Which of the following would be the correct field name to find the name of an event?
A
Explanation:
Event_SimpleName is the correct field name to find the name of an event in Falcon Event Search. It is
a field that shows the simplified name of each event type, such as ProcessRollup2, DnsRequest, or
FileDelete. Event_Simple_Name, EVENT_SIMPLE_NAME, and event_simpleName are not valid field
names for finding the name of an event.
Reference: https://www.crowdstrike.com/blog/tech-center/event-search-in-crowdstrike-falcon/
Event Search data is recorded with which time zone?
D
Explanation:
Event Search data is recorded in the UTC (Coordinated Universal Time) time zone. UTC is a standard
time zone that is used as a reference point for other time zones. PST (Pacific Standard Time), GMT
(Greenwich Mean Time), and EST (Eastern Standard Time) are not the time zones that Event Search
data is recorded with.
Reference: https://www.crowdstrike.com/blog/tech-center/understanding-timestamps-in-crowdstrike-falcon/
Which of the following Event Search queries would only find the DNS lookups to the domain
www.randomdomain.com?
A
Explanation:
This Event Search query would only find the DNS lookups to the domain www.randomdomain.com,
as it specifies the exact event type and domain name to match. The other queries would either find
other events or domains that are not relevant to the question.
Reference: https://www.crowdstrike.com/blog/tech-center/event-search-in-crowdstrike-falcon/
How do you rename fields while using transforming commands such as table, chart, and stats?
A
Explanation:
The rename command is used to rename fields while using transforming commands such as table,
chart, and stats. It is placed after the transforming command and specifies the old and new field
names with the AS keyword. Renaming does not affect subsearches or statistical analysis, as long as
the correct field names are used in the queries. The renamed keyword and simply writing the desired
name after the field name are not valid ways to rename fields.
Reference: https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/Rename
SPL (Splunk) eval statements can be used to convert Unix times (Epoch) into UTC readable time.
Which eval function is correct?
C
Explanation:
The strftime eval function is used to convert Unix times (Epoch) into UTC readable time. It takes two
arguments: a Unix time field and a format string that specifies how to display the time. The now,
typeof, and relative_time eval functions are not used to convert Unix times into UTC readable time.
Reference:
https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/CommonEvalFunctions
Which of the following queries will return the parent processes responsible for launching
badprogram.exe?
D
Explanation:
This query will return the parent processes responsible for launching badprogram.exe by using a
subsearch to find the ProcessRollup2 events where FileName is badprogram.exe, then renaming the
TargetProcessId_decimal field to ParentProcessId_decimal and using it as a filter for the main search,
then using stats to count the occurrences of each FileName by _time. The other queries will either
not return the parent processes or use incorrect field names or syntax.
Reference: https://www.crowdstrike.com/blog/tech-center/process-rollup-in-crowdstrike-falcon/
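The subsearch pattern described above, written out as an added example (it is not one of the exam's answer options): the subsearch collects the ParentProcessId_decimal of every badprogram.exe execution and renames it to TargetProcessId_decimal so that the outer search matches the parent's own ProcessRollup2 record, and stats then summarizes those parents. The fields aid and CommandLine are assumed to be standard Falcon ProcessRollup2 fields; they do not appear on this page.

```spl
event_simpleName=ProcessRollup2
    [search event_simpleName=ProcessRollup2 FileName=badprogram.exe
     | rename ParentProcessId_decimal AS TargetProcessId_decimal
     | fields aid TargetProcessId_decimal]
| eval launched=strftime(_time, "%Y-%m-%d %H:%M:%S UTC")
| stats count BY launched ComputerName FileName CommandLine
```

Returning aid together with the process id keeps the outer search from matching the same decimal process id on a different host, since Falcon process ids are only unique per sensor.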
You want to produce a list of all event occurrences along with selected fields such as the full path,
time, username etc. Which command would be the appropriate choice?
C
Explanation:
The table command is used to produce a list of all event occurrences along with selected fields such
as the full path, time, username etc. It takes one or more field names as arguments and displays
them in a tabular format. The fields command is used to keep or remove fields from search results,
not to display them in a list. The distinct_count command is used to count the number of distinct
values of a field, not to display them in a list. The values command is used to display a list of unique
values of a field within each group, not to display all event occurrences.
Reference: https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/Table
When exporting the results of the following event search, what data is saved in the exported file
(assuming Verbose Mode)? event_simpleName=*Written | stats count by ComputerName
B
Explanation:
When exporting the results of an event search, the data that is saved in the exported file depends on
the mode and the tab that is selected. In this case, the mode is Verbose and the tab is Statistics, as
indicated by the stats command. Therefore, the data that is saved in the exported file is the results of
the Statistics tab, which shows the count of events by ComputerName. The text of the query, all
events in the Events tab, and no data are not correct answers.
Reference: https://docs.splunk.com/Documentation/Splunk/8.2.3/Search/Exportsearchresults
The help desk is reporting an increase in calls related to user accounts being locked out over the last
few days. You suspect that this could be an attack by an adversary against your organization. Select
the best hunting hypothesis from the following:
D
Explanation:
A hunting hypothesis is a statement that describes a possible malicious activity that can be tested
with data and analysis. A good hunting hypothesis should be specific, testable, and relevant to the
problem or goal. In this case, the best hunting hypothesis from the following is that a password
guessing attack is being executed against remote access mechanisms such as VPN, as it explains the
possible cause and method of the user account lockouts in a specific and testable way. A zero-day
vulnerability on a Microsoft Exchange server is too vague and does not explain how it relates to the
lockouts. A hacked web application is also too vague and does not specify how it causes the lockouts.
Users locking their accounts out because they recently changed their passwords is not a malicious
activity and does not account for the increase in calls.
Reference: https://www.crowdstrike.com/blog/tech-center/threat-hunting-framework/
To find events that are outliers inside a network, ___________ is the best hunting method to use.
D
Explanation:
Stacking (Frequency Analysis) is the best hunting method to use to find events that are outliers inside
a network. Stacking involves grouping events by a common attribute and counting their frequency,
then sorting them by ascending or descending order to identify rare or common events. This can
help find anomalies or deviations from normal behavior that could indicate malicious activity.
Time-based searching, machine learning, and searching are not specific hunting methods to find outliers.
Reference: https://www.crowdstrike.com/blog/tech-center/stacking-in-crowdstrike-falcon/
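A stacking (frequency analysis) search that also exercises the stats, rename AS, strftime and table behaviour covered in the earlier questions, added here as an example and not taken from the exam or from CrowdStrike's documentation: executions are grouped by file name and hash, sorted so the rarest binaries across the fleet come first, and the epoch timestamps are rendered as UTC. SHA256HashData is assumed to be the standard ProcessRollup2 hash field; it does not appear on this page.

```spl
event_simpleName=ProcessRollup2
| stats count AS executions
        dc(ComputerName) AS hosts
        min(_time) AS first_seen
        max(_time) AS last_seen
        BY FileName SHA256HashData
| eval first_seen=strftime(first_seen, "%Y-%m-%dT%H:%M:%SZ"),
       last_seen=strftime(last_seen, "%Y-%m-%dT%H:%M:%SZ")
| rename FileName AS Executable, SHA256HashData AS SHA256
| sort executions
| table Executable SHA256 hosts executions first_seen last_seen
```

Because the fields are renamed after stats, the sort and table clauses must use the new names; a binary seen on one host a handful of times rises to the top of the list, which is the outlier the stacking method is meant to surface.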