Exam CCFH-202
Question 23

Adversaries commonly execute discovery commands such as net.exe, ipconfig.exe, and whoami.exe. Rather than query for each of these commands individually, you would like to use a single query with all of them. What Splunk operator is needed to complete the following query?

aid=my-aid event_simpleName=ProcessRollup2 (FileName=net.exe __________ FileName=ipconfig.exe _________ FileName=whoami.exe) | table ComputerName UserName FileName CommandLine

    Correct Answer: A

    To query for multiple possible values in Splunk, the OR operator is used. This is because you want to return results where FileName matches any one of the specified values (net.exe, ipconfig.exe, or whoami.exe). Proper usage of the query would be 'FileName=net.exe OR FileName=ipconfig.exe OR FileName=whoami.exe'.

Discussion

5 comments
nestorian (Option: A)
Jul 10, 2023

Answer is A. OR

examtopics3000 (Option: A)
Aug 3, 2023

Answer is A. OR

Jimmy390 (Option: A)
Sep 30, 2023

Answer is A. OR

alanalanalan (Option: A)
Jul 9, 2024

Answer is A. OR

gr23 (Option: A)
Jan 10, 2024

Answer is A. AND is implied and not needed in most queries.