ExamTopics Logo
Mail Us[email protected]
Menu
Crowdstrike Discussions
exam questions

Exam CCFH-202 All Questions

View all questions & answers for the CCFH-202 exam
Go to Exam

Exam CCFH-202 topic 1 question 16 discussion

Actual exam question from CrowdStrike's CCFH-202
Question #: 16
Topic #: 1
[All CCFH-202 Questions]

Which of the following queries will return the parent processes responsible for launching badprogram.exe?

  • A. [search (ParentProcess) where name=badprogram.exe ] | table ParentProcessName _time
  • B. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessId_decimal AS TargetProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
  • C. [search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time
  • D. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by examtopics3000 at Aug. 3, 2023, 6:37 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
alanalanalan
10 months ago
Selected Answer: B
Selected Answer: B
upvoted 1 times
...
five55
1 year, 1 month ago
Selected Answer: B
You need to combine the field the only way we can do with subsearch
upvoted 1 times
...
gr23
1 year, 4 months ago
B. To find "parent" you rename ParentProcessID_decimal to TargetProcessID_decimal
upvoted 1 times
...
Pipo12345
1 year, 4 months ago
Selected Answer: B
B is correct.
upvoted 1 times
...
joal23
1 year, 7 months ago
Is Letter B. The Parent Process is when rename ParentProcessId_decimal as TargetProcessId_decimal.
upvoted 2 times
...
Chiquitabandita
1 year, 8 months ago
Selected Answer: D
This query will return the parent processes responsible for launching badprogram.exe by using a subsearch to find the processrollup2 events where FileName is badprogram.exe, then renaming the TargetProcessld_decimal field to ParentProcessld_decimal and using it as a filter for the main search, then using stats to count the occurrences of each FileName by _time.
upvoted 2 times
kangaru
1 year, 3 months ago
By renaming TargetProcessld_decimal field to ParentProcessld_decimal, you pivot the targetprocess of badprogram.exe as the child and search for all child process launched by badprogram.exe instead, not the process that spawned badprogram.exe.
upvoted 1 times
...
...
Chiquitabandita
1 year, 8 months ago
Selected Answer: B
query filters for "badprogram.exe" and renames the ParentProcessId_decimal to TargetProcessId_decimal to find the parent processes associated with it. The "stats count by FileName _time" part of the query helps present the results effectively.
upvoted 1 times
...
examtopics3000
1 year, 9 months ago
Selected Answer: B
Sorry, correct answer is B
upvoted 3 times
...
examtopics3000
1 year, 9 months ago
For me, correct answer is D
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago