The help desk is reporting an increase in calls related to user accounts being locked out over the last few days. You suspect that this could be an attack by an adversary against your organization. Select the best hunting hypothesis from the following:
A. A zero-day vulnerability is being exploited...
Which field should you reference in order to find the system time of a *FileWritten event?
A. ContextTimeStamp_decimal
B. FileTimeStamp_decimal
C. ProcessStartTime_decimal
D. timestamp
Answer: A
Explanation: ContextTimeStamp_decimal is the field that shows the system time of the event that triggered the sensor to send data to the cloud. In...
When exporting the results of the following event search, what data is saved in the exported file (assuming Verbose Mode)? event_simpleName=*Written | stats count by ComputerName
A. The text of the query
B. The results of the Statistics tab
C. No data. Results can only be exported when the "table"...
A benefit of using a threat hunting framework is that it:
A. Automatically generates incident reports
B. Eliminates false positives
C. Provides high fidelity threat actor attribution
D. Provides actionable, repeatable steps to conduct threat hunting
Answer: D
Explanation: A threat hunting framework is a methodology that guides threat hunters...
Which of the following Event Search queries would only find the DNS lookups to the domain www.randomdomain.com?
A. event_simpleName=DnsRequest DomainName=www.randomdomain.com
B. event_simpleName=DnsRequest DomainName=randomdomain.com ComputerName=localhost
C. Dns=randomdomain.com
D. ComputerName=localhost DnsRequest "randomdomain.com"
Answer: A
Explanation: This Event Search query would only find the DNS lookups...
Which of the following would be the correct field name to find the name of an event?
A. Event_SimpleName
B. Event_Simple_Name
C. EVENT_SIMPLE_NAME
D. event_simpleName
Answer: D
Explanation: Event_SimpleName is the correct field name to find the name of an event in Falcon Event Search. It is a field that...
Which of the following is a suspicious process behavior?
A. PowerShell running an execution policy of RemoteSigned
B. An Internet browser (e.g., Internet Explorer) performing multiple DNS requests
C. PowerShell launching a PowerShell script
D. Non-network processes (e.g., notepad.exe) making an outbound network connection
Answer: D
Explanation: Non-network processes...
You want to produce a list of all event occurrences along with selected fields such as the full path, time, username, etc. Which command would be the appropriate choice?
A. fields
B. distinct count
C. table
D. values
Answer: C
Explanation: The table command is used to produce a list...
Event Search data is recorded with which time zone?
A. PST
B. GMT
C. EST
D. UTC
Answer: D
Explanation: Event Search data is recorded with the UTC (Coordinated Universal Time) time zone. UTC is a standard time zone that is used as a reference point for other time zones. PST...
Which of the following queries will return the parent processes responsible for launching badprogram.exe?
A. [search (ParentProcess) where name=badprogranrexe ] | table ParentProcessName _time
B. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessId_decimal AS TargetProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
C. [search (ProcessList) where Name=badprogram.exe...