
CrowdStrike Certified Falcon Hunter CCFH-202 Dumps Full Questions with Free PDF Questions to Pass
CrowdStrike CCFH-202 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 | |
| Topic 2 | |
| Topic 3 | |
| Topic 4 | |
| Topic 5 | |
| Topic 6 | |
| Topic 7 | |
| Topic 8 | |
NEW QUESTION # 36
A benefit of using a threat hunting framework is that it:
- A. Automatically generates incident reports
- B. Provides actionable, repeatable steps to conduct threat hunting
- C. Eliminates false positives
- D. Provides high fidelity threat actor attribution
Answer: B
Explanation:
A threat hunting framework is a methodology that guides threat hunters in planning, executing, and improving their threat hunting activities. A benefit of using a threat hunting framework is that it provides actionable, repeatable steps to conduct threat hunting in a consistent and efficient manner. A threat hunting framework does not automatically generate incident reports, eliminate false positives, or provide high fidelity threat actor attribution, as these are dependent on other factors such as data sources, tools, and analysis skills.
NEW QUESTION # 37
The Events Data Dictionary found in the Falcon documentation is useful for writing hunting queries because:
- A. It provides a list of all the detect names and descriptions found in the Falcon Cloud
- B. It provides a list of compatible Splunk commands used to query event data
- C. It provides pre-defined queries you can customize to meet your specific threat hunting needs
- D. It provides a reference of information about the events found in the Investigate > Event Search page of the Falcon Console
Answer: D
Explanation:
The Events Data Dictionary provides a reference of information about the events found in the Investigate > Event Search page of the Falcon Console, including the event types and the fields they carry, which is what you need when writing hunting queries. It does not provide pre-defined queries, detect names and descriptions, or a list of compatible Splunk commands.
NEW QUESTION # 38
When performing a raw event search via the Events search page, what are Event Actions?
- A. Event Actions are pivotable workflows including connecting to a host, pre-made event searches and pivots to other investigatory pages such as host search
- B. Event Actions contains an audit information log of actions an analyst took in regards to a specific detection
- C. Event Actions is the field name that contains the event name defined in the Events Data Dictionary such as ProcessRollup, SyntheticProcessRollup, DNS request, etc
- D. Event Actions contains the summary of actions taken by the Falcon sensor such as quarantining a file, prevent a process from executing or taking no actions and creating a detection only
Answer: A
Explanation:
When performing a raw event search via the Events search page, Event Actions are pivotable workflows that allow you to perform various tasks related to the event or the host. For example, you can connect to a host using Real Time Response, run pre-made event searches based on the event type or name, or pivot to other investigatory pages such as Host Search or Hash Search. Event Actions do not contain an audit log of analyst actions, a summary of actions taken by the Falcon sensor, or the event name defined in the Events Data Dictionary.
NEW QUESTION # 39
Which of the following is an example of a Falcon threat hunting lead?
- A. Security appliance logs showing potentially bad traffic to an unknown external IP address
- B. An external report describing a unique 5 character file extension for ransomware encrypted files
- C. A routine threat hunt query showing process executions of single letter filename (e.g., a.exe) from temporary directories
- D. A help desk ticket for a user clicking on a link in an email causing their machine to become unresponsive and have high CPU usage
Answer: C
Explanation:
A Falcon threat hunting lead is a piece of information that can be used to initiate or guide a threat hunting activity within the Falcon platform. A routine threat hunt query showing process executions of single letter filename (e.g., a.exe) from temporary directories is an example of a Falcon threat hunting lead, as it can indicate potential malicious activity that can be further investigated using Falcon data and features. Security appliance logs, help desk tickets, and external reports are not examples of Falcon threat hunting leads, as they are not directly related to the Falcon platform or data.
NEW QUESTION # 40
You need details about key data fields and sensor events which you may expect to find from Hosts running the Falcon sensor. Which documentation should you access?
- A. Hunting and Investigation
- B. Streaming API Event Dictionary
- C. Event stream APIs
- D. Events Data Dictionary
Answer: D
Explanation:
The Events Data Dictionary found in the Falcon documentation is useful for writing hunting queries because it provides a reference of information about the events found in the Investigate > Event Search page of the Falcon Console. The Events Data Dictionary describes each event type, field name, data type, description, and example value that can be used to query and analyze event data. The Streaming API Event Dictionary, Hunting and Investigation, and Event stream APIs are not documentation that provide details about key data fields and sensor events.
NEW QUESTION # 41
Which of the following is the proper method to quantify search results, enabling a hunter to quickly sort and identify outliers?
- A. Exporting Event Search results to a spreadsheet and aggregating the results
- B. Using the "|stats count" command at the end of a search string in Event Search
- C. Using the "|eval" command at the end of a search string in Event Search
- D. Using the "| stats count by" command at the end of a search string in Event Search
Answer: D
Explanation:
Appending "| stats count by <field>" to a search string is the proper method to quantify search results, enabling a hunter to quickly sort and identify outliers. The stats command calculates summary statistics on the results of a search or subsearch, such as count, sum, average, etc. The "count by" form counts the number of events for each distinct value of a field (or combination of fields) and displays them in a table. Sorting that table surfaces rare or unusually common values that could indicate anomalies or deviations from normal behavior.
NEW QUESTION # 42
Which of the following does the Hunting and Investigation Guide contain?
- A. Example Event Search queries useful for Falcon platform configuration
- B. Example Event Search queries useful for threat hunting
- C. A list of all event types specifically used for hunting and their syntax
- D. A list of all event types and their syntax
Answer: B
Explanation:
The Hunting and Investigation guide contains example Event Search queries useful for threat hunting. These queries are based on common threat hunting use cases and scenarios, such as finding suspicious processes, network connections, registry activity, etc. The guide also explains how to customize and modify the queries to suit different needs and environments. The guide does not contain a list of all event types and their syntax, as that information is provided in the Events Data Dictionary. The guide also does not contain example Event Search queries useful for Falcon platform configuration, as that is not the focus of the guide.
NEW QUESTION # 43
You are reviewing a list of domains recently banned by your organization's acceptable use policy. In particular, you are looking for the number of hosts that have visited each domain. Which tool should you use in Falcon?
- A. Bulk Domain Search
- B. IP Addresses Search
- C. Allowed Domain Summary Report
- D. Create a custom alert for each domain
Answer: A
Explanation:
Bulk Domain Search is the tool that you should use in Falcon to review a list of domains recently banned by your organization's acceptable use policy and look for the number of hosts that have visited each domain. Bulk Domain Search is an Investigate tool that allows you to search for multiple domains at once and view their network connection events across all hosts in your environment. It shows information such as domain name, number of hosts visited, number of detections generated, etc. for each domain. Create a custom alert for each domain, Allowed Domain Summary Report, and IP Addresses Search are not tools that you should use for this purpose.
NEW QUESTION # 44
What do you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search?
- A. Process ID or Parent Process ID
- B. PID
- C. CID
- D. Process Timeline Link
Answer: D
Explanation:
The Process Timeline Link is what you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search. The Process Timeline Link is an icon that looks like three horizontal bars with dots on them. It appears next to each process name or ID on various pages in Falcon, such as Hash Search results, Detection details, Event Search results, etc. Clicking on it will open a new tab with the Process Timeline for that process. The PID, the Process ID or Parent Process ID, and the CID are not what you click to jump to a Process Timeline.
NEW QUESTION # 45
In the Powershell Hunt report, what does the "score" signify?
- A. Number of hosts that ran the PowerShell script
- B. How recently the PowerShell script executed
- C. Maliciousness score determined by NGAV
- D. A cumulative score of the various potential command line switches
Answer: D
Explanation:
In the Powershell Hunt report, the score signifies a cumulative score of the various potential command line switches that were used in the PowerShell script execution. The score is based on a weighted system that assigns different values to different switches based on their potential maliciousness or usefulness for threat hunting. For example, -EncodedCommand has a higher value than -NoProfile. The score does not signify the number of hosts that ran the PowerShell script, how recently the PowerShell script executed, or the maliciousness score determined by NGAV.
NEW QUESTION # 46
Which of the following is TRUE about a Hash Search?
- A. The Hash Search is available on Linux
- B. Wildcard searches are not permitted with the Hash Search
- C. Module Load History is not presented in a Hash Search
- D. The Hash Search provides Process Execution History
Answer: D
Explanation:
The Hash Search is an Investigate tool that allows you to search for a file hash and view its process execution history across all hosts in your environment. It shows information such as process name, command line, parent process name, parent command line, etc. for each execution of the file hash. Wildcard searches are permitted with the Hash Search, as long as they are at least four characters long. The Hash Search is available on Linux, as well as Windows and Mac OS X. Module Load History is presented in a Hash Search, along with other information such as File Write History and Detection History.
NEW QUESTION # 47
Which field should you reference in order to find the system time of a *FileWritten event?
- A. ContextTimeStamp_decimal
- B. timestamp
- C. ProcessStartTime_decimal
- D. FileTimeStamp_decimal
Answer: A
Explanation:
ContextTimeStamp_decimal is the field that shows the system time of the event that triggered the sensor to send data to the cloud. In this case, it would be the time when the file was written. FileTimeStamp_decimal is the field that shows the last modified time of the file, which may not be the same as the time when the file was written. ProcessStartTime_decimal is the field that shows the start time of the process that performed the file write operation, which may not be the same as the time when the file was written. Timestamp is the field that shows the time when the sensor data was received by the cloud, which may not be the same as the time when the file was written.
NEW QUESTION # 48
Which of the following queries will return the parent processes responsible for launching badprogram.exe?
- A. [search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time
- B. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
- C. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessId_decimal AS TargetProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
- D. [search (ParentProcess) where name=badprogram.exe ] | table ParentProcessName _time
Answer: B
Explanation:
This query returns the parent processes responsible for launching badprogram.exe by using a subsearch to find the processrollup2 events where FileName is badprogram.exe, renaming the ParentProcessId_decimal field to TargetProcessId_decimal so that the parent's process ID becomes the filter for the main search, and then using stats to count the occurrences of each FileName by _time. The other queries either do not return the parent processes or use incorrect field names or syntax.
NEW QUESTION # 49
Which of the following Event Search queries would only find the DNS lookups to the domain: www.randomdomain.com?
- A. event_simpleName=DnsRequest DomainName=randomdomain.com ComputerName=localhost
- B. Dns=randomdomain.com
- C. ComputerName=localhost DnsRequest "randomdomain.com"
- D. event_simpleName=DnsRequest DomainName=www.randomdomain.com
Answer: D
Explanation:
This Event Search query only finds the DNS lookups to the domain www.randomdomain.com, because it specifies both the exact event type (DnsRequest) and the exact domain name to match. The other queries would either match other event types, match a different domain, or restrict the results to a single host.
NEW QUESTION # 50
Which tool allows a threat hunter to populate and colorize all known adversary techniques in a single view?
- A. MITRE ATT&CK Navigator
- B. OWASP Threat Dragon
- C. MISP
- D. OpenXDR
Answer: A
Explanation:
MITRE ATT&CK Navigator is a tool that allows a threat hunter to populate and colorize all known adversary techniques in a single view. It is based on the MITRE ATT&CK framework, which is a knowledge base of adversary behaviors and tactics. The tool enables threat hunters to create custom matrices, layers, annotations, and filters to explore and model specific adversary techniques, with links to intelligence and case studies.
NEW QUESTION # 51
While you're reviewing Unresolved Detections in the Host Search page, you notice the User Name column contains "hostname$". What does this User Name indicate?
- A. The Falcon sensor could not determine the User Name
- B. There is no User Name associated with the event
- C. The User Name is a System User
- D. The User Name is not relevant for the dashboard
Answer: B
Explanation:
When you see "hostname$" in the User Name column in the Host Search page, it means that there is no User Name associated with the event. This can happen when the event is related to a system process or service that does not have a user context. It does not mean that the User Name is a System User, that the User Name is not relevant for the dashboard, or that the Falcon sensor could not determine the User Name.
NEW QUESTION # 52
Which SPL (Splunk) field name can be used to automatically convert Unix times (Epoch) to UTC readable time within the Falcon Event Search?
- A. utc_time
- B. _time
- C. time
- D. conv_time
Answer: B
Explanation:
_time is the SPL (Splunk) field name that can be used to automatically convert Unix times (Epoch) to UTC readable time within the Falcon Event Search. It is a default field that shows the timestamp of each event in a human-readable format. utc_time, conv_time, and time are not valid SPL field names for converting Unix times to UTC readable time.
NEW QUESTION # 53
In which of the following stages of the Cyber Kill Chain does the actor not interact with the victim endpoint(s)?
- A. Weaponization
- B. Command & control
- C. Exploitation
- D. Installation
Answer: A
Explanation:
Weaponization is the stage of the Cyber Kill Chain where the actor does not interact with the victim endpoint(s). Weaponization is where the actor prepares or packages the exploit or payload that will be used to compromise the target. This stage does not involve any communication or interaction with the victim endpoint(s), as it is done by the actor before delivering the weaponized content. Exploitation, Command & Control, and Installation are all stages where the actor interacts with the victim endpoint(s), either by executing code, establishing communication, or installing malware.
NEW QUESTION # 54
Which threat framework allows a threat hunter to explore and model specific adversary tactics and techniques, with links to intelligence and case studies?
- A. Lockheed Martin Cyber Kill Chain
- B. MITRE ATT&CK
- C. Director of National Intelligence Cyber Threat Framework
- D. NIST 800-171 Cyber Threat Framework
Answer: B
Explanation:
MITRE ATT&CK is a threat framework that allows a threat hunter to explore and model specific adversary tactics and techniques, with links to intelligence and case studies. It is a knowledge base of adversary behaviors and tactics that covers various platforms, domains, and scenarios. It provides a common language and structure for threat hunters to understand and analyze threats, as well as to share findings and recommendations.
NEW QUESTION # 55
Which structured analytic technique contrasts different hypotheses to determine which is the best leading (prioritized) hypothesis?
- A. Key assumptions check
- B. Competitive analysis
- C. Analysis of competing hypotheses
- D. Model hunting framework
Answer: C
Explanation:
Analysis of competing hypotheses is a structured analytic technique that contrasts different hypotheses to determine which is the best leading (prioritized) hypothesis. It involves listing all the possible hypotheses, identifying the evidence and assumptions for each hypothesis, evaluating the consistency and reliability of the evidence and assumptions, and rating the likelihood of each hypothesis based on the evidence and assumptions.
NEW QUESTION # 56
What is the difference between a Host Search and a Host Timeline?
- A. You access a Host Search from a detection to show you every recorded process event related to the detection and you can only populate the Host Timeline fields manually
- B. There is no difference. You just get to them different ways
- C. Host Search is used for detection investigation and Host Timeline is used for proactive hunting
- D. A Host Search organizes the data in useful event categories like process executions and network connections, a Host Timeline provides an uncategorized view of recorded events in chronological order
Answer: D
Explanation:
This is the difference between a Host Search and a Host Timeline. A Host Search is an Investigate tool that allows you to view events by category, such as process executions, network connections, file writes, etc. A Host Timeline is an Investigate tool that allows you to view all events in chronological order, without any categorization. Both tools can be used for detection investigation and proactive hunting, depending on the use case and preference. You can access a Host Search from a detection or manually enter the host details. You can also populate the Host Timeline fields manually or from other pages in Falcon.
NEW QUESTION # 57
Which of the following best describes the purpose of the Mac Sensor report?
- A. The Mac Sensor report displays a listing of all Mac hosts without a Falcon sensor installed
- B. The Mac Sensor report displays a listing of all Mac hosts with a Falcon sensor installed
- C. The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts, including items of interest that may be hunting or investigation leads
- D. The Mac Sensor report provides a detection focused view of known malicious activities occurring on Mac hosts, including machine-learning and indicator-based detections
Answer: C
Explanation:
The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts, including items of interest that may be hunting or investigation leads. It does not display a listing of all Mac hosts with or without a Falcon sensor installed, nor does it provide a detection-focused view of known malicious activities occurring on Mac hosts.
NEW QUESTION # 58
Which of the following is a way to create event searches that run automatically and recur on a schedule that you set?
- A. Scheduled Reports
- B. Workflows
- C. Scheduled Searches
- D. Event Search
Answer: C
Explanation:
Scheduled Searches are a way to create event searches that run automatically and recur on a schedule that you set. You can use Scheduled Searches to monitor your environment for specific conditions or patterns, generate reports or alerts, or enrich your data with additional fields or tags. Workflows, Event Search, and Scheduled Reports are not ways to create event searches that run automatically and recur on a schedule.
NEW QUESTION # 59
