CCFH-202B Exam Questions
87 real CCFH-202B exam questions with expert-verified answers and explanations.
- Question #52
To find events that are outliers inside a network, ___________ is the best hunting method to use.
- Question #53
Which of the following is a way to create event searches that run automatically and recur on a schedule that you set?
- Question #54
Which of the following is a recommended technique to find unique outliers among a set of data in the Falcon Event Search?
- Question #55
Adversaries commonly execute discovery commands such as net.exe, ipconfig.exe, and whoami.exe. Rather than query for each of these commands individually, you would like to use a si...
- Question #56
You would like to search for ANY process execution that used a file stored in the Recycle Bin on a Windows host. Select the option to complete the following EAM query. aid=my-aid I...
- Question #57
Which of the following is the proper method to quantify search results, enabling a hunter to quickly sort and identify outliers?
- Question #58
Refer to Exhibit. What type of attack would this process tree indicate?
- Question #59
Which pre-defined reports offer information surrounding activities that typically indicate suspicious activity occurring on a system?
- Question #60
Lateral movement through a victim environment is an example of which stage of the Cyber Kill Chain?
- Question #61
When looking at a process tree, what do the nodes represent?
- Question #62
Suspicious RDP connections have been observed on a host within your environment. How do you utilize Event Search to show all connections on this specific host?
- Question #63
To best determine the root cause of an enterprise-wide infection, you would:
- Question #64
Which of the following process trees should raise the most suspicion that adversary activity may be present on a web server?
- Question #65
When searching for all events related to a specific process, which field(s) should be selected in a query from the Event Actions drop-down menu?
- Question #66
Your environment has several PowerShell scripts running that are Base64 encoded. Which of the following areas of Falcon will show you the decoded PowerShell commands?
- Question #67
Where in the Falcon console do you find hunting reports?
- Question #68
Which report would you use to find when a specific user last reset their password?
- Question #69
How would you find a list of executables running from the Recycle Bin across your environment?
- Question #70
Which document in the Support and Resources section will help you write queries by providing prebuilt examples that you could modify? One such example shows execution of common rec...
- Question #71
What document in the Support and Resources section will provide you with a breakdown of event types and related fields?
- Question #72
The MITRE ATT&CK Framework includes all of the following matrices, except:
- Question #73
Which information is returned after querying a hash on the Hash Search page?
- Question #74
When configuring a custom alert, how do you separate recipient email addresses if including more than 1 recipient?
- Question #75
Your organization's next-gen firewall has detected evidence of DNS beaconing occurring from an internal source. The firewall provides you with the beaconing host's internal (privat...
- Question #76
When reviewing a DNS request in the Event Search, you're curious which process made the request. Which Event Action would be the quickest way to show you the process?
- Question #77
What kind of IP addresses are found using an IP Search?
- Question #78
Which event_simpleName has a field that contains the command line used to create a process?
- Question #79
You have found a hash-based indicator of compromise (IOC) in an intelligence report and want to determine if the program has run in your environment. Which search would provide all...
- Question #80
While on the Statistics tab in Event Search you can click on results to perform a number of actions. If you select "Exclude from results" what happens?
- Question #81
Event Search queries in Falcon are powered by which query language?
- Question #82
What is the purpose of the rename command in this query? event_simpleName=ProcessRollup2 [search event_simpleName=ProcessRollup2 FileName=excel.exe | rename TargetProcessId_decimal...
- Question #83
Which event field contains the Falcon generated ID for a process?
- Question #84
You initiate a search with the following query: event_simpleName=UserLogon | table _time ComputerName UserName What results will display?
- Question #85
What command will eliminate duplicates from a query?
- Question #86
During an investigation you find out that files are being written to disk by a malicious process. While many are displayed in the detections as context items, you want to see all f...
- Question #87
When looking at a detection's details, you can pivot to an Event Search. What is the purpose of this Event Search?
- Question #88
What part of the Investigate module should you use when you want to write custom queries to analyze, explore, or hunt for suspicious or malicious activity in your environment?