
CCFH-202問題集PDFで100%合格保証付き
CCFH-202ブレーン問題集でリアル試験最新問題2024年03月29日には62問題
質問 # 30
When performing a raw event search via the Events search page, what are Event Actions?
- A. Event Actions contains the summary of actions taken by the Falcon sensor such as quarantining a file, prevent a process from executing or taking no actions and creating a detection only
- B. Event Actions contains an audit information log of actions an analyst took in regards to a specific detection
- C. Event Actions is the field name that contains the event name defined in the Events Data Dictionary such as ProcessRollup, SyntheticProcessRollup, DNS request, etc
- D. Event Actions are pivotable workflows including connecting to a host, pre-made event searches and pivots to other investigatory pages such as host search
正解:D
解説:
When performing a raw event search via the Events search page, Event Actions are pivotable workflows that allow you to perform various tasks related to the event or the host. For example, you can connect to a host using Real Time Response, run pre-made event searches based on the event type or name, or pivot to other investigatory pages such as host search, hash search, etc. Event Actions do not contain audit information log, summary of actions taken by the Falcon sensor, or the event name defined in the Events Data Dictionary.
質問 # 31
When exporting the results of the following event search, what data is saved in the exported file (assuming Verbose Mode)? event_simpleName=*Written | stats count by ComputerName
- A. All events in the Events tab
- B. The results of the Statistics tab
- C. No data Results can only be exported when the "table" command is used
- D. The text of the query
正解:B
解説:
When exporting the results of an event search, the data that is saved in the exported file depends on the mode and the tab that is selected. In this case, the mode is Verbose and the tab is Statistics, as indicated by the stats command. Therefore, the data that is saved in the exported file is the results of the Statistics tab, which shows the count of events by ComputerName. The text of the query, all events in the Events tab, and no data are not correct answers.
質問 # 32
You want to produce a list of all event occurrences along with selected fields such as the full path, time, username etc. Which command would be the appropriate choice?
- A. values
- B. distinct count
- C. table
- D. fields
正解:C
解説:
The table command is used to produce a list of all event occurrences along with selected fields such as the full path, time, username etc. It takes one or more field names as arguments and displays them in a tabular format. The fields command is used to keep or remove fields from search results, not to display them in a list. The distinct_count command is used to count the number of distinct values of a field, not to display them in a list. The values command is used to display a list of unique values of a field within each group, not to display all event occurrences.
質問 # 33
Which of the following Event Search queries would only find the DNS lookups to the domain: www randomdomain com?
- A. ComputerName=localhost DnsRequest "randomdomain com"
- B. Dns=randomdomain com
- C. event_simpleName=DnsRequest DomainName=randomdomain com ComputerName=localhost
- D. event_simpleName=DnsRequest DomainName=www randomdomain com
正解:D
解説:
This Event Search query would only find the DNS lookups to the domain www randomdomain com, as it specifies the exact event type and domain name to match. The other queries would either find other events or domains that are not relevant to the question.
質問 # 34
A benefit of using a threat hunting framework is that it:
- A. Provides high fidelity threat actor attribution
- B. Automatically generates incident reports
- C. Provides actionable, repeatable steps to conduct threat hunting
- D. Eliminates false positives
正解:C
解説:
A threat hunting framework is a methodology that guides threat hunters in planning, executing, and improving their threat hunting activities. A benefit of using a threat hunting framework is that it provides actionable, repeatable steps to conduct threat hunting in a consistent and efficient manner. A threat hunting framework does not automatically generate incident reports, eliminate false positives, or provide high fidelity threat actor attribution, as these are dependent on other factors such as data sources, tools, and analysis skills.
質問 # 35
What information is shown in Host Search?
- A. Prevention Policies
- B. Processes and Services
- C. Quarantined Files
- D. Intel Reports
正解:B
解説:
Processes and Services is one of the information that is shown in Host Search. Host Search is an Investigate tool that allows you to view events by category, such as process executions, network connections, file writes, etc. Processes and Services is one of the categories that shows information such as process name, command line, parent process name, parent command line, etc. for each process execution event on a host. Quarantined Files, Prevention Policies, and Intel Reports are not shown in Host Search.
質問 # 36
Which of the following is an example of actor actions during the RECONNAISSANCE phase of the Cyber Kill Chain?
- A. Emailing the intended victim with a malware attachment
- B. Loading a malicious payload into a common DLL
- C. Discovering internet-facing servers
- D. Installing a backdoor on the victim endpoint
正解:C
解説:
Discovering internet-facing servers is an example of actor actions during the RECONNAISSANCE phase of the Cyber Kill Chain. The RECONNAISSANCE phase is where the adversary researches and identifies targets, vulnerabilities, and attack vectors. Discovering internet-facing servers is a way for the adversary to find potential entry points or weaknesses in the target network.
質問 # 37
What elements are required to properly execute a Process Timeline?
- A. Agent ID (AID) and Target Process ID
- B. Target Process ID only
- C. Hostname and Local Process ID
- D. Agent ID (AID) only
正解:A
解説:
The Agent ID (AID) and the Target Process ID are the elements that are required to properly execute a Process Timeline. The Agent ID (AID) is a unique identifier for each host that has a Falcon sensor installed. The Target Process ID is the decimal representation of the process identifier for the process that you want to investigate. These two elements are used to query the cloud for the events related to the process on the host. The Agent ID (AID) only, the Hostname and Local Process ID, and the Target Process ID only are not sufficient to execute a Process Timeline.
質問 # 38
Event Search data is recorded with which time zone?
- A. EST
- B. PST
- C. GMT
- D. UTC
正解:D
解説:
Event Search data is recorded with UTC (Coordinated Universal Time) time zone. UTC is a standard time zone that is used as a reference point for other time zones. PST (Pacific Standard Time), GMT (Greenwich Mean Time), and EST (Eastern Standard Time) are not the time zones that Event Search data is recorded with.
質問 # 39
Which Falcon documentation guide should you reference to hunt for anomalies related to scheduled tasks and other Windows related artifacts?
- A. MITRE-Based Falcon Detections Framework
- B. Hunting and Investigation
- C. Events Data Dictionary
- D. Customizable Dashboards
正解:B
解説:
The Hunting and Investigation guide is the Falcon documentation guide that you should reference to hunt for anomalies related to scheduled tasks and other Windows related artifacts. The Hunting and Investigation guide provides sample hunting queries, select walkthroughs, and best practices for hunting with Falcon. It covers various topics such as process execution, network connections, registry activity, scheduled tasks, and more.
質問 # 40
Which of the following is TRUE about a Hash Search?
- A. Wildcard searches are not permitted with the Hash Search
- B. The Hash Search is available on Linux
- C. Module Load History is not presented in a Hash Search
- D. The Hash Search provides Process Execution History
正解:D
解説:
The Hash Search is an Investigate tool that allows you to search for a file hash and view its process execution history across all hosts in your environment. It shows information such as process name, command line, parent process name, parent command line, etc. for each execution of the file hash. Wildcard searches are permitted with the Hash Search, as long as they are at least four characters long. The Hash Search is available on Linux, as well as Windows and Mac OS X. Module Load History is presented in a Hash Search, along with other information such as File Write History and Detection History.
質問 # 41
Which tool allows a threat hunter to populate and colorize all known adversary techniques in a single view?
- A. MITRE ATT&CK Navigator
- B. MISP
- C. OpenXDR
- D. OWASP Threat Dragon
正解:A
解説:
MITRE ATT&CK Navigator is a tool that allows a threat hunter to populate and colorize all known adversary techniques in a single view. It is based on the MITRE ATT&CK framework, which is a knowledge base of adversary behaviors and tactics. The tool enables threat hunters to create custom matrices, layers, annotations, and filters to explore and model specific adversary techniques, with links to intelligence and case studies.
質問 # 42
Where would an analyst find information about shells spawned by root, Kernel Module loads, and wget/curl usage?
- A. Sensor Policy Daily report
- B. Linux Sensor report
- C. Mac Sensor report
- D. Sensor Health report
正解:B
解説:
The Linux Sensor report is where an analyst would find information about shells spawned by root, Kernel Module loads, and wget/curl usage. The Linux Sensor report is a pre-defined report that provides a summary view of selected activities on Linux hosts. It shows information such as process execution events, network connection events, file write events, etc. that occurred on Linux hosts within a specified time range. The Sensor Health report, the Sensor Policy Daily report, and the Mac Sensor report do not provide the same information.
質問 # 43
Which of the following is a suspicious process behavior?
- A. An Internet browser (eg, Internet Explorer) performing multiple DNS requests
- B. PowerShell launching a PowerShell script
- C. PowerShell running an execution policy of RemoteSigned
- D. Non-network processes (eg, notepad exe) making an outbound network connection
正解:D
解説:
Non-network processes are processes that are not expected to communicate over the network, such as notepad.exe. If they make an outbound network connection, it could indicate that they are compromised or maliciously used by an adversary. PowerShell running an execution policy of RemoteSigned is a default setting that allows local scripts to run without digital signatures. An Internet browser performing multiple DNS requests is a normal behavior for web browsing. PowerShell launching a PowerShell script is also a common behavior for legitimate tasks.
質問 # 44
How do you rename fields while using transforming commands such as table, chart, and stats?
- A. By specifying the desired name after the field name eg "stats count totalcount by ComputerName"
- B. By using the "renamed" keyword after the field name eg "stats count renamed totalcount by ComputerName"
- C. By renaming the fields with the "rename" command after the transforming command e.g. "stats count by ComputerName | rename count AS total_count"
- D. You cannot rename fields as it would affect sub-queries and statistical analysis
正解:C
解説:
The rename command is used to rename fields while using transforming commands such as table, chart, and stats. It can be used after the transforming command and specify the old and new field names with the AS keyword. You can rename fields as it would not affect sub-queries and statistical analysis, as long as you use the correct field names in your queries. The renamed keyword and the desired name after the field name are not valid ways to rename fields.
質問 # 45
......
CCFH-202問題集には100%厳密検証された問題と解答で合格保証付きもしくは全額返金:https://jp.fast2test.com/CCFH-202-premium-file.html