Free CrowdStrike CCFR-201b Practice Exam with Questions & Answers | Set: 4

Question 31

A responder is explaining the quarantine process to a system administrator. What happens technically when a file is quarantined by the Falcon sensor?

Options:
A.

It is deleted from the disk and a log is sent to the cloud.

B.

It is moved to the CrowdStrike Cloud and removed from the local host immediately.

C.

It is compressed, password protected, and moved to the Quarantine folder on the endpoint.

D.

It is renamed to a .tmp extension and moved to the Windows Recycle Bin.

Question 32

Which Executive Summary dashboard item indicates sensors running with unsupported versions?

Options:
A.

Detections by Severity

B.

Inactive Sensors

C.

Sensors in RFM

D.

Active Sensors

Question 33

CrowdScore is a metric used to identify the severity of an ongoing incident. What percentage of increase in a CrowdScore is considered a strong indication of a coordinated attack?

Options:
A.

10%

B.

20%

C.

50%

D.

100%

Question 34

Responders use 'IP Search' to track connections to malicious infrastructure. Which of the following statements about the IP Search is FALSE?

Options:
A.

It identifies every host that connected to a specific IP.

B.

It provides Intel data if the IP is known to CrowdStrike.

C.

The search only allows for one IP to be entered at a time.

D.

It shows the first and last time the IP was seen in the environment.

Question 35

While reviewing the high-level organizational structure of a complex detection in the Falcon console, a responder identifies several layers of activity. Which of the following is NOT officially recognized as an Objective Layer within the CrowdStrike detection hierarchy?

Options:
A.

Contact Controlled Systems

B.

Lateral Movement

C.

Gain Access

D.

Follow Through

Question 36

CrowdStrike provides 'Overwatch Best Practices' for triaging alerts. According to these guidelines, what is the next step a responder should take immediately after the 'Understand the detection' step?

Options:
A.

Isolate the host from the network.

B.

Review the process tree to understand the origin of the activity.

C.

Perform an OSINT search for the suspicious hash.

D.

Resolve the detection as a True Positive.

Question 37

You find a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?

Options:
A.

Identifies a detailed list of all process executions for the specified hashes

B.

Identifies hosts that loaded or executed the specified hashes

C.

Identifies users associated with the specified hashes

D.

Identifies detections related to the specified hashes

Question 38

In various telemetry events like 'FileWrite' or 'NetworkConnect', Falcon identifies the process that performed the action. Which field will always identify this "acting" process?

Options:
A.

ContextProcessId_decimal

B.

TargetProcessId_decimal

C.

ParentProcessId_decimal

D.

OwnerProcessId_decimal

Question 39

A list of managed and unmanaged neighbors for an endpoint can be found:

Options:
A.

by using Hosts page in the Investigate tool

B.

by reviewing "Groups" in Host Management under the Hosts page

C.

under "Audit" by running Sensor Visibility Exclusions Audit

D.

only by searching event data using Event Search

Question 40

A security responder is investigating a detection where a low-privileged process attempted to manipulate a system token to gain administrative rights. Within the specific terminology used by the Falcon console, 'Privilege Escalation' is classified as a:

Options:
A.

Technique

B.

Tactic

C.

Objective

D.

Indicator