CCFH-202 Demo and Sample
Note: Answers are below each question.
Samples are taken from full version.
Latest CCFH-202 Exam Questions and Practice Tests 2024 - Killexams.com
CrowdStrike
CCFH-202
CrowdStrike Certified Falcon Hunter (CCFH) Certification
https://killexams.com/pass4sure/exam-detail/CCFH-202
Question: 212
An analyst has sorted all recent detections in the Falcon platform to identify the oldest, in an effort to determine the possible first victim host. What is this type of analysis called?
Visualization of hosts
Statistical analysis
Temporal analysis
Machine Learning
Answer: C
Explanation:
Temporal analysis is a type of analysis that focuses on the timing and sequence of events in order to identify patterns, trends, or anomalies. By sorting all recent detections in the Falcon platform to identify the oldest, an analyst can perform temporal analysis to determine the possible first victim host and trace back the origin of an attack.
Reference: https://www.crowdstrike.com/blog/tech-center/temporal-analysis-in-crowdstrike-falcon/
Question: 213
Refer to Exhibit.
Falcon detected the above file attempting to execute.
At initial glance, what indicators can we use to provide an initial analysis of the file?
VirusTotal, Hybrid Analysis, and Google pivot indicator lights enabled
File name, path, Local and Global prevalence within the environment
File path, hard disk volume number, and IOC Management action
Local prevalence, IOC Management action, and Event Search
Answer: B
Explanation:
The file name, path, Local and Global prevalence are indicators that can provide an initial analysis of the file without relying on external sources or tools. The file name can indicate the purpose or origin of the file, such as if it is a legitimate application or a malicious payload. The file path can indicate where the file was located or executed from, such as if it was in a temporary or system directory. The Local and Global prevalence can indicate how common or rare the file is within the environment or across all Falcon customers, which can help assess the risk or impact of the file.
Reference: https://www.crowdstrike.com/blog/tech-center/understanding-file-prevalence-in-crowdstrike-falcon/
Question: 213
A benefit of using a threat hunting framework is that it:
Automatically generates incident reports
Eliminates false positives
Provides high fidelity threat actor attribution
Provides actionable, repeatable steps to conduct threat hunting
Answer: D
Explanation:
A threat hunting framework is a methodology that guides threat hunters in planning, executing, and improving their threat hunting activities. A benefit of using a threat hunting framework is that it provides actionable, repeatable steps to conduct threat hunting in a consistent and efficient manner. A threat hunting framework does not automatically generate incident reports, eliminate false positives, or provide high fidelity threat actor attribution, as these are dependent on other factors such as data sources, tools, and analysis skills.
Reference: https://www.crowdstrike.com/blog/tech-center/threat-hunting-framework/
Question: 214
Which of the following is an example of a Falcon threat hunting lead?
A routine threat hunt query showing process executions of single letter filename (e.g., a.exe) from temporary directories
Security appliance logs showing potentially bad traffic to an unknown external IP address
A help desk ticket for a user clicking on a link in an email causing their machine to become unresponsive and have high CPU usage
An external report describing a unique 5 character file extension for ransomware encrypted files
Answer: A
Explanation:
A Falcon threat hunting lead is a piece of information that can be used to initiate or guide a threat hunting activity within the Falcon platform. A routine threat hunt query showing process executions of single letter filename (e.g., a.exe) from temporary directories is an example of a Falcon threat hunting lead, as it can indicate potential malicious activity that can be further investigated using Falcon data and features. Security appliance logs, help desk tickets, and external reports are not examples of Falcon threat hunting leads, as they are not directly related to the Falcon platform or data.
Reference: https://www.crowdstrike.com/blog/tech-center/threat-hunting-leads-in-crowdstrike-falcon/
Question: 215
The Falcon Detections page will attempt to decode Encoded PowerShell Command line parameters when which PowerShell Command line parameter is present?
-Command
-Hidden
-e
-nop
Answer: A
Explanation:
The Falcon Detections page will attempt to decode Encoded PowerShell Command line parameters when the -Command parameter is present. The -Command parameter allows PowerShell to execute a specified script block or string. If the script block or string is encoded using Base64 or other methods, the Falcon Detections page will try to decode it and show the original command. The -Hidden, -e, and -nop parameters are not related to encoding or decoding PowerShell commands.
Reference: https://www.crowdstrike.com/blog/tech-center/decoding-powershell-commands-in-crowdstrike-falcon/
Question: 216
Which structured analytic technique contrasts different hypotheses to determine which is the best leading (prioritized) hypothesis?
Model hunting framework
Competitive analysis
Analysis of competing hypotheses
Key assumptions check
Answer: C
Explanation:
Analysis of competing hypotheses is a structured analytic technique that contrasts different hypotheses to determine which is the best leading (prioritized) hypothesis. It involves listing all the possible hypotheses, identifying the evidence and assumptions for each hypothesis, evaluating the consistency and reliability of the evidence and assumptions, and rating the likelihood of each hypothesis based on the evidence and assumptions.
Reference: https://www.crowdstrike.com/blog/tech-center/analysis-of-competing-hypotheses/
Question: 217
Which SPL (Splunk) field name can be used to automatically convert Unix times (Epoch) to UTC readable time within the Falcon Event Search?
utc_time
conv_time
_time
time
Answer: C
Explanation:
_time is the SPL (Splunk) field name that can be used to automatically convert Unix times (Epoch) to UTC readable time within the Falcon Event Search. It is a default field that shows the timestamp of each event in a human-readable format. utc_time, conv_time, and time are not valid SPL field names for converting Unix times to UTC readable time.
Reference: https://www.crowdstrike.com/blog/tech-center/understanding-timestamps-in-crowdstrike-falcon/
Question: 218
Which of the following would be the correct field name to find the name of an event?
Event_SimpleName
Event_Simple_Name
EVENT_SIMPLE_NAME
event_simpleName
Answer: B
Explanation:
Event_SimpleName is the correct field name to find the name of an event in Falcon Event Search. It is a field that shows the simplified name of each event type, such as ProcessRollup2, DnsRequest, or FileDelete. Event_Simple_Name, EVENT_SIMPLE_NAME, and event_simpleName are not valid field names for finding the name of an event.
Reference: https://www.crowdstrike.com/blog/tech-center/event-search-in-crowdstrike-falcon/
Question: 219
Event Search data is recorded with which time zone?
PST
GMT
EST
UTC
Answer: D
Explanation:
Event Search data is recorded with UTC (Coordinated Universal Time) time zone. UTC is a standard time zone that is used as a reference point for other time zones. PST (Pacific Standard Time), GMT (Greenwich Mean Time), and EST (Eastern Standard Time) are not the time zones that Event Search data is recorded with.
Reference: https://www.crowdstrike.com/blog/tech-center/understanding-timestamps-in-crowdstrike-falcon/
Question: 220
Which of the following Event Search queries would only find the DNS lookups to the domain www.randomdomain.com?
event_simpleName=DnsRequest DomainName=www.randomdomain.com
event_simpleName=DnsRequest DomainName=randomdomain.com ComputerName=localhost
Dns=randomdomain.com
ComputerName=localhost DnsRequest "randomdomain.com"
Explanation:
This Event Search query would only find the DNS lookups to the domain www.randomdomain.com, as it specifies the exact event type and domain name to match. The other queries would either find other events or domains that are not relevant to the question.
Reference: https://www.crowdstrike.com/blog/tech-center/event-search-in-crowdstrike-falcon/
Question: 221
How do you rename fields while using transforming commands such as table, chart, and stats?
By renaming the fields with the "rename" command after the transforming command e.g. "stats count by ComputerName | rename count AS total_count"
You cannot rename fields as it would affect sub-queries and statistical analysis
By using the "renamed" keyword after the field name eg "stats count renamed totalcount by ComputerName"
By specifying the desired name after the field name eg "stats count totalcount by ComputerName"
Answer: A
Explanation:
The rename command is used to rename fields while using transforming commands such as table, chart, and stats. It can be used after the transforming command and specify the old and new field names with the AS keyword. You can rename fields as it would not affect sub-queries and statistical analysis, as long as you use the correct field names in your queries. The renamed keyword and the desired name after the field name are not valid ways to rename fields.
Reference: https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/Rename
Question: 222
SPL (Splunk) eval statements can be used to convert Unix times (Epoch) into UTC readable time. Which eval function is correct?
now
typeof
strftime
relative_time
Answer: C
Explanation:
The strftime eval function is used to convert Unix times (Epoch) into UTC readable time. It takes two arguments: a Unix time field and a format string that specifies how to display the time. The now, typeof, and relative_time eval functions are not used to convert Unix times into UTC readable time.
Reference: https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/CommonEvalFunctions
Question: 223
Which of the following queries will return the parent processes responsible for launching badprogram.exe?
[search (ParentProcess) where name=badprogram.exe ] | table ParentProcessName _time
event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessId_decimal AS TargetProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
[search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time
event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
Answer: B
Explanation:
This query will return the parent processes responsible for launching badprogram.exe by using a subsearch to find the processrollup2 events where FileName is badprogram.exe, then renaming the TargetProcessId_decimal field to ParentProcessId_decimal and using it as a filter for the main search, then using stats to count the occurrences of each FileName by _time. The other queries will either not return the parent processes or use incorrect field names or syntax.
Reference: https://www.crowdstrike.com/blog/tech-center/process-rollup-in-crowdstrike-falcon/
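The subsearch-and-join logic behind the correct query, worked through in Python as an added example (not code from the exam or from CrowdStrike). It assumes the field names the question itself uses (aid, FileName, TargetProcessId_decimal, ParentProcessId_decimal) and runs over a constructed set of process events; one row on a fourth host reuses a process id from another host to show why aid has to be part of the join key.

```python
from collections import Counter

# Constructed ProcessRollup2-style events: one row per process start, keyed by
# sensor id (aid) plus the two process id fields the query renames and joins on.
# Values are made up for this example.
PROCESS_EVENTS = [
    {"aid": "host-a", "TargetProcessId_decimal": 100, "ParentProcessId_decimal": 4,   "FileName": "explorer.exe"},
    {"aid": "host-a", "TargetProcessId_decimal": 101, "ParentProcessId_decimal": 100, "FileName": "outlook.exe"},
    {"aid": "host-a", "TargetProcessId_decimal": 102, "ParentProcessId_decimal": 101, "FileName": "badprogram.exe"},
    {"aid": "host-b", "TargetProcessId_decimal": 200, "ParentProcessId_decimal": 4,   "FileName": "explorer.exe"},
    {"aid": "host-b", "TargetProcessId_decimal": 201, "ParentProcessId_decimal": 200, "FileName": "powershell.exe"},
    {"aid": "host-b", "TargetProcessId_decimal": 202, "ParentProcessId_decimal": 201, "FileName": "badprogram.exe"},
    {"aid": "host-c", "TargetProcessId_decimal": 300, "ParentProcessId_decimal": 4,   "FileName": "explorer.exe"},
    {"aid": "host-c", "TargetProcessId_decimal": 301, "ParentProcessId_decimal": 300, "FileName": "outlook.exe"},
    {"aid": "host-c", "TargetProcessId_decimal": 302, "ParentProcessId_decimal": 301, "FileName": "badprogram.exe"},
    # Same pid value as host-a's outlook.exe but on a different sensor: it must
    # NOT be matched as a parent, which is why aid is part of the join key.
    {"aid": "host-d", "TargetProcessId_decimal": 101, "ParentProcessId_decimal": 4,   "FileName": "cmd.exe"},
]


def subsearch_parent_keys(events, child_name):
    """The inner search: rows for the child process, with ParentProcessId_decimal
    renamed to TargetProcessId_decimal so each row keys into the outer search.
    Returns the set of (aid, TargetProcessId_decimal) pairs the outer search keeps."""
    return {(e["aid"], e["ParentProcessId_decimal"])
            for e in events if e["FileName"] == child_name}


def parent_processes(events, child_name):
    """The outer search filtered by the subsearch keys, followed by the
    equivalent of 'stats count by FileName' over the surviving parent rows."""
    keys = subsearch_parent_keys(events, child_name)
    parents = [e for e in events
               if (e["aid"], e["TargetProcessId_decimal"]) in keys]
    return Counter(e["FileName"] for e in parents)


if __name__ == "__main__":
    for name, count in parent_processes(PROCESS_EVENTS, "badprogram.exe").most_common():
        print(f"{count:>3}  {name}")
```

Two parents come back (outlook.exe twice, powershell.exe once); the cmd.exe row on host-d is ignored even though its pid collides, which is the practical reason the query carries aid through the fields command.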
Question: 224
You want to produce a list of all event occurrences along with selected fields such as the full path, time, username etc. Which command would be the appropriate choice?
fields
distinct_count
table
values
Answer: C
Explanation:
The table command is used to produce a list of all event occurrences along with selected fields such as the full path, time, username etc. It takes one or more field names as arguments and displays them in a tabular format. The fields command is used to keep or remove fields from search results, not to display them in a list. The distinct_count command is used to count the number of distinct values of a field, not to display them in a list. The values command is used to display a list of unique values of a field within each group, not to display all event occurrences.
Reference: https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/Table
Question: 225
When exporting the results of the following event search, what data is saved in the exported file (assuming Verbose Mode)? event_simpleName=*Written | stats count by ComputerName
The text of the query
The results of the Statistics tab
No data. Results can only be exported when the "table" command is used
All events in the Events tab
Answer: B
Explanation:
When exporting the results of an event search, the data that is saved in the exported file depends on the mode and the tab that is selected. In this case, the mode is Verbose and the tab is Statistics, as indicated by the stats command. Therefore, the data that is saved in the exported file is the results of the Statistics tab, which shows the count of events by ComputerName. The text of the query, all events in the Events tab, and no data are not correct answers.
Reference: https://docs.splunk.com/Documentation/Splunk/8.2.3/Search/Exportsearchresults
Question: 226
The help desk is reporting an increase in calls related to user accounts being locked out over the last few days. You suspect that this could be an attack by an adversary against your organization. Select the best hunting hypothesis from the following:
A zero-day vulnerability is being exploited on a Microsoft Exchange server
A publicly available web application has been hacked and is causing the lockouts
Users are locking their accounts out because they recently changed their passwords
A password guessing attack is being executed against remote access mechanisms such as VPN
Answer: D
Explanation:
A hunting hypothesis is a statement that describes a possible malicious activity that can be tested with data and analysis. A good hunting hypothesis should be specific, testable, and relevant to the problem or goal. In this case, the best hunting hypothesis from the following is that a password guessing attack is being executed against remote access mechanisms such as VPN, as it explains the possible cause and method of the user account lockouts in a specific and testable way. A zero-day vulnerability on a Microsoft Exchange server is too vague and does not explain how it relates to the lockouts. A hacked web application is also too vague and does not specify how it causes the lockouts. Users locking their accounts out because they recently changed their passwords is not a malicious activity and does not account for the increase in calls.
Reference: https://www.crowdstrike.com/blog/tech-center/threat-hunting-framework/
Question: 227
To find events that are outliers inside a network, ________ is the best hunting method to use.
time-based
machine learning
searching
stacking
Answer: D
Explanation:
Stacking (Frequency Analysis) is the best hunting method to use to find events that are outliers inside a network. Stacking involves grouping events by a common attribute and counting their frequency, then sorting them by ascending or descending order to identify rare or common events. This can help find anomalies or deviations from normal behavior that could indicate malicious activity. Time-based searching, machine learning, and searching are not specific hunting methods to find outliers.
Reference: https://www.crowdstrike.com/blog/tech-center/stacking-in-crowdstrike-falcon/
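The three hunting techniques this sample keeps returning to, stacking (question 227), temporal analysis of detections (question 212) and rendering epoch timestamps as UTC the way _time and strftime do (questions 217 and 222), in one added Python example. It is not code from the exam or from CrowdStrike; Python stands in for SPL, the field names follow the Event Search fields the questions mention, and every event, host name and timestamp is constructed.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed ProcessRollup2-style events. Field names mirror the Event Search
# fields discussed above (aid, ComputerName, event_simpleName, FileName,
# FilePath, timestamp as Unix epoch); all values are made up.
EVENTS = [
    {"aid": "host-a", "ComputerName": "WS-ALICE", "event_simpleName": "ProcessRollup2",
     "FileName": "svchost.exe", "FilePath": r"C:\Windows\System32", "timestamp": 1700000000},
    {"aid": "host-b", "ComputerName": "WS-BOB", "event_simpleName": "ProcessRollup2",
     "FileName": "svchost.exe", "FilePath": r"C:\Windows\System32", "timestamp": 1700000060},
    {"aid": "host-c", "ComputerName": "WS-CAROL", "event_simpleName": "ProcessRollup2",
     "FileName": "chrome.exe", "FilePath": r"C:\Program Files\Google\Chrome\Application", "timestamp": 1700000120},
    {"aid": "host-a", "ComputerName": "WS-ALICE", "event_simpleName": "ProcessRollup2",
     "FileName": "svchost.exe", "FilePath": r"C:\Windows\System32", "timestamp": 1700000180},
    {"aid": "host-b", "ComputerName": "WS-BOB", "event_simpleName": "ProcessRollup2",
     "FileName": "a.exe", "FilePath": r"C:\Users\bob\AppData\Local\Temp", "timestamp": 1700000240},
    {"aid": "host-c", "ComputerName": "WS-CAROL", "event_simpleName": "ProcessRollup2",
     "FileName": "chrome.exe", "FilePath": r"C:\Program Files\Google\Chrome\Application", "timestamp": 1700000300},
    {"aid": "host-d", "ComputerName": "WS-DAVE", "event_simpleName": "ProcessRollup2",
     "FileName": "svchost.exe", "FilePath": r"C:\Windows\System32", "timestamp": 1700000360},
]

# Constructed detections, the input to the "sort by oldest" step of question 212.
DETECTIONS = [
    {"ComputerName": "WS-CAROL", "timestamp": 1700003600, "detect_name": "Suspicious process"},
    {"ComputerName": "WS-BOB",   "timestamp": 1700000240, "detect_name": "Suspicious process"},
    {"ComputerName": "WS-DAVE",  "timestamp": 1700007200, "detect_name": "Credential access"},
]


def epoch_to_utc(epoch: int) -> str:
    """Render a Unix epoch the way Event Search presents _time: UTC, human readable
    (the same job strftime does inside an eval statement)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def stack(events, field: str, ascending: bool = True):
    """Stacking / frequency analysis: count events per distinct value of `field`
    and sort so the rarest values come first (ascending) or last (descending)."""
    counts = Counter(e[field] for e in events if field in e)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]), reverse=not ascending)


def rare_values(events, field: str, max_count: int = 1):
    """The outliers: values seen at most `max_count` times, which is where a
    hunter would pivot first."""
    return [value for value, count in stack(events, field) if count <= max_count]


def first_victim(detections):
    """Temporal analysis: the host behind the oldest detection is the first
    candidate for the initial victim. Returns (ComputerName, UTC time string)."""
    oldest = min(detections, key=lambda d: d["timestamp"])
    return oldest["ComputerName"], epoch_to_utc(oldest["timestamp"])


if __name__ == "__main__":
    for value, count in stack(EVENTS, "FileName"):
        print(f"{count:>3}  {value}")
    print("outliers by FileName:", rare_values(EVENTS, "FileName"))
    print("outliers by FilePath:", rare_values(EVENTS, "FilePath"))
    print("first victim:", first_victim(DETECTIONS))
```

Stacking by FileName surfaces a.exe as the single-occurrence outlier, stacking by FilePath surfaces the Temp directory, and the two together are exactly the "single letter filename from a temporary directory" lead of question 214; the oldest detection points at WS-BOB as the first victim.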