
CCFA Exam - Question 12


To enhance your security, you want to detect and block based on a list of domains and IP addresses. How can you use IOC management to help this objective?

Correct Answer: AC

Blocking of domains and IP addresses is not a function of IOC management. Instead, a Custom IOA Rule should be used to block processes associated with specific domains or IP addresses. IOC management primarily supports actions like Detect Only or No Action for domains and IP addresses, and block actions are generally limited to hash indicators.

Discussion

17 comments
Reddington0214 (Option: A)
Feb 4, 2023

I agree with ShuliAbba: there is no block action if you add a domain or IP in IOC management. In IOA you can create rules for Domain or IP that could detect and Kill Process (meaning blocked).

Nafil_46 (Option: A)
Apr 5, 2023

We can't block IPs in IOC management, but we could block domains only for mobile devices. Since the question is generic, the answer is A.

ShuliAbba (Option: A)
Jan 24, 2023

Wrong!! The correct answer is A. You can only block hashes in the IOC; the rest can be blocked via IOA.

plantvast
Jan 26, 2023

Actually you can add hashes, domains, and IP addresses in IOC management. The answer is C.

plantvast
Jan 26, 2023

Tested on Falcon.

im2ca (Option: A)
Mar 22, 2023

Option A is the right one. You can add IPs, domains and hashes in IOCs but can't take any action other than Detect or No Action. To block them, an IOA rule is required, where Kill Process will act as a BLOCK.

3xploit (Option: C)
Apr 3, 2023

The answer is C! Tested in CS (Hash/Domain/IP).

JakeUK (Option: A)
Apr 20, 2023

You can add domains to IOC management, but the only actions are Detect only or No action; therefore the answer is A: an IOA rule should be used to block it.

FerbOP (Option: A)
Apr 25, 2023

A is correct. A Custom IOA rule group can be used to block processes associated with IP and domain.

DarkieCopy (Option: A)
Jul 19, 2023

Answer is A. IOC management only allows "Detect only" and "No Action" among the possible actions. Therefore, it cannot be used to block based on IPs or domains. Custom IOA Rule groups allow creating rule types based on Network Connection (configuring a remote IP address) and domains, and give the options to "Monitor", "Detect" and "Kill Process", the latter being the closest to "block". So, C is discarded because IOC does not block, and A might be the correct answer, despite not having a "block" option.

kgbac (Option: A)
Feb 15, 2023

You can't block this IP address on Falcon.

andreiushu (Option: A)
Feb 20, 2023

A is the correct answer

Prr0 (Option: C)
Mar 8, 2023

Checked on Falcon, Answer is C

Jer91 (Option: C)
Mar 11, 2023

Hello guys, it's C but on cloud EU it's not possible for IP and domain unfortunately. On US cloud yes it's possible.

Belrose (Option: A)
Mar 25, 2023

A is the right answer. The only available actions for domains and IPs are Detect only and No action, so it is not possible to prevent them. Only hashes can be blocked with the use of IOCs.

sbag0024 (Option: A)
Jun 14, 2023

A seems correct though the IOA option in the UI is to "kill" the process. There is not a way to block.

Manuneethi (Option: C)
Jul 16, 2023

C is exactly correct according to CS Falcon, and there are 5 options under IOC Management, in the right-side corner, one button having: Add Hashes, Domain, IP Addresses, Import with Metadata, See Audit Log. Better to verify the options under the CS Console or CS Documentation before sitting for the CCFA-200 exam.

diegofretesc (Option: A)
Oct 10, 2023

I think the answer is A, since you cannot block with IOC. Only detect or take no action.

CyberMacadamia (Option: A)
Mar 22, 2024

Answer is A (however, I initially thought C). Under Endpoint Security > IOC Management > Add Indicators, you can add Hashes, Domains, and IPs. However!
- IPs: You are unable to block IP addresses and can only detect or no action.
- Domains: You are unable to block IP addresses and can only detect or no action.