Free CCFA-200 Actual Exam Questions - Question 12 Discussion
IOC detections. How should the administrator modify IOC settings to prevent these false positives while
maintaining security for other domains?
Makes sense to keep detections active but avoid blocks, so D fits best here.
Disabling domain-based IOC detections completely like in A seems too broad and risky since it would lower overall security. Between B, C, and D, excluding the domain locally (B) might lead to inconsistent enforcement if some endpoints miss the update. Setting it to Detect Only (D) still flags the domain but doesn’t block it, which balances false positives with visibility. This way, you keep an eye on the domain without interrupting workflows or risking missing other real threats. So, D would be a safer middle ground while maintaining good monitoring.
C imo because adding the domain to Custom Indicators with "Allow" stops false positives but keeps other domain detections active. Local exclusions might miss global IOC updates elsewhere.
It’s B because local exclusions stop false flags without affecting global rules.
Good point about keeping some level of monitoring. I think B is worth considering too because adding the domain to local exclusions stops the false positives right at the endpoints without disabling detection globally. That way, you avoid alerts and blocks for the known safe domain but still keep overall IOC detection on for everything else. It’s a more surgical fix compared to changing custom indicators, which might still generate alerts. So I’d go with B to balance stopping false flags and maintaining security elsewhere.
It’s tricky, but wouldn’t D make sense to still detect without blocking?