Exam CCFH-202
Question 23

Adversaries commonly execute discovery commands such as net.exe, ipconfig.exe, and whoami.exe. Rather than query for each of these commands individually, you would like to use a single query with all of them. What Splunk operator is needed to complete the following query? aid=my-aid event_simpleName=ProcessRollup2 (FileName=net.exe __________ FileName=ipconfig.exe _________ FileName=whoami.exe) | table ComputerName UserName FileName CommandLine

    Correct Answer: A

    To match any one of several values for the same field in Splunk, the OR operator is used: you want every ProcessRollup2 event whose FileName is net.exe, ipconfig.exe, or whoami.exe, so the completed clause is 'FileName=net.exe OR FileName=ipconfig.exe OR FileName=whoami.exe'. AND is the wrong choice because a single process event has exactly one FileName, so requiring all three at once returns nothing. Splunk evaluates OR before the implied AND between terms, so the query would still work without the parentheses, but keeping them makes the intent explicit and avoids surprises when more terms are added. The equivalent shorthand 'FileName IN (net.exe, ipconfig.exe, whoami.exe)' produces the same result set.
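    The following search builds on the question's query to show what a hunter typically does next with the OR/IN pattern: collapse the matching events per host and user and surface endpoints where several different discovery tools ran. This is an added example, not part of the original question or the exam's answer key. It assumes the same placeholder aid=my-aid and the field names the question uses (event_simpleName, FileName, CommandLine, ComputerName, UserName); the two extra binaries (systeminfo.exe, nltest.exe) and the threshold of three distinct tools are assumptions chosen for illustration, not values from the page.

```spl
aid=my-aid event_simpleName=ProcessRollup2
  FileName IN (net.exe, ipconfig.exe, whoami.exe, systeminfo.exe, nltest.exe)
| stats count AS executions
        dc(FileName) AS distinct_tools
        values(FileName) AS discovery_tools
        values(CommandLine) AS command_lines
        BY ComputerName UserName
| where distinct_tools >= 3
| sort - distinct_tools, - executions
```

    The IN clause is interchangeable with the chained FileName=... OR FileName=... form from the answer; it simply keeps the list readable as it grows. The stats stage turns a flat event list into one row per host and user, and the where filter keeps only accounts that ran three or more different discovery tools, which is a stronger signal of hands-on reconnaissance than any single net.exe or whoami.exe execution, both of which are common in legitimate administration.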

Discussion
nestorian (Option: A)

Answer is A. OR

examtopics3000 (Option: A)

Answer is A. OR

Jimmy390 (Option: A)

Answer is A. OR

alanalanalan (Option: A)

Answer is A. OR

gr23 (Option: A)

Answer is A. AND is implied and not needed in most queries.