Is this exam completely free?

ExamCademy offers a free preview for every exam, covering around 20% of the total questions. Full access to all questions is available for free by signing up for an account. Optional supporters unlock AstroTutor (AI tutor) and advanced study modes.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! ExamCademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our practice questions are community-created and moderator-reviewed to align with realistic exam objectives, style, and difficulty.

CCFH-202 by CrowdStrike - Page 1 | ExamCademy

Mode Selection

Question 1

Question 2

Question 3

Which of the following would be the correct field name to find the name of an event?

A Event_SimpleName
B Event_Simple_Name
C EVENT_SIMPLE_NAME
D event_simpleName

Question 4

Event Search data is recorded with which time zone?

A PST
B GMT
C EST
D UTC

Question 5

Which of the following Event Search queries would only find the DNS lookups to the domain: www.randomdomain.com?

A event_simpleName=DnsRequest DomainName=www.randomdomain.com
B event_simpleName=DnsRequest DomainName=randomdomain.com ComputerName=localhost
C Dns=randomdomain.com
D ComputerName=localhost DnsRequest “randomdomain.com”

Question 6

How do you rename fields while using transforming commands such as table, chart, and stats?

A By renaming the fields with the “rename” command after the transforming command. e.g. “stats count by ComputerName | rename count AS total_count”
B You cannot rename fields as it would affect sub-queries and statistical analysis
C By using the “renamed” keyword after the field name. e.g. “stats count renamed totalcount by ComputerName”
D By specifying the desired name after the field name. e.g. “stats count totalcount by ComputerName”

Question 7

SPL (Splunk) eval statements can be used to convert Unix times (Epoch) into UTC readable time. Which eval function is correct?

A now
B typeof
C strftime
D relative_time

Question 8

Which of the following queries will return the parent processes responsible for launching badprogram.exe?

A [search (ParentProcess) where name=badprogram.exe ] | table ParentProcessName _time
B event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessId_decimal AS TargetProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
C [search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time
D event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time

Question 9

You want to produce a list of all event occurrences along with selected fields such as the full path, time, username etc. Which command would be the appropriate choice?

A fields
B distinctcount
C table
D values

Question 10

When exporting the results of the following event search, what data is saved in the exported file (assuming Verbose Mode)? event_simpleName=*Written | stats count by ComputerName

A The text of the query
B The results of the Statistics tab
C No data. Results can only be exported when the “table” command is used
D All events in the Events tab

Question 11

The help desk is reporting an increase in calls related to user accounts being locked out over the last few days. You suspect that this could be an attack by an adversary against your organization. Select the best hunting hypothesis from the following:

A A zero-day vulnerability is being exploited on a Microsoft Exchange server
B A publicly available web application has been hacked and is causing the lockouts
C Users are locking their accounts out because they recently changed their passwords
D A password guessing attack is being executed against remote access mechanisms such as VPN

Question 12

Which field should you reference in order to find the system time of a *FileWritten event?

A ContextTimeStamp_decimal
B FileTimeStamp_decimal
C ProcessStartTime_decimal
D timestamp

Question 13

To find events that are outliers inside a network, ___________is the best hunting method to use.

A time-based
B machine learning
C searching
D stacking

Question 14

Which of the following is a way to create event searches that run automatically and recur on a schedule that you set?

A Workflows
B Event Search
C Scheduled Searches
D Scheduled Reports

Question 15

Which of the following is a recommended technique to find unique outliers among a set of data in the Falcon Event Search?

A Hunt-and-Peck Search Methodology
B Stacking (Frequency Analysis)
C Time-based Searching
D Machine Learning

Question 16

Adversaries commonly execute discovery commands such as net.exe, ipconfig.exe, and whoami.exe. Rather than query for each of these commands individually, you would like to use a single query with all of them. What Splunk operator is needed to complete the following query? aid=my-aid event_simpleName=ProcessRollup2 (FileName=net.exe __________ FileName=ipconfig.exe _________ FileName=whoami.exe) | table ComputerName UserName FileName CommandLine

A OR
B IN
C NOT
D AND

Question 17

You would like to search for ANY process execution that used a file stored in the Recycle Bin on a Windows host. Select the option to complete the following EAM query. aid=my-aid ImageFileName=________ event_simpleName=ProcessRollup2

A *$Recycle.Bin^
B $Recycle.Bin
C ^$Recycle.Bin*
D ^$Recycle.Bin%

Question 18

Which of the following is the proper method to quantify search results, enabling a hunter to quickly sort and identify outliers?

A Using the “| stats count by” command at the end of a search string in Event Search
B Using the “|stats count” command at the end of a search string in Event Search
C Using the “|eval” command at the end of a search string in Event Search
D Exporting Event Search results to a spreadsheet and aggregating the results

That's the end of the Preview

Create a free account to unlock all questions for this exam.

Log In / Sign Up

Page 1 of 4 • Questions 1-25 of 88

1 2 3 4

→

Know a question that should be here? Contribute to this exam

Which of the following is a suspicious process behavior?

A PowerShell running an execution policy of RemoteSigned
B An Internet browser (eg., Internet Explorer) performing multiple DNS requests
C PowerShell launching a PowerShell script
D Non-network processes (e.g., notepad.exe) making an outbound network connection

Which SPL (Splunk) field name can be used to automatically convert Unix times (Epoch) to UTC readable time within the Falcon Event Search?

A utc_time
B conv_time
C _time
D time