CrowdStrike Certified Falcon Administrator (CCFA) — Question 212
Your organization wants to monitor the use of remote access software that is currently authorized. The executable is called remote.exe.
How would you trigger a detection for review of any process named remote.exe?
Answer options
- A. Create an exclusion for remote.exe and set a workflow to email you every time the exclusion is used
- B. Assign an aggressive detection level machine-learning prevention policy to the applicable hosts
- C. Write an IOA rule to monitor process creation of .*\\remote\.exe
- D. Write a scheduled search looking for ProcessRollup2 events for remote.exe
Correct answer: C
Explanation
The correct answer is C because a custom IOA rule on process creation matches the executable in real time and raises a detection each time remote.exe is launched, giving analysts a record to review. Option A is the opposite of what is asked: an exclusion suppresses detections rather than generating them. Option B applies a blanket machine-learning prevention policy that does not target a specific, authorized executable. Option D only searches past ProcessRollup2 events on a schedule, so it reports retrospectively instead of monitoring new executions as they occur.