Exam CCFH-202 topic 1 question 84 discussion

The correct is letter D, because the query has the fields "_time", "ComputerName" and "UserName". And the field "_time" means timestamp of the moment that the event was received by the Crowdstrike cloud ont Event Data Dictionary document. You can run the query "event_simpleName=UserLogon | table _time ComputerName UserName" on event search and see the results.

From the Event Data Dictionary: "_time: Timestamp of the moment that the event was received by the CrowdStrike cloud. This is not to be confused with the time the event was generated locally on the system. This is the timestamp Of the event from the clouds point Of view. This value can be converted to any time format and can be used for calculations." Lots of references to the cloud time in there.

B. Human-readable event host time, host name, user name Falcon Documentation > Event Investigation > Events > About Events _time Timestamp of the moment that the event was received by the CrowdStrike cloud. This is not to be confused with the time the event was generated locally on the system. This is the timestamp of the event from the cloud's point of view. This value can be converted to any time format and can be used for calculations. "10/19/2017 18:10:29.396"

Correct answer is A : Machine-readable event host time, host name, user name Reference : _time : The host's local time in epoch format."1538648887.051" https://falcon.crowdstrike.com/documentation/page/e3ce0b24/events-data-dictionary

Event Host Time is identified through ContextTimeStamp_decimal instead.

D _time is the command to covert cloud event time from EPOC to UTC readable.

event host time” and “event cloud time” are two different timestamps that are used to track when an event occurred on the host and when it was ingested into the cloud-based logging service, respectively

I think the correct answer is B. If I run that query it is human readable.

I think the correct answer is B.