リリースCrowdStrike CCFR-201更新された問題PDF [Q10-Q27]

Share

リリースCrowdStrike CCFR-201更新された問題PDF

CCFR-201問題集と練習テスト(63試験問題)

質問 # 10
Which option indicates a hash is allowlisted?

  • A. No Action
  • B. Allow
  • C. Ignore
  • D. Always Block

正解:B

解説:
Explanation
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the allowlist feature allows you to exclude files or directories from being scanned or blocked by CrowdStrike's machine learning engine or indicators of attack (IOAs)2. This can reduce false positives and improve performance2. When you allowlist a hash, you are allowing that file to execute on any host that belongs to your organization's CID (customer ID)2. The option to indicate that a hash is allowlisted is "Allow"2.


質問 # 11
Aside from a Process Timeline or Event Search, how do you export process event data from a detection in
.CSV format?

  • A. From the Detections Dashboard, you right-click the event type you wish to export and choose CSV.JSON or XML
  • B. In Full Detection Details, you choose the "View Process Activity" option and then export from that view
  • C. In Full Detection Details, you expand the nodes of the process tree you wish to expand and then click the "Export Process Events" button
  • D. You can't export detailed event data from a detection, you have to use the Process Timeline or an Event Search

正解:B

解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, there are three ways to export process event data from a detection in .CSV format1:
You can use the Process Timeline tool and click on "Export CSV" button at the top right corner1.
You can use the Event Search tool and select one or more events and click on "Export CSV" button at the top right corner1.
You can use the Full Detection Details tool and choose the "View Process Activity" option from any process node in the process tree view1. This will show you all events generated bythat process in a rows-and-columns style view1. You can then click on "Export CSV" button at the top right corner1.


質問 # 12
What information does the MITRE ATT&CKFramework provide?

  • A. It provides best practices for different cybersecurity domains, such as Identify and Access Management
  • B. It provides the phases of an adversary's lifecycle, the platforms they are known to attack, and the specific methods they use
  • C. It is a system that attributes an attack techniques to a specific threat actor
  • D. It provides a step-by-step cyber incident response strategy

正解:B

解説:
Explanation
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. The knowledge base also covers different platforms that adversaries target, such as Windows, Linux, Mac, Android, iOS, etc., and different phases of an adversary's lifecycle, such as reconnaissance, resource development, execution, command and control, etc.


質問 # 13
You are notified by a third-party that a program may have redirected traffic to a malicious domain. Which Falcon page will assist you in searching for any domain request information related to this notice?

  • A. Falcon X
  • B. Spotlight
  • C. Investigate
  • D. Discover

正解:C

解説:
Explanation
According to the [CrowdStrike website], the Investigate page is where you can search for and analyze various types of data collected by the Falcon platform, such as events, hosts, processes, hashes, domains, IPs, etc1. You can use various tools, such as Event Search, Host Search, Process Timeline, Hash Search, Bulk Domain Search, etc., to perform different types of searches and view the results in different ways1. If you want to search for any domain request information related to a notice from a third-party, you can use the Investigate page to do so1. For example, you can use the Bulk Domain Search tool to search for the malicious domain and see which hosts and processes communicated with it1. You can also use the Event Search tool to search for DNSRequest events that contain the malicious domain and see more details about the query and response1.


質問 # 14
Which statement is TRUE regarding the "Bulk Domains" search?

  • A. The "Bulk Domains" search will show IP address and port information for any associated connectionsD.You should only pivot to the "Bulk Domains" search tool after completing an investigation
  • B. The "Bulk Domains" search will allow you to blocklist your queried domains
  • C. It will show a list of computers and process that performed a lookup of any of the domains in your search

正解:C

解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Bulk Domain Search tool allows you to search for one or more domains and view a summary of information from Falcon events that contain those domains2. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that performed a lookup of any of the domains in your search2. This can help you identify potential threats or vulnerabilities in your network2.


質問 # 15
How does a DNSRequest event link to its responsible process?

  • A. Via both its ContextProcessld__decimal and ParentProcessld_decimal fields
  • B. Via its TargetProcessld_decimal field
  • C. Via its ContextProcessld_decimal field
  • D. Via its ParentProcessld_decimal field

正解:C

解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, a DNSRequest event contains information about a DNS query made by a process2. The event has several fields, such as DomainName, QueryType, QueryResponseCode, etc2. The field that links a DNSRequest event to its responsible process is ContextProcessId_decimal, which contains the decimal value of the process ID of the process that generated the event2. You can use this field to trace the process lineage and identify malicious or suspicious activities2.


質問 # 16
When examining raw event data, what is the purpose of the field called ParentProcessld_decimal?

  • A. It contains the TargetProcessld_decimal value of the child process
  • B. It contains an internal value not useful for an investigation
  • C. It contains the Sensorld_decimal value for related events
  • D. It contains the TargetProcessld_decimal of the parent process

正解:D

解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ParentProcessld_decimal field contains the decimal value of the process ID of the parent process that spawned or injected into the target process1. This field can be used to trace the process lineage and identify malicious or suspicious activities1.


質問 # 17
The Falcon platform will show a maximum of how many detections per day for a single Agent Identifier (AID)?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

正解:A

解説:
Explanation
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Falcon platform will show a maximum of 1000 detections per day for a single AID1. This is a limitimposed by the Falcon API, which is used to retrieve the detections from the CrowdStrike Cloud1. If there are more than 1000 detections per day for a single AID, only the first 1000 will be shown1.


質問 # 18
What happens when you open the full detection details?

  • A. The process explorer opens and you're able to view the processes and process relationships
  • B. The process explorer opens and the detection copies to the clipboard
  • C. Theprocess explorer opens and the detection is removed from the console
  • D. The process explorer opens and the Event Search query is run for the detection

正解:A

解説:
Explanation
According to the [CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide], when you open the full detection details from a detection alert or dashboard item, you are taken to a page where you can view detailed information about the detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process tree view is also known as the process explorer, which provides a graphical representation of the process hierarchy and activity. You can view the processes and process relationships by expanding or collapsing nodes in the tree. You can also see the event types and timestamps for each process.


質問 # 19
When examining a raw DNS request event, you see a field called ContextProcessld_decimal. What is the purpose of that field?

  • A. It contains the TargetProcessld_decimal value for other related events
  • B. It contains the ContextProcessld_decimal value for the parent process that made the DNS request
  • C. It contains an internal value not useful for an investigation
  • D. It contains the TargetProcessld_decimal value for the process that made the DNS request

正解:D

解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ContextProcessld_decimal field contains the decimal value of the process ID of the process that generated the event1. This field can be used to trace the process lineage and identify malicious or suspicious activities1. For a DNS request event, this field indicates which process made the DNS request1.


質問 # 20
Which is TRUE regarding a file released from quarantine?

  • A. It will not generate future machine learning detections on the associated host
  • B. No executions are allowed for 14 days after release
  • C. It is allowed to execute on all hosts
  • D. It is deleted

正解:C

解説:
Explanation
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization2. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud2.


質問 # 21
Which is TRUE regarding a file released from quarantine?

  • A. It will not generate future machine learning detections on the associated host
  • B. No executions are allowed for 14 days after release
  • C. It is allowed to execute on all hosts
  • D. It is deleted

正解:C

解説:
Explanation
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization2. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud2.


質問 # 22
When you configure and apply an IOA exclusion, what impact does it have on the host and what you see in the console?

  • A. The process specified is not sent to the Falcon Sandbox for analysis
  • B. The sensor will stop sending events from the process specified in the regex pattern
  • C. The associated detection will be suppressed and the associated process would have been allowed to run
  • D. The associated IOA will still generate a detection but the associated process would have been allowed to run

正解:C

解説:
Explanation
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike's indicators of attack (IOAs), which are behavioral rules that identify malicious activities1. This can reduce false positives and improve performance1. When you configure and apply an IOA exclusion, the impact is that the associated detection will be suppressed and theassociated process would have been allowed to run1. This means that you will not see any alerts or events related to that IOA in the console1.


質問 # 23
How long are quarantined files stored in the CrowdStrike Cloud?

  • A. 90 Days
  • B. 45 Days
  • C. Days
  • D. Quarantined files are not deleted

正解:A

解説:
Explanation
According to the [CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide], when you quarantine a file from a host using IOC Management or Real Time Response (RTR), you are moving it from its original location to a secure location on the host where it cannot be executed. The file is also encrypted and renamed with a random string of characters. A copy of the file is also uploaded to the CrowdStrike Cloud for further analysis. Quarantined files are stored in the CrowdStrike Cloud for 90 days before they are deleted.


質問 # 24
How are processes on the same plane ordered (bottom 'VMTOOLSD.EXE' to top CMD.EXE')?

  • A. Time started (Descending, most recent on bottom)
  • B. Process ID (Ascending, highest on top)
  • C. Process ID (Descending, highest on bottom)
  • D. Time started (Ascending, most recent on top)

正解:A

解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the process tree view provides a visualization of program ancestry, which shows the parent-child and sibling relationships among the processes1. You can also see the event types and timestamps for each process1. The processes on the same plane are ordered by time started in descending order, meaning that the most recent process is at the bottom and the oldest process is at the top1. For example, in the image you sent me, CMD.EXE is the oldest process and VMTOOLSD.EXE is the most recent process on that plane1.


質問 # 25
What happens when you create a Sensor Visibility Exclusion for a trusted file path?

  • A. It excludes sensor monitoring and event collection for the trusted file path
  • B. It excludes host information from Detections and Incidents generated within that file path location
  • C. It disables detection generation from that path, however the sensor can still perform prevention actions
  • D. It prevents file uploads to the CrowdStrike cloud from that file path

正解:A

解説:
Explanation
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, Sensor Visibility Exclusions allow you to exclude certain files or directories from being monitored by the CrowdStrike sensor, which can reduce noise and improve performance2. This means that no events will be collected or sent to the CrowdStrike Cloud for those files or directories2.


質問 # 26
You notice that taskeng.exe is one of the processes involved in a detection. What activity should you investigate next?

  • A. User logons after the detection
  • B. Scheduled tasks registered prior to the detection
  • C. Executions of schtasks.exe after the detection
  • D. Pivot to a Hash search for taskeng.exe

正解:B

解説:
Explanation
According to the [Microsoft website], taskeng.exe is a legitimate Windows process that is responsible for running scheduled tasks. However, some malware may use this process or create a fake one to execute malicious code. Therefore, if you notice taskeng.exe involved in a detection, you should investigate whether there are any scheduled tasks registered prior to the detection that may have triggered or injected into taskeng.exe. You can use tools such as schtasks.exe or Task Scheduler to view or manage scheduled tasks.


質問 # 27
......

CCFR-201試験問題集合格させるのは更新されたのは2024年年最新の認証済み試験問題:https://jp.fast2test.com/CCFR-201-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어