With Custom Alerts you are able to configure email alerts using predefined templates so you're notified about specific activity in your environment. Which of the following outlines the steps required to properly create a custom alert rule?
Answer : B
These are the steps required to properly create a custom alert rule. Custom Alerts are a feature that allows you to configure email alerts using predefined templates so you're notified about specific activity in your environment. You can choose from various templates that cover different use cases, such as suspicious PowerShell activity, network connections to risky countries, etc. You can also preview the search results of the template before scheduling the alert. You do not need to create the query for the alert, setup the email template for the alert, or create a new custom template, as these are already provided by the predefined templates.
Question 2
When performing a raw event search via the Events search page, what are Event Actions?
Answer : C
When performing a raw event search via the Events search page, Event Actions are pivotable workflows that allow you to perform various tasks related to the event or the host. For example, you can connect to a host using Real Time Response, run pre-made event searches based on the event type or name, or pivot to other investigatory pages such as host search, hash search, etc. Event Actions do not contain audit information log, summary of actions taken by the Falcon sensor, or the event name defined in the Events Data Dictionary.
Question 3
Which of the following is a suspicious process behavior?
Answer : D
Non-network processes are processes that are not expected to communicate over the network, such as notepad.exe. If they make an outbound network connection, it could indicate that they are compromised or maliciously used by an adversary. PowerShell running an execution policy of RemoteSigned is a default setting that allows local scripts to run without digital signatures. An Internet browser performing multiple DNS requests is a normal behavior for web browsing. PowerShell launching a PowerShell script is also a common behavior for legitimate tasks.
Question 4
You need details about key data fields and sensor events which you may expect to find from Hosts running the Falcon sensor. Which documentation should you access?
Answer : A
The Events Data Dictionary found in the Falcon documentation is useful for writing hunting queries because it provides a reference of information about the events found in the Investigate > Event Search page of the Falcon Console. The Events Data Dictionary describes each event type, field name, data type, description, and example value that can be used to query and analyze event data. The Streaming API Event Dictionary, Hunting and Investigation, and Event stream APIs are not documentation that provide details about key data fields and sensor events.
Question 5
What information is shown in Host Search?
Answer : D
Processes and Services is one of the information that is shown in Host Search. Host Search is an Investigate tool that allows you to view events by category, such as process executions, network connections, file writes, etc. Processes and Services is one of the categories that shows information such as process name, command line, parent process name, parent command line, etc. for each process execution event on a host. Quarantined Files, Prevention Policies, and Intel Reports are not shown in Host Search.
Question 6
You want to produce a list of all event occurrences along with selected fields such as the full path, time, username etc. Which command would be the appropriate choice?
Answer : C
The table command is used to produce a list of all event occurrences along with selected fields such as the full path, time, username etc. It takes one or more field names as arguments and displays them in a tabular format. The fields command is used to keep or remove fields from search results, not to display them in a list. The distinct_count command is used to count the number of distinct values of a field, not to display them in a list. The values command is used to display a list of unique values of a field within each group, not to display all event occurrences.
Question 7
The Process Timeline Events Details table will populate the Parent Process ID and the Parent File columns when the cloudable Event data contains which event field?
Answer : C
The ParentProcessld_decimal event field is what the Process Timeline Events Details table will populate the Parent Process ID and the Parent File columns with when the cloudable Event data contains it. The ParentProcessld_decimal event field is the decimal representation of the process identifier for the parent process of the target process. It can be used to trace the process ancestry and identify potential malicious activity. The ContextProcessld_decimal, RawProcessld_decimal, and RpcProcessld_decimal event fields are not used to populate the Parent Process ID and the Parent File columns.
All Official Question Types