CrowdStrike Certified Falcon Administrator (CCFA) — Question 125
Your development team is working on a new enterprise application, but Falcon starts creating alerts during testing. The alert points to "C:\Users\Bob\DevCode\felix.dll". In the detection, you see that it's triggering only on a specific Falcon IOA. What would be the best course of action for this situation?
Answer options
- A. Create a sensor visibility exclusion for "C:\Users\Bob\DevCode\felix.dll"
- B. Create an IOA exclusion for "C:\Users\Bob\DevCode\felix.dll"
- C. Create a Custom IOC and set it to "Allow" for "C:\Users\Bob\DevCode\felix.dll"
- D. Manually turn off the built-in IOA through prevention policies
Correct answer: B
Explanation
Creating an IOA exclusion for "C:\Users\Bob\DevCode\felix.dll" is the best course of action, as it specifically targets the IOA triggering the alerts without affecting other potential detections. The other options either do not address the specific IOA or could compromise the overall security posture by allowing unwanted behavior.