How long are quarantined files stored on the host?
Correct Answer: C
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, quarantined files are never deleted from the host unless you manually delete them or release them from quarantine. When you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.
The primary purpose for running a Hash Search is to:
Correct Answer: D
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that loaded or executed those hashes. You can also see a count of detections and incidents related to those hashes. The primary purpose for running a Hash Search is to review information surrounding a hash's related activity, such as which hosts and processes were involved, where they were located, and whether they triggered any alerts.
When reviewing a Host Timeline, which of the following filters is available?
Correct Answer: B
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Host Timeline tool allows you to view all events recorded by the sensor for a given host in chronological order. The events include process executions, file writes, registry modifications, network connections, user logins, etc. You can use various filters to narrow down the events based on criteria such as event type, timestamp range, file name, registry key, network destination, etc. However, there is no filter for severity, user name, or detection ID, as these are not attributes of the events.
After running an Event Search, you can select many Event Actions depending on your results. Which of the following is NOT an option for any Event Action?
Correct Answer: A
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Event Search tool allows you to search for events based on various criteria, such as event type, timestamp, hostname, IP address, etc. You can also select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events, etc. However, there is no option to draw a process explorer, which is a graphical representation of the process hierarchy and activity.
Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?
Correct Answer: C
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, there are three ways to export process event data from a detection in .CSV format:
✑ You can use the Process Timeline tool and click the "Export CSV" button at the top right corner.
✑ You can use the Event Search tool, select one or more events, and click the "Export CSV" button at the top right corner.
✑ You can use the Full Detection Details tool and choose the "View Process Activity" option from any process node in the process tree view. This will show you all events generated by that process in a rows-and-columns style view. You can then click the "Export CSV" button at the top right corner.