CrowdStrike CCFH-202b Exam - Topic 1 Question 6 Discussion

Actual exam question for CrowdStrike's CCFH-202b exam

Question #: 6
Topic #: 1

Which of the following queries will return the parent processes responsible for launching badprogram exe?

A[search (ParentProcess) where name=badprogranrexe ] | table ParentProcessName _time

Bevent_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessld_decimal AS TargetProcessld_decimal | fields aid TargetProcessld_decimal] | stats count by FileName _time

C[search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time

Devent_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessld_decimal AS ParentProcessld_decimal | fields aid TargetProcessld_decimal] | stats count by FileName _time

Show Suggested Answer

Suggested Answer: D

This query will return the parent processes responsible for launching badprogram.exe by using a subsearch to find the processrollup2 events where FileName is badprogram.exe, then renaming the TargetProcessld_decimal field to ParentProcessld_decimal and using it as a filter for the main search, then using stats to count the occurrences of each FileName by _time. The other queries will either not return the parent processes or use incorrect field names or syntax.

by Tora at Mar 04, 2026, 08:52 AM

Limited Time Offer

25%

1 month ago

I think option A looks familiar, but I’m not sure if it correctly references the parent processes.

upvoted 0 times

...