CCFH-202 Questions PDF [2023] Use Valid New dump to Clear Exam [Q18-Q41]

Rate this post

CCFH-202 Questions PDF [2023] Use Valid New dump to Clear Exam

Passing CrowdStrike CCFH-202 Exam Using 2023 Practice Tests

CrowdStrike CCFH-202 Exam Syllabus Topics:

Topic	Details
Topic 1	Utilize the MITRE ATT&CK Framework to model threat actor behaviors Explain what information a bulk (Destination) IP search provides
Topic 2	Identify the vulnerability exploited from an initial attack vector Explain what information is in the Events Data Dictionary
Topic 3	Explain what information a Source IP Search provides Explain what the “table” command does and demonstrate how it can be used for formatting output
Topic 4	Locate built-in Hunting reports and explain what they provide Identify alternative analytical interpretations to minimize and reduce false positives
Topic 5	Convert and format Unix times to UTC-readable time Evaluate information for reliability, validity and relevance for use in the process of elimination
Topic 6	Explain what information a Mac Sensor Report will provide Conduct hypothesis and hunting lead generation to prove them out using Falcon tools
Topic 7	Explain what information a Hash Execution Search provides Explain what information a Bulk Domain Search provides

Q18. Which pre-defined reports offer information surrounding activities that typically indicate suspicious activity occurring on a system?

Scheduled searches

Hunt reports

Sensor reports

Timeline reports

Q19. Which of the following is a recommended technique to find unique outliers among a set of data in the Falcon Event Search?

Hunt-and-Peck Search Methodology

Stacking (Frequency Analysis)

Time-based Searching

Machine Learning

Q20. Which SPL (Splunk) field name can be used to automatically convert Unix times (Epoch) to UTC readable time within the Flacon Event Search?

utc_time

conv_time

_time

time

Q21. In which of the following stages of the Cyber Kill Chain does the actor not interact with the victim endpoint(s)?

Exploitation

Weaponization

Command & control

Installation

Q22. Which of the following queries will return the parent processes responsible for launching badprogram exe?

[search (ParentProcess) where name=badprogranrexe ] | table ParentProcessName _time

event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessld_decimal AS TargetProcessld_decimal | fields aid TargetProcessld_decimal] | stats count by FileName _time

[search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time

event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessld_decimal AS ParentProcessld_decimal | fields aid TargetProcessld_decimal] | stats count by FileName _time

Q23. A benefit of using a threat hunting framework is that it:

Automatically generates incident reports

Eliminates false positives

Provides high fidelity threat actor attribution

Provides actionable, repeatable steps to conduct threat hunting

Q24. To find events that are outliers inside a network,___________is the best hunting method to use.

time-based

machine learning

searching

stacking

Q25. What information is provided when using IP Search to look up an IP address?

Both internal and external IPs

Suspicious IP addresses

External IPs only

Internal IPs only

Q26. Which of the following is a way to create event searches that run automatically and recur on a schedule that you set?

Workflows

Event Search

Scheduled Searches

Scheduled Reports

Q27. Which of the following best describes the purpose of the Mac Sensor report?

The Mac Sensor report displays a listing of all Mac hosts without a Falcon sensor installed

The Mac Sensor report provides a detection focused view of known malicious activities occurring on Mac hosts, including machine-learning and indicator-based detections

The Mac Sensor report displays a listing of all Mac hosts with a Falcon sensor installed

The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts, including items of interest that may be hunting or investigation leads

Q28. Lateral movement through a victim environment is an example of which stage of the Cyber Kill Chain?

Command & Control

Actions on Objectives

Exploitation

Delivery

Q29. You want to produce a list of all event occurrences along with selected fields such as the full path, time, username etc. Which command would be the appropriate choice?

fields

distinct count

table

values

Q30. With Custom Alerts you are able to configure email alerts using predefined templates so you’re notified about specific activity in your environment. Which of the following outlines the steps required to properly create a custom alert rule?

Choose the template you would like to configure, setup how often you would like the alert to run, and then schedule the alert

Choose the template you would like to configure, preview the search results, and then schedule the alert

Create the query for the alert, setup the email template for the alert, and then set the schedule for the alert

Create a new custom template, configure the email template, and then create the custom query for the alert

Q31. The Events Data Dictionary found in the Falcon documentation is useful for writing hunting queries because:

It provides pre-defined queries you can customize to meet your specific threat hunting needs

It provides a list of all the detect names and descriptions found in the Falcon Cloud

It provides a reference of information about the events found in the Investigate > Event Search page of the Falcon Console

It provides a list of compatible splunk commands used to query event data

Q32. Which of the following is an example of a Falcon threat hunting lead?

A routine threat hunt query showing process executions of single letter filename (e.g., a.exe) from temporary directories

Security appliance logs showing potentially bad traffic to an unknown external IP address

A help desk ticket for a user clicking on a link in an email causing their machine to become unresponsive and have high CPU usage

An external report describing a unique 5 character file extension for ransomware encrypted files

Q33. Which of the following would be the correct field name to find the name of an event?

Event_SimpleName

Event_Simple_Name

EVENT_SIMPLE_NAME

event_simpleName

Q34. You need details about key data fields and sensor events which you may expect to find from Hosts running the Falcon sensor. Which documentation should you access?

Events Data Dictionary

Streaming API Event Dictionary

Hunting and Investigation

Event stream APIs

Q35. Which of the following does the Hunting and Investigation Guide contain?

A list of all event types and their syntax

A list of all event types specifically used for hunting and their syntax

Example Event Search queries useful for threat hunting

Example Event Search queries useful for Falcon platform configuration

Q36. How do you rename fields while using transforming commands such as table, chart, and stats?

By renaming the fields with the “rename” command after the transforming command e.g. “stats count by ComputerName | rename count AS total_count”

You cannot rename fields as it would affect sub-queries and statistical analysis

By using the “renamed” keyword after the field name eg “stats count renamed totalcount by ComputerName”

By specifying the desired name after the field name eg “stats count totalcount by ComputerName”

Q37. Which tool allows a threat hunter to populate and colorize all known adversary techniques in a single view?

MISP

OWASP Threat Dragon

OpenXDR

MITRE ATT&CK Navigator

Q38. Event Search data is recorded with which time zone?

PST

GMT

EST

UTC

Q39. The Process Timeline Events Details table will populate the Parent Process ID and the Parent File columns when the cloudable Event data contains which event field?

ContextProcessld_decimal

RawProcessld_decimal

ParentProcessld_decimal

RpcProcessld_decimal

Q40. What do you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search?

PID

Process ID or Parent Process ID

CID

Process Timeline Link

Q41. The Falcon Detections page will attempt to decode Encoded PowerShell Command line parameters when which PowerShell Command line parameter is present?

-Command

-Hidden

-e

-nop