CrowdStrike Certified Falcon Administrator (CCFA) — Question 195
Detections related to a penetration test on a particular server are currently generating thousands of entries in the console. Your leadership does not need to track the detections in Falcon.
What should you do to allow your team to focus on more relevant detections?
Answer options
- A. Delete the detections in the console and contain the server undergoing the test
- B. Permanently disable detections for the server in Host Management
- C. Temporarily disable detections for the server in Host Management and re-enable after the test is done
- D. Create a Fusion Workflow to email the SOC team every time the penetration test generates a detection
Correct answer: C
Explanation
Option C is correct because temporarily disabling detections for that one host in Host Management stops the penetration-test noise from flooding the console, lets the team concentrate on more relevant alerts during the test, and, once detections are re-enabled after the test, restores full visibility on the server. Option A is incorrect: deleting detections does nothing to reduce the flood of new ones, and containing the server would interrupt the authorized test. Option B is not ideal because permanently disabling detections leaves the host blind to real attacks and could lead to missing important alerts. Option D is not efficient, as emailing the SOC on every detection still forces the team to track unnecessary alerts instead of focusing on critical ones.