CrowdStrike Exam CCFR-201 Topic 2 Question 38 Discussion

Actual exam question for CrowdStrike's CCFR-201 exam
Question #: 38
Topic #: 2

After pivoting to an event search from a detection, you locate the ProcessRollup2 event. Which two field values are you required to obtain to perform a Process Timeline search so you can determine what the process was doing?

Contribute your Thoughts:

Ryann
20 hours ago
I agree with Bettina, because the ParentProcessId_decimal is crucial for determining the process timeline.
upvoted 0 times
...
Margart
3 days ago
Hmm, I'm not so sure. Option D looks more appealing to me. Maybe the aid and TargetProcessId_decimal fields would be more useful for this task.
upvoted 0 times
...
Bettina
4 days ago
I think the answer is B) SHA256 and ParentProcessId_decimal.
upvoted 0 times
...
Emerson
4 days ago
I agree with Edison. The Process Timeline search requires the SHA256 and the ParentProcessId_decimal to determine what the process was doing.
upvoted 0 times
...
Edison
7 days ago
Option B seems to be the correct answer here. We need the SHA256 hash and the ParentProcessId_decimal to perform a Process Timeline search.
upvoted 0 times
Alonso
17 hours ago
That's correct, those are the two field values required for the Process Timeline search.
upvoted 0 times
...
Julene
2 days ago
I agree, we need the SHA256 hash and the ParentProcessId_decimal.
upvoted 0 times
...
...
