CrowdStrike CCFR-201b Exam - Topic 1 Question 6 Discussion

Actual exam question for CrowdStrike's CCFR-201b exam

Question #: 6
Topic #: 1

You are reviewing the raw data in an event search from a detection tree. You find a FileOpenlnfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?

AParentProcessld_decimal and aid

BResponsibleProcessld_decimal and aid

CContextProcessld_decimal and aid

DTargetProcessld_decimal and aid

Show Suggested Answer

Suggested Answer: D

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool allows you to view all cloudable events associated with a given process, such as process creation, network connections, file writes, registry modifications, etc2.The tool requires two parameters:aid(agent ID) andTargetProcessId_decimal(the decimal value of the process ID)2.These fields can be obtained from any event that involves the process, such as a FileOpenInfo event, which contains information about a file being opened by a process2.

by Lorrie at Mar 07, 2026, 09:58 PM

Limited Time Offer

25%

Off

Get Premium CCFR-201b Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Currently there are no comments in this discussion, be the first to comment!