Because the detection is triggering only on a specific Falcon IOA, the correct remediation is an IOA exclusion scoped to the relevant detection context and file path. IOA exclusions are intended to reduce false-positive behavioral detections and preventions. Falcon guidance states that IOA exclusions “reduce false-positive detection alerts from IOAs” by stopping behavioral IOA detections and preventions, and they can be created directly from a CrowdStrike-generated detection or by duplicating an existing exclusion. A Custom IOC Allow would be appropriate for an indicator-based decision, such as a known-good hash, but this scenario is explicitly behavioral because the trigger is a Falcon IOA. Manually disabling the built-in IOA through prevention policies is too broad and weakens protection beyond the single development artifact. A sensor visibility exclusion would suppress sensor event visibility and is broader than required. CCFA reference topics: Detection and Prevention Policies, IOA Exclusions, Rule Configuration, false-positive handling.