To enhance your security, you want to detect and block based on a list of domains and IP addresses. How can you use IOC management to help this objective?
A.
Blocking of Domains and IP addresses is not a function of IOC management. A Custom IOA Rule should be used instead
B.
Using IOC management, import the list of hashes and IP addresses and set the action to Detect Only
C.
Using IOC management, import the list of hashes and IP addresses and set the action to Prevent/Block
D.
Using IOC management, import the list of hashes and IP addresses and set the action to No Action
Answer is A (However I initially thought C) - Under Endpoint Security > IOC Management > Add Indicators, you can add Hashes, Domains, and IPs. However!
- IPs: You are unable to block IP addresses and can only detect or no action.
- Domains: You are unable to block IP addresses and can only detect or no action.
Answer is A.
IOC management only allows "Detect only" and "No Action" among the possible actions. Therefore, it cannot be used to block based on IPs or domains. Custom IOA Rule groups allow to create rule types based on Network Connection (configuring a remote IP address) and domains, and gives the options to "Monitor", "Detect" and "Kill Process", being the late one the closest to "block".
So, C is discarded because IOc does not block, and A might be the correct answer, despite not having a "block" option.
C is Exactly Correct according to CS Falcon and there is 5 options under IOC Management to in the right side corner one buttton having : Add Hashes, Domain, IP Addresses, Import with Metadata, see Audit Log. Better before sitting for CCFA-200 Exam, verify the options under CS Console or CS Documentation.
You can add domains to IOC management but the only actions are Detect only or no action therefore the answer is A an IOA rule should be used to block it
The A is the right answer.
The only available actions for domains and IPs are Detect only and No action, so it is not possible to prevent them. Only hashes can be blocked with the use of IOCs.
Option A is the right one, you can add ip, domains and hashes in IOC's but cant take any action other then detect or No action. To block them IOA rule is required where kill process will act as a BLOCK
I agree to ShuliAbba, there is no block action if you will add a domain or IP in IOC management. In IOA you can create rules for Domain or IP that could detect and Kill Process (meaning blocked)
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
vsnt89
2 months, 3 weeks agoCyberMacadamia
8 months agodiegofretesc
1 year, 1 month agoDarkieCopy
1 year, 4 months agoManuneethi
1 year, 4 months agosbag0024
1 year, 5 months agoFerbOP
1 year, 7 months agoJakeUK
1 year, 7 months agoNafil_46
1 year, 7 months ago3xploit
1 year, 7 months agoBelrose
1 year, 8 months agoim2ca
1 year, 8 months agoJer91
1 year, 8 months agoPrr0
1 year, 8 months agoandreiushu
1 year, 9 months agokgbac
1 year, 9 months agoReddington0214
1 year, 9 months ago