CCFH-202
Question 1
Which of the following is a suspicious process behavior?
- A: PowerShell running an execution policy of RemoteSigned
- B: An Internet browser (e.g., Internet Explorer) performing multiple DNS requests
- C: PowerShell launching a PowerShell script
- D: Non-network processes (e.g., notepad.exe) making an outbound network connection
Question 2
Which SPL (Splunk) field name can be used to automatically convert Unix times (Epoch) to UTC readable time within the Falcon Event Search?
- A: utc_time
- B: conv_time
- C: _time
- D: time
Question 3
Which of the following would be the correct field name to find the name of an event?
- A: Event_SimpleName
- B: Event_Simple_Name
- C: EVENT_SIMPLE_NAME
- D: event_simpleName
Question 4
Event Search data is recorded with which time zone?
- A: PST
- B: GMT
- C: EST
- D: UTC
Question 5
Which of the following Event Search queries would only find the DNS lookups to the domain: www.randomdomain.com?
- A: event_simpleName=DnsRequest DomainName=www.randomdomain.com
- B: event_simpleName=DnsRequest DomainName=randomdomain.com ComputerName=localhost
- C: Dns=randomdomain.com
- D: ComputerName=localhost DnsRequest “randomdomain.com”
Question 6
How do you rename fields while using transforming commands such as table, chart, and stats?
- A: By renaming the fields with the “rename” command after the transforming command. e.g. “stats count by ComputerName | rename count AS total_count”
- B: You cannot rename fields as it would affect sub-queries and statistical analysis
- C: By using the “renamed” keyword after the field name. e.g. “stats count renamed totalcount by ComputerName”
- D: By specifying the desired name after the field name. e.g. “stats count totalcount by ComputerName”
Question 7
SPL (Splunk) eval statements can be used to convert Unix times (Epoch) into UTC readable time. Which eval function is correct?
- A: now
- B: typeof
- C: strftime
- D: relative_time
Question 8
Which of the following queries will return the parent processes responsible for launching badprogram.exe?
- A: [search (ParentProcess) where name=badprogram.exe ] | table ParentProcessName _time
- B: event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessId_decimal AS TargetProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
- C: [search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time
- D: event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
Question 9
You want to produce a list of all event occurrences along with selected fields such as the full path, time, username etc. Which command would be the appropriate choice?
- A: fields
- B: distinctcount
- C: table
- D: values
Question 10
When exporting the results of the following event search, what data is saved in the exported file (assuming Verbose Mode)? event_simpleName=*Written | stats count by ComputerName
- A: The text of the query
- B: The results of the Statistics tab
- C: No data. Results can only be exported when the “table” command is used
- D: All events in the Events tab
Question 11
The help desk is reporting an increase in calls related to user accounts being locked out over the last few days. You suspect that this could be an attack by an adversary against your organization. Select the best hunting hypothesis from the following:
- A: A zero-day vulnerability is being exploited on a Microsoft Exchange server
- B: A publicly available web application has been hacked and is causing the lockouts
- C: Users are locking their accounts out because they recently changed their passwords
- D: A password guessing attack is being executed against remote access mechanisms such as VPN
Question 12
Which field should you reference in order to find the system time of a *FileWritten event?
- A: ContextTimeStamp_decimal
- B: FileTimeStamp_decimal
- C: ProcessStartTime_decimal
- D: timestamp
Question 13
To find events that are outliers inside a network, ___________ is the best hunting method to use.
- A: time-based
- B: machine learning
- C: searching
- D: stacking
Question 14
Which of the following is a way to create event searches that run automatically and recur on a schedule that you set?
- A: Workflows
- B: Event Search
- C: Scheduled Searches
- D: Scheduled Reports
Question 15
Which of the following is a recommended technique to find unique outliers among a set of data in the Falcon Event Search?
- A: Hunt-and-Peck Search Methodology
- B: Stacking (Frequency Analysis)
- C: Time-based Searching
- D: Machine Learning
Question 16
Adversaries commonly execute discovery commands such as net.exe, ipconfig.exe, and whoami.exe. Rather than query for each of these commands individually, you would like to use a single query with all of them. What Splunk operator is needed to complete the following query? aid=my-aid event_simpleName=ProcessRollup2 (FileName=net.exe __________ FileName=ipconfig.exe _________ FileName=whoami.exe) | table ComputerName UserName FileName CommandLine
- A: OR
- B: IN
- C: NOT
- D: AND
Question 17
You would like to search for ANY process execution that used a file stored in the Recycle Bin on a Windows host. Select the option to complete the following EAM query. aid=my-aid ImageFileName=________ event_simpleName=ProcessRollup2
- A: *$Recycle.Bin^
- B: *$Recycle.Bin*
- C: ^$Recycle.Bin*
- D: ^$Recycle.Bin%
Question 18
Which of the following is the proper method to quantify search results, enabling a hunter to quickly sort and identify outliers?
- A: Using the “| stats count by” command at the end of a search string in Event Search
- B: Using the “|stats count” command at the end of a search string in Event Search
- C: Using the “|eval” command at the end of a search string in Event Search
- D: Exporting Event Search results to a spreadsheet and aggregating the results