CCFR-201 Exam - Question 3

It's responsible process is referred using ContextProcessId_demical

ContextProcessId_decimal is designed to capture the broader process context associated with the DNS request. This context can include the process that ultimately initiated the DNS resolution request, even if there were intermediary steps involved. This information is crucial for security analysts to understand which process is making external communication attempts and potentially identify malicious activity.

correct is D

D is correct. TargetprocessID_d is always the one responsible for the action.

Answer is C, C. Via its ContextProcessId_decimal field Refer to the document "Falcon Documentation > Endpoint Security > Event Investigation > Hunting and Investigation", the example is : Uncommon processes making network connections or DNS Requests : aid=my-aid event_simpleName="DnsRequest" | rename ContextProcessId_decimal as TargetProcessId_decimal | join TargetProcessId_decimal [search aid=my-aid event_simpleName="ProcessRollup2" ImageFileName="*PROCESS"] | table ComputerName timestamp ImageFileName DomainName CommandLine

Answer is C, C. Via its ContextProcessId_decimal field Refer to the document "Falcon Documentation > Endpoint Security > Event Investigation > Hunting and Investigation", the example is : Uncommon processes making network connections or DNS Requests : aid=my-aid event_simpleName="DnsRequest" | rename ContextProcessId_decimal as TargetProcessId_decimal | join TargetProcessId_decimal [search aid=my-aid event_simpleName="ProcessRollup2" ImageFileName="*PROCESS"] | table ComputerName timestamp ImageFileName DomainName CommandLine

Answer is C