CrowdStrike Certified Falcon Responder Questions and Answers
When navigating the ' Custom IOA ' creation wizard, a user must select a rule type. Which of the following is NOT a valid IOA rule type available for selection?
The Falcon console is divided into several modules. Timelines (Host and Process) are technically a part of which Falcon page?
What does the Full Detection Details option provide?
During the triage of a detection involving a newly created persistent task, which specific indicator is most important for a responder to identify the actual intent of the service?
To maintain a logical flow during an incident post-mortem, CrowdStrike recommends describing adversary activity using a specific three-part sentence structure. Which combination best completes this sentence: " The adversary was trying to [1], by [2] , using [3] " ?
What action is needed to ensure Falcon does not block or generate a detection for a process by using the file hash?
When an organization needs to detect a specific behavior that is unique to their environment, they can create a Custom IOA. Which of the following is NOT required when configuring a custom IOA from scratch?
Executive dashboards provide a high-level view of security. Which of the following CANNOT be seen from the Executive Summary Dashboard?
Which specific event type in the Falcon telemetry is associated with the creation of a new ' TargetProcessId_decimal ' ?
Which statement is TRUE regarding the " Bulk Domains " search?
An executive asks for a definition of ' CrowdScore ' . Which of the following sentences best describes what CrowdScore is?
While the host timeline is comprehensive, some data is not included in that specific view. Which of the following CANNOT be seen directly from the host timeline?
You receive an email from a third-party vendor that one of their services is compromised,thevendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?
When a responder is looking at the ' Full Detection Details ' page, they can toggle between several views. Which of the following is NOT a layout option available for viewing these details?
What are Event Actions?
CrowdStrike supports various deployment types. What is a ' POD sensor ' ?
Responders often use Process Explorer to visualize process behavior. Which of the following is NOT a valid way to pivot to a Process Explorer view?
What types of events are returned by a Process Timeline?
What is an advantage of using a Process Timeline?
When viewing the summary list on the ' Endpoint Detections ' page, an analyst sees a column for the timestamp. What does the timestamp in this specific summary view represent?
Which of the following sentences best describes the technical visibility provided by the ' Host Timeline ' view?
When managing files within the ' Quarantined Files ' dashboard, which of the following is NOT a valid action available to the responder?
If a local administrator needs to inspect the quarantine directory directly on a machine, where are quarantine files located on a Windows Endpoint?
While examining the ' Process Details ' sidebar of a detection, a responder sees the following icons: " 25 Network Operations " and " 277 Disk Operations " . What does this contextual data represent?
How long are quarantined files stored in the CrowdStrike Cloud?
CrowdStrike provides ' Overwatch Best Practices ' for triaging alerts. According to these guidelines, what is the next step a responder should take immediately after the ' Understand the detection ' step?
Responders must understand the limitations and capabilities of custom rules. Which of the following statements about custom IOAs is FALSE?
What information is contained within a Process Timeline?
In the Falcon console, detections can be automated or manual. Which of the following options represents a manual detection?
To understand how a threat moved on a system, a responder must know the role of common processes. Which of the following statements best describes the standard functionality of explorer.exe?
A responder is explaining the quarantine process to a system administrator. What happens technically when a file is quarantined by the Falcon sensor?
What do IOA exclusions help you achieve?
To track the relationship between a parent and its child, Falcon uses specific ID fields. What raw data is used as the ' ParentProcessId_decimal ' when a process spawns a child process?
After pivoting to an event search from a detection, you locate the ProcessRollup2 event. Which two field values are you required to obtain to perform a Process Timeline search so you can determine what the process was doing?
When a responder chooses to ' Release ' a file from quarantine because it was determined to be a false positive, what type of allowlist is automatically created in the background?
By default, when a file is quarantined by the Falcon sensor to prevent execution, how many days does that file remain on the host ' s local disk?
When examining raw event data, what is the purpose of the field called ParentProcessld_decimal?
When an analyst downloads a quarantined file from the Falcon UI for offline analysis, what is the specific file format and the required password for extraction?
Where can you find hosts that are in Reduced Functionality Mode?
A responder needs to view a high-level overview of the environment ' s security posture. Where can they find the ' Activity Dashboard ' ?
When navigating the main ' Detections ' page, several filters are available in the dropdown menu. Which of the following is NOT a filter available in this menu?
The Activity Dashboard is a core feature for security teams. What is the primary purpose of this dashboard?
In the Falcon Overwatch Best Practice workflow, at what specific point is a responder encouraged to utilize OSINT (Open Source Intelligence) searches?
What happens when you open the full detection details?
Which Executive Summary dashboard item indicates sensors running with unsupported versions?
CrowdScore is a metric used to identify the severity of an ongoing incident. What percentage of increase in a CrowdScore is considered a strong indication of a coordinated attack?
The ' Detection Resolutions ' dashboard helps track team performance. Which of the following CANNOT be seen from this dashboard?
Which of the following sentences best describes the primary objective of ' Real-time Analysis ' within the Falcon platform?
The Falcon sensor can automatically upload quarantined files to the CrowdStrike Cloud for further analysis. What is the maximum size allowed for a quarantined file to be uploaded?
While most searches are accessible from a detection, some require a manual jump. Which search is not available as a direct pivot from a detection?
The MITRE-Based Falcon Detections Framework is a core component of the Falcon UI. What is the primary operational advantage provided by this framework to a Tier 1 responder?
The Bulk Domain Search tool contains Domain information along with which of the following?
When looking at the details of a detection, there are two fields called Global Prevalence and Local Prevalence. Which answer best defines Local Prevalence?
You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the following?
What is the difference between a Host Search and a Host Timeline?
When an analyst is trying to pinpoint the exact moment an endpoint came online after being shut down for the weekend, which timeline view is the best to use?
In the context of raw event searching, the term ' ProcessRollup2 ' refers to a value within which field?
While reviewing the ' Detection Method ' field for a high-severity alert, a responder sees the label ' Post-Exploit ' . This terminology is used by CrowdStrike to identify a specific:
What must be true about a custom script before it can be executed from within a Fusion SOAR Workflow?