Free CCFH-202 Sample Questions — CrowdStrike Certified Falcon Hunter

Free CCFH-202 sample questions for the CrowdStrike Certified Falcon Hunter exam. No account required: study at your own pace.

Want an interactive quiz? Take the full CCFH-202 practice test

Looking for more? Click here to get the full PDF with 86+ practice questions for $10 for offline study and deeper preparation.

Question 1

Which structured analytic technique contrasts different hypotheses to determine which is the best leading (prioritized) hypothesis?

  • A. Model hunting framework
  • B. Competitive analysis
  • C. Analysis of competing hypotheses
  • D. Key assumptions check
Correct Answer: C. Analysis of competing hypotheses
Question 2

Which of the following is a recommended technique to find unique outliers among a set of data in the Falcon Event Search?

  • A. Hunt-and-Peck Search Methodology
  • B. Stacking (Frequency Analysis)
  • C. Time-based Searching
  • D. Machine Learning
Correct Answer: B. Stacking (Frequency Analysis)
Question 3

You are reviewing a list of domains recently banned by your organization's acceptable use policy. In particular, you are looking for the number of hosts that have visited each domain. Which tool should you use in Falcon?

  • A. Create a custom alert for each domain
  • B. Allowed Domain Summary Report
  • C. Bulk Domain Search
  • D. IP Addresses Search
Correct Answer: C. Bulk Domain Search
Question 4

To view Files Written to Removable Media within a specified timeframe on a host within the Host Search page, expand and refer to the _____________ dashboard panel.

  • A. Command Line and Admin Tools
  • B. Processes and Services
  • C. Registry, Tasks, and Firewall
  • D. Suspicious File Activity
Correct Answer: D. Suspicious File Activity
Question 5

Which of the following process trees should raise the most suspicion that adversary activity may be present on a web server?

  • A. SMSS.EXE >> WINLOGON.EXE >> USERINIT.EXE >> EXPLORER.EXE >> WORD.EXE
  • B. WINLOGON.EXE >> USERINIT.EXE >> EXPLORER.EXE >> OUTLOOK.EXE >> CHROME.EXE
  • C. WININIT.EXE >> SERVICES >> SVCHOST.EXE >> TASKENG.EXE >> POWERSHELL.EXE
  • D. WININIT.EXE >> SERVICES >> SVCHOST.EXE >> W3WP.EXE >> CMD.EXE
Correct Answer: D. WININIT.EXE >> SERVICES >> SVCHOST.EXE >> W3WP.EXE >> CMD.EXE
Question 6

Suspicious RDP connections have been observed on a host within your environment. How do you use Event Search to show all such connections on this specific host?

  • A. event_simpleName=UserIdentity LogonType_decimal=10 | table timestamp ComputerName UserName UserPrincipal LogonServer
  • B. Table timestamp ComputerName UserName UserPrincipal LogonServer
  • C. UserIdentity=LogonType_decimal=10 | table timestamp UserPrincipal LogonServer
  • D. aid=[my-aid] event_simpleName=UserIdentity LogonType_decimal=10 | table timestamp ComputerName UserName UserPrincipal LogonServer
Correct Answer: D. aid=[my-aid] event_simpleName=UserIdentity LogonType_decimal=10 | table timestamp ComputerName UserName UserPrincipal LogonServer
Question 7

Which tool allows a threat hunter to populate and colorize all known adversary techniques in a single view?

  • A. MISP
  • B. OWASP Threat Dragon
  • C. Open XDR
  • D. MITRE ATT&CK Navigator
Correct Answer: D. MITRE ATT&CK Navigator
Question 8

What Investigate tool would you use to allow an analyst to view all events for a specific host?

  • A. Bulk Timeline
  • B. Host Search
  • C. Host Timeline
  • D. Process Timeline
Correct Answer: C. Host Timeline
Question 9

While on the Statistics tab in Event Search, you can click on results to perform a number of actions. If you select “Exclude from results”, what happens?

  • A. It will update the Search to remove that field name from results
  • B. It will update the Search to remove results matching on the field/value pair
  • C. There is no “Exclude from results” option
  • D. It will update the Search to remove the results matching that value
Correct Answer: D. It will update the Search to remove the results matching that value
Question 10

To find events that are outliers inside a network, ___________ is the best hunting method to use.

  • A. time-based
  • B. machine learning
  • C. searching
  • D. stacking
Correct Answer: D. stacking
Question 11

Which of the following best describes the purpose of the Mac Sensor report?

  • A. The Mac Sensor report displays a listing of all Mac hosts without a Falcon sensor installed
  • B. The Mac Sensor report provides a detection focused view of known malicious activities occurring on Mac hosts, including machine-learning and indicator-based detections
  • C. The Mac Sensor report displays a listing of all Mac hosts with a Falcon sensor installed
  • D. The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts, including items of interest that may be hunting or investigation leads
Correct Answer: D. The Mac Sensor report provides a comprehensive view of activities occurring on Mac hosts, including items of interest that may be hunting or investigation leads
Question 12

What do you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search?

  • A. PID
  • B. Process ID or Parent Process ID
  • C. CID
  • D. Process Timeline Link
Correct Answer: B. Process ID or Parent Process ID
Question 13

What information is provided when using IP Search to look up an IP address?

  • A. Both internal and external IPs
  • B. Suspicious IP addresses
  • C. External IPs only
  • D. Internal IPs only
Correct Answer: A. Both internal and external IPs
Question 14

When exporting the results of the following event search, what data is saved in the exported file (assuming Verbose Mode)? event_simpleName=*Written | stats count by ComputerName

  • A. The text of the query
  • B. The results of the Statistics tab
  • C. No data. Results can only be exported when the “table” command is used
  • D. All events in the Events tab
Correct Answer: B. The results of the Statistics tab
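Questions 2, 10 and 14 all come down to the same move: count how often each field combination occurs and read the list from the rare end. The block below is an added example, not code from the page or from CrowdStrike, that does this in Python over constructed events. The field names mirror real Falcon ProcessRollup2 fields (ComputerName, ParentBaseFileName, FileName, CommandLine); every host, user and command value is invented.

```python
"""Stacking (frequency analysis) over Falcon-style process events.

Added example; not code from the page or from CrowdStrike. The events are
constructed to mirror a few real Falcon ProcessRollup2 field names, with
invented values.
"""
from collections import Counter

# Constructed sample: routine activity on workstations and IIS hosts, plus
# two one-off parent/child pairs that a hunter would want to see first.
EVENTS = [
    {"ComputerName": "WS-01", "ParentBaseFileName": "explorer.exe", "FileName": "chrome.exe", "CommandLine": "chrome.exe"},
    {"ComputerName": "WS-02", "ParentBaseFileName": "explorer.exe", "FileName": "chrome.exe", "CommandLine": "chrome.exe"},
    {"ComputerName": "WS-03", "ParentBaseFileName": "explorer.exe", "FileName": "chrome.exe", "CommandLine": "chrome.exe"},
    {"ComputerName": "WS-01", "ParentBaseFileName": "explorer.exe", "FileName": "outlook.exe", "CommandLine": "outlook.exe"},
    {"ComputerName": "WS-02", "ParentBaseFileName": "explorer.exe", "FileName": "outlook.exe", "CommandLine": "outlook.exe"},
    {"ComputerName": "WEB-01", "ParentBaseFileName": "svchost.exe", "FileName": "w3wp.exe", "CommandLine": "w3wp.exe -ap DefaultAppPool"},
    {"ComputerName": "WEB-02", "ParentBaseFileName": "svchost.exe", "FileName": "w3wp.exe", "CommandLine": "w3wp.exe -ap DefaultAppPool"},
    {"ComputerName": "WEB-01", "ParentBaseFileName": "svchost.exe", "FileName": "w3wp.exe", "CommandLine": "w3wp.exe -ap ApiPool"},
    # IIS worker spawning a shell: seen once, the kind of chain Question 5 asks about
    {"ComputerName": "WEB-02", "ParentBaseFileName": "w3wp.exe", "FileName": "cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # Office spawning PowerShell once on one workstation
    {"ComputerName": "WS-03", "ParentBaseFileName": "winword.exe", "FileName": "powershell.exe", "CommandLine": "powershell -nop -w hidden"},
]


def stack(events, fields):
    """Count each distinct combination of `fields`, like `| stats count by f1 f2`."""
    return Counter(tuple(str(e.get(f, "")) for f in fields) for e in events)


def rarest(events, fields, limit=5):
    """Least-frequent combinations first (sorted by count, then by key).

    Reading the stack from the bottom is the actual hunting step: the long
    tail is where one-off pairs such as w3wp.exe -> cmd.exe surface.
    """
    return sorted(stack(events, fields).items(), key=lambda kv: (kv[1], kv[0]))[:limit]


def outliers(events, fields, max_count=1):
    """Combinations seen at most `max_count` times, as a list of field tuples."""
    return [key for key, n in stack(events, fields).items() if n <= max_count]


if __name__ == "__main__":
    pair = ("ParentBaseFileName", "FileName")
    print("count by ComputerName (the Question 14 query, on these events):")
    for (host,), n in stack(EVENTS, ("ComputerName",)).most_common():
        print(f"  {n:3d}  {host}")
    print("rarest parent/child pairs (Questions 2 and 10):")
    for (parent, child), n in rarest(EVENTS, pair):
        print(f"  {n:3d}  {parent} -> {child}")
```

On real data the stack is far longer, so stack on a small, high-signal field set (parent/child names, or child plus a normalized command line) and raise `max_count` only as far as the environment's noise requires; a pair seen a handful of times across thousands of hosts is still an outlier.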
Question 15

The Process Timeline Events Details table will populate the Parent Process ID and the Parent File columns when the cloudable Event data contains which event field?

  • A. ContextProcessId_decimal
  • B. RawProcessId_decimal
  • C. ParentProcessId_decimal
  • D. RpcProcessId_decimal
Correct Answer: C. ParentProcessId_decimal
Question 16

Which report would you use to find when a specific user last reset their password?

  • A. Falcon UI Audit Trail
  • B. Remote Access Graph Visibility Report
  • C. User Timeline
  • D. Logon Activities Visibility Report
Correct Answer: C. User Timeline
Question 17

When configuring a custom alert, how do you separate recipient email addresses if including more than 1 recipient?

  • A. Colon ':'
  • B. Comma ','
  • C. Select emails via the dropdown user selector
  • D. Semi-colon ';'
Correct Answer: B. Comma ','
Question 18

SPL (Splunk) eval statements can be used to convert Unix times (Epoch) into UTC readable time. Which eval function is correct?

  • A. now
  • B. typeof
  • C. strftime
  • D. relative_time
Correct Answer: C. strftime
Question 19

In which of the following stages of the Cyber Kill Chain does the actor not interact with the victim endpoint(s)?

  • A. Exploitation
  • B. Weaponization
  • C. Command & control
  • D. Installation
Correct Answer: B. Weaponization
Question 20

You want to produce a list of all event occurrences along with selected fields such as the full path, time, username etc. Which command would be the appropriate choice?

  • A. fields
  • B. distinctcount
  • C. table
  • D. values
Correct Answer: C. table
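Questions 6, 18 and 20 together describe one hunt: scope to a host by aid, keep only UserIdentity events with LogonType 10 (RemoteInteractive, i.e. RDP), make the epoch timestamps readable with strftime, and lay the rows out with table. The block below is an added example, not code from the page or from CrowdStrike, that performs the same three steps in Python over constructed events. It assumes the `timestamp` field is epoch milliseconds stored as a string, which is why it divides by 1000 before formatting; check that against your own events before reusing the conversion. The aid values, hostnames, users and times are invented.

```python
"""RDP logon hunt scoped to one host, with UTC timestamps and a field table.

Added example; not code from the page or from CrowdStrike. Python
counterpart of:
  aid=[my-aid] event_simpleName=UserIdentity LogonType_decimal=10
  | eval utc=strftime(timestamp/1000, "%Y-%m-%d %H:%M:%S")
  | table utc ComputerName UserName UserPrincipal LogonServer
Assumption: `timestamp` is epoch milliseconds as a string. All values below
are constructed.
"""
import time

RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive (RDP)

# Constructed UserIdentity/ProcessRollup2 events: two RDP logons on the target
# aid, one console logon (type 2), one RDP logon on a different aid, and one
# non-logon event, so every clause of the filter has something to drop.
EVENTS = [
    {"aid": "aabbcc001", "event_simpleName": "UserIdentity", "LogonType_decimal": "10",
     "timestamp": "1700000000000", "ComputerName": "WEB-02", "UserName": "svc_backup",
     "UserPrincipal": "svc_backup@corp.example", "LogonServer": "DC01"},
    {"aid": "aabbcc001", "event_simpleName": "UserIdentity", "LogonType_decimal": "2",
     "timestamp": "1700000300000", "ComputerName": "WEB-02", "UserName": "admin",
     "UserPrincipal": "admin@corp.example", "LogonServer": "DC01"},
    {"aid": "aabbcc002", "event_simpleName": "UserIdentity", "LogonType_decimal": "10",
     "timestamp": "1700000600000", "ComputerName": "WS-07", "UserName": "jdoe",
     "UserPrincipal": "jdoe@corp.example", "LogonServer": "DC02"},
    {"aid": "aabbcc001", "event_simpleName": "ProcessRollup2", "timestamp": "1700000900000",
     "ComputerName": "WEB-02", "FileName": "cmd.exe"},
    {"aid": "aabbcc001", "event_simpleName": "UserIdentity", "LogonType_decimal": "10",
     "timestamp": "1700003600000", "ComputerName": "WEB-02", "UserName": "jdoe",
     "UserPrincipal": "jdoe@corp.example", "LogonServer": "DC01"},
]


def strftime_utc(ts_ms, fmt="%Y-%m-%d %H:%M:%S"):
    """Counterpart of SPL strftime(timestamp/1000, fmt), always rendered in UTC."""
    return time.strftime(fmt, time.gmtime(int(ts_ms) / 1000))


def rdp_logons(events, aid):
    """Filter equivalent of: aid=<aid> event_simpleName=UserIdentity LogonType_decimal=10."""
    return [
        e for e in events
        if e.get("aid") == aid
        and e.get("event_simpleName") == "UserIdentity"
        and str(e.get("LogonType_decimal")) == str(RDP_LOGON_TYPE)
    ]


def table(events, fields):
    """Equivalent of `| table f1 f2 ...`: one row per event, only the chosen fields, in order."""
    return [{f: e.get(f, "") for f in fields} for e in events]


def rdp_table(events, aid):
    """Full pipeline: filter, add a readable UTC column, then select the output fields."""
    rows = []
    for e in sorted(rdp_logons(events, aid), key=lambda e: int(e["timestamp"])):
        row = dict(e)
        row["utc"] = strftime_utc(e["timestamp"])
        rows.append(row)
    return table(rows, ("utc", "ComputerName", "UserName", "UserPrincipal", "LogonServer"))


if __name__ == "__main__":
    for row in rdp_table(EVENTS, "aabbcc001"):
        print("  ".join(str(v) for v in row.values()))
```

The order of the three steps matters for the same reason it does in SPL: filter first so the timestamp conversion and the table run over a handful of logon events rather than every event the host emitted, and render in UTC so rows from hosts in different time zones line up when you compare them.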

Aced these? Get the Full Exam

Download the complete CCFH-202 study bundle with 86+ questions in a single printable PDF.