Certified Falcon Hunter

Here you have the best CrowdStrike CCFH-202 practice exam questions

  • You have 59 total questions to study from
  • Each page has 5 questions, making a total of 12 pages
  • You can navigate through the pages using the buttons at the bottom
  • This questions were last updated on December 19, 2024
Question 1 of 59

Which of the following is a suspicious process behavior?

    Correct Answer: D

    A non-network process like notepad.exe making an outbound network connection is highly suspicious because such applications generally do not require internet access. This behavior could indicate that malware is attempting to establish communication with a remote server or exfiltrate data, making it a significant red flag for potential malicious activity.

Question 2 of 59

Which field should you reference in order to find the system time of a *FileWritten event?

    Correct Answer: A

    The correct field to reference for finding the system time of a *FileWritten event is 'ContextTimeStamp_decimal'. This field indicates the time at which an event occurred on the system as seen by the sensor. It captures the system time of the event, which is what is required to determine when the FileWritten event took place.

Question 3 of 59

What Search page would help a threat hunter differentiate testing, DevOPs, or general user activity from adversary behavior?

    Correct Answer: D

    To differentiate testing, DevOps, or general user activity from adversary behavior, a threat hunter would benefit from a User Search page. This page allows the correlation of user activity across endpoints and helps identify anomalous or suspicious user actions, such as logging into multiple systems, running unusual commands, or accessing sensitive files, which are indicative of adversary behavior.

Question 4 of 59

An analyst has sorted all recent detections in the Falcon platform to identify the oldest in an effort to determine the possible first victim host. What is this type of analysis called?

    Correct Answer: C

    The type of analysis described involves sorting detections based on their timestamps to identify the first occurrence or oldest detection. This approach, focusing on the timing and sequence of events, is known as temporal analysis.

Question 5 of 59

Falcon detected the above file attempting to execute. At initial glance, what indicators can we use to provide an initial analysis of the file?

    Correct Answer: B

    For the initial analysis of the file detected by Falcon, the most relevant indicators are the file name and path, as well as the file's local and global prevalence within the environment. These indicators provide crucial information about the file's origin, its location within the system, and how commonly the file is encountered both locally and globally. This helps in assessing the potential risk and determining whether the file is likely to be malicious or benign.