CCFA Exam - Question 17


Which of the following applies to Custom Blocking Prevention Policy settings?

Correct Answer: A

Hashes must be entered on the Prevention Hashes page before they can be blocked via this policy. Custom blocking in prevention policies refers to blocklisting hashes through IOC Management, and hashes need to be added there first. The custom blocking settings make no mention of blocklisting IP addresses and domains, nor of any need for remediation after partial executions.

Discussion

12 comments
kgbac
Option: C
Feb 15, 2023

Prevention policies don't block custom IOC management; you can add a link to custom IOA rules. That means C is the correct answer.

testmailuc
Mar 9, 2023

https://www.crowdstrike.com/blog/tech-center/how-to-prevent-malware-with-custom-blacklisting/

Jek88
Option: C
Feb 17, 2023

C is the correct answer.

testmailuc
Mar 9, 2023

https://www.crowdstrike.com/blog/tech-center/how-to-prevent-malware-with-custom-blacklisting/

im2ca
Option: D
Mar 22, 2023

AUTO, N-1, N-2

3xploit
Option: A
Mar 27, 2023

https://www.crowdstrike.com/blog/tech-center/how-to-prevent-malware-with-custom-blacklisting/ A for me

plantvast
Option: B
Jan 20, 2023

Custom blocking in prevention policies refers to hashes, IPs, and domains added to IOC Management.

ShuliAbba
Option: A
Jan 24, 2023

@plantvast - I think you might be wrong because you cannot block IPs and domains, only hashes in the IOC + as written in the policy section: "Block processes matching hashes that you add to IOC Management with the action set to 'Block' or 'Block, hide detection'."

plantvast
Jan 26, 2023

You can actually add hashes, domains and IP addresses on IOC management. Navigate to the page in Falcon and attempt to add a new indicator and the options will appear.

ShuliAbba
Jan 28, 2023

You are right and wrong, my friend. Adding IPs and domains in the IOC is indeed possible, but not with "block" action on them - only "detect" or "no action".

ShuliAbba
Jan 28, 2023

From the "Custom Blocking" policy section: "Block processes matching hashes that you add to IOC Management with the action set to 'Block' or 'Block, hide detection'."

testmailuc
Option: A
Mar 9, 2023

Check here: https://www.crowdstrike.com/blog/tech-center/how-to-prevent-malware-with-custom-blacklisting/

FerbOP
Option: C
Apr 25, 2023

C is correct - Block processes matching hashes that you add to IOC Management with action Block

MSKid
Option: A
May 30, 2023

Sounds like A to me: Falcon allows you to upload hashes from your own black or white lists. To enable this, navigate to the Configuration App, Prevention hashes window, and click on “Upload Hashes” in the upper right-hand corner. Note that you can also automate the task of importing hashes with the CrowdStrike Falcon® API.

sbag0024
Option: C
Jun 14, 2023

C? bad question imo.

Manuneethi
Option: A
Jul 16, 2023

A is correct: Custom Blocking enables blocklisting by hash, via hashes you add to IOC Management with the option set to Block.

diegofretesc
Option: A
Oct 10, 2023

A is correct