Welcome to Pass4Success


CrowdStrike Exam CCFR-201 Topic 2 Question 38 Discussion

Actual exam question for CrowdStrike's CCFR-201 exam
Question #: 38
Topic #: 2

After pivoting to an event search from a detection, you locate the ProcessRollup2 event. Which two field values are you required to obtain to perform a Process Timeline search so you can determine what the process was doing?


Contribute your Thoughts:

Laticia
2 days ago
Ah, I see what you mean, Margart. But I think Edison and B are on the right track. We need to focus on the parent process, not the target process.
upvoted 0 times
...
Ryann
3 days ago
I agree with Bettina, because the ParentProcessId_decimal is crucial for determining the process timeline.
upvoted 0 times
...
Margart
5 days ago
Hmm, I'm not so sure. Option D looks more appealing to me. Maybe the aid and TargetProcessId_decimal fields would be more useful for this task.
upvoted 0 times
...
Bettina
6 days ago
I think the answer is B) SHA256 and ParentProcessId_decimal.
upvoted 0 times
...
Emerson
6 days ago
I agree with Edison. The Process Timeline search requires the SHA256 and the ParentProcessId_decimal to determine what the process was doing.
upvoted 0 times
...
Edison
9 days ago
Option B seems to be the correct answer here. We need the SHA256 hash and the ParentProcessId_decimal to perform a Process Timeline search.
upvoted 0 times
Reuben
2 days ago
Let's make sure to gather the SHA256 and ParentProcessId_decimal for the search.
upvoted 0 times
...
Alonso
3 days ago
That's correct, those are the two field values required for the Process Timeline search.
upvoted 0 times
...
Julene
4 days ago
I agree, we need the SHA256 hash and the ParentProcessId_decimal.
upvoted 0 times
...
...
