CrowdStrike Certified Falcon Hunter (CCFH-202b) Free Practice Test

Question 1

Which of the following best describes the purpose of the Mac Sensor report?

A. The Mac Sensor report displays a listing of all Mac hosts without a Falcon sensor installed

B. The Mac Sensor report displays a listing of all Mac hosts with a Falcon sensor installed

C. The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts, including items of interest that may be hunting or investigation leads

D. The Mac Sensor report provides a detection focused view of known malicious activities occurring on Mac hosts, including machine-learning and indicator-based detections

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 2

The help desk is reporting an increase in calls related to user accounts being locked out over the last few days. You suspect that this could be an attack by an adversary against your organization. Select the best hunting hypothesis from the following:

A. A password guessing attack is being executed against remote access mechanisms such as VPN

B. A zero-day vulnerability is being exploited on a Microsoft Exchange server

C. A publicly available web application has been hacked and is causing the lockouts

D. Users are locking their accounts out because they recently changed their passwords

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 3

Which document provides information on best practices for writing Splunk-based hunting queries, predefined queries which may be customized to hunt for suspicious network connections, and predefined queries which may be customized to hunt for suspicious processes?

A. Incident and Detection Monitoring

B. Real Time Response and Network Containment

C. Hunting and Investigation

D. Events Data Dictionary

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 4

You need details about key data fields and sensor events which you may expect to find from Hosts running the Falcon sensor. Which documentation should you access?

A. Streaming API Event Dictionary

B. Event stream APIs

C. Hunting and Investigation

D. Events Data Dictionary

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 5

Which of the following is a way to create event searches that run automatically and recur on a schedule that you set?

A. Scheduled Reports

B. Workflows

C. Event Search

D. Scheduled Searches

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 6

While you're reviewing Unresolved Detections in the Host Search page, you notice the User Name column contains "hostnameS " What does this User Name indicate?

A. The Falcon sensor could not determine the User Name

B. The User Name is a System User

C. There is no User Name associated with the event

D. The User Name is not relevant for the dashboard

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 7

Refer to Exhibit.

What type of attack would this process tree indicate?

A. Web Application Attack

B. Brute Forcing Attack

C. Phishing Attack

D. Man-in-the-middle Attack

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Welcome to TestSimulate

CrowdStrike Certified Falcon Hunter (CCFH-202b) Free Practice Test