A Falcon Responder is analyzing a detection where `svchost.exe` initiated an outbound network connection to a known malicious IP address. The Process Tree shows this `svchost.exe` instance has no parent process. Which investigative step should be taken next within the Falcon UI to determine the root cause of this suspicious activity?
Q2
During an investigation, you use the RTR command `get C:\Users\Public\artifact.exe`. The command fails with an 'access denied' error, even though you have administrative privileges. You suspect the file is locked by a running process. Which sequence of RTR commands is the most effective way to identify the locking process and successfully retrieve the file?
Q3
A financial services firm has a legacy application that exhibits behavior similar to credential dumping but is a legitimate and required part of their quarterly reporting process. This activity generates a high volume of false positive detections, causing analyst fatigue. What is the most precise and secure method to suppress these specific detections without weakening the security posture for the rest of the host?
Q4
You are building a custom search query to identify potential lateral movement using `PsExec.exe`. You want to find instances where `PsExec.exe` was written to a remote host's ADMIN$ share. Which is the most accurate and efficient search query to accomplish this?
Q5
A responder is reviewing a detection and sees the MITRE ATT&CK Tactic 'TA0003 - Persistence' followed by the Technique 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'. What does this information primarily indicate about the adversary's actions?
Q6
When using the Bulk Domain Search feature, a responder can upload a list of up to 5,000 domains for analysis. True or False: The results of this search will show which hosts in your environment have communicated with those domains within the last 30 days.
Q7
A responder is analyzing a detection on a Linux server. They need to collect a list of all active network connections, the process associated with each connection, and write the output to a file on the host for later retrieval. Which of the following RTR commands would accomplish this?
Q8 (Multiple answers)
Which of the following pieces of information are available for a given host when viewed from the Host Search results? (Select THREE)
Q9
A security analyst is investigating a complex detection involving multiple processes. After reviewing the Process Tree, they want to understand the exact sequence of all activities performed by a single suspicious process, including file modifications, registry changes, and network connections. Which feature should the analyst pivot to from the detection details?
Q10
While analyzing an `LsassRead` detection, a responder examines the command line of the source process, `procdump.exe`. The command is `procdump.exe -ma lsass.exe C:\temp\lsass.dmp`. In this context, what does the external prevalence score of '1' for the `procdump.exe` hash likely signify?