CrowdStrike Certified Falcon Hunter (CCFH) — Question 87

Which of the following is the proper method to quantify search results, enabling a hunter to quickly sort and identify outliers?

Answer options

• A. Using the “| stats count by” command at the end of a search string in Event Search
• B. Using the “|stats count” command at the end of a search string in Event Search
• C. Using the “|eval” command at the end of a search string in Event Search
• D. Exporting Event Search results to a spreadsheet and aggregating the results

Correct answer: A

Explanation

The correct answer is A because the “| stats count by” command effectively groups and counts the occurrences of events, which is essential for identifying outliers. Option B only counts events without grouping them, which does not help in identifying outliers. Option C, using the “|eval” command, is not designed for counting or sorting but rather for creating new fields. Option D involves manual aggregation in a spreadsheet, which is less efficient than using built-in commands directly in Event Search.