When an identity-based detection is determined to be a false positive, Falcon Identity Protection allows administrators to take corrective action using exceptions. According to the CCIS curriculum, exceptions are the mechanism by which detections can be suppressed for specific entities or conditions without disabling the detection entirely.
Exceptions are configured from the Detection details view and are intended to handle known, acceptable behavior that would otherwise continue to trigger detections. This allows security teams to reduce noise while maintaining visibility into true threats. Exceptions are especially valuable in environments with complex authentication patterns or legacy configurations.
The other options are incorrect:
Exits are not a detection control mechanism.
Remediations refer to corrective actions, not suppression logic.
Recommendations provide guidance but do not change detection behavior.
By using exceptions, Falcon ensures that false positives are handled in a controlled and auditable way, aligning with best practices outlined in the CCIS material. Therefore, Option C is the correct answer.
Question 17
Can a specific detection be excluded altogether or just per entity?
Options:
A. Only specific entities can be excluded by using the Identity-Based Detection → Detection Exclusion page
B. Only detections can be disabled using the Identity-Based Detection → Detection Exclusion page
C. All detections can be disabled, some detections support excluding entities
D. Adding an exclusion for a detection creates a security hole, therefore a detection cannot be excluded
Falcon Identity Protection provides flexible control over how identity-based detections are handled through the Detection Exclusions framework. According to the CCIS curriculum, administrators can either disable an entire detection type or, where supported, exclude specific entities such as users, service accounts, or endpoints from triggering that detection.
Not all detections support entity-level exclusions. For detections that do, exclusions allow organizations to suppress known benign behavior without disabling the detection globally. This is particularly useful for service accounts or legacy systems that generate expected but non-malicious activity. When entity-level exclusion is not supported, administrators may choose to disable the detection entirely, which stops it from generating alerts across the environment.
The CCIS documentation clearly explains this dual model:
All detections can be disabled, regardless of type
Only some detections support entity-based exclusions
This approach balances operational flexibility with security integrity and avoids the misconception that exclusions automatically create security gaps. Therefore, Option C is the correct and verified answer.