CrowdStrike Certified Falcon Responder (CCFR) — Question 54

You are reviewing the raw data in an event search from a detection tree. You find a FileOpenInfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?

Answer options

• A. ParentProcessId_decimal and aid
• B. ResponsibleProcessId_decimal and aid
• C. ContextProcessId_decimal and aid
• D. TargetProcessId_decimal and aid

Correct answer: C

Explanation

The correct answer is C, as the ContextProcessId_decimal is essential to pinpoint the specific context of the process during the event. The other options either reference different process IDs or do not provide the necessary context for the timeline search.