ExamTopics Logo
Mail Us[email protected]
Menu
Crowdstrike Discussions
exam questions

Exam CCFA All Questions

View all questions & answers for the CCFA exam
Go to Exam

Exam CCFA topic 1 question 2 discussion

Actual exam question from CrowdStrike's CCFA
Question #: 2
Topic #: 1
[All CCFA Questions]

You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?

  • A. Contact support and request that they modify the Machine Learning settings to no longer include this detection
  • B. Using IOC Management, add the hash of the binary in question and set the action to "Allow"
  • C. Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"
  • D. Using IOC Management, add the hash of the binary in question and set the action to "No Action"
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by Reddington0214 at Feb. 4, 2023, 4:45 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
AntiVirusAshok
9 months, 2 weeks ago
Selected Answer: B
Option D, “Using IOC Management, add the hash of the binary in question and set the action to ‘No Action’,” would not be effective because it doesn’t actively prevent the false positives. By setting the action to “No Action,” the system would continue to detect the binary but simply not take any action on it. This means the false positives would still appear in your detection logs, potentially cluttering them and making it harder to identify genuine threats. On the other hand, setting the action to “Allow” (Option B) ensures that the binary is recognized as safe and prevents it from being flagged in the future, thus keeping your detection logs clean and focused on actual threats.
upvoted 1 times
...
vsnt89
10 months, 3 weeks ago
Selected Answer: B
Option B is the correct because it won't generate detection while option D will keep generating detection but won't take any action.
upvoted 1 times
...
SuperDuperReverb
1 year, 4 months ago
@DarkieCopy Allow is present in IOC, I just looked. Allow means it will not log the detection, "No Action" means it will still collect data on occurences.
upvoted 1 times
...
DarkieCopy
1 year, 7 months ago
Selected Answer: D
Got to disagree with everyone: I think D is correct answer. IOC management only allows "Detect only" and "No Action" among the possible actions, checked in console. Same happens in question #12. "Detect only" and "No Action" are the only possibilities in IOC management
upvoted 1 times
FerbOP
1 year, 6 months ago
Check for Hash, for IP and Domain you have only Detect only and No Action
upvoted 1 times
...
...
sbag0024
2 years, 1 month ago
Selected Answer: B
B is correct
upvoted 2 times
...
FerbOP
2 years, 2 months ago
B - Allow,do not detect
upvoted 1 times
...
Reddington0214
2 years, 5 months ago
Selected Answer: B
I think B is correct
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel