Which of the following queries will return the parent processes responsible for launching badprogram.exe?

A. [search (ParentProcess) where name=badprogram.exe ] | table ParentProcessName _time
B. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessId_decimal AS TargetProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
C. [search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time
D. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time

Answer: D

Explanation:

This query returns the parent processes responsible for launching badprogram.exe by using a subsearch to find the processrollup2 events where FileName is badprogram.exe, renaming the TargetProcessId_decimal field to ParentProcessId_decimal and using it as a filter for the main search, and then using stats to count the occurrences of each FileName by _time. The other queries either do not return the parent processes or use incorrect field names or syntax.

Reference: https://www.crowdstrike.com/blog/tech-center/process-rollup-in-crowdstrike-falcon/

Latest CCFH-202 Dumps Valid Version with 60 Q&As