Exam CCFR-201 All Questions
Question 13

You are reviewing the raw data in an event search from a detection tree. You find a FileOpenInfo event and want to find out if any other files were opened by the responsible process. Which two field values do you need from this event to perform a Process Timeline search?

    Correct Answer: C

    To find out if any other files were opened by the responsible process in a Process Timeline search, you need the ContextProcessId_decimal, which identifies the process that triggered the FileOpenInfo event, and the aid (Agent Identifier), which provides context for the specific endpoint. These two fields together allow you to track the activities of the responsible process across the timeline.
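The pivot the answer describes, shown as an added example that is not part of the original page or of CrowdStrike's own tooling: a small Python script over constructed records that mimic the shape of Falcon event-search output. Assumptions: the field names (event_simpleName, aid, ContextProcessId_decimal, TargetProcessId_decimal, TargetFileName, timestamp) follow the conventions used in the question; every aid, process id, timestamp and file name is made up; and the join rule applied (a process's own ProcessRollup2 record carries its id in TargetProcessId_decimal, while events that process generates carry the same id in ContextProcessId_decimal) is my understanding of the Falcon data model, not something the page itself states.

```python
"""Pivot from one FileOpenInfo event to the responsible process's timeline.

Added example; the records below are constructed, not real telemetry.
"""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample records in Falcon event-search style (assumed field names).
# Note the same process id 1234 appears on two different endpoints (aids):
# without the aid the pivot would mix the two processes together.
SAMPLE_EVENTS_JSON = r"""
[
 {"timestamp": "2024-05-01T10:00:00Z", "event_simpleName": "ProcessRollup2",
  "aid": "aaaa1111", "TargetProcessId_decimal": "1234",
  "ParentProcessId_decimal": "1000", "FileName": "winword.exe"},
 {"timestamp": "2024-05-01T10:00:05Z", "event_simpleName": "FileOpenInfo",
  "aid": "aaaa1111", "ContextProcessId_decimal": "1234",
  "TargetFileName": "C:\\Users\\alice\\report.docx"},
 {"timestamp": "2024-05-01T10:00:15Z", "event_simpleName": "FileOpenInfo",
  "aid": "aaaa1111", "ContextProcessId_decimal": "1234",
  "TargetFileName": "C:\\Users\\alice\\notes.txt"},
 {"timestamp": "2024-05-01T10:00:09Z", "event_simpleName": "DnsRequest",
  "aid": "aaaa1111", "ContextProcessId_decimal": "1234",
  "DomainName": "example.com"},
 {"timestamp": "2024-05-01T10:00:07Z", "event_simpleName": "FileOpenInfo",
  "aid": "aaaa1111", "ContextProcessId_decimal": "9999",
  "TargetFileName": "C:\\Temp\\other.log"},
 {"timestamp": "2024-05-01T10:00:12Z", "event_simpleName": "FileOpenInfo",
  "aid": "bbbb2222", "ContextProcessId_decimal": "1234",
  "TargetFileName": "C:\\Temp\\same-pid-other-host.txt"}
]
"""

Event = Dict[str, Any]


def load_events(raw_json: str) -> List[Event]:
    """Parse a JSON array of event records."""
    return json.loads(raw_json)


def pivot_fields(event: Event) -> Tuple[str, str]:
    """Return the two values the question asks for: (aid, ContextProcessId_decimal).

    A FileOpenInfo record has no TargetProcessId_decimal; the process that
    opened the file is referenced through ContextProcessId_decimal.
    """
    if event.get("event_simpleName") != "FileOpenInfo":
        raise ValueError("pivot_fields expects a FileOpenInfo event")
    return event["aid"], event["ContextProcessId_decimal"]


def process_timeline(events: List[Event], aid: str, pid: str) -> List[Event]:
    """All records on endpoint `aid` attributed to process `pid`, in time order.

    Assumed join rule: the process's own ProcessRollup2 carries the id in
    TargetProcessId_decimal; everything the process did carries it in
    ContextProcessId_decimal. Records from other endpoints are excluded even
    when the numeric process id collides.
    """
    def owned_by(e: Event) -> bool:
        if e.get("aid") != aid:
            return False
        if e.get("event_simpleName") == "ProcessRollup2":
            return e.get("TargetProcessId_decimal") == pid
        return e.get("ContextProcessId_decimal") == pid

    return sorted((e for e in events if owned_by(e)), key=lambda e: e["timestamp"])


def files_opened_by(events: List[Event], aid: str, pid: str) -> List[str]:
    """Sorted, de-duplicated list of files the process opened on that endpoint."""
    return sorted({
        e["TargetFileName"]
        for e in process_timeline(events, aid, pid)
        if e.get("event_simpleName") == "FileOpenInfo"
    })


def pivot_from_event(events: List[Event], event: Event) -> List[str]:
    """Start from one FileOpenInfo record and answer 'what else did it open?'."""
    aid, pid = pivot_fields(event)
    return files_opened_by(events, aid, pid)


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS_JSON)
    first_open = next(e for e in events if e["event_simpleName"] == "FileOpenInfo")
    aid, pid = pivot_fields(first_open)
    print(f"pivot on aid={aid} ContextProcessId_decimal={pid}")
    for e in process_timeline(events, aid, pid):
        detail = e.get("TargetFileName") or e.get("DomainName") or e.get("FileName")
        print(e["timestamp"], e["event_simpleName"], detail)
    print("files opened:", pivot_from_event(events, first_open))
```

Running it prints the four records belonging to process 1234 on endpoint aaaa1111 in timestamp order and the two files it opened; the FileOpenInfo from process 9999 and the one from the other endpoint with the same process id are left out, which is the reason both values are needed.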

Discussion
e6cb31b (Option: C)

Just checked the fields for event_simpleName=FileOpenInfo and there is no TargetProcessId_decimal. Correct answer is ContextProcessId_decimal. This field is in the output of this event. Also the question says what field do you need from the FileOpenInfo event, so the answer has to be ContextProcessId_decimal.

kangaru (Option: C)

#event_simpleName=FileOpenInfo does not have 'TargetProcessId' in its fields. ContextProcessId reflects more on the 'responsible process' that spawned the FileOpenInfo event.

alanalanalan (Option: C)

Answer: C. ContextProcessId_decimal and aid. Checked: #event_simpleName=FileOpenInfo does not have 'TargetProcessId' in its fields.

silva222222 (Option: B)

The previous response you provided is accurate and comprehensive. Here's a reiteration: B. ResponsibleProcessId_decimal and aid are the two field values you need from a FileOpenInfo event to perform a Process Timeline search and identify other files opened by the responsible process. Here's a breakdown of why these fields are crucial: ResponsibleProcessId_decimal: This field directly identifies the process that initiated the FileOpenInfo event, which is the process you want to investigate further. aid (Agent Identifier): This unique identifier for the endpoint provides context for the process and allows you to focus the Process Timeline search on the specific device where the file open occurred.

uday1985 (Option: D)

The tool requires two parameters: aid (agent ID) and TargetProcessId_decimal (the decimal value of the process ID). These fields can be obtained from any event that involves the process, such as a FileOpenInfo.

sbag0024 (Option: D)

I think this is D. I looked on the timeline and you need an AID, Target AID, and Parent ID.

mlobo (Option: D)

D, totally

Pipo12345 (Option: D)

It's D