An attacker created a scheduled task which executes a remote management application.
Which MITRE ATT&CK Matrix for Enterprise stage is this an example of?
A. Lateral Movement
B. Privilege Escalation
C. Gaining Access
D. Persistence

You are investigating an alert for a process that connected to the following suspicious domain: reallysuspiciousdomain[.]com
Which of the Investigate dashboards would provide a list of processes that looked up the specified domain?
A. IP addresses
B. Bulk domains
C. Geo location activity
D. Remote access graph

You want to use result data from an Advanced Event Search to create a custom dashboard that will display the total number of detections in a seven-day time period.
Which widget will allow you to display the total number of detections as buckets on a timeline?
A. Time Chart Widget
B. Event List Widget
C. Sankey Diagram Widget
D. Bar Chart Widget

During an investigation, you discover a Falcon host connecting from a country outside of those you normally do business with.
Which built-in report would display Falcon hosts connecting from that country?
A. Global connection heat map
B. Geo location activity
C. Remote access graph
D. Attack Paths

Which CQL function is recommended to use when exporting a few fields from a large number of events (>100,000) to a CSV?
A. collect()
B. select()
C. table()
D. outputCsv()

You suspect that a user is abusing their admin privileges and you want to see the recent commands they have been utilizing.
Which Investigate search will identify this?
A. Process Context
B. User Search
C. Process timeline
D. Host Search

You want to use result data from an Advanced Event Search to create a custom dashboard that will display the total number of detections in a seven-day time period.
Which widget will allow you to display the total number of detections as a single value digit?
A. Scatter Chart Widget
B. Gauge Widget
C. Heat Map Widget
D. Time Chart Widget

Your organization has identified a malicious Scheduled task that executes every 5 minutes.
Which LogScale event search function can be used to quickly identify and display the unique hosts affected by the malware?
A. stats
B. uniq
C. table()
D. groupBy()

Which field in an event would show you whether a file was downloaded from a restricted site?
A. EventOrigin
B. HostUrl
C. ReferrerUrl
D. ZoneIdentifier

While reviewing network activity, you notice an increase in DNS requests for a newly registered domain with a poor reputation.
What is an appropriate first step to examine this potential threat?
A. Contain the hosts connecting to the domain to prevent lateral movement
B. Utilize Falcon Investigate to find all hosts that are querying the domain
C. Scan your environment for malware
D. Block all DNS traffic to the potentially suspicious domain

Which action helps identify an enterprise-wide file infection?
A. Utilize the IP addresses Investigate dashboard to find the hosts' processes that are connecting to an unusual IP
B. Monitor the Falcon Console for alerts on suspicious process activity
C. Utilize CrowdStrike Query Language (CQL) to search for files with specific hashes or attributes
D. Analyze the Investigate Host dashboard to identify endpoints with high-risk file activity

Falcon Machine Learning has prevented and quarantined a file being written to disk that has VSCode as a parent process. This file was compiled by the system owner.
What should the next steps be?
A. Detonate the file in a private sandbox, and write a Machine Learning exclusion if the file activity is expected
B. Detonate the file in a private or public sandbox, and write a Machine Learning exclusion
C. Detonate the file in a private sandbox, and write an exclusion for the Indicator of Attack if the file activity is expected

You are investigating detections around network reconnaissance activity including multiple commands executed by cmd.exe and need to identify the root cause.
How can you quickly verify if these commands are the result of an exploited vulnerability?
A. Check the process tree and all parent processes to see how cmd.exe was launched
B. Contain the host and see if more commands are being issued by this process
C. Compare the utilized commands in cmd.exe to other commands used by admins of this organization

Which pre-defined reports will show activities that typically indicate suspicious activity occurring on a system?
A. Hunt reports
B. Timeline reports
C. Scheduled searches
D. Sensor reports

What is an appropriate use for the join() function within a query?
A. When you need to join the same query from different time frames
B. When you have two queries with a common value that need to be combined
C. When you have two queries that may contain correlated information that you want to combine
D. When you want to combine two queries to generate additional fields

While performing triage on a detection, you notice an event with the name SyntheticProcessRollup2.
What conclusion can be made about this event?
A. The event was generated for a process which is not built into the host's Operating System
B. The event was generated for a process which started before the sensor did
C. The event was generated to provide context on process injection techniques being used on the host
D. The event was generated as a result of a critical detection

What can a hunter add at the end of a search string in Advanced Event Search to identify outliers when quantifying the results?
A. | groupBy()
B. | group()
C. | eval()
D. | sample()

Falcon has detected and prevented credential dumping activity on a domain controller. There were no obvious credential dumping tools identified in the detection.
What is the next step in your investigation?
A. Perform a PowerShell hunt across the environment
B. Review dump sites and the dark web for the exposed credentials
C. Perform an advanced event search and investigate the time window of events surrounding the alert
D. Escalate the activity to your IT department and inquire if they are performing this activity

You receive an alert for the following process tree:
IIS/W3WP.exe -> Powershell.exe -> cmd.exe -> whoami.exe -> net1.exe
Which of the following describes what has occurred?
A. Email gateway validating user permissions with whoami and network status with net1
B. Reconnaissance commands run via a Webserver compromise
C. Webserver troubleshooting user access issues by querying whoami and net1
D. Email gateway automating routine tasks for whoami and net1 networking configuration

You've written a complex query within Advanced Event Search that is returning millions of events, making it difficult to threat hunt for particular file metadata.
Which option would decrease query time and remove values that are not of interest?
A. Filtering the results to remove irrelevant events
B. Aggregating the results to group by a specific value
C. Adding a value as a column within the ingested field

Your organization uses an internally developed application for operations. The application is triggering Indicators of Attack (IOA) detections for vulnerable driver usage on servers where Falcon was just installed. After reviewing the application, you determine that application behavior is expected.
What will reduce risk in the environment the most?
A. Create an IOA exclusion for this activity
B. Create a Machine Learning Exclusion
C. Create a Sensor Visibility Exclusion
D. Update the vulnerable driver to a non-vulnerable recent version

When investigating two related processes within Advanced Event Search, how does the ContextProcessId relate to the TargetProcessId?
A. When Process 1 spawns, it has a TargetProcessId and matches the ContextProcessId of Process 1 for a different process chain
B. When Process 1 spawns Process 2, the ContextProcessId of Process 1 will match the TargetProcessId of Process 2
C. When Process 1 spawns Process 2, the TargetProcessId of Process 1 will match the ContextProcessId of Process 2
D. When Process 1 spawns, it has a ContextProcessId and matches the TargetProcessId of Process 1 for a different process chain

Which document can reference any searchable event and its description?
A. Events Full Reference (Events Data Dictionary)
B. Query Builder
C. Events Index
D. Advanced Event Search

Where can you find details about key data fields to use in an advanced search query?
A. In the Lookup Files section
B. Via the Support Portal
C. Via the Falcon console docs
D. In the CrowdStrike Open Source Events Reference

Which function would you add to a groupBy() to show all the associated domain names that an executable communicated to in a single record?