When exporting the results of the following event search, what data is saved in the exported file (assuming Verbose Mode)?
event_simpleName=*Written | stats count by ComputerName
A. The text of the query
B. The results of the Statistics tab
C. No data. Results can only be exported when the "table"...
A benefit of using a threat hunting framework is that it:
A. Automatically generates incident reports
B. Eliminates false positives
C. Provides high fidelity threat actor attribution
D. Provides actionable, repeatable steps to conduct threat hunting
Answer: D
Explanation: A threat hunting framework is a methodology that guides threat hunters...
Which of the following Event Search queries would only find the DNS lookups to the domain www.randomdomain.com?
A. event_simpleName=DnsRequest DomainName=www.randomdomain.com
B. event_simpleName=DnsRequest DomainName=randomdomain.com ComputerName=localhost
C. Dns=randomdomain.com
D. ComputerName=localhost DnsRequest "randomdomain.com"
Answer: A
Explanation: This Event Search query would only find the DNS lookups...
Which of the following would be the correct field name to find the name of an event?
A. Event_SimpleName
B. Event_Simple_Name
C. EVENT_SIMPLE_NAME
D. event_simpleName
Answer: D
Explanation: Event_SimpleName is the correct field name to find the name of an event in Falcon Event Search. It is a field that...
Which of the following is a suspicious process behavior?
A. PowerShell running an execution policy of RemoteSigned
B. An Internet browser (e.g., Internet Explorer) performing multiple DNS requests
C. PowerShell launching a PowerShell script
D. Non-network processes (e.g., notepad.exe) making an outbound network connection
Answer: D
Explanation: Non-network processes...
You want to produce a list of all event occurrences along with selected fields such as the full path, time, username, etc. Which command would be the appropriate choice?
A. fields
B. distinct count
C. table
D. values
Answer: C
Explanation: The table command is used to produce a list...
Event Search data is recorded with which time zone?
A. PST
B. GMT
C. EST
D. UTC
Answer: D
Explanation: Event Search data is recorded with the UTC (Coordinated Universal Time) time zone. UTC is a standard time zone that is used as a reference point for other time zones. PST...
Which of the following queries will return the parent processes responsible for launching badprogram.exe?
A. [search (ParentProcess) where name=badprogram.exe] | table ParentProcessName _time
B. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessId_decimal AS TargetProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
C. [search (ProcessList) where Name=badprogram.exe...
How do you rename fields while using transforming commands such as table, chart, and stats?
A. By renaming the fields with the "rename" command after the transforming command, e.g. "stats count by ComputerName | rename count AS total_count"
B. You cannot rename fields as it would affect sub-queries and statistical...
Which of the following is an example of a Falcon threat hunting lead?
A. A routine threat hunt query showing process executions of single letter filename (e.g., a.exe) from temporary directories
B. Security appliance logs showing potentially bad traffic to an unknown external IP address
C. A help desk ticket...