CrowdStrike Certified Falcon Hunter (CCFH) — Question 25

During an investigation you find out that files are being written to disc by a malicious process. While many are displayed in the detections as context items, you want to see all files written to your host by this process.

What Splunk search would work for this scenario?

Answer options

• A. event_simpleName=*written ComputerName=MyPC ContextProcessId_decimal=0123456789
• B. event_simpleName=*processrollup* ComputerName=MyPC TargetProcessId_decimal=0123456789
• C. event_simpleName=*written ComputerName=MyPC TargetProcessId_decimal=0123456789
• D. event_simpleName=*processrollup* ComputerName=MyPC ContextProcessId_decimal=0123456789

Correct answer: A

Explanation

The correct answer, A, correctly specifies the search for events where files are written, using the ContextProcessId to filter results for the specific malicious process. Options B and D focus on process rollup events, which do not directly indicate file writing activity. Option C, while close, uses the TargetProcessId instead of the ContextProcessId, which is not the correct identifier for this scenario.