Examice

Exam CCFH-202 All QuestionsBrowse all questions from this exam

Question 55

What is the purpose of the rename command in this query?

event_simpleName=ProcessRollup2 [search event_simpleName=ProcessRollup2 FileName=excel.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid ParentProcessId_decimal] | stats count by FileName CommandLine

It runs a sub-search to locate all detections where excel.exe was blocked

It renames a field to drive the main search in order to locate all children processes of excel.exe

It joins all combinations of parent / children processes involving excel.exe

It renames a field to drive the main search in order to locate all parent processes of excel.exe

Correct Answer: D

The rename command changes the field name TargetProcessId_decimal to ParentProcessId_decimal within the sub-search. This helps in driving the main search to identify all parent processes of excel.exe by linking them with the renamed field. The main search then uses this renamed field to correlate and find the relevant information.

Discussion

gr23Option: B

B. To find the parent process you rename ParentProcessID_decimal to TargetProcessID_decimal. To find the the child you rename TargetProcessID_decimal As ParentProcessID_decimal.

Pipo12345Option: B

B is correct >>> A similar example from internal Crowdstrike docs: event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName=winlogon.exe | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid ParentProcessId_decimal] | stats count by FileName CommandLine Explanation: Show all children of a process (e.g.winlogon.exe) – Looking for typical children of a process, to see outliers

SunaperiOption: D

d is correct