CrowdStrike Certified Falcon Administrator (CCFA) — Question 168
During a simulated training exercise with your security team, an analyst used Falcon to network contain a host. It was then discovered that containing this specific host interrupted some key business processes and resulted in lost revenue.
As the Falcon Administrator, what can be done to prevent this interruption in the future?
Answer options
- A. Collaborate with the firewall engineers so that in the future, network containment would only deny external IP addresses and no internal IP addresses
- B. Configure your containment policy to allow the IP addresses for those key business processes so that your hosts will be allowed to communicate with them, even if those hosts are contained
- C. Add this Falcon host to your deny list so that it is never able to be network contained again
- D. Educate the analyst so they can understand and memorize which hosts are safe to network contain, and which would cause harm if contained
Correct answer: B
Explanation
The correct answer is B because adjusting the containment policy to allow the IP addresses used by the key business processes keeps those processes reachable even while the host is network contained, so containment can still be applied without the disruption. Option A is insufficient because denying only external IP addresses does not address the specific communication needs of the business processes. Option C is too extreme, as it eliminates the ability to contain a potentially compromised host altogether. Option D relies on human memory, which is prone to error, rather than implementing a systematic solution.