Falcon Identity Protection provides flexible control over how identity-based detections are handled through theDetection Exclusionsframework. According to the CCIS curriculum, administrators can eitherdisable an entire detection typeor, where supported,exclude specific entitiessuch as users, service accounts, or endpoints from triggering that detection.
Not all detections support entity-level exclusions. For detections that do, exclusions allow organizations to suppress known benign behavior without disabling the detection globally. This is particularly useful for service accounts or legacy systems that generate expected but non-malicious activity. When entity-level exclusion is not supported, administrators may choose todisable the detection entirely, which stops it from generating alerts across the environment.
The CCIS documentation clearly explains this dual model:
All detections can be disabled, regardless of type
Only some detections support entity-based exclusions
This approach balances operational flexibility with security integrity and avoids the misconception that exclusions automatically create security gaps. Therefore,Option Cis the correct and verified answer.
