Practice Free CCCS-203b Exam Online Questions
An organization is integrating CrowdStrike Falcon Cloud Security with Kubernetes to enhance workload protection using an admission controller.
What is a critical requirement for successfully deploying Falcon’s Kubernetes admission controller?
- A . The admission controller must be registered with the Kubernetes API server as either a mutating or validating webhook to enforce security policies.
- B . The admission controller must be configured to modify the etcd database directly to prevent unauthorized resource creation.
- C . The admission controller must be deployed as a sidecar container in every pod to enforce security policies dynamically.
- D . The Kubernetes cluster must be configured to allow only manually approved API requests before the admission controller can take effect.
A
Explanation:
Option A: Admission controllers in Kubernetes function as webhooks that the API server invokes during resource creation. They can be either mutating webhooks, which modify API requests, or validating webhooks, which approve or deny them based on security policies. Falcon Cloud Security leverages this functionality to enforce security policies on workload deployment, preventing misconfigurations, vulnerabilities, and non-compliant images from being deployed.
Option B: Admission controllers do not modify etcd directly. They operate at the request validation stage before data is stored in etcd, ensuring that only compliant and secure configurations proceed.
Option C: Admission controllers are not deployed as sidecar containers in every pod. Instead, they act as centralized services that interact with the API server to validate and enforce security rules before pod creation.
Option D: API requests are not manually approved before admission controllers take effect. Instead, the webhook-based controller evaluates and either modifies or denies requests automatically.
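The webhook mechanism described in Option A, shown as an added example that is not CrowdStrike's or the Falcon platform's own code: a validating handler that inspects a Pod from an `AdmissionReview` request and allows or denies it, a mutating handler that returns a JSON Patch, and the `ValidatingWebhookConfiguration` manifest that registers the endpoint with the API server. The allowed registry, the label key, the service name and namespace, and the sample review are assumptions constructed for this example.

```python
"""Kubernetes admission webhook logic (added example; policy values are assumptions)."""
import base64
import json

# Assumption: only images pulled from this registry prefix are compliant.
ALLOWED_REGISTRIES = ("registry.example.internal/",)


def make_review(image, privileged=False):
    """Build a constructed AdmissionReview request for a single-container Pod."""
    container = {"name": "app", "image": image}
    if privileged:
        container["securityContext"] = {"privileged": True}
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": "00000000-constructed-uid",
            "kind": {"group": "", "version": "v1", "kind": "Pod"},
            "operation": "CREATE",
            "object": {
                "apiVersion": "v1",
                "kind": "Pod",
                "metadata": {"name": "demo", "namespace": "default"},
                "spec": {"containers": [container]},
            },
        },
    }


def validate_pod(pod):
    """Return the list of policy violations for a Pod (empty list means compliant)."""
    spec = pod.get("spec", {})
    problems = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        image = c.get("image", "")
        if not image.startswith(ALLOWED_REGISTRIES):
            problems.append(f"container {c.get('name')!r}: image {image!r} is not from an allowed registry")
        if c.get("securityContext", {}).get("privileged"):
            problems.append(f"container {c.get('name')!r}: privileged containers are not permitted")
    return problems


def validating_response(review):
    """Validating webhook: approve or deny the request, never modify it."""
    req = review["request"]
    problems = validate_pod(req["object"]) if req["kind"]["kind"] == "Pod" else []
    resp = {"uid": req["uid"], "allowed": not problems}
    if problems:
        # The message is what kubectl shows the user when the request is rejected.
        resp["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def mutating_response(review):
    """Mutating webhook: allow the request and attach a JSON Patch that labels the Pod."""
    req = review["request"]
    ops = []
    if "labels" not in req["object"].get("metadata", {}):
        ops.append({"op": "add", "path": "/metadata/labels", "value": {}})
    # "/" inside a JSON Pointer key is escaped as "~1"; label key is an assumption.
    ops.append({"op": "add", "path": "/metadata/labels/admission.example~1reviewed", "value": "true"})
    patch = base64.b64encode(json.dumps(ops).encode()).decode()
    resp = {"uid": req["uid"], "allowed": True, "patchType": "JSONPatch", "patch": patch}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def decode_patch(admission_review_response):
    """Decode the base64 JSON Patch carried in a mutating webhook response."""
    return json.loads(base64.b64decode(admission_review_response["response"]["patch"]))


def webhook_registration(ca_bundle_b64, service_name="policy-webhook", namespace="security"):
    """Manifest that registers the validating endpoint with the API server (names assumed)."""
    return {
        "apiVersion": "admissionregistration.k8s.io/v1",
        "kind": "ValidatingWebhookConfiguration",
        "metadata": {"name": "pod-policy.example"},
        "webhooks": [{
            "name": "pod-policy.example",
            "admissionReviewVersions": ["v1"],
            "sideEffects": "None",
            "failurePolicy": "Fail",  # fail closed if the webhook is unreachable
            "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
                       "operations": ["CREATE", "UPDATE"], "resources": ["pods"]}],
            "clientConfig": {"service": {"name": service_name, "namespace": namespace,
                                         "path": "/validate", "port": 443},
                             "caBundle": ca_bundle_b64},
        }],
    }


if __name__ == "__main__":
    bad = make_review("docker.io/library/nginx:latest", privileged=True)
    print(json.dumps(validating_response(bad)["response"], indent=2))
    print(decode_patch(mutating_response(bad)))
```

The API server only calls this code because the `ValidatingWebhookConfiguration` names it; without that registration the handler never sees a request, which is the point of Option A. Nothing here touches etcd (Option B), and one service reviews every Pod rather than a sidecar per pod (Option C).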
How can you delete a registry connection from the CrowdStrike Falcon console without affecting other registry connections?
- A . Remove all associated images from the registry before attempting to delete the connection.
- B . Navigate to the "Image Assessment" page, select the specific registry connection, and click "Delete."
- C . Disable the "Image Assessment" feature globally and then remove the registry details.
- D . Use the "Bulk Delete" option to remove all registry connections, including the one you want to delete.
B
Explanation:
Option A: Deleting associated images from the registry is not a prerequisite for removing a registry connection in CrowdStrike. The connection can be removed independently.
Option B: The "Image Assessment" page allows users to manage individual registry connections. Deleting a specific connection can be done here without affecting other connections.
Option C: Disabling "Image Assessment" globally is not required to delete a specific registry connection. This action would unnecessarily impact all registry integrations.
Option D: The "Bulk Delete" option removes all registry connections, which is not suitable if you only want to delete one specific connection.
What is the primary purpose of creating API clients and keys in CrowdStrike Falcon Cloud Security?
- A . To store telemetry data securely within the Falcon platform.
- B . To allow endpoint agents to register with the Falcon platform automatically.
- C . To enable multi-factor authentication (MFA) for users accessing the Falcon platform.
- D . To provide secure and automated communication between the Falcon platform and third-party applications.
D
Explanation:
Option A: API clients and keys do not store data; they are tools for accessing and interacting with the Falcon platform programmatically. Telemetry data is collected and stored separately in the cloud.
Option B: Endpoint agents use specific registration processes and do not rely on API clients or keys for initial registration. API keys are primarily for integrations and programmatic tasks.
Option C: MFA is a user authentication mechanism and not related to API clients and keys. API keys are used for programmatic access rather than human user authentication.
Option D: API clients and keys are used to establish secure, programmatic access to the Falcon platform for integration with third-party applications, enabling automated workflows and data exchange.
After deploying the Falcon Container Sensor in your Kubernetes cluster, your team wants to understand its primary use cases.
Which of the following is a primary function of the Falcon Container Sensor in Kubernetes?
- A . Monitoring container runtime activity and detecting malicious behavior.
- B . Automatically scaling Kubernetes pods based on security threats.
- C . Encrypting all data stored in Kubernetes Persistent Volumes (PVs).
- D . Deploying application code to Kubernetes clusters securely.
A
Explanation:
Option A: The primary function of the Falcon Container Sensor is to monitor container runtime activity, identify anomalies, and detect potential threats or malicious behavior.
Option B: The Falcon Container Sensor does not control pod scaling. Kubernetes itself handles scaling based on resource usage, not security threats.
Option C: The sensor does not encrypt data in Persistent Volumes. Data encryption is managed by the storage provider or Kubernetes itself, not by the Falcon Container Sensor.
Option D: The Falcon Container Sensor is not responsible for deploying application code. It focuses on securing containerized workloads rather than application delivery.
Which of the following best practices should you follow when creating custom IOM rules in CrowdStrike Falcon to prevent accidental disruptions in operations?
- A . Use the "Regex" condition type to cover all possible indicators with a single rule.
- B . Disable logging for custom rules to reduce performance overhead.
- C . Apply the rule to all systems in the organization without exclusions.
- D . Test the rule in a Detection-only mode before enabling blocking.
D
Explanation:
Option A: This is incorrect because while Regex can be powerful, overly broad patterns may result in false positives or system disruptions. It is better to create specific rules tailored to precise indicators.
Option B: This is incorrect because logging is crucial for monitoring the effectiveness of IOM rules and troubleshooting issues. Disabling logs would make it difficult to audit the rule’s impact and effectiveness.
Option C: This is incorrect because applying a rule universally can lead to unintended consequences, especially if critical systems or services rely on the flagged entity. You should define exclusions for known benign use cases.
Option D: This is correct because testing in Detection-only mode allows you to monitor the rule’s effectiveness and ensure it does not cause unintended disruptions before enabling the "Block" action. This approach minimizes risks associated with false positives.
How can you find if there are any remediable vulnerabilities in your running containers?
- A . Filter container assets by container running status and vulnerability remediation
- B . Filter image detections by container running status and remediation
- C . Filter image vulnerabilities by container running status and remediation
- D . Filter container assets by container running status and detection remediation
C
Explanation:
To identify remediable vulnerabilities in running containers, CrowdStrike Falcon Cloud Security recommends filtering image vulnerabilities by container running status and remediation. This approach correlates container runtime state with image assessment results, allowing security teams to focus on vulnerabilities that are both present in images and actively impacting running workloads.
Image vulnerability findings include remediation metadata such as fixed versions, patch availability, and upgrade paths. By filtering on container running status, you ensure that attention is limited to vulnerabilities that pose immediate risk rather than those in dormant or unused images. Adding the remediation filter further refines results to show only vulnerabilities that can realistically be addressed, helping teams prioritize efficiently.
Other options are incorrect because container assets and detections focus on runtime behavior, not vulnerability remediation context. Image detections relate to malware or suspicious artifacts, not CVEs.
This filtering method aligns with CrowdStrike best practices for vulnerability prioritization by combining runtime relevance and remediation feasibility, making option C the correct answer.
Which of the following security issues is most critical to address in a container image according to the Image Assessment report from CrowdStrike?
- A . High-severity CVE vulnerabilities in system libraries
- B . Deprecated or unused packages in the image
- C . Missing comments in the Dockerfile
- D . Detected hardcoded credentials for a development database
A
Explanation:
Option A: High-severity Common Vulnerabilities and Exposures (CVEs) indicate critical security risks, such as the ability to execute arbitrary code, privilege escalation, or data exfiltration. System libraries are fundamental to the container’s operation, and their vulnerabilities can be exploited to compromise the entire container or host. Addressing these vulnerabilities is crucial to prevent exploitation.
Option B: Deprecated or unused packages can increase the attack surface but are not as immediately critical as high-severity CVEs. These can be removed to streamline the image but do not represent an active threat unless they contain exploitable vulnerabilities.
Option C: Comments in a Dockerfile improve maintainability and readability but have no bearing on the security of the image itself. This is a best practice for developers, not a critical security issue.
Option D: While hardcoded credentials are a significant security concern, they typically represent an issue of configuration or secret management rather than a systemic vulnerability in the image. They may also be environment-specific, making them less critical than systemic vulnerabilities like CVEs in system libraries.
Your company uses more than one cloud provider for cost optimization and to avoid vendor lock-in. This saves the company money but adds complexity and visibility issues for your team.
Where can you find all of your compute assets that are managed and unmanaged by CrowdStrike across all supported cloud providers?
- A . Image Assessment Dashboard
- B . Compliance Dashboard
- C . Application Security Posture Inventory
- D . Cloud Asset Inventory
D
Explanation:
The Cloud Asset Inventory in CrowdStrike Falcon Cloud Security provides a centralized, normalized view of all compute assets across AWS, Azure, and Google Cloud, regardless of whether they are managed or unmanaged by the Falcon sensor.
This inventory aggregates metadata from cloud provider APIs and Falcon telemetry to present unified visibility into virtual machines, cloud instances, container hosts, and workloads. Security teams can filter assets by cloud provider, account, region, operating system, sensor status, and risk posture, making it essential for multi-cloud environments.
Other dashboards serve specialized purposes: the Image Assessment Dashboard focuses on container images, the Compliance Dashboard maps findings to regulatory frameworks, and Application Security Posture Inventory focuses on application-level risk. None of these provide the full compute asset view required for cross-cloud operational awareness.
Therefore, Cloud Asset Inventory is the correct location for maintaining visibility across complex, multi-cloud environments.
Your organization decides to discontinue using a specific cloud account monitored by CrowdStrike Falcon.
What is the correct procedure to deprovision the account from Falcon without leaving residual connections?
- A . Delete all virtual machines associated with the cloud account before deprovisioning.
- B . Remove the cloud account from the Falcon console and disable API access for Falcon.
- C . Revoke permissions granted to CrowdStrike Falcon on the cloud account.
- D . Uninstall all CrowdStrike endpoint agents from the cloud account.
B
Explanation:
Option A: Deleting virtual machines is unnecessary for deprovisioning. The focus should be on severing integration points between Falcon and the cloud account.
Option B: Removing the account from the Falcon console ensures that Falcon no longer attempts to monitor it. Disabling API access prevents further interaction and completes the deprovisioning process.
Option C: Revoking permissions alone is insufficient because the account remains linked to Falcon. Proper deprovisioning requires both removing the account and disabling API access.
Option D: Uninstalling endpoint agents is irrelevant to deprovisioning a cloud account from Falcon. Agents operate independently from cloud account registration.
During the deployment of the CrowdStrike Container Sensor in a Kubernetes cluster, the sensor fails to register with the CrowdStrike Falcon platform.
What could be the root cause of this issue?
- A . The sensor must be deployed as a DaemonSet with one pod per namespace.
- B . The sensor requires elevated privileges for all containers running in the cluster.
- C . The sensor requires a direct internet connection to the CrowdStrike cloud.
- D . The Kubernetes API server is not configured to allow external admission plugins.
C
Explanation:
Option A: The CrowdStrike Container Sensor is deployed as a DaemonSet to ensure it runs on all nodes, but it does not need a pod per namespace. This misunderstanding could lead to resource waste and unnecessary complexity.
Option B: The sensor itself requires elevated privileges to monitor workloads, but it does not enforce privilege elevation on all other containers in the cluster.
Option C: The CrowdStrike Container Sensor requires connectivity to the CrowdStrike Falcon cloud for registration, telemetry, and updates. Without a direct internet connection or a properly configured proxy, the sensor cannot communicate with the Falcon platform, leading to deployment failures. Ensuring network connectivity is one of the first troubleshooting steps.
Option D: While the Admission Controller relies on external admission plugins, the Container Sensor itself does not require this configuration. This is unrelated to sensor registration.