After pivoting to an event search from a detection, you locate the ProcessRollup2 event. Which two field values are you required to obtain to perform a Process Timeline search so you can determine what the process was doing?
To perform a Process Timeline search, you need to know the specific agent identifier, which is the 'aid' field, and the identifier of the process being targeted, which is the 'TargetProcessId_decimal' field. These two pieces of information are crucial to accurately trace and investigate what actions the process was performing.
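As an added example that is not part of the original post, the pivot described in this answer worked through in Python over constructed sample events: take the ProcessRollup2 event, pull out the `aid` and `TargetProcessId_decimal` values, then select the events that make up that process's timeline. The event records are constructed, and the assumption that activity events carry the emitting process's ID in `ContextProcessId_decimal` (and child spawns in `ParentProcessId_decimal`) is the example's own, not something stated on this page.

```python
# Added example: pivot from a ProcessRollup2 event to a Process Timeline keyed on
# aid + TargetProcessId_decimal. Sample events are constructed, not real telemetry.
from typing import Dict, List, Optional, Tuple

# Constructed events. TargetProcessId_decimal 1234 is deliberately reused on a
# second host (aid bbbb2222) to show why aid alone or PID alone is not enough.
EVENTS: List[Dict[str, str]] = [
    {"event_simpleName": "ProcessRollup2", "aid": "aaaa1111",
     "TargetProcessId_decimal": "1234", "ParentProcessId_decimal": "99",
     "FileName": "powershell.exe"},
    {"event_simpleName": "DnsRequest", "aid": "aaaa1111",
     "ContextProcessId_decimal": "1234", "DomainName": "example.test"},
    {"event_simpleName": "NetworkConnectIP4", "aid": "aaaa1111",
     "ContextProcessId_decimal": "1234", "RemoteAddressIP4": "203.0.113.5"},
    {"event_simpleName": "ProcessRollup2", "aid": "aaaa1111",
     "TargetProcessId_decimal": "5678", "ParentProcessId_decimal": "1234",
     "FileName": "whoami.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "bbbb2222",
     "TargetProcessId_decimal": "1234", "ParentProcessId_decimal": "7",
     "FileName": "notepad.exe"},
    {"event_simpleName": "DnsRequest", "aid": "bbbb2222",
     "ContextProcessId_decimal": "1234", "DomainName": "other.test"},
]


def pivot_keys(rollup: Dict[str, str]) -> Tuple[str, str]:
    """Return the (aid, TargetProcessId_decimal) pair a Process Timeline needs.

    Raises ValueError if the event is not a ProcessRollup2 or lacks either field,
    so a mis-pivot from the wrong event type fails loudly instead of silently.
    """
    if rollup.get("event_simpleName") != "ProcessRollup2":
        raise ValueError("pivot must start from a ProcessRollup2 event")
    aid = rollup.get("aid")
    pid = rollup.get("TargetProcessId_decimal")
    if not aid or not pid:
        raise ValueError("ProcessRollup2 is missing aid or TargetProcessId_decimal")
    return aid, pid


def process_timeline(events: List[Dict[str, str]], aid: str, pid: str,
                     require_aid: bool = True) -> List[Dict[str, str]]:
    """Select the events that belong to one process on one host.

    A record is part of the timeline when pid appears as the process itself
    (TargetProcessId_decimal), as the emitter of an activity event
    (ContextProcessId_decimal, an assumed field name), or as the parent of a
    spawned child (ParentProcessId_decimal). require_aid=False shows what goes
    wrong when the host scope is dropped: PIDs collide across hosts.
    """
    out: List[Dict[str, str]] = []
    for ev in events:
        if require_aid and ev.get("aid") != aid:
            continue
        if pid in (ev.get("TargetProcessId_decimal"),
                   ev.get("ContextProcessId_decimal"),
                   ev.get("ParentProcessId_decimal")):
            out.append(ev)
    return out


def timeline_summary(events: List[Dict[str, str]]) -> List[str]:
    """Compact one-line-per-event view of what the process was doing."""
    lines = []
    for ev in events:
        detail: Optional[str] = (ev.get("FileName") or ev.get("DomainName")
                                 or ev.get("RemoteAddressIP4"))
        lines.append(f"{ev['event_simpleName']}: {detail}")
    return lines


if __name__ == "__main__":
    aid, pid = pivot_keys(EVENTS[0])
    scoped = process_timeline(EVENTS, aid, pid)
    unscoped = process_timeline(EVENTS, aid, pid, require_aid=False)
    print(f"pivot keys: aid={aid} TargetProcessId_decimal={pid}")
    print(f"{len(scoped)} events with aid, {len(unscoped)} without (PID collision)")
    for line in timeline_summary(scoped):
        print("  ", line)
```

Run as a script it prints the two pivot values, then four scoped events for the powershell.exe process versus six when the aid constraint is dropped, which is the whole reason the search requires both fields rather than the process ID alone.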
The correct answer is D. You need AID and Target ProcessID. You can also use Parent Process ID, but it's not needed, as it's filled in with an (*).
Correct answer is A.