
[2025年04月]更新のCCFR-201問題集完全版解答でCrowdStrike CCFR試験学習ガイド
試験問題と解答CCFR-201学習ガイド
質問 # 23
What is the difference between a Host Search and a Host Timeline?
- A. Results from a Host Timeline include process executions and related events organized by data type. A Host Search returns a temporal view of all events for the given host
- B. There is no difference - Host Search and Host Timeline are different names for the same search page
- C. A Host Timeline only includes process execution events and user account activity
- D. Results from a Host Search return information in an organized view by type, while a Host Timeline returns a view of all events recorded by the sensor
正解:D
解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Host Search allows you to search for hosts based on various criteria, such as hostname, IP address, OS, etc1. The results are displayed in an organized view by type, such as detections, incidents, processes, network connections, etc1. The Host Timeline allows you to view all events recorded by the sensor for a given host in a chronological order1. The events include process executions, file writes, registry modifications, network connections, user logins, etc1.
質問 # 24
When reviewing a Host Timeline, which of the following filters is available?
- A. User Name
- B. Event Types
- C. Detection ID
- D. Severity
正解:B
解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Host Timeline tool allows you to view all events recorded by the sensor for a given host in a chronological order1. The events include process executions, file writes, registry modifications, network connections, user logins, etc1. You can use various filters to narrow down the events based on criteria such as event type, timestamp range, file name, registry key, network destination, etc1. However, there is no filter for severity, user name, or detection ID, as these are not attributes of the events1.
質問 # 25
When looking at the details of a detection, there are two fields called Global Prevalence and Local Prevalence.
Which answer best defines Local Prevalence?
- A. Local prevalence is the frequency with which the hash of the triggering file is seen across all CrowdStrike customer environments
- B. Local Prevalence tells you how common the hash of the triggering file is within your environment (CID)
- C. Local prevalence is the frequency with which the hash of the triggering file is seen across the entire Internet
- D. Local Prevalence is the Virus Total score for the hash of the triggering file
正解:B
解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Global Prevalence and Local Prevalence are two fields that provide information about how common or rare a file is based on its hash value2. Global Prevalence tells you how frequently the hash of the triggering file is seen across all CrowdStrike customer environments2. Local Prevalence tells you how frequently the hash of the triggering file is seen within your environment (CID)2. These fields can help you assess the risk and impact of a detection2.
質問 # 26
What information does the MITRE ATT&CKFramework provide?
- A. It provides best practices for different cybersecurity domains, such as Identify and Access Management
- B. It is a system that attributes an attack techniques to a specific threat actor
- C. It provides a step-by-step cyber incident response strategy
- D. It provides the phases of an adversary's lifecycle, the platforms they are known to attack, and the specific methods they use
正解:D
解説:
Explanation
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. The knowledge base also covers different platforms that adversaries target, such as Windows, Linux, Mac, Android, iOS, etc., and different phases of an adversary's lifecycle, such as reconnaissance, resource development, execution, command and control, etc.
質問 # 27
What types of events are returned by a Process Timeline?
- A. Only process events
- B. All cloudable events
- C. Only network events
- D. Only detection events
正解:B
解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline search returns all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc1. This allows you to see a comprehensive view of what a process was doing on a host1.
質問 # 28
What is an advantage of using the IP Search tool?
- A. IP searches offer shortcuts to launch response actions and network containment on target hosts
- B. IP searches allow for multiple comma separated IPv6 addresses as input
- C. IP searches provide manufacture and timezone data that can not be accessed anywhere else
- D. IP searches provide host, process, and organizational unit data without the need to write a query
正解:D
解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the IP Search tool allows you to search for an IP address and view a summary of information from Falcon events that contain that IP address1. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that communicated with that IP address1. This is an advantage of using the IP Search tool because it provides host, process, and organizational unit data without the need to write a query1.
質問 # 29
What happens when a hash is allowlisted?
- A. Execution is allowed on all hosts that fall under the organization's CID
- B. Execution is prevented, but detection alerts are suppressed
- C. The hash is submitted for approval to be allowed to execute once confirmed by Falcon specialists
- D. Execution is allowed on all hosts, including all other Falcon customers
正解:A
解説:
Explanation
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the allowlist feature allows you to exclude files or directories from being scanned or blocked by CrowdStrike's machine learning engine or indicators of attack (IOAs)2. This can reduce false positives and improve performance2. When you allowlist a hash, you are allowing that file to execute on any host that belongs to your organization's CID (customer ID)2. This does not affect other Falcon customers or hosts outside your CID2.
質問 # 30
You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the following?
- A. UTCtime
- B. PID
- C. Process ID or Parent Process ID
- D. ProcessTimeline Link
正解:C
解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc1. The tool requires two parameters: aid (agent ID) and TargetProcessId_decimal (the decimal value of the process ID)1. You can jump to a Process Timeline from many views, such as Hash Search, Host Timeline, Event Search, etc., by clicking on either the Process ID or Parent Process ID fields in those views1. This will automatically populate the aid and TargetProcessId_decimal parameters for the Process Timeline tool1.
質問 # 31
What do IOA exclusions help you achieve?
- A. Reduce false positives of behavioral detections from Custom IOA and OverWatch detections only
- B. Reduce false positives of behavioral detections from IOA based detections only
- C. Reduce false positives based on Next-Gen Antivirus settings in the Prevention Policy
- D. Reduce false positives of behavioral detections from IOA based detections based on a file hash
正解:B
解説:
Explanation
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike's indicators of attack (IOAs), which are behavioral rules that identify malicious activities2. This can reduce false positives and improve performance2. IOA exclusions only apply to IOA based detections, not other types of detections such as machine learning, custom IOA, or OverWatch2.
質問 # 32
You receive an email from a third-party vendor that one of their services is compromised,thevendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?
- A. Remote Access Graph
- B. Hash Executions
- C. IP Addresses
- D. Remote or Network Logon Activity
正解:C
解説:
Explanation
According to the [CrowdStrike website], the Discover page is where you can search for and analyze various types of indicators of compromise (IOCs), such as hashes, IP addresses, or domains that are associated with malicious activities. You can use various tools, such as Hash Executions, IP Addresses, Remote or Network Logon Activity, etc., to perform different types of searches and view the results in different ways. If you want to search for any activity related to an IP address that was compromised by a third-party vendor, you can use the IP Addresses tool to do so. You can input the IP address and see a summary of information from Falcon events that contain that IP address, such as hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that communicated with that IP address.
質問 # 33
Aside from a Process Timeline or Event Search, how do you export process event data from a detection in
.CSV format?
- A. You can't export detailed event data from a detection, you have to use the Process Timeline or an Event Search
- B. In Full Detection Details, you expand the nodes of the process tree you wish to expand and then click the "Export Process Events" button
- C. From the Detections Dashboard, you right-click the event type you wish to export and choose CSV.JSON or XML
- D. In Full Detection Details, you choose the "View Process Activity" option and then export from that view
正解:D
解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, there are three ways to export process event data from a detection in .CSV format1:
You can use the Process Timeline tool and click on "Export CSV" button at the top right corner1.
You can use the Event Search tool and select one or more events and click on "Export CSV" button at the top right corner1.
You can use the Full Detection Details tool and choose the "View Process Activity" option from any process node in the process tree view1. This will show you all events generated bythat process in a rows-and-columns style view1. You can then click on "Export CSV" button at the top right corner1.
質問 # 34
From a detection, what is the fastest way to see children and sibling process information?
- A. Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessld_decimal)
- B. Right-click the process and select "Follow Process Chain"
- C. Select Full Detection Details from the detection
- D. Select the Process Timeline feature, enter the AID. Target Process ID, and Parent Process ID
正解:C
解説:
Explanation
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, the Full Detection Details tool allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc1. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity1. The process tree view provides a graphical representation of the process hierarchy and activity1. You can see children and sibling processes information by expanding or collapsing nodes in the tree1.
質問 # 35
How long are quarantined files stored on the host?
- A. Quarantined files are never deleted from the host
- B. 90 Days
- C. 45 Days
- D. 30 Days
正解:A
解説:
Explanation
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, quarantined files are never deleted from the host unless you manually delete them or release them from quarantine2. When you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization2. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud2.
質問 # 36
Which of the following is an example of a MITRE ATT&CK tactic?
- A. Eternal Blue
- B. Emotet
- C. Phishing
- D. Defense Evasion
正解:D
解説:
Explanation
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Defense Evasion is one of the tactics defined by MITRE ATT&CK, which covers actions that adversaries take to avoid detection or prevent security controls from blocking their activities. Eternal Blue, Emotet, and Phishing are examples of techniques, not tactics.
質問 # 37
What does the Full Detection Details option provide?
- A. It provides a detailed list of detection events via the Process Tree View
- B. It provides a visualization of program ancestry via the Process Tree View
- C. It provides detailed list of detection events via the Process Table View
- D. It provides a visualization of program ancestry via the Process Activity View
正解:B
解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Full Detection Details option allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc1. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity1. The process tree view provides a visualization of program ancestry, which shows the parent-child and sibling relationships among the processes1. You can also see the event types and timestamps for each process1.
質問 # 38
What are Event Actions?
- A. Custom event data queries bookmarked by the currently signed in Falcon user
- B. Pivotable hyperlinks available in a Host Search
- C. Raw Falcon event data
- D. Automated searches that can be used to pivot between related events and searches
正解:D
解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Event Actions are automated searches that can be used to pivot between related events and searches1. They are available in various tools, such as Event Search, Process Timeline, Host Timeline, etc1. You can select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events, etc1. These actions can help you investigate and analyze events more efficiently and effectively1.
質問 # 39
What is the difference between Managed and Unmanaged Neighbors in the Falcon console?
- A. An unmanaged neighbor is in a segmented area of the network
- B. A managed sensor has an active prevention policy
- C. A managed neighbor has an installed and provisioned sensor
- D. A managed neighbor is currently network contained and an unmanaged neighbor is uncontained
正解:C
解説:
Explanation
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, you can use the Hosts page in the Investigate tool to view information about your endpoints, such as hostname, IP address, OS, sensor version, etc2. You can also see a list of managed and unmanaged neighbors for each endpoint, which are other devices that have communicated with that endpoint over the network2. A managed neighbor is a device that has an installed and provisioned sensor that reports to the CrowdStrike Cloud2. An unmanaged neighbor is a device that does not have an installed or provisioned sensor2.
質問 # 40
What happens when you open the full detection details?
- A. The process explorer opens and the detection copies to the clipboard
- B. The process explorer opens and the Event Search query is run for the detection
- C. Theprocess explorer opens and the detection is removed from the console
- D. The process explorer opens and you're able to view the processes and process relationships
正解:D
解説:
Explanation
According to the [CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide], when you open the full detection details from a detection alert or dashboard item, you are taken to a page where you can view detailed information about the detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process tree view is also known as the process explorer, which provides a graphical representation of the process hierarchy and activity. You can view the processes and process relationships by expanding or collapsing nodes in the tree. You can also see the event types and timestamps for each process.
質問 # 41
What does pivoting to an Event Search from a detection do?
- A. It takes you to a Process Timeline for that detection so you can see all related events
- B. It takes you to the raw Insight event data and provides you with a number of Event Actions
- C. It allows you to input an event type, such as DNS Request or ASEP write, and search for those events within the detection
- D. It gives you the ability to search for similar events on other endpoints quickly
正解:B
解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, pivoting to an Event Search from a detection takes you to the raw Insight event data and provides you with a number of Event Actions1. Insight events are low-level events that are generated by the sensor for various activities, such as process executions, file writes, registry modifications, network connections, etc1. You can view these events in a table format and use various filters and fields to narrow down the results1. You can also select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events, etc1. These actions can help you investigate and analyze events more efficiently and effectively1.
質問 # 42
Where are quarantined files stored on Windows hosts?
- A. Windows\Quarantine
- B. Windows\System32\Drivers\CrowdStrike\Quarantine
- C. Windows\System32\
- D. Windows\temp\Drivers\CrowdStrike\Quarantine
正解:B
解説:
Explanation
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, when you quarantine a file from a host using IOC Management or Real Time Response (RTR), you are moving it from its original location to a secure location on the host where it cannot be executed2. The file is also encrypted and renamed with a random string of characters2. On Windows hosts, quarantined files are stored in C:\Windows\System32\Drivers\CrowdStrike\Quarantine folder2.
質問 # 43
When examining a raw DNS request event, you see a field called ContextProcessld_decimal. What is the purpose of that field?
- A. It contains the TargetProcessld_decimal value for the process that made the DNS request
- B. It contains the TargetProcessld_decimal value for other related events
- C. It contains an internal value not useful for an investigation
- D. It contains the ContextProcessld_decimal value for the parent process that made the DNS request
正解:A
解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ContextProcessld_decimal field contains the decimal value of the process ID of the process that generated the event1. This field can be used to trace the process lineage and identify malicious or suspicious activities1. For a DNS request event, this field indicates which process made the DNS request1.
質問 # 44
Sensor Visibility Exclusion patterns are written in which syntax?
- A. Kleene Star Syntax
- B. RegEx
- C. Glob Syntax
- D. SPL(Splunk)
正解:C
解説:
Explanation
According to the [CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide], Sensor Visibility Exclusions allow you to exclude files or directories from being monitored by the sensor. This can reduce the amount of data sent to the CrowdStrike Cloud and improve performance. Sensor Visibility Exclusion patterns are written in Glob Syntax, which is a simple pattern matching syntax that supports wildcards, such as *, ?, and . For example, you can use *.exe to exclude all files with .exe extension.
質問 # 45
When you configure and apply an IOA exclusion, what impact does it have on the host and what you see in the console?
- A. The associated IOA will still generate a detection but the associated process would have been allowed to run
- B. The associated detection will be suppressed and the associated process would have been allowed to run
- C. The sensor will stop sending events from the process specified in the regex pattern
- D. The process specified is not sent to the Falcon Sandbox for analysis
正解:B
解説:
Explanation
According to the CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike's indicators of attack (IOAs), which are behavioral rules that identify malicious activities1. This can reduce false positives and improve performance1. When you configure and apply an IOA exclusion, the impact is that the associated detection will be suppressed and theassociated process would have been allowed to run1. This means that you will not see any alerts or events related to that IOA in the console1.
質問 # 46
Which Executive Summary dashboard item indicates sensors running with unsupported versions?
- A. Sensors in RFM
- B. Active Sensors
- C. Detections by Severity
- D. Inactive Sensors
正解:A
解説:
Explanation
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Executive Summary dashboard provides an overview of your sensor health and activity1. It includes various items, such as Active Sensors, Inactive Sensors, Detections by Severity, etc1. The item that indicates sensors running with unsupported versions is Sensors in RFM (Reduced Functionality Mode)1. RFM is a state where a sensor has limited functionality due to various reasons, such as license expiration, network issues, tampering attempts, or unsupported versions1. You can see the number and percentage of sensors in RFM and the reasons why they are in RFM1.
質問 # 47
......
CrowdStrike Certified Falcon Responder無料で更新される100%試験高合格率保証:https://jp.fast2test.com/CCFR-201-premium-file.html