Exam CCFR-201 topic 1 question 26 discussion

Actual exam question from CrowdStrike's CCFR-201
Question #: 26
Topic #: 1

When examining a raw DNS request event, you see a field called ContextProcessId_decimal. What is the purpose of that field?

  • A. It contains the TargetProcessId_decimal value for other related events
  • B. It contains an internal value not useful for an investigation
  • C. It contains the ContextProcessId decimal value for the parent process that made the DNS request
  • D. It contains the TargetProcessId_decimal value for the process that made the DNS request
Suggested Answer: D

Comments

evilCorpBot7494
3 weeks, 6 days ago
Selected Answer: D
According to the Event Data Dictionary, the ContextProcessID is "the unique ID of a process that was spawned by another process. For example, if Process 1 spawns Process 2, the TargetProcessId of Process 1 will match the ContextProcessId of Process 2." So the answer would be D, as the Context process ID of the DNS request would be the same value as the target process ID of the process that generated the DNS request.
upvoted 1 times
alanalanalan
7 months, 1 week ago
Selected Answer: D
agree with D
upvoted 1 times
kangaru
10 months, 2 weeks ago
Selected Answer: D
ContextProcessId of DnsRequest event is equal to the TargetProcessId of the event that spawned the DnsRequest event.
upvoted 1 times
VasiOnCacao
1 year ago
Actually, here I also think it might be D. Look at this Reddit post - https://www.reddit.com/r/crowdstrike/comments/hr1kyb/rename_contextprocessid_decimal_as/. In other words, ContextProcessId is generated to enrich the TargetProcessId event and has the same value. The main event won't contain a ContextProcessId event, but a TargetProcessId.
upvoted 1 times
sbag0024
11 months ago
Not sure about D for this one; it says TargetProcessID, NOT TargetProcessId_decimal. Both TargetProcessId and TargetProcessId_decimal are different things. I don't see a correct answer here?
upvoted 1 times
sbag0024
11 months ago
Actually might be C.
upvoted 1 times
sbag0024
11 months ago
Not sure on this one.
upvoted 1 times
wildbandana
1 year ago
I think it is D
upvoted 1 times
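
The relationship discussed in this thread, shown as an added example that is not part of any comment or of CrowdStrike's own material: each DnsRequest is attributed to the process whose TargetProcessId_decimal equals the request's ContextProcessId_decimal. The ProcessRollup2 event name, the aid, ImageFileName and DomainName fields, and keying the join per host are assumptions not stated in the thread; all sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry).
EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "host-a",
     "TargetProcessId_decimal": "1001", "ImageFileName": "chrome.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "host-a",
     "TargetProcessId_decimal": "1002", "ImageFileName": "powershell.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "host-b",
     "TargetProcessId_decimal": "1001", "ImageFileName": "outlook.exe"},
    {"event_simpleName": "DnsRequest", "aid": "host-a",
     "ContextProcessId_decimal": "1002", "DomainName": "updates.example.test"},
    {"event_simpleName": "DnsRequest", "aid": "host-b",
     "ContextProcessId_decimal": "1001", "DomainName": "mail.example.test"},
    {"event_simpleName": "DnsRequest", "aid": "host-a",
     "ContextProcessId_decimal": "9999", "DomainName": "orphan.example.test"},
]


def attribute_dns(events):
    """Join DnsRequest.ContextProcessId_decimal to the process event with the
    same TargetProcessId_decimal. The key includes aid (assumption: process
    IDs are only meaningful within one host)."""
    procs = {}
    for ev in events:
        if ev.get("event_simpleName") == "ProcessRollup2":
            procs[(ev["aid"], ev["TargetProcessId_decimal"])] = ev

    by_process = defaultdict(list)
    unattributed = []  # DNS requests whose process event is not in the data set
    for ev in events:
        if ev.get("event_simpleName") != "DnsRequest":
            continue
        proc = procs.get((ev["aid"], ev["ContextProcessId_decimal"]))
        if proc is None:
            unattributed.append(ev["DomainName"])
        else:
            key = (proc["aid"], proc["ImageFileName"])
            by_process[key].append(ev["DomainName"])
    return dict(by_process), unattributed


if __name__ == "__main__":
    attributed, orphans = attribute_dns(EVENTS)
    for (aid, image), domains in attributed.items():
        print(aid, image, domains)
    print("no process event found for:", orphans)
```

The same ID value 1001 appears on two hosts in the sample, which is why the lookup is keyed on the host as well as the process ID.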