Exam CCFH-202
Question 58

During an investigation you find out that files are being written to disk by a malicious process. While many are displayed in the detections as context items, you want to see all files written to your host by this process.

What Splunk search would work for this scenario?

Correct Answer: A

To identify all files written by a specific malicious process, you should use the relevant event type and the correct process identifier field. The search query 'event_simpleName=*written ComputerName=MyPC ContextProcessId_decimal=0123456789' will display all files written by the process with the given ID running on MyPC. The wildcard 'event_simpleName=*written' matches the file-written event types, 'ComputerName' scopes the search to the host, and 'ContextProcessId_decimal' filters to the process that performed the writes, which is the source process the question refers to.

Discussion
kangaru (Option: A)

C is wrong. TargetProcessId_decimal is not a valid field in *FileWritten events. You would use ContextProcessId to trace back its spawner.

e4e38c0 (Option: D)

C is wrong, as the question is specifically asking for Context and not the created one.