You have 100 hashes that have been prohibited by management and need to be blocked within your organization. Using Falcon, what is the best way to accomplish this?
A.
Navigate to Configure > IOC Management. Add a custom IOC. Add the list of hashes. Set the action to Block. Verify the prevention policy includes Custom Blocking under Execution Blocking.
B.
Navigate to Configure > Prevention policies. Add an IOC Policy. Add the list of hashes as CSV file. Set the action to Block. Verify Custom Execution Blocking is active.
C.
Navigate to Configure > IOC Management. Add a custom Prevention Policy. Add the list of hashes. Set the action to Block. Verify the policy includes Custom Execution Blocking.
D.
Navigate to Configure > Prevention policies. Add an IOC Policy. Add the list of hashes as CSV file. Set the action to Block and Alert. Verify Custom Blocking inside Execution Blocking is active.
The correct method is to use IOC Management, add the hashes as custom IOCs, set the action to Block, and ensure the applicable prevention policy has Custom Blocking enabled under Execution Blocking. Hash-based blocking is an IOC Management function. Prevention policies do not create "IOC Policies" in the way the distractors describe; instead, a prevention policy must include the setting that enforces custom blocking. Setting hashes to Block without enabling the corresponding policy setting may fail to enforce the intended behavior on hosts. The CCFA rule configuration and policy application topics emphasize that IOC Management defines the custom indicators and their actions, while prevention policy settings determine whether those actions are enforced on endpoints.