CrowdStrike Certified Falcon Hunter (CCFH) — Question 62
Suspicious RDP connections have been observed on a host within your environment. How do you utilize Event Search to show all connections on this specific host?
Answer options
- A. event_simpleName=UserIdentity LogonType_decimal=10 | table timestamp ComputerName UserName UserPrincipal LogonServer
- B. Table timestamp ComputerName UserName UserPrincipal LogonServer
- C. UserIdentity=LogonType_decimal=10 | table timestamp UserPrincipal LogonServer
- D. aid=[my-aid] event_simpleName=UserIdentity LogonType_decimal=10 | table timestamp ComputerName UserName UserPrincipal LogonServer
Correct answer: D
Explanation
The correct answer is D because it includes the aid parameter needed to specify the application ID, along with the correct event filtering for RDP connections. Option A lacks the aid parameter, while options B and C do not filter for LogonType_decimal=10, which makes them insufficient for identifying the specific connections of interest.