リアルCrowdStrike CCFH-202試験問題集には正解62問題と解答があります [Q32-Q57]

Share

リアルCrowdStrike CCFH-202試験問題集には正解62問題と解答があります

有効なCCFH-202テスト解答とCrowdStrike CCFH-202試験PDF問題を試そう

質問 # 32
A benefit of using a threat hunting framework is that it:

  • A. Provides actionable, repeatable steps to conduct threat hunting
  • B. Provides high fidelity threat actor attribution
  • C. Eliminates false positives
  • D. Automatically generates incident reports

正解:A

解説:
A threat hunting framework is a methodology that guides threat hunters in planning, executing, and improving their threat hunting activities. A benefit of using a threat hunting framework is that it provides actionable, repeatable steps to conduct threat hunting in a consistent and efficient manner. A threat hunting framework does not automatically generate incident reports, eliminate false positives, or provide high fidelity threat actor attribution, as these are dependent on other factors such as data sources, tools, and analysis skills.


質問 # 33
Which of the following Event Search queries would only find the DNS lookups to the domain: www randomdomain com?

  • A. ComputerName=localhost DnsRequest "randomdomain com"
  • B. event_simpleName=DnsRequest DomainName=www randomdomain com
  • C. event_simpleName=DnsRequest DomainName=randomdomain com ComputerName=localhost
  • D. Dns=randomdomain com

正解:B

解説:
This Event Search query would only find the DNS lookups to the domain www randomdomain com, as it specifies the exact event type and domain name to match. The other queries would either find other events or domains that are not relevant to the question.


質問 # 34
Which field in a DNS Request event points to the responsible process?

  • A. ContextProcessld_readable
  • B. ParentProcessId_decimal
  • C. ContextProcessld_decimal
  • D. TargetProcessld_decimal

正解:A

解説:
The ContextProcessld_readable field in a DNS Request event points to the responsible process. The ContextProcessld_readable field is the readable representation of the process identifier for the process that initiated the DNS request. It can be used to identify which process was communicating with a specific domain or IP address. The TargetProcessld_decimal, ContextProcessld_decimal, and ParentProcessId_decimal fields do not point to the responsible process.


質問 # 35
What information is provided when using IP Search to look up an IP address?

  • A. Internal IPs only
  • B. Both internal and external IPs
  • C. Suspicious IP addresses
  • D. External IPs only

正解:D

解説:
IP Search is an Investigate tool that allows you to look up information about external IPs only. It shows information such as geolocation, network connection events, detection history, etc. for each external IP address that has communicated with your hosts. It does not show information about internal IPs, suspicious IPs, or both internal and external IPs.


質問 # 36
Which of the following does the Hunting and Investigation Guide contain?

  • A. A list of all event types specifically used for hunting and their syntax
  • B. Example Event Search queries useful for threat hunting
  • C. Example Event Search queries useful for Falcon platform configuration
  • D. A list of all event types and their syntax

正解:B

解説:
The Hunting and Investigation guide contains example Event Search queries useful for threat hunting. These queries are based on common threat hunting use cases and scenarios, such as finding suspicious processes, network connections, registry activity, etc. The guide also explains how to customize and modify the queries to suit different needs and environments. The guide does not contain a list of all event types and their syntax, as that information is provided in the Events Data Dictionary. The guide also does not contain example Event Search queries useful for Falcon platform configuration, as that is not the focus of the guide.


質問 # 37
What topics are presented in the Hunting and Investigation Guide?

  • A. Detailed summary of event names, descriptions, and some key data fields for hunting and investigation
  • B. Sample hunting queries, select walkthroughs and best practices for hunting with Falcon
  • C. Detailed tutorial on writing advanced queries such as sub-searches and joins
  • D. Recommended platform configurations and prevention settings to ensure detections are generated for hunting leads

正解:B

解説:
This is the correct answer for the same reason as above. The Hunting and Investigation guide provides sample hunting queries, select walkthroughs, and best practices for hunting with Falcon. It does not provide a detailed tutorial on writing advanced queries, a detailed summary of event names and descriptions, or recommended platform configurations and prevention settings.


質問 # 38
What do you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search?

  • A. Process Timeline Link
  • B. Process ID or Parent Process ID
  • C. PID
  • D. CID

正解:A

解説:
The Process Timeline Link is what you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search. The Process Timeline Link is an icon that looks like three horizontal bars with dots on them. It appears next to each process name or ID on various pages in Falcon, such as Hash Search results, Detection details, Event Search results, etc. Clicking on it will open a new tab with the Process Timeline for that process. The PID, the Process ID or Parent Process ID, and the CID are not what you click to jump to a Process Timeline.


質問 # 39
What Search page would help a threat hunter differentiate testing, DevOPs, or general user activity from adversary behavior?

  • A. Domain Search
  • B. User Search
  • C. IP Search
  • D. Hash Search

正解:B

解説:
User Search is a search page that allows a threat hunter to search for user activity across endpoints and correlate it with other events. This can help differentiate testing, DevOPs, or general user activity from adversary behavior by identifying anomalous or suspicious user actions, such as logging into multiple systems, running unusual commands, or accessing sensitive files.


質問 # 40
Which threat framework allows a threat hunter to explore and model specific adversary tactics and techniques, with links to intelligence and case studies?

  • A. Director of National Intelligence Cyber Threat Framework
  • B. Lockheed Martin Cyber Kill Chain
  • C. MITRE ATT&CK
  • D. NIST 800-171 Cyber Threat Framework

正解:C

解説:
MITRE ATT&CK is a threat framework that allows a threat hunter to explore and model specific adversary tactics and techniques, with links to intelligence and case studies. It is a knowledge base of adversary behaviors and tactics that covers various platforms, domains, and scenarios. It provides a common language and structure for threat hunters to understand and analyze threats, as well as to share findings and recommendations.


質問 # 41
What Investigate tool would you use to allow an analyst to view all events for a specific host?

  • A. Bulk Timeline
  • B. Host Timeline
  • C. Host Search
  • D. Process Timeline

正解:B

解説:
The Host Timeline is the Investigate tool that you would use to allow an analyst to view all events for a specific host. The Host Timeline shows a graphical representation of all events that occurred on a host within a specified time range. It allows an analyst to zoom in and out, filter by event type or name, and drill down into event details. The Bulk Timeline, the Host Search, and the Process Timeline are not Investigate tools that you would use to view all events for a specific host.


質問 # 42
What is the main purpose of the Mac Sensor report?

  • A. To identify endpoints that are in Reduced Functionality Mode
  • B. To provide vulnerability assessment for Mac Operating Systems
  • C. To provide a dashboard for Mac related detections
  • D. To provide a summary view of selected activities on Mac hosts

正解:D

解説:
The Mac Sensor report is a pre-defined report that provides a summary view of selected activities on Mac hosts. It shows information such as process execution events, network connection events, file write events, etc. that occurred on Mac hosts within a specified time range. The Mac Sensor report does not identify endpoints that are in Reduced Functionality Mode, provide vulnerability assessment for Mac Operating Systems, or provide a dashboard for Mac related detections.


質問 # 43
Which tool allows a threat hunter to populate and colorize all known adversary techniques in a single view?

  • A. MISP
  • B. OpenXDR
  • C. OWASP Threat Dragon
  • D. MITRE ATT&CK Navigator

正解:D

解説:
MITRE ATT&CK Navigator is a tool that allows a threat hunter to populate and colorize all known adversary techniques in a single view. It is based on the MITRE ATT&CK framework, which is a knowledge base of adversary behaviors and tactics. The tool enables threat hunters to create custom matrices, layers, annotations, and filters to explore and model specific adversary techniques, with links to intelligence and case studies.


質問 # 44
Which document provides information on best practices for writing Splunk-based hunting queries, predefined queries which may be customized to hunt for suspicious network connections, and predefined queries which may be customized to hunt for suspicious processes?

  • A. Incident and Detection Monitoring
  • B. Real Time Response and Network Containment
  • C. Hunting and Investigation
  • D. Events Data Dictionary

正解:C

解説:
The Hunting and Investigation document provides information on best practices for writing Splunk-based hunting queries, predefined queries which may be customized to hunt for suspicious network connections, and predefined queries which may be customized to hunt for suspicious processes. As explained above, the Hunting and Investigation document is a guide that provides sample hunting queries, select walkthroughs, and best practices for hunting with Falcon. The other documents do not provide the same information.


質問 # 45
What information is provided from the MITRE ATT&CK framework in a detection's Execution Details?

  • A. Triggering Indicator
  • B. Grouping Tag
  • C. Command Line
  • D. Technique ID

正解:D

解説:
Technique ID is the information that is provided from the MITRE ATT&CK framework in a detection's Execution Details. Technique ID is a unique identifier for each technique in the MITRE ATT&CK framework, such as T1059 for Command and Scripting Interpreter or T1566 for Phishing. Technique ID helps to map a detection to a specific adversary behavior and tactic. Grouping Tag, Command Line, and Triggering Indicator are not information that is provided from the MITRE ATT&CK framework in a detection's Execution Details.


質問 # 46
Where would an analyst find information about shells spawned by root, Kernel Module loads, and wget/curl usage?

  • A. Mac Sensor report
  • B. Sensor Health report
  • C. Sensor Policy Daily report
  • D. Linux Sensor report

正解:D

解説:
The Linux Sensor report is where an analyst would find information about shells spawned by root, Kernel Module loads, and wget/curl usage. The Linux Sensor report is a pre-defined report that provides a summary view of selected activities on Linux hosts. It shows information such as process execution events, network connection events, file write events, etc. that occurred on Linux hosts within a specified time range. The Sensor Health report, the Sensor Policy Daily report, and the Mac Sensor report do not provide the same information.


質問 # 47
In the Powershell Hunt report, what does the "score" signify?

  • A. How recently the PowerShell script executed
  • B. Number of hosts that ran the PowerShell script
  • C. Maliciousness score determined by NGAV
  • D. A cumulative score of the various potential command line switches

正解:D

解説:
In the Powershell Hunt report, the score signifies a cumulative score of the various potential command line switches that were used in the PowerShell script execution. The score is based on a weighted system that assigns different values to different switches based on their potential maliciousness or usefulness for threat hunting. For example, -EncodedCommand has a higher value than -NoProfile. The score does not signify the number of hosts that ran the PowerShell script, how recently the PowerShell script executed, or the maliciousness score determined by NGAV.


質問 # 48
What elements are required to properly execute a Process Timeline?

  • A. Hostname and Local Process ID
  • B. Agent ID (AID) only
  • C. Agent ID (AID) and Target Process ID
  • D. Target Process ID only

正解:C

解説:
The Agent ID (AID) and the Target Process ID are the elements that are required to properly execute a Process Timeline. The Agent ID (AID) is a unique identifier for each host that has a Falcon sensor installed. The Target Process ID is the decimal representation of the process identifier for the process that you want to investigate. These two elements are used to query the cloud for the events related to the process on the host. The Agent ID (AID) only, the Hostname and Local Process ID, and the Target Process ID only are not sufficient to execute a Process Timeline.


質問 # 49
Adversaries commonly execute discovery commands such as netexe, ipconfig.exe, and whoami exe. Rather than query for each of these commands individually, you would like to use a single query with all of them. What Splunk operator is needed to complete the following query?

  • A. AND
  • B. NOT
  • C. IN
  • D. OR

正解:D

解説:
The OR operator is needed to complete the following query, as it allows to search for events that match any of the specified values. The query would look like this:
event_simpleName=ProcessRollup2 FileName=net.exe OR FileName=ipconfig.exe OR FileName=whoami.exe The OR operator is used to combine multiple search terms or expressions and return events that match at least one of them. The IN, NOT, and AND operators are not suitable for this query, as they have different functions and meanings.


質問 # 50
You want to produce a list of all event occurrences along with selected fields such as the full path, time, username etc. Which command would be the appropriate choice?

  • A. distinct count
  • B. table
  • C. fields
  • D. values

正解:B

解説:
The table command is used to produce a list of all event occurrences along with selected fields such as the full path, time, username etc. It takes one or more field names as arguments and displays them in a tabular format. The fields command is used to keep or remove fields from search results, not to display them in a list. The distinct_count command is used to count the number of distinct values of a field, not to display them in a list. The values command is used to display a list of unique values of a field within each group, not to display all event occurrences.


質問 # 51
Refer to Exhibit.

Falcon detected the above file attempting to execute. At initial glance; what indicators can we use to provide an initial analysis of the file?

  • A. VirusTotal, Hybrid Analysis, and Google pivot indicator lights enabled
  • B. File path, hard disk volume number, and IOC Management action
  • C. File name, path, Local and Global prevalence within the environment
  • D. Local prevalence, IOC Management action, and Event Search

正解:C

解説:
The file name, path, Local and Global prevalence are indicators that can provide an initial analysis of the file without relying on external sources or tools. The file name can indicate the purpose or origin of the file, such as if it is a legitimate application or a malicious payload. The file path can indicate where the file was located or executed from, such as if it was in a temporary or system directory. The Local and Global prevalence can indicate how common or rare the file is within the environment or across all Falcon customers, which can help assess the risk or impact of the file.


質問 # 52
Which of the following is a recommended technique to find unique outliers among a set of data in the Falcon Event Search?

  • A. Stacking (Frequency Analysis)
  • B. Time-based Searching
  • C. Hunt-and-Peck Search Methodology
  • D. Machine Learning

正解:A

解説:
Stacking (Frequency Analysis) is a recommended technique to find unique outliers among a set of data in the Falcon Event Search. As explained above, stacking involves grouping events by a common attribute and counting their frequency, then sorting them by ascending or descending order to identify rare or common events. This can help find anomalies or deviations from normal behavior that could indicate malicious activity. Hunt-and-Peck Search Methodology, Time-based Searching, and Machine Learning are not specific techniques to find unique outliers among a set of data.


質問 # 53
SPL (Splunk) eval statements can be used to convert Unix times (Epoch) into UTC readable time Which eval function is correct^

  • A. strftime
  • B. typeof
  • C. now
  • D. relative time

正解:A

解説:
The strftime eval function is used to convert Unix times (Epoch) into UTC readable time. It takes two arguments: a Unix time field and a format string that specifies how to display the time. The now, typeof, and relative_time eval functions are not used to convert Unix times into UTC readable time.


質問 # 54
SPL (Splunk) eval statements can be used to convert Unix times (Epoch) into UTC readable time Which eval function is correct^

  • A. strftime
  • B. typeof
  • C. now
  • D. relative time

正解:A

解説:
The strftime eval function is used to convert Unix times (Epoch) into UTC readable time. It takes two arguments: a Unix time field and a format string that specifies how to display the time. The now, typeof, and relative_time eval functions are not used to convert Unix times into UTC readable time.


質問 # 55
Which structured analytic technique contrasts different hypotheses to determine which is the best leading (prioritized) hypothesis?

  • A. Model hunting framework
  • B. Key assumptions check
  • C. Competitive analysis
  • D. Analysis of competing hypotheses

正解:D

解説:
Analysis of competing hypotheses is a structured analytic technique that contrasts different hypotheses to determine which is the best leading (prioritized) hypothesis. It involves listing all the possible hypotheses, identifying the evidence and assumptions for each hypothesis, evaluating the consistency and reliability of the evidence and assumptions, and rating the likelihood of each hypothesis based on the evidence and assumptions.


質問 # 56
Which of the following is an example of a Falcon threat hunting lead?

  • A. A routine threat hunt query showing process executions of single letter filename (e.g., a.exe) from temporary directories
  • B. A help desk ticket for a user clicking on a link in an email causing their machine to become unresponsive and have high CPU usage
  • C. Security appliance logs showing potentially bad traffic to an unknown external IP address
  • D. An external report describing a unique 5 character file extension for ransomware encrypted files

正解:A

解説:
A Falcon threat hunting lead is a piece of information that can be used to initiate or guide a threat hunting activity within the Falcon platform. A routine threat hunt query showing process executions of single letter filename (e.g., a.exe) from temporary directories is an example of a Falcon threat hunting lead, as it can indicate potential malicious activity that can be further investigated using Falcon data and features. Security appliance logs, help desk tickets, and external reports are not examples of Falcon threat hunting leads, as they are not directly related to the Falcon platform or data.


質問 # 57
......

CCFH-202試験問題と有効なCCFH-202問題集でPDF:https://jp.fast2test.com/CCFH-202-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어