CCFH-202 CrowdStrike Certified Falcon Hunter exam dumps questions are the best material for you to test all the related CrowdStrike exam topics. By using the CCFH-202 exam dumps questions and practicing your skills, you can increase your confidence and chances of passing the CCFH-202 exam.

Features of Dumpsinfo's products:
- Instant Download
- Free Update in 3 Months
- Money back guarantee
- PDF and Software
- 24/7 Customer Support

Besides, Dumpsinfo also provides unlimited access. You can get all Dumpsinfo files at the lowest price. CrowdStrike Certified Falcon Hunter CCFH-202 exam free dumps questions are available below for you to study.

Full version: CCFH-202 Exam Dumps Questions

1. What information is shown in Host Search?
A. Quarantined Files
B. Prevention Policies
C. Intel Reports
D. Processes and Services
Answer: D
Explanation: Processes and Services is one of the categories of information shown in Host Search. Host Search is an Investigate tool that allows you to view events by category, such as process executions, network connections, file writes, etc. Processes and Services is the category that shows information such as process name, command line, parent process name, parent command line, etc. for each process execution event on a host. Quarantined Files, Prevention Policies, and Intel Reports are not shown in Host Search.
Reference: https://www.crowdstrike.com/blog/tech-center/host-search-in-crowdstrike-falcon/

1 / 5 https://www.dumpsinfo.com/unlimited-access/ https://www.dumpsinfo.com/exam/ccfh-202

2. Refer to Exhibit. Falcon detected the above file attempting to execute. At initial glance, what indicators can we use to provide an initial analysis of the file?
A. VirusTotal, Hybrid Analysis, and Google pivot indicator lights enabled
B. File name, path, Local and Global prevalence within the environment
C. File path, hard disk volume number, and IOC Management action
D. Local prevalence, IOC Management action, and Event Search
Answer: B
Explanation: The file name, path, and Local and Global prevalence are indicators that can provide an initial analysis of the file without relying on external sources or tools. The file name can indicate the purpose or origin of the file, such as whether it is a legitimate application or a malicious payload. The file path can indicate where the file was located or executed from, such as whether it was in a temporary or system directory. The Local and Global prevalence can indicate how common or rare the file is within the environment or across all Falcon customers, which can help assess the risk or impact of the file.
Reference: https://www.crowdstrike.com/blog/tech-center/understanding-file-prevalence-in-crowdstrike-falcon/

3. Which of the following best describes the purpose of the Mac Sensor report?
A. The Mac Sensor report displays a listing of all Mac hosts without a Falcon sensor installed
B. The Mac Sensor report provides a detection focused view of known malicious activities occurring on Mac hosts, including machine-learning and indicator-based detections
C. The Mac Sensor report displays a listing of all Mac hosts with a Falcon sensor installed
D. The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts, including items of interest that may be hunting or investigation leads
Answer: D
Explanation: The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts, including items of interest that may be hunting or investigation leads. It does not display a listing of all Mac hosts with or without a Falcon sensor installed, nor does it provide a detection focused view of known malicious activities occurring on Mac hosts.
Reference: https://www.crowdstrike.com/blog/tech-center/mac-sensor-report-in-crowdstrike-falcon/

4. The help desk is reporting an increase in calls related to user accounts being locked out over the last few days. You suspect that this could be an attack by an adversary against your organization. Select the best hunting hypothesis from the following:
A. A zero-day vulnerability is being exploited on a Microsoft Exchange server
B. A publicly available web application has been hacked and is causing the lockouts
C. Users are locking their accounts out because they recently changed their passwords
D. A password guessing attack is being executed against remote access mechanisms such as VPN
Answer: D
Explanation: A hunting hypothesis is a statement that describes a possible malicious activity that can be tested with data and analysis. A good hunting hypothesis should be specific, testable, and relevant to the problem or goal. In this case, the best hunting hypothesis is that a password guessing attack is being executed against remote access mechanisms such as VPN, as it explains the possible cause and method of the user account lockouts in a specific and testable way. A zero-day vulnerability on a Microsoft Exchange server is too vague and does not explain how it relates to the lockouts. A hacked web application is also too vague and does not specify how it causes the lockouts. Users locking their accounts out because they recently changed their passwords is not a malicious activity and does not account for the increase in calls.
Reference: https://www.crowdstrike.com/blog/tech-center/threat-hunting-framework/

5. In the PowerShell Hunt report, what does the "score" signify?
A. Number of hosts that ran the PowerShell script
B. How recently the PowerShell script executed
C. Maliciousness score determined by NGAV
D. A cumulative score of the various potential command line switches
Answer: D
Explanation: In the PowerShell Hunt report, the score signifies a cumulative score of the various potential command line switches that were used in the PowerShell script execution. The score is based on a weighted system that assigns different values to different switches based on their potential maliciousness or usefulness for threat hunting. For example, -EncodedCommand has a higher value than -NoProfile. The score does not signify the number of hosts that ran the PowerShell script, how recently the PowerShell script executed, or the maliciousness score determined by NGAV.
Reference: https://www.crowdstrike.com/blog/tech-center/powershell-hunt-report-in-crowdstrike-falcon/

6. What topics are presented in the Hunting and Investigation Guide?
A. Detailed tutorial on writing advanced queries such as sub-searches and joins
B. Detailed summary of event names, descriptions, and some key data fields for hunting and investigation
C. Sample hunting queries, select walkthroughs and best practices for hunting with Falcon
D. Recommended platform configurations and prevention settings to ensure detections are generated for hunting leads
Answer: C
Explanation: The Hunting and Investigation Guide provides sample hunting queries, select walkthroughs, and best practices for hunting with Falcon. It does not provide a detailed tutorial on writing advanced queries, a detailed summary of event names and descriptions, or recommended platform configurations and prevention settings.
Reference: https://falcon.crowdstrike.com/support/documentation/44/hunting-and-investigation

7. Which field in a DNS Request event points to the responsible process?
A. ContextProcessId_readable
B. TargetProcessId_decimal
C. ContextProcessId_decimal
D. ParentProcessId_decimal
Answer: A
Explanation: The ContextProcessId_readable field in a DNS Request event points to the responsible process. The ContextProcessId_readable field is the readable representation of the process identifier for the process that initiated the DNS request. It can be used to identify which process was communicating with a specific domain or IP address. The TargetProcessId_decimal, ContextProcessId_decimal, and ParentProcessId_decimal fields do not point to the responsible process.
Reference: https://falcon.crowdstrike.com/support/documentation/44/events-data-dictionary

8. Event Search data is recorded with which time zone?
A. PST
B. GMT
C. EST
D. UTC
Answer: D
Explanation: Event Search data is recorded in the UTC (Coordinated Universal Time) time zone. UTC is a standard time zone that is used as a reference point for other time zones. PST (Pacific Standard Time), GMT (Greenwich Mean Time), and EST (Eastern Standard Time) are not the time zones that Event Search data is recorded with.
Reference: https://www.crowdstrike.com/blog/tech-center/understanding-timestamps-in-crowdstrike-falcon/

9. Which of the following would be the correct field name to find the name of an event?
A. Event_SimpleName
B. Event_Simple_Name
C. EVENT_SIMPLE_NAME
D. event_simpleName
Answer: A
Explanation: Event_SimpleName is the correct field name to find the name of an event in Falcon Event Search. It is a field that shows the simplified name of each event type, such as ProcessRollup2, DnsRequest, or FileDelete. Event_Simple_Name, EVENT_SIMPLE_NAME, and event_simpleName are not valid field names for finding the name of an event.
Reference: https://www.crowdstrike.com/blog/tech-center/event-search-in-crowdstrike-falcon/