Falcon detected the above file attempting to execute. At initial glance, what indicators can we use to provide an initial analysis of the file?
A. VirusTotal, Hybrid Analysis, and Google pivot indicator lights enabled
B. File name, path, Local and Global prevalence within the environment
C. File path, hard disk volume number, and IOC Management action
D. Local prevalence, IOC Management action, and Event Search
Event Search data is recorded with which time zone?
A. PST
B. GMT
C. EST
D. UTC
Which of the following is the proper method to quantify search results, enabling a hunter to quickly sort and identify outliers?
A. Using the “| stats count by” command at the end of a search string in Event Search
B. Using the “|stats count” command at the end of a search string in Event Search
C. Using the “|eval” command at the end of a search string in Event Search
D. Exporting Event Search results to a spreadsheet and aggregating the results
Lateral movement through a victim environment is an example of which stage of the Cyber Kill Chain?
A. Command & Control
B. Actions on Objectives
C. Exploitation
D. Delivery
In the MITRE ATT&CK Framework (version 11 - the newest version released in April 2022), which of the following pair of tactics is not in the Enterprise: Windows matrix?
A. Persistence and Execution
B. Impact and Collection
C. Privilege Escalation and Initial Access
D. Reconnaissance and Resource Development
Which of the following is TRUE about a Hash Search?
A. Wildcard searches are not permitted with the Hash Search
B. The Hash Search provides Process Execution History
C. The Hash Search is available on Linux
D. Module Load History is not presented in a Hash Search
When performing a raw event search via the Events search page, what are Event Actions?
A. Event Actions contain an audit log of the actions an analyst took regarding a specific detection.
B. Event Actions contain the summary of actions taken by the Falcon sensor, such as quarantining a file, preventing a process from executing, or taking no action and creating a detection only.
C. Event Actions are pivotable workflows, including connecting to a host, pre-made event searches, and pivots to other investigatory pages such as Host Search.
D. Event Actions is the field name that contains the event name defined in the Events Data Dictionary, such as ProcessRollup, SyntheticProcessRollup, DNS request, etc.
Which of the following best describes the purpose of the Mac Sensor report?
A. The Mac Sensor report displays a listing of all Mac hosts without a Falcon sensor installed
B. The Mac Sensor report provides a detection-focused view of known malicious activities occurring on Mac hosts, including machine-learning and indicator-based detections
C. The Mac Sensor report displays a listing of all Mac hosts with a Falcon sensor installed
D. The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts, including items of interest that may be hunting or investigation leads
In the PowerShell Hunt report, what does the “score” signify?
A. Number of hosts that ran the PowerShell script
B. How recently the PowerShell script executed
C. Maliciousness score determined by NGAV
D. A cumulative score of the various potential command line switches
When reviewing a DNS request in the Event Search, you're curious which process made the request. Which Event Action would be the quickest way to show you the process?
A. Show Associated Event Data (from TargetProcessID_decimal)
B. Show Parent Process
C. Show Responsible Process Data
D. Pivot - Host Search
You have found a hash-based indicator of compromise (IOC) in an intelligence report and want to determine if the program has run in your environment. Which search would provide all of the process’ executions over the timeframe specified?
A. Bulk Host Audit
B. IOC Search
C. Process Search
D. Hash Search
What is the purpose of the rename command in this query?
event_simpleName=ProcessRollup2 [search event_simpleName=ProcessRollup2 FileName=excel.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid ParentProcessId_decimal] | stats count by FileName CommandLine
A. It runs a sub-search to locate all detections where excel.exe was blocked
B. It renames a field to drive the main search in order to locate all child processes of excel.exe
C. It joins all combinations of parent / child processes involving excel.exe
D. It renames a field to drive the main search in order to locate all parent processes of excel.exe
What information is provided when using IP Search to look up an IP address?
A. Both internal and external IPs
B. Suspicious IP addresses
C. External IPs only
D. Internal IPs only
Which field in a DNS Request event points to the responsible process?
A. ContextProcessId_readable
B. TargetProcessId_decimal
C. ContextProcessId_decimal
D. ParentProcessId_decimal
Which of the following does the Hunting and Investigation Guide contain?
A. A list of all event types and their syntax
B. A list of all event types specifically used for hunting and their syntax
C. Example Event Search queries useful for threat hunting
D. Example Event Search queries useful for Falcon platform configuration
Which of the following Event Search queries would only find the DNS lookups to the domain: www.randomdomain.com?
SPL (Splunk) eval statements can be used to convert Unix times (Epoch) into UTC readable time. Which eval function is correct?
A. now
B. typeof
C. strftime
D. relative_time
When exporting the results of the following event search, what data is saved in the exported file (assuming Verbose Mode)? event_simpleName=*Written | stats count by ComputerName
A. The text of the query
B. The results of the Statistics tab
C. No data. Results can only be exported when the “table” command is used
D. All events in the Events tab
During an investigation you find out that files are being written to disk by a malicious process. While many are displayed in the detections as context items, you want to see all files written to your host by this process.
Which report would you use to find when a specific user last reset their password?
A. Falcon UI Audit Trail
B. Remote Access Graph Visibility Report
C. User Timeline
D. Logon Activities Visibility Report
Which of the following is a suspicious process behavior?
A. PowerShell running an execution policy of RemoteSigned
B. An Internet browser (e.g., Internet Explorer) performing multiple DNS requests
C. PowerShell launching a PowerShell script
D. Non-network processes (e.g., notepad.exe) making an outbound network connection
Which of the following is an example of a Falcon threat hunting lead?
A. A routine threat hunt query showing process executions of single-letter filenames (e.g., a.exe) from temporary directories
B. Security appliance logs showing potentially bad traffic to an unknown external IP address
C. A help desk ticket for a user clicking on a link in an email, causing their machine to become unresponsive and have high CPU usage
D. An external report describing a unique 5-character file extension for ransomware-encrypted files
A benefit of using a threat hunting framework is that it:
A. Automatically generates incident reports
B. Eliminates false positives
C. Provides high-fidelity threat actor attribution
D. Provides actionable, repeatable steps to conduct threat hunting
An analyst has sorted all recent detections in the Falcon platform to identify the oldest in an effort to determine the possible first victim host. What is this type of analysis called?
A. Visualization of hosts
B. Statistical analysis
C. Temporal analysis
D. Machine Learning
What part of the Investigate module should you use when you want to write custom queries to analyze, explore, or hunt for suspicious or malicious activity in your environment?