CrowdStrike CCFH-202 - CrowdStrike Certified Falcon Hunter Exam
Page: 2 / 18
Total 88 questions
Question #6 (Topic: Exam A)
A benefit of using a threat hunting framework is that it:
A. Automatically generates incident reports
B. Eliminates false positives
C. Provides high fidelity threat actor attribution
D. Provides actionable, repeatable steps to conduct threat hunting
Answer: D
Question #7 (Topic: Exam A)
Which of the following is an example of a Falcon threat hunting lead?
A. A routine threat hunt query showing process executions of a single-letter filename (e.g., a.exe) from temporary directories
B. Security appliance logs showing potentially bad traffic to an unknown external IP address
C. A help desk ticket for a user clicking on a link in an email causing their machine to become unresponsive and have high CPU usage
D. An external report describing a unique 5-character file extension for ransomware-encrypted files
Answer: A
Question #8 (Topic: Exam A)
The Falcon Detections page will attempt to decode encoded PowerShell command-line parameters when which PowerShell command-line parameter is present?
A. -Command
B. -Hidden
C. -e
D. -nop
Answer: A
Question #9 (Topic: Exam A)
Which structured analytic technique contrasts different hypotheses to determine which is the best leading (prioritized) hypothesis?
A. Model hunting framework
B. Competitive analysis
C. Analysis of competing hypotheses
D. Key assumptions check
Answer: C
Question #10 (Topic: Exam A)
Which SPL (Splunk) field name can be used to automatically convert Unix times (Epoch) to UTC readable time within the Falcon Event Search?
A. utc_time
B. conv_time
C. _time
D. time
Answer: C