CrowdStrike Certified Falcon Administrator (CCFA) — Question 63

You have an existing workflow that is triggered on a critical detection that sends an email to the escalation team. Your CISO has asked to also be notified via email with a customized message. What is the best way to update the workflow?

Answer options

• A. Clone the workflow and replace the existing email with your CISO's email
• B. Add a sequential action to send a custom email to your CISO
• C. Add a parallel action to send a custom email to your CISO
• D. Add the CISO's email to the existing action

Correct answer: C

Explanation

The correct answer is C because adding a parallel action allows the workflow to send both the original email and the custom email to the CISO simultaneously, ensuring that both notifications are sent without disrupting the existing process. Option A is incorrect as cloning the workflow is unnecessary and complicates management. Option B is wrong because a sequential action would delay the CISO's notification until after the escalation team's email is sent. Option D fails to provide a customized message, which is a requirement from the CISO.