After pivoting to an event search from a detection, you locate the ProcessRollup2 event. Which two field values are you required to obtain to perform a Process Timeline search so you can determine what the process was doing?
A. SHA256 and TargetProcessId_decimal
B. SHA256 and ParentProcessId_decimal
C. aid and ParentProcessId_decimal
D. aid and TargetProcessId_decimal
How does a DNSRequest event link to its responsible process?
A. Via both its ContextProcessId_decimal and ParentProcessId_decimal fields
B. Via its ParentProcessId_decimal field
C. Via its ContextProcessId_decimal field
D. Via its TargetProcessId_decimal field
Within the MITRE-Based Falcon Detections Framework, what is the correct way to interpret Keep Access > Persistence > Create Account?
A. An adversary is trying to keep access through persistence by creating an account
B. An adversary is trying to keep access through persistence using browser extensions
C. An adversary is trying to keep access through persistence using external remote services
D. An adversary is trying to keep access through persistence using application skimming
How long are quarantined files stored on the host?
A. 45 Days
B. 30 Days
C. Quarantined files are never deleted from the host
D. 90 Days
What happens when you create a Sensor Visibility Exclusion for a trusted file path?
A. It excludes host information from Detections and Incidents generated within that file path location
B. It prevents file uploads to the CrowdStrike cloud from that file path
C. It excludes sensor monitoring and event collection for the trusted file path
D. It disables detection generation from that path, however the sensor can still perform prevention actions
Which of the following is NOT a valid event type?
A. StartofProcess
B. EndofProcess
C. ProcessRollup2
D. DnsRequest
What does pivoting to an Event Search from a detection do?
A. It gives you the ability to search for similar events on other endpoints quickly
B. It takes you to the raw Insight event data and provides you with a number of Event Actions
C. It takes you to a Process Timeline for that detection so you can see all related events
D. It allows you to input an event type, such as DNS Request or ASEP write, and search for those events within the detection
The Falcon platform will show a maximum of how many detections per day for a single Agent Identifier (AID)?
A. 500
B. 750
C. 1000
D. 1200
Which statement is TRUE regarding the "Bulk Domains" search?
A. It will show a list of computers and processes that performed a lookup of any of the domains in your search
B. The "Bulk Domains" search will allow you to blocklist your queried domains
C. The "Bulk Domains" search will show IP address and port information for any associated connections
D. You should only pivot to the "Bulk Domains" search tool after completing an investigation
A list of managed and unmanaged neighbors for an endpoint can be found:
A. by using Hosts page in the Investigate tool
B. by reviewing "Groups" in Host Management under the Hosts page
C. under "Audit" by running Sensor Visibility Exclusions Audit
D. only by searching event data using Event Search
Where are quarantined files stored on Windows hosts?
A. Windows\Quarantine
B. Windows\System32\Drivers\CrowdStrike\Quarantine
C. Windows\System32\
D. Windows\temp\Drivers\CrowdStrike\Quarantine
In the "Full Detection Details", which view will provide an exportable text listing of events like DNS requests, Registry Operations, and Network Operations?
A. The data is unable to be exported
B. View as Process Tree
C. View as Process Timeline
D. View as Process Activity
When you configure and apply an IOA exclusion, what impact does it have on the host and what you see in the console?
A. The process specified is not sent to the Falcon Sandbox for analysis
B. The associated detection will be suppressed and the associated process would have been allowed to run
C. The sensor will stop sending events from the process specified in the regex pattern
D. The associated IOA will still generate a detection but the associated process would have been allowed to run
Which of the following tactic and technique combinations is sourced from MITRE ATT&CK information?
A. Falcon Intel via Intelligence Indicator - Domain
B. Machine Learning via Cloud-Based ML
C. Malware via PUP
D. Credential Access via OS Credential Dumping
What happens when you open the full detection details?
A. The process explorer opens and the detection is removed from the console
B. The process explorer opens and you're able to view the processes and process relationships
C. The process explorer opens and the detection copies to the clipboard
D. The process explorer opens and the Event Search query is run for the detection