How are ML exclusions created?


Machine learning (ML) exclusions in CrowdStrike's Falcon platform tell the sensor's ML engine not to raise detections or preventions for files at a specified file path. They exist to tune out false positives from the ML engine, not to silence every kind of detection. The workflow the question is testing is that an ML exclusion is created directly from a detection that Falcon has already flagged. When an ML detection fires, the administrator reviews it, confirms that the flagged file and its activity are legitimate, and only then creates an exclusion from that detection so that the ML engine stops evaluating the matching path on future events. The exclusion should be scoped as tightly as the evidence allows (the exact path, and the host groups that actually need it), because an over-broad exclusion is a permanent blind spot for the sensor.

Creating the exclusion from the detection in the Endpoint security interface keeps the decision tied to the evidence: the analyst has the file path, hash and process context that triggered the detection in front of them and can write an exclusion that covers exactly that, rather than a broader pattern written from memory. That lets the team respond quickly and precisely when a legitimate application or an operational change trips the ML engine, without hindering the business and without quietly widening what the sensor will no longer look at.

The other answer choices do not match how Falcon is designed. Manual creation by a system administrator is possible, but it is not the answer the question is looking for, because it does not start from the evidence of a live detection. Automatic creation based on network traffic analysis is not how ML exclusions come about at all: they are file-path based, and every ML exclusion is a deliberate administrative decision, never something the platform generates on its own. The Host Management page is for managing hosts and groups, not for creating exclusions, so it cannot be the answer either. The approach the exam expects is the proactive one: act on the live detection, with its context, in the security workflow.
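The caveat in the workflow above is scope: an ML exclusion created from a detection should cover the flagged path, not a whole directory tree or a user-writable location. The following Python is an added example for this page and is not CrowdStrike code, does not call the Falcon API, and makes no claim about Falcon's exact wildcard matching rules (the checks are generic and the thresholds are an assumption to adjust to your own review checklist). The sample detection and its values are constructed.

```python
"""Sanity-check a candidate Falcon ML exclusion pattern before it is saved.

Added example for this page; it is not CrowdStrike code and does not call
the Falcon API. The pattern checks are generic: Falcon's exact wildcard
matching rules are an assumption here, so treat the thresholds as a
starting point for your own review checklist.
"""
import re
from dataclasses import dataclass

# Constructed sample ML detection, loosely modelled on what an analyst sees
# when reviewing one (host, file path, hash). All values are invented.
SAMPLE_DETECTION = {
    "hostname": "WS-FIN-042",
    "filepath": r"C:\Program Files\Vendor\LegacyApp\legacyapp.exe",
    "sha256": "3a7f" * 16,
}

# Locations an ordinary user (and therefore malware running as that user)
# can write to. Excluding anything under these is a classic blind spot.
USER_WRITABLE_MARKERS = (
    "/users/", "/appdata/", "/temp/", "/tmp/", "/programdata/",
    "/home/", "/downloads/", "/public/",
)


@dataclass(frozen=True)
class Finding:
    severity: str  # "reject" blocks creation, "warn" needs a written justification
    message: str


def _norm(pattern: str) -> str:
    """Lower-case and use forward slashes so one rule covers Windows, macOS and Linux."""
    return pattern.strip().replace("\\", "/").lower()


def pattern_from_detection(detection: dict) -> str:
    """Tightest exclusion for a detection: the exact path that was flagged.

    Starting from the detection, as the page describes, means the analyst has
    the real path in front of them and does not need a wildcard at all.
    """
    return detection["filepath"]


def assess_ml_exclusion(pattern: str) -> list[Finding]:
    """Return findings for an exclusion pattern; an empty list means it is tight."""
    findings: list[Finding] = []
    p = _norm(pattern)
    if not p:
        return [Finding("reject", "empty pattern")]

    # 1. Whole drive or filesystem root ("*", "C:\*", "/*", "**"): never.
    no_drive = re.sub(r"^[a-z]:", "", p)
    if re.fullmatch(r"[/*]*", no_drive):
        return [Finding("reject", "excludes an entire drive or filesystem")]

    # 2. Anything under a user-writable directory.
    for marker in USER_WRITABLE_MARKERS:
        if marker in p:
            findings.append(Finding("warn", f"covers user-writable location '{marker.strip('/')}'"))
            break

    # 3. Directory-wide wildcard: every current and future file is excluded.
    dir_wide = p.endswith("/*") or p.endswith("/**")
    if dir_wide:
        findings.append(Finding("warn", "excludes a whole directory rather than a specific file"))

    # 4. Wildcard inside the file name (e.g. "*.exe", "update*.dll").
    name = p.rsplit("/", 1)[-1]
    if "*" in name and not dir_wide:
        findings.append(Finding("warn", f"wildcard in file name '{name}'"))

    # 5. Very shallow wildcard pattern, e.g. "C:\Tools\*".
    components = [c for c in no_drive.split("/") if c]
    if "*" in p and len(components) < 3:
        findings.append(Finding("warn", "shallow pattern: fewer than three path components"))

    return findings


def review_candidate(detection: dict, candidate: str) -> dict:
    """Compare an analyst's candidate pattern with the exact-path alternative."""
    findings = assess_ml_exclusion(candidate)
    return {
        "candidate": candidate,
        "acceptable": all(f.severity != "reject" for f in findings),
        "findings": findings,
        "tighter_alternative": pattern_from_detection(detection),
    }


if __name__ == "__main__":
    for cand in (
        pattern_from_detection(SAMPLE_DETECTION),
        r"C:\Program Files\Vendor\LegacyApp\*",
        r"C:\Users\*\AppData\Local\Temp\*",
        r"C:\*",
    ):
        result = review_candidate(SAMPLE_DETECTION, cand)
        status = "OK" if not result["findings"] else ("REJECT" if not result["acceptable"] else "WARN")
        print(f"{status:6} {cand}")
        for f in result["findings"]:
            print(f"        - {f.severity}: {f.message}")
```

Run it and the exact path from the detection passes clean, the directory-wide and Temp-folder patterns come back with warnings that should be justified in the exclusion's comment field, and the drive-wide pattern is rejected outright. The same checks can sit in whatever change-review step your team uses before an exclusion is saved in the console.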
