Exam CCFA
Question 2

You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints. What is the best way to prevent these in the future?

    Correct Answer: B

    The best way to prevent future false positives caused by the custom binary is to use IOC (Indicator of Compromise) Management to add the hash of the binary and set the action to 'Allow'. This will ensure that the binary is recognized as safe and will not trigger false positives in the Machine Learning detections. This approach directly addresses the issue by specifying that this particular binary should be allowed, thus preventing further false alarms.

Discussion
sbag0024 (Option: B)

B is correct

Reddington0214 (Option: B)

I think B is correct

SuperDuperReverb (Option: B)

@DarkieCopy Allow is present in IOC, I just looked. Allow means it will not log the detection; "No Action" means it will still collect data on occurrences.

DarkieCopy (Option: D)

Got to disagree with everyone: I think D is the correct answer. IOC management only allows "Detect only" and "No Action" among the possible actions, checked in console. Same happens in question #12. "Detect only" and "No Action" are the only possibilities in IOC management.

FerbOP

Check for Hash; for IP and Domain you have only Detect only and No Action.

FerbOP (Option: B)

B - Allow, do not detect