Examice

Exam CCFR-201 All QuestionsBrowse all questions from this exam

Go to Exam

Question 36

When examining raw event data, what is the purpose of the field called ParentProcessId_decimal?

It contains an internal value not useful for an investigation

It contains the TargetProcessId_decimal value of the child process

It contains the SensorId_decimal value for related events

It contains the TargetProcessId_decimal of the parent process

Correct Answer: D

The purpose of the field called ParentProcessId_decimal is to contain the TargetProcessId_decimal of the parent process. This field helps in identifying the parent process that spawned the current process, which is critical information during an investigation to understand the process hierarchy and root cause.

Discussion

AcrbyOption: D

I checked from the UI. Targetprocessid and contexProcessId always the same.

kangaruOption: D

Given two processes ProcessRollup2 where the PR2-1 spawns PR2-2, The TargetProcessId of PR2-1 is equal to the ParentProcessId of PR2-2.

lightmagentaOption: A

correct answer is A