You receive an email from a third-party vendor that one of their services is compromised, the vendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?
- A. IP Addresses
- B. Remote or Network Logon Activity
- C. Remote Access Graph
- D. Hash Executions
Correct Answer: A

Absolutely, plugging that specific IP address under the 'IP Addresses' section is right on the money. This part of the Falcon interface is designed to directly track activity connected to IP indicators, helping you zero in on potential security events linked to that IP. This way, you can quickly see if it impacted your environment and take the necessary actions! Super useful for a speedy response.
Question #13
You are reviewing the raw data in an event search from a detection tree. You find a FileOpenInfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?
- A. ParentProcessId_decimal and aid
- B. ResponsibleProcessId_decimal and aid
- C. ContextProcessId_decimal and aid
- D. TargetProcessId_decimal and aid (Most Voted)
Correct Answer: B

To track which files were opened by a specific process in the event search, you'll indeed need the 'ResponsibleProcessId_decimal' alongside the 'aid.' These fields are critical as they directly link the file activity to the correct process and aid identifies the device concerned, ensuring accurate and narrowed down tracking in a crowded data environment. Always double-check field names in your dataset since terminology might slightly differ in various interfaces or updates.
Question #14
How long are quarantined files stored in the CrowdStrike Cloud?
- A. 45 Days
- B. 90 Days (Most Voted)
- C. 30 Days
- D. Quarantined files are not deleted
Correct Answer: B

Quarantined files in the CrowdStrike Cloud are automatically deleted 90 days after the date of quarantine. It's important to distinguish between deletion timelines on hosts, where files are deleted after 30 days, and the cloud, where the duration extends to 90 days. This distinction is crucial to managing your cybersecurity protocols effectively.
Question #15
You are notified by a third-party that a program may have redirected traffic to a malicious domain. Which Falcon page will assist you in searching for any domain request information related to this notice?
- A. Falcon X
- B. Investigate (Most Voted)
- C. Discover
- D. Spotlight
Correct Answer: B

The Investigate page in Falcon is the go-to resource when you're looking into domain request information, especially following alerts about potentially malicious activity. It's specifically designed to help you dig into the details and context around such notifications, ensuring you can trace and understand the pathways of suspicious traffic efficiently.