ExamTopics Logo
Mail Us[email protected]
Menu
Crowdstrike Discussions
exam questions

Exam CCFA All Questions

View all questions & answers for the CCFA exam
Go to Exam

Exam CCFA topic 1 question 198 discussion

Actual exam question from CrowdStrike's CCFA
Question #: 198
Topic #: 1
[All CCFA Questions]

There are a significant number of false positive detections from your developers that are getting blocked and quarantined by Falcon.

What Indicator of Compromise (IOC) action would be the best option?

  • A. No_action (displayed as None in the console)
  • B. Allow (displayed as Allow in the console)
  • C. Detect Only (displayed as Detect only in the console)
  • D. Prevent (displayed as Blocked in the console)
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by alashi at May 17, 2025, 5:37 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
aN0omY
1 week, 4 days ago
Selected Answer: B
this is a tricky question because detect would still ensure that should a malicious file come via this typical process, you have some alert/safeguard...so it's technically not wrong to do. I would lean more towards B. allow because you probably dont want to get a bunch of detections about it still.
upvoted 1 times
...
alashi
1 month ago
Selected Answer: B
B - why would you want it to still raise a detection if its a false positive?
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel