CrowdStrike Certified Falcon Responder (CCFR) — Question 28
When examining a raw DNS request event, you see a field called ContextProcessId_decimal. What is the purpose of that field?
Answer options
- A. It contains the TargetProcessId_decimal value for other related events
- B. It contains an internal value not useful for an investigation
- C. It contains the ContextProcessId decimal value for the parent process that made the DNS request
- D. It contains the TargetProcessId_decimal value for the process that made the DNS request
Correct answer: D
Explanation
The correct answer is D: the ContextProcessId_decimal field contains the TargetProcessId_decimal value of the process that made the DNS request, so it identifies that process. Options A and C are incorrect because they refer to different process IDs that are not relevant to the DNS request itself, and option B is incorrect because the value is useful for investigations.