Exam CCFA
Question 142

Your development team is working on a new enterprise application, but Falcon starts creating alerts during testing. The alert points to "C:\Users\Bob\DevCode\felix.dll". In the detection, you see that it is triggering only on a specific Falcon IOA. What would be the best course of action for this situation?

    Correct Answer: B

    Creating an IOA exclusion for "C:\Users\Bob\DevCode\felix.dll" is the best course of action. Because the detection is raised by a specific Falcon IOA, an IOA exclusion scoped to that IOA and that file suppresses it without weakening other detection types. Custom IOCs handle indicator-based detections such as file hashes; allow-listing the DLL's hash would not address an IOA-based trigger. Scope the exclusion as narrowly as possible (the specific IOA, the exact path, and the development hosts) rather than suppressing the IOA fleet-wide.

Discussion
Muffen: Option B

Answer is B because the detection was for an IOA. If you allow the hash of the DLL via a Custom IOC, it will only affect Machine Learning-based detections and not IOAs, which means it cannot be C.