Free CrowdStrike Certified Falcon Hunter Exam CCFH-202 Exam Practice Test

Which of the following would be the correct field name to find the name of an event?

• Event_SimpleName
• Event_Simple_Name
• EVENT_SIMPLE_NAME
• event_simpleName

When performing a raw event search via the Events search page, what are Event Actions?

• Event Actions contains an audit information log of actions an analyst took in regards to a specific detection
• Event Actions contains the summary of actions taken by the Falcon sensor such as quarantining a file, prevent a process from executing or taking no actions and creating a detection only
• Event Actions are pivotable workflows including connecting to a host, pre-made event searches and pivots to other investigatory pages such as host search
• Event Actions is the field name that contains the event name defined in the Events Data Dictionary such as ProcessRollup, SyntheticProcessRollup, DNS request, etc

In which of the following stages of the Cyber Kill Chain does the actor not interact with the victim endpoint(s)?

• Exploitation
• Weaponization
• Command & control
• Installation

Which of the following queries will return the parent processes responsible for launching badprogram exe?

• [search (ParentProcess) where name=badprogranrexe ] | table ParentProcessName _time
• event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessld_decimal AS TargetProcessld_decimal | fields aid TargetProcessld_decimal] | stats count by FileName _time
• [search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time
• event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessld_decimal AS ParentProcessld_decimal | fields aid TargetProcessld_decimal] | stats count by FileName _time

What elements are required to properly execute a Process Timeline?

• Agent ID (AID) and Target Process ID
• Agent ID (AID) only
• Hostname and Local Process ID
• Target Process ID only

Which threat framework allows a threat hunter to explore and model specific adversary tactics and techniques, with links to intelligence and case studies?

• MITRE ATT&CK
• Lockheed Martin Cyber Kill Chain
• Director of National Intelligence Cyber Threat Framework
• NIST 800-171 Cyber Threat Framework

Where would an analyst find information about shells spawned by root, Kernel Module loads, and wget/curl usage?

• Sensor Health report
• Linux Sensor report
• Sensor Policy Daily report
• Mac Sensor report

Which of the following is the proper method to quantify search results, enabling a hunter to quickly sort and identify outliers?

• Using the "| stats count by" command at the end of a search string in Event Search
• Using the "|stats count" command at the end of a search string in Event Search
• Using the "|eval" command at the end of a search string in Event Search
• Exporting Event Search results to a spreadsheet and aggregating the results

Which SPL (Splunk) field name can be used to automatically convert Unix times (Epoch) to UTC readable time within the Flacon Event Search?

• utc_time
• conv_time
• _time
• time

With Custom Alerts you are able to configure email alerts using predefined templates so you're notified about specific activity in your environment. Which of the following outlines the steps required to properly create a custom alert rule?

• Choose the template you would like to configure, setup how often you would like the alert to run, and then schedule the alert
• Choose the template you would like to configure, preview the search results, and then schedule the alert
• Create the query for the alert, setup the email template for the alert, and then set the schedule for the alert
• Create a new custom template, configure the email template, and then create the custom query for the alert