Question #1
After pivoting to an event search from a detection, you locate the ProcessRollup2 event.
Which two field values are you required to obtain to perform a Process Timeline search so you can determine what the process was doing?
- A . SHA256 and TargetProcessld_decimal
- B . SHA256 and ParentProcessld_decimal
- C . aid and ParentProcessld_decimal
- D . aid and TargetProcessld_decimal
Correct Answer: D
D
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline search requires two parameters: aid (agent ID) and TargetProcessId_decimal (the decimal value of the process ID). These fields can be obtained from the ProcessRollup2 event, which contains information about processes that have executed on a host1.
D
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline search requires two parameters: aid (agent ID) and TargetProcessId_decimal (the decimal value of the process ID). These fields can be obtained from the ProcessRollup2 event, which contains information about processes that have executed on a host1.
Question #2
The function of Machine Learning Exclusions is to___________.
- A . stop all detections for a specific pattern ID
- B . stop all sensor data collection for the matching path(s)
- C . Stop all Machine Learning Preventions but a detection will still be generated and files will still be uploaded to the CrowdStrike Cloud
- D . stop all ML-based detections and preventions for the matching path(s) and/or stop files from being uploaded to the CrowdStrike Cloud
Correct Answer: C
C
Explanation:
Stop all Machine Learning Preventions but a detection will still be generated and files will still be uploaded to the CrowdStrike Cloud: This option is aligned with the primary purpose of ML exclusions. It suggests that while the system will still detect and record the events (and upload files for analysis), it will not take automatic preventive actions based on machine learning decisions for the excluded paths or patterns.
This setting is useful for scenarios where certain processes or activities are known to be safe in a particular environment and should not trigger preventive actions, even though they might be flagged by ML algorithms.
C
Explanation:
Stop all Machine Learning Preventions but a detection will still be generated and files will still be uploaded to the CrowdStrike Cloud: This option is aligned with the primary purpose of ML exclusions. It suggests that while the system will still detect and record the events (and upload files for analysis), it will not take automatic preventive actions based on machine learning decisions for the excluded paths or patterns.
This setting is useful for scenarios where certain processes or activities are known to be safe in a particular environment and should not trigger preventive actions, even though they might be flagged by ML algorithms.
Question #3
What happens when you create a Sensor Visibility Exclusion for a trusted file path?
- A . It excludes host information from Detections and Incidents generated within that file path location
- B . It prevents file uploads to the CrowdStrike cloud from that file path
- C . It excludes sensor monitoring and event collection for the trusted file path
- D . It disables detection generation from that path, however the sensor can still perform prevention actions
Correct Answer: C
C
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, Sensor Visibility Exclusions allow you to exclude certain files or directories from being monitored by the CrowdStrike sensor, which can reduce noise and improve performance2. This means that no events will be collected or sent to the CrowdStrike Cloud for those files or directories2.
C
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, Sensor Visibility Exclusions allow you to exclude certain files or directories from being monitored by the CrowdStrike sensor, which can reduce noise and improve performance2. This means that no events will be collected or sent to the CrowdStrike Cloud for those files or directories2.
Question #4
What types of events are returned by a Process Timeline?
- A . Only detection events
- B . All cloudable events
- C . Only process events
- D . Only network events
Correct Answer: C
C
Explanation:
Only process events: This option suggests that the timeline focuses exclusively on events directly related to the process in question. This would typically include events like process creation, modification, interactions with other processes, and termination C essentially tracking the life cycle of the process.
This ensures that the timeline provides a focused and detailed view of the specific process’s activities and interactions, which is essential for thorough analysis and investigation in cybersecurity contexts.
C
Explanation:
Only process events: This option suggests that the timeline focuses exclusively on events directly related to the process in question. This would typically include events like process creation, modification, interactions with other processes, and termination C essentially tracking the life cycle of the process.
This ensures that the timeline provides a focused and detailed view of the specific process’s activities and interactions, which is essential for thorough analysis and investigation in cybersecurity contexts.
Question #5
What is the difference between a Host Search and a Host Timeline?
- A . Results from a Host Search return information in an organized view by type, while a Host Timeline returns a view of all events recorded by the sensor
- B . A Host Timeline only includes process execution events and user account activity
- C . Results from a Host Timeline include process executions and related events organized by data type. A Host Search returns a temporal view of all events for the given host
- D . There is no difference – Host Search and Host Timeline are different names for the same search
page
Correct Answer: A
A
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Host Search allows you to search for hosts based on various criteria, such as hostname, IP address, OS, etc1. The results are displayed in an organized view by type, such as detections, incidents, processes, network connections, etc1. The Host Timeline allows you to view all events recorded by the sensor for a given host in a chronological order1. The events include process executions, file writes, registry modifications, network connections, user logins, etc1.
A
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Host Search allows you to search for hosts based on various criteria, such as hostname, IP address, OS, etc1. The results are displayed in an organized view by type, such as detections, incidents, processes, network connections, etc1. The Host Timeline allows you to view all events recorded by the sensor for a given host in a chronological order1. The events include process executions, file writes, registry modifications, network connections, user logins, etc1.
Question #6
When examining raw event data, what is the purpose of the field called ParentProcessld_decimal?
- A . It contains an internal value not useful for an investigation
- B . It contains the TargetProcessld_decimal value of the child process
- C . It contains the Sensorld_decimal value for related events
- D . It contains the TargetProcessld_decimal of the parent process
Correct Answer: D
D
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ParentProcessld_decimal field contains the decimal value of the process ID of the parent process that spawned or injected into the target process1. This field can be used to trace the process lineage and identify malicious or suspicious activities1.
D
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ParentProcessld_decimal field contains the decimal value of the process ID of the parent process that spawned or injected into the target process1. This field can be used to trace the process lineage and identify malicious or suspicious activities1.
Question #7
What action is used when you want to save a prevention hash for later use?
- A . Always Block
- B . Never Block
- C . Always Allow
- D . No Action
Correct Answer: A
A
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the Always Block action allows you to block a file from executing on any host in your organization based on its hash value2. This action can be used to prevent known malicious files from running on your endpoints2.
A
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the Always Block action allows you to block a file from executing on any host in your organization based on its hash value2. This action can be used to prevent known malicious files from running on your endpoints2.
Question #8
A list of managed and unmanaged neighbors for an endpoint can be found:
- A . by using Hosts page in the Investigate tool
- B . by reviewing "Groups" in Host Management under the Hosts page
- C . under "Audit" by running Sensor Visibility Exclusions Audit
- D . only by searching event data using Event Search
Correct Answer: A
A
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, you can use the Hosts page in the Investigate tool to view information about your endpoints, such as hostname, IP address, OS, sensor version, etc2. You can also see a list of managed and unmanaged neighbors for each endpoint, which are other devices that have communicated with that endpoint over the network2. This can help you identify potential threats or vulnerabilities in your network2.
A
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, you can use the Hosts page in the Investigate tool to view information about your endpoints, such as hostname, IP address, OS, sensor version, etc2. You can also see a list of managed and unmanaged neighbors for each endpoint, which are other devices that have communicated with that endpoint over the network2. This can help you identify potential threats or vulnerabilities in your network2.
Question #9
What happens when a hash is allowlisted?
- A . Execution is prevented, but detection alerts are suppressed
- B . Execution is allowed on all hosts, including all other Falcon customers
- C . The hash is submitted for approval to be allowed to execute once confirmed by Falcon specialists
- D . Execution is allowed on all hosts that fall under the organization’s CID
Correct Answer: D
D
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the allowlist feature allows you to exclude files or directories from being scanned or blocked by CrowdStrike’s machine learning engine or indicators of attack (IOAs)2. This can reduce false positives and improve performance2. When you allowlist a hash, you are allowing that file to execute on any host that belongs to your organization’s CID (customer ID)2. This does not affect other Falcon customers or hosts outside your CID2.
D
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the allowlist feature allows you to exclude files or directories from being scanned or blocked by CrowdStrike’s machine learning engine or indicators of attack (IOAs)2. This can reduce false positives and improve performance2. When you allowlist a hash, you are allowing that file to execute on any host that belongs to your organization’s CID (customer ID)2. This does not affect other Falcon customers or hosts outside your CID2.
Question #10
Which of the following is returned from the IP Search tool?
- A . IP Summary information from Falcon events containing the given IP
- B . Threat Graph Data for the given IP from Falcon sensors
- C . Unmanaged host data from system ARP tables for the given IP
- D . IP Detection Summary information for detection events containing the given IP
Correct Answer: A
A
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the IP Search tool allows you to search for an IP address and view a summary of information from Falcon events that contain that IP address1. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that communicated with that IP address1.
A
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the IP Search tool allows you to search for an IP address and view a summary of information from Falcon events that contain that IP address1. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that communicated with that IP address1.
Question #11
Which is TRUE regarding a file released from quarantine?
- A . No executions are allowed for 14 days after release
- B . It is allowed to execute on all hosts
- C . It is deleted
- D . It will not generate future machine learning detections on the associated host
Correct Answer: D
D
Explanation:
Releasing a file from quarantine typically indicates that it has been reviewed and deemed not harmful, or that it was falsely identified as a threat. Consequently, the file is allowed to execute without being continually flagged by the machine learning detection system, at least on the host from which it was initially quarantined. This helps in reducing false positives and managing system resources more efficiently.
D
Explanation:
Releasing a file from quarantine typically indicates that it has been reviewed and deemed not harmful, or that it was falsely identified as a threat. Consequently, the file is allowed to execute without being continually flagged by the machine learning detection system, at least on the host from which it was initially quarantined. This helps in reducing false positives and managing system resources more efficiently.
Question #12
Which of the following is an example of a MITRE ATT&CK tactic?
- A . Eternal Blue
- B . Defense Evasion
- C . Emotet
- D . Phishing
Correct Answer: B
B
Explanation:
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Defense Evasion is one of the tactics defined by MITRE ATT&CK, which covers actions that adversaries take to avoid detection or prevent security controls from blocking their activities. Eternal Blue, Emotet, and Phishing are examples of techniques, not tactics.
B
Explanation:
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Defense Evasion is one of the tactics defined by MITRE ATT&CK, which covers actions that adversaries take to avoid detection or prevent security controls from blocking their activities. Eternal Blue, Emotet, and Phishing are examples of techniques, not tactics.
Question #13
You notice that taskeng.exe is one of the processes involved in a detection.
What activity should you investigate next?
- A . User logons after the detection
- B . Executions of schtasks.exe after the detection
- C . Scheduled tasks registered prior to the detection
- D . Pivot to a Hash search for taskeng.exe
Correct Answer: C
C
Explanation:
According to the [Microsoft website], taskeng.exe is a legitimate Windows process that is responsible for running scheduled tasks. However, some malware may use this process or create a fake one to execute malicious code. Therefore, if you notice taskeng.exe involved in a detection, you should investigate whether there are any scheduled tasks registered prior to the detection that may have triggered or injected into taskeng.exe. You can use tools such as schtasks.exe or Task Scheduler to view or manage scheduled tasks.
C
Explanation:
According to the [Microsoft website], taskeng.exe is a legitimate Windows process that is responsible for running scheduled tasks. However, some malware may use this process or create a fake one to execute malicious code. Therefore, if you notice taskeng.exe involved in a detection, you should investigate whether there are any scheduled tasks registered prior to the detection that may have triggered or injected into taskeng.exe. You can use tools such as schtasks.exe or Task Scheduler to view or manage scheduled tasks.
Question #14
Where can you find hosts that are in Reduced Functionality Mode?
- A . Event Search
- B . Executive Summary dashboard
- C . Host Search
- D . Installation Tokens
Correct Answer: C
C
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Reduced Functionality Mode (RFM) is a state where a host’s sensor has limited functionality due to various reasons, such as license expiration, network issues, tampering attempts, etc1. You can find hosts that are in RFM by using the Host Search tool and filtering by Sensor Status = RFM1. You can also view details about why a host is in RFM by clicking on its hostname1.
C
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Reduced Functionality Mode (RFM) is a state where a host’s sensor has limited functionality due to various reasons, such as license expiration, network issues, tampering attempts, etc1. You can find hosts that are in RFM by using the Host Search tool and filtering by Sensor Status = RFM1. You can also view details about why a host is in RFM by clicking on its hostname1.
Question #15
From the Detections page, how can you view ‘in-progress’ detections assigned to Falcon Analyst Alex?
- A . Filter on’Analyst: Alex’
- B . Alex does not have the correct role permissions as a Falcon Analyst to be assigned detections
- C . Filter on ‘Hostname: Alex’ and ‘Status: In-Progress’
- D . Filter on ‘Status: In-Progress’ and ‘Assigned-to: Alex*
Correct Answer: D
D
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the Detections page allows you to view and manage detections generated by the CrowdStrike Falcon platform2. You can use various filters to narrow down the detections based on criteria such as status, severity, tactic, technique, etc2. To view ‘in-progress’ detections assigned to Falcon Analyst Alex, you can filter on ‘Status: In-Progress’ and ‘Assigned-to: Alex*’2. The asterisk (*) is a wildcard that matches any characters after Alex2.
D
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the Detections page allows you to view and manage detections generated by the CrowdStrike Falcon platform2. You can use various filters to narrow down the detections based on criteria such as status, severity, tactic, technique, etc2. To view ‘in-progress’ detections assigned to Falcon Analyst Alex, you can filter on ‘Status: In-Progress’ and ‘Assigned-to: Alex*’2. The asterisk (*) is a wildcard that matches any characters after Alex2.
Question #16
The Process Activity View provides a rows-and-columns style view of the events generated in a detection.
Why might this be helpful?
- A . The Process Activity View creates a consolidated view of all detection events for that process that can be exported for further analysis
- B . The Process Activity View will show the Detection time of the earliest recorded activity which might indicate first affected machine
- C . The Process Activity View only creates a summary of Dynamic Link Libraries (DLLs) loaded by a process
- D . The Process Activity View creates a count of event types only, which can be useful when scoping the event
Correct Answer: A
A
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Activity View allows you to view all events generated by a process involved in a detection in a rows-and-columns style view1. This can be helpful because it creates a consolidated view of all detection events for that process that can be exported for further analysis1. You can also sort, filter, and pivot on the events by various fields, such as event type, timestamp, file name, registry key, network destination, etc1.
A
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Activity View allows you to view all events generated by a process involved in a detection in a rows-and-columns style view1. This can be helpful because it creates a consolidated view of all detection events for that process that can be exported for further analysis1. You can also sort, filter, and pivot on the events by various fields, such as event type, timestamp, file name, registry key, network destination, etc1.
Question #17
After running an Event Search, you can select many Event Actions depending on your results.
Which of the following is NOT an option for any Event Action?
- A . Draw Process Explorer
- B . Show a +/- 10-minute window of events
- C . Show a Process Timeline for the responsible process
- D . Show Associated Event Data (from TargetProcessld_decimal or ContextProcessld_decimal)
Correct Answer: A
A
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Event Search tool allows you to search for events based on various criteria, such as event type, timestamp, hostname, IP address, etc1. You can also select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events, etc1. However, there is no option to draw a process explorer, which is a graphical representation of the process hierarchy and activity1.
A
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Event Search tool allows you to search for events based on various criteria, such as event type, timestamp, hostname, IP address, etc1. You can also select one or more events and perform various actions, such as show a process timeline, show a host timeline, show associated event data, show a +/- 10-minute window of events, etc1. However, there is no option to draw a process explorer, which is a graphical representation of the process hierarchy and activity1.
Question #18
Which option indicates a hash is allowlisted?
- A . No Action
- B . Allow
- C . Ignore
- D . Always Block
Correct Answer: B
B
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the allowlist feature allows you to exclude files or directories from being scanned or blocked by CrowdStrike’s machine learning engine or indicators of attack (IOAs)2. This can reduce false positives and improve performance2. When you allowlist a hash, you are allowing that file to execute on any host that belongs to your organization’s CID (customer ID)2. The option to indicate that a hash is allowlisted is "Allow"2.
B
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the allowlist feature allows you to exclude files or directories from being scanned or blocked by CrowdStrike’s machine learning engine or indicators of attack (IOAs)2. This can reduce false positives and improve performance2. When you allowlist a hash, you are allowing that file to execute on any host that belongs to your organization’s CID (customer ID)2. The option to indicate that a hash is allowlisted is "Allow"2.
Question #19
Which of the following tactic and technique combinations is sourced from MITRE ATT&CK information?
- A . Falcon Intel via Intelligence Indicator – Domain
- B . Machine Learning via Cloud-Based ML
- C . Malware via PUP
- D . Credential Access via OS Credential Dumping
Correct Answer: D
D
Explanation:
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Credential Access via OS Credential Dumping is an example of a tactic and technique combination sourced from MITRE ATT&CK information, which describes how adversaries can obtain credentials from operating system memory or disk storage by using tools such as Mimikatz or ProcDump.
D
Explanation:
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Credential Access via OS Credential Dumping is an example of a tactic and technique combination sourced from MITRE ATT&CK information, which describes how adversaries can obtain credentials from operating system memory or disk storage by using tools such as Mimikatz or ProcDump.
Question #20
What do IOA exclusions help you achieve?
- A . Reduce false positives based on Next-Gen Antivirus settings in the Prevention Policy
- B . Reduce false positives of behavioral detections from IOA based detections only
- C . Reduce false positives of behavioral detections from IOA based detections based on a file hash
- D . Reduce false positives of behavioral detections from Custom IOA and OverWatch detections only
Correct Answer: B
B
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike’s indicators of attack (IOAs), which are behavioral rules that identify malicious activities2. This can reduce false positives and improve performance2. IOA exclusions only apply to IOA based detections, not other types of detections such as machine learning, custom IOA, or OverWatch2.
B
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike’s indicators of attack (IOAs), which are behavioral rules that identify malicious activities2. This can reduce false positives and improve performance2. IOA exclusions only apply to IOA based detections, not other types of detections such as machine learning, custom IOA, or OverWatch2.