The CCFH-202 exam is the final step toward the completion of CCFH certification. Passcert CrowdStrike Certified Falcon Hunter CCFH-202 Dumps are designed by experts who have extensive knowledge and experience in the CCFH-202 exam domain. They update their dumps regularly to reflect the latest changes and trends in the exam content. Passcert CrowdStrike Certified Falcon Hunter CCFH-202 Dumps contain real and valid questions and answers that cover all the topics and objectives of the CCFH-202 exam. You can use Passcert CrowdStrike Certified Falcon Hunter CCFH-202 Dumps to test your knowledge, identify your weak areas, improve your skills, and boost your confidence.
The CCFH exam is a 90-minute, 60-question assessment. This exam passed several rounds of editing by both technical and non-technical experts and has been tested by a wide variety of candidates.
1.2 Utilize the MITRE ATT&CK Framework to model threat actor behaviors
1.3 Operationalize the MITRE ATT&CK Framework to look for research threat models, TTPs and threat actors, and pivot as necessary and convey to non-technical audiences
2.2 Explain what a Process Timeline will provide
2.3 Demonstrate how to get a Process Timeline
2.4 Explain what a Host Timeline will provide
3.2 Explain what information a bulk (Destination) IP search provides
3.3 Pivot on results (PID vs. Process ID, etc.)
3.4 Explain what information a User Search provides
3.5 Explain what information a Host Search provides
3.6 Explain what information a Source IP Search provides
3.7 Explain what information a Hash Search provides
3.8 Explain what information a Hash Execution Search provides
3.9 Explain what information a Bulk Domain Search provides
3.10 Write an effective custom alert rule
3.11 Explain what event actions do
4.2 Perform a basic keyword search
4.3 Use Splunk syntax to refine your search (using fields such as ComputerName, event_simpleName, etc.)
4.4 Use interesting fields to refine your search
4.5 From the Statistics tab, use the left click filters to refine your search
4.6 Describe the process relationship of (Target/Parent/Context)
4.7 Explain how the rename command is used in a query related to associated event data, such as parent/target/context relationships
4.8 Explain what the “table” command does and demonstrate how it can be used for formatting output
4.9 Explain what the “stats count by” command does and demonstrate how it can be used for statistical analysis
4.10 Explain what the “join” command does and how it can be used to join disparate queries
4.11 Explain key event data types
4.12 Export search results
4.13 Convert and format Unix times to UTC-readable time
5.2 Explain what information a Mac Sensor Report will provide
5.3 Locate built-in Hunting reports and explain what they provide
5.4 Explain what information the PowerShell Hunt report provides and demonstrate how to filter it
5. 5 Demonstrate the ability to find built-in visibility reports and explain what they provide
6.2 Demonstrate knowledge of target systems (asset inventory and who would target those assets)
6.3 Evaluate information for reliability, validity and relevance for use in the process of elimination
6.4 Identify alternative analytical interpretations to minimize and reduce false positives.
6.5 Decode and understand PowerShell/CMD activity
6.6 Recognize patterns such as an enterprise-wide file infection process and attempting to determine the root cause or source of the infection
6.7 Differentiate testing, DevOps or general user activity from adversary behavior
6.8 Identify the vulnerability exploited from an initial attack vector
7.2 Perform outlier analysis with the Falcon tool
7.3 Conduct hypothesis and hunting lead generation to prove them out using Falcon tools
7.4 Construct simple and complex EAM queries in Falcon
7.5 Investigate a process tree
8.2 Explain what information is in the Hunting & Investigation Guide
A.ContextProcessld_readable
B.TargetProcessld_decimal
C.ContextProcessld_decimal
D.ParentProcessId_decimal
Answer: A
2. You are reviewing a list of domains recently banned by your organization's acceptable use policy. In particular, you are looking for the number of hosts that have visited each domain. Which tool should you use in Falcon?
A.Create a custom alert for each domain
B.Allowed Domain Summary Report
C.Bulk Domain Search
D.IP Addresses Search
Answer: C
3. What information is shown in Host Search?
A.Quarantined Files
B.Prevention Policies
C.Intel Reports
D.Processes and Services
Answer: D
4. When performing a raw event search via the Events search page, what are Event Actions?
A.Event Actions contains an audit information log of actions an analyst took in regards to a specific detection
B.Event Actions contains the summary of actions taken by the Falcon sensor such as quarantining a file, prevent a process from executing or taking no actions and creating a detection only
C.Event Actions are pivotable workflows including connecting to a host, pre-made event searches and pivots to other investigatory pages such as host search
D.Event Actions is the field name that contains the event name defined in the Events Data Dictionary such as ProcessRollup, SyntheticProcessRollup, DNS request, etc
Answer: C
5. What information is provided when using IP Search to look up an IP address?
A.Both internal and external IPs
B.Suspicious IP addresses
C.External IPs only
D.Internal IPs only
Answer: C
6. What kind of activity does a User Search help you investigate?
A.A history of Falcon Ul logon activity
B.A list of process activity executed by the specified user account
C.A count of failed user logon activity
D.A list of DNS queries by the specified user account
Answer: B
CrowdStrike Certified Falcon Hunter (CCFH)
The CCFH exam is the final step toward the completion of CCFH certification, which is one of the three certifications offered by CrowdStrike University. The other two certifications are CrowdStrike Certified Falcon Administrator (CCFA) and CrowdStrike Certified Falcon Responder (CCFR). To prepare for the CCFH exam, you need to have hands-on experience with the Falcon platform and be familiar with the Splunk Search Processing Language (SPL).This exam evaluates a candidate's knowledge, skills and abilities to effectively respond to a detection within the CrowdStrike Falcon console and Investigate app, use queries and automated reports to assist in machine auditing and proactive investigation, and perform search queries using the Splunk syntax.The CCFH exam is a 90-minute, 60-question assessment. This exam passed several rounds of editing by both technical and non-technical experts and has been tested by a wide variety of candidates.
CCFH Exam Objectives
1 ATTACK FRAMEWORKS
1.1 Demonstrate knowledge of the cyber kill chain (7) stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, covering tracks) and recognize intelligence gaps1.2 Utilize the MITRE ATT&CK Framework to model threat actor behaviors
1.3 Operationalize the MITRE ATT&CK Framework to look for research threat models, TTPs and threat actors, and pivot as necessary and convey to non-technical audiences
2 DETECTION ANALYSIS
2.1 Explain when to use Event Search2.2 Explain what a Process Timeline will provide
2.3 Demonstrate how to get a Process Timeline
2.4 Explain what a Host Timeline will provide
3 SEARCH TOOLS
3.1 Explain how to extract, analyze and use metadata around files and processes related to the Falcon platform3.2 Explain what information a bulk (Destination) IP search provides
3.3 Pivot on results (PID vs. Process ID, etc.)
3.4 Explain what information a User Search provides
3.5 Explain what information a Host Search provides
3.6 Explain what information a Source IP Search provides
3.7 Explain what information a Hash Search provides
3.8 Explain what information a Hash Execution Search provides
3.9 Explain what information a Bulk Domain Search provides
3.10 Write an effective custom alert rule
3.11 Explain what event actions do
4 EVENT SEARCH
4.1 Describe general use cases for event searching4.2 Perform a basic keyword search
4.3 Use Splunk syntax to refine your search (using fields such as ComputerName, event_simpleName, etc.)
4.4 Use interesting fields to refine your search
4.5 From the Statistics tab, use the left click filters to refine your search
4.6 Describe the process relationship of (Target/Parent/Context)
4.7 Explain how the rename command is used in a query related to associated event data, such as parent/target/context relationships
4.8 Explain what the “table” command does and demonstrate how it can be used for formatting output
4.9 Explain what the “stats count by” command does and demonstrate how it can be used for statistical analysis
4.10 Explain what the “join” command does and how it can be used to join disparate queries
4.11 Explain key event data types
4.12 Export search results
4.13 Convert and format Unix times to UTC-readable time
5 REPORTS
5.1 Explain what information a Linux Sensor Report will provide5.2 Explain what information a Mac Sensor Report will provide
5.3 Locate built-in Hunting reports and explain what they provide
5.4 Explain what information the PowerShell Hunt report provides and demonstrate how to filter it
5. 5 Demonstrate the ability to find built-in visibility reports and explain what they provide
6 HUNTING ANALYTICS
6.1 Analyze and recognize suspicious overt malicious behaviors6.2 Demonstrate knowledge of target systems (asset inventory and who would target those assets)
6.3 Evaluate information for reliability, validity and relevance for use in the process of elimination
6.4 Identify alternative analytical interpretations to minimize and reduce false positives.
6.5 Decode and understand PowerShell/CMD activity
6.6 Recognize patterns such as an enterprise-wide file infection process and attempting to determine the root cause or source of the infection
6.7 Differentiate testing, DevOps or general user activity from adversary behavior
6.8 Identify the vulnerability exploited from an initial attack vector
7 HUNTING METHODOLOGY
7.1 Conduct routine active hunt operations within your environment to determine if your environment has been breached7.2 Perform outlier analysis with the Falcon tool
7.3 Conduct hypothesis and hunting lead generation to prove them out using Falcon tools
7.4 Construct simple and complex EAM queries in Falcon
7.5 Investigate a process tree
8 DOCUMENTATION
8.1 Explain what information is in the Events Data Dictionary (Event Index)8.2 Explain what information is in the Hunting & Investigation Guide
Share CrowdStrike Certified Falcon Hunter CCFH-202 Free Dumps
1. Which field in a DNS Request event points to the responsible process?A.ContextProcessld_readable
B.TargetProcessld_decimal
C.ContextProcessld_decimal
D.ParentProcessId_decimal
Answer: A
2. You are reviewing a list of domains recently banned by your organization's acceptable use policy. In particular, you are looking for the number of hosts that have visited each domain. Which tool should you use in Falcon?
A.Create a custom alert for each domain
B.Allowed Domain Summary Report
C.Bulk Domain Search
D.IP Addresses Search
Answer: C
3. What information is shown in Host Search?
A.Quarantined Files
B.Prevention Policies
C.Intel Reports
D.Processes and Services
Answer: D
4. When performing a raw event search via the Events search page, what are Event Actions?
A.Event Actions contains an audit information log of actions an analyst took in regards to a specific detection
B.Event Actions contains the summary of actions taken by the Falcon sensor such as quarantining a file, prevent a process from executing or taking no actions and creating a detection only
C.Event Actions are pivotable workflows including connecting to a host, pre-made event searches and pivots to other investigatory pages such as host search
D.Event Actions is the field name that contains the event name defined in the Events Data Dictionary such as ProcessRollup, SyntheticProcessRollup, DNS request, etc
Answer: C
5. What information is provided when using IP Search to look up an IP address?
A.Both internal and external IPs
B.Suspicious IP addresses
C.External IPs only
D.Internal IPs only
Answer: C
6. What kind of activity does a User Search help you investigate?
A.A history of Falcon Ul logon activity
B.A list of process activity executed by the specified user account
C.A count of failed user logon activity
D.A list of DNS queries by the specified user account
Answer: B