
CrowdStrike CCFR-201 Exam Actual Questions

The questions for CCFR-201 were last updated on Oct 2, 2024.
Question No. 2

Which of the following is NOT a valid event type?

Correct Answer: B

According to the [CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+], event types are categories of events that the sensor generates for activities such as process executions, file writes, registry modifications, and network connections. There are many valid event types, such as StartOfProcess, ProcessRollup2, and DnsRequest. However, EndOfProcess is not a valid event type, as there is no such event that records the end of a process.


Question No. 3

Sensor Visibility Exclusion patterns are written in which syntax?

Correct Answer: A

According to the [CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide], Sensor Visibility Exclusions allow you to exclude files or directories from being monitored by the sensor. This can reduce the amount of data sent to the CrowdStrike Cloud and improve performance. Sensor Visibility Exclusion patterns are written in Glob Syntax, which is a simple pattern matching syntax that supports wildcards, such as *, ?, and . For example, you can use *.exe to exclude all files with the .exe extension.


Question No. 4

You receive an email from a third-party vendor stating that one of their services is compromised. The vendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?

Correct Answer: A

According to the [CrowdStrike website], the Discover page is where you can search for and analyze various types of indicators of compromise (IOCs), such as hashes, IP addresses, or domains that are associated with malicious activities. You can use various tools, such as Hash Executions, IP Addresses, and Remote or Network Logon Activity, to perform different types of searches and view the results in different ways. To search for any activity related to an IP address that a third-party vendor has reported as used by a compromised service, use the IP Addresses tool. You can input the IP address and see a summary of information from Falcon events that contain that IP address, such as hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that communicated with that IP address.


Question No. 5

How long are quarantined files stored in the CrowdStrike Cloud?

Correct Answer: B

According to the [CrowdStrike Falcon Data Replicator (FDR) Add-on for Splunk Guide], when you quarantine a file from a host using IOC Management or Real Time Response (RTR), you are moving it from its original location to a secure location on the host where it cannot be executed. The file is also encrypted and renamed with a random string of characters. A copy of the file is also uploaded to the CrowdStrike Cloud for further analysis. Quarantined files are stored in the CrowdStrike Cloud for 90 days before they are deleted.

