Independence Day Deal! Unlock 25% OFF Today – Limited-Time Offer - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location PL
Mob_nav_barsMENU

CrowdStrike Exam CCFH-202 Topic 6 Question 40 Discussion

Actual exam question for CrowdStrike's CCFH-202 exam
Question #: 40
Topic #: 6
[All CCFH-202 Questions]

Which of the following queries will return the parent processes responsible for launching badprogram exe?

Show Suggested Answer Hide Answer
Suggested Answer: D

This query will return the parent processes responsible for launching badprogram.exe by using a subsearch to find the processrollup2 events where FileName is badprogram.exe, then renaming the TargetProcessld_decimal field to ParentProcessld_decimal and using it as a filter for the main search, then using stats to count the occurrences of each FileName by _time. The other queries will either not return the parent processes or use incorrect field names or syntax.


by Maryrose at Mar 21, 2025, 09:34 PM

Limited Time Offer

25%

Off

Get Premium CCFH-202 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Sharen
2 months ago
I see your point, but I still think D) event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessld_decimal AS ParentProcessld_decimal | fields aid TargetProcessld_decimal] | stats count by FileName _time is the best option
upvoted 0 times
...
Martha
2 months ago
But query C) [search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time seems more logical to me
upvoted 0 times
...
Sharen
2 months ago
I disagree, I believe the answer is B) event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessld_decimal AS TargetProcessld_decimal | fields aid TargetProcessld_decimal] | stats count by FileName _time
upvoted 0 times
...
Ryan
3 months ago
Haha, imagine if the bad program was called 'badprogram.exe'. That's like something out of a bad movie. Anyway, I think Option C is the way to go - it's the most direct approach.
upvoted 0 times
...
Jannette
3 months ago
Option D seems to have the right idea, but the field names are a bit confusing. I'd prefer something more straightforward like ParentProcessId.
upvoted 0 times
Rory
2 months ago
Maybe we can try Option A and see if it gives us the information we need.
upvoted 0 times
...
Josephine
2 months ago
I think Option B might be a good choice as well.
upvoted 0 times
...
Selma
2 months ago
I agree, Option D does seem to be on the right track.
upvoted 0 times
...
...
Martha
3 months ago
I think the correct query is A) [search (ParentProcess) where name=badprogranrexe ] | table ParentProcessName _time
upvoted 0 times
...
Tennie
3 months ago
Option A looks promising, but I'm not sure if it includes the full details we need. I'd like to see the ParentProcessName as well as the timestamp.
upvoted 0 times
Veta
3 months ago
Let's go with option A then.
upvoted 0 times
...
Lawrence
3 months ago
I agree, we need the ParentProcessName and timestamp.
upvoted 0 times
...
Leota
3 months ago
I think option A is the best choice.
upvoted 0 times
...
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77