CCFH-202 Sample Questions Answers

User Search is a search page that allows a threat hunter to search for user activity across endpoints and correlate it with other events. This can help differentiate testing, DevOPs, or general user activity from adversary behavior by identifying anomalous or suspicious user actions, such as logging into multiple systems, running unusual commands, or accessing sensitive files.

In the Powershell Hunt report, the filtering condition of commandLine! ="badstring " prevents command lines containing “badstring” from being displayed. The ! operator isused to negate or exclude a condition from the search results. The * operator is used as a wildcard to match any number of characters before or after the specified string. Therefore, commandLine! ="badstring " means to filter out any command line that has “badstring” anywhere in it. The other options are not correct, as they do not describe what the filtering condition does.

Bulk Domain Search is the tool that you should use in Falcon to review a list of domains recently banned by your organization’s acceptable use policy and look for the number of hosts that have visited each domain. Bulk Domain Search is an Investigate tool that allows you to search for multiple domains at once and view their network connection events across all hosts in your environment. It shows information such as domain name, number of hosts visited, number of detections generated, etc. for each domain. Create a custom alert for each domain, Allowed Domain Summary Report, and IP Addresses Search are not tools that you should use for this purpose.

This is the correct answer for the same reason as above. The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts, including items of interest that may be hunting or investigation leads. It does not display a listing of all Mac hosts with or without a Falcon sensor installed, nor does it provide a detection focused view of known malicious activities occurring on Mac hosts.

 To view Files Written to Removable Media within a specified timeframe on a host within the Host Search page, you need to expand and refer to the Suspicious File Activity dashboard panel. The Suspicious File Activity dashboard panel shows information such as files written to removable media, files written to system directories by non-system processes, files written to startup folders, etc. The other dashboard panels do not show files written to removable media.

The strftime eval function is used to convert Unix times (Epoch) into UTC readable time. It takes two arguments: a Unix time field and a format string that specifies how to display the time. The now, typeof, and relative_time eval functions are not used to convert Unix times into UTC readable time.

When exporting the results of an event search, the data that is saved in the exported file depends on the mode and the tab that is selected. In this case, the mode is Verbose and the tab is Statistics, as indicated by the stats command. Therefore, the data that is saved in the exported file is the results of the Statistics tab, which shows the count ofevents by ComputerName. The text of the query, all events in the Events tab, and no data are not correct answers.

The Hunting and Investigation guide contains example Event Search queries useful for threat hunting. These queries are based on common threat hunting use cases and scenarios, such as finding suspicious processes, network connections, registry activity, etc. The guide also explains how to customize and modify the queries to suit different needs and environments. The guide does not contain a list of all event types and their syntax, as that information is provided in the Events Data Dictionary. The guide also does not contain example Event Search queries useful for Falcon platform configuration, as that is not the focus of the guide.

 The Hunting and Investigation guide is the Falcon documentation guide that you should reference to hunt for anomalies related to scheduled tasks and other Windows related artifacts. The Hunting and Investigation guide provides sample hunting queries, select walkthroughs, and best practices for hunting with Falcon. It covers various topics such as process execution, network connections, registry activity, scheduled tasks, and more.

The ContextProcessld_readable field in a DNS Request event points to the responsible process. The ContextProcessld_readable field is the readable representation of the process identifier for the process that initiated the DNS request. It can be used to identify which process was communicating with a specific domain or IP address. The TargetProcessld_decimal, ContextProcessld_decimal, and ParentProcessId_decimal fields do not point to the responsible process.

ContextTimeStamp_decimal is the field that shows the system time of the event that triggered the sensor to send data to the cloud. In this case, it would be the time when the file was written. FileTimeStamp_decimal is the field that shows the last modified time of the file, which may not be the same as the time when the file was written. ProcessStartTime_decimal is the field that shows the start time of the process that performed the file write operation, which may not be the same as the time when the file was written. Timestamp is the field that shows the time when the sensor data was received by the cloud, which may not be the same as the time when the file was written.

The Hash Search is an Investigate tool that allows you to search for a file hash and view its process execution history across all hosts in your environment. It shows information such as process name, command line, parent process name, parent command line, etc. for each execution of the file hash. Wildcard searches are permitted with the Hash Search, as long as they are at least four characters long. The Hash Search is available on Linux, as well as Windows and Mac OS X. Module Load History is presented in aHash Search, along with other information such as File Write History and Detection History.

When performing a raw event search via the Events search page, Event Actions are pivotable workflows that allow you to perform various tasks related to the event or the host. For example, you can connect to a host using Real Time Response, run pre-made event searches based on the event type or name, or pivot to other investigatory pages such as host search, hash search, etc. Event Actions do not contain audit information log, summary of actions taken by the Falcon sensor, or the event name defined in the Events Data Dictionary.

This is the proper method to quantify search results, enabling a hunter to quickly sort and identify outliers. The stats command is used to calculate summary statistics on the results of a search or subsearch, such as count, sum, average, etc. The count by option is used to count the number of events for each distinct value of a field or fields anddisplay them in a table. This can help find rare or common values that could indicate anomalies or deviations from normal behavior.

Event_SimpleName is the correct field name to find the name of an event in Falcon Event Search. It is a field that shows the simplified name of each event type, such as ProcessRollup2, DnsRequest, or FileDelete. Event_Simple_Name, EVENT_SIMPLE_NAME, and event_simpleName are not valid field names for finding the name of an event.