CrowdStrike Certified Falcon Hunter (CCFH) — Question 65
When searching for all events related to a specific process, which field(s) should be selected in a query from the Event Actions drop-down menu?
Answer options
- A. ContextProcessId_decimal
- B. timestamp
- C. Both TargetProcessId_decimal and ContextProcessId_decimal
- D. TargetProcessId_decimal
Correct answer: C
Explanation
The correct answer is C because selecting both TargetProcessId_decimal and ContextProcessId_decimal allows for a comprehensive search of all events related to the specific process. Options A and D are incomplete because each covers only one of the two process identifier fields, while option B is irrelevant because the timestamp does not identify the process being searched for.