CrowdStrike Certified Falcon Administrator (CCFA) — Question 223

Your leadership wants controls in place for immediate action on any Overwatch detections.

What should you do to ensure the host is contained quickly and notifies the appropriate staff?

Answer options

• A. Create a Fusion SOAR workflow using the Overwatch playbook to contain the host and email the SOC team
• B. Create a Fusion SOAR workflow to create a detection for Overwatch and email the SOC team
• C. Create a Fusion SOAR workflow to contain the host and email the Overwatch team
• D. Create a Fusion SOAR workflow to trigger on an Overwatch detection and set it to block the detection

Correct answer: A

Explanation

Option A is correct because it directly utilizes the Overwatch playbook to ensure the host is contained swiftly and informs the SOC team, which is essential for incident response. The other options either focus on creating detections or notify the wrong team, which does not address the immediate need for containment and communication.