
CrowdStrike CCFH-202 Exam Topics

CrowdStrike CCFH-202 Exam Overview:

Exam Name: CrowdStrike Certified Falcon Hunter
Exam Code: CCFH-202
Certifications: CrowdStrike CCFH Certification
See Expected Questions: CrowdStrike CCFH-202 Expected Questions in Actual Exam

CrowdStrike CCFH-202 Exam Objectives:

1.0 ATTACK FRAMEWORKS
1.1 Demonstrate knowledge of the seven stages of the cyber kill chain (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, covering tracks) and recognize intelligence gaps
Note: the seven stages listed in the syllabus are the classic hacking-phase model; the Lockheed Martin Cyber Kill Chain names its seven stages reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Be prepared to map activity to either framing.
1.2 Utilize the MITRE ATT&CK Framework to model threat actor behaviors
1.3 Operationalize the MITRE ATT&CK Framework to research threat models, TTPs and threat actors, pivot as necessary, and convey findings to non-technical audiences

2.0 DETECTION ANALYSIS
2.1 Explain when to use Event Search
2.2 Explain what a Process Timeline will provide
2.3 Demonstrate how to get a Process Timeline
2.4 Explain what a Host Timeline will provide

3.0 SEARCH TOOLS
3.1 Explain how to extract, analyze and use metadata around files and processes related to the Falcon platform
3.2 Explain what information a Bulk (Destination) IP Search provides
3.3 Pivot on results (PID vs. Process ID, etc.)
3.4 Explain what information a User Search provides
3.5 Explain what information a Host Search provides
3.6 Explain what information a Source IP Search provides
3.7 Explain what information a Hash Search provides
3.8 Explain what information a Hash Execution Search provides
3.9 Explain what information a Bulk Domain Search provides
3.10 Write an effective custom alert rule
3.11 Explain what event actions do

4.0 EVENT SEARCH
4.1 Describe general use cases for event searching
4.2 Perform a basic keyword search
4.3 Use Splunk syntax to refine your search (using fields such as ComputerName, event_simpleName, etc.)
4.4 Use interesting fields to refine your search
4.5 From the Statistics tab, use the left-click filters to refine your search
4.6 Describe the process relationship of Target/Parent/Context
4.7 Explain how the rename command is used in a query to associate event data, such as parent/target/context relationships
4.8 Explain what the "table" command does and demonstrate how it can be used for formatting output
4.9 Explain what the "stats count by" command does and demonstrate how it can be used for statistical analysis
4.10 Explain what the "join" command does and how it can be used to join disparate queries
4.11 Explain key event data types
4.12 Export search results
4.13 Convert and format Unix times to UTC-readable time

5.0 REPORTS
5.1 Explain what information a Linux Sensor Report will provide
5.2 Explain what information a Mac Sensor Report will provide
5.3 Locate built-in Hunting reports and explain what they provide
5.4 Explain what information the PowerShell Hunt report provides and demonstrate how to filter it
5.5 Demonstrate the ability to find built-in visibility reports and explain what they provide

6.0 HUNTING ANALYTICS
6.1 Analyze and recognize suspicious or overtly malicious behaviors
6.2 Demonstrate knowledge of target systems (asset inventory and who would target those assets)
6.3 Evaluate information for reliability, validity and relevance for use in the process of elimination
6.4 Identify alternative analytical interpretations to minimize and reduce false positives
6.5 Decode and understand PowerShell/CMD activity
6.6 Recognize patterns such as an enterprise-wide file infection process and attempt to determine the root cause or source of the infection
6.7 Differentiate testing, DevOps or general user activity from adversary behavior
6.8 Identify the vulnerability exploited from an initial attack vector

7.0 HUNTING METHODOLOGY
7.1 Conduct routine active hunt operations within your environment to determine if your environment has been breached
7.2 Perform outlier analysis with the Falcon tool
7.3 Generate hypotheses and hunting leads and prove them out using Falcon tools
7.4 Construct simple and complex EAM queries in Falcon
7.5 Investigate a process tree

8.0 DOCUMENTATION
8.1 Explain what information is in the Events Data Dictionary (Event Index)
8.2 Explain what information is in the Hunting & Investigation Guide
Official Information https://www.crowdstrike.com/wp-content/uploads/2022/09/csu-cfcp-certification-guide.pdf
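Objectives 4.6 through 4.13 (Target/Parent/Context relationships, rename, join, table, Unix-time conversion) and 6.5 (PowerShell activity) are exercised together in the following Falcon Event Search query. This is an added example written for this page, not a query from CrowdStrike or the official guide. It assumes the Windows event names ProcessRollup2 and DnsRequest and the field names shown (TargetProcessId_decimal, ContextProcessId_decimal, ProcessStartTime_decimal, ParentBaseFileName, DomainName, aid) as documented in the Events Data Dictionary for your sensor version; verify them there before relying on the output.

```spl
event_platform=win event_simpleName=ProcessRollup2 FileName=powershell.exe
| rename TargetProcessId_decimal AS ContextProcessId_decimal
| join max=0 aid, ContextProcessId_decimal
    [ search event_platform=win event_simpleName=DnsRequest
      | fields aid, ContextProcessId_decimal, DomainName ]
| rex field=CommandLine "(?i)-e[a-z]*\s+(?<EncodedCommand>[A-Za-z0-9+/=]{16,})"
| eval ProcessStart_UTC=strftime(ProcessStartTime_decimal, "%Y-%m-%d %H:%M:%S")
| table ProcessStart_UTC, ComputerName, aid, ParentBaseFileName, FileName, CommandLine, EncodedCommand, DomainName
| sort 0 ProcessStart_UTC
```

How the stages map to the objectives: the ProcessRollup2 event identifies the new process by TargetProcessId_decimal, while events that process later generates (here DnsRequest) refer to it as ContextProcessId_decimal, so the rename gives both sides a common key. The join is on aid as well as the process ID because process IDs are only unique per host; max=0 keeps every DNS request rather than the first match, and the fields command inside the subsearch stops the subsearch's own ComputerName and timestamps from overwriting the outer event's. The rex only extracts a base64 -EncodedCommand argument (PowerShell accepts any unambiguous prefix of that switch, hence -e[a-z]*); the payload is base64 of UTF-16LE text and must be decoded outside Event Search. strftime renders the epoch value in the searching user's time-zone preference, which in Falcon defaults to UTC; append %z to the format string if you need the offset shown explicitly. Splunk join subsearches are capped by result count and run time, so narrow the time range or add filters before joining across a large fleet.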
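For objectives 4.9 and 7.2 (stats count by, outlier analysis), the following query stacks process executions across the whole fleet and surfaces binaries seen on very few hosts, a standard prevalence-based hunting lead. It is an added example for this page, not from CrowdStrike's documentation, and assumes the ProcessRollup2 fields SHA256HashData, FileName, aid, ComputerName and ProcessStartTime_decimal; the thresholds in the where clause are illustrative and should be tuned to the size of your environment.

```spl
event_platform=win event_simpleName=ProcessRollup2
| where isnotnull(SHA256HashData)
| stats count AS executions, dc(aid) AS hosts, values(ComputerName) AS hostnames,
        earliest(ProcessStartTime_decimal) AS first_seen
  BY SHA256HashData, FileName
| where hosts <= 2 AND executions <= 5
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| sort 0 hosts, executions
```

Grouping by hash rather than file name matters because a renamed binary keeps its hash; dc(aid) counts distinct sensors, so a low value means "rare in this environment" regardless of how many times it ran on one machine. Rarity is a lead, not a verdict: one-off installers, developer builds and DevOps tooling (objective 6.7) will dominate the list until you exclude known-good hashes, so pivot each survivor into a Hash Search and Process Timeline before escalating.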

Updates in the CrowdStrike CCFH-202 Exam Topics:

CrowdStrike CCFH-202 exam questions and practice tests are the best ways to get fully prepared. Study4exam's trusted preparation material consists of both practice questions and a practice test. To pass the actual CrowdStrike Certified Falcon Hunter CCFH-202 exam on the first attempt, you need to put in hard work on these questions, as they cover all updated CrowdStrike CCFH-202 exam topics included in the official syllabus. Besides studying actual questions, you should take the CrowdStrike CCFH-202 practice test for self-assessment and actual exam simulation. Revise actual exam questions and remove your mistakes with the CrowdStrike Certified Falcon Hunter CCFH-202 exam practice test. Online and Windows-based formats of the CCFH-202 exam practice test are available for self-assessment.