CrowdStrike Certified Falcon Hunter (CCFH) — Question 2
Adversaries commonly execute discovery commands such as net.exe, ipconfig.exe, and whoami.exe. Rather than query for each of these commands individually, you would like to use a single query with all of them. What Splunk operator is needed to complete the following query?

aid=my-aid event_simpleName=ProcessRollup2 (FileName=net.exe __________ FileName=ipconfig.exe _________ FileName=whoami.exe) | table ComputerName UserName FileName CommandLine
Answer options
- A. OR
- B. IN
- C. NOT
- D. AND
Correct answer: A
Explanation
The correct answer is A (OR) because this operator matches when any one of the listed conditions is true, which is what is needed to include several command names in a single query. The other options do not fit the requirement: B (IN) is used for matching a field against a list rather than joining separate conditions, C (NOT) would exclude the terms instead of including them, and D (AND) would require all conditions to be true at once, which a single process event cannot satisfy since it has only one FileName.