CCFH-202 Exam Name: CrowdStrike Certified Falcon Hunter
Full version: 60 Q&As
Full version of CCFH-202 Dumps: https://www.certqueen.com/CCFH-202.html
Share some CCFH-202 exam dumps below.

1. Which of the following is TRUE about a Hash Search?
A. Wildcard searches are not permitted with the Hash Search
B. The Hash Search provides Process Execution History
C. The Hash Search is available on Linux
D. Module Load History is not presented in a Hash Search
Answer: B
Explanation: The Hash Search is an Investigate tool that allows you to search for a file hash and view its process execution history across all hosts in your environment. It shows information such as process name, command line, parent process name, parent command line, etc. for each execution of the file hash. Wildcard searches are permitted with the Hash Search, as long as they are at least four characters long. The Hash Search is available on Linux, as well as Windows and Mac OS X. Module Load History is presented in a Hash Search, along with other information such as File Write History and Detection History.
Reference: https://www.crowdstrike.com/blog/tech-center/hash-search-in-crowdstrike-falcon/

2. Which document provides information on best practices for writing Splunk-based hunting queries, predefined queries which may be customized to hunt for suspicious network connections, and predefined queries which may be customized to hunt for suspicious processes?
A. Real Time Response and Network Containment
B. Hunting and Investigation
C. Events Data Dictionary
D. Incident and Detection Monitoring
Answer: B
Explanation: The Hunting and Investigation document provides information on best practices for writing Splunk-based hunting queries, predefined queries which may be customized to hunt for suspicious network connections, and predefined queries which may be customized to hunt for suspicious processes. It is a guide that provides sample hunting queries, select walkthroughs, and best practices for hunting with Falcon. The other documents do not provide the same information.
Reference: https://falcon.crowdstrike.com/support/documentation/44/hunting-and-investigation

3. What do you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search?
A. PID
B. Process ID or Parent Process ID
C. CID
D. Process Timeline Link
Answer: D
Explanation: The Process Timeline Link is what you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search. The Process Timeline Link is an icon that looks like three horizontal bars with dots on them. It appears next to each process name or ID on various pages in Falcon, such as Hash Search results, Detection details, Event Search results, etc. Clicking on it opens a new tab with the Process Timeline for that process. The PID, the Process ID or Parent Process ID, and the CID are not what you click to jump to a Process Timeline.
Reference: https://www.crowdstrike.com/blog/tech-center/process-timeline-in-crowdstrike-falcon/

4. Which of the following queries will return the parent processes responsible for launching badprogram.exe?
A. [search (ParentProcess) where name=badprogram.exe ] | table ParentProcessName _time
B. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessId_decimal AS TargetProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
C. [search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time
D. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
Answer: D
Explanation: This query returns the parent processes responsible for launching badprogram.exe by using a subsearch to find the processrollup2 events where FileName is badprogram.exe, renaming the TargetProcessId_decimal field to ParentProcessId_decimal and using it as a filter for the main search, and then using stats to count the occurrences of each FileName by _time. The other queries either do not return the parent processes or use incorrect field names or syntax.
Reference: https://www.crowdstrike.com/blog/tech-center/process-rollup-in-crowdstrike-falcon/

5. Which field should you reference in order to find the system time of a *FileWritten event?
A. ContextTimeStamp_decimal
B. FileTimeStamp_decimal
C. ProcessStartTime_decimal
D. timestamp
Answer: A
Explanation: ContextTimeStamp_decimal is the field that shows the system time of the event that triggered the sensor to send data to the cloud. In this case, it is the time when the file was written. FileTimeStamp_decimal is the field that shows the last modified time of the file, which may not be the same as the time when the file was written. ProcessStartTime_decimal is the field that shows the start time of the process that performed the file write operation, which may not be the same as the time when the file was written. timestamp is the field that shows the time when the sensor data was received by the cloud, which may not be the same as the time when the file was written.
Reference: https://www.crowdstrike.com/blog/tech-center/understanding-timestamps-in-crowdstrike-falcon/

6. What elements are required to properly execute a Process Timeline?
A. Agent ID (AID) and Target Process ID
B. Agent ID (AID) only
C. Hostname and Local Process ID
D. Target Process ID only
Answer: A
Explanation: The Agent ID (AID) and the Target Process ID are the elements that are required to properly execute a Process Timeline. The Agent ID (AID) is a unique identifier for each host that has a Falcon sensor installed. The Target Process ID is the decimal representation of the process identifier for the process that you want to investigate. These two elements are used to query the cloud for the events related to the process on the host. The Agent ID (AID) only, the Hostname and Local Process ID, and the Target Process ID only are not sufficient to execute a Process Timeline.
Reference: https://www.crowdstrike.com/blog/tech-center/process-timeline-in-crowdstrike-falcon/

7. Lateral movement through a victim environment is an example of which stage of the Cyber Kill Chain?
A. Command & Control
B. Actions on Objectives
C. Exploitation
D. Delivery
Answer: A
Explanation: Lateral movement through a victim environment is an example of the Command & Control stage of the Cyber Kill Chain. The Cyber Kill Chain is a model that describes the phases of a cyber attack, from reconnaissance to actions on objectives. The Command & Control stage is where the adversary establishes and maintains communication with the compromised systems and moves laterally to expand their access and control.
Reference: https://www.crowdstrike.com/blog/tech-center/cyber-kill-chain/

8. Event Search data is recorded with which time zone?
A. PST
B. GMT
C. EST
D. UTC
Answer: D
Explanation: Event Search data is recorded in the UTC (Coordinated Universal Time) time zone. UTC is a standard time zone that is used as a reference point for other time zones. PST (Pacific Standard Time), GMT (Greenwich Mean Time), and EST (Eastern Standard Time) are not the time zones that Event Search data is recorded with.
Reference: https://www.crowdstrike.com/blog/tech-center/understanding-timestamps-in-crowdstrike-falcon/

9. Which structured analytic technique contrasts different hypotheses to determine which is the best leading (prioritized) hypothesis?
A. Model hunting framework
B. Competitive analysis
C. Analysis of competing hypotheses
D. Key assumptions check
Answer: C
Explanation: Analysis of competing hypotheses is a structured analytic technique that contrasts different hypotheses to determine which is the best leading (prioritized) hypothesis. It involves listing all the possible hypotheses, identifying the evidence and assumptions for each hypothesis, evaluating the consistency and reliability of the evidence and assumptions, and rating the likelihood of each hypothesis based on the evidence and assumptions.
Reference: https://www.crowdstrike.com/blog/tech-center/analysis-of-competing-hypotheses/