Which of the following queries will return the parent processes responsible for launching badprogram exe?

A. [search (ParentProcess) where name=badprogram.exe ] | table ParentProcessName _time
B. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename ParentProcessId_decimal AS TargetProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time
C. [search (ProcessList) where Name=badprogram.exe ] | search ParentProcessName | table ParentProcessName _time
D. event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=badprogram.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid TargetProcessId_decimal] | stats count by FileName _time

Answer: D

Explanation:

This query returns the parent processes responsible for launching badprogram.exe. The subsearch finds the processrollup2 events where FileName is badprogram.exe, renames the TargetProcessId_decimal field to ParentProcessId_decimal, and passes the result to the main search as a filter; stats then counts the occurrences of each FileName by _time. The other queries either do not return the parent processes or use incorrect field names or syntax.

Reference: https://www.crowdstrike.com/blog/tech-center/process-rollup-in-crowdstrike-falcon/

Latest CCFH-202 Dumps Valid Version with 60 Q&As