Free CCFR-201 Exam Dumps

Question 11

What does pivoting to an Event Search from a detection do?

A. It gives you the ability to search for similar events on other endpoints quickly
B. It takes you to the raw Insight event data and provides you with a number of Event Actions
C. It takes you to a Process Timeline for that detection so you can see all related events
D. It allows you to input an event type, such as DNS Request or ASEP write, and search for those events within the detection

Correct Answer:B
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, pivoting to an Event Search from a detection takes you to the raw Insight event data and provides you with a number of Event Actions1. Insight events are low-level events that are generated by the sensor for various activities, such as process executions, file writes, registry modifications, network connections, etc1. You can view these events in a table format and use various filters and fields to narrow down the results1. You can also select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10- minute window of events, etc1. These actions can help you investigate and analyze events more efficiently and effectively1.

Question 12

Which of the following is an example of a MITRE ATT&CK tactic?

A. Eternal Blue
B. Defense Evasion
C. Emotet
D. Phishing

Correct Answer:B
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Defense Evasion is one of the tactics defined by MITRE ATT&CK, which covers actions that adversaries take to avoid detection or prevent security controls from blocking their activities. Eternal Blue, Emotet, and Phishing are examples of techniques, not tactics.

Question 13

In the Hash Search tool, which of the following is listed under Process Executions?

A. Operating System
B. File Signature
C. Command Line
D. Sensor Version

Correct Answer:C
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes1. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that loaded or executed those hashes1. You can also see a count of detections and incidents related to those hashes1. Under Process Executions, you can see the process name and command line for each hash execution1.

Question 14

What is an advantage of using the IP Search tool?

A. IP searches provide manufacture and timezone data that can not be accessed anywhere else
B. IP searches allow for multiple comma separated IPv6 addresses as input
C. IP searches offer shortcuts to launch response actions and network containment on target hosts
D. IP searches provide host, process, and organizational unit data without the need to write a query

Correct Answer:D
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the IP Search tool allows you to search for an IP address and view a summary of information from Falcon events that contain that IP address1. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that communicated with that IP address1. This is an advantage of using the IP Search tool because it provides host, process, and organizational unit data without the need to write a query1.

Question 15

Within the MITRE-Based Falcon Detections Framework, what is the correct way to interpret Keep Access > Persistence > Create Account?

A. An adversary is trying to keep access through persistence by creating an account
B. An adversary is trying to keep access through persistence using browser extensions
C. An adversary is trying to keep access through persistence using external remote services
D. adversary is trying to keep access through persistence using application skimming

Correct Answer:A
According to the [CrowdStrike website], the MITRE-Based Falcon Detections Framework is a way of categorizing and describing detections based on the MITRE ATT&CK knowledge base ofadversary behaviors and techniques. The framework uses three levels of granularity: category, tactic, and technique. The category is the highest level and represents the main objective of an adversary, such as initial access, execution, credential access, etc. The tactic is the second level and represents the sub-objective of an adversary within a category, such as persistence, privilege escalation, defense evasion, etc. The technique is the lowest level and represents the specific way an adversary can achieve a tactic, such as create account, modify registry, obfuscated files or information, etc. Therefore, the correct way to interpret Keep Access > Persistence > Create Account is that an adversary is trying to keep access through persistence by creating an account.