練習できるCCFH-202問題には認定ガイド問題と解答とトレーニングを提供しています [Q16-Q33]

Share

練習できるCCFH-202問題には認定ガイド問題と解答とトレーニングを提供しています

無料CrowdStrike CCFH-202テスト練習問題試験問題集

質問 # 16
Which of the following Event Search queries would only find the DNS lookups to the domain: www randomdomain com?

  • A. Dns=randomdomain com
  • B. event_simpleName=DnsRequest DomainName=randomdomain com ComputerName=localhost
  • C. ComputerName=localhost DnsRequest "randomdomain com"
  • D. event_simpleName=DnsRequest DomainName=www randomdomain com

正解:D

解説:
This Event Search query would only find the DNS lookups to the domain www randomdomain com, as it specifies the exact event type and domain name to match. The other queries would either find other events or domains that are not relevant to the question.


質問 # 17
Which SPL (Splunk) field name can be used to automatically convert Unix times (Epoch) to UTC readable time within the Flacon Event Search?

  • A. conv_time
  • B. utc_time
  • C. _time
  • D. time

正解:C

解説:
_time is the SPL (Splunk) field name that can be used to automatically convert Unix times (Epoch) to UTC readable time within the Falcon Event Search. It is a default field that shows the timestamp of each event in a human-readable format. utc_time, conv_time, and time are not valid SPL field names for converting Unix times to UTC readable time.


質問 # 18
Which of the following queries will return the parent processes responsible for launching badprogram exe?

  • A. [search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time
  • B. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessld_decimal AS ParentProcessld_decimal | fields aid TargetProcessld_decimal] | stats count by FileName _time
  • C. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessld_decimal AS TargetProcessld_decimal | fields aid TargetProcessld_decimal] | stats count by FileName _time
  • D. [search (ParentProcess) where name=badprogranrexe ] | table ParentProcessName _time

正解:B

解説:
This query will return the parent processes responsible for launching badprogram.exe by using a subsearch to find the processrollup2 events where FileName is badprogram.exe, then renaming the TargetProcessld_decimal field to ParentProcessld_decimal and using it as a filter for the main search, then using stats to count the occurrences of each FileName by _time. The other queries will either not return the parent processes or use incorrect field names or syntax.


質問 # 19
In the Powershell Hunt report, what does the "score" signify?

  • A. A cumulative score of the various potential command line switches
  • B. Maliciousness score determined by NGAV
  • C. Number of hosts that ran the PowerShell script
  • D. How recently the PowerShell script executed

正解:A

解説:
In the Powershell Hunt report, the score signifies a cumulative score of the various potential command line switches that were used in the PowerShell script execution. The score is based on a weighted system that assigns different values to different switches based on their potential maliciousness or usefulness for threat hunting. For example, -EncodedCommand has a higher value than -NoProfile. The score does not signify the number of hosts that ran the PowerShell script, how recently the PowerShell script executed, or the maliciousness score determined by NGAV.


質問 # 20
What topics are presented in the Hunting and Investigation Guide?

  • A. Sample hunting queries, select walkthroughs and best practices for hunting with Falcon
  • B. Detailed tutorial on writing advanced queries such as sub-searches and joins
  • C. Recommended platform configurations and prevention settings to ensure detections are generated for hunting leads
  • D. Detailed summary of event names, descriptions, and some key data fields for hunting and investigation

正解:A

解説:
This is the correct answer for the same reason as above. The Hunting and Investigation guide provides sample hunting queries, select walkthroughs, and best practices for hunting with Falcon. It does not provide a detailed tutorial on writing advanced queries, a detailed summary of event names and descriptions, or recommended platform configurations and prevention settings.


質問 # 21
With Custom Alerts you are able to configure email alerts using predefined templates so you're notified about specific activity in your environment. Which of the following outlines the steps required to properly create a custom alert rule?

  • A. Create the query for the alert, setup the email template for the alert, and then set the schedule for the alert
  • B. Choose the template you would like to configure, setup how often you would like the alert to run, and then schedule the alert
  • C. Choose the template you would like to configure, preview the search results, and then schedule the alert
  • D. Create a new custom template, configure the email template, and then create the custom query for the alert

正解:C

解説:
These are the steps required to properly create a custom alert rule. Custom Alerts are a feature that allows you to configure email alerts using predefined templates so you're notified about specific activity in your environment. You can choose from various templates that cover different use cases, such as suspicious PowerShell activity, network connections to risky countries, etc. You can also preview the search results of the template before scheduling the alert. You do not need to create the query for the alert, setup the email template for the alert, or create a new custom template, as these are already provided by the predefined templates.


質問 # 22
An analyst has sorted all recent detections in the Falcon platform to identify the oldest in an effort to determine the possible first victim host What is this type of analysis called?

  • A. Statistical analysis
  • B. Machine Learning
  • C. Temporal analysis
  • D. Visualization of hosts

正解:C

解説:
Temporal analysis is a type of analysis that focuses on the timing and sequence of events in order to identify patterns, trends, or anomalies. By sorting all recent detections in the Falcon platform to identify the oldest, an analyst can perform temporal analysis to determine the possible first victim host and trace back the origin of an attack.


質問 # 23
Event Search data is recorded with which time zone?

  • A. GMT
  • B. UTC
  • C. EST
  • D. PST

正解:B

解説:
Event Search data is recorded with UTC (Coordinated Universal Time) time zone. UTC is a standard time zone that is used as a reference point for other time zones. PST (Pacific Standard Time), GMT (Greenwich Mean Time), and EST (Eastern Standard Time) are not the time zones that Event Search data is recorded with.


質問 # 24
You need details about key data fields and sensor events which you may expect to find from Hosts running the Falcon sensor. Which documentation should you access?

  • A. Events Data Dictionary
  • B. Hunting and Investigation
  • C. Event stream APIs
  • D. Streaming API Event Dictionary

正解:A

解説:
The Events Data Dictionary found in the Falcon documentation is useful for writing hunting queries because it provides a reference of information about the events found in the Investigate > Event Search page of the Falcon Console. The Events Data Dictionary describes each event type, field name, data type, description, and example value that can be used to query and analyze event data. The Streaming API Event Dictionary, Hunting and Investigation, and Event stream APIs are not documentation that provide details about key data fields and sensor events.


質問 # 25
What is the main purpose of the Mac Sensor report?

  • A. To provide a dashboard for Mac related detections
  • B. To provide a summary view of selected activities on Mac hosts
  • C. To provide vulnerability assessment for Mac Operating Systems
  • D. To identify endpoints that are in Reduced Functionality Mode

正解:B

解説:
The Mac Sensor report is a pre-defined report that provides a summary view of selected activities on Mac hosts. It shows information such as process execution events, network connection events, file write events, etc. that occurred on Mac hosts within a specified time range. The Mac Sensor report does not identify endpoints that are in Reduced Functionality Mode, provide vulnerability assessment for Mac Operating Systems, or provide a dashboard for Mac related detections.


質問 # 26
What Search page would help a threat hunter differentiate testing, DevOPs, or general user activity from adversary behavior?

  • A. Hash Search
  • B. Domain Search
  • C. User Search
  • D. IP Search

正解:C

解説:
User Search is a search page that allows a threat hunter to search for user activity across endpoints and correlate it with other events. This can help differentiate testing, DevOPs, or general user activity from adversary behavior by identifying anomalous or suspicious user actions, such as logging into multiple systems, running unusual commands, or accessing sensitive files.


質問 # 27
The Falcon Detections page will attempt to decode Encoded PowerShell Command line parameters when which PowerShell Command line parameter is present?

  • A. -Hidden
  • B. -nop
  • C. -Command
  • D. -e

正解:C

解説:
The Falcon Detections page will attempt to decode Encoded PowerShell Command line parameters when the -Command parameter is present. The -Command parameter allows PowerShell to execute a specified script block or string. If the script block or string is encoded using Base64 or other methods, the Falcon Detections page will try to decode it and show the original command. The -Hidden, -e, and -nop parameters are not related to encoding or decoding PowerShell commands.


質問 # 28
While you're reviewing Unresolved Detections in the Host Search page, you notice the User Name column contains "hostnameS " What does this User Name indicate?

  • A. The Falcon sensor could not determine the User Name
  • B. The User Name is not relevant for the dashboard
  • C. The User Name is a System User
  • D. There is no User Name associated with the event

正解:D

解説:
When you see "hostnameS" in the User Name column in the Host Search page, it means that there is no User Name associated with the event. This can happen when the event is related to a system process or service that does not have a user context. It does not mean that the User Name is a System User, that the User Name is not relevant for the dashboard, or that the Falcon sensor could not determine the User Name.


質問 # 29
In the MITRE ATT&CK Framework (version 11 - the newest version released in April 2022), which of the following pair of tactics is not in the Enterprise: Windows matrix?

  • A. Reconnaissance and Resource Development
  • B. Privilege Escalation and Initial Access
  • C. Persistence and Execution
  • D. Impact and Collection

正解:A

解説:
Reconnaissance and Resource Development are two tactics that are not in the Enterprise: Windows matrix of the MITRE ATT&CK Framework (version 11). These two tactics are part of the PRE-ATT&CK matrix, which covers the actions that adversaries take before compromising a target. The Enterprise: Windows matrix covers the actions that adversaries take after gaining initial access to a Windows system. Persistence, Execution, Impact, Collection, Privilege Escalation, and Initial Access are all tactics that are in the Enterprise: Windows matrix.


質問 # 30
Which of the following does the Hunting and Investigation Guide contain?

  • A. Example Event Search queries useful for threat hunting
  • B. A list of all event types specifically used for hunting and their syntax
  • C. Example Event Search queries useful for Falcon platform configuration
  • D. A list of all event types and their syntax

正解:A

解説:
The Hunting and Investigation guide contains example Event Search queries useful for threat hunting. These queries are based on common threat hunting use cases and scenarios, such as finding suspicious processes, network connections, registry activity, etc. The guide also explains how to customize and modify the queries to suit different needs and environments. The guide does not contain a list of all event types and their syntax, as that information is provided in the Events Data Dictionary. The guide also does not contain example Event Search queries useful for Falcon platform configuration, as that is not the focus of the guide.


質問 # 31
Refer to Exhibit.

Falcon detected the above file attempting to execute. At initial glance; what indicators can we use to provide an initial analysis of the file?

  • A. Local prevalence, IOC Management action, and Event Search
  • B. VirusTotal, Hybrid Analysis, and Google pivot indicator lights enabled
  • C. File path, hard disk volume number, and IOC Management action
  • D. File name, path, Local and Global prevalence within the environment

正解:D

解説:
The file name, path, Local and Global prevalence are indicators that can provide an initial analysis of the file without relying on external sources or tools. The file name can indicate the purpose or origin of the file, such as if it is a legitimate application or a malicious payload. The file path can indicate where the file was located or executed from, such as if it was in a temporary or system directory. The Local and Global prevalence can indicate how common or rare the file is within the environment or across all Falcon customers, which can help assess the risk or impact of the file.


質問 # 32
What Investigate tool would you use to allow an analyst to view all events for a specific host?

  • A. Host Timeline
  • B. Host Search
  • C. Bulk Timeline
  • D. Process Timeline

正解:A

解説:
The Host Timeline is the Investigate tool that you would use to allow an analyst to view all events for a specific host. The Host Timeline shows a graphical representation of all events that occurred on a host within a specified time range. It allows an analyst to zoom in and out, filter by event type or name, and drill down into event details. The Bulk Timeline, the Host Search, and the Process Timeline are not Investigate tools that you would use to view all events for a specific host.


質問 # 33
......


CrowdStrike CCFH-202 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • Explain what information a Source IP Search provides
  • Explain what the “table” command does and demonstrate how it can be used for formatting output
トピック 2
  • From the Statistics tab, use the left click filters to refine your search
  • Explain what the “join” command does and how it can be used to join disparate queries
トピック 3
  • Demonstrate how to get a Process Timeline
  • Analyze and recognize suspicious overt malicious behaviors
トピック 4
  • Explain what information a Hash Execution Search provides
  • Explain what information a Bulk Domain Search provides
トピック 5
  • Utilize the MITRE ATT&CK Framework to model threat actor behaviors
  • Explain what information a bulk (Destination) IP search provides
トピック 6
  • Identify the vulnerability exploited from an initial attack vector
  • Explain what information is in the Events Data Dictionary

 

試験準備には欠かさない!トップクラスのCrowdStrike CCFH-202試験アプリ学習ガイドで練習問題最新版:https://jp.fast2test.com/CCFH-202-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어