CrowdStrike CCFH-202 Exam Actual Questions

User Search is an Investigate tool that helps you investigate a list of process activity executed by the specified user account. It shows information such as process name, command line, parent process name, parent command line, etc. for each process that was executed by the user account on any host in your environment. It does not show a history of Falcon UI logon activity, a count of failed user logon activity, or a list of DNS queries by the specified user account.

To view Files Written to Removable Media within a specified timeframe on a host within the Host Search page, you need to expand and refer to the Suspicious File Activity dashboard panel. The Suspicious File Activity dashboard panel shows information such as files written to removable media, files written to system directories by non-system processes, files written to startup folders, etc. The other dashboard panels do not show files written to removable media.

When performing a raw event search via the Events search page, Event Actions are pivotable workflows that allow you to perform various tasks related to the event or the host. For example, you can connect to a host using Real Time Response, run pre-made event searches based on the event type or name, or pivot to other investigatory pages such as host search, hash search, etc. Event Actions do not contain audit information log, summary of actions taken by the Falcon sensor, or the event name defined in the Events Data Dictionary.

Processes and Services is one of the information that is shown in Host Search. Host Search is an Investigate tool that allows you to view events by category, such as process executions, network connections, file writes, etc. Processes and Services is one of the categories that shows information such as process name, command line, parent process name, parent command line, etc. for each process execution event on a host. Quarantined Files, Prevention Policies, and Intel Reports are not shown in Host Search.

Bulk Domain Search is the tool that you should use in Falcon to review a list of domains recently banned by your organization's acceptable use policy and look for the number of hosts that have visited each domain. Bulk Domain Search is an Investigate tool that allows you to search for multiple domains at once and view their network connection events across all hosts in your environment. It shows information such as domain name, number of hosts visited, number of detections generated, etc. for each domain. Create a custom alert for each domain, Allowed Domain Summary Report, and IP Addresses Search are not tools that you should use for this purpose.