CrowdStrike Certified Falcon Responder Questions and Answers
Question 5
Which statement is TRUE regarding the "Bulk Domains" search?
Options:
A.
It will show a list of computers and processes that performed a lookup of any of the domains in your search
B.
The "Bulk Domains" search will allow you to blocklist your queried domains
C.
The "Bulk Domains" search will show IP address and port information for any associated connections
D.
You should only pivot to the "Bulk Domains" search tool after completing an investigation
Answer:
A
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Bulk Domain Search tool allows you to search for one or more domains and view a summary of information from Falcon events that contain those domains. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that performed a lookup of any of the domains in your search. This can help you identify potential threats or vulnerabilities in your network.
Question 6
The primary purpose for running a Hash Search is to:
Options:
A.
determine any network connections
B.
review the processes involved with a detection
C.
determine the origin of the detection
D.
review information surrounding a hash's related activity
Answer:
D
Explanation:
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that loaded or executed those hashes. You can also see a count of detections and incidents related to those hashes. The primary purpose for running a Hash Search is to review information surrounding a hash's related activity, such as which hosts and processes were involved, where they were located, and whether they triggered any alerts.
Question 7
What do IOA exclusions help you achieve?
Options:
A.
Reduce false positives based on Next-Gen Antivirus settings in the Prevention Policy
B.
Reduce false positives of behavioral detections from IOA based detections only
C.
Reduce false positives of behavioral detections from IOA based detections based on a file hash
D.
Reduce false positives of behavioral detections from Custom IOA and OverWatch detections only
Answer:
B
Explanation:
According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, IOA exclusions allow you to exclude files or directories from being detected or blocked by CrowdStrike's indicators of attack (IOAs), which are behavioral rules that identify malicious activities. This can reduce false positives and improve performance. IOA exclusions only apply to IOA based detections, not other types of detections such as machine learning, custom IOA, or OverWatch.
Question 8
How long are quarantined files stored in the CrowdStrike Cloud?
Options:
A.
45 Days
B.
90 Days
C.
Days
D.
Quarantined files are not deleted
Answer:
B
Explanation:
According to the [CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide], when you quarantine a file from a host using IOC Management or Real Time Response (RTR), you are moving it from its original location to a secure location on the host where it cannot be executed. The file is also encrypted and renamed with a random string of characters. A copy of the file is also uploaded to the CrowdStrike Cloud for further analysis. Quarantined files are stored in the CrowdStrike Cloud for 90 days before they are deleted.