Custom Alerts, known as Custom Indicators of Attack (IOAs) in the Falcon platform, are user-defined detection rules. They are fundamentally based on Falcon Query Language (FQL) searches that run on a recurring schedule against event data. Administrators have the direct ability to configure the interval for these scheduled searches (A).

Furthermore, a primary purpose of creating a custom alert is to be notified of specific activity. The Falcon platform's notification workflow system is designed to integrate with these alerts, making it possible to automatically trigger and send detailed notifications via email when a custom rule's conditions are met (B).

C. configure prevention actions for alerting: Custom Alerts are a detection-only feature. They generate alerts based on searches but cannot initiate prevention actions like killing a process; this is handled by Prevention Policies.

D. be alerted to activity in real-time: Because Custom Alerts are based on scheduled queries that run at intervals (e.g., every five minutes), there is an inherent delay. They provide near real-time detection, not instantaneous, true real-time alerting.

1. CrowdStrike Falcon® Platform Documentation

"Custom IOA rules": This document outlines the process for creating custom detection rules. In the section "Create a new rule

" it explicitly details the requirement to set a "Schedule" for how often the rule will run against event data

confirming option A.

2. CrowdStrike Falcon® Platform Documentation

"Notification workflows": This documentation describes how to configure notifications. It specifies that a trigger for a notification can be a detection

and filters can be applied to target alerts from a specific "Detection method

" including "Custom IOA rule." This confirms the capability to receive emails for these alerts

supporting option B.

3. CrowdStrike University

"CrowdStrike Falcon Administrator (CCFA-200b) Courseware

" Module: Detections and Alerts: The course material distinguishes between detection mechanisms and prevention policies. It clarifies that Custom IOAs are for generating detections and do not include prevention capabilities

invalidating option C. The module also explains their scheduled nature

which contrasts with real-time prevention

invalidating option D.