Question 1

What action is used when you want to save a prevention hash for later use?

Options :

A : Always Block

B : Never Block

C : Always Allow

D : No Action

Answer: A

Question 2

You are reviewing the raw data in an event search from a detection tree. You find a FileOpenInfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?

Options :

A : ParentProcessId_decimal and aid

B : ResponsibleProcessId_decimal and aid

C : ContextProcessId_decimal and aid

D : TargetProcessId_decimal and aid

Answer: B

Question 3

From a detection, what is the fastest way to see children and sibling process information?

Options :

A : Select the Event Search option. Then from the Event Actions, select Show Associated Event Data (From TargetProcessId_decimal)

B : Select Full Detection Details from the detection

C : Right-click the process and select "Follow Process Chain"

D : Select the Process Timeline feature, enter the AID, Target Process ID, and Parent Process ID

Answer: C

Question 4

You notice that taskeng.exe is one of the processes involved in a detection. What activity should you investigate next?

Options :

A : User logons after the detection

B : Executions of schtasks.exe after the detection

C : Scheduled tasks registered prior to the detection

D : Pivot to a Hash search for taskeng.exe

Answer: C

Question 5

Where can you find hosts that are in Reduced Functionality Mode?

Options :

A : Event Search

B : Executive Summary dashboard

C : Host Search

D : Installation Tokens

Answer: C

Free CCFR-201b Mock Exam – Practice Online Confidently

Buying Options: