
CrowdStrike CCFR-201b Exam - Topic 1 Question 6 Discussion

Actual exam question for CrowdStrike's CCFR-201b exam
Question #: 6
Topic #: 1

You are reviewing the raw data in an event search from a detection tree. You find a FileOpenInfo event and want to find out whether any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?

Suggested Answer: D

According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Process Timeline tool shows all cloudable events associated with a given process: process creation, network connections, file writes, registry modifications, and so on. The tool takes two parameters: aid (the agent ID of the sensor that recorded the event) and TargetProcessId_decimal (the decimal process ID). Both values can be taken from any event that involves the process, including a FileOpenInfo event, which records a file being opened by a process. Two practical points: process IDs are only unique on a single host, so the aid is required alongside the process ID to scope the search to the right sensor; and in the raw FileOpenInfo event the acting process is identified by its ContextProcessId_decimal value, which is the value you supply as the TargetProcessId_decimal parameter. A parent process ID would identify a different process than the one that opened the file.
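The pivot described above, as an added example that is not part of the original page or of CrowdStrike's tooling: a handful of constructed Falcon-style raw events, a helper that pulls the (aid, process ID) pair from a FileOpenInfo event, and a local emulation of the Process Timeline filter that is then narrowed to other FileOpenInfo events from the same process. The field layout is an assumption: a ProcessRollup2 event carries its own ID in TargetProcessId_decimal, while activity events carry the acting process's ID in ContextProcessId_decimal. The sample includes the same PID on a second host to show why aid has to be part of the key.

```python
"""Emulate the Process Timeline pivot over constructed Falcon-style events.

Added example, not code from the page or from CrowdStrike. Field layout is an
assumption: ProcessRollup2 carries the process's own id in
TargetProcessId_decimal; activity events (FileOpenInfo, DnsRequest, ...)
carry the acting process's id in ContextProcessId_decimal. The Process
Timeline takes aid plus that id as TargetProcessId_decimal.
"""
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]

# Constructed sample events. PID 4532 appears on two different sensors
# (aid a1b2c3 and aid ffee99): process ids are only unique per host.
SAMPLE_EVENTS: List[Event] = [
    {"event_simpleName": "ProcessRollup2", "aid": "a1b2c3",
     "TargetProcessId_decimal": "4532",
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\notepad.exe"},
    {"event_simpleName": "FileOpenInfo", "aid": "a1b2c3",
     "ContextProcessId_decimal": "4532",
     "TargetFileName": r"\Device\HarddiskVolume2\Users\alice\passwords.txt"},
    {"event_simpleName": "FileOpenInfo", "aid": "a1b2c3",
     "ContextProcessId_decimal": "4532",
     "TargetFileName": r"\Device\HarddiskVolume2\Users\alice\notes.txt"},
    {"event_simpleName": "FileOpenInfo", "aid": "a1b2c3",
     "ContextProcessId_decimal": "7788",
     "TargetFileName": r"\Device\HarddiskVolume2\Windows\win.ini"},
    {"event_simpleName": "FileOpenInfo", "aid": "ffee99",
     "ContextProcessId_decimal": "4532",
     "TargetFileName": r"\Device\HarddiskVolume1\Temp\other-host.txt"},
    {"event_simpleName": "DnsRequest", "aid": "a1b2c3",
     "ContextProcessId_decimal": "4532",
     "DomainName": "example.invalid"},
]


def timeline_key(event: Event) -> Tuple[str, str]:
    """Return (aid, process id) as the Process Timeline needs them.

    For FileOpenInfo and other activity events the responsible process is
    ContextProcessId_decimal; for ProcessRollup2 it is TargetProcessId_decimal.
    """
    pid = event.get("ContextProcessId_decimal") or event.get("TargetProcessId_decimal")
    aid = event.get("aid")
    if pid is None or aid is None:
        raise ValueError("event lacks aid or a process id field")
    return aid, pid


def process_timeline(events: Iterable[Event], aid: str, target_pid: str) -> List[Event]:
    """All events on sensor `aid` that belong to process `target_pid`.

    Matching on aid first is what keeps a same-numbered PID on another host
    out of the result.
    """
    return [
        e for e in events
        if e.get("aid") == aid
        and target_pid in (e.get("TargetProcessId_decimal"), e.get("ContextProcessId_decimal"))
    ]


def other_files_opened(events: List[Event], seed: Event) -> List[str]:
    """Files opened by the process responsible for `seed`, excluding the seed itself."""
    aid, pid = timeline_key(seed)
    return sorted(
        e["TargetFileName"]
        for e in process_timeline(events, aid, pid)
        if e.get("event_simpleName") == "FileOpenInfo" and e is not seed
    )


if __name__ == "__main__":
    seed = SAMPLE_EVENTS[1]
    print("timeline key:", timeline_key(seed))
    for e in process_timeline(SAMPLE_EVENTS, *timeline_key(seed)):
        print("  ", e["event_simpleName"], e.get("TargetFileName") or e.get("ImageFileName") or e.get("DomainName"))
    print("other files opened:", other_files_opened(SAMPLE_EVENTS, seed))
```

Run the module directly to see the four events that land on the a1b2c3/4532 timeline and the single other file that process opened; the win.ini open by PID 7788 and the other host's PID 4532 are both excluded.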


Contribute your Thoughts:

Linsey
4 days ago
Wait, are we sure about that? I thought it could be D too.
upvoted 0 times
...
Quentin
9 days ago
Definitely B, that's what I've always used for these searches.
upvoted 0 times
...
Dorathy
14 days ago
I thought it was A, ParentProcessId seems important too.
upvoted 0 times
...
Theola
20 days ago
B is the right choice, you need ResponsibleProcessId.
upvoted 0 times
...
Viki
25 days ago
I feel like TargetProcessId_decimal and aid could be the answer too, but I can't recall if that was covered in our last session.
upvoted 0 times
...
Cordie
30 days ago
I thought it was the ParentProcessId_decimal and aid, but now I'm second-guessing myself after reviewing the material.
upvoted 0 times
...
Tasia
1 month ago
I remember practicing a similar question where we had to identify process IDs, so I feel like it's definitely about the process ID and aid, but which one?
upvoted 0 times
...
Larae
1 month ago
I think we need the ResponsibleProcessId_decimal and aid, but I'm not entirely sure if that's the right combination.
upvoted 0 times
...