When a responder needs to take data out of the Falcon console for external analysis, which of the following is NOT an option when exporting searches?
You notice that taskeng.exe is one of the processes involved in a detection. What activity should you investigate next?
An adversary is attempting to disable security features by modifying the system registry. Which of the following native Windows processes is specifically designed to create, modify, and delete Registry keys via the command line?
From a detection, what is the fastest way to see children and sibling process information?
Multiple detections with the process schtasks.exe begin to alert in the UI. The process executes the following command line on several unique hosts:
schtasks.exe /Query /TN " Qljsscdqr "
What is the most efficient way to identify which hosts are executing this scheduled task?
To perform a deep-dive investigation into a specific detection, a responder needs to pivot to a process timeline. What is the minimum information required to be gathered from the detection before making this pivot?
What must be true about a custom script before it can be executed from within a Fusion SOAR Workflow?
You are notified by a third-party that a program may have redirected traffic to a malicious domain. Which Falcon page will assist you in searching for any domain request information related to this notice?
A responder is analyzing a process tree where a suspicious executable is listed as a direct child of services.exe. In this scenario, which source is most likely responsible for the execution?
The Falcon sensor is designed to provide deep visibility into endpoint activity, yet it is not omniscient. According to the Cyber Kill Chain model, which of the following stages does the Falcon sensor typically NOT have visibility over?
A responder releases a file from quarantine on a specific workstation. What is the default scope of the allowlist that is created during this process?
Refer to the image.

Within a Host Search, you have filtered for cmd.exe in the Process executions table and now need to pivot to a process timeline.
Which item in the table do you select to pivot to the Process Timeline?
Aside from a Process Timeline or Event Search, how do you export process event data from a detection in .CSV format?
You are writing a script that your colleagues could run on any Windows machine using Real Time Response (RTR). The script you have written is over the 40-KB limit.
How should you run the script to avoid technical issues?
During the configuration of a new IOA rule, the administrator must decide what action the sensor should take. Which of the following is NOT a valid IOA rule action?
You receive an email from a third-party vendor that one of their services is compromised,thevendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?
A responder is looking at event telemetry and sees an event named ' ProcessRollup2 ' . Which sentence best describes what this event type represents?
When a responder is looking at the ' Full Detection Details ' page, they can toggle between several views. Which of the following is NOT a layout option available for viewing these details?
In the ' Investigate > Hunt > Linux Sensors ' dashboard, responders can view various Linux-specific activities. Which of the following sub-titling is NOT displayed in this dashboard?
You are reviewing the raw data in an event search from a detection tree. You find a FileOpenlnfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?
Which of the following sentences best describes the primary objective of ' Real-time Analysis ' within the Falcon platform?
The Falcon console is divided into several modules. Timelines (Host and Process) are technically a part of which Falcon page?
What happens when you create a Sensor Visibility Exclusion for a trusted file path?
While reviewing the high-level organizational structure of a complex detection in the Falcon console, a responder identifies several layers of activity. Which of the following is NOT officially recognized as an Objective Layer within the CrowdStrike detection hierarchy?
When training a new team member on how to interpret Falcon telemetry, a senior responder explains the definition of a ' Tactic ' . Which of the following sentences best captures the technical definition of a Tactic in this context?
When using ' User Search ' to investigate a potentially compromised account, which of the following is NOT a filter available in the User Search?
Responders often need to organize detections to identify trends across the environment. Which of the following is NOT a grouping option currently available on the ' Endpoint Detections ' page?
Which of the following sentences best describes the technical visibility provided by the ' Host Timeline ' view?
The Falcon sensor can take several automated actions to protect an endpoint. Which of the following is NOT an action that Falcon takes upon detection?
Falcon uses specific identifiers to track processes across the environment. Which of the following sentences best describes what the ' TargetProcessId_decimal ' raw data represents?
When reviewing the data within a process timeline, what specific type of information is being displayed to the responder?
A responder is unsure about the difference between ' Detection ' and ' Prevention ' settings. Where can they find information about Detection and Prevention Policies?
Host Search is a powerful investigation tool. From which of the following sources is a responder most likely to pivot directly to a Host Search?
You are tasked with remediating adware for a host using a custom script via Real Time Response (RTR). When running the script, you get an error that the script is timing out.
How can you resolve this issue?
Responders often use Process Explorer to visualize process behavior. Which of the following is NOT a valid way to pivot to a Process Explorer view?
An analyst notices a detection that has been automatically flagged with the ' New Activity ' status. Which of the following statements best describes what this status indicates?
An analyst wants to see the raw events behind a specific detection. Which icon in the UI allows them to pivot directly to an event search?
You are responding to a cybersecurity incident and observe several outbound network connections from host Bob-Desktop. Upon review, you determine this to be a result of a Threat Actor ' s attempt to exfiltrate data.
What action should you take to stop the exfiltration using the Falcon Platform?
You are pre-staging a Custom IOC for later use and want to save a file hash for later use after approval.
Which action should you use?
Following a detection involving a suspected ransomware binary, the Falcon sensor automatically takes a prevention action to prevent the file from executing. An analyst needs to retrieve this file for local sandbox analysis. Considering the default configuration, for how many days will this file remain stored in the encrypted quarantine folder on the local endpoint?
A security responder is investigating a detection where a low-privileged process attempted to manipulate a system token to gain administrative rights. Within the specific terminology used by the Falcon console, ' Privilege Escalation ' is classified as a:
CrowdStrike provides ' Overwatch Best Practices ' for triaging alerts. According to these guidelines, what is the next step a responder should take immediately after the ' Understand the detection ' step?
A responder has identified a suspicious PowerShell script executing on a domain controller. To perform a deep-dive forensic analysis of every action taken by that specific process—including network connections and file modifications—the analyst needs to pivot to a Process Timeline. What is the absolute minimum telemetry data required to generate this auto-filled view?
Refer to Image:

You are investigating a network connection in event search.
Which option next to the raw event data should you select to pivot to a graphical representation for all the processes related to the network connection event?
While the host timeline is comprehensive, some data is not included in that specific view. Which of the following CANNOT be seen directly from the host timeline?
When an analyst downloads a quarantined file from the Falcon UI for offline analysis, what is the specific file format and the required password for extraction?