CrowdStrike CCFH-202b Exam - Topic 1 Question 6 Discussion

Which of the following queries will return the parent processes responsible for launching badprogram.exe?
A) [search (ParentProcess) where name=badprogranrexe ] | table ParentProcessName _time
B) event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessId_decimal AS TargetProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
C) [search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time
D) event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time

Actual exam question for CrowdStrike's CCFH-202b exam
Question #: 6
Topic #: 1

Suggested Answer: D

This query returns the parent processes responsible for launching badprogram.exe by using a subsearch to find the processrollup2 events whose FileName is badprogram.exe, renaming the TargetProcessId_decimal field to ParentProcessId_decimal so that it can be used as a filter for the main search, and then using stats to count the occurrences of each FileName by _time. The other queries either do not return the parent processes or use incorrect field names or syntax.
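The parent lookup the explanation describes, modelled in Python over constructed ProcessRollup2-style records (an added example, not code from the page or from CrowdStrike; the field names are the ones the question uses, the event values and host ids are made up): the inner step collects the parent identifier of every badprogram.exe event, the outer step keeps the events whose own TargetProcessId_decimal matches on the same aid, and the final step counts by FileName and _time. The use_aid switch shows why the subsearch keeps aid in its output.

```python
from collections import Counter

# Constructed ProcessRollup2-style records (sample data, not real telemetry).
# PIDs are reused across hosts on purpose, as they are in real telemetry.
EVENTS = [
    {"aid": "host1", "TargetProcessId_decimal": 100, "ParentProcessId_decimal": 1,
     "FileName": "explorer.exe", "_time": 1700000000},
    {"aid": "host1", "TargetProcessId_decimal": 200, "ParentProcessId_decimal": 100,
     "FileName": "badprogram.exe", "_time": 1700000010},
    {"aid": "host1", "TargetProcessId_decimal": 300, "ParentProcessId_decimal": 200,
     "FileName": "cmd.exe", "_time": 1700000020},
    {"aid": "host2", "TargetProcessId_decimal": 300, "ParentProcessId_decimal": 1,
     "FileName": "powershell.exe", "_time": 1700000030},
    {"aid": "host2", "TargetProcessId_decimal": 400, "ParentProcessId_decimal": 300,
     "FileName": "badprogram.exe", "_time": 1700000040},
]


def subsearch_parent_keys(events, filename, use_aid=True):
    """Inner search: for each event whose FileName matches, emit the key the
    outer search filters on. Relabelling ParentProcessId_decimal as
    TargetProcessId_decimal is what lets the outer search compare it against
    its own TargetProcessId_decimal; keeping aid stops PID collisions."""
    return {
        (e["aid"] if use_aid else None, e["ParentProcessId_decimal"])
        for e in events
        if e["FileName"] == filename
    }


def parents_of(events, filename, use_aid=True):
    """Outer search: keep the ProcessRollup2 events whose own process key
    matches one produced by the subsearch, i.e. the launching parents."""
    keys = subsearch_parent_keys(events, filename, use_aid)
    return [
        e for e in events
        if (e["aid"] if use_aid else None, e["TargetProcessId_decimal"]) in keys
    ]


def stats_count_by_filename_time(events):
    """Equivalent of `| stats count by FileName _time`."""
    return Counter((e["FileName"], e["_time"]) for e in events)


if __name__ == "__main__":
    parents = parents_of(EVENTS, "badprogram.exe")
    for (name, ts), n in sorted(stats_count_by_filename_time(parents).items()):
        print(f"{name:16} {ts} count={n}")
```

Without aid in the key, host1's cmd.exe (PID 300) is wrongly matched by host2's parent PID 300, which is why the `fields aid TargetProcessId_decimal` clause matters.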


Contribute your Thoughts:

Sheron
29 days ago
Not sure about D, seems overly complicated for this.
upvoted 0 times

Ivory
1 month ago
I think A is the right choice, it’s straightforward.
upvoted 0 times

Tiera
1 month ago
Option C looks solid for finding parent processes.
upvoted 0 times

Mose
1 month ago
Not sure about B, seems overly complicated for this.
upvoted 0 times

Tandra
2 months ago
I agree with C, it makes the most sense.
upvoted 0 times

Annamae
2 months ago
Wait, is "badprogranrexe" a typo in A?
upvoted 0 times

Frederic
2 months ago
I think D is the correct one, actually.
upvoted 0 times

Merlyn
2 months ago
Option C looks right to me.
upvoted 0 times

Tayna
2 months ago
I have a feeling that option D is the one we discussed in class, but I’m not entirely confident about the field names used.
upvoted 0 times

Margart
3 months ago
I’m a bit confused about the difference between options B and D; they both seem to involve renaming fields, but I can't recall which one is more accurate.
upvoted 0 times

Rana
3 months ago
I remember practicing with similar queries, and I feel like option C might be the right approach since it directly mentions ParentProcessName.
upvoted 0 times

Loren
3 months ago
I think option A looks familiar, but I’m not sure if it correctly references the parent processes.
upvoted 0 times
