
[May-2025] CCFR-201 (CrowdStrike Certified Falcon Responder) practice questions with answers and explanations
NEW QUESTION # 37
In Full Detection Details, which view provides an exportable text listing of events such as DNS requests, registry operations, and network operations?
- A. View as Process Tree
- B. View as Process Timeline
- C. The data cannot be exported
- D. View as Process Activity
Answer: D
Explanation:
Full Detection Details shows the detection's ID, severity, tactic, technique and description, and lets you view the events generated by the processes involved in three ways: as a process tree, as a process timeline, or as process activity. The Process Activity view lays those events (DNS requests, registry operations, network operations and so on) out in rows and columns, and that rows-and-columns form is what can be exported to CSV for analysis outside the console.
NEW QUESTION # 38
Which of the following is NOT a filter available on the Detections page?
- A. CrowdScore
- B. Time
- C. Triggering File
- D. Severity
Answer: C
Explanation:
The Detections page lets you narrow the list with filters such as Severity, CrowdScore, Time, tactic and technique. There is no filter on the triggering file (the file whose execution raised the detection); to pivot on that file you take its hash from the detection details and run a Hash Search instead.
NEW QUESTION # 39
Which is TRUE regarding a file released from quarantine?
- A. It will not generate future machine learning detections on the associated host
- B. It is allowed to execute on all hosts
- C. No executions are allowed for 14 days after release
- D. It is deleted
Answer: B
Explanation:
Releasing a file from quarantine restores it to its original location on the host and allows it to execute on any host in your organization. The file is removed from the quarantine list and its copy is deleted from the CrowdStrike Cloud. Release does not delete the file from the host, imposes no waiting period on execution, and does not by itself suppress future machine learning detections of that file.
NEW QUESTION # 40
How long are quarantined files stored in the CrowdStrike Cloud?
- A. 90 Days
- B. Days
- C. 45 Days
- D. Quarantined files are not deleted
Answer: A
Explanation:
Quarantining a file moves it from its original location to a protected location on the host where it cannot execute; the file is encrypted and renamed with a random string of characters. A copy is also uploaded to the CrowdStrike Cloud for further analysis, where quarantined files are kept for 90 days before they are deleted.
NEW QUESTION # 41
Where are quarantined files stored on Windows hosts?
- A. Windows\Quarantine
- B. Windows\temp\Drivers\CrowdStrike\Quarantine
- C. Windows\System32\
- D. Windows\System32\Drivers\CrowdStrike\Quarantine
Answer: D
Explanation:
On Windows hosts, quarantined files are stored, encrypted and renamed with a random string, in C:\Windows\System32\Drivers\CrowdStrike\Quarantine, a location from which they cannot be executed.
NEW QUESTION # 42
After running an Event Search, you can select many Event Actions depending on your results. Which of the following is NOT an option for any Event Action?
- A. Show a +/- 10-minute window of events
- B. Draw Process Explorer
- C. Show Associated Event Data (from TargetProcessId_decimal or ContextProcessId_decimal)
- D. Show a Process Timeline for the responsible process
Answer: B
Explanation:
Event Search returns events matching criteria such as event type, timestamp, hostname or IP address. From the results you can select events and run Event Actions such as showing a Process Timeline for the responsible process, a Host Timeline, the associated event data (joined on TargetProcessId_decimal or ContextProcessId_decimal), or a +/- 10-minute window of events around the selected one. There is no "Draw Process Explorer" action; the graphical process tree is reached from a detection's Full Detection Details, not from Event Search.
NEW QUESTION # 43
What is the difference between a Host Search and a Host Timeline?
- A. A Host Timeline only includes process execution events and user account activity
- B. There is no difference - Host Search and Host Timeline are different names for the same search page
- C. Results from a Host Timeline include process executions and related events organized by data type. A Host Search returns a temporal view of all events for the given host
- D. Results from a Host Search return information in an organized view by type, while a Host Timeline returns a view of all events recorded by the sensor
Answer: D
Explanation:
A Host Search returns information about a host organized by type: detections, incidents, processes, network connections and so on. A Host Timeline returns every event the sensor recorded for that host in chronological order, including process executions, file writes, registry modifications, network connections and user logons.
NEW QUESTION # 44
You receive an email from a third-party vendor that one of their services is compromised, and the vendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?
- A. Hash Executions
- B. Remote Access Graph
- C. IP Addresses
- D. Remote or Network Logon Activity
Answer: C
Explanation:
The Investigate app provides searches keyed on specific indicator types: Hash Executions, IP Addresses, Remote or Network Logon Activity and others. For an IP address supplied by a vendor, use the IP Addresses search: enter the address and you get a summary of the Falcon events that contain it, including the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line and organizational unit of each host that communicated with that address. Remote or Network Logon Activity covers logon events rather than arbitrary network traffic, and Hash Executions takes a file hash, not an IP.
NEW QUESTION # 45
How long does detection data remain in the CrowdStrike Cloud before purging begins?
- A. 30 Days
- B. 90 Days
- C. 45 Days
- D. 14 Days
Answer: B
Explanation:
Detection data is stored in the CrowdStrike Cloud for 90 days before purging begins, so the console and API give you access to the last 90 days of detections. To retain detection data for longer, export it to your own storage, for example through the API or Falcon Data Replicator (FDR), before the window closes.
NEW QUESTION # 46
What happens when you open the full detection details?
- A. The process explorer opens and you're able to view the processes and process relationships
- B. The process explorer opens and the Event Search query is run for the detection
- C. The process explorer opens and the detection copies to the clipboard
- D. The process explorer opens and the detection is removed from the console
Answer: A
Explanation:
Opening Full Detection Details from a detection alert or dashboard item takes you to a page with the detection's ID, severity, tactic, technique and description and the events generated by the processes involved, viewable as a process tree, process timeline or process activity. The process tree view is the process explorer: a graphical representation of the process hierarchy in which you expand or collapse nodes to see the processes, their relationships, and the event types and timestamps for each. Opening it does not run an Event Search, copy anything to the clipboard, or remove the detection from the console.
NEW QUESTION # 47
What types of events are returned by a Process Timeline?
- A. Only detection events
- B. Only process events
- C. All cloudable events
- D. Only network events
Answer: C
Explanation:
A Process Timeline returns all cloudable events associated with a given process: process creation, network connections, file writes, registry modifications and so on. That gives a comprehensive view of what the process did on the host, rather than only its detection, process or network events.
NEW QUESTION # 48
When looking at the details of a detection, there are two fields called Global Prevalence and Local Prevalence.
Which answer best defines Local Prevalence?
- A. Local prevalence is the frequency with which the hash of the triggering file is seen across all CrowdStrike customer environments
- B. Local Prevalence tells you how common the hash of the triggering file is within your environment (CID)
- C. Local prevalence is the frequency with which the hash of the triggering file is seen across the entire Internet
- D. Local Prevalence is the Virus Total score for the hash of the triggering file
Answer: B
Explanation:
Global Prevalence and Local Prevalence describe how common or rare the triggering file is, keyed on its hash. Global Prevalence is how frequently that hash is seen across all CrowdStrike customer environments; Local Prevalence is how frequently it is seen within your own environment (your CID). Neither is an Internet-wide count or a VirusTotal score. Together they help gauge the risk and impact of a detection: a hash that is rare both globally and locally deserves more scrutiny than one seen on thousands of hosts.
NEW QUESTION # 49
The Falcon platform will show a maximum of how many detections per day for a single Agent Identifier (AID)?
- A. 0
- B. 1
- C. 2
- D. 3
Answer: D
Explanation:
The Falcon platform shows a maximum of 1000 detections per day for a single AID. This limit is imposed by the Falcon API used to retrieve detections from the CrowdStrike Cloud; if a host generates more than 1000 detections in a day, only the first 1000 are shown. A host that hits this ceiling is worth attention in its own right: either something is very noisy and needs an exclusion, or the volume is masking activity you need to see.
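The two limits stated on this page, the 90-day retention of detection data (question 45) and the 1000-detections-per-AID-per-day display cap (question 49), are both things a responder should check for in an exported detection list rather than discover by surprise. The following is an added example written for this page, not CrowdStrike's code: the detection records are constructed, and the `detection_id`, `aid` and `created_timestamp` field names are an assumption for illustration, not an authoritative API schema.

```python
"""Added example (editor's illustration, not CrowdStrike's code): check exported
detection records against the 90-day retention window and the 1000-per-AID-per-day
display cap this page describes."""
from collections import Counter
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90       # detection data is purged after 90 days (question 45)
PER_AID_DAILY_CAP = 1000  # maximum detections shown per AID per day (question 49)

# Constructed records; the detection_id / aid / created_timestamp field names
# are assumed for illustration, not an authoritative API schema.
DETECTIONS = [
    {"detection_id": f"ldt:hostA:{i}", "aid": "hostA",
     "created_timestamp": "2025-05-01T12:00:00Z"} for i in range(1000)
] + [
    {"detection_id": "ldt:hostB:1", "aid": "hostB", "created_timestamp": "2025-02-10T08:00:00Z"},
    {"detection_id": "ldt:hostB:2", "aid": "hostB", "created_timestamp": "2025-04-20T08:00:00Z"},
]
NOW = datetime(2025, 5, 10, tzinfo=timezone.utc)  # fixed "now" so the example is deterministic


def _ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def daily_counts(detections):
    """Number of detections per (aid, UTC date)."""
    counts = Counter()
    for d in detections:
        counts[(d["aid"], _ts(d["created_timestamp"]).date().isoformat())] += 1
    return counts


def capped_aids(detections, cap=PER_AID_DAILY_CAP):
    """(aid, date) pairs that reached the display cap. The console may be showing
    only a subset for that host, so the host is either drowning in noise (tune an
    exclusion) or hiding real activity behind it; pull its full event data rather
    than trusting the visible count."""
    return sorted(k for k, n in daily_counts(detections).items() if n >= cap)


def expiring(detections, now=NOW, warn_days=7, retention=RETENTION_DAYS):
    """Detection IDs whose retention window ends within warn_days of now: export
    these (API or FDR to your own storage) before purge if the case is still open."""
    out = []
    for d in detections:
        purge_at = _ts(d["created_timestamp"]) + timedelta(days=retention)
        if purge_at - now <= timedelta(days=warn_days):
            out.append(d["detection_id"])
    return out


if __name__ == "__main__":
    print("at display cap:", capped_aids(DETECTIONS))
    print("purged within 7 days:", expiring(DETECTIONS))
```

In the constructed data, hostA has exactly 1000 detections on one day and is flagged as capped, and hostB's detection from 2025-02-10 is one day from its purge date and is flagged for export; the same two functions run unchanged over a real export once the field names are mapped.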
NEW QUESTION # 50
What action is used when you want to save a prevention hash for later use?
- A. Always Allow
- B. No Action
- C. Always Block
- D. Never Block
Answer: B
Explanation:
Prevention hashes are saved with one of four actions: Always Block, Never Block, Always Allow, or No Action. No Action adds the hash to your prevention hashes list without blocking or allowing anything, which is how you keep a hash on file for later use. Always Block prevents the file from executing on any host in your organization based on its hash and is the action for known-malicious files; Never Block and Always Allow likewise change prevention behaviour for the hash, so none of those three merely saves it.
NEW QUESTION # 51
The function of Machine Learning Exclusions is to___________.
- A. stop all ML-based detections and preventions for the matching path(s) and/or stop files from being uploaded to the CrowdStrike Cloud
- B. Stop all Machine Learning Preventions but a detection will still be generated and files will still be uploaded to the CrowdStrike Cloud
- C. stop all sensor data collection for the matching path(s)
- D. stop all detections for a specific pattern ID
Answer: A
Explanation:
Machine Learning Exclusions stop ML-based detections and preventions for files under the excluded path(s) and/or stop those files from being uploaded to the CrowdStrike Cloud; when you create one you choose whether it covers detections, preventions and uploads, or uploads only. They are used to cut false positives on known-good paths. They do not stop sensor data collection for the path, and they are not keyed to a pattern ID.
NEW QUESTION # 52
When analyzing an executable with a global prevalence of Common, but you do not know what the executable is, what is the best course of action?
- A. From detection, submit to FalconX for deep dive analysis
- B. Do nothing, as this file is common and well known
- C. From detection, use API manager to create a custom blocklist
- D. From detection, click the VT Hash button to pivot to VirusTotal to investigate further
Answer: D
Explanation:
Global prevalence indicates how frequently the hash of a file is seen across all CrowdStrike customer environments. Common means the file is widely distributed, which makes it more likely to be benign but does not identify it, and widely deployed legitimate tooling is still abused. If you do not recognize the executable, investigate it rather than dismissing it: click the VT Hash button on the detection to pivot to VirusTotal for that hash and review the file's name, size, type, signatures, vendor detections and comments. Submitting to Falcon X or creating a custom blocklist are steps you take once you know what the file is, not before.
NEW QUESTION # 53
Within the MITRE-Based Falcon Detections Framework, what is the correct way to interpret Keep Access > Persistence > Create Account?
- A. An adversary is trying to keep access through persistence using application shimming
- B. An adversary is trying to keep access through persistence using external remote services
- C. An adversary is trying to keep access through persistence using browser extensions
- D. An adversary is trying to keep access through persistence by creating an account
Answer: D
Explanation:
The MITRE-Based Falcon Detections Framework describes a detection at three levels of granularity drawn from the MITRE ATT&CK knowledge base of adversary behaviours and techniques. The category is the adversary's objective (Keep Access in this example). The tactic is the ATT&CK tactic that serves that objective, such as Persistence, Privilege Escalation or Defense Evasion. The technique is the specific way the tactic is achieved, such as Create Account, Modify Registry or Obfuscated Files or Information. Read left to right, Keep Access > Persistence > Create Account therefore means an adversary is trying to keep access through persistence by creating an account. The other options name different persistence techniques (application shimming, external remote services, browser extensions) that are not in the path.
NEW QUESTION # 54
What is an advantage of using a Process Timeline?
- A. A visual representation of Parent-Child and Sibling process relationships is provided
- B. Suspicious processes are color-coded based on their frequency and legitimacy over time
- C. Processes responsible for spikes in CPU performance are displayed over time
- D. Process related events can be filtered to display specific event types
Answer: D
Explanation:
The Process Timeline shows all cloudable events for a given process (process creation, network connections, file writes, registry modifications and so on) and lets you filter them by criteria such as event type, timestamp range, file name, registry key or network destination, so you can focus on the events relevant to your investigation. It is a chronological listing, not a graph of parent, child and sibling relationships, and it carries no colour coding by legitimacy or any CPU usage data.
NEW QUESTION # 55
From a detection, what is the fastest way to see children and sibling process information?
- A. Select the Process Timeline feature, enter the AID, Target Process ID, and Parent Process ID
- B. Right-click the process and select "Follow Process Chain"
- C. Select the Event Search option, then from the Event Actions select Show Associated Event Data (from TargetProcessId_decimal)
- D. Select Full Detection Details from the detection
Answer: D
Explanation:
Full Detection Details, opened straight from the detection, shows the processes involved as a process tree (the process explorer) alongside the detection's ID, severity, tactic, technique and description. Expanding a node reveals its children, and the other nodes under the same parent are its siblings. A Process Timeline or Event Search can reach the same information, but only after you have looked up and entered the process identifiers, which makes them slower.
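Questions 37, 42, 46 and 55 all turn on the same two things the console does for you: joining activity events to their process by process ID, and arranging ProcessRollup2 events into a parent/child tree. Reproducing that join over raw events makes clear why Full Detection Details is the fastest route to children and siblings and what the exportable Process Activity listing contains. The following is an added example written for this page, not CrowdStrike's code. The events are constructed; the TargetProcessId_decimal and ContextProcessId_decimal names are the ones quoted on this page, while the other event and field names (ProcessRollup2, DnsRequest, NetworkConnectIP4, RegGenericValueUpdate, FileName, CommandLine, DomainName, RemoteAddressIP4, RemotePort, RegObjectName) are assumed for illustration and not an authoritative schema.

```python
"""Added example (editor's illustration, not CrowdStrike's code): rebuild the
process tree that Full Detection Details draws, list a process's children and
siblings, and emit a Process Activity style CSV of the events tied to a process
through TargetProcessId_decimal / ContextProcessId_decimal."""
import csv
import io

# Constructed sample events for one sensor (aid "a1"). TargetProcessId_decimal and
# ContextProcessId_decimal are the field names this page quotes; the remaining
# event and field names are assumed for illustration, not an authoritative schema.
EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "timestamp": 1,
     "TargetProcessId_decimal": "100", "ParentProcessId_decimal": "1",
     "FileName": "explorer.exe", "CommandLine": "explorer.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "timestamp": 2,
     "TargetProcessId_decimal": "200", "ParentProcessId_decimal": "100",
     "FileName": "winword.exe", "CommandLine": "winword.exe invoice.docm"},
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "timestamp": 3,
     "TargetProcessId_decimal": "300", "ParentProcessId_decimal": "200",
     "FileName": "powershell.exe", "CommandLine": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "timestamp": 4,
     "TargetProcessId_decimal": "301", "ParentProcessId_decimal": "200",
     "FileName": "cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"event_simpleName": "DnsRequest", "aid": "a1", "timestamp": 5,
     "ContextProcessId_decimal": "300", "DomainName": "cdn.example.test"},
    {"event_simpleName": "NetworkConnectIP4", "aid": "a1", "timestamp": 6,
     "ContextProcessId_decimal": "300", "RemoteAddressIP4": "203.0.113.7", "RemotePort": "443"},
    {"event_simpleName": "RegGenericValueUpdate", "aid": "a1", "timestamp": 7,
     "ContextProcessId_decimal": "300",
     "RegObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"event_simpleName": "DnsRequest", "aid": "a1", "timestamp": 8,
     "ContextProcessId_decimal": "301", "DomainName": "wpad.example.test"},
]


def process_tree(events, aid):
    """Map TargetProcessId -> {filename, cmdline, parent, children} for one aid."""
    tree = {}
    for e in events:
        if e["aid"] == aid and e["event_simpleName"] == "ProcessRollup2":
            tree[e["TargetProcessId_decimal"]] = {
                "filename": e["FileName"], "cmdline": e["CommandLine"],
                "parent": e["ParentProcessId_decimal"], "children": []}
    for pid, node in tree.items():
        if node["parent"] in tree:  # parent may predate the sensor's view
            tree[node["parent"]]["children"].append(pid)
    return tree


def children_and_siblings(events, aid, pid):
    """Children of pid and its siblings (same parent, different pid): what the
    process tree view shows when you expand a node."""
    tree = process_tree(events, aid)
    node = tree[pid]
    children = sorted(node["children"])
    parent = tree.get(node["parent"])
    siblings = sorted(p for p in parent["children"] if p != pid) if parent else []
    return children, siblings


def process_activity(events, aid, pid):
    """Rows-and-columns listing of the non-process events whose ContextProcessId
    is pid, i.e. the join 'Show Associated Event Data' performs."""
    rows = []
    for e in sorted(events, key=lambda e: e["timestamp"]):
        if e["aid"] != aid or e.get("ContextProcessId_decimal") != pid:
            continue
        detail = (e.get("DomainName") or e.get("RegObjectName")
                  or f'{e.get("RemoteAddressIP4")}:{e.get("RemotePort")}')
        rows.append({"timestamp": e["timestamp"], "event": e["event_simpleName"], "detail": detail})
    return rows


def activity_csv(rows):
    """Exportable text form of the activity view (the CSV export in question 37)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["timestamp", "event", "detail"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print("children, siblings of 300:", children_and_siblings(EVENTS, "a1", "300"))
    print(activity_csv(process_activity(EVENTS, "a1", "300")))
```

Note that the tree is keyed on the sensor's TargetProcessId, not the OS PID, so a PID reused after a process exits does not collapse two processes into one node; and the activity rows come from ContextProcessId, which is why the console's associated-event action offers both fields.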
NEW QUESTION # 56
The primary purpose for running a Hash Search is to:
- A. determine the origin of the detection
- B. determine any network connections
- C. review the processes involved with a detection
- D. review information surrounding a hash's related activity
Answer: D
Explanation:
A Hash Search takes one or more SHA256 hashes and returns a summary of the Falcon events that contain them: the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line and organizational unit of each host that loaded or executed the file, plus a count of related detections and incidents. Its purpose is to review the activity surrounding a hash, which hosts and processes were involved, where they were, and whether they raised alerts. The origin of a detection, its network connections and the processes involved in it are answered by the detection's own views, not by a Hash Search.