CrowdStrike Certified Falcon Hunter (CCFH) — Question 12

What Search page would help a threat hunter differentiate testing, DevOps, or general user activity from adversary behavior?

Answer options

Correct answer: D

Explanation

The correct answer is D, User Search, as it allows for the analysis of user-specific actions, making it easier to distinguish normal behavior from that of an adversary. The other options, such as Hash Search, IP Search, and Domain Search, focus on different types of data and do not provide the same level of insight into user activities.