CrowdStrike CCFR CCFR-201b Exam Guide: Preparing from Zero to Passing
The CrowdStrike Certified Falcon Responder (CCFR) certification exam is designed to assess a candidate's knowledge, skills and ability to respond to detection events in the CrowdStrike Falcon console. The latest version of the CCFR-201b exam was released on June 3, 2024, and the older version will be retired on July 31, 2024.
Exam overview:
Exam code: CCFR-201b
Exam duration: 90 minutes
Number of questions: 60
Exam language: English
Exam format: available online or at a test center through Pearson VUE
The exam covers the following content:
- Initial triage and prioritization of events in the Falcon console
- Managing detection events: filtering, grouping, assignment, annotation and status changes
- Performing basic investigation tasks such as host search, host timeline, process timeline and user search
- Basic active threat hunting on domain names, IP addresses, hash values and other indicators
Suggestions for exam preparation:
Training courses: To gain a deep understanding of the Falcon platform's features and operation, attending the relevant training courses offered by CrowdStrike University is strongly recommended.
Hands-on experience: At least six months of practical experience with the Falcon platform, so that you can understand and apply what you have learned more deeply.
Exam guide: When preparing, always consult the latest CCFR exam guide so that you cover every exam topic comprehensively.
Registration process:
- Create an account on the official Pearson VUE website and schedule the exam.
- The exam fee can be paid by credit card or with an exam voucher.
Earning the CrowdStrike CCFR certification demonstrates that you can effectively respond to and manage security incidents within the Falcon console, and adds an important credential to your career.
CrowdStrike CCFR-201b Practice Test
Below are the latest practice exam questions, based on the syllabus and common test points of the CrowdStrike Certified Falcon Responder (CCFR-201b) certification exam; they include multiple-choice questions, scenario questions and operational questions.
---
Section 1: Multiple Choice Questions
1. In the CrowdStrike Falcon console, "Detections" are primarily used to:
A) Record the health status of Falcon agent endpoints
B) Analyze known vulnerabilities and patch status
C) Monitor potential threats detected by Falcon sensors
D) Manage user access and permission settings
Correct Answer: C
---
2. In CrowdStrike Falcon, how do you confirm whether a detection event is a false positive? (Choose two)
A) Check the detection's MITRE ATT&CK mapping for correlation with known malicious activity
B) Observe process tree and behavioral analysis to determine if it matches the behavior of legitimate applications
C) Ignore the detection as Falcon automatically handles false positives
D) Delete all similar detections in the Falcon console to prevent duplicate alerts
Correct Answer: A, B
---
3. In the `Process Timeline` view of the Falcon console, what is the best way to investigate malicious processes?
A) Rely only on the event scores provided by Falcon
B) Find all processes related to `cmd.exe` to determine their source
C) Focus on anomalous process execution paths, command line arguments, and parent process relationships
D) Terminate all running `.exe` processes to avoid further infection
Correct Answer: C
---
4. In the Falcon Insight Endpoint Detection and Response (EDR) system, which of the following methods is best for active threat hunting?
A) Filter "Critical" level detections in the `Detections` view
B) View events only in the past 24 hours
C) Use `IOC Search` to query suspicious domains, IPs, and file hashes
D) Delete all infected hosts in the `Host Management` tab
Correct Answer: C
---
5. In the `Host Search` option of the Falcon console, which action can help analyze potential threats?
A) Search detection records for a specific endpoint using `hostname`
B) Check only the `CPU Usage` metric to determine if there are malicious processes
C) Disable Falcon sensors to reduce false positives
D) Simply disconnect all connections to the Falcon server
Correct Answer: A
---
Section 2: Scenario Questions
6. Scenario:
Your company's SOC team found that an end-user device generated multiple "Suspicious Process Execution" alerts in the Falcon console `Detections` view. The security analyst needs to take the following actions to investigate.
Question: Arrange the following investigation steps in the correct order:
1) Check the `Process Timeline` view to analyze the parent-child relationship of the process
2) Query the `Host Timeline` of the device to confirm whether there is any abnormal activity
3) Use `IOC Search` to query the detection log and match known threat indicators (such as malicious IP)
4) Perform the `Contain` operation to block external network access to the host
5) Submit suspicious files to `Falcon Sandbox` for behavioral analysis
Correct order: 2 → 1 → 3 → 5 → 4
---
Section 3: Operational Questions
7. Falcon endpoint detection analysis
Your company's Falcon console shows the following detection for one endpoint:
```
Event Type: Suspicious Command Execution
Command Line: powershell -nop -w hidden -exec bypass -enc JABXAG...
Parent Process: explorer.exe
MITRE ATT&CK Mapping: T1086 (PowerShell Execution)
```
Question: Which of the following are the best incident response steps? (Choose three)
A) Use the `Contain` feature of the Falcon console to isolate the infected host
B) Run the `Falcon Real-Time Response (RTR)` command to check for suspicious files in the `C:\Users\Public` directory
C) Immediately deactivate the Falcon agent on all endpoints to prevent false positives from affecting normal business
D) Analyze the behavior path of the PowerShell process in the `Threat Graph` view
Correct Answer: A, B, D
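As an added example (not CrowdStrike's code and not part of the original exam material), a small Python triage helper for a record in the format shown above: it parses the `Key: Value` lines, identifies the PowerShell switches that make the command line suspicious, and decodes the `-enc` argument, which PowerShell expects as base64 of UTF-16LE text. The encoded value is a constructed benign sample; the truncated value in the question is not used.

```python
import base64

# Constructed benign sample, encoded the way PowerShell's -EncodedCommand expects (base64 of UTF-16LE)
SAMPLE_ENCODED = base64.b64encode("Write-Output 'hello'".encode("utf-16le")).decode("ascii")
SAMPLE_RECORD = f"""Event Type: Suspicious Command Execution
Command Line: powershell -nop -w hidden -exec bypass -enc {SAMPLE_ENCODED}
Parent Process: explorer.exe
MITRE ATT&CK Mapping: T1086 (PowerShell Execution)"""

# PowerShell switches (abbreviated and full forms) that detections like the one above typically surface
FLAG_NAMES = {
    "-nop": "NoProfile", "-noprofile": "NoProfile",
    "-w": "WindowStyle", "-windowstyle": "WindowStyle",
    "-exec": "ExecutionPolicy", "-executionpolicy": "ExecutionPolicy",
    "-e": "EncodedCommand", "-enc": "EncodedCommand", "-encodedcommand": "EncodedCommand",
}

def parse_record(text):
    """Turn the 'Key: Value' lines of a detection record into a dict."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return record

def decode_encoded_command(b64):
    """Recover the script text from a -EncodedCommand argument (base64 of UTF-16LE)."""
    return base64.b64decode(b64).decode("utf-16le")

def triage(text):
    """Extract the facts an analyst needs before choosing Contain / RTR / Threat Graph steps."""
    rec = parse_record(text)
    argv = rec.get("Command Line", "").split()
    flags, decoded = [], None
    for i, arg in enumerate(argv):
        name = FLAG_NAMES.get(arg.lower())
        if name is None:
            continue
        flags.append(name)
        if name == "EncodedCommand" and i + 1 < len(argv):
            decoded = decode_encoded_command(argv[i + 1])
    # An encoded script or stacked evasion switches are worth escalating; a plain command is not
    severity = "high" if decoded is not None or len(flags) >= 2 else ("medium" if flags else "low")
    return {"parent": rec.get("Parent Process"), "technique": rec.get("MITRE ATT&CK Mapping", "").split(" ")[0],
            "flags": flags, "decoded_command": decoded, "severity": severity}
```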
---
8. Endpoint Threat Hunting
Your organization's security team wants to use Falcon for active threat hunting to detect known Cobalt Strike attacks.
Question: In the Falcon console, which query is best for finding traces of Cobalt Strike attacks?
A) Find devices with CPU usage above 90% in `Host Management`
B) Query known Cobalt Strike file hashes and command line patterns in `IOC Search`
C) Filter all processes started with `cmd.exe` via `Falcon Host Search`
D) Filter events at the `Informational` level in the `Detections` view
Correct Answer: B
---
Section 4: Open Questions
9. What key features does Falcon RTR (Real-Time Response) provide to help analyze and respond to security incidents?
Sample Answer:
- Real-time remote terminal access, allowing SOC analysts to connect directly to infected hosts
- Execute PowerShell or CMD commands to investigate potentially malicious processes
- Retrieve system files or memory dumps for further forensic analysis
- Terminate malicious processes and isolate hosts to prevent the spread of threats