CrowdStrike Certified Falcon Administrator (CCFA) — Question 166
You have 100 hashes that have been prohibited by management and need to be blocked within your organization.
Using Falcon, what is the best way to accomplish this?
Answer options
- A. Navigate to Configure > IOC Management. Inside this dashboard, add a custom Prevention Policy. Add the list of hashes. Set the action to Block. Verify the policy includes Custom Execution Blocking.
- B. Navigate to Configure > Prevention policies. Inside this dashboard, add an IOC Policy. Add the list of hashes as a CSV file. Set the action to “Block.” Verify the option for Custom Execution Blocking is active.
- C. Navigate to Configure > IOC Management. Inside this dashboard, add a custom IOC. Add the list of hashes. Set the action to Block. Verify the prevention policy includes Custom Blocking under Execution Blocking.
- D. Navigate to Configure > Prevention policies. Inside this dashboard, add an IOC Policy. Add the list of hashes as a CSV file. Set the action to “Block and Alert.” Verify the option for Custom Blocking inside Execution Blocking is active.
Correct answer: C
Explanation
Option C is correct: it uses Configure > IOC Management to add a custom IOC with the list of hashes and the action set to Block, then verifies that the prevention policy includes Custom Blocking under Execution Blocking, which is what makes the block take effect. The other options either refer to the wrong section of the console or do not specify the action settings required to block the hashes.