CrowdStrike Certified Falcon Hunter (CCFH) — Question 57

The Process Timeline Events Details table will populate the Parent Process ID and the Parent File columns when the cloudable Event data contains which event field?

Answer options

• A. ContextProcessId_decimal
• B. RawProcessId_decimal
• C. ParentProcessId_decimal
• D. RpcProcessId_decimal

Correct answer: C

Explanation

The correct answer is C, as the ParentProcessId_decimal field explicitly provides the necessary information to populate the Parent Process ID and Parent File columns. Options A, B, and D do not contain the relevant parent process information, thus they cannot be used to populate those specific columns.