CrowdStrike Certified Falcon Administrator (CCFA) — Question 153
Which statement is TRUE regarding disabling detections on a host?
Answer options
- A. Hosts with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed
- B. Hosts with detections disabled will not alert on anything until detections are enabled again
- C. Hosts with detections disabled will not alert on blocklisted hashes or machine learning detections, but will still alert on IOA-based detections. It will remain that way until detections are enabled again
- D. Hosts cannot have their detections disabled individually
Correct answer: B
Explanation
The correct answer is B because once detections are disabled on a host, that host generates no alerts at all until detections are re-enabled; the setting does not expire on its own. Option A is incorrect because it describes the disabled state as expiring after a default 24-hour period, which is not how the setting behaves. Option C is incorrect because it suggests that IOA-based alerts would still be generated while detections are disabled; no alerts of any type are generated. Option D is wrong because detections can indeed be disabled on individual hosts.