CCFR-201 Free Practice Test

In the Hash Search tool, which of the following is listed under Process Executions?

1. A. Operating System
2. B. File Signature
3. C. Command Line
4. D. Sensor Version

Correct Answer: C
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes1. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that loaded or executed those hashes1. You can also see a count of detections and incidents related to those hashes1. Under Process Executions, you can see the process name and command line for each hash execution1.

What action is used when you want to save a prevention hash for later use?

1. A. Always Block
2. B. Never Block
3. C. Always Allow
4. D. No Action

Correct Answer: A
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the Always Block action allows you to block a file from executing on any host in your organization based on its hash value2. This action can be used to prevent known malicious files from running on your endpoints2.

The Bulk Domain Search tool contains Domain information along with which of the following?

1. A. Process Information
2. B. Port Information
3. C. IP Lookup Information
4. D. Threat Actor Information

Correct Answer: C
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Bulk Domain Search tool allows you to search for one or more domains and view a summary of information from Falcon events that contain those domains1. The summary includes the domain name, IP address, country, city, ISP, ASN, geolocation, hostname, sensor ID, OS, process name, command line, and organizational unit of the host that communicated with those domains1. This means that the tool contains domain information along with IP lookup information1.

How long does detection data remain in the CrowdStrike Cloud before purging begins?

1. A. 90 Days
2. B. 45 Days
3. C. 30 Days
4. D. 14 Days

Correct Answer: A
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, detection data is stored in the CrowdStrike Cloud for 90 days before purging begins2. This means that you can access and view detections from the past 90 days using the Falcon platform or API2. If you want to retain detection data for longer than 90 days, you can use FDR to replicate it to your own storage system2.

Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?

1. A. You can't export detailed event data from a detection, you have to use the Process Timeline or an Event Search
2. B. In Full Detection Details, you expand the nodes of the process tree you wish to expand and then click the "Export Process Events" button
3. C. In Full Detection Details, you choose the "View Process Activity" option and then export from that view
4. D. From the Detections Dashboard, you right-click the event type you wish to export and choose CS
5. E. JSON or XML

Correct Answer: C
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, there are three ways to export process event data from a detection in .CSV format1:
✑ You can use the Process Timeline tool and click on ??Export CSV?? button at the top right corner1.
✑ You can use the Event Search tool and select one or more events and click on ??Export CSV?? button at the top right corner1.
✑ You can use the Full Detection Details tool and choose the ??View Process Activity?? option from any process node in the process tree view1. This will show you all events generated bythat process in a rows-and-columns style view1. You can then click on ??Export CSV?? button at the top right corner1.