A benefit of using a threat hunting framework is that it:
A. Automatically generates incident reports
B. Eliminates false positives
C. Provides high fidelity threat actor attribution
D. Provides actionable, repeatable steps to conduct threat hunting
Answer: D
Explanation: A threat hunting framework is a methodology that guides threat hunters...
How do you rename fields while using transforming commands such as table, chart, and stats?
A. By renaming the fields with the "rename" command after the transforming command, e.g. "stats count by ComputerName | rename count AS total_count"
B. You cannot rename fields as it would affect sub-queries and statistical...
Which of the following Event Search queries would only find the DNS lookups to the domain www.randomdomain.com?
A. event_simpleName=DnsRequest DomainName=www.randomdomain.com
B. event_simpleName=DnsRequest DomainName=randomdomain.com ComputerName=localhost
C. Dns=randomdomain.com
D. ComputerName=localhost DnsRequest "randomdomain.com"
Answer: A
Explanation: This Event Search query would only find the DNS lookups...
Which of the following would be the correct field name to find the name of an event?
A. Event_SimpleName
B. Event_Simple_Name
C. EVENT_SIMPLE_NAME
D. event_simpleName
Answer: A
Explanation: Event_SimpleName is the correct field name to find the name of an event in Falcon Event Search. It is a field that...
An analyst has sorted all recent detections in the Falcon platform to identify the oldest, in an effort to determine the possible first victim host. What is this type of analysis called?
A. Visualization of hosts
B. Statistical analysis
C. Temporal analysis
D. Machine Learning
Answer: C
Explanation: Temporal analysis...
SPL (Splunk) eval statements can be used to convert Unix times (Epoch) into UTC readable time. Which eval function is correct?
A. now
B. typeof
C. strftime
D. relative time
Answer: C
Explanation: The strftime eval function is used to convert Unix times (Epoch) into UTC readable time. It takes...
The help desk is reporting an increase in calls related to user accounts being locked out over the last few days. You suspect that this could be an attack by an adversary against your organization. Select the best hunting hypothesis from the following:
A. A zero-day vulnerability is being exploited...
When exporting the results of the following event search, what data is saved in the exported file (assuming Verbose Mode)?
event_simpleName=*Written | stats count by ComputerName
A. The text of the query
B. The results of the Statistics tab
C. No data. Results can only be exported when the "table"...
Which structured analytic technique contrasts different hypotheses to determine which is the best leading (prioritized) hypothesis?
A. Model hunting framework
B. Competitive analysis
C. Analysis of competing hypotheses
D. Key assumptions check
Answer: C
Explanation: Analysis of competing hypotheses is a structured analytic technique that contrasts different hypotheses to determine...
Which of the following is a suspicious process behavior?
A. PowerShell running an execution policy of RemoteSigned
B. An Internet browser (e.g. Internet Explorer) performing multiple DNS requests
C. PowerShell launching a PowerShell script
D. Non-network processes (e.g. notepad.exe) making an outbound network connection
Answer: D
Explanation: Non-network processes...