Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

CrowdStrike Exam CCFR-201 Topic 1 Question 14 Discussion

Actual exam question for CrowdStrike's CCFR-201 exam
Question #: 14
Topic #: 1
[All CCFR-201 Questions]

You are reviewing the raw data in an event search from a detection tree. You find a FileOpenlnfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?

Show Suggested Answer Hide Answer
Suggested Answer: C

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, a DNSRequest event contains information about a DNS query made by a process2.The event has several fields, such as DomainName, QueryType, QueryResponseCode, etc2.The field that links a DNSRequest event to its responsible process is ContextProcessId_decimal, which contains the decimal value of the process ID of the process that generated the event2.You can use this field to trace the process lineage and identify malicious or suspicious activities2.


by Gwenn at May 23, 2024, 08:35 PM

Limited Time Offer

25%

Off

Get Premium CCFR-201 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Sherell
2 days ago
Definitely B. The question is asking for the fields needed to perform a Process Timeline search, and the ResponsibleProcessld_decimal and aid are the key pieces of information.
upvoted 0 times
...
Alverta
5 days ago
Actually, I checked the documentation and it says we need ParentProcessld_decimal and aid for the search.
upvoted 0 times
...
Toi
6 days ago
The correct answer seems to be B) ResponsibleProcessld_decimal and aid. That's the information I need to find out what other files were opened by the process responsible for the FileOpenlnfo event.
upvoted 0 times
...
Thurman
9 days ago
I disagree, I believe we need TargetProcessld_decimal and aid for the search.
upvoted 0 times
...
Alverta
12 days ago
I think we need ResponsibleProcessld_decimal and aid for Process Timeline search.
upvoted 0 times
...

Save Cancel