CrowdStrike Exam CCFR-201 Topic 1 Question 14 Discussion

Actual exam question for CrowdStrike's CCFR-201 exam
Question #: 14
Topic #: 1

You are reviewing the raw data in an event search from a detection tree. You find a FileOpenInfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?

Contribute your Thoughts:

Dean
1 month ago
Haha, this is a classic 'which two fields do you need' type of question. B is the obvious answer, but I'm chuckling at the thought of someone picking C and trying to do a timeline search on the 'ContextProcessId_decimal'. That would be a wild goose chase!
upvoted 0 times
Evette
9 days ago
C) ContextProcessId_decimal and aid
upvoted 0 times
...
Felix
10 days ago
B) ResponsibleProcessId_decimal and aid
upvoted 0 times
...
Cyril
17 days ago
A) ParentProcessId_decimal and aid
upvoted 0 times
...
...
Twanna
2 months ago
I think B is the way to go. The question is specifically asking about the fields needed to find other files opened by the responsible process, so that's the logical choice.
upvoted 0 times
Dana
1 day ago
Sounds good, let's see what other files were opened by the responsible process.
upvoted 0 times
...
Yong
2 days ago
Let's use those to perform a Process Timeline search.
upvoted 0 times
...
Peggie
5 days ago
I'm not sure, but I think D could also work. It's important to consider all possibilities when conducting a Process Timeline search.
upvoted 0 times
...
Loren
15 days ago
I think A might also be useful. It's always good to have multiple options when searching for information like this.
upvoted 0 times
...
Carlota
19 days ago
I agree, B is the correct choice. Those fields will help us track down other files opened by the responsible process.
upvoted 0 times
...
Luis
24 days ago
I agree, ResponsibleProcessId_decimal and aid are the fields needed.
upvoted 0 times
...
Lavera
1 month ago
I think B is the way to go.
upvoted 0 times
...
...
Sherell
2 months ago
Definitely B. The question is asking for the fields needed to perform a Process Timeline search, and the ResponsibleProcessId_decimal and aid are the key pieces of information.
upvoted 0 times
Harrison
2 months ago
Yes, I agree. Those are the key fields needed for a Process Timeline search.
upvoted 0 times
...
Iola
2 months ago
I think the answer is B) ResponsibleProcessId_decimal and aid.
upvoted 0 times
...
...
Alverta
2 months ago
Actually, I checked the documentation and it says we need ParentProcessId_decimal and aid for the search.
upvoted 0 times
...
Toi
2 months ago
The correct answer seems to be B) ResponsibleProcessId_decimal and aid. That's the information I need to find out what other files were opened by the process responsible for the FileOpenInfo event.
upvoted 0 times
Kathrine
19 days ago
I'm curious to see the results of the search based on those field values.
upvoted 0 times
...
Georgiann
1 month ago
Great, let's use that information to see what other files were opened.
upvoted 0 times
...
Leoma
1 month ago
Yes, you're right. Those are the field values needed for the Process Timeline search.
upvoted 0 times
...
Bo
2 months ago
I think the answer is B) ResponsibleProcessId_decimal and aid.
upvoted 0 times
...
...
Thurman
2 months ago
I disagree, I believe we need TargetProcessId_decimal and aid for the search.
upvoted 0 times
...
Alverta
2 months ago
I think we need ResponsibleProcessId_decimal and aid for Process Timeline search.
upvoted 0 times
...
