CCFH-202 CrowdStrike Certified Falcon Hunter Questions and Answers

 The ParentProcessld_decimal event field is what the Process Timeline Events Details table will populate the Parent Process ID and the Parent File columns with when the cloudable Event data contains it. The ParentProcessld_decimal event field is the decimal representation of the process identifier for the parent process of the target process. It can be used to trace the process ancestry and identify potential malicious activity. The ContextProcessld_decimal, RawProcessld_decimal, and RpcProcessld_decimal event fields are not used to populate the Parent Process ID and the Parent File columns.

_time is the SPL (Splunk) field name that can be used to automatically convert Unix times (Epoch) to UTC readable time within the Falcon Event Search. It is a default field that shows the timestamp of each event in a human-readable format. utc_time, conv_time, and time are not valid SPL field names for converting Unix times to UTC readable time.

The Hunting and Investigation document provides information on best practices for writing Splunk-based hunting queries, predefined queries which may be customized to hunt for suspicious network connections, and predefined queries which may be customized to hunt for suspicious processes. As explained above, the Hunting and Investigation document is a guide that provides sample hunting queries, select walkthroughs, and best practices for hunting with Falcon. The other documents do not provide the same information.

This option is the correct one to complete the following EAM query:

event_simpleName=ProcessRollup2 FileName=$Recycle Bin

This query would search for any process execution that used a file stored in the Recycle Bin on a Windows host, as the asterisk (*) is a wildcard character that matches any number of characters before or after the specified string. The other options are not correct, as they use different wildcard characters that do not match the desired pattern.

 Lateral movement through a victim environment is an example of the Command & Control stage of the Cyber Kill Chain. The Cyber Kill Chain is a model that describes the phases of a cyber attack, from reconnaissance to actions on objectives. The Command & Control stage is where the adversary establishes and maintains communication with the compromised systems and moves laterally to expand their access and control.

Bulk Domain Search is the tool that you should use in Falcon to review a list of domains recently banned by your organization’s acceptable use policy and look for the number of hosts that have visited each domain. Bulk Domain Search is an Investigate tool that allows you to search for multiple domains at once and view their network connection events across all hosts in your environment. It shows information such as domain name, number of hosts visited, number of detections generated, etc. for each domain. Create a custom alert for each domain, Allowed Domain Summary Report, and IP Addresses Search are not tools that you should use for this purpose.