Which of the following is the proper method to quantify search results, enabling a hunter to quickly sort and identify outliers?
Using the “| stats count by” command at the end of a search string in Event Search is the proper method to quantify search results. This command aggregates the events a search returns and counts them per distinct value of the field (or fields) you name after “by”, producing a table the hunter can sort to find outliers: values that occur far more, or far less, often than the rest. Breaking the count down by criteria such as host, user or file name makes anomalies easier to spot than a raw event list or a single total would.
The "| stats count by" command allows you to aggregate and count results based on specific fields, which is useful for quantifying and summarizing search results and identifying outliers based on different criteria.
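A worked example of what “| stats count by” does, added here and not part of the original answer or of any CrowdStrike material: the Python below reproduces the semantics of “stats count” and “stats count by” over a constructed set of process events, then sorts the counts to surface the rare values a hunter would triage first. The field names event_simpleName, ComputerName and FileName follow the Falcon ProcessRollup2 convention, but the records themselves are made up, and the search it mirrors is assumed to be of the form `event_simpleName=ProcessRollup2 | stats count by ComputerName, FileName | sort -count`.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample events (made up for this example, not real Falcon telemetry).
# Each record mimics a ProcessRollup2 event with the two fields we group on.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-01", "FileName": "chrome.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-01", "FileName": "chrome.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-01", "FileName": "chrome.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-02", "FileName": "chrome.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-02", "FileName": "chrome.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-02", "FileName": "outlook.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-03", "FileName": "chrome.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-03", "FileName": "certutil.exe"},
    # A record with no FileName: `stats count by FileName` drops it, plain `stats count` does not.
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-04"},
]

Key = Tuple[str, ...]


def stats_count(events: Iterable[Dict[str, str]]) -> int:
    """`| stats count`: a single number, the total events the search returned."""
    return sum(1 for _ in events)


def stats_count_by(events: Iterable[Dict[str, str]], *fields: str) -> Dict[Key, int]:
    """`| stats count by f1, f2, ...`: count events per distinct tuple of field values.

    Events missing any of the by-fields are excluded, matching how stats treats null keys.
    """
    counts: Counter = Counter()
    for ev in events:
        if any(f not in ev for f in fields):
            continue
        counts[tuple(ev[f] for f in fields)] += 1
    return dict(counts)


def sort_by_count(counts: Dict[Key, int], descending: bool = True) -> List[Tuple[Key, int]]:
    """`| sort -count` (descending) or `| sort count` (ascending); ties are broken by key."""
    return sorted(counts.items(), key=lambda kv: ((-kv[1] if descending else kv[1]), kv[0]))


def rare_keys(counts: Dict[Key, int], threshold: int = 1) -> List[Key]:
    """Groups seen at most `threshold` times: the long tail a hunter reviews first."""
    return [key for key, n in sort_by_count(counts, descending=False) if n <= threshold]


def render(counts: Dict[Key, int], fields: Tuple[str, ...]) -> str:
    """Format the result like the stats table in Event Search, most common row first."""
    header = " | ".join(fields + ("count",))
    rows = [" | ".join(key + (str(n),)) for key, n in sort_by_count(counts)]
    return "\n".join([header] + rows)


if __name__ == "__main__":
    print("stats count ->", stats_count(SAMPLE_EVENTS))
    by_file = stats_count_by(SAMPLE_EVENTS, "FileName")
    print(render(by_file, ("FileName",)))
    print("rare FileName values:", rare_keys(by_file))
    by_host_file = stats_count_by(SAMPLE_EVENTS, "ComputerName", "FileName")
    print(render(by_host_file, ("ComputerName", "FileName")))
```

The contrast between `stats_count` and `stats_count_by` is the point of the question: without “by”, the search collapses to one total and there is nothing to sort; with “by”, each distinct value gets its own row, and sorting the count column ascending puts the one-off binaries (certutil.exe on a single host here) at the top of the list.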
Answer: A
A. Using the “| stats count by” command at the end of a search string in Event Search
Keyword: stats count by
Reference: Investigating and Querying Event Data with Falcon EDR
100 percent A
I think B is wrong because stats count "by" has to be there.
Answer is A. stats count BY. Look at any of the sample queries CS gives you on their blogs and they all have stats count BY.
I think this is a bad question though: you could use stats count or stats count by, depending on what the desired outcome is, and that is not specified clearly in the question.