A threat hunter is investigating a custom-compiled variant of Mimikatz. The malicious binary was executed on a single host and immediately deleted by the adversary. No file hash is available. Which Falcon search feature is the most effective starting point to identify other hosts where this specific binary may have been executed?
Q2
A security analyst is building a CQL query to identify potential DNS tunneling activity. The goal is to find hosts making an unusually high number of DNS requests for subdomains of a single parent domain. Which combination of CQL functions is best suited for this task?
Q3
During an investigation, a hunter analyzes a process tree where `winword.exe` spawns `cmd.exe`, which in turn launches `powershell.exe`. In the context of Falcon event data, what are the respective process relationships of `cmd.exe`?
Q4 (Multiple answers)
A threat hunter is developing a hypothesis that adversaries are using a specific living-off-the-land binary (LOLBAS), `certutil.exe`, to download payloads from the internet. Which of the following activities, when combined, provide the strongest evidence to validate this hypothesis? (Select TWO)
Q5
A hunter observes a detection for PowerShell executing a command containing `-e` followed by a long, seemingly random string of characters. The Falcon UI automatically decodes this string. This behavior is most indicative of which MITRE ATT&CK technique?
Q6
True or False: The `stats` command in CQL can only be used to count events and cannot calculate other mathematical aggregations like averages or sums.
Q7
A pharmaceutical company is investigating a potential data exfiltration incident. The primary suspect is a disgruntled scientist who recently left the company. The security team believes the scientist may have used a cloud storage synchronization client to upload proprietary research data from their corporate laptop just before their departure. The security team has the scientist's laptop under forensic hold but first wants to use Falcon to quickly scope the activity across the environment. The known information is the name of a common cloud sync application (`megasync.exe`), the user's account name (`j.doe`), and the timeframe of the activity (the last 48 hours before the account was disabled). The goal is to create a report for management that visualizes the volume of outbound data per host associated with this user and application, to prioritize which other machines might have been compromised or used for exfiltration. Which approach in Falcon would most efficiently achieve this goal?
Q8
A hunter needs to create a CQL query that finds all `FileWritten` events but excludes any writes to files with `.log` or `.tmp` extensions. What is the correct syntax to achieve this?
Q9
When analyzing a Host Timeline, a threat hunter needs to understand the state of the host at a specific point in time, including running processes and network connections. Which built-in Falcon feature, accessible from the Host Management page, provides this detailed point-in-time snapshot?
Q10
A hunter is investigating an alert where `lsass.exe` crashed on a domain controller. The hypothesis is that an attacker attempted to dump credentials. To find the process that interacted with `lsass.exe` just before the crash, what is the most precise event to search for?