Mar-2024 Pass Your CCFH-202 Exam at the First Try with 100% Real Exam
NEW QUESTION # 30
Which of the following is TRUE about a Hash Search?
- A. Wildcard searches are not permitted with the Hash Search
- B. The Hash Search provides Process Execution History
- C. Module Load History is not presented in a Hash Search
- D. The Hash Search is available on Linux
Answer: B
Explanation:
The Hash Search is an Investigate tool that lets you search for a file hash and view its process execution history across every host in your environment: process name, command line, parent process name, parent command line, and so on for each execution of that hash. Wildcard searches are permitted in the Hash Search as long as the term is at least four characters long. The Hash Search is available for Linux hosts as well as Windows and macOS. Module Load History is presented in a Hash Search, alongside File Write History and Detection History.
NEW QUESTION # 31
You need details about key data fields and sensor events which you may expect to find from Hosts running the Falcon sensor. Which documentation should you access?
- A. Event stream APIs
- B. Events Data Dictionary
- C. Streaming API Event Dictionary
- D. Hunting and Investigation
Answer: B
Explanation:
The Events Data Dictionary in the Falcon documentation is the reference for the events found on the Investigate > Event Search page of the Falcon console. For each event type it lists the field names, data types, descriptions and example values, which is exactly what you need when writing hunting queries. The Streaming API Event Dictionary and the Event stream APIs document the event stream delivered over the Streaming API rather than the sensor event fields you query in Event Search, and the Hunting and Investigation guide contains sample queries rather than a field reference.
NEW QUESTION # 32
Which of the following would be the correct field name to find the name of an event?
- A. event_simpleName
- B. Event_SimpleName
- C. Event_Simple_Name
- D. EVENT_SIMPLE_NAME
Answer: A
Explanation:
event_simpleName is the field that holds the simplified name of each event type in Falcon Event Search, such as ProcessRollup2, DnsRequest, or FileDelete. Splunk field names are case-sensitive, so the exact spelling matters; the working queries elsewhere in this set (for example event_simpleName=ProcessRollup2) use this form. Event_SimpleName, Event_Simple_Name, and EVENT_SIMPLE_NAME are not valid field names and a search on them returns no results.
NEW QUESTION # 33
SPL (Splunk) eval statements can be used to convert Unix times (Epoch) into UTC readable time. Which eval function is correct?
- A. now
- B. typeof
- C. relative_time
- D. strftime
Answer: D
Explanation:
The strftime eval function is used to convert Unix times (Epoch) into UTC readable time. It takes two arguments: a Unix time field and a format string that specifies how to display the time. The now, typeof, and relative_time eval functions are not used to convert Unix times into UTC readable time.
NEW QUESTION # 34
To find events that are outliers inside a network,___________is the best hunting method to use.
- A. stacking
- B. searching
- C. machine learning
- D. time-based
Answer: A
Explanation:
Stacking (Frequency Analysis) is the best hunting method to use to find events that are outliers inside a network. Stacking involves grouping events by a common attribute and counting their frequency, then sorting them by ascending or descending order to identify rare or common events. This can help find anomalies or deviations from normal behavior that could indicate malicious activity. Time-based searching, machine learning, and searching are not specific hunting methods to find outliers.
NEW QUESTION # 35
Which of the following is an example of actor actions during the RECONNAISSANCE phase of the Cyber Kill Chain?
- A. Discovering internet-facing servers
- B. Installing a backdoor on the victim endpoint
- C. Emailing the intended victim with a malware attachment
- D. Loading a malicious payload into a common DLL
Answer: A
Explanation:
Discovering internet-facing servers is an example of actor actions during the RECONNAISSANCE phase of the Cyber Kill Chain. The RECONNAISSANCE phase is where the adversary researches and identifies targets, vulnerabilities, and attack vectors. Discovering internet-facing servers is a way for the adversary to find potential entry points or weaknesses in the target network.
NEW QUESTION # 36
Adversaries commonly execute discovery commands such as net.exe, ipconfig.exe, and whoami.exe. Rather than query for each of these commands individually, you would like to use a single query with all of them. What Splunk operator is needed to complete the following query?
- A. IN
- B. NOT
- C. OR
- D. AND
Answer: C
Explanation:
The OR operator is needed to complete the query, because it returns events that match any one of the listed values. The completed query looks like this:
event_simpleName=ProcessRollup2 FileName=net.exe OR FileName=ipconfig.exe OR FileName=whoami.exe
In Splunk search syntax OR is evaluated before the implicit AND between terms, so event_simpleName=ProcessRollup2 applies to all three FileName alternatives. AND would require every FileName value to match in the same event, which is impossible, and NOT would exclude them. SPL does have an IN operator, but it takes the form FileName IN (net.exe, ipconfig.exe, whoami.exe) rather than the per-term pattern used in this query, so it does not fill the blank as written.
NEW QUESTION # 37
Which of the following does the Hunting and Investigation Guide contain?
- A. A list of all event types and their syntax
- B. A list of all event types specifically used for hunting and their syntax
- C. Example Event Search queries useful for threat hunting
- D. Example Event Search queries useful for Falcon platform configuration
Answer: C
Explanation:
The Hunting and Investigation guide contains example Event Search queries useful for threat hunting. These queries are based on common threat hunting use cases and scenarios, such as finding suspicious processes, network connections, registry activity, etc. The guide also explains how to customize and modify the queries to suit different needs and environments. The guide does not contain a list of all event types and their syntax, as that information is provided in the Events Data Dictionary. The guide also does not contain example Event Search queries useful for Falcon platform configuration, as that is not the focus of the guide.
NEW QUESTION # 38
What kind of activity does a User Search help you investigate?
- A. A list of DNS queries by the specified user account
- B. A history of Falcon Ul logon activity
- C. A count of failed user logon activity
- D. A list of process activity executed by the specified user account
Answer: D
Explanation:
User Search is an Investigate tool that helps you investigate a list of process activity executed by the specified user account. It shows information such as process name, command line, parent process name, parent command line, etc. for each process that was executed by the user account on any host in your environment. It does not show a history of Falcon UI logon activity, a count of failed user logon activity, or a list of DNS queries by the specified user account.
NEW QUESTION # 39
Which Falcon documentation guide should you reference to hunt for anomalies related to scheduled tasks and other Windows related artifacts?
- A. Hunting and Investigation
- B. Events Data Dictionary
- C. MITRE-Based Falcon Detections Framework
- D. Customizable Dashboards
Answer: A
Explanation:
The Hunting and Investigation guide is the Falcon documentation guide that you should reference to hunt for anomalies related to scheduled tasks and other Windows related artifacts. The Hunting and Investigation guide provides sample hunting queries, select walkthroughs, and best practices for hunting with Falcon. It covers various topics such as process execution, network connections, registry activity, scheduled tasks, and more.
NEW QUESTION # 40
The help desk is reporting an increase in calls related to user accounts being locked out over the last few days. You suspect that this could be an attack by an adversary against your organization. Select the best hunting hypothesis from the following:
- A. A password guessing attack is being executed against remote access mechanisms such as VPN
- B. A publicly available web application has been hacked and is causing the lockouts
- C. A zero-day vulnerability is being exploited on a Microsoft Exchange server
- D. Users are locking their accounts out because they recently changed their passwords
Answer: A
Explanation:
A hunting hypothesis is a statement that describes a possible malicious activity that can be tested with data and analysis. A good hunting hypothesis should be specific, testable, and relevant to the problem or goal. In this case, the best hunting hypothesis from the following is that a password guessing attack is being executed against remote access mechanisms such as VPN, as it explains the possible cause and method of the user account lockouts in a specific and testable way. A zero-day vulnerability on a Microsoft Exchange server is too vague and does not explain how it relates to the lockouts. A hacked web application is also too vague and does not specify how it causes the lockouts. Users locking their accounts out because they recently changed their passwords is not a malicious activity and does not account for the increase in calls.
NEW QUESTION # 41
Which pre-defined reports offer information surrounding activities that typically indicate suspicious activity occurring on a system?
- A. Timeline reports
- B. Sensor reports
- C. Scheduled searches
- D. Hunt reports
Answer: D
Explanation:
Hunt reports are pre-defined reports that offer information surrounding activities that typically indicate suspicious activity occurring on a system. They are based on common threat hunting use cases and queries, and they provide visualizations and summaries of the results. Hunt reports can help threat hunters quickly identify and investigate potential threats in their environment.
NEW QUESTION # 42
Which field should you reference in order to find the system time of a *FileWritten event?
- A. timestamp
- B. ContextTimeStamp_decimal
- C. ProcessStartTime_decimal
- D. FileTimeStamp_decimal
Answer: B
Explanation:
ContextTimeStamp_decimal holds the endpoint's system time for the event that caused the sensor to send data to the cloud; for a *FileWritten event that is the moment the file was written. FileTimeStamp_decimal is the file's last-modified time, which need not equal the write the sensor observed. ProcessStartTime_decimal is the start time of the process that performed the write, not the time of the write itself. timestamp is the time the event was received by the cloud, which can lag the endpoint time.
NEW QUESTION # 43
Which of the following best describes the purpose of the Mac Sensor report?
- A. The Mac Sensor report displays a listing of all Mac hosts with a Falcon sensor installed
- B. The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts, including items of interest that may be hunting or investigation leads
- C. The Mac Sensor report displays a listing of all Mac hosts without a Falcon sensor installed
- D. The Mac Sensor report provides a detection focused view of known malicious activities occurring on Mac hosts, including machine-learning and indicator-based detections
Answer: B
Explanation:
The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts, including items of interest that may serve as hunting or investigation leads. It is not an inventory of Mac hosts with or without a Falcon sensor installed, and it is not a detection-focused view of known malicious activity on Mac hosts.
NEW QUESTION # 44
You would like to search for ANY process execution that used a file stored in the Recycle Bin on a Windows host. Select the option to complete the following EAM query.
- A. ^$Recycle.Bin%^
- B. ^$Recycle Bin*
- C. *$Recycle Bin*
- D. *$Recycle Bin^
Answer: C
Explanation:
This option completes the query, with an asterisk on each side of the folder name:
event_simpleName=ProcessRollup2 FileName=*$Recycle Bin*
The asterisk (*) is the Event Search wildcard and matches any number of characters, so the term matches any value that contains the Recycle Bin folder name anywhere in it. The caret (^) and percent (%) characters used in the other options are not wildcards in Event Search. Two practical caveats: the folder on disk is actually named $Recycle.Bin, and in ProcessRollup2 events FileName carries only the executable's name while the full path is in ImageFileName, so a path-based wildcard like this one is normally applied to ImageFileName.
NEW QUESTION # 45
Which SPL (Splunk) field name can be used to automatically convert Unix times (Epoch) to UTC readable time within the Falcon Event Search?
- A. _time
- B. conv_time
- C. time
- D. utc_time
Answer: A
Explanation:
_time is the default SPL field that carries each event's timestamp, and Event Search renders it in human-readable UTC automatically, so no eval is needed to read it. utc_time, conv_time, and time are not default SPL fields.
NEW QUESTION # 46
What information is shown in Host Search?
- A. Prevention Policies
- B. Quarantined Files
- C. Processes and Services
- D. Intel Reports
Answer: C
Explanation:
Processes and Services is one of the categories shown in Host Search. Host Search is an Investigate tool that presents a host's events grouped by category, such as process executions, network connections, and file writes. The Processes and Services category lists process name, command line, parent process name, parent command line, and related details for each process execution on the host. Quarantined Files, Prevention Policies, and Intel Reports are not shown in Host Search.
NEW QUESTION # 47
Refer to Exhibit.
What type of attack would this process tree indicate?
- A. Web Application Attack
- B. Brute Forcing Attack
- C. Man-in-the-middle Attack
- D. Phishing Attack
Answer: D
Explanation:
This process tree indicates a phishing attack, as it shows a user opening an email attachment (outlook.exe) that launches a malicious macro (cmd.exe) that downloads and executes a payload (powershell.exe) that connects to a remote server (svchost.exe). A phishing attack is a type of social engineering attack that uses deceptive emails or messages to trick users into opening malicious attachments or links that can compromise their systems or credentials.
NEW QUESTION # 48
Which of the following is a recommended technique to find unique outliers among a set of data in the Falcon Event Search?
- A. Machine Learning
- B. Stacking (Frequency Analysis)
- C. Time-based Searching
- D. Hunt-and-Peck Search Methodology
Answer: B
Explanation:
Stacking (Frequency Analysis) is a recommended technique to find unique outliers among a set of data in the Falcon Event Search. As explained above, stacking involves grouping events by a common attribute and counting their frequency, then sorting them by ascending or descending order to identify rare or common events. This can help find anomalies or deviations from normal behavior that could indicate malicious activity. Hunt-and-Peck Search Methodology, Time-based Searching, and Machine Learning are not specific techniques to find unique outliers among a set of data.
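Added example, not taken from the page or from CrowdStrike: the stacking technique from Questions 34 and 48, together with the epoch-to-UTC conversion from Question 33, written in Python over constructed ProcessRollup2-style events so it runs offline. It does what `| stats count dc(ComputerName) AS hosts min(ContextTimeStamp_decimal) AS first_seen by FileName CommandLine | eval first_seen=strftime(first_seen, "%Y-%m-%dT%H:%M:%SZ") | sort count` does in Event Search. The host names, command lines and timestamps are made up; the field names are the ones Falcon uses.

```python
"""Stacking (frequency analysis) over constructed ProcessRollup2-style events.
Added example; the events below are made up, not real Falcon sensor data."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed events. ContextTimeStamp_decimal is the endpoint's system time
# in Unix epoch seconds, as in real Falcon events.
EVENTS = [
    {"ComputerName": "WS01", "FileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "ContextTimeStamp_decimal": 1709251200.0},
    {"ComputerName": "WS02", "FileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "ContextTimeStamp_decimal": 1709251260.0},
    {"ComputerName": "WS03", "FileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "ContextTimeStamp_decimal": 1709251320.0},
    {"ComputerName": "WS01", "FileName": "chrome.exe",
     "CommandLine": "chrome.exe --type=renderer", "ContextTimeStamp_decimal": 1709254800.0},
    {"ComputerName": "WS02", "FileName": "chrome.exe",
     "CommandLine": "chrome.exe --type=renderer", "ContextTimeStamp_decimal": 1709254860.0},
    {"ComputerName": "WS01", "FileName": "explorer.exe",
     "CommandLine": "explorer.exe", "ContextTimeStamp_decimal": 1709258400.0},
    {"ComputerName": "WS02", "FileName": "explorer.exe",
     "CommandLine": "explorer.exe", "ContextTimeStamp_decimal": 1709258460.0},
    {"ComputerName": "WS03", "FileName": "explorer.exe",
     "CommandLine": "explorer.exe", "ContextTimeStamp_decimal": 1709258520.0},
    # The one-off: a DLL run from a world-writable directory on a single host.
    {"ComputerName": "WS03", "FileName": "rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\x.dll,Start",
     "ContextTimeStamp_decimal": 1709262000.0},
]


def to_utc(epoch_seconds, fmt="%Y-%m-%dT%H:%M:%SZ"):
    """Python equivalent of the SPL eval strftime(ContextTimeStamp_decimal, fmt), in UTC."""
    return datetime.fromtimestamp(float(epoch_seconds), tz=timezone.utc).strftime(fmt)


def stack(events, *fields, ts_field="ContextTimeStamp_decimal"):
    """Group events by the given fields and return one row per distinct combination,
    rarest first. Mirrors:
      | stats count dc(ComputerName) AS hosts min(ts) AS first_seen max(ts) AS last_seen by <fields>
      | eval first_seen=strftime(first_seen, ...) | sort count hosts
    """
    buckets = defaultdict(lambda: {"count": 0, "hosts": set(), "first": None, "last": None})
    for e in events:
        b = buckets[tuple(e.get(f) for f in fields)]
        ts = float(e[ts_field])
        b["count"] += 1
        b["hosts"].add(e.get("ComputerName"))
        b["first"] = ts if b["first"] is None else min(b["first"], ts)
        b["last"] = ts if b["last"] is None else max(b["last"], ts)
    rows = []
    for key, b in buckets.items():
        row = dict(zip(fields, key))
        row.update(count=b["count"], hosts=len(b["hosts"]),
                   first_seen=to_utc(b["first"]), last_seen=to_utc(b["last"]))
        rows.append(row)
    # Ascending sort surfaces the rare combinations; reverse it to see the common baseline.
    rows.sort(key=lambda r: (r["count"], r["hosts"]))
    return rows


def outliers(rows, max_count=1):
    """Rows seen at most max_count times: the candidates worth pivoting into a Process Timeline."""
    return [r for r in rows if r["count"] <= max_count]


if __name__ == "__main__":
    for r in stack(EVENTS, "FileName", "CommandLine"):
        print(f'{r["count"]:>3} {r["hosts"]:>2} {r["first_seen"]} {r["FileName"]:<14} {r["CommandLine"]}')
```

Stacking on FileName alone hides the interesting case when the same binary is used both legitimately and maliciously, which is why the example stacks on FileName and CommandLine together; adding ComputerName as a third key is the usual next pivot when a rare row turns up.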
NEW QUESTION # 49
What do you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search?
- A. PID
- B. Process Timeline Link
- C. Process ID or Parent Process ID
- D. CID
Answer: B
Explanation:
The Process Timeline Link is what you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search. The Process Timeline Link is an icon that looks like three horizontal bars with dots on them. It appears next to each process name or ID on various pages in Falcon, such as Hash Search results, Detection details, Event Search results, etc. Clicking on it will open a new tab with the Process Timeline for that process. The PID, the Process ID or Parent Process ID, and the CID are not what you click to jump to a Process Timeline.
NEW QUESTION # 50
In which of the following stages of the Cyber Kill Chain does the actor not interact with the victim endpoint(s)?
- A. Command & control
- B. Exploitation
- C. Weaponization
- D. Installation
Answer: C
Explanation:
Weaponization is the stage of the Cyber Kill Chain where the actor does not interact with the victim endpoint(s). Weaponization is where the actor prepares or packages the exploit or payload that will be used to compromise the target. This stage does not involve any communication or interaction with the victim endpoint(s), as it is done by the actor before delivering the weaponized content. Exploitation, Command & Control, and Installation are all stages where the actor interacts with the victim endpoint(s), either by executing code, establishing communication, or installing malware.
NEW QUESTION # 51
What topics are presented in the Hunting and Investigation Guide?
- A. Detailed summary of event names, descriptions, and some key data fields for hunting and investigation
- B. Recommended platform configurations and prevention settings to ensure detections are generated for hunting leads
- C. Sample hunting queries, select walkthroughs and best practices for hunting with Falcon
- D. Detailed tutorial on writing advanced queries such as sub-searches and joins
Answer: C
Explanation:
This is the correct answer for the same reason as above. The Hunting and Investigation guide provides sample hunting queries, select walkthroughs, and best practices for hunting with Falcon. It does not provide a detailed tutorial on writing advanced queries, a detailed summary of event names and descriptions, or recommended platform configurations and prevention settings.
NEW QUESTION # 52
In the Powershell Hunt report, what does the filtering condition commandLine!="*badstring*" do?
- A. Displays only the command lines containing "badstring"
- B. Highlights only the command lines containing "badstring"
- C. Highlights "badstring" in all command lines in the output
- D. Prevents command lines containing "badstring" from being displayed
Answer: D
Explanation:
In the Powershell Hunt report, the filtering condition commandLine!="*badstring*" prevents command lines containing "badstring" from being displayed. The != operator negates the comparison, and the asterisks are wildcards matching any characters before and after the string, so the condition excludes every event whose command line contains "badstring" anywhere. Note that field!=value only keeps events that have the field with a different value; an event with no commandLine field at all is dropped too, unlike NOT commandLine="*badstring*", which would keep it. The other options describe highlighting or inclusion, which is not what a negated filter does.
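Added example, not from the page or from CrowdStrike: a small Python evaluator for Event Search-style terms that reproduces the three filter behaviours covered in Questions 36, 44 and 52 (OR across several FileName values, a wildcard term, and a != exclusion), run over constructed ProcessRollup2-like events embedded in the block. The event values and paths are made up; event_simpleName, FileName, ImageFileName and CommandLine are used the way Event Search exposes them, and the query grammar is the toy subset needed for these three cases, not a full SPL parser.

```python
"""A tiny evaluator for Falcon Event Search-style search terms, used to show how
OR, wildcards and != behave. Added example; the events below are constructed."""
import fnmatch
import re

# Constructed ProcessRollup2-like events (not real sensor data). FileName is the
# bare executable name; the full path, where a $Recycle.Bin location shows up,
# is in ImageFileName.
EVENTS = [
    {"event_simpleName": "ProcessRollup2", "FileName": "net.exe",
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\net.exe",
     "CommandLine": "net user"},
    {"event_simpleName": "ProcessRollup2", "FileName": "whoami.exe",
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\whoami.exe",
     "CommandLine": "whoami /all"},
    {"event_simpleName": "ProcessRollup2", "FileName": "update.exe",
     "ImageFileName": r"\Device\HarddiskVolume2\$Recycle.Bin\S-1-5-21-1\update.exe",
     "CommandLine": "update.exe -badstring"},
    {"event_simpleName": "ProcessRollup2", "FileName": "powershell.exe",
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc AAAA"},
    # A non-process event with no CommandLine field at all.
    {"event_simpleName": "DnsRequest", "DomainName": "example.com"},
]

TERM = re.compile(r"^(\w+)(!?=)(.+)$")


def match_term(event, term):
    """Evaluate one field=value or field!=value term.
    '*' matches any run of characters and the comparison is case-insensitive, as in
    Event Search. As in Splunk, both '=' and '!=' require the field to exist: an event
    that lacks the field fails either form (NOT field=value is what keeps such events)."""
    m = TERM.match(term)
    if not m:
        raise ValueError(f"unsupported term: {term}")
    field, op, pattern = m.groups()
    value = event.get(field)
    if value is None:
        return False
    hit = fnmatch.fnmatchcase(str(value).lower(), pattern.strip('"').lower())
    return hit if op == "=" else not hit


def search(events, query):
    """Run a space-separated query: adjacent terms are ANDed, 'OR' joins neighbours,
    and OR binds tighter than the implicit AND, which is how SPL evaluates it.
    Values containing spaces are not supported by this toy tokenizer."""
    groups, current, after_or = [], [], False
    for token in query.split():
        if token == "OR":
            after_or = True
        elif after_or:
            current.append(token)
            after_or = False
        else:
            if current:
                groups.append(current)
            current = [token]
    if current:
        groups.append(current)
    return [e for e in events if all(any(match_term(e, t) for t in g) for g in groups)]


def file_names(events):
    """Convenience view of a result set for printing and checking."""
    return [e.get("FileName") for e in events]


if __name__ == "__main__":
    for q in (
        "event_simpleName=ProcessRollup2 FileName=net.exe OR FileName=ipconfig.exe OR FileName=whoami.exe",
        "event_simpleName=ProcessRollup2 ImageFileName=*$Recycle.Bin*",
        'event_simpleName=ProcessRollup2 CommandLine!="*badstring*"',
    ):
        print(q, "->", file_names(search(EVENTS, q)))
```

The third query is the one that catches people: because != requires the field to be present, the DnsRequest event is dropped by CommandLine!="*badstring*" even though it contains no such string, so a hunt report that mixes event types should prefer NOT commandLine="*badstring*" if it wants those rows kept.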
NEW QUESTION # 53
How do you rename fields while using transforming commands such as table, chart, and stats?
- A. You cannot rename fields as it would affect sub-queries and statistical analysis
- B. By using the "renamed" keyword after the field name eg "stats count renamed totalcount by ComputerName"
- C. By renaming the fields with the "rename" command after the transforming command e.g. "stats count by ComputerName | rename count AS total_count"
- D. By specifying the desired name after the field name eg "stats count totalcount by ComputerName"
Answer: C
Explanation:
The rename command renames fields after a transforming command such as table, chart, or stats, using the AS keyword to map the old name to the new one, e.g. stats count by ComputerName | rename count AS total_count. (stats also accepts AS inline, as in stats count AS total_count by ComputerName.) Renaming does not break sub-searches or statistical analysis as long as later parts of the query use the new field name. There is no renamed keyword, and simply placing a second name after the field, as in stats count totalcount by ComputerName, is not valid syntax.
NEW QUESTION # 54
The Events Data Dictionary found in the Falcon documentation is useful for writing hunting queries because:
- A. It provides a list of all the detect names and descriptions found in the Falcon Cloud
- B. It provides pre-defined queries you can customize to meet your specific threat hunting needs
- C. It provides a reference of information about the events found in the Investigate > Event Search page of the Falcon Console
- D. It provides a list of compatible splunk commands used to query event data
Answer: C
Explanation:
This is the correct answer for the same reason as above. The Events Data Dictionary provides a reference of information about the events found in the Investigate > Event Search page of the Falcon Console, which is useful for writing hunting queries. It does not provide pre-defined queries, detect names and descriptions, or compatible splunk commands.
NEW QUESTION # 55
......