CrowdStrike Certified Falcon Administrator (CCFA) — Question 159
There are a significant number of false positive detections from your developers that are getting blocked and quarantined by Falcon.
What Indicator of Compromise (IOC) action would be the best option?
Answer options
- A. No_action (displayed as None in the console)
- B. Allow (displayed as Allow in the console)
- C. Detect Only (displayed as Detect only in the console)
- D. Prevent (displayed as Blocked in the console)
Correct answer: C
Explanation
The best option is 'Detect Only' because it keeps generating detections for the matching activity without blocking or quarantining it, so the developers' work is no longer interrupted while the alerts remain visible for review and the genuine false positives can be identified. The other options either still block the activity (Prevent) or let it through with no monitoring at all (Allow, No_action), neither of which addresses the false-positive problem effectively.