CrowdStrike Certified Falcon Administrator (CCFA) — Question 171
Which of the following is TRUE regarding disabling detections for a host?
Answer options
- A. The DetectionSummaryEvent continues being sent to the Streaming API for that host
- B. After disabling detections, the host will operate in Reduced Functionality Mode (RFM) until detections are enabled
- C. The detections for that host are removed from the console immediately. No new detections will display in the console going forward unless detections are enabled
- D. After disabling detections, the data for all existing detections prior to disabling detections is removed from the Event Search
Correct answer: C
Explanation
Option C is correct: when detections are disabled for a host, its detections are removed from the console immediately, and no new detections will show unless detections are re-enabled. Option A is incorrect because the DetectionSummaryEvent does not continue to be sent. Option B is wrong because the host does not enter Reduced Functionality Mode immediately after disabling detections. Option D is also false because it misstates the handling of existing detection data.