CrowdStrike Certified Falcon Administrator (CCFA) — Question 204
You will be testing detections with pentest and security tooling on your host.
How can a workflow be created to automatically assign any detection related to your pentest to yourself in real time?
Answer options
- A. Create a workflow to disable detections for your host until testing is done
- B. Create an Event trigger workflow that triggers on an EPP Detection with an action to assign the detection to yourself
- C. Create an Event trigger workflow that triggers on an EPP Detection with conditions looking for the desired hostname. The Action will then assign the detection to yourself.
- D. Create a scheduled workflow to run once a day that triggers on an EPP Detection with conditions looking for the desired hostname. The Action will then assign the detection to yourself.
Correct answer: C
Explanation
Option C is correct because it creates a real-time Event trigger workflow that not only triggers on EPP Detections but also filters by the desired hostname, ensuring that only detections relevant to your test host are assigned to you. Option A is incorrect because disabling detections would prevent you from receiving any alerts during your testing. Option B lacks the hostname condition, so unrelated detections from other hosts could be assigned to you. Option D is not suitable for real-time assignment because it runs on a daily schedule, which does not meet the requirement for immediate response.