CrowdStrike Certified Falcon Responder (CCFR) — Question 11

After running an Event Search, you can select many Event Actions depending on your results. Which of the following is NOT an option for any Event Action?

Answer options

• A. Draw Process Explorer
• B. Show a +/- 10-minute window of events
• C. Show a Process Timeline for the responsible process
• D. Show Associated Event Data (from TargetProcessId_decimal or ContextProcessId decimal)

Correct answer: C

Explanation

The correct answer is C because showing a Process Timeline is not an option offered for Event Actions. The other options, such as drawing the Process Explorer and displaying event windows or associated data, are valid actions that can be performed after an Event Search.