CrowdStrike Certified Falcon Hunter (CCFH) — Question 28
Which of the following is an example of a Falcon threat hunting lead?
Answer options
- A. A routine threat hunt query showing process executions of single letter filename (e.g., a.exe) from temporary directories
- B. Security appliance logs showing potentially bad traffic to an unknown external IP address
- C. A help desk ticket for a user clicking on a link in an email causing their machine to become unresponsive and have high CPU usage
- D. An external report describing a unique 5 character file extension for ransomware encrypted files
Correct answer: A
Explanation
Option A is correct because it is the only lead that originates inside Falcon itself: a routine hunt query run against Falcon's process-execution telemetry, surfacing single-letter executable names (a.exe, b.exe) launched from temporary directories, a pattern commonly used by malware to stage and run payloads. Options B, C and D are all legitimate reasons to start a hunt, but they come from sources outside Falcon: a security appliance's logs, a help desk ticket, and an external report respectively. Leads like those are normally turned into Falcon queries (for example, searching process and network telemetry for the IP address from B or the file extension from D) rather than being Falcon hunting leads on their own. Note that hits from a query like the one in A are a lead, not a verdict: single-letter binaries in temp directories are sometimes dropped by legitimate installers, so each hit still needs triage against the parent process, command line and signing information.
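The hunt described in option A, expressed as detection logic you can run over a batch of exported process events, is shown below. This is an added example written for this page, not CrowdStrike code or a Falcon query; the field names (event_simpleName, FileName, FilePath, ComputerName) mirror Falcon's ProcessRollup2 event shape, and the event values are constructed for the example. It goes slightly beyond the question by checking any directory component named Temp rather than one fixed path, and by excluding non-execution event types.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample events shaped like Falcon ProcessRollup2 telemetry.
# The field names follow Falcon's event schema (assumption for this example);
# the hostnames and paths are made up and are not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-01",
     "FileName": "a.exe",
     "FilePath": "\\Device\\HarddiskVolume2\\Users\\jdoe\\AppData\\Local\\Temp\\a.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-01",
     "FileName": "chrome.exe",
     "FilePath": "\\Device\\HarddiskVolume2\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "SRV-02",
     "FileName": "x.exe",
     "FilePath": "\\Device\\HarddiskVolume1\\Windows\\Temp\\x.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-03",
     "FileName": "b.exe",
     "FilePath": "\\Device\\HarddiskVolume2\\Program Files\\Vendor\\b.exe"},
    # A non-execution event for the same binary: must not count as a hit.
    {"event_simpleName": "DnsRequest", "ComputerName": "WS-01",
     "FileName": "a.exe",
     "FilePath": "\\Device\\HarddiskVolume2\\Users\\jdoe\\AppData\\Local\\Temp\\a.exe"},
]

# Exactly one letter followed by .exe, case-insensitive (a.exe, B.EXE).
SINGLE_LETTER_EXE = re.compile(r"^[a-z]\.exe$", re.IGNORECASE)


def is_single_letter_exe(filename: str) -> bool:
    """True for filenames like a.exe; False for ab.exe, a.dll, etc."""
    return SINGLE_LETTER_EXE.match(filename) is not None


def is_temp_path(path: str) -> bool:
    """True when any directory component of a Windows path is named Temp.

    Covers ...\\AppData\\Local\\Temp\\... and ...\\Windows\\Temp\\... without
    hard-coding either. The final component (the file itself) is ignored.
    """
    parts = path.split("\\")
    return any(p.lower() == "temp" for p in parts[:-1])


def hunt_single_letter_temp_exec(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return process-execution events matching the option A hunt pattern.

    Only ProcessRollup2 (process execution) events are considered, so
    DNS, network or file events referencing the same binary are excluded.
    """
    hits = []
    for ev in events:
        if ev.get("event_simpleName") != "ProcessRollup2":
            continue
        if is_single_letter_exe(ev.get("FileName", "")) and is_temp_path(ev.get("FilePath", "")):
            hits.append(ev)
    return hits


def hits_per_host(hits: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count matching executions per host, the usual first pivot when triaging a lead."""
    return dict(Counter(h["ComputerName"] for h in hits))


if __name__ == "__main__":
    found = hunt_single_letter_temp_exec(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['ComputerName']}: {h['FilePath']}")
    print(hits_per_host(found))
```

On the constructed input the hunt returns two hits (a.exe on WS-01 and x.exe on SRV-02); b.exe under Program Files and the DnsRequest event are correctly left out. In practice the next step is to pivot on each hit's parent process and command line before deciding whether it is an incident or an installer artifact.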