Question 1

After pivoting to an event search from a detection, you locate the ProcessRollup2 event. Which two field values are you required to obtain to perform a Process
Timeline search so you can determine what the process was doing?

Accepted Answer

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline search requires two
parameters: aid (agent ID) and TargetProcessId_decimal (the decimal value of the process ID). These fields can be obtained from the ProcessRollup2 event,
which contains information about processes that have executed on a host1.

Question 2

You are notified by a third-party that a program may have redirected traffic to a malicious domain. Which Falcon page will assist you in searching for any domain
request information related to this notice?

Accepted Answer

According to the [CrowdStrike website], the Investigate page is where you can search for and analyze various types of data collected by the Falcon platform, such
as events, hosts, processes, hashes, domains, IPs, etc1. You can use various tools, such as Event Search, Host Search, Process Timeline, Hash Search, Bulk
Domain Search, etc., to perform different types of searches and view the results in different ways1. If you want to search for any domain request information
related to a notice from a third-party, you can use the Investigate page to do so1. For example, you can use the Bulk Domain Search tool to search for the
malicious domain and see which hosts and processes communicated with it1. You can also use the Event Search tool to search for DNSRequest events that
contain the malicious domain and see more details about the query and response1.

Question 3

How does a DNSRequest event link to its responsible process?

Accepted Answer

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, a DNSRequest event contains information about a
DNS query made by a process2. The event has several fields, such as DomainName, QueryType, QueryResponseCode, etc2. The field that links a DNSRequest
event to its responsible process is ContextProcessId_decimal, which contains the decimal value of the process ID of the process that generated the event2. You
can use this field to trace the process lineage and identify malicious or suspicious activities2.

Question 4

The function of Machine Learning Exclusions is to .

Accepted Answer

According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, Machine Learning Exclusions allow you to exclude files or directories from
being scanned by CrowdStrike??s machine learning engine, which can reduce false positives and improveperformance2. You can also choose whether to upload
the excluded files to the CrowdStrike Cloud or not2.

Question 5

What types of events are returned by a Process Timeline?

Accepted Answer

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline search returns all cloudable
events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc1. This allows you to see a
comprehensive view of what a process was doing on a host1.

Question 6

What is an advantage of using the IP Search tool?

Accepted Answer

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the IP Search tool allows you to search for an IP
address and view a summary of information from Falcon events that contain that IP address1. The summary includes the hostname, sensor ID, OS, country, city,
ISP, ASN, geolocation, process name, command line, and organizational unit of the host that communicated with that IP address1. This is an advantage of using
the IP Search tool because it provides host, process, and organizational unit data without the need to write a query1.

Question 7

What does pivoting to an Event Search from a detection do?

Accepted Answer

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, pivoting to an Event Search from a detection takes
you to the raw Insight event data and provides you with a number of Event Actions1. Insight events are low-level events that are generated by the sensor for
various activities, such as process executions, file writes, registry modifications, network connections, etc1. You can view these events in a table format and use
various filters and fields to narrow down the results1. You can also select one or more events and perform various actions, such as show a process timeline, show
a host timeline, show associated event data, show a +/- 10- minute window of events, etc1. These actions can help you investigate and analyze events more
efficiently and effectively1.

Question 8

Which statement is TRUE regarding the "Bulk Domains" search?

Accepted Answer

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Bulk Domain Search tool allows you to search
for one or more domains and view a summary of information from Falcon events that contain those domains2. The summary includes the hostname, sensor ID,
OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that performed a lookup of any of the domains in your
search2. This can help you identify potential threats or vulnerabilities in your network2.

Question 9

A list of managed and unmanaged neighbors for an endpoint can be found:

Accepted Answer

According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, you can use the Hosts page in the Investigate tool to view information
about your endpoints, such as hostname, IP address, OS, sensor version, etc2. You can also see a list of managed and unmanaged neighbors for each endpoint,
which are other devices that have communicated with that endpoint over the network2. This can help you identify potential threats or vulnerabilities in your
network2.

Question 10

From a detection, what is the fastest way to see children and sibling process information?

Accepted Answer

According to the CrowdStrike Falcon® Data Replicator (FDR) Add-on for Splunk Guide, the Full Detection Details tool allows you to view detailed information
about a detection, such as detection ID, severity, tactic, technique, description, etc1. You can also view the events generated by the processes involved in the
detection in different ways, such as process tree, process timeline, or process activity1. The process tree view provides a graphical representation of the process
hierarchy and activity1. You can see children and sibling processes information by expanding or collapsing nodes in the tree1.