CrowdStrike Certified Falcon Hunter CCFH-202 Exam Dumps

CCFH-202 CrowdStrike Certified Falcon Hunter exam dumps questions are the
best material for you to test all the related CrowdStrike exam topics. By using the
CCFH-202 exam dumps questions and practicing your skills, you can increase
your confidence and chances of passing the CCFH-202 exam.
Features of Dumpsinfo’s products
Instant Download
Free Update in 3 Months
Money back guarantee
PDF and Software
24/7 Customer Support
Besides, Dumpsinfo also provides unlimited access. You can get all
Dumpsinfo files at lowest price.
CrowdStrike Certified Falcon Hunter CCFH-202 exam free dumps questions
are available below for you to study. 
Full version: CCFH-202 Exam Dumps Questions
1.What information is shown in Host Search?
A. Quarantined Files
B. Prevention Policies
C. Intel Reports
D. Processes and Services
Answer: D
Explanation:
Processes and Services is one of the categories shown in Host Search. Host Search is an
Investigate tool that presents a host's events grouped by category, such as process executions,
network connections, file writes, and so on. The Processes and Services category shows, for each
process execution event on the host, fields such as process name, command line, parent process
name and parent command line. Quarantined files, prevention policies and intel reports live in
other parts of the console and are not shown in Host Search.
 1 / 5
https://www.dumpsinfo.com/unlimited-access/
https://www.dumpsinfo.com/exam/ccfh-202
Reference: https://www.crowdstrike.com/blog/tech-center/host-search-in-crowdstrike-falcon/
2.Refer to Exhibit.
Falcon detected the above file attempting to execute.
At initial glance, what indicators can we use to provide an initial analysis of the file?
A. VirusTotal, Hybrid Analysis, and Google pivot indicator lights enabled
B. File name, path, Local and Global prevalence within the environment
C. File path, hard disk volume number, and IOC Management action
D. Local prevalence, IOC Management action, and Event Search
Answer: B
Explanation:
The file name, path, Local and Global prevalence are indicators that can provide an initial analysis of
the file without relying on external sources or tools. The file name can indicate the purpose or origin of
the file, such as if it is a legitimate application or a malicious payload. The file path can indicate where
the file was located or executed from, such as if it was in a temporary or system directory. The Local
and Global prevalence can indicate how common or rare the file is within the environment or across
all Falcon customers, which can help assess the risk or impact of the file.
Reference: https://www.crowdstrike.com/blog/tech-center/understanding-file-prevalence-in-crowdstrike-falcon/
3.Which of the following best describes the purpose of the Mac Sensor report?
A. The Mac Sensor report displays a listing of all Mac hosts without a Falcon sensor installed
B. The Mac Sensor report provides a detection focused view of known malicious activities occurring
on Mac hosts, including machine-learning and indicator-based detections
C. The Mac Sensor report displays a listing of all Mac hosts with a Falcon sensor installed
D. The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts,
including items of interest that may be hunting or investigation leads
Answer: D
Explanation:
The Mac Sensor report provides a comprehensive view of activity occurring on Mac hosts, including
items of interest that may serve as hunting or investigation leads. It is not an inventory of Mac
hosts with or without a Falcon sensor installed, and it is not a detection-focused view of known
malicious activity on Mac hosts.
Reference: https://www.crowdstrike.com/blog/tech-center/mac-sensor-report-in-crowdstrike-falcon/
4.The help desk is reporting an increase in calls related to user accounts being locked out over the
last few days. You suspect that this could be an attack by an adversary against your organization.
Select the best hunting hypothesis from the following:
A. A zero-day vulnerability is being exploited on a Microsoft Exchange server
B. A publicly available web application has been hacked and is causing the lockouts
C. Users are locking their accounts out because they recently changed their passwords
D. A password guessing attack is being executed against remote access mechanisms such as VPN
Answer: D
Explanation:
A hunting hypothesis is a statement that describes a possible malicious activity that can be tested
with data and analysis. A good hunting hypothesis should be specific, testable, and relevant to the
problem or goal. In this case, the best hunting hypothesis from the following is that a password
guessing attack is being executed against remote access mechanisms such as VPN, as it explains
the possible cause and method of the user account lockouts in a specific and testable way. A
zero-day vulnerability on a Microsoft Exchange server is too vague and does not explain how it relates to
the lockouts. A hacked web application is also too vague and does not specify how it causes the
lockouts. Users locking their accounts out because they recently changed their passwords is not a
malicious activity and does not account for the increase in calls.
Reference: https://www.crowdstrike.com/blog/tech-center/threat-hunting-framework/
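To make the hypothesis in answer D testable, here is an added example, not part of the exam material and not Falcon code, that runs the check over constructed authentication log lines: a source that fails against many distinct accounts inside a short window is the signature of password guessing or spraying, which is exactly what produces a burst of lockouts. The log format, the thresholds and the sample addresses are assumptions chosen for illustration; a single user mistyping a new password (one account, one source) does not trip the check.

```python
"""Hunt for the lockout hypothesis: password guessing against remote access.

Added example, not from the exam material or from Falcon. SAMPLE_LOG is
constructed; its format (ISO-8601 UTC time, event, account, source IP) is
an assumption standing in for VPN or domain-controller authentication logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
2024-03-04T08:00:01Z fail alice 203.0.113.7
2024-03-04T08:00:03Z fail bob 203.0.113.7
2024-03-04T08:00:05Z fail carol 203.0.113.7
2024-03-04T08:00:07Z fail dave 203.0.113.7
2024-03-04T08:00:09Z fail erin 203.0.113.7
2024-03-04T08:00:11Z fail frank 203.0.113.7
2024-03-04T08:00:12Z lockout frank 203.0.113.7
2024-03-04T08:00:13Z fail grace 203.0.113.7
2024-03-04T08:10:00Z fail alice 198.51.100.20
2024-03-04T08:10:30Z fail alice 198.51.100.20
2024-03-04T08:11:00Z success alice 198.51.100.20
2024-03-04T09:30:00Z fail heidi 192.0.2.55
"""


def parse_log(text):
    """Parse the constructed format into dicts with an aware UTC datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = line.split()
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event": event,
            "user": user,
            "src": src,
        })
    return records


def spray_sources(records, window=timedelta(minutes=5), min_accounts=5):
    """Sources whose failures cover >= min_accounts distinct accounts within any window.

    Returns {source_ip: sorted list of targeted accounts}. A user retrying
    their own password (one account) never reaches the threshold.
    """
    by_src = defaultdict(list)
    for r in records:
        if r["event"] == "fail":
            by_src[r["src"]].append(r)
    hits = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until the span fits inside `window`
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            users = {r["user"] for r in fails[start:end + 1]}
            if len(users) >= min_accounts:
                hits.setdefault(src, set()).update(users)
    return {src: sorted(users) for src, users in hits.items()}


def lockouts_from(records, sources):
    """Accounts locked out by activity from the suspicious sources."""
    return sorted({r["user"] for r in records
                   if r["event"] == "lockout" and r["src"] in sources})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hits = spray_sources(recs)
    for src, users in hits.items():
        print(f"{src}: {len(users)} accounts targeted: {', '.join(users)}")
    print("locked out:", lockouts_from(recs, hits))
```

The window and account thresholds are the knobs a hunter tunes against the environment's baseline; the check is deliberately keyed on distinct accounts per source rather than on raw failure counts, because that is what separates spraying from a help-desk-level password problem.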
5.In the Powershell Hunt report, what does the "score" signify?
A. Number of hosts that ran the PowerShell script
B. How recently the PowerShell script executed
C. Maliciousness score determined by NGAV
D. A cumulative score of the various potential command line switches
Answer: D
Explanation:
In the Powershell Hunt report, the score signifies a cumulative score of the various potential
command line switches that were used in the PowerShell script execution. The score is based on a
weighted system that assigns different values to different switches based on their potential
maliciousness or usefulness for threat hunting. For example, -EncodedCommand has a higher value
than -NoProfile. The score does not signify the number of hosts that ran the PowerShell script, how
recently the PowerShell script executed, or the maliciousness score determined by NGAV.
Reference: https://www.crowdstrike.com/blog/tech-center/powershell-hunt-report-in-crowdstrike-falcon/
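As an added illustration of the scoring mechanism described above, and not CrowdStrike's actual algorithm or weights: a small scorer that normalises PowerShell's abbreviated switch forms (-enc, -nop, -w hidden, -ep bypass) to their canonical names and sums assumed per-switch weights, with -EncodedCommand weighted highest as the explanation says. The weight table and the sample command lines are constructed for this example.

```python
"""Weighted scoring of PowerShell command-line switches.

Added example; the weights are illustrative assumptions, not the values
used by the Falcon PowerShell Hunt report. Sample command lines are
constructed.
"""
import re

# Canonical switch names and the documented short forms powershell.exe accepts.
CANONICAL = ["encodedcommand", "executionpolicy", "noprofile",
             "noninteractive", "windowstyle", "command", "nologo"]
ALIASES = {"e": "encodedcommand", "ec": "encodedcommand",
           "ex": "executionpolicy", "ep": "executionpolicy",
           "nop": "noprofile", "noni": "noninteractive",
           "w": "windowstyle", "c": "command"}

# Assumed weights: -EncodedCommand above -NoProfile, as in the explanation.
WEIGHTS = {
    "encodedcommand": 5,
    "windowstyle:hidden": 3,
    "executionpolicy:bypass": 3,
    "executionpolicy:unrestricted": 3,
    "noprofile": 1,
    "noninteractive": 1,
    "nologo": 1,
}


def resolve_switch(token):
    """Map '-enc', '-NoP', '/w' ... to a canonical name, or None if unknown/ambiguous."""
    name = token.lstrip("-/").lower()
    if name in ALIASES:
        return ALIASES[name]
    # PowerShell accepts any unambiguous prefix of a switch name
    matches = [c for c in CANONICAL if c.startswith(name)]
    return matches[0] if len(matches) == 1 else None


def score_command_line(cmdline):
    """Return (score, sorted feature list) for one command line."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    features = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if len(tok) > 1 and tok[0] in "-/":
            sw = resolve_switch(tok)
            key = sw
            # value-bearing switches: only some values are interesting
            if sw in ("windowstyle", "executionpolicy") and i + 1 < len(tokens):
                key = f"{sw}:{tokens[i + 1].lower()}"
                i += 1
            if key in WEIGHTS:
                features.append(key)
        i += 1
    return sum(WEIGHTS[f] for f in features), sorted(features)


def rank(cmdlines):
    """Highest score first, the order a hunt report would list them in."""
    return sorted(((score_command_line(c)[0], c) for c in cmdlines), reverse=True)


SAMPLE_CMDLINES = [
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    r"powershell.exe Get-ChildItem C:\Users",
]

if __name__ == "__main__":
    for score, cmd in rank(SAMPLE_CMDLINES):
        print(f"{score:2d}  {cmd}")
```

Normalising the short forms first is the part that matters: a scorer that only matches the literal string "-EncodedCommand" misses "-enc" and "-e", which is what real tradecraft uses.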
6.What topics are presented in the Hunting and Investigation Guide?
A. Detailed tutorial on writing advanced queries such as sub-searches and joins
B. Detailed summary of event names, descriptions, and some key data fields for hunting and
investigation
C. Sample hunting queries, select walkthroughs and best practices for hunting with Falcon
D. Recommended platform configurations and prevention settings to ensure detections are generated
for hunting leads
Answer: C
Explanation:
The Hunting and Investigation Guide provides sample hunting queries, selected walkthroughs and
best practices for hunting with Falcon. It is not a tutorial on advanced query constructs such as
sub-searches and joins, it is not the event-by-event summary of names and fields (that is the role of
the Events Data Dictionary), and it does not cover platform configuration or prevention settings.
Reference: https://falcon.crowdstrike.com/support/documentation/44/hunting-and-investigation
7.Which field in a DNS Request event points to the responsible process?
A. ContextProcessId_readable
B. TargetProcessId_decimal
C. ContextProcessId_decimal
D. ParentProcessId_decimal
Answer: A
Explanation:
ContextProcessId on a DnsRequest event identifies the process in whose context the lookup was
made, so it is the field that attributes the request to a process; the _readable form is the display
rendering of that identifier and lets you tie a domain lookup back to the process that performed it.
The same identifier is carried as ContextProcessId_decimal, and that decimal form is what you match
against TargetProcessId_decimal on the host's ProcessRollup2 events (keyed together with aid) to
recover the image name and command line of the requester. ParentProcessId_decimal identifies the
parent of that process, not the requester itself.
Reference: https://falcon.crowdstrike.com/support/documentation/44/events-data-dictionary
8.Event Search data is recorded with which time zone?
A. PST
B. GMT
C. EST
D. UTC
Answer: D
Explanation:
Event Search data is recorded with UTC (Coordinated Universal Time) time zone. UTC is a standard
time zone that is used as a reference point for other time zones. PST (Pacific Standard Time), GMT
(Greenwich Mean Time), and EST (Eastern Standard Time) are not the time zones that Event Search
data is recorded with.
Reference: https://www.crowdstrike.com/blog/tech-center/understanding-timestamps-in-crowdstrike-falcon/
9.Which of the following would be the correct field name to find the name of an event?
A. Event_SimpleName
B. Event_Simple_Name
C. EVENT_SIMPLE_NAME
D. event_simpleName
Answer: D
Explanation:
In Falcon Event Search the field is written event_simpleName (lowercase e, camel-cased simpleName),
and field names in Event Search are case-sensitive, so event_simpleName=ProcessRollup2 matches
while Event_SimpleName=ProcessRollup2 does not. It holds the short name of each event type, such as
ProcessRollup2, DnsRequest or FileDelete. Event_SimpleName, Event_Simple_Name and
EVENT_SIMPLE_NAME are not the field name.
Reference: https://www.crowdstrike.com/blog/tech-center/event-search-in-crowdstrike-falcon/
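The three points above (the field that names the responsible process, UTC timestamps, and the event_simpleName field) come together in the most common Event Search hunt: attributing DNS requests to the process that made them. The following added example, not from the exam material or from CrowdStrike, performs that join offline over constructed records shaped like raw Falcon events, one JSON object per line: DnsRequest.ContextProcessId_decimal is matched to ProcessRollup2.TargetProcessId_decimal on the same aid, and ContextTimeStamp is rendered as UTC. Keying on aid as well as the process id matters because process ids are only unique per sensor; the last sample record is a request on a different host with the same id and must not be attributed. The aids, process ids, paths, domains and timestamps are made up, and it is assumed that ContextTimeStamp is epoch seconds and that numeric ids arrive as strings.

```python
"""Attribute DnsRequest events to the process that made them.

Added example, not CrowdStrike code. RAW_EVENTS is constructed to resemble
raw Falcon events; every value in it is made up. Assumed: ContextTimeStamp is
epoch seconds, and numeric ids arrive as strings, so they are compared as strings.
"""
import json
from datetime import datetime, timezone

RAW_EVENTS = r"""
{"event_simpleName":"ProcessRollup2","aid":"4f1a","TargetProcessId_decimal":"281474977","ParentProcessId_decimal":"281474900","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -nop -w hidden -enc SQBFAFgA","ContextTimeStamp":"1709539200"}
{"event_simpleName":"ProcessRollup2","aid":"4f1a","TargetProcessId_decimal":"281474980","ParentProcessId_decimal":"281474900","ImageFileName":"\\Device\\HarddiskVolume1\\Program Files\\Mozilla Firefox\\firefox.exe","CommandLine":"firefox.exe","ContextTimeStamp":"1709539100"}
{"event_simpleName":"DnsRequest","aid":"4f1a","ContextProcessId_decimal":"281474977","DomainName":"update-check.example","ContextTimeStamp":"1709539230"}
{"event_simpleName":"DnsRequest","aid":"4f1a","ContextProcessId_decimal":"281474980","DomainName":"www.mozilla.org","ContextTimeStamp":"1709539110"}
{"event_simpleName":"DnsRequest","aid":"9b2c","ContextProcessId_decimal":"281474977","DomainName":"intranet.example","ContextTimeStamp":"1709539240"}
"""


def load_events(raw):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def to_utc(epoch):
    """Render an epoch timestamp explicitly in UTC, the zone Event Search records in."""
    return datetime.fromtimestamp(int(float(epoch)), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def by_event_name(events):
    """Count events per event_simpleName; the key is case-sensitive."""
    counts = {}
    for e in events:
        counts[e["event_simpleName"]] = counts.get(e["event_simpleName"], 0) + 1
    return counts


def attribute_dns(events):
    """Join each DnsRequest to its ProcessRollup2 on (aid, process id), oldest first."""
    procs = {(e["aid"], e["TargetProcessId_decimal"]): e
             for e in events if e["event_simpleName"] == "ProcessRollup2"}
    rows = []
    for e in events:
        if e["event_simpleName"] != "DnsRequest":
            continue
        # aid is part of the key: process id values repeat across sensors
        proc = procs.get((e["aid"], e["ContextProcessId_decimal"]))
        rows.append({
            "time_utc": to_utc(e["ContextTimeStamp"]),
            "aid": e["aid"],
            "domain": e["DomainName"],
            "process": proc["ImageFileName"].rsplit("\\", 1)[-1] if proc else None,
            "command_line": proc["CommandLine"] if proc else None,
        })
    return sorted(rows, key=lambda r: r["time_utc"])


if __name__ == "__main__":
    events = load_events(RAW_EVENTS)
    print(by_event_name(events))
    for row in attribute_dns(events):
        print(row["time_utc"], row["aid"], row["domain"], "<-", row["process"], row["command_line"])
```

A row whose process is None is not noise to discard: it means the ProcessRollup2 for that host is outside the searched time range or the join key is wrong, and either is worth knowing before drawing conclusions about the domain.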