Questions for the CCFH-202 were updated on: Nov 21, 2025
Which field in a DNS Request event points to the responsible process?
A
Explanation:
The ContextProcessId_readable field in a DNS Request event points to the responsible process. The
ContextProcessId_readable field is the readable representation of the process identifier for the
process that initiated the DNS request. It can be used to identify which process was communicating
with a specific domain or IP address. The TargetProcessId_decimal, ContextProcessId_decimal, and
ParentProcessId_decimal fields do not point to the responsible process.
Reference: https://falcon.crowdstrike.com/support/documentation/44/events-data-dictionary
You are reviewing a list of domains recently banned by your organization's acceptable use policy. In
particular, you are looking for the number of hosts that have visited each domain. Which tool should
you use in Falcon?
C
Explanation:
Bulk Domain Search is the tool that you should use in Falcon to review a list of domains recently
banned by your organization’s acceptable use policy and look for the number of hosts that have
visited each domain. Bulk Domain Search is an Investigate tool that allows you to search for multiple
domains at once and view their network connection events across all hosts in your environment. It
shows information such as domain name, number of hosts visited, number of detections generated,
etc. for each domain. Create a custom alert for each domain, Allowed Domain Summary Report, and
IP Addresses Search are not tools that you should use for this purpose.
Reference: https://www.crowdstrike.com/blog/tech-center/bulk-domain-search-in-crowdstrike-falcon/
What information is shown in Host Search?
D
Explanation:
Processes and Services is one of the categories of information shown in Host Search. Host Search is an
Investigate tool that allows you to view events by category, such as process executions, network
connections, file writes, etc. Processes and Services is one of the categories that shows information
such as process name, command line, parent process name, parent command line, etc. for each
process execution event on a host. Quarantined Files, Prevention Policies, and Intel Reports are not
shown in Host Search.
Reference: https://www.crowdstrike.com/blog/tech-center/host-search-in-crowdstrike-falcon/
When performing a raw event search via the Events search page, what are Event Actions?
C
Explanation:
When performing a raw event search via the Events search page, Event Actions are pivotable
workflows that allow you to perform various tasks related to the event or the host. For example, you
can connect to a host using Real Time Response, run pre-made event searches based on the event
type or name, or pivot to other investigatory pages such as host search, hash search, etc. Event
Actions do not contain audit information log, summary of actions taken by the Falcon sensor, or the
event name defined in the Events Data Dictionary.
Reference: https://www.crowdstrike.com/blog/tech-center/event-search-in-crowdstrike-falcon/
To view Files Written to Removable Media within a specified timeframe on a host within the Host
Search page, expand and refer to the _______dashboard panel.
D
Explanation:
To view Files Written to Removable Media within a specified timeframe on a host within the Host
Search page, you need to expand and refer to the Suspicious File Activity dashboard panel. The
Suspicious File Activity dashboard panel shows information such as files written to removable media,
files written to system directories by non-system processes, files written to startup folders, etc. The
other dashboard panels do not show files written to removable media.
Reference: https://www.crowdstrike.com/blog/tech-center/host-search-in-crowdstrike-falcon/
What kind of activity does a User Search help you investigate?
B
Explanation:
User Search is an Investigate tool that helps you investigate a list of process activity executed by the
specified user account. It shows information such as process name, command line, parent process
name, parent command line, etc. for each process that was executed by the user account on any host
in your environment. It does not show a history of Falcon UI logon activity, a count of failed user
logon activity, or a list of DNS queries by the specified user account.
Reference: https://www.crowdstrike.com/blog/tech-center/user-search-in-crowdstrike-falcon/
What information is provided when using IP Search to look up an IP address?
C
Explanation:
IP Search is an Investigate tool that allows you to look up information about external IPs only. It
shows information such as geolocation, network connection events, detection history, etc. for each
external IP address that has communicated with your hosts. It does not show information about
internal IPs, suspicious IPs, or both internal and external IPs.
Reference: https://www.crowdstrike.com/blog/tech-center/ip-search-in-crowdstrike-falcon/
With Custom Alerts you are able to configure email alerts using predefined templates so you're
notified about specific activity in your environment. Which of the following outlines the steps
required to properly create a custom alert rule?
B
Explanation:
These are the steps required to properly create a custom alert rule. Custom Alerts are a feature that
allows you to configure email alerts using predefined templates so you’re notified about specific
activity in your environment. You can choose from various templates that cover different use cases,
such as suspicious PowerShell activity, network connections to risky countries, etc. You can also
preview the search results of the template before scheduling the alert. You do not need to create the
query for the alert, setup the email template for the alert, or create a new custom template, as these
are already provided by the predefined templates.
Reference: https://www.crowdstrike.com/blog/tech-center/custom-alerts-in-crowdstrike-falcon/
Which of the following is TRUE about a Hash Search?
B
Explanation:
The Hash Search is an Investigate tool that allows you to search for a file hash and view its process
execution history across all hosts in your environment. It shows information such as process name,
command line, parent process name, parent command line, etc. for each execution of the file hash.
Wildcard searches are permitted with the Hash Search, as long as they are at least four characters
long. The Hash Search is available on Linux, as well as Windows and Mac OS X. Module Load History
is presented in a Hash Search, along with other information such as File Write History and Detection
History.
Reference: https://www.crowdstrike.com/blog/tech-center/hash-search-in-crowdstrike-falcon/
While you're reviewing Unresolved Detections in the Host Search page, you notice the User Name
column contains "hostname$". What does this User Name indicate?
C
Explanation:
When you see "hostname$" in the User Name column in the Host Search page, it means that there is
no User Name associated with the event. This can happen when the event is related to a system
process or service that does not have a user context. It does not mean that the User Name is a
System User, that the User Name is not relevant for the dashboard, or that the Falcon sensor could
not determine the User Name.
Reference: https://www.crowdstrike.com/blog/tech-center/host-search-in-crowdstrike-falcon/
The Process Timeline Events Details table will populate the Parent Process ID and the Parent File
columns when the cloudable Event data contains which event field?
C
Explanation:
The ParentProcessId_decimal event field is the field that, when present in the cloudable Event data,
the Process Timeline Events Details table uses to populate the Parent Process ID and the Parent File
columns. The ParentProcessId_decimal event field is the decimal representation of the process
identifier for the parent process of the target process. It can be used to trace the process ancestry
and identify potentially malicious activity. The ContextProcessId_decimal, RawProcessId_decimal, and
RpcProcessId_decimal event fields are not used to populate the Parent Process ID and the Parent File
columns.
Reference: https://falcon.crowdstrike.com/support/documentation/44/events-data-dictionary
What is the difference between a Host Search and a Host Timeline?
B
Explanation:
This is the difference between a Host Search and a Host Timeline. A Host Search is an Investigate tool
that allows you to view events by category, such as process executions, network connections, file
writes, etc. A Host Timeline is an Investigate tool that allows you to view all events in chronological
order, without any categorization. Both tools can be used for detection investigation and proactive
hunting, depending on the use case and preference. You can access a Host Search from a detection or
manually enter the host details. You can also populate the Host Timeline fields manually or from
other pages in Falcon.
Reference:
https://www.crowdstrike.com/blog/tech-center/host-search-in-crowdstrike-falcon/
https://www.crowdstrike.com/blog/tech-center/host-timeline-in-crowdstrike-falcon/
What elements are required to properly execute a Process Timeline?
A
Explanation:
The Agent ID (AID) and the Target Process ID are the elements that are required to properly execute a
Process Timeline. The Agent ID (AID) is a unique identifier for each host that has a Falcon sensor
installed. The Target Process ID is the decimal representation of the process identifier for the process
that you want to investigate. These two elements are used to query the cloud for the events related
to the process on the host. The Agent ID (AID) only, the Hostname and Local Process ID, and the
Target Process ID only are not sufficient to execute a Process Timeline.
Reference: https://www.crowdstrike.com/blog/tech-center/process-timeline-in-crowdstrike-falcon/
What do you click to jump to a Process Timeline from many pages in Falcon, such as a Hash Search?
D
Explanation:
The Process Timeline Link is what you click to jump to a Process Timeline from many pages in Falcon,
such as a Hash Search. The Process Timeline Link is an icon that looks like three horizontal bars with
dots on them. It appears next to each process name or ID on various pages in Falcon, such as Hash
Search results, Detection details, Event Search results, etc. Clicking on it will open a new tab with the
Process Timeline for that process. The PID, the Process ID or Parent Process ID, and the CID are not
what you click to jump to a Process Timeline.
Reference: https://www.crowdstrike.com/blog/tech-center/process-timeline-in-crowdstrike-falcon/
What Investigate tool would you use to allow an analyst to view all events for a specific host?
C
Explanation:
The Host Timeline is the Investigate tool that you would use to allow an analyst to view all events for
a specific host. The Host Timeline shows a graphical representation of all events that occurred on a
host within a specified time range. It allows an analyst to zoom in and out, filter by event type or
name, and drill down into event details. The Bulk Timeline, the Host Search, and the Process
Timeline are not Investigate tools that you would use to view all events for a specific host.
Reference: https://www.crowdstrike.com/blog/tech-center/host-timeline-in-crowdstrike-falcon/