Answer is C (C. Via its ContextProcessId_decimal field).
Refer to the document "Falcon Documentation > Endpoint Security > Event Investigation > Hunting and Investigation". The example there is "Uncommon processes making network connections or DNS Requests":
aid=my-aid event_simpleName="DnsRequest" | rename ContextProcessId_decimal as TargetProcessId_decimal | join TargetProcessId_decimal [search aid=my-aid event_simpleName="ProcessRollup2" ImageFileName="*PROCESS"] | table ComputerName timestamp ImageFileName DomainName CommandLine
ContextProcessId_decimal is designed to capture the broader process context associated with the DNS request. This context can include the process that ultimately initiated the DNS resolution request, even if there were intermediary steps involved. This information is crucial for security analysts to understand which process is making external communication attempts and potentially identify malicious activity.
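To make the join in the query above concrete, here is an added example (not code from the page or from CrowdStrike) that runs the same logic in Python over a handful of constructed events. The field names follow the query; the hosts, process ids, paths and domains are made up. It filters ProcessRollup2 by aid and an ImageFileName glob, then matches each DnsRequest's ContextProcessId_decimal to a TargetProcessId_decimal. One caveat worth seeing in code: the key includes aid, because a process id is only unique per sensor, so joining on the id alone across hosts can pair a DNS request with the wrong process.

```python
import fnmatch

# Constructed sample telemetry (not real events). Two hosts share process id 1002
# on purpose, to show why aid must be part of the join key.
PROCESS_ROLLUP2 = [
    {"aid": "my-aid", "event_simpleName": "ProcessRollup2", "ComputerName": "WS01",
     "TargetProcessId_decimal": 1001,
     "ImageFileName": r"\Device\HarddiskVolume1\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"aid": "my-aid", "event_simpleName": "ProcessRollup2", "ComputerName": "WS01",
     "TargetProcessId_decimal": 1002,
     "ImageFileName": r"\Device\HarddiskVolume1\Users\bob\AppData\Local\Temp\updater.exe",
     "CommandLine": "updater.exe --silent"},
    {"aid": "other-aid", "event_simpleName": "ProcessRollup2", "ComputerName": "WS02",
     "TargetProcessId_decimal": 1002,
     "ImageFileName": r"\Device\HarddiskVolume1\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

DNS_REQUESTS = [
    {"aid": "my-aid", "event_simpleName": "DnsRequest", "timestamp": 1700000001,
     "ContextProcessId_decimal": 1002, "DomainName": "cdn.example-update.net"},
    {"aid": "my-aid", "event_simpleName": "DnsRequest", "timestamp": 1700000002,
     "ContextProcessId_decimal": 1001, "DomainName": "wpad.corp.example"},
    # No ProcessRollup2 for this id: an inner join drops it, as the query would.
    {"aid": "my-aid", "event_simpleName": "DnsRequest", "timestamp": 1700000003,
     "ContextProcessId_decimal": 9999, "DomainName": "orphan.example"},
]


def dns_by_process(process_events, dns_events, aid, image_glob="*"):
    """Python equivalent of the hunting query: restrict ProcessRollup2 to one aid
    and an ImageFileName glob, then join DnsRequest rows where
    ContextProcessId_decimal == TargetProcessId_decimal on the same aid.
    Returns the same columns the query's 'table' command selects."""
    procs = {}
    for ev in process_events:
        if ev["event_simpleName"] != "ProcessRollup2" or ev["aid"] != aid:
            continue
        # Case-insensitive glob, matching how a wildcard like "*updater.exe" is used.
        if not fnmatch.fnmatchcase(ev["ImageFileName"].lower(), image_glob.lower()):
            continue
        procs[(ev["aid"], ev["TargetProcessId_decimal"])] = ev

    rows = []
    for ev in dns_events:
        if ev["event_simpleName"] != "DnsRequest" or ev["aid"] != aid:
            continue
        proc = procs.get((ev["aid"], ev["ContextProcessId_decimal"]))
        if proc is None:
            continue  # inner join semantics: unmatched DNS requests are dropped
        rows.append({
            "ComputerName": proc["ComputerName"],
            "timestamp": ev["timestamp"],
            "ImageFileName": proc["ImageFileName"],
            "DomainName": ev["DomainName"],
            "CommandLine": proc["CommandLine"],
        })
    return rows


if __name__ == "__main__":
    for row in dns_by_process(PROCESS_ROLLUP2, DNS_REQUESTS, "my-aid", "*updater.exe"):
        print(row)
```

Run it with the glob "*updater.exe" and only the DNS request made by the Temp-directory binary comes back; with "*" both resolvable requests appear and the orphan (id 9999) is dropped, which is exactly the behaviour of the inner join in the query. The notepad.exe process on the other host has the same id 1002 but is never paired with the my-aid DNS request because aid is part of the key.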