CrowdStrike Certified Falcon Responder (CCFR) — Question 24

After pivoting to an event search from a detection, you locate the ProcessRollup2 event. Which two field values are you required to obtain to perform a Process Timeline search so you can determine what the process was doing?

Answer options

• A. SHA256 and TargetProcessId_decimal
• B. SHA256 and ParentProcessId_decimal
• C. aid and ParentProcessId_decimal
• D. aid and TargetProcessId_decimal

Correct answer: D

Explanation

To perform a Process Timeline search effectively, you need the 'aid' and 'TargetProcessId_decimal' values. The 'aid' is essential for identifying the specific process instance, while the 'TargetProcessId_decimal' helps in tracking the actions of that process. The other options include fields that are not required for this specific search.