CCFH-202 CrowdStrike Certified Falcon Hunter Updated Dumps

Faça como milhares de estudantes: teste grátis o Passei Direto

Esse e outros conteúdos desbloqueados

16 milhões de materiais de várias disciplinas

Impressão de materiais

Agora você pode testar o

Passei Direto grátis

Você também pode ser Premium ajudando estudantes

Faça como milhares de estudantes: teste grátis o Passei Direto

Esse e outros conteúdos desbloqueados

16 milhões de materiais de várias disciplinas

Impressão de materiais

Agora você pode testar o

Passei Direto grátis

Você também pode ser Premium ajudando estudantes

Faça como milhares de estudantes: teste grátis o Passei Direto

Esse e outros conteúdos desbloqueados

16 milhões de materiais de várias disciplinas

Impressão de materiais

Agora você pode testar o

Passei Direto grátis

Você também pode ser Premium ajudando estudantes
Você viu 3, do total de 6 páginas

Faça como milhares de estudantes: teste grátis o Passei Direto

Esse e outros conteúdos desbloqueados

16 milhões de materiais de várias disciplinas

Impressão de materiais

Agora você pode testar o

Passei Direto grátis

Você também pode ser Premium ajudando estudantes

Faça como milhares de estudantes: teste grátis o Passei Direto

Esse e outros conteúdos desbloqueados

16 milhões de materiais de várias disciplinas

Impressão de materiais

Agora você pode testar o

Passei Direto grátis

Você também pode ser Premium ajudando estudantes

Faça como milhares de estudantes: teste grátis o Passei Direto

Esse e outros conteúdos desbloqueados

16 milhões de materiais de várias disciplinas

Impressão de materiais

Agora você pode testar o

Passei Direto grátis

Você também pode ser Premium ajudando estudantes
Você viu 6, do total de 6 páginas

Prévia do material em texto

CCFH-202
Exam Name: CrowdStrike Certified Falcon Hunter
Full version: 60 Q&As
Full version of CCFH-202 Dumps: https://www.certqueen.com/CCFH-202.html
A selection of CCFH-202 exam questions is shared below.
1. Which of the following is TRUE about a Hash Search?
A. Wildcard searches are not permitted with the Hash Search
B. The Hash Search provides Process Execution History
C. The Hash Search is available on Linux
D. Module Load History is not presented in a Hash Search
Answer: B
Explanation:
The Hash Search is an Investigate tool that allows you to search for a file hash and view its
process execution history across all hosts in your environment. It shows information such as
process name, command line, parent process name, parent command line, etc. for each
execution of the file hash. Wildcard searches are permitted with the Hash Search, as long as
they are at least four characters long. The Hash Search is available on Linux, as well as
Windows and Mac OS X. Module Load History is presented in a Hash Search, along with other
information such as File Write History and Detection History.
Reference: https://www.crowdstrike.com/blog/tech-center/hash-search-in-crowdstrike-falcon/
2. Which document provides information on best practices for writing Splunk-based hunting
queries, predefined queries which may be customized to hunt for suspicious network
connections, and predefined queries which may be customized to hunt for suspicious
processes?
A. Real Time Response and Network Containment
B. Hunting and Investigation
C. Events Data Dictionary
D. Incident and Detection Monitoring
Answer: B
Explanation:
The Hunting and Investigation document provides best practices for writing Splunk-based
hunting queries, together with predefined queries that can be customized to hunt for suspicious
network connections and predefined queries that can be customized to hunt for suspicious
processes. It is a guide containing sample hunting queries, selected walkthroughs and best
practices for hunting with Falcon. The other documents (Real Time Response and Network
Containment, Events Data Dictionary, Incident and Detection Monitoring) cover their named
topics and do not provide these hunting queries.
Reference: https://falcon.crowdstrike.com/support/documentation/44/hunting-and-investigation
3. What do you click to jump to a Process Timeline from many pages in Falcon, such as a Hash
Search?
A. PID
B. Process ID or Parent Process ID
C. CID
D. Process Timeline Link
Answer: D
Explanation:
The Process Timeline link is what you click to jump to a Process Timeline from many pages in
Falcon, such as a Hash Search. It is an icon that looks like three horizontal bars with dots on
them and appears next to each process name or ID on pages such as Hash Search results,
detection details and Event Search results; clicking it opens the Process Timeline for that
process in a new tab. The PID, the Process ID or Parent Process ID value, and the CID
(customer ID) are identifiers, not navigation controls; the timeline itself is built from the host's
Agent ID and the sensor's Target Process ID, not from the operating-system PID.
Reference: https://www.crowdstrike.com/blog/tech-center/process-timeline-in-crowdstrike-falcon/
4. Which of the following queries will return the parent processes responsible for launching
badprogram.exe?
A. [search (ParentProcess) where name=badprogram.exe ] | table ParentProcessName _time
B. event_simpleName=processrollup2 [search event_simpleName=processrollup2
FileName=badprogram.exe | rename ParentProcessId_decimal AS TargetProcessId_decimal |
fields aid TargetProcessId_decimal] | stats count by FileName _time
C. [search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table
ParentProcessName _time
D. event_simpleName=processrollup2 [search event_simpleName=processrollup2
FileName=badprogram.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal |
fields aid TargetProcessId_decimal] | stats count by FileName _time
Answer: B
Explanation:
In Falcon Event Search every ProcessRollup2 event carries the sensor's identifier for the
process (TargetProcessId_decimal) and for its parent (ParentProcessId_decimal). The
subsearch in option B selects the ProcessRollup2 events for badprogram.exe, renames
ParentProcessId_decimal to TargetProcessId_decimal and returns aid and
TargetProcessId_decimal; Splunk expands the subsearch into a filter of (aid AND
TargetProcessId_decimal) pairs, so the outer search matches the parents' own ProcessRollup2
events and stats reports their FileName by _time. aid must be part of the join because process
identifiers are only unique within one host. Option D renames in the wrong direction and then
asks fields for TargetProcessId_decimal, a field that no longer exists after the rename; the
subsearch returns only aid values and the outer search matches every process on those hosts.
Options A and C use field names and syntax that do not exist in Falcon Event Search.
Reference: https://www.crowdstrike.com/blog/tech-center/process-rollup-in-crowdstrike-falcon/
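The join that the subsearch in question 4 performs, reproduced in plain Python so the difference between the options can be seen on data. This is an added example with constructed events, not Falcon telemetry or CrowdStrike code; the field names follow the Event Search schema used in the question, and the event values, host ids and process ids are made up.

```python
"""Simulate the ProcessRollup2 parent lookup from question 4 in plain Python.

Added example with constructed events, not Falcon telemetry or CrowdStrike
code. Field names follow the Falcon Event Search schema used in the question:
aid (sensor agent id), TargetProcessId_decimal (the sensor's id for the
process), ParentProcessId_decimal (the parent's TargetProcessId_decimal),
FileName and _time.
"""
from collections import Counter

# Constructed ProcessRollup2 events for two hosts. Process ids are only unique
# per host: id 101 is cmd.exe on a1 but winword.exe on a2.
EVENTS = [
    {"aid": "a1", "TargetProcessId_decimal": 100, "ParentProcessId_decimal": 1,
     "FileName": "explorer.exe", "_time": 1700000000},
    {"aid": "a1", "TargetProcessId_decimal": 101, "ParentProcessId_decimal": 100,
     "FileName": "cmd.exe", "_time": 1700000010},
    {"aid": "a1", "TargetProcessId_decimal": 102, "ParentProcessId_decimal": 101,
     "FileName": "badprogram.exe", "_time": 1700000020},
    {"aid": "a2", "TargetProcessId_decimal": 101, "ParentProcessId_decimal": 5,
     "FileName": "winword.exe", "_time": 1700000105},
    {"aid": "a2", "TargetProcessId_decimal": 200, "ParentProcessId_decimal": 5,
     "FileName": "outlook.exe", "_time": 1700000100},
    {"aid": "a2", "TargetProcessId_decimal": 201, "ParentProcessId_decimal": 200,
     "FileName": "badprogram.exe", "_time": 1700000110},
    {"aid": "a2", "TargetProcessId_decimal": 202, "ParentProcessId_decimal": 201,
     "FileName": "powershell.exe", "_time": 1700000120},
]


def _count_by_filename_time(matches):
    """Equivalent of '| stats count by FileName _time'."""
    return dict(Counter((e["FileName"], e["_time"]) for e in matches))


def parents_of(events, filename):
    """Option B. The subsearch renames ParentProcessId_decimal to
    TargetProcessId_decimal and returns (aid, TargetProcessId_decimal) pairs,
    so the outer search matches the parents' own ProcessRollup2 events."""
    keys = {(e["aid"], e["ParentProcessId_decimal"])
            for e in events if e["FileName"] == filename}
    return _count_by_filename_time(
        e for e in events if (e["aid"], e["TargetProcessId_decimal"]) in keys)


def parents_of_option_d(events, filename):
    """Option D. After renaming TargetProcessId_decimal away, 'fields aid
    TargetProcessId_decimal' keeps only aid, so the subsearch becomes a list
    of hosts and the outer search returns every process on those hosts."""
    aids = {e["aid"] for e in events if e["FileName"] == filename}
    return _count_by_filename_time(e for e in events if e["aid"] in aids)


def parents_of_without_aid(events, filename):
    """Option B with aid dropped from the join: process ids collide across
    hosts, so unrelated processes that reuse an id are returned too."""
    ids = {e["ParentProcessId_decimal"] for e in events if e["FileName"] == filename}
    return _count_by_filename_time(
        e for e in events if e["TargetProcessId_decimal"] in ids)


if __name__ == "__main__":
    print("option B   :", parents_of(EVENTS, "badprogram.exe"))
    print("option D   :", parents_of_option_d(EVENTS, "badprogram.exe"))
    print("no aid join:", parents_of_without_aid(EVENTS, "badprogram.exe"))
```

Run as a script, option B yields exactly the two parents (cmd.exe on a1, outlook.exe on a2), option D yields all seven processes on the two hosts, and the aid-less join wrongly adds winword.exe from a2 because it reuses id 101.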
5. Which field should you reference in order to find the system time of a *FileWritten event?
A. ContextTimeStamp_decimal
B. FileTimeStamp_decimal
C. ProcessStartTime_decimal
D. timestamp
Answer: A
Explanation:
ContextTimeStamp_decimal is the system time, as seen by the sensor on the host, of the event
that caused the sensor to send data to the cloud; for a *FileWritten event that is the time of the
write. FileTimeStamp_decimal is the file's last-modified timestamp as recorded on disk, which
need not match the write time because it can be set arbitrarily (timestomping).
ProcessStartTime_decimal is the start time of the process that performed the write, which
precedes the write itself. timestamp is the time the cloud received the sensor data, which lags
the event by transit and processing time.
Reference: https://www.crowdstrike.com/blog/tech-center/understanding-timestamps-in-crowdstrike-falcon/
6. What elements are required to properly execute a Process Timeline?
A. Agent ID (AID) and Target Process ID
B. Agent ID (AID) only
C. Hostname and Local Process ID
D. Target Process ID only
Answer: A
Explanation:
A Process Timeline requires both the Agent ID (AID) and the Target Process ID. The AID
uniquely identifies a host that has a Falcon sensor installed. The Target Process ID is the
sensor-assigned process identifier (TargetProcessId_decimal in Event Search), which is distinct
from the operating-system PID (RawProcessId_decimal): the OS reuses PIDs and they are not
unique across hosts, whereas the AID and TargetProcessId_decimal together identify one
process instance. These two values are used to query the cloud for all events related to that
process on that host. The AID alone, the hostname plus local process ID, or the Target Process
ID alone are not sufficient to execute a Process Timeline.
Reference: https://www.crowdstrike.com/blog/tech-center/process-timeline-in-crowdstrike-falcon/
7. Lateral movement through a victim environment is an example of which stage of the Cyber
Kill Chain?
A. Command & Control
B. Actions on Objectives
C. Exploitation
D. Delivery
Answer: B
Explanation:
Lateral movement through a victim environment belongs to the Actions on Objectives stage of
the Cyber Kill Chain. The Cyber Kill Chain (Lockheed Martin) models an intrusion as seven
phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command &
Control, and Actions on Objectives. Command & Control covers establishing the channel over
which the adversary remotely controls compromised systems; Actions on Objectives covers
what the adversary then does with that access, including internal reconnaissance, credential
collection, lateral movement, data collection and exfiltration.
Reference: https://www.crowdstrike.com/blog/tech-center/cyber-kill-chain/
8. Event Search data is recorded with which time zone?
A. PST
B. GMT
C. EST
D. UTC
Answer: D
Explanation:
Event Search data is recorded in UTC (Coordinated Universal Time). Timestamps are stored in
UTC regardless of the host's or the analyst's local time zone, so events from hosts in different
regions can be correlated directly; convert to local time only for presentation. PST (Pacific
Standard Time), GMT (Greenwich Mean Time) and EST (Eastern Standard Time) are not the
time zone in which Event Search data is recorded.
Reference: https://www.crowdstrike.com/blog/tech-center/understanding-timestamps-in-crowdstrike-falcon/
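Questions 5 and 8 together say which field carries the event's own time and that Event Search times are UTC. The following added example (not code from the page or from CrowdStrike) reads a constructed *FileWritten event and uses those fields the way a hunter would: the write time comes from ContextTimeStamp_decimal, conversions are done in UTC, and the file's own FileTimeStamp_decimal is compared against the write time to flag a timestomped file. Assumptions: the *_decimal fields are Unix epoch values with optional fractional seconds, the cloud timestamp field may be in milliseconds (so large values are scaled to seconds), and the one-hour tolerance is illustrative.

```python
"""Read the timestamp fields of a *FileWritten event (questions 5 and 8).

Added example with a constructed event, not Falcon telemetry or CrowdStrike
code. Assumptions: the *_decimal fields are Unix epoch values in UTC with
optional fractional seconds, and the cloud 'timestamp' field may be expressed
in milliseconds, so values that large are scaled to seconds.
"""
from datetime import datetime, timedelta, timezone

# Constructed NewExecutableWritten-style event. The file's recorded
# modification time has been pushed back to 2010, the way a timestomping
# tool would, while the write itself happened at ContextTimeStamp_decimal.
SAMPLE_EVENT = {
    "event_simpleName": "NewExecutableWritten",
    "aid": "0123456789abcdef",
    "ContextTimeStamp_decimal": 1700000000.123,  # host time of the write
    "FileTimeStamp_decimal": 1262304000.0,        # file's last-modified time
    "ProcessStartTime_decimal": 1699999000.0,     # writing process started
    "timestamp": 1700000012456,                   # cloud receipt, milliseconds
    "TargetFileName": "C:\\Users\\Public\\update.exe",
}


def epoch_to_utc(value):
    """Convert an epoch value (seconds, or milliseconds if implausibly large)
    to a timezone-aware UTC datetime. Event Search stores times in UTC, so
    no local offset is ever applied here."""
    seconds = float(value)
    if seconds > 1e11:  # past year 5000 if read as seconds, so milliseconds
        seconds /= 1000.0
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def event_time(event):
    """System time of the write itself: ContextTimeStamp_decimal."""
    return epoch_to_utc(event["ContextTimeStamp_decimal"])


def ingest_lag(event):
    """How long after the write the cloud received the event."""
    return epoch_to_utc(event["timestamp"]) - event_time(event)


def writer_age(event):
    """How long the writing process had been running when it wrote the file."""
    return event_time(event) - epoch_to_utc(event["ProcessStartTime_decimal"])


def timestomp_skew(event, tolerance=timedelta(hours=1)):
    """Compare the file's recorded mtime with the time it was actually written.

    For a freshly written file the two should be close. An mtime far from
    the write time, especially far in the past, is a timestomping indicator.
    Returns (skew, flagged); the one-hour tolerance is an assumption."""
    skew = event_time(event) - epoch_to_utc(event["FileTimeStamp_decimal"])
    return skew, abs(skew) > tolerance


if __name__ == "__main__":
    print("event time (UTC):", event_time(SAMPLE_EVENT).isoformat())
    print("ingest lag      :", ingest_lag(SAMPLE_EVENT))
    print("writer age      :", writer_age(SAMPLE_EVENT))
    skew, flagged = timestomp_skew(SAMPLE_EVENT)
    print("mtime skew      :", skew, "flagged" if flagged else "ok")
```

The point of keeping every conversion in UTC is that the skew and lag computations stay correct no matter where the analyst or the host sits; a local-time conversion applied to one field but not another would manufacture a false offset of several hours.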
9. Which structured analytic technique contrasts different hypotheses to determine which is the
best leading (prioritized) hypothesis?
A. Model hunting framework
B. Competitive analysis
C. Analysis of competing hypotheses
D. Key assumptions check
Answer: C
Explanation:
Analysis of competing hypotheses (ACH) is a structured analytic technique that contrasts
different hypotheses to determine which is the best leading (prioritized) hypothesis. The analyst
lists every plausible hypothesis, collects the evidence and assumptions bearing on them, rates
each item of evidence as consistent or inconsistent with each hypothesis in a matrix, and sets
aside evidence that fits every hypothesis equally because it is not diagnostic. Hypotheses are
then ranked by how much evidence is inconsistent with them: the hypothesis with the least
contradicting evidence leads, rather than the one with the most support.
Reference: https://www.crowdstrike.com/blog/tech-center/analysis-of-competing-hypotheses/
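The ACH procedure from question 9 as a small scored matrix. This is an added example, not code from the page or from CrowdStrike; the hypotheses, evidence rows, weights and consistency ratings are constructed for illustration. It shows the two rules that make ACH different from a simple "most supporting evidence wins" tally: evidence that fits every hypothesis is ignored, and the ranking is by inconsistency, lowest first.

```python
"""Analysis of Competing Hypotheses (question 9) as a scored matrix.

Added example, not from the page or from CrowdStrike. The hypotheses,
evidence items, weights and ratings are constructed for illustration.
ACH ranks hypotheses by the evidence that is INCONSISTENT with them, not
by the evidence that supports them, and evidence that fits every hypothesis
equally carries no diagnostic value.
"""
CONSISTENT, NEUTRAL, INCONSISTENT = "C", "N", "I"

HYPOTHESES = [
    "H1: commodity malware infection",
    "H2: targeted intrusion with hands-on-keyboard activity",
    "H3: benign administrator activity",
]

# Constructed evidence rows: (description, weight, rating per hypothesis).
# Weight reflects the analyst's confidence in the evidence itself.
EVIDENCE = [
    ("Unsigned binary dropped to C:\\Users\\Public and run within seconds",
     1.0, [CONSISTENT, CONSISTENT, INCONSISTENT]),
    ("Parent process is the signed remote-management tool IT uses",
     1.0, [NEUTRAL, CONSISTENT, CONSISTENT]),
    ("Interactive cmd.exe session running whoami, net group, nltest",
     2.0, [INCONSISTENT, CONSISTENT, NEUTRAL]),
    ("Periodic beaconing to a domain registered three days ago",
     1.5, [CONSISTENT, CONSISTENT, INCONSISTENT]),
    ("Activity fell inside the approved change window",
     0.5, [CONSISTENT, CONSISTENT, CONSISTENT]),  # fits all: not diagnostic
]


def is_diagnostic(ratings):
    """Evidence only helps discriminate if the hypotheses disagree about it."""
    return len(set(ratings)) > 1


def inconsistency_scores(hypotheses, evidence):
    """Weighted sum of evidence inconsistent with each hypothesis (lower is better)."""
    scores = {h: 0.0 for h in hypotheses}
    for _description, weight, ratings in evidence:
        if not is_diagnostic(ratings):
            continue
        for hypothesis, rating in zip(hypotheses, ratings):
            if rating == INCONSISTENT:
                scores[hypothesis] += weight
    return scores


def rank_hypotheses(hypotheses, evidence):
    """Return (hypothesis, score) pairs, leading hypothesis first."""
    scores = inconsistency_scores(hypotheses, evidence)
    return sorted(scores.items(), key=lambda item: item[1])


def diagnostic_evidence(evidence):
    """Descriptions of the evidence that actually discriminates between hypotheses."""
    return [description for description, _w, ratings in evidence if is_diagnostic(ratings)]


if __name__ == "__main__":
    for hypothesis, score in rank_hypotheses(HYPOTHESES, EVIDENCE):
        print(f"{score:4.1f}  {hypothesis}")
    print("non-diagnostic rows:", len(EVIDENCE) - len(diagnostic_evidence(EVIDENCE)))
```

With this matrix H2 leads with no inconsistent evidence, H1 is contradicted by the interactive recon session, and H3 by the dropped binary and the young beacon domain; the change-window row changes nothing because all three hypotheses accommodate it.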