Score Higher on Verified CCFH-202b | CrowdStrike Certified Falcon Hunter Exam Questions with Answers

In Falcon's telemetry, the ContextProcessId is a "pointer" used by secondary events (like network connections, file writes, or registry changes) to identify the specific process that performed the action. To find the identity, metadata, and lineage of that process, a hunter must pivot back to the process creation events: ProcessRollup2 or SyntheticProcessRollup2 .

In these "Rollup" events, the unique identifier for the process being described is stored in the TargetProcessId field. Therefore, to correlate the network activity (where the ID is the context) with the process itself, you must search for that ID in the TargetProcessId field of the rollup events. Option A is incorrect because ParentProcessId would show you the children of the process, not the process itself. Option B is incorrect because ContextProcessId is generally used in action-based events (telemetry) rather than the definition-based rollup events.

By executing the query in Option D, the hunter retrieves the full process details—including the FileName, CommandLine, UserSid, and MD5/SHA256 hashes—for the exact process instance that generated the network connections. This is a fundamental step in Search and Investigation Tools usage, allowing the analyst to verify if a legitimate process (like a web browser) or a malicious one (like a dropped executable) is the source of the network traffic.

In the context of Hunting Analytics , identifying the exploitation of CVE-2021-44228 (Log4j) requires looking for specific patterns associated with the Java Naming and Directory Interface (JNDI). The vulnerability allows an attacker to send a specially crafted string—often via an HTTP header or input field—that the Log4j library then parses and executes, leading to a remote JNDI lookup and subsequent code execution.

The event #event_simpleName=ScriptControlDetectInfo is particularly effective for this hunt because it provides visibility into the actual scripts and commands being interpreted and executed by the system. By searching the ScriptContent field for the regex /.*jndi:\w{1,5}:?\}?\/\/.*\}/i, a hunter can identify the tell-tale signature of a Log4j exploit payload, such as ${jndi:ldap://...}. While Option B targets the HttpRequestHeader, this requires specific network-level visibility that might not always be present or indexed in the same way as script execution telemetry. The ScriptControlDetectInfo event captures the payload when it interacts with the underlying system's script engines, providing a more definitive link between the exploit attempt and the resulting malicious activity on the Linux host. Using this granular level of visibility allows hunters to distinguish between a simple probe (network level) and an active exploitation attempt where the malicious string is being processed by the application's runtime environment.

Within the suite of Search and Investigation Tools , the Indicator graph is a powerful visualization feature designed to uncover the relationships between different malicious artifacts. While a "Process tree view" shows the parent-child execution lineage on a single host, the Indicator graph provides a multi-dimensional, global view of how a specific Indicator of Compromise (IOC)—such as a file hash (MD5/SHA256), a domain, or an IP address—is connected to other entities across the entire environment.

For a hunter, this graphical view is invaluable for identifying the "blast radius" of a threat. If a malicious file is loaded, the Indicator graph can visually map out every host that has seen that hash, any network connections that process made, and any other files dropped by that process. It essentially "connects the dots" by showing a spider-web of activity. This allows for rapid identification of lateral movement or shared infrastructure used by an adversary. Instead of manually correlating lists of hashes and IPs, the hunter can see the entire campaign structure at a glance. This tool is critical during the "Scoping" phase of an incident, as it helps ensure that no part of the attacker's infrastructure is missed during the remediation process, providing a much broader context than a standard flat search.