CCFH-202B Exam Questions
87 real CCFH-202B exam questions with expert-verified answers and explanations. Page 1 of 2.
- Question #1
Which of the following would be the correct field name to find the name of an event?
- Question #2
Event Search data is recorded with which time zone?
- Question #4
How do you rename fields while using transforming commands such as table, chart, and stats?
- Question #5
SPL (Splunk) eval statements can be used to convert Unix times (Epoch) into UTC readable time. Which eval function is correct?
- Question #6
Which of the following queries will return the parent processes responsible for launching badprogram.exe?
- Question #7
You want to produce a list of all event occurrences along with selected fields such as the full path, time, username etc. Which command would be the appropriate choice?
- Question #8
When exporting the results of the following event search, what data is saved in the exported file (assuming Verbose Mode)? event_simpleName=*Written | stats count by ComputerName
- Question #9
Which tool allows a threat hunter to populate and colorize all known adversary techniques in a single view?
- Question #10
Which of the following is an example of actor actions during the RECONNAISSANCE phase of the Cyber Kill Chain?
- Question #11
Which threat framework allows a threat hunter to explore and model specific adversary tactics and techniques, with links to intelligence and case studies?
- Question #12
In the MITRE ATT&CK Framework (version 11 - the newest version released in April 2022), which of the following pair of tactics is not in the Enterprise: Windows matrix?
- Question #13
In which of the following stages of the Cyber Kill Chain does the actor not interact with the victim endpoint(s)?
- Question #14
What information is provided from the MITRE ATT&CK framework in a detection's Execution Details?
- Question #15
You need details about key data fields and sensor events which you may expect to find from Hosts running the Falcon sensor. Which documentation should you access?
- Question #16
The Events Data Dictionary found in the Falcon documentation is useful for writing hunting queries because:
- Question #17
Which Falcon documentation guide should you reference to hunt for anomalies related to scheduled tasks and other Windows related artifacts?
- Question #18
What topics are presented in the Hunting and Investigation Guide?
- Question #19
Which of the following does the Hunting and Investigation Guide contain?
- Question #20
Which document provides information on best practices for writing Splunk-based hunting queries, predefined queries which may be customized to hunt for suspicious network connection...
- Question #21
What is the main purpose of the Mac Sensor report?
- Question #22
Where would an analyst find information about shells spawned by root, Kernel Module loads, and wget/curl usage?
- Question #23
Which of the following best describes the purpose of the Mac Sensor report?
- Question #24
In the Powershell Hunt report, what does the "score" signify?
- Question #25
In the PowerShell Hunt report, what does the filtering condition of commandLine!="*badstring*" do?
- Question #26
What Investigate tool would you use to allow an analyst to view all events for a specific host?
- Question #27
What do you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search?
- Question #28
What elements are required to properly execute a Process Timeline?
- Question #29
What information is provided when using IP Search to look up an IP address?
- Question #30
What kind of activity does a User Search help you investigate?
- Question #31
To view Files Written to Removable Media within a specified timeframe on a host within the Host Search page, expand and refer to the _______ dashboard panel.
- Question #32
When performing a raw event search via the Events search page, what are Event Actions?
- Question #33
What information is shown in Host Search?
- Question #34
You are reviewing a list of domains recently banned by your organization's acceptable use policy. In particular, you are looking for the number of hosts that have visited each doma...
- Question #35
Which field in a DNS Request event points to the responsible process?
- Question #36
Which of the following is a suspicious process behavior?
- Question #37
Which field should you reference in order to find the system time of a *FileWritten event?
- Question #38
What Search page would help a threat hunter differentiate testing, DevOps, or general user activity from adversary behavior?
- Question #39
An analyst has sorted all recent detections in the Falcon platform to identify the oldest in an effort to determine the possible first victim host. What is this type of analysis ca...
- Question #40
Refer to Exhibit. Falcon detected the above file attempting to execute. At initial glance, what indicators can we use to provide an initial analysis of the file?
- Question #41
A benefit of using a threat hunting framework is that it:
- Question #42
Which of the following is an example of a Falcon threat hunting lead?
- Question #43
The Falcon Detections page will attempt to decode Encoded PowerShell Command line parameters when which PowerShell Command line parameter is present?
- Question #44
Which structured analytic technique contrasts different hypotheses to determine which is the best leading (prioritized) hypothesis?
- Question #45
Which SPL (Splunk) field name can be used to automatically convert Unix times (Epoch) to UTC readable time within the Falcon Event Search?
- Question #46
What is the difference between a Host Search and a Host Timeline?
- Question #47
The Process Timeline Events Details table will populate the Parent Process ID and the Parent File columns when the cloudable Event data contains which event field?
- Question #48
While you're reviewing Unresolved Detections in the Host Search page, you notice the User Name column contains "hostname$". What does this User Name indicate?
- Question #49
Which of the following is TRUE about a Hash Search?
- Question #50
With Custom Alerts you are able to configure email alerts using predefined templates so you're notified about specific activity in your environment. Which of the following outlines...
- Question #51
The help desk is reporting an increase in calls related to user accounts being locked out over the last few days. You suspect that this could be an attack by an adversary against y...