CrowdStrike CCFH-202b Practice Test Questions Answers

The Falcon platform provides a variety of visual Reports and References designed to help security teams identify geographic anomalies that may indicate unauthorized access or compromised credentials. The Global connection heat map is a specialized dashboard that aggregates network telemetry and visualizes it based on the geographic origin of the connections associated with Falcon-managed hosts.

This report is a vital component of a hunter's toolkit for "Geofencing" or identifying "Impossible Travel" scenarios. By providing a high-level visual representation of where in the world host connections are originating, it allows analysts to quickly spot outliers—such as a connection from a country where the organization has no employees, offices, or known business interests. While the "Geo location activity" (Option A) might sound similar, the "Global connection heat map" is the specific built-in name for the dashboard that provides the density-based visualization required to distinguish between a single anomalous connection and a widespread, automated attack originating from a specific region. Once an anomaly is identified on the heat map, a hunter can pivot directly into the associated events to see which aid (Agent ID) is involved and what specific processes or users are initiating those suspicious international connections.

In the CrowdStrike Falcon ecosystem, the Events Full Reference , commonly referred to as the Events Data Dictionary , is the foundational documentation for any analyst performing raw telemetry analysis. This document serves as the definitive encyclopedia for every event type (such as ProcessRollup2, NetworkConnectIP4, or DnsRequest) and every individual field (such as aid, TargetProcessId, or CommandLine) captured by the Falcon sensor.

When a hunter is crafting complex queries in Event Search , the Data Dictionary provides the necessary context to understand exactly what a specific field represents and the data types it contains. For example, if an analyst is unsure whether a timestamp is in milliseconds or seconds, or needs to know the difference between a ParentProcessId and a ContextProcessId, the Events Full Reference is the primary source of truth. Utilizing this document is a core part of the Hunting Methodology , as it allows the hunter to move beyond the high-level GUI and build precise, technical queries based on a deep understanding of the underlying data structure. Without referencing this data dictionary, an analyst might misinterpret field values, leading to "false negatives" in their search results. It is the essential roadmap for navigating the massive amounts of telemetry stored within the Falcon platform.

In proactive threat hunting, Least-Frequency Analysis (LFA) is a powerful technique used to identify anomalies by looking for rare events that deviate from the organizational baseline. Windows services typically execute from standardized, protected directories such as C:\Windows\System32\. When a service is observed starting from a non-standard location—such as a user's Temp folder or a suspicious application directory—it often indicates persistence or a "Living off the Land" attack.

The correct query utilizes the != (not equal) operator within the CrowdStrike Query Language (CQL) to filter out legitimate, common paths. By excluding the System32 and servicing directories, the hunter narrows the dataset to focus exclusively on services running from irregular paths. The groupBy function is then used to aggregate these occurrences by ServiceDisplayName, collecting the specific ImageFileName and counting the frequency of each. Finally, sorting by count in ascending order (order=asc) ensures that the "least-used" or rarest services appear at the top of the results. This methodology allows a hunter to bypass the "noise" of thousands of standard system services and pinpoint unique, potentially malicious binaries that have registered themselves as services to maintain a long-term foothold on the endpoint.

==========

To perform a complete and effective investigation into a specific process's behavior within the Falcon platform, an analyst must understand how the system correlates disparate telemetry events. The two primary keys for this correlation are TargetProcessId and ContextProcessId . These IDs act as the "Common Threads" that allow Search and Investigation Tools to reconstruct the full lifecycle of an execution.

When a process is first created, it generates a ProcessRollup2 event (or a SyntheticProcessRollup2 if it was already running). In this specific event, the process's unique identifier is recorded in the TargetProcessId field. However, all subsequent actions performed by that process—such as network connections (NetworkConnectIP4), file modifications (fswrite), or DNS lookups—do not use the TargetProcessId. Instead, they include a field called ContextProcessId , which "points" back to the original process ID. By selecting and filtering for both of these fields in a query, a hunter can successfully "join" the metadata of the process (its name, command line, and user) with the actual activities it performed. Selecting only one of these would result in an incomplete picture: you would see the process start but not what it did, or see various actions without knowing exactly which process was responsible for them. Mastering the relationship between Target and Context IDs is fundamental for pivoting through the process timeline.

Identifying an enterprise-wide file infection requires a hunter to look past simple file names, which adversaries often randomize or mask to evade basic detection. The most effective Hunting Methodology for this scenario is to focus on the file's unique cryptographic hash (MD5, SHA256). Even if an attacker renames a malicious binary (e.g., from malware.exe to svchost.exe) to blend into different environments, the hash remains identical.

By utilizing CrowdStrike Query Language (CQL) in the Event Search or LogScale environments, a hunter can search for a known malicious hash across all ProcessRollup2 and ImageHash events. This allows the analyst to see every instance where that specific file has appeared, regardless of the local file name or path. This technique is particularly powerful for identifying "Polymorphic" behavior where the filename changes but the core payload stays the same. While monitoring alerts (Option A) is reactive and host dashboards (Option B) are localized, hash-based hunting provides a global, enterprise-wide perspective. This ensures that the hunter can identify every single "infected" host, including those where the malware may be dormant or where a local detection has not yet been triggered, enabling a comprehensive and simultaneous remediation effort across the entire organization.