1. CrowdStrike Falcon® Platform Documentation, "Custom IOAs": In the section on "Rule Types", the documentation distinguishes between "Detect" and "Prevent" rules. It specifies that Detect rules generate a detection and provide visibility into an activity without blocking it, whereas Prevent rules block the activity from occurring. This directly supports using the "Detect" type for a monitoring use case. (Reference: CrowdStrike Support Portal, Document ID: CS-FAL-09-IOA, "Rule Groups and Rule Types", p. 5).
2. SANS Institute, "Endpoint Detection and Response (EDR) Architecture and Operations": This courseware discusses the principle of tuning EDR platforms. It emphasizes starting with detection/audit-only rules for activities that are not confirmed to be malicious, in order to gather intelligence and avoid false positives. This aligns with using a "Detect" rule before escalating to a "Prevent" rule. (Reference: SANS FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics, Module 4: Endpoint Detection and Response).
3. Carnegie Mellon University, Software Engineering Institute (SEI), "Defining Custom Detection Rules in Endpoint Security Solutions": This technical report discusses best practices for creating custom rules. It advises that for dual-use tools or scripts, initial rules should be configured for logging and alerting (detection) rather than blocking, to establish a baseline of normal activity and prevent operational disruption. (Reference: CMU/SEI-2022-TR-004, Section 3.4.1, "Rule Scoping and Actions").