
CrowdStrike Exam CCFH-202 Topic 2 Question 9 Discussion

Actual exam question for CrowdStrike's CCFH-202 exam
Question #: 9
Topic #: 2

Which of the following is an example of a Falcon threat hunting lead?

Suggested Answer: A

A threat hunting lead is the starting point of a hunt: an observation that justifies pivoting into the data to confirm or rule out malicious activity. Of the options, only A is generated from Falcon's own telemetry: a routine hunt query that surfaces process executions of single-letter filenames (e.g., a.exe) from temporary directories, a pattern common with droppers and staged tooling and rare for legitimately installed software. Security appliance logs showing traffic to an unknown external IP, a help desk ticket about a user clicking a link, and an external ransomware report (B, C and D) can each prompt a hunt, but they originate outside Falcon, so the lead itself is not produced from Falcon data.
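As an added example (not part of the original page or of CrowdStrike's own tooling), the hunt behind option A expressed as detection logic run over a handful of constructed process-execution events. The field names (aid, ComputerName, FileName, FilePath, CommandLine) are an assumption loosely modelled on endpoint telemetry, not the real Falcon event schema, and the events themselves are made up. It goes slightly beyond the option text by also matching extension-less single-character binaries dropped in POSIX temp directories (/tmp, /var/tmp, /dev/shm), since the same tradecraft shows up on Linux hosts.

```python
import re
from collections import defaultdict

# Constructed sample events. Field names are an assumption, not the real
# Falcon event schema; values are invented for the example.
SAMPLE_EVENTS = [
    {"aid": "a1b2c3", "ComputerName": "WS-0419", "FileName": "a.exe",
     "FilePath": r"C:\Users\jdoe\AppData\Local\Temp\a.exe", "CommandLine": "a.exe -k"},
    {"aid": "a1b2c3", "ComputerName": "WS-0419", "FileName": "svchost.exe",
     "FilePath": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"aid": "d4e5f6", "ComputerName": "WS-0007", "FileName": "x.exe",
     "FilePath": r"C:\Windows\Temp\x.exe", "CommandLine": "x.exe"},
    {"aid": "d4e5f6", "ComputerName": "WS-0007", "FileName": "q.exe",
     "FilePath": r"C:\Program Files\Vendor\q.exe", "CommandLine": "q.exe /quiet"},
    {"aid": "d4e5f6", "ComputerName": "WS-0007", "FileName": "ab.exe",
     "FilePath": r"C:\Users\jdoe\AppData\Local\Temp\ab.exe", "CommandLine": "ab.exe"},
    {"aid": "778899", "ComputerName": "SRV-DB01", "FileName": "b",
     "FilePath": "/tmp/b", "CommandLine": "./b --reverse 203.0.113.5:443"},
]

# A single-character base name with an optional short extension: a.exe, X.dll,
# or an extension-less "b" dropped on a Linux host.
SINGLE_LETTER_NAME = re.compile(r"^[a-z0-9](\.[a-z0-9]{1,4})?$", re.IGNORECASE)

# Temp-style directories on either platform, matched on a forward-slash path.
# Requires a trailing "/" so "Templates" or "tmpfiles" do not match.
TEMP_DIR = re.compile(r"(^|/)(tmp|temp|dev/shm)/", re.IGNORECASE)


def normalise(path: str) -> str:
    """Turn Windows or POSIX paths into one shape so a single regex covers both."""
    return path.replace("\\", "/")


def is_lead(event: dict) -> bool:
    """True when the event matches the hunt: single-letter file run from a temp directory."""
    name_ok = SINGLE_LETTER_NAME.match(event["FileName"]) is not None
    dir_ok = TEMP_DIR.search(normalise(event["FilePath"])) is not None
    return name_ok and dir_ok


def hunt(events) -> dict:
    """Group matching executions per host (aid) so each host becomes one lead to pivot on."""
    leads = defaultdict(list)
    for ev in events:
        if is_lead(ev):
            leads[ev["aid"]].append({
                "host": ev["ComputerName"],
                "path": ev["FilePath"],
                "cmdline": ev["CommandLine"],
            })
    return dict(leads)


if __name__ == "__main__":
    for aid, hits in hunt(SAMPLE_EVENTS).items():
        print(f"aid={aid} host={hits[0]['host']} hits={len(hits)}")
        for h in hits:
            print(f"    {h['path']}  ::  {h['cmdline']}")
```

A hit here is a lead, not a verdict: q.exe under Program Files and ab.exe in Temp are deliberately excluded to keep the query narrow, and each host that does match is something to pivot into (parent process, command line, network connections) before deciding whether it is malicious.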


Contribute your Thoughts:

Annmarie
1 month ago
D, no doubt. Anything with the word 'ransomware' is a surefire winner. Although, I do wonder if the answer is hidden in the file extension, like 'R4ns0mw4r3.exe'.
upvoted 0 times
Jean
1 month ago
A single letter filename from a temp directory? That's like trying to find a needle in a haystack made of needles. I'm going with C - that help desk ticket sounds like a real juicy lead.
upvoted 0 times
Lisbeth
2 days ago
I'm leaning towards the security appliance logs showing potentially bad traffic to an unknown external IP address.
upvoted 0 times
Lachelle
12 days ago
I think the routine threat hunt query could also be a valuable lead to investigate.
upvoted 0 times
Kelvin
18 days ago
I agree, that help desk ticket seems like a clear indicator of a potential threat.
upvoted 0 times
Jules
1 month ago
Hmm, A seems a bit too generic. Maybe the security appliance logs in B could be useful, but I think I'll go with C. Who doesn't love a good 'user clicked on a link' story?
upvoted 0 times
Hyman
1 month ago
B sounds promising, but I'm going to go with D. That unique file extension is a dead giveaway for ransomware, and it's an external report, so it's gotta be legit, right?
upvoted 0 times
Yesenia
17 days ago
I agree with you, D seems like the most reliable lead. We should definitely investigate further based on that external report.
upvoted 0 times
Lashawna
29 days ago
I see your point, but I still think D is the best option. That unique file extension for ransomware is a clear indicator of a threat.
upvoted 0 times
Edison
1 month ago
I think B is a good choice too, but I'm leaning towards A. Process executions of single letter filenames from temporary directories sounds suspicious.
upvoted 0 times
Wenona
2 months ago
I'm not sure, but I think B) Security appliance logs showing potentially bad traffic to an unknown external IP address could also be a valid option.
upvoted 0 times
Deane
2 months ago
A routine threat hunt query? Really? That's like looking for a needle in a haystack. I'll go with C - that user clicking on a sketchy link is a much better lead to investigate.
upvoted 0 times
Elenore
1 month ago
Yeah, it's definitely a more actionable lead compared to a routine threat hunt query.
upvoted 0 times
Lauryn
1 month ago
I agree, investigating the user clicking on a sketchy link is a more direct lead.
upvoted 0 times
Desirae
2 months ago
I agree with Hildred, that seems like a clear example of a Falcon threat hunting lead.
upvoted 0 times
Hildred
2 months ago
I think the answer is A) A routine threat hunt query showing process executions of single letter filename (e.g., a.exe) from temporary directories.
upvoted 0 times
