The CrowdStrike CCFH-202b exam preparation guide is designed to provide candidates with necessary information about the Falcon Hunter exam. It includes exam summary, sample questions, practice test, objectives and ways to interpret the exam objectives to enable candidates to assess the types of questions-answers that may be asked during the CrowdStrike Certified Falcon Hunter (CCFH) exam.
It is recommended for all the candidates to refer the CCFH-202b objectives and sample questions provided in this preparation guide. The CrowdStrike CCFH certification is mainly targeted to the candidates who want to build their career in Falcon Platform domain and demonstrate their expertise. We suggest you to use practice exam listed in this cert guide to get used to with exam environment and identify the knowledge areas where you need more work prior to taking the actual CrowdStrike Falcon Hunter exam.
CrowdStrike CCFH-202b Exam Summary:
|
Exam Name
|
CrowdStrike Falcon Hunter |
| Exam Code | CCFH-202b |
| Exam Price | $250 USD |
| Duration | 90 minutes |
| Number of Questions | 60 |
| Passing Score | 80% |
| Recommended Training / Books | CCFH Training |
| Schedule Exam | PEARSON VUE |
| Sample Questions | CrowdStrike CCFH-202b Sample Questions |
| Recommended Practice | CrowdStrike Certified Falcon Hunter (CCFH) Practice Test |
CrowdStrike Falcon Hunter Syllabus:
| Section | Objectives |
|---|---|
| ATT&CK Frameworks |
- Demonstrate knowledge of the cyber kill chain (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, covering tracks) and recognize intelligence gaps - Utilize the MITRE ATT&CK Framework to model threat actor behaviors - Operationalize the MITRE ATT&CK Framework to look for research threat models, TTPs and threat actors, and pivot as necessary and convey to non-technical audiences |
| Detection Analysis |
- Analyze information displayed in the Host Timeline to understand host states and events - Analyze the information displayed in the Process Timeline to understand the flow of events and detections - Pivot from the detection page to additional investigative tools |
| Search and Investigation Tools |
- Analyze and interpret metadata around files and processes recorded by Falcon - Differentiate use of Investigate Module tools available in Falcon - Understand use cases for various search options (e.g., User Search, Host Search, Hash Search, IP Addresses Search, Bulk Domain Search) - Interpret search result information displayed in dashboards to determine additional investigation or action |
| Event Search |
- Define key syntax of CrowdStrike Query Language (CQL) - Build a query and perform a search using CQL - Format event data for user readability, export or charting - Filter event data and analyze results - Describe the process relationship of (Target/Parent/Context) - Define key data event types - Convert and format Unix times to UTC readable time - Create a custom dashboard to display Advanced Event Search results |
| Reports and References |
- Use the built-in Hunt reports to refine event details - Use the built-in Visibility reports to refine event details - Leverage the Events Full Reference documentation to learn information about specific events |
| Hunting Analytics |
- Analyze and recognize suspicious overt malicious behaviors - Understand target systems (asset inventory and who would target those assets) - Evaluate information for reliability, validity and relevance for use in the process of elimination - Identify alternative analytical interpretations to minimize and reduce false positives - Decode and understand PowerShell/CMD activity - Recognize patterns such as an enterprise-wide file infection process to determine the root cause or source of the infection - Differentiate testing, DevOPs or general user activity from adversary behavior - Identify the vulnerability exploited from an initial attack vector |
| Hunting Methodology |
- Conduct routine active hunt operations within your environment in order to determine if your environment has been breached - Perform outlier analysis with the Falcon tool - Conduct hypothesis and hunting lead generation in order to prove them using Falcon tools - Construct simple and complex EAM queries in Falcon - Investigate a process tree |