CrowdStrike Exam CCFR-201 Topic 1 Question 14 Discussion

Actual exam question for CrowdStrike's CCFR-201 exam

Question #: 14
Topic #: 1

You are reviewing the raw data in an event search from a detection tree. You find a FileOpenlnfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?

AParentProcessld_decimal and aid

BResponsibleProcessld_decimal and aid

CContextProcessld_decimal and aid

DTargetProcessld_decimal and aid

Show Suggested Answer

Suggested Answer: C

According to theCrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, a DNSRequest event contains information about a DNS query made by a process2.The event has several fields, such as DomainName, QueryType, QueryResponseCode, etc2.The field that links a DNSRequest event to its responsible process is ContextProcessId_decimal, which contains the decimal value of the process ID of the process that generated the event2.You can use this field to trace the process lineage and identify malicious or suspicious activities2.

by Gwenn at May 23, 2024, 08:35 PM

Limited Time Offer

25%

Off

Get Premium CCFR-201 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Alverta

1 days ago

I think we need ResponsibleProcessld_decimal and aid for Process Timeline search.

upvoted 0 times

...