While investigating a detection, you pivot to the Advanced Event Search.
Which field would you filter by to return events executing from a specific directory on the host?
CrowdStrike implements a specific framework within the Falcon console to help responders categorize detections based on the adversary’s ultimate goals and the technical means used to achieve them. This classification system, which maps activity to known industry standards, is known as the:
Sensor Visibility Exclusion patterns are written in which syntax?
Administrators can define their own criteria for alerts. Which of the following is an example of a custom detection within the Falcon platform?
The Activity Dashboard is a core feature for security teams. What is the primary purpose of this dashboard?
When a responder chooses to ' Release ' a file from quarantine because it was determined to be a false positive, what type of allowlist is automatically created in the background?
When investigating system-level persistence, it is critical to know what the services.exe process is responsible for. What is its primary function?
You are pre-staging a Custom IOC for later use and want to save a file hash for later use after approval.
Which action should you use?
What information is contained within a Process Timeline?
An analyst notices a detection that has been automatically flagged with the ' New Activity ' status. Which of the following statements best describes what this status indicates?
In the full detection tree view, icons provide visual cues about the telemetry. What does the specific icon representing a ' Falcon ' (blue bird) indicate to the responder?
If the Falcon sensor identifies suspicious behavioral patterns—such as a process attempting to dump memory from lsass.exe—what specific type of detection will be generated?
The Falcon sensor can automatically upload quarantined files to the CrowdStrike Cloud for further analysis. What is the maximum size allowed for a quarantined file to be uploaded?
To manage the lifecycle of security incidents and review new alerts, a responder must navigate through the Falcon sidebar to which specific location?
A responder is using ' Host Search ' to gather baseline data on a machine. Which of the following pieces of information is NOT provided by the Host Search results?
The Falcon platform will show a maximum of how many detections per day for a single Agent Identifier (AID)?
An analyst is triaging a detection that has been categorized under the ‘Follow Through’ Objective Layer. Based on the Falcon technical documentation, which of the following adversary tactics is most likely to be observed within this specific layer?
In the ' Graph View ' of a detection, processes are connected by arrows. Which of the following does a yellow arrow connecting two processes indicate?
The primary purpose for running a Hash Search is to:
To speed up investigations, Falcon uses ' event workflows ' . Which of the following sentences best describes what event workflows are?
When reviewing a Host Timeline, which of the following filters is available?
How are processes on the same plane ordered (bottom ' VMTOOLSD.EXE ' to top CMD.EXE ' )?


To maintain a logical flow during an incident post-mortem, CrowdStrike recommends describing adversary activity using a specific three-part sentence structure. Which combination best completes this sentence: " The adversary was trying to [1], by [2] , using [3] " ?
Which of the following subtitles/sub-views cannot be seen in the results of a ' Hash Search ' ?
The function of Machine Learning Exclusions is to___________.
What actions are available for domain name-based Indicators of Compromise (IOCs) in Falcon?
A responder wants to verify why a certain quarantined file was not uploaded to the cloud. Which specific policy dictates whether quarantined files are permitted to be uploaded?
An administrator needs to download a file for analysis that was blocked by the sensor. Where are quarantine files located within the Falcon UI?
During the triage of a detection involving a newly created persistent task, which specific indicator is most important for a responder to identify the actual intent of the service?
Which of the following sentences best describes the primary objective of ' Real-time Analysis ' within the Falcon platform?
When performing a ' Hash Search ' , which of the following is NOT a filter available for use?
When examining a detection process tree, several fields are provided to give context. Which of the following is NOT included in the standard fields of a detection process tree?
Filtering is essential for managing a high volume of alerts. Which of the following filters is available by default within the ' Endpoint Detections ' dashboard to help narrow down specific threats?
From a detection, what is the fastest way to see children and sibling process information?
You are tasked with remediating adware for a host using a custom script via Real Time Response (RTR). When running the script, you get an error that the script is timing out.
How can you resolve this issue?
While quarantined files stay on the local host for 30 days by default, how many days does a quarantined file remain stored in the CrowdStrike Cloud?
In the ' User Search - File Written ' section, a responder can see various files dropped by a user. Which of the following file types CANNOT be seen from this view?
When examining a raw DNS request event, you see a field called ContextProcessld_decimal. What is the purpose of that field?
You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?
Depending on the subscription level, " Cloudable Events " (standard telemetry) have a specific retention period. What is the minimum period of time that these events are retained?
CrowdStrike provides ' Overwatch Best Practices ' for triaging alerts. According to these guidelines, what is the next step a responder should take immediately after the ' Understand the detection ' step?
What happens when a hash is allowlisted?
Within the MITRE-Based Falcon Detections Framework, what is the correct way to interpret Keep Access > Persistence > Create Account?
What does the Full Detection Details option provide?
Which specific event type in the Falcon telemetry is associated with the creation of a new ' TargetProcessId_decimal ' ?
A responder is focused on a specific malicious script and wants to see everything that the script ' s process did. Which timeline is the best tool for this task?
What happens when a hash is set to Always Block through IOC Management?
You can jump to a Process Timeline from many views, like a Hash Search, by clicking which of the following?
The ' Detection Resolutions ' dashboard helps track team performance. Which of the following CANNOT be seen from this dashboard?
A responder needs to find a specific sequence of network connections that did not trigger a detection. Which search tool allows them to search for anything within the raw telemetry?
Evaluate the following process tree observed in a detection:
root > smss.exe > winlogon.exe > userinit.exe > explorer.exe > windows_media_player_y35s21-4ak.exe
Based on the parent-child relationships, which entry source is most likely?
You receive an email from a third-party vendor that one of their services is compromised,thevendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?
Which of the following sentences best describes the primary use of ' Retrospective Analysis ' ?
Which of the following is returned from the IP Search tool?
The MITRE-Based Falcon Detections Framework is a core component of the Falcon UI. What is the primary operational advantage provided by this framework to a Tier 1 responder?
A responder is looking at event telemetry and sees an event named ' ProcessRollup2 ' . Which sentence best describes what this event type represents?
The Falcon sensor can take several automated actions to protect an endpoint. Which of the following is NOT an action that Falcon takes upon detection?
If an organization is experiencing several false positives from a specific Machine Learning (ML) detection group and wants to create a tightly-scoped allowlist, which grouping should they use first?
How does a DNSRequest event link to its responsible process?