CrowdStrike Certified Falcon Hunter (CCFH) — Question 9

Which field should you reference in order to find the system time of a *FileWritten event?

Answer options

• A. ContextTimeStamp_decimal
• B. FileTimeStamp_decimal
• C. ProcessStartTime_decimal
• D. timestamp

Correct answer: A

Explanation

The correct answer is A, ContextTimeStamp_decimal, because it specifically records the system time for events like *FileWritten. The other options do not pertain to this specific event's system time, with FileTimeStamp_decimal often relating to the file's metadata and the others referring to different timestamps altogether.