Free CrowdStrike Certified Falcon Hunter Exam CCFH-202 Exam Practice Test

What Search page would help a threat hunter differentiate testing, DevOPs, or general user activity from adversary behavior?

• Hash Search
• IP Search
• Domain Search
• User Search

What information is provided when using IP Search to look up an IP address?

• Both internal and external IPs
• Suspicious IP addresses
• External IPs only
• Internal IPs only

What do you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search?

• PID
• Process ID or Parent Process ID
• CID
• Process Timeline Link

Which of the following is an example of a Falcon threat hunting lead?

• A routine threat hunt query showing process executions of single letter filename (e.g., a.exe) from temporary directories
• Security appliance logs showing potentially bad traffic to an unknown external IP address
• A help desk ticket for a user clicking on a link in an email causing their machine to become unresponsive and have high CPU usage
• An external report describing a unique 5 character file extension for ransomware encrypted files

Which pre-defined reports offer information surrounding activities that typically indicate suspicious activity occurring on a system?

• Scheduled searches
• Hunt reports
• Sensor reports
• Timeline reports

The help desk is reporting an increase in calls related to user accounts being locked out over the last few days. You suspect that this could be an attack by an adversary against your organization. Select the best hunting hypothesis from the following:

• A zero-day vulnerability is being exploited on a Microsoft Exchange server
• A publicly available web application has been hacked and is causing the lockouts
• Users are locking their accounts out because they recently changed their passwords
• A password guessing attack is being executed against remote access mechanisms such as VPN

What information is provided from the MITRE ATT&CK framework in a detection's Execution Details?

• Grouping Tag
• Command Line
• Technique ID
• Triggering Indicator

Which of the following Event Search queries would only find the DNS lookups to the domain: www randomdomain com?

• event_simpleName=DnsRequest DomainName=www randomdomain com
• event_simpleName=DnsRequest DomainName=randomdomain com ComputerName=localhost
• Dns=randomdomain com
• ComputerName=localhost DnsRequest "randomdomain com"

With Custom Alerts you are able to configure email alerts using predefined templates so you're notified about specific activity in your environment. Which of the following outlines the steps required to properly create a custom alert rule?

• Choose the template you would like to configure, setup how often you would like the alert to run, and then schedule the alert
• Choose the template you would like to configure, preview the search results, and then schedule the alert
• Create the query for the alert, setup the email template for the alert, and then set the schedule for the alert
• Create a new custom template, configure the email template, and then create the custom query for the alert

Which of the following is the proper method to quantify search results, enabling a hunter to quickly sort and identify outliers?

• Using the "| stats count by" command at the end of a search string in Event Search
• Using the "|stats count" command at the end of a search string in Event Search
• Using the "|eval" command at the end of a search string in Event Search
• Exporting Event Search results to a spreadsheet and aggregating the results