CrowdStrike Updated CCFH-202b Exam Questions and Answers by anya

To perform a complete and effective investigation into a specific process's behavior within the Falcon platform, an analyst must understand how the system correlates disparate telemetry events. The two primary keys for this correlation are TargetProcessId and ContextProcessId . These IDs act as the "Common Threads" that allow Search and Investigation Tools to reconstruct the full lifecycle of an execution.

When a process is first created, it generates a ProcessRollup2 event (or a SyntheticProcessRollup2 if it was already running). In this specific event, the process's unique identifier is recorded in the TargetProcessId field. However, all subsequent actions performed by that process—such as network connections (NetworkConnectIP4), file modifications (fswrite), or DNS lookups—do not use the TargetProcessId. Instead, they include a field called ContextProcessId , which "points" back to the original process ID. By selecting and filtering for both of these fields in a query, a hunter can successfully "join" the metadata of the process (its name, command line, and user) with the actual activities it performed. Selecting only one of these would result in an incomplete picture: you would see the process start but not what it did, or see various actions without knowing exactly which process was responsible for them. Mastering the relationship between Target and Context IDs is fundamental for pivoting through the process timeline.

To build effective and high-performance queries in Advanced Event Search , a hunter must have access to a definitive map of the telemetry captured by the sensor. The Falcon console docs serve as the primary repository for this information, specifically housing the Events Data Dictionary (also known as the Events Full Reference). This documentation is indispensable because it provides the technical specifications for every event type and field indexed within the platform.

Within the documentation, an analyst can find descriptions for fields like aid (Agent ID), aip (External IP), and the complex relationships between various Process IDs. Understanding these fields is critical for Hunting Analytics , as it prevents common errors, such as using a field that contains strings for a mathematical operation or confusing the ComputerName with the UserSid. Furthermore, the documentation often includes examples of how these fields are used in CrowdStrike Query Language (CQL) , allowing hunters to adapt existing templates to their specific needs. Relying on the official console documentation ensures that the hunter is using the most up-to-date definitions as new event types are added or existing ones are refined by CrowdStrike’s engineering teams, maintaining the accuracy and reliability of their investigations.

In Falcon's telemetry, the ContextProcessId is a "pointer" used by secondary events (like network connections, file writes, or registry changes) to identify the specific process that performed the action. To find the identity, metadata, and lineage of that process, a hunter must pivot back to the process creation events: ProcessRollup2 or SyntheticProcessRollup2 .

In these "Rollup" events, the unique identifier for the process being described is stored in the TargetProcessId field. Therefore, to correlate the network activity (where the ID is the context) with the process itself, you must search for that ID in the TargetProcessId field of the rollup events. Option A is incorrect because ParentProcessId would show you the children of the process, not the process itself. Option B is incorrect because ContextProcessId is generally used in action-based events (telemetry) rather than the definition-based rollup events.

By executing the query in Option D, the hunter retrieves the full process details—including the FileName, CommandLine, UserSid, and MD5/SHA256 hashes—for the exact process instance that generated the network connections. This is a fundamental step in Search and Investigation Tools usage, allowing the analyst to verify if a legitimate process (like a web browser) or a malicious one (like a dropped executable) is the source of the network traffic.