Updated PDF (New 2024) Actual CrowdStrike CCFH-202 Exam Questions
NEW QUESTION # 10
Which of the following is TRUE about a Hash Search?
- A. The Hash Search provides Process Execution History
- B. The Hash Search is available on Linux
- C. Wildcard searches are not permitted with the Hash Search
- D. Module Load History is not presented in a Hash Search
Answer: A
Explanation:
The Hash Search is an Investigate tool that allows you to search for a file hash and view its process execution history across all hosts in your environment. It shows information such as process name, command line, parent process name, parent command line, etc. for each execution of the file hash. Wildcard searches are permitted with the Hash Search, as long as they are at least four characters long. The Hash Search is available on Linux, as well as Windows and Mac OS X. Module Load History is presented in a Hash Search, along with other information such as File Write History and Detection History.
NEW QUESTION # 11
What elements are required to properly execute a Process Timeline?
- A. Hostname and Local Process ID
- B. Agent ID (AID) and Target Process ID
- C. Target Process ID only
- D. Agent ID (AID) only
Answer: B
Explanation:
The Agent ID (AID) and the Target Process ID are the elements that are required to properly execute a Process Timeline. The Agent ID (AID) is a unique identifier for each host that has a Falcon sensor installed. The Target Process ID is the decimal representation of the process identifier for the process that you want to investigate. These two elements are used to query the cloud for the events related to the process on the host. The Agent ID (AID) only, the Hostname and Local Process ID, and the Target Process ID only are not sufficient to execute a Process Timeline.
NEW QUESTION # 12
In the PowerShell Hunt report, what does the "score" signify?
- A. How recently the PowerShell script executed
- B. A cumulative score of the various potential command line switches
- C. Maliciousness score determined by NGAV
- D. Number of hosts that ran the PowerShell script
Answer: B
Explanation:
In the PowerShell Hunt report, the score signifies a cumulative score of the various potential command line switches that were used in the PowerShell script execution. The score is based on a weighted system that assigns different values to different switches according to their potential maliciousness or usefulness for threat hunting. For example, -EncodedCommand has a higher value than -NoProfile. The score does not signify the number of hosts that ran the PowerShell script, how recently the PowerShell script executed, or the maliciousness score determined by NGAV.
NEW QUESTION # 13
You want to produce a list of all event occurrences along with selected fields such as the full path, time, username etc. Which command would be the appropriate choice?
- A. fields
- B. distinct_count
- C. table
- D. values
Answer: C
Explanation:
The table command is used to produce a list of all event occurrences along with selected fields such as the full path, time, username etc. It takes one or more field names as arguments and displays them in a tabular format. The fields command is used to keep or remove fields from search results, not to display them in a list. The distinct_count command is used to count the number of distinct values of a field, not to display them in a list. The values command is used to display a list of unique values of a field within each group, not to display all event occurrences.
NEW QUESTION # 14
Which of the following is an example of actor actions during the RECONNAISSANCE phase of the Cyber Kill Chain?
- A. Emailing the intended victim with a malware attachment
- B. Installing a backdoor on the victim endpoint
- C. Discovering internet-facing servers
- D. Loading a malicious payload into a common DLL
Answer: C
Explanation:
Discovering internet-facing servers is an example of actor actions during the RECONNAISSANCE phase of the Cyber Kill Chain. The RECONNAISSANCE phase is where the adversary researches and identifies targets, vulnerabilities, and attack vectors. Discovering internet-facing servers is a way for the adversary to find potential entry points or weaknesses in the target network.
NEW QUESTION # 15
Which of the following would be the correct field name to find the name of an event?
- A. event_simpleName
- B. Event_SimpleName
- C. EVENT_SIMPLE_NAME
- D. Event_Simple_Name
Answer: B
Explanation:
Event_SimpleName is the correct field name to find the name of an event in Falcon Event Search. It is a field that shows the simplified name of each event type, such as ProcessRollup2, DnsRequest, or FileDelete. Event_Simple_Name, EVENT_SIMPLE_NAME, and event_simpleName are not valid field names for finding the name of an event.
NEW QUESTION # 16
What topics are presented in the Hunting and Investigation Guide?
- A. Detailed summary of event names, descriptions, and some key data fields for hunting and investigation
- B. Sample hunting queries, select walkthroughs and best practices for hunting with Falcon
- C. Recommended platform configurations and prevention settings to ensure detections are generated for hunting leads
- D. Detailed tutorial on writing advanced queries such as sub-searches and joins
Answer: B
Explanation:
The Hunting and Investigation Guide provides sample hunting queries, select walkthroughs, and best practices for hunting with Falcon. It does not provide a detailed tutorial on writing advanced queries, a detailed summary of event names and descriptions, or recommended platform configurations and prevention settings.
NEW QUESTION # 17
Which of the following Event Search queries would only find the DNS lookups to the domain www.randomdomain.com?
- A. event_simpleName=DnsRequest DomainName=www.randomdomain.com
- B. event_simpleName=DnsRequest DomainName=randomdomain.com ComputerName=localhost
- C. ComputerName=localhost DnsRequest "randomdomain.com"
- D. Dns=randomdomain.com
Answer: A
Explanation:
This Event Search query would only find the DNS lookups to the domain www.randomdomain.com, as it restricts both the event type (DnsRequest) and the exact domain name to match. The other queries would either match other event types or match domains that are not the one asked about.
NEW QUESTION # 18
You would like to search for ANY process execution that used a file stored in the Recycle Bin on a Windows host. Select the option to complete the following EAM query.
- A. *$Recycle.Bin^
- B. ^$Recycle.Bin%^
- C. *$Recycle.Bin*
- D. ^$Recycle.Bin*
Answer: C
Explanation:
This option is the correct one to complete the following EAM query:
event_simpleName=ProcessRollup2 FileName=*$Recycle.Bin*
This query would search for any process execution that used a file stored in the Recycle Bin on a Windows host, as the asterisk (*) is a wildcard character that matches any number of characters before or after the specified string. The other options are not correct, as they use characters (^ and %) that are not wildcards in this syntax and therefore do not match the desired pattern.
NEW QUESTION # 19
Which of the following is a recommended technique to find unique outliers among a set of data in the Falcon Event Search?
- A. Time-based Searching
- B. Stacking (Frequency Analysis)
- C. Machine Learning
- D. Hunt-and-Peck Search Methodology
Answer: B
Explanation:
Stacking (Frequency Analysis) is a recommended technique to find unique outliers among a set of data in the Falcon Event Search. Stacking involves grouping events by a common attribute and counting their frequency, then sorting them in ascending or descending order to identify rare or common events. This can help find anomalies or deviations from normal behavior that could indicate malicious activity. Hunt-and-Peck Search Methodology, Time-based Searching, and Machine Learning are not specific techniques to find unique outliers among a set of data.
NEW QUESTION # 20
A benefit of using a threat hunting framework is that it:
- A. Automatically generates incident reports
- B. Provides high fidelity threat actor attribution
- C. Provides actionable, repeatable steps to conduct threat hunting
- D. Eliminates false positives
Answer: C
Explanation:
A threat hunting framework is a methodology that guides threat hunters in planning, executing, and improving their threat hunting activities. A benefit of using a threat hunting framework is that it provides actionable, repeatable steps to conduct threat hunting in a consistent and efficient manner. A threat hunting framework does not automatically generate incident reports, eliminate false positives, or provide high fidelity threat actor attribution, as these are dependent on other factors such as data sources, tools, and analysis skills.
NEW QUESTION # 21
You are reviewing a list of domains recently banned by your organization's acceptable use policy. In particular, you are looking for the number of hosts that have visited each domain. Which tool should you use in Falcon?
- A. IP Addresses Search
- B. Create a custom alert for each domain
- C. Allowed Domain Summary Report
- D. Bulk Domain Search
Answer: D
Explanation:
Bulk Domain Search is the tool that you should use in Falcon to review a list of domains recently banned by your organization's acceptable use policy and look for the number of hosts that have visited each domain. Bulk Domain Search is an Investigate tool that allows you to search for multiple domains at once and view their network connection events across all hosts in your environment. It shows information such as domain name, number of hosts visited, number of detections generated, etc. for each domain. Create a custom alert for each domain, Allowed Domain Summary Report, and IP Addresses Search are not tools that you should use for this purpose.
NEW QUESTION # 22
Where would an analyst find information about shells spawned by root, Kernel Module loads, and wget/curl usage?
- A. Linux Sensor report
- B. Sensor Policy Daily report
- C. Mac Sensor report
- D. Sensor Health report
Answer: A
Explanation:
The Linux Sensor report is where an analyst would find information about shells spawned by root, Kernel Module loads, and wget/curl usage. The Linux Sensor report is a pre-defined report that provides a summary view of selected activities on Linux hosts. It shows information such as process execution events, network connection events, file write events, etc. that occurred on Linux hosts within a specified time range. The Sensor Health report, the Sensor Policy Daily report, and the Mac Sensor report do not provide the same information.
NEW QUESTION # 23
Which of the following best describes the purpose of the Mac Sensor report?
- A. The Mac Sensor report provides a detection focused view of known malicious activities occurring on Mac hosts, including machine-learning and indicator-based detections
- B. The Mac Sensor report displays a listing of all Mac hosts without a Falcon sensor installed
- C. The Mac Sensor report displays a listing of all Mac hosts with a Falcon sensor installed
- D. The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts, including items of interest that may be hunting or investigation leads
Answer: D
Explanation:
The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts, including items of interest that may be hunting or investigation leads. It does not display a listing of all Mac hosts with or without a Falcon sensor installed, nor does it provide a detection focused view of known malicious activities occurring on Mac hosts.
NEW QUESTION # 24
Which of the following is a way to create event searches that run automatically and recur on a schedule that you set?
- A. Event Search
- B. Scheduled Searches
- C. Scheduled Reports
- D. Workflows
Answer: B
Explanation:
Scheduled Searches are a way to create event searches that run automatically and recur on a schedule that you set. You can use Scheduled Searches to monitor your environment for specific conditions or patterns, generate reports or alerts, or enrich your data with additional fields or tags. Workflows, Event Search, and Scheduled Reports are not ways to create event searches that run automatically and recur on a schedule.
NEW QUESTION # 25
What information is shown in Host Search?
- A. Intel Reports
- B. Processes and Services
- C. Quarantined Files
- D. Prevention Policies
Answer: B
Explanation:
Processes and Services is one of the categories of information shown in Host Search. Host Search is an Investigate tool that allows you to view events by category, such as process executions, network connections, file writes, etc. The Processes and Services category shows information such as process name, command line, parent process name, parent command line, etc. for each process execution event on a host. Quarantined Files, Prevention Policies, and Intel Reports are not shown in Host Search.
NEW QUESTION # 26
What Investigate tool would you use to allow an analyst to view all events for a specific host?
- A. Process Timeline
- B. Bulk Timeline
- C. Host Search
- D. Host Timeline
Answer: D
Explanation:
The Host Timeline is the Investigate tool that you would use to allow an analyst to view all events for a specific host. The Host Timeline shows a graphical representation of all events that occurred on a host within a specified time range. It allows an analyst to zoom in and out, filter by event type or name, and drill down into event details. The Bulk Timeline, the Host Search, and the Process Timeline are not Investigate tools that you would use to view all events for a specific host.
NEW QUESTION # 27
What do you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search?
- A. CID
- B. PID
- C. Process ID or Parent Process ID
- D. Process Timeline Link
Answer: D
Explanation:
The Process Timeline Link is what you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search. The Process Timeline Link is an icon that looks like three horizontal bars with dots on them. It appears next to each process name or ID on various pages in Falcon, such as Hash Search results, Detection details, Event Search results, etc. Clicking on it will open a new tab with the Process Timeline for that process. The PID, the Process ID or Parent Process ID, and the CID are not what you click to jump to a Process Timeline.
NEW QUESTION # 28
Which of the following does the Hunting and Investigation Guide contain?
- A. Example Event Search queries useful for threat hunting
- B. Example Event Search queries useful for Falcon platform configuration
- C. A list of all event types and their syntax
- D. A list of all event types specifically used for hunting and their syntax
Answer: A
Explanation:
The Hunting and Investigation guide contains example Event Search queries useful for threat hunting. These queries are based on common threat hunting use cases and scenarios, such as finding suspicious processes, network connections, registry activity, etc. The guide also explains how to customize and modify the queries to suit different needs and environments. The guide does not contain a list of all event types and their syntax, as that information is provided in the Events Data Dictionary. The guide also does not contain example Event Search queries useful for Falcon platform configuration, as that is not the focus of the guide.
NEW QUESTION # 29
Which field should you reference in order to find the system time of a *FileWritten event?
- A. timestamp
- B. ContextTimeStamp_decimal
- C. ProcessStartTime_decimal
- D. FileTimeStamp_decimal
Answer: B
Explanation:
ContextTimeStamp_decimal is the field that shows the system time of the event that triggered the sensor to send data to the cloud. In this case, it would be the time when the file was written. FileTimeStamp_decimal is the field that shows the last modified time of the file, which may not be the same as the time when the file was written. ProcessStartTime_decimal is the field that shows the start time of the process that performed the file write operation, which may not be the same as the time when the file was written. Timestamp is the field that shows the time when the sensor data was received by the cloud, which may not be the same as the time when the file was written.
NEW QUESTION # 30
Which of the following queries will return the parent processes responsible for launching badprogram.exe?
- A. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessId_decimal AS TargetProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
- B. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
- C. [search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time
- D. [search (ParentProcess) where name=badprogram.exe ] | table ParentProcessName _time
Answer: B
Explanation:
This query will return the parent processes responsible for launching badprogram.exe by using a subsearch to find the processrollup2 events where FileName is badprogram.exe, then renaming the TargetProcessId_decimal field to ParentProcessId_decimal and using it as a filter for the main search, then using stats to count the occurrences of each FileName by _time. The other queries will either not return the parent processes or use incorrect field names or syntax.
NEW QUESTION # 31
Lateral movement through a victim environment is an example of which stage of the Cyber Kill Chain?
- A. Command & Control
- B. Exploitation
- C. Delivery
- D. Actions on Objectives
Answer: A
Explanation:
Lateral movement through a victim environment is an example of the Command & Control stage of the Cyber Kill Chain. The Cyber Kill Chain is a model that describes the phases of a cyber attack, from reconnaissance to actions on objectives. The Command & Control stage is where the adversary establishes and maintains communication with the compromised systems and moves laterally to expand their access and control.
NEW QUESTION # 32
Which field in a DNS Request event points to the responsible process?
- A. ParentProcessId_decimal
- B. ContextProcessId_decimal
- C. ContextProcessId_readable
- D. TargetProcessId_decimal
Answer: C
Explanation:
The ContextProcessId_readable field in a DNS Request event points to the responsible process. The ContextProcessId_readable field is the readable representation of the process identifier for the process that initiated the DNS request. It can be used to identify which process was communicating with a specific domain or IP address. The TargetProcessId_decimal, ContextProcessId_decimal, and ParentProcessId_decimal fields do not point to the responsible process.
NEW QUESTION # 33
While you're reviewing Unresolved Detections in the Host Search page, you notice the User Name column contains "hostname$". What does this User Name indicate?
- A. The Falcon sensor could not determine the User Name
- B. The User Name is a System User
- C. The User Name is not relevant for the dashboard
- D. There is no User Name associated with the event
Answer: D
Explanation:
When you see "hostname$" in the User Name column in the Host Search page, it means that there is no User Name associated with the event. This can happen when the event is related to a system process or service that does not have a user context. It does not mean that the User Name is a System User, that the User Name is not relevant for the dashboard, or that the Falcon sensor could not determine the User Name.
NEW QUESTION # 34
In which of the following stages of the Cyber Kill Chain does the actor not interact with the victim endpoint(s)?
- A. Exploitation
- B. Command & control
- C. Weaponization
- D. Installation
Answer: C
Explanation:
Weaponization is the stage of the Cyber Kill Chain where the actor does not interact with the victim endpoint(s). Weaponization is where the actor prepares or packages the exploit or payload that will be used to compromise the target. This stage does not involve any communication or interaction with the victim endpoint(s), as it is done by the actor before delivering the weaponized content. Exploitation, Command & Control, and Installation are all stages where the actor interacts with the victim endpoint(s), either by executing code, establishing communication, or installing malware.