Question 13

How long are quarantined files stored in the CrowdStrike Cloud?

Correct Answer: B
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, when you quarantine a file from a host using IOC Management or Real Time Response (RTR), you are moving it from its original location to a secure location on the host where it cannot be executed. The file is also encrypted and renamed with a random string of characters. A copy of the file is also uploaded to the CrowdStrike Cloud for further analysis. Quarantined files are stored in the CrowdStrike Cloud for 90 days before they are deleted.

Question 14

In the "Full Detection Details", which view will provide an exportable text listing of events like DNS requests, Registry Operations, and Network Operations?

Correct Answer: D
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Full Detection Details tool allows you to view detailed information about a detection, such as detection ID, severity, tactic, technique, description, etc. You can also view the events generated by the processes involved in the detection in different ways, such as process tree, process timeline, or process activity. The process activity view provides a rows-and-columns style view of the events, such as DNS requests, registry operations, network operations, etc. You can also export this view to a CSV file for further analysis.

Question 15

What is the difference between Managed and Unmanaged Neighbors in the Falcon console?

Correct Answer: B
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, you can use the Hosts page in the Investigate tool to view information about your endpoints, such as hostname, IP address, OS, sensor version, etc. You can also see a list of managed and unmanaged neighbors for each endpoint, which are other devices that have communicated with that endpoint over the network. A managed neighbor is a device that has an installed and provisioned sensor that reports to the CrowdStrike Cloud. An unmanaged neighbor is a device that does not have an installed or provisioned sensor.

Question 16

Which option indicates a hash is allowlisted?

Correct Answer: B
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the allowlist feature allows you to exclude files or directories from being scanned or blocked by CrowdStrike's machine learning engine or indicators of attack (IOAs). This can reduce false positives and improve performance. When you allowlist a hash, you are allowing that file to execute on any host that belongs to your organization's CID (customer ID). The option to indicate that a hash is allowlisted is "Allow".
