CrowdStrike CCFH-202 CrowdStrike Certified Falcon Hunter Exam Practice Test

Answer : B

These are the steps required to properly create a custom alert rule. Custom Alerts are a feature that allows you to configure email alerts using predefined templates so you're notified about specific activity in your environment. You can choose from various templates that cover different use cases, such as suspicious PowerShell activity, network connections to risky countries, etc. You can also preview the search results of the template before scheduling the alert. You do not need to create the query for the alert, setup the email template for the alert, or create a new custom template, as these are already provided by the predefined templates.

Answer : B

The Hash Search is an Investigate tool that allows you to search for a file hash and view its process execution history across all hosts in your environment. It shows information such as process name, command line, parent process name, parent command line, etc. for each execution of the file hash. Wildcard searches are permitted with the Hash Search, as long as they are at least four characters long. The Hash Search is available on Linux, as well as Windows and Mac OS X. Module Load History is presented in a Hash Search, along with other information such as File Write History and Detection History.

Answer : C

When you see ''hostnameS'' in the User Name column in the Host Search page, it means that there is no User Name associated with the event. This can happen when the event is related to a system process or service that does not have a user context. It does not mean that the User Name is a System User, that the User Name is not relevant for the dashboard, or that the Falcon sensor could not determine the User Name.

Answer : C

The Hunting and Investigation guide contains example Event Search queries useful for threat hunting. These queries are based on common threat hunting use cases and scenarios, such as finding suspicious processes, network connections, registry activity, etc. The guide also explains how to customize and modify the queries to suit different needs and environments. The guide does not contain a list of all event types and their syntax, as that information is provided in the Events Data Dictionary. The guide also does not contain example Event Search queries useful for Falcon platform configuration, as that is not the focus of the guide.

Answer : C

This is the correct answer for the same reason as above. The Events Data Dictionary provides a reference of information about the events found in the Investigate > Event Search page of the Falcon Console, which is useful for writing hunting queries. It does not provide pre-defined queries, detect names and descriptions, or compatible splunk commands.

Answer : B

When exporting the results of an event search, the data that is saved in the exported file depends on the mode and the tab that is selected. In this case, the mode is Verbose and the tab is Statistics, as indicated by the stats command. Therefore, the data that is saved in the exported file is the results of the Statistics tab, which shows the count of events by ComputerName. The text of the query, all events in the Events tab, and no data are not correct answers.

Answer : C

The table command is used to produce a list of all event occurrences along with selected fields such as the full path, time, username etc. It takes one or more field names as arguments and displays them in a tabular format. The fields command is used to keep or remove fields from search results, not to display them in a list. The distinct_count command is used to count the number of distinct values of a field, not to display them in a list. The values command is used to display a list of unique values of a field within each group, not to display all event occurrences.