
CCFH-202B Question #55: Real Exam Question with Answer & Explanation

The correct answer is A. OR.

Question

Adversaries commonly execute discovery commands such as net.exe, ipconfig.exe, and whoami.exe. Rather than query for each of these commands individually, you would like to use a single query with all of them. What Splunk operator is needed to complete the following query?

aid=my-aid event_simpleName=ProcessRollup2 (FileName=net.exe __________ FileName=ipconfig.exe _________ FileName=whoami.exe) | table ComputerName UserName FileName CommandLine

Options

  • A. OR
  • B. IN
  • C. NOT
  • D. AND

Explanation

The OR operator is needed to complete the query, because it returns events that match any of the specified values. The completed query looks like this:

aid=my-aid event_simpleName=ProcessRollup2 (FileName=net.exe OR FileName=ipconfig.exe OR FileName=whoami.exe) | table ComputerName UserName FileName CommandLine

The OR operator combines multiple search terms or expressions and returns events that match at least one of them. The parentheses matter: in Splunk, AND binds more tightly than OR, so grouping the three FileName terms keeps the OR alternatives from being combined with the aid and event_simpleName filters one at a time. The IN, NOT, and AND operators are not suitable for this query, as they have different functions and meanings.
