
Get Real CCFH-202 Exam Dumps [Apr-2024] Practice Tests
Last CCFH-202 practice test reviews: Practice Test CrowdStrike dumps
CrowdStrike CCFH-202 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 | |
| Topic 2 | |
| Topic 3 | |
| Topic 4 | |
| Topic 5 | |
| Topic 6 | |
NEW QUESTION # 15
Which of the following is TRUE about a Hash Search?
- A. The Hash Search provides Process Execution History
- B. Wildcard searches are not permitted with the Hash Search
- C. Module Load History is not presented in a Hash Search
- D. The Hash Search is available on Linux
Answer: A
Explanation:
The Hash Search is an Investigate tool that allows you to search for a file hash and view its process execution history across all hosts in your environment. It shows information such as process name, command line, parent process name, parent command line, etc. for each execution of the file hash. Wildcard searches are permitted with the Hash Search, as long as they are at least four characters long. The Hash Search is available on Linux, as well as Windows and Mac OS X. Module Load History is presented in a Hash Search, along with other information such as File Write History and Detection History.
NEW QUESTION # 16
SPL (Splunk) eval statements can be used to convert Unix times (Epoch) into UTC readable time. Which eval function is correct?
- A. relative_time
- B. strftime
- C. typeof
- D. now
Answer: B
Explanation:
The strftime eval function is used to convert Unix times (Epoch) into UTC readable time. It takes two arguments: a Unix time field and a format string that specifies how to display the time. The now, typeof, and relative_time eval functions are not used to convert Unix times into UTC readable time.
NEW QUESTION # 17
The Process Timeline Events Details table will populate the Parent Process ID and the Parent File columns when the cloudable Event data contains which event field?
- A. ParentProcessId_decimal
- B. RpcProcessId_decimal
- C. RawProcessId_decimal
- D. ContextProcessId_decimal
Answer: A
Explanation:
The ParentProcessId_decimal event field is what the Process Timeline Events Details table will populate the Parent Process ID and the Parent File columns with when the cloudable Event data contains it. The ParentProcessId_decimal event field is the decimal representation of the process identifier for the parent process of the target process. It can be used to trace the process ancestry and identify potential malicious activity. The ContextProcessId_decimal, RawProcessId_decimal, and RpcProcessId_decimal event fields are not used to populate the Parent Process ID and the Parent File columns.
NEW QUESTION # 18
Which threat framework allows a threat hunter to explore and model specific adversary tactics and techniques, with links to intelligence and case studies?
- A. Lockheed Martin Cyber Kill Chain
- B. Director of National Intelligence Cyber Threat Framework
- C. MITRE ATT&CK
- D. NIST 800-171 Cyber Threat Framework
Answer: C
Explanation:
MITRE ATT&CK is a threat framework that allows a threat hunter to explore and model specific adversary tactics and techniques, with links to intelligence and case studies. It is a knowledge base of adversary behaviors and tactics that covers various platforms, domains, and scenarios. It provides a common language and structure for threat hunters to understand and analyze threats, as well as to share findings and recommendations.
NEW QUESTION # 19
An analyst has sorted all recent detections in the Falcon platform to identify the oldest in an effort to determine the possible first victim host. What is this type of analysis called?
- A. Statistical analysis
- B. Visualization of hosts
- C. Temporal analysis
- D. Machine Learning
Answer: C
Explanation:
Temporal analysis is a type of analysis that focuses on the timing and sequence of events in order to identify patterns, trends, or anomalies. By sorting all recent detections in the Falcon platform to identify the oldest, an analyst can perform temporal analysis to determine the possible first victim host and trace back the origin of an attack.
NEW QUESTION # 20
In the PowerShell Hunt report, what does the "score" signify?
- A. How recently the PowerShell script executed
- B. Number of hosts that ran the PowerShell script
- C. Maliciousness score determined by NGAV
- D. A cumulative score of the various potential command line switches
Answer: D
Explanation:
In the PowerShell Hunt report, the score signifies a cumulative score of the various potential command line switches that were used in the PowerShell script execution. The score is based on a weighted system that assigns different values to different switches based on their potential maliciousness or usefulness for threat hunting. For example, -EncodedCommand has a higher value than -NoProfile. The score does not signify the number of hosts that ran the PowerShell script, how recently the PowerShell script executed, or the maliciousness score determined by NGAV.
NEW QUESTION # 21
Which field should you reference in order to find the system time of a *FileWritten event?
- A. ProcessStartTime_decimal
- B. ContextTimeStamp_decimal
- C. FileTimeStamp_decimal
- D. timestamp
Answer: B
Explanation:
ContextTimeStamp_decimal is the field that shows the system time of the event that triggered the sensor to send data to the cloud. In this case, it would be the time when the file was written. FileTimeStamp_decimal is the field that shows the last modified time of the file, which may not be the same as the time when the file was written. ProcessStartTime_decimal is the field that shows the start time of the process that performed the file write operation, which may not be the same as the time when the file was written. timestamp is the field that shows the time when the sensor data was received by the cloud, which may not be the same as the time when the file was written.
NEW QUESTION # 22
Lateral movement through a victim environment is an example of which stage of the Cyber Kill Chain?
- A. Command & Control
- B. Actions on Objectives
- C. Delivery
- D. Exploitation
Answer: A
Explanation:
Lateral movement through a victim environment is an example of the Command & Control stage of the Cyber Kill Chain. The Cyber Kill Chain is a model that describes the phases of a cyber attack, from reconnaissance to actions on objectives. The Command & Control stage is where the adversary establishes and maintains communication with the compromised systems and moves laterally to expand their access and control.
NEW QUESTION # 23
Which SPL (Splunk) field name can be used to automatically convert Unix times (Epoch) to UTC readable time within the Falcon Event Search?
- A. conv_time
- B. time
- C. _time
- D. utc_time
Answer: C
Explanation:
_time is the SPL (Splunk) field name that can be used to automatically convert Unix times (Epoch) to UTC readable time within the Falcon Event Search. It is a default field that shows the timestamp of each event in a human-readable format. utc_time, conv_time, and time are not valid SPL field names for converting Unix times to UTC readable time.
NEW QUESTION # 24
What is the difference between a Host Search and a Host Timeline?
- A. A Host Search organizes the data in useful event categories like process executions and network connections, a Host Timeline provides an uncategorized view of recorded events in chronological order
- B. There is no difference. You just get to them different ways
- C. You access a Host Search from a detection to show you every recorded process event related to the detection and you can only populate the Host Timeline fields manually
- D. Host Search is used for detection investigation and Host Timeline is used for proactive hunting
Answer: A
Explanation:
This is the difference between a Host Search and a Host Timeline. A Host Search is an Investigate tool that allows you to view events by category, such as process executions, network connections, file writes, etc. A Host Timeline is an Investigate tool that allows you to view all events in chronological order, without any categorization. Both tools can be used for detection investigation and proactive hunting, depending on the use case and preference. You can access a Host Search from a detection or manually enter the host details. You can also populate the Host Timeline fields manually or from other pages in Falcon.
NEW QUESTION # 25
Which Falcon documentation guide should you reference to hunt for anomalies related to scheduled tasks and other Windows related artifacts?
- A. Events Data Dictionary
- B. MITRE-Based Falcon Detections Framework
- C. Hunting and Investigation
- D. Customizable Dashboards
Answer: C
Explanation:
The Hunting and Investigation guide is the Falcon documentation guide that you should reference to hunt for anomalies related to scheduled tasks and other Windows related artifacts. The Hunting and Investigation guide provides sample hunting queries, select walkthroughs, and best practices for hunting with Falcon. It covers various topics such as process execution, network connections, registry activity, scheduled tasks, and more.
NEW QUESTION # 26
Which of the following queries will return the parent processes responsible for launching badprogram.exe?
- A. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessId_decimal AS TargetProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
- B. [search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time
- C. [search (ParentProcess) where name=badprogram.exe ] | table ParentProcessName _time
- D. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
Answer: D
Explanation:
This query will return the parent processes responsible for launching badprogram.exe by using a subsearch to find the processrollup2 events where FileName is badprogram.exe, then renaming the TargetProcessId_decimal field to ParentProcessId_decimal and using it as a filter for the main search, then using stats to count the occurrences of each FileName by _time. The other queries will either not return the parent processes or use incorrect field names or syntax.
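The subsearch-and-filter pattern above, together with the epoch-to-UTC conversion from questions 16 and 23, as an added worked example in Python (not code from the page or from CrowdStrike). The events are constructed, not real Falcon telemetry; field names follow the page (event_simpleName, aid, FileName, TargetProcessId_decimal, ParentProcessId_decimal, ContextTimeStamp_decimal). The join it performs is the one the query describes: collect the parent process IDs of every badprogram.exe launch, then select the processrollup2 events whose own TargetProcessId_decimal matches. It also keys on aid, because process IDs repeat across hosts, which is why the subsearch keeps the aid field.

```python
"""Resolve the parent processes of a named file from processrollup2-style events.

Added example with constructed events. Field names follow the Falcon Event
Search conventions discussed on the page; the sample values are invented.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: two hosts (aid), each with its own process chain.
# Note that pid 200 exists on both hosts but belongs to different images,
# so a join on the process ID alone would mix up the two chains.
EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "host-A", "TargetProcessId_decimal": 100,
     "ParentProcessId_decimal": 1, "FileName": "explorer.exe", "ContextTimeStamp_decimal": 1712000000},
    {"event_simpleName": "ProcessRollup2", "aid": "host-A", "TargetProcessId_decimal": 200,
     "ParentProcessId_decimal": 100, "FileName": "cmd.exe", "ContextTimeStamp_decimal": 1712000060},
    {"event_simpleName": "ProcessRollup2", "aid": "host-A", "TargetProcessId_decimal": 300,
     "ParentProcessId_decimal": 200, "FileName": "badprogram.exe", "ContextTimeStamp_decimal": 1712000120},
    {"event_simpleName": "ProcessRollup2", "aid": "host-B", "TargetProcessId_decimal": 50,
     "ParentProcessId_decimal": 4, "FileName": "winword.exe", "ContextTimeStamp_decimal": 1712003500},
    {"event_simpleName": "ProcessRollup2", "aid": "host-B", "TargetProcessId_decimal": 200,
     "ParentProcessId_decimal": 50, "FileName": "powershell.exe", "ContextTimeStamp_decimal": 1712003600},
    {"event_simpleName": "ProcessRollup2", "aid": "host-B", "TargetProcessId_decimal": 400,
     "ParentProcessId_decimal": 200, "FileName": "badprogram.exe", "ContextTimeStamp_decimal": 1712003660},
    # A non-process event that the event_simpleName filter must exclude.
    {"event_simpleName": "DnsRequest", "aid": "host-B", "ContextTimeStamp_decimal": 1712003670},
]


def epoch_to_utc(ts):
    """Render a Unix epoch value in UTC, the way strftime / _time present it."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def find_parents(events, file_name):
    """Return the launch events of the processes that spawned `file_name`.

    Step 1 (the subsearch): every (aid, ParentProcessId_decimal) pair from
    processrollup2 events for file_name.
    Step 2 (the main search): processrollup2 events whose
    (aid, TargetProcessId_decimal) is one of those pairs.
    """
    rollups = [e for e in events if e["event_simpleName"].lower() == "processrollup2"]
    wanted = {(e["aid"], e["ParentProcessId_decimal"])
              for e in rollups if e["FileName"] == file_name}
    return [e for e in rollups if (e["aid"], e["TargetProcessId_decimal"]) in wanted]


def parent_counts(events, file_name):
    """The `stats count by FileName` step: how often each parent image launched the file."""
    return Counter(e["FileName"] for e in find_parents(events, file_name))


if __name__ == "__main__":
    for e in find_parents(EVENTS, "badprogram.exe"):
        print(epoch_to_utc(e["ContextTimeStamp_decimal"]), e["aid"], e["FileName"])
    print(dict(parent_counts(EVENTS, "badprogram.exe")))
```

Running it lists cmd.exe on host-A and powershell.exe on host-B as the parents; dropping aid from the join would wrongly attribute both launches to whichever pid-200 image came first.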
NEW QUESTION # 27
With Custom Alerts you are able to configure email alerts using predefined templates so you're notified about specific activity in your environment. Which of the following outlines the steps required to properly create a custom alert rule?
- A. Choose the template you would like to configure, preview the search results, and then schedule the alert
- B. Create a new custom template, configure the email template, and then create the custom query for the alert
- C. Choose the template you would like to configure, set up how often you would like the alert to run, and then schedule the alert
- D. Create the query for the alert, set up the email template for the alert, and then set the schedule for the alert
Answer: A
Explanation:
These are the steps required to properly create a custom alert rule. Custom Alerts are a feature that allows you to configure email alerts using predefined templates so you're notified about specific activity in your environment. You can choose from various templates that cover different use cases, such as suspicious PowerShell activity, network connections to risky countries, etc. You can also preview the search results of the template before scheduling the alert. You do not need to create the query for the alert, set up the email template for the alert, or create a new custom template, as these are already provided by the predefined templates.
NEW QUESTION # 28
What information is provided when using IP Search to look up an IP address?
- A. External IPs only
- B. Internal IPs only
- C. Both internal and external IPs
- D. Suspicious IP addresses
Answer: A
Explanation:
IP Search is an Investigate tool that allows you to look up information about external IPs only. It shows information such as geolocation, network connection events, detection history, etc. for each external IP address that has communicated with your hosts. It does not show information about internal IPs, suspicious IPs, or both internal and external IPs.
NEW QUESTION # 29
Where would an analyst find information about shells spawned by root, Kernel Module loads, and wget/curl usage?
- A. Sensor Policy Daily report
- B. Linux Sensor report
- C. Sensor Health report
- D. Mac Sensor report
Answer: B
Explanation:
The Linux Sensor report is where an analyst would find information about shells spawned by root, Kernel Module loads, and wget/curl usage. The Linux Sensor report is a pre-defined report that provides a summary view of selected activities on Linux hosts. It shows information such as process execution events, network connection events, file write events, etc. that occurred on Linux hosts within a specified time range. The Sensor Health report, the Sensor Policy Daily report, and the Mac Sensor report do not provide the same information.
NEW QUESTION # 30
You are reviewing a list of domains recently banned by your organization's acceptable use policy. In particular, you are looking for the number of hosts that have visited each domain. Which tool should you use in Falcon?
- A. IP Addresses Search
- B. Allowed Domain Summary Report
- C. Bulk Domain Search
- D. Create a custom alert for each domain
Answer: C
Explanation:
Bulk Domain Search is the tool that you should use in Falcon to review a list of domains recently banned by your organization's acceptable use policy and look for the number of hosts that have visited each domain. Bulk Domain Search is an Investigate tool that allows you to search for multiple domains at once and view their network connection events across all hosts in your environment. It shows information such as domain name, number of hosts visited, number of detections generated, etc. for each domain. Create a custom alert for each domain, Allowed Domain Summary Report, and IP Addresses Search are not tools that you should use for this purpose.
NEW QUESTION # 31
To find events that are outliers inside a network,___________is the best hunting method to use.
- A. time-based
- B. searching
- C. stacking
- D. machine learning
Answer: C
Explanation:
Stacking (Frequency Analysis) is the best hunting method to use to find events that are outliers inside a network. Stacking involves grouping events by a common attribute and counting their frequency, then sorting them by ascending or descending order to identify rare or common events. This can help find anomalies or deviations from normal behavior that could indicate malicious activity. Time-based searching, machine learning, and searching are not specific hunting methods to find outliers.
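Stacking as described above, plus the temporal ordering from question 19, as an added worked example in Python (not code from the page or from CrowdStrike). The events and detections are constructed; field names aid, FileName and ContextTimeStamp_decimal follow the page. Beyond the raw event count, the example also stacks by distinct host count, which is the caveat a hunter wants: a program that runs many times on a single host looks common by event count but is still an outlier across the fleet.

```python
"""Stacking (frequency analysis) and temporal ordering over constructed events.

Added example; the sample data is invented. Field names follow the page's
Falcon Event Search conventions (aid, FileName, ContextTimeStamp_decimal).
"""
from collections import Counter, defaultdict

# Constructed process events across four hosts. updater.exe runs four times,
# but only on host-D; rundll32.exe runs once, on host-B.
EVENTS = [
    {"aid": "host-A", "FileName": "svchost.exe"},
    {"aid": "host-B", "FileName": "svchost.exe"},
    {"aid": "host-C", "FileName": "svchost.exe"},
    {"aid": "host-D", "FileName": "svchost.exe"},
    {"aid": "host-A", "FileName": "chrome.exe"},
    {"aid": "host-B", "FileName": "chrome.exe"},
    {"aid": "host-C", "FileName": "chrome.exe"},
    {"aid": "host-D", "FileName": "updater.exe"},
    {"aid": "host-D", "FileName": "updater.exe"},
    {"aid": "host-D", "FileName": "updater.exe"},
    {"aid": "host-D", "FileName": "updater.exe"},
    {"aid": "host-B", "FileName": "rundll32.exe"},
]

# Constructed detections with epoch timestamps; host-B fires first.
DETECTIONS = [
    {"aid": "host-A", "ContextTimeStamp_decimal": 1712000900},
    {"aid": "host-D", "ContextTimeStamp_decimal": 1712000300},
    {"aid": "host-B", "ContextTimeStamp_decimal": 1712000000},
    {"aid": "host-A", "ContextTimeStamp_decimal": 1712001200},
    {"aid": "host-B", "ContextTimeStamp_decimal": 1712000450},
]


def stack(events, key):
    """Group events by `key` and count them; ascending order surfaces rare values first.

    Ties are broken by value name so the output is deterministic.
    """
    counts = Counter(e[key] for e in events)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def host_prevalence(events, key):
    """Stack by number of distinct hosts (aid) per value rather than raw event count."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e[key]].add(e["aid"])
    return sorted(((k, len(v)) for k, v in hosts.items()), key=lambda kv: (kv[1], kv[0]))


def outliers(events, key, max_hosts=1):
    """Values seen on at most `max_hosts` hosts: the candidates worth a closer look."""
    return [k for k, n in host_prevalence(events, key) if n <= max_hosts]


def earliest_by_host(detections):
    """Temporal analysis: first detection time per host, oldest host first."""
    first = {}
    for d in detections:
        aid, ts = d["aid"], d["ContextTimeStamp_decimal"]
        if aid not in first or ts < first[aid]:
            first[aid] = ts
    return sorted(first.items(), key=lambda kv: (kv[1], kv[0]))


if __name__ == "__main__":
    print("by event count:", stack(EVENTS, "FileName"))
    print("by host count: ", host_prevalence(EVENTS, "FileName"))
    print("outliers:      ", outliers(EVENTS, "FileName"))
    print("first victim:  ", earliest_by_host(DETECTIONS)[0][0])
```

By event count updater.exe ties with svchost.exe and looks ordinary; by host count it sits beside rundll32.exe as an outlier, which is the view the explanation's "rare or common events" test is really about.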
NEW QUESTION # 32
Which of the following would be the correct field name to find the name of an event?
- A. Event_SimpleName
- B. event_simpleName
- C. EVENT_SIMPLE_NAME
- D. Event_Simple_Name
Answer: A
Explanation:
Event_SimpleName is the correct field name to find the name of an event in Falcon Event Search. It is a field that shows the simplified name of each event type, such as ProcessRollup2, DnsRequest, or FileDelete. Event_Simple_Name, EVENT_SIMPLE_NAME, and event_simpleName are not valid field names for finding the name of an event.
NEW QUESTION # 33
Get Ready to Pass the CCFH-202 exam with CrowdStrike Latest Practice Exam : https://examcollection.dumpsvalid.com/CCFH-202-brain-dumps.html