
CrowdStrike Exam CCFH-202 Topic 6 Question 40 Discussion

Actual exam question for CrowdStrike's CCFH-202 exam
Question #: 40
Topic #: 6

Which of the following queries will return the parent processes responsible for launching badprogram.exe?

Suggested Answer: D

This query will return the parent processes responsible for launching badprogram.exe by using a subsearch to find the processrollup2 events where FileName is badprogram.exe, then renaming the TargetProcessId_decimal field to ParentProcessId_decimal and using it as a filter for the main search, then using stats to count the occurrences of each FileName by _time. The other queries will either not return the parent processes or use incorrect field names or syntax.
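The mechanics behind this kind of query, as an added example that is not part of the original page and not CrowdStrike's own code: a subsearch over the processrollup2 events for badprogram.exe yields join keys, the outer search keeps only the process events whose own process id matches one of those keys, and a final stats step counts by FileName and _time. The event records below are constructed sample data, not real Falcon telemetry; the field names (aid, FileName, TargetProcessId_decimal, ParentProcessId_decimal, _time) are the ones the question's options use. The join is keyed on aid as well as the process id because process ids are only unique per sensor, which is why the options carry `fields aid ...` out of the subsearch.

```python
from collections import Counter

# Constructed processrollup2-style events (sample data, not real telemetry).
# Assumption used for the join: a parent's TargetProcessId_decimal equals its
# child's ParentProcessId_decimal on the same sensor (aid).
EVENTS = [
    {"aid": "host-A", "event_simpleName": "ProcessRollup2", "FileName": "explorer.exe",
     "TargetProcessId_decimal": 1001, "ParentProcessId_decimal": 500, "_time": 1700000000},
    {"aid": "host-A", "event_simpleName": "ProcessRollup2", "FileName": "badprogram.exe",
     "TargetProcessId_decimal": 2002, "ParentProcessId_decimal": 1001, "_time": 1700000010},
    {"aid": "host-B", "event_simpleName": "ProcessRollup2", "FileName": "cmd.exe",
     "TargetProcessId_decimal": 1001, "ParentProcessId_decimal": 700, "_time": 1700000020},
    {"aid": "host-B", "event_simpleName": "ProcessRollup2", "FileName": "badprogram.exe",
     "TargetProcessId_decimal": 3003, "ParentProcessId_decimal": 1001, "_time": 1700000030},
    {"aid": "host-B", "event_simpleName": "ProcessRollup2", "FileName": "powershell.exe",
     "TargetProcessId_decimal": 4004, "ParentProcessId_decimal": 1001, "_time": 1700000040},
    # Pid 1001 also exists on host-C. Without aid in the join key this unrelated
    # process would be reported as a parent of badprogram.exe.
    {"aid": "host-C", "event_simpleName": "ProcessRollup2", "FileName": "notepad.exe",
     "TargetProcessId_decimal": 1001, "ParentProcessId_decimal": 300, "_time": 1700000050},
]


def is_process_event(event):
    """event_simpleName=processrollup2 (the field is compared case-insensitively here)."""
    return event["event_simpleName"].lower() == "processrollup2"


def subsearch_parent_keys(events, file_name):
    """Inner search: the (aid, ParentProcessId_decimal) pair of every event for file_name.

    These pairs play the role of the values a Splunk subsearch hands back to the
    outer search as a filter.
    """
    return {
        (e["aid"], e["ParentProcessId_decimal"])
        for e in events
        if is_process_event(e) and e["FileName"].lower() == file_name.lower()
    }


def find_parents(events, file_name):
    """Outer search: process events whose own (aid, TargetProcessId_decimal) is a parent key."""
    keys = subsearch_parent_keys(events, file_name)
    return [
        e for e in events
        if is_process_event(e) and (e["aid"], e["TargetProcessId_decimal"]) in keys
    ]


def count_by_filename_time(events):
    """stats count by FileName _time, returned as {(FileName, _time): count}."""
    return dict(Counter((e["FileName"], e["_time"]) for e in events))


if __name__ == "__main__":
    parents = find_parents(EVENTS, "badprogram.exe")
    for (name, ts), n in sorted(count_by_filename_time(parents).items(), key=lambda kv: kv[0][1]):
        print(f"{name}\t{ts}\t{n}")
```

Running the block lists explorer.exe on host-A and cmd.exe on host-B as the parents; notepad.exe on host-C is excluded even though it shares pid 1001, which is the reason to keep aid in the subsearch's returned fields when hunting across a fleet.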


Contribute your Thoughts:

Sharen
5 days ago
I see your point, but I still think D) event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time is the best option
upvoted 0 times
Martha
10 days ago
But query C) [search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time seems more logical to me
upvoted 0 times
Sharen
12 days ago
I disagree, I believe the answer is B) event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessId_decimal AS TargetProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
upvoted 0 times
Ryan
22 days ago
Haha, imagine if the bad program was called 'badprogram.exe'. That's like something out of a bad movie. Anyway, I think Option C is the way to go - it's the most direct approach.
upvoted 0 times
Jannette
24 days ago
Option D seems to have the right idea, but the field names are a bit confusing. I'd prefer something more straightforward like ParentProcessId.
upvoted 0 times
Selma
11 days ago
I agree, Option D does seem to be on the right track.
upvoted 0 times
Martha
26 days ago
I think the correct query is A) [search (ParentProcess) where name=badprogram.exe ] | table ParentProcessName _time
upvoted 0 times
Tennie
28 days ago
Option A looks promising, but I'm not sure if it includes the full details we need. I'd like to see the ParentProcessName as well as the timestamp.
upvoted 0 times
Veta
15 days ago
Let's go with option A then.
upvoted 0 times
Lawrence
18 days ago
I agree, we need the ParentProcessName and timestamp.
upvoted 0 times
Leota
20 days ago
I think option A is the best choice.
upvoted 0 times