CrowdStrike Certified Falcon Hunter (CCFH) — Question 18

What is the purpose of the rename command in this query?

event_simpleName=ProcessRollup2 [search event_simpleName=ProcessRollup2 FileName=excel.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid ParentProcessId_decimal] | stats count by FileName CommandLine

Answer options

• A. It runs a sub-search to locate all detections where excel.exe was blocked
• B. It renames a field to drive the main search in order to locate all children processes of excel.exe
• C. It joins all combinations of parent / children processes involving excel.exe
• D. It renames a field to drive the main search in order to locate all parent processes of excel.exe

Correct answer: B

Explanation

The correct answer B is accurate because the rename command is used to change the TargetProcessId_decimal field to ParentProcessId_decimal, which is essential for identifying child processes of excel.exe. The other options do not correctly reflect the purpose of the rename command or misinterpret its function in the context of the query.