
CrowdStrike Exam CCFR-201 Topic 2 Question 38 Discussion

Actual exam question for CrowdStrike's CCFR-201 exam
Question #: 38
Topic #: 2

After pivoting to an event search from a detection, you locate the ProcessRollup2 event. Which two field values are you required to obtain to perform a Process Timeline search so you can determine what the process was doing?


Contribute your Thoughts:

Almeta
1 month ago
This question is a real head-scratcher! I'd say the correct answer is whichever one involves the least amount of work. Ain't nobody got time for that process timeline nonsense!
upvoted 0 times
Aide
12 days ago
Let's go with B) and see if we can get this done quickly.
upvoted 0 times
...
Claribel
18 days ago
I agree, that seems like the most logical choice.
upvoted 0 times
...
Cammy
21 days ago
I agree, let's go with that.
upvoted 0 times
...
Dacia
22 days ago
I think the answer is B) SHA256 and ParentProcessId_decimal.
upvoted 0 times
...
Zona
1 month ago
I think the answer is B) SHA256 and ParentProcessId_decimal.
upvoted 0 times
...
...
Aretha
2 months ago
I'm not sure, but I think it might be A) SHA256 and TargetProcessId_decimal.
upvoted 0 times
...
Laticia
2 months ago
Ah, I see what you mean, Margart. But I think Edison and B are on the right track. We need to focus on the parent process, not the target process.
upvoted 0 times
...
Ryann
2 months ago
I agree with Bettina, because the ParentProcessId_decimal is crucial for determining the process timeline.
upvoted 0 times
...
Margart
2 months ago
Hmm, I'm not so sure. Option D looks more appealing to me. Maybe the aid and TargetProcessId_decimal fields would be more useful for this task.
upvoted 0 times
...
Bettina
2 months ago
I think the answer is B) SHA256 and ParentProcessId_decimal.
upvoted 0 times
...
Emerson
2 months ago
I agree with Edison. The Process Timeline search requires the SHA256 and the ParentProcessId_decimal to determine what the process was doing.
upvoted 0 times
Lottie
21 days ago
I agree with Edison. The Process Timeline search requires the SHA256 and the ParentProcessId_decimal to determine what the process was doing.
upvoted 0 times
...
Clorinda
27 days ago
B) SHA256 and ParentProcessId_decimal
upvoted 0 times
...
Micaela
1 month ago
A) SHA256 and TargetProcessId_decimal
upvoted 0 times
...
...
Edison
2 months ago
Option B seems to be the correct answer here. We need the SHA256 hash and the ParentProcessId_decimal to perform a Process Timeline search.
upvoted 0 times
Reuben
2 months ago
Let's make sure to gather the SHA256 and ParentProcessId_decimal for the search.
upvoted 0 times
...
Alonso
2 months ago
That's correct, those are the two field values required for the Process Timeline search.
upvoted 0 times
...
Julene
2 months ago
I agree, we need the SHA256 hash and the ParentProcessId_decimal.
upvoted 0 times
...
...
