After pivoting to an event search from a detection, you locate the ProcessRollup2 event. Which two
field values are you required to obtain to perform a Process Timeline search so you can determine
what the process was doing?
D
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline search requires two parameters: aid (the agent ID of the host) and TargetProcessId_decimal (the decimal value of the process identifier). Both fields can be read from the ProcessRollup2 event, which records each process that has executed on a host. Note that TargetProcessId_decimal is the sensor-assigned identifier for the process, not the operating-system PID (that is carried in RawProcessId_decimal), and it is only unique within a single host, which is why the aid must be supplied alongside it.
The function of Machine Learning Exclusions is to___________.
D
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, Machine Learning Exclusions let you exclude files or directories from CrowdStrike's machine-learning-based detection, which can reduce false positives and improve performance. You can also choose whether files matching the exclusion are still uploaded to the CrowdStrike Cloud.
What happens when you create a Sensor Visibility Exclusion for a trusted file path?
C
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, Sensor Visibility Exclusions let you exclude certain files or directories from being monitored by the CrowdStrike sensor, which can reduce noise and improve performance. This means that no events will be collected or sent to the CrowdStrike Cloud for those files or directories. Because the sensor stops observing the path entirely, nothing executed from it can be detected or prevented either, so this exclusion type should be used sparingly and only for paths you fully trust.
What types of events are returned by a Process Timeline?
B
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline search returns all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc. This gives you a comprehensive view of what a process was doing on a host.
What is the difference between a Host Search and a Host Timeline?
A
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Host Search allows you to search for hosts based on various criteria, such as hostname, IP address, OS, etc. The results are displayed in an organized view grouped by type, such as detections, incidents, processes, network connections, etc. The Host Timeline, by contrast, shows all events recorded by the sensor for a given host in chronological order; these include process executions, file writes, registry modifications, network connections, user logins, etc.
When examining raw event data, what is the purpose of the field called ParentProcessId_decimal?
D
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the ParentProcessId_decimal field contains the decimal value of the process identifier of the parent process that spawned the target process. Its value matches the TargetProcessId_decimal of the parent's own ProcessRollup2 event on the same host (same aid), so following it repeatedly lets you trace the process lineage and identify malicious or suspicious activity.
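The three explanations above describe the same mechanics: the ProcessRollup2 event supplies aid and TargetProcessId_decimal, the Process Timeline is every event the process generated, and ParentProcessId_decimal links a process to its parent. The following is an added example (not code from the page, the cited guides, or CrowdStrike) that applies those rules to a constructed set of Falcon-style events. It assumes each event is a dict carrying the field names discussed on the page plus ContextProcessId_decimal, which events such as network connections use to reference the process that generated them, and a "timestamp" field; all aid values, identifiers and file names are invented.

```python
"""Added example, not from the page or from CrowdStrike: rebuild a
Process Timeline and parent lineage from Falcon-style events.

Assumed layout (an assumption of this example): every event is a dict with
aid, event_simpleName and timestamp; ProcessRollup2 events carry
TargetProcessId_decimal and ParentProcessId_decimal, and later events from
the same process carry ContextProcessId_decimal. All values are invented.
"""

# Constructed sample events. The process identifiers are sensor-style
# identifiers, NOT OS PIDs, so they only mean something together with an aid.
EVENTS = [
    {"timestamp": 1000, "aid": "aid-A", "event_simpleName": "ProcessRollup2",
     "TargetProcessId_decimal": "100", "ParentProcessId_decimal": "1",
     "FileName": "explorer.exe"},
    {"timestamp": 1010, "aid": "aid-A", "event_simpleName": "ProcessRollup2",
     "TargetProcessId_decimal": "200", "ParentProcessId_decimal": "100",
     "FileName": "winword.exe"},
    {"timestamp": 1020, "aid": "aid-A", "event_simpleName": "ProcessRollup2",
     "TargetProcessId_decimal": "300", "ParentProcessId_decimal": "200",
     "FileName": "powershell.exe"},
    {"timestamp": 1025, "aid": "aid-A", "event_simpleName": "NetworkConnectIP4",
     "ContextProcessId_decimal": "300", "RemoteAddressIP4": "203.0.113.5"},
    {"timestamp": 1030, "aid": "aid-A", "event_simpleName": "DnsRequest",
     "ContextProcessId_decimal": "300", "DomainName": "example.invalid"},
    # Same identifier on a different host: must not be mixed into aid-A's view.
    {"timestamp": 1040, "aid": "aid-B", "event_simpleName": "ProcessRollup2",
     "TargetProcessId_decimal": "300", "ParentProcessId_decimal": "4",
     "FileName": "svchost.exe"},
]


def process_timeline(events, aid, target_pid):
    """Every event for one process on one host, oldest first.

    The ProcessRollup2 event identifies the process in TargetProcessId_decimal;
    the events it generated afterwards identify it in ContextProcessId_decimal.
    Filtering on aid first is what keeps the same identifier on another host
    out of the result.
    """
    def belongs(ev):
        if ev["aid"] != aid:
            return False
        if ev["event_simpleName"] == "ProcessRollup2":
            return ev.get("TargetProcessId_decimal") == target_pid
        return ev.get("ContextProcessId_decimal") == target_pid

    return sorted((ev for ev in events if belongs(ev)),
                  key=lambda ev: ev["timestamp"])


def process_lineage(events, aid, target_pid):
    """Walk ParentProcessId_decimal upwards and return the executable names
    from the oldest observed ancestor down to the target process.

    Stops when the parent has no ProcessRollup2 on this host (it was never
    observed by the sensor) or when malformed data would loop forever.
    """
    rollups = {ev["TargetProcessId_decimal"]: ev
               for ev in events
               if ev["aid"] == aid and ev["event_simpleName"] == "ProcessRollup2"}
    chain, seen, pid = [], set(), target_pid
    while pid in rollups and pid not in seen:
        seen.add(pid)
        ev = rollups[pid]
        chain.append(ev["FileName"])
        pid = ev["ParentProcessId_decimal"]
    return list(reversed(chain))


if __name__ == "__main__":
    for ev in process_timeline(EVENTS, "aid-A", "300"):
        detail = ev.get("FileName") or ev.get("RemoteAddressIP4") or ev.get("DomainName")
        print(ev["timestamp"], ev["event_simpleName"], detail)
    print(" -> ".join(process_lineage(EVENTS, "aid-A", "300")))
```

Running it prints the three events belonging to the powershell.exe process on aid-A and the chain explorer.exe -> winword.exe -> powershell.exe, while the svchost.exe process that happens to share identifier 300 on aid-B is left out, which is exactly why a Process Timeline needs both fields.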
What action is used when you want to save a prevention hash for later use?
A
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the Always Block action allows you to block a file from executing on any host in your organization based on its hash value. This action can be used to prevent known malicious files from running on your endpoints.
A list of managed and unmanaged neighbors for an endpoint can be found:
A
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, you can use the Hosts page in the Investigate tool to view information about your endpoints, such as hostname, IP address, OS, sensor version, etc. You can also see a list of managed and unmanaged neighbors for each endpoint, which are other devices that have communicated with that endpoint over the network. This can help you identify potential threats or vulnerabilities in your network, in particular devices that have no sensor installed.
What happens when a hash is allowlisted?
D
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the allowlist feature allows you to exclude a file, identified by its hash, from being detected or blocked by CrowdStrike's machine learning engine or indicators of attack (IOAs). This can reduce false positives. When you allowlist a hash, you are allowing that file to execute on any host that belongs to your organization's CID (customer ID). This does not affect other Falcon customers or hosts outside your CID.
Which of the following is returned from the IP Search tool?
A
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the IP Search tool allows you to search for an IP address and view a summary of information from Falcon events that contain that IP address. The summary includes the hosts that communicated with that IP address (hostname, sensor ID, OS) together with geolocation data for the IP address itself (country, city, ISP, ASN).
Which is TRUE regarding a file released from quarantine?
B
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, when you release a file from quarantine, you are restoring it to its original location and allowing it to execute on any host in your organization. This action also removes the file from the quarantine list and deletes it from the CrowdStrike Cloud.
Which of the following is an example of a MITRE ATT&CK tactic?
B
Explanation:
According to the [MITRE ATT&CK website], MITRE ATT&CK is a knowledge base of adversary behaviors and techniques based on real-world observations. The knowledge base is organized into tactics and techniques, where tactics are the high-level goals of an adversary, such as initial access, persistence, lateral movement, etc., and techniques are the specific ways an adversary can achieve those goals, such as phishing, credential dumping, remote file copy, etc. Defense Evasion is one of the tactics defined by MITRE ATT&CK; it covers actions that adversaries take to avoid detection or to prevent security controls from blocking their activities. The other options are not tactics: Phishing is a technique (T1566), EternalBlue is an exploit, and Emotet is a malware family that ATT&CK tracks under Software.
You notice that taskeng.exe is one of the processes involved in a detection. What activity should you
investigate next?
C
Explanation:
According to the [Microsoft website], taskeng.exe is a legitimate Windows process (the Task Scheduler Engine) that is responsible for running scheduled tasks. However, malware may abuse this process, or masquerade as it, to execute malicious code. Therefore, if you notice taskeng.exe involved in a detection, you should investigate whether any scheduled tasks were registered on that host prior to the detection that may have triggered the malicious activity, and what command each of those tasks runs. You can use schtasks.exe (for example, schtasks /query /v /fo LIST) or the Task Scheduler console to view or manage scheduled tasks.
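The investigation step above is a time-window correlation: on the same host, find scheduled-task registrations that happened shortly before the taskeng.exe detection. The following is an added example (not code from the page, the cited material, or CrowdStrike) that performs that correlation over constructed Falcon-style events. It assumes an event named ScheduledTaskRegistered with TaskName and TaskExecCommand fields and an epoch-second "timestamp" field; those names, the aid values, task names and paths are all assumptions of the example, and the "user-writable path" ranking is a triage heuristic of the example rather than anything the page or Falcon defines.

```python
"""Added example, not from the page or from CrowdStrike: find scheduled-task
registrations that precede a taskeng.exe detection on the same host.

Assumptions: events are dicts with aid, event_simpleName and an epoch-second
timestamp; scheduled-task events are named ScheduledTaskRegistered and carry
TaskName and TaskExecCommand. The records and all values are constructed.
"""
import re

# Constructed events. aid-A is the host with the detection; aid-B is noise.
EVENTS = [
    {"timestamp": 5000, "aid": "aid-A", "event_simpleName": "ScheduledTaskRegistered",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskExecCommand": "C:\\Windows\\System32\\defrag.exe"},
    {"timestamp": 9800, "aid": "aid-A", "event_simpleName": "ScheduledTaskRegistered",
     "TaskName": "\\Updater",
     "TaskExecCommand": "C:\\Users\\alice\\AppData\\Roaming\\upd.exe"},
    {"timestamp": 9900, "aid": "aid-B", "event_simpleName": "ScheduledTaskRegistered",
     "TaskName": "\\Updater", "TaskExecCommand": "C:\\Temp\\x.exe"},  # other host
    {"timestamp": 10000, "aid": "aid-A", "event_simpleName": "ProcessRollup2",
     "FileName": "taskeng.exe", "TargetProcessId_decimal": "700"},
    {"timestamp": 10100, "aid": "aid-A", "event_simpleName": "ScheduledTaskRegistered",
     "TaskName": "\\Later", "TaskExecCommand": "C:\\Temp\\later.exe"},  # after detection
]

# Triage heuristic (an assumption of this example, not a Falcon rule): a task
# whose command lives in a user-writable location is looked at first.
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.IGNORECASE)


def detection_time(events, aid, file_name):
    """Timestamp of the first ProcessRollup2 for `file_name` on host `aid`,
    or None if that process was never seen there."""
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if (ev["aid"] == aid and ev["event_simpleName"] == "ProcessRollup2"
                and ev.get("FileName", "").lower() == file_name.lower()):
            return ev["timestamp"]
    return None


def tasks_before_detection(events, aid, detection_ts, window_seconds):
    """ScheduledTaskRegistered events on host `aid` registered within
    `window_seconds` before (or at) `detection_ts`.

    Registrations after the detection and registrations on other hosts are
    dropped. Results are ordered with user-writable command paths first, then
    most recent first, so the likeliest persistence entry is at the top.
    """
    start = detection_ts - window_seconds
    hits = [ev for ev in events
            if ev["aid"] == aid
            and ev["event_simpleName"] == "ScheduledTaskRegistered"
            and start <= ev["timestamp"] <= detection_ts]
    return sorted(hits, key=lambda ev: (
        not bool(USER_WRITABLE.search(ev["TaskExecCommand"])),  # suspicious first
        -ev["timestamp"],                                        # then newest first
    ))


if __name__ == "__main__":
    ts = detection_time(EVENTS, "aid-A", "taskeng.exe")
    for ev in tasks_before_detection(EVENTS, "aid-A", ts, window_seconds=6000):
        flag = "!" if USER_WRITABLE.search(ev["TaskExecCommand"]) else " "
        print(flag, ev["timestamp"], ev["TaskName"], "->", ev["TaskExecCommand"])
```

With a 6000-second window the \Updater task pointing into a user profile is listed ahead of the built-in defrag task; the registration on aid-B and the one that happened after the detection never appear, which mirrors the "prior to the detection, on this host" scoping the explanation calls for.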
Where can you find hosts that are in Reduced Functionality Mode?
C
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, Reduced Functionality Mode (RFM) is a state in which a host's sensor has limited functionality, most commonly because the host's operating system or kernel version is not yet supported by the installed sensor, or because the sensor cannot load correctly. You can find hosts that are in RFM on the Host Management page by filtering on a sensor status of RFM, and you can view details about why a given host is in RFM by clicking on its hostname.
From the Detections page, how can you view 'in-progress' detections assigned to Falcon Analyst
Alex?
D
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the Detections page allows you to view and manage detections generated by the CrowdStrike Falcon platform. You can use various filters to narrow down the detections based on criteria such as status, severity, tactic, technique, etc. To view 'in-progress' detections assigned to Falcon Analyst Alex, you can filter on 'Status: In-Progress' and 'Assigned-to: Alex*'. The asterisk (*) is a wildcard that matches any characters after Alex.