
CrowdStrike CCFH-202 CrowdStrike Certified Falcon Hunter Exam Practice Test

Page: 1 / 6
Total 60 questions

CrowdStrike Certified Falcon Hunter Questions and Answers

Question 1

The help desk is reporting an increase in calls related to user accounts being locked out over the last few days. You suspect that this could be an attack by an adversary against your organization. Select the best hunting hypothesis from the following:

Options:

A. A zero-day vulnerability is being exploited on a Microsoft Exchange server

B. A publicly available web application has been hacked and is causing the lockouts

C. Users are locking their accounts out because they recently changed their passwords

D. A password guessing attack is being executed against remote access mechanisms such as VPN

Question 2

Which field should you reference in order to find the system time of a *FileWritten event?

Options:

A. ContextTimeStamp_decimal

B. FileTimeStamp_decimal

C. ProcessStartTime_decimal

D. timestamp

Question 3

You are reviewing a list of domains recently banned by your organization's acceptable use policy. In particular, you are looking for the number of hosts that have visited each domain. Which tool should you use in Falcon?

Options:

A. Create a custom alert for each domain

B. Allowed Domain Summary Report

C. Bulk Domain Search

D. IP Addresses Search

Question 4

What do you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search?

Options:

A. PID

B. Process ID or Parent Process ID

C. CID

D. Process Timeline Link

Question 5

You need details about key data fields and sensor events which you may expect to find from hosts running the Falcon sensor. Which documentation should you access?

Options:

A. Events Data Dictionary

B. Streaming API Event Dictionary

C. Hunting and Investigation

D. Event stream APIs

Question 6

What information is provided from the MITRE ATT&CK framework in a detection's Execution Details?

Options:

A. Grouping Tag

B. Command Line

C. Technique ID

D. Triggering Indicator

Question 7

The Process Timeline Events Details table will populate the Parent Process ID and the Parent File columns when the cloudable Event data contains which event field?

Options:

A. ContextProcessId_decimal

B. RawProcessId_decimal

C. ParentProcessId_decimal

D. RpcProcessId_decimal

Question 8

Which of the following does the Hunting and Investigation Guide contain?

Options:

A. A list of all event types and their syntax

B. A list of all event types specifically used for hunting and their syntax

C. Example Event Search queries useful for threat hunting

D. Example Event Search queries useful for Falcon platform configuration

Question 9

How do you rename fields while using transforming commands such as table, chart, and stats?

Options:

A. By renaming the fields with the "rename" command after the transforming command, e.g. "stats count by ComputerName | rename count AS total_count"

B. You cannot rename fields as it would affect sub-queries and statistical analysis

C. By using the "renamed" keyword after the field name, e.g. "stats count renamed totalcount by ComputerName"

D. By specifying the desired name after the field name, e.g. "stats count totalcount by ComputerName"
