The most effective and precise method to identify non-standard web browsers is to use an allow-list (whitelist) approach. This rule logic defines the approved browser executables (chrome.exe, firefox.exe, msedge.exe) and triggers an alert for any process that appears to be a browser but does not match the approved names. This directly targets the use of unauthorized software, which is a key indicator of shadow IT, regardless of how the application was launched. This method minimizes false positives while effectively monitoring for policy violations.

A. This rule is too specific. It only detects browsers launched by PowerShell, a common attack technique, but misses non-standard browsers launched normally by a user (e.g., by clicking an icon).

B. This rule is too narrow. While users often launch applications from the Windows Explorer shell (explorer.exe), browsers can be launched by other parent processes, such as Outlook or a PDF reader.

C. This is an imprecise and overly broad rule. It would generate many false positives for legitimate processes with "browser" in their name (e.g., file browsers) and could be easily bypassed by browsers without "browser" in their executable name.

1. CrowdStrike Falcon Documentation

"Creating Custom IOA Rules": The Falcon platform allows for the creation of custom IOA rules based on event data

such as process creation. A standard rule pattern for application control involves specifying the ImageFileName (the process executable name) and using a negative matching condition (e.g.

is not one of) against a list of approved applications. This directly supports the logic in option D for identifying unauthorized software. (Reference: CrowdStrike Falcon Platform UI and official training materials for CCFA).

2. MITRE

"Software Discovery: T1518": The MITRE ATT&CK framework

a foundational resource for understanding adversary behavior

describes "Software Discovery" techniques. Detecting unexpected or non-standard software is a core principle of identifying potential policy violations or malicious activity. The logic in option D is a direct implementation of a detection strategy for this technique

focusing on identifying software that deviates from a baseline. (Reference: MITRE ATT&CK

Technique T1518

"Software Discovery").

3. SANS Institute

"Endpoint Protection and Response": SANS whitepapers and courseware on endpoint security emphasize the importance of application control and whitelisting as a defensive measure. Monitoring for executions of non-whitelisted applications is a fundamental EDR capability for detecting both shadow IT and malicious code. Option D perfectly encapsulates this security principle. (Reference: SANS Institute Reading Room

Papers on Endpoint Security and Application Whitelisting).