CCFR-201 Free Practice Test

You receive an email from a third-party vendor that one of their services is compromised, thevendor names a specific IP address that the compromised service was using. Where would you input this indicator to find any activity related to this IP address?

1. A. IP Addresses
2. B. Remote or Network Logon Activity
3. C. Remote Access Graph
4. D. Hash Executions

Correct Answer: A
According to the [CrowdStrike website], the Discover page is where you can search for and analyze various types of indicators of compromise (IOCs), such as hashes, IP addresses, or domains that are associated with malicious activities. You can use various tools, such as Hash Executions, IP Addresses, Remote or Network Logon Activity, etc., to perform different types of searches and view the results in different ways. If you want to search for any activity related to an IP address that was compromised by a third-party vendor, you can use the IP Addresses tool to do so. You can input the IP address and see a summary of information from Falcon events that contain that IP address, such as hostname, sensor ID, OS, country, city, ISP, ASN, geolocation, process name, command line, and organizational unit of the host that communicated with that IP address.

You found a list of SHA256 hashes in an intelligence report and search for them using the Hash Execution Search. What can be determined from the results?

1. A. Identifies a detailed list of all process executions for the specified hashes
2. B. Identifies hosts that loaded or executed the specified hashes
3. C. Identifies users associated with the specified hashes
4. D. Identifies detections related to the specified hashes

Correct Answer: B
According to the CrowdStrike Falcon Devices Add-on for Splunk Installation and Configuration Guide v3.1.5+, the Hash Execution Search tool allows you to search for one or more SHA256 hashes and view a summary of information from Falcon events that contain those hashes1. The summary includes the hostname, sensor ID, OS, country, city, ISP, ASN, and geolocation of the host that loaded or executed those hashes1. You can also see a count of detections and incidents related to those hashes1.