crowdstrike · CCFR-201 · Q428 · multiple_choice · topic_1

You are reviewing the raw data in an event search from a detection tree. You find a FileOpenInfo event and want to find…

You are reviewing the raw data in an event search from a detection tree. You find a FileOpenInfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?

A.ParentProcessId_decimal and aid
B.ResponsibleProcessId_decimal and aid
C.ContextProcessId_decimal and aid
D.TargetProcessId_decimal and aid

Explanation

Selected Answer: C Just checked the fields for event_simpleName=FileOpenInfo and there is no TargetProcessId_decimal. Correct answer is ContextProcessId_decimal. This field is in the output of this event. Also the question says what field do you need from the FileOpenInfo event, so answer has to be ContextProcessId_decimal.

Reference: examtopics_top_comment

Practice with progress tracking

Sign in to track wrong answers, get spaced-repetition reminders, and run timed exam mode.

Start tracked practice Pricing