Practice Free CCCS-203b Exam Online Questions
A security team is tasked with creating an image assessment policy in the Falcon Cloud to scan container images for vulnerabilities before deployment.
Which of the following configurations is required to ensure the policy works as intended?
- A . Specify the severity levels (e.g., Critical, High, Medium) for vulnerabilities to flag.
- B . Enable the "Audit Mode" to enforce runtime image assessment.
- C . Enable the "Real-time Scanning" option to automatically block all unscanned images.
- D . Assign the policy to a specific Kubernetes namespace only.
A
Explanation:
Option A: When creating an image assessment policy, defining the severity levels to flag ensures that only vulnerabilities meeting the specified thresholds are flagged. This configuration allows the policy to effectively prioritize risks and generate actionable insights.
Option B: Audit Mode is for runtime enforcement policies. Image assessment occurs during the CI/CD pipeline or image pull operations and is unrelated to runtime configurations.
Option C: Real-time scanning is unrelated to image assessment policies, as it pertains to runtime protection. Image assessment focuses on pre-deployment scanning, not real-time monitoring.
Option D: Image assessment policies apply to container images and are not limited to namespaces. Namespace-specific configurations are part of runtime or admission policies, not image assessment.
What is the primary purpose of creating Falcon Cloud Security Policies and Rules in a cloud environment?
- A . To enforce granular security controls for workloads, users, and cloud resources based on predefined conditions.
- B . To automate software updates for containerized applications in the cloud.
- C . To configure network ingress and egress rules for cloud-native firewalls.
- D . To manage the deployment of Falcon agents across virtual machines.
A
Explanation:
Option A: Falcon Cloud Security Policies and Rules allow organizations to define and enforce security controls specific to workloads, cloud resources, and user actions. These policies help prevent unauthorized access, misconfigurations, and potential vulnerabilities by evaluating predefined conditions and taking automated actions to ensure compliance and security.
Option B: Software updates for applications are typically handled by CI/CD pipelines or orchestration tools, not Falcon Cloud Security Policies and Rules.
Option C: Network rules are typically managed through cloud provider-specific tools (e.g., AWS Security Groups or Azure Network Security Rules), not through Falcon Cloud Security Policies.
Option D: While Falcon agents are critical for workload protection, their deployment is managed separately and is not the primary purpose of Falcon Cloud Security Policies and Rules.
There is a valid sensor update policy for all Linux hosts that is set to n-2. Some of the hosts have not updated their sensor version.
What is the reason for this situation?
- A . DaemonSet was used for deployment
- B . One-click sensor deployment has not been enabled
- C . None of the hosts have been restarted
A
Explanation:
According to CrowdStrike Falcon documentation regarding Falcon Cloud Security (FCS) and Container Security, the method used to deploy sensors significantly impacts how updates are managed. When Linux hosts are part of a Kubernetes cluster and the Falcon sensor is deployed as a DaemonSet, the standard "Sensor Update Policy" configured in the Falcon Console does not automatically trigger a version change in the same way it does for a standard Windows or Linux workstation.
In a DaemonSet deployment, the sensor version is tied to the container image tag specified in the Helm chart or YAML manifest used at deployment time. If the manifest pins a static version, or if Kubernetes is not instructed to pull a newer image and roll out a restart of the DaemonSet pods, the hosts remain on their current version regardless of the "n-2" policy set in the console.
Furthermore, CrowdStrike documentation notes that for Linux Sensor Update Policies, the "n-2" setting dictates which version is assigned to the host, but the mechanism of delivery must be supported. In containerized environments, the "Auto-update" feature is often bypassed by the immutable nature of the deployment. To resolve this, the administrator must update the DaemonSet configuration to point to the newer sensor image, allowing Kubernetes to perform a rolling update across the nodes.
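The following is an added example, not CrowdStrike's code, that makes the point above concrete: it reads the pinned image tag out of a DaemonSet manifest, works out which version an n-2 policy would assign (read here as two releases behind the newest), and, when the pinned tag is older than that, builds the kubectl rolling-update commands an administrator would run. The release list, the manifest, the registry path, and the DaemonSet, namespace and container names are all constructed placeholders; real sensor version strings differ.

```python
"""Detect a Falcon sensor DaemonSet pinned to an image tag older than what
an n-2 sensor update policy would assign, and build the kubectl commands
that roll it forward.

Added example, not CrowdStrike's code. Release list, manifest, registry
path and all resource names are constructed placeholders.
"""
import re

# Constructed release history (any order; sorted below). Real versions differ.
RELEASES = ["7.8.0", "7.10.0", "7.6.0", "7.9.0", "7.7.0"]

# Constructed DaemonSet manifest fragment. The pinned tag is what the
# nodes actually run, whatever the console policy says.
MANIFEST = """\
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: falcon-sensor              # placeholder DaemonSet name
  namespace: falcon-system         # placeholder namespace
spec:
  template:
    spec:
      containers:
      - name: falcon-node-sensor   # placeholder container name
        image: registry.example/falcon-sensor:7.6.0   # pinned tag
"""


def parse_version(v):
    """'7.10.0' -> (7, 10, 0) so that 7.10 sorts after 7.9."""
    return tuple(int(p) for p in v.split("."))


def policy_target(releases, n_back=2):
    """Version an n-<n_back> policy assigns: n_back releases behind the newest."""
    ordered = sorted(releases, key=parse_version, reverse=True)
    if len(ordered) <= n_back:
        raise ValueError("not enough releases for an n-%d policy" % n_back)
    return ordered[n_back]


def image_ref(manifest):
    """Return (repository, tag) from the first `image:` line of the manifest."""
    m = re.search(r"^\s*image:\s*(\S+):([\w.\-]+)", manifest, re.MULTILINE)
    if not m:
        raise ValueError("no tagged image in manifest")
    return m.group(1), m.group(2)


def needs_update(pinned_tag, releases, n_back=2):
    """True when the pinned tag is older than the policy target.
    A DaemonSet pinned like this never moves on its own."""
    return parse_version(pinned_tag) < parse_version(policy_target(releases, n_back))


def rollout_commands(manifest, releases, n_back=2):
    """kubectl commands that move the DaemonSet to the policy target.
    `set image` changes the pod template; with the default RollingUpdate
    strategy Kubernetes then replaces the pods node by node."""
    name = re.search(r"metadata:\s*\n\s*name:\s*(\S+)", manifest).group(1)
    namespace = re.search(r"^\s*namespace:\s*(\S+)", manifest, re.MULTILINE).group(1)
    container = re.search(r"-\s*name:\s*(\S+)", manifest).group(1)
    repo, tag = image_ref(manifest)
    if not needs_update(tag, releases, n_back):
        return []
    target = policy_target(releases, n_back)
    return [
        "kubectl -n %s set image daemonset/%s %s=%s:%s"
        % (namespace, name, container, repo, target),
        "kubectl -n %s rollout status daemonset/%s" % (namespace, name),
    ]


if __name__ == "__main__":
    repo, tag = image_ref(MANIFEST)
    print("pinned:", tag, "policy target:", policy_target(RELEASES))
    for cmd in rollout_commands(MANIFEST, RELEASES):
        print(cmd)
```

The check deliberately reports only a tag that is older than the policy target; a manifest already at or ahead of the target produces no commands, which is the state an administrator wants to see after the rolling update completes.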
A technology company is running a Kubernetes-based microservices architecture deployed across both on-premises data centers and multiple cloud environments, including AWS and Google Cloud. The security team wants a unified solution that provides runtime protection, threat detection, and container visibility across their hybrid cloud infrastructure.
Which CrowdStrike Falcon® sensor should they deploy?
- A . Falcon Cloud Workload Protection (CWP) Sensor
- B . Falcon Sensor for MacOS
- C . Falcon Forensic Collection Tool
- D . Falcon Sensor for Mobile Devices
A
Explanation:
Option A: Falcon CWP is designed to secure containerized workloads across hybrid cloud environments, providing real-time threat detection, runtime protection, and visibility into Kubernetes clusters regardless of where they are deployed. It supports multi-cloud and on-premises deployments, making it the best fit for this scenario.
Option B: This sensor is tailored for Mac endpoint security and does not provide Kubernetes runtime protection. It is intended for user devices rather than containerized environments.
Option C: This tool is useful for post-incident forensic investigations but does not provide proactive runtime protection. It is not intended for continuous security monitoring in Kubernetes environments.
Option D: Mobile security sensors are designed for iOS and Android devices, focusing on mobile endpoint security rather than cloud-native workloads. They do not offer runtime protection for Kubernetes environments.
Which are valid attributes when creating an image group?
- A . Image tags and Image name
- B . Repository and Image tags
- C . Image name and Repository
- D . Registry and Image name
B
Explanation:
When creating an image group in CrowdStrike Falcon Cloud Security, valid attributes must align with how container images are uniquely identified and organized. The supported attributes include repository and image tags, which together allow precise grouping of related images.
The repository defines the image namespace or project within a registry, while image tags represent versions or variants such as latest, prod, or semantic versions. Using these attributes enables security teams to target policies and assessments consistently across image versions without relying on static names.
Options involving image name are incorrect because Falcon does not use a standalone image name field for grouping. Image identity is derived from registry, repository, and tag combinations. Registry can be used in some grouping contexts, but for image groups specifically, repository and tag are the valid selectable attributes.
Therefore, the correct answer is Repository and Image tags.
When configuring a cloud account with APIs for CrowdStrike Falcon, which permissions must the API client include?
- A . Permissions to perform administrative tasks across all resources within the cloud account.
- B . Full permissions for all API calls to ensure Falcon has unrestricted access.
- C . Custom permissions that only allow integration with third-party monitoring tools.
- D . Scoped permissions to access specific resources such as compute, identity, and logging services required by Falcon.
D
Explanation:
Option A: Granting administrative tasks across all resources is excessive and violates the principle of least privilege. Scoped permissions specific to Falcon’s needs are sufficient and more secure.
Option B: Unrestricted access to all API calls is unnecessary and introduces significant security risks. Falcon’s integration requires only specific permissions, not full administrative access.
Option C: Permissions limited to third-party monitoring tools would exclude the necessary actions for Falcon to function properly, such as managing cloud configurations and detecting misconfigurations.
Option D: Scoped permissions ensure Falcon has access to resources it needs (e.g., compute for workload monitoring, identity for user access logs, and logging services like CloudTrail). This approach balances functionality and security.
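As an added example (not CrowdStrike's or AWS's code), the script below lints a cloud API-client policy document for the over-broad grants that options A and B describe and reports which services it actually touches, so an administrator can compare that set against the documented requirements. The two policies are constructed AWS-style IAM documents; the specific actions a real Falcon registration needs come from CrowdStrike's documentation, not from this script.

```python
"""Lint an API-client policy for wildcard or write-capable grants and list
the services it reaches, so it can be checked against a documented scope.

Added example, not CrowdStrike's or AWS's code. Both policy documents are
constructed; the real required action list is in the vendor documentation.
"""
import json

# Constructed: the "give it everything" shape option B describes.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: read-only, service-scoped grants in the spirit of option D
# (compute, identity, logging). Action names are illustrative.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:ListUsers", "iam:ListRoles", "iam:GetAccountSummary"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["cloudtrail:DescribeTrails", "cloudtrail:LookupEvents"],
         "Resource": "*"},
    ],
})

# Verbs treated as read-only for the "write on Resource '*'" check.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup")


def _as_list(x):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return x if isinstance(x, list) else [x]


def lint_policy(document):
    """Return {'services': set, 'findings': list} for a policy JSON string."""
    policy = json.loads(document)
    services, findings = set(), []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append("stmt %d: Action '*' grants every API call" % i)
                services.add("*")
                continue
            service, _, verb = action.partition(":")
            services.add(service)
            if verb == "*":
                findings.append("stmt %d: %s grants all of %s" % (i, action, service))
            elif not verb.startswith(READ_ONLY_PREFIXES) and "*" in resources:
                findings.append("stmt %d: write-capable %s on Resource '*'" % (i, action))
    return {"services": services, "findings": findings}


def is_scoped(document, allowed_services):
    """True when every Allow stays inside allowed_services with no wildcard
    or unscoped write grants: the shape option D asks for."""
    result = lint_policy(document)
    return not result["findings"] and result["services"] <= set(allowed_services)


if __name__ == "__main__":
    expected = {"ec2", "iam", "cloudtrail"}   # assumed documented scope
    for label, doc in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        report = lint_policy(doc)
        print(label, "scoped:", is_scoped(doc, expected), report["findings"])
```

The read-only prefix list is a heuristic, not an authoritative classification; its purpose is to surface statements that need a human look, which is the same role a least-privilege review plays before an API client is created.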
You are troubleshooting an issue with an Azure account registered in Falcon Cloud Security. The registration appeared to be successful but certain CSPM operations, including asset inventories and IOM detection, are failing.
How can you securely test the hypothesis that these failed CSPM operations are related to your firewall configuration?
- A . Check that you have allowlisted the IP addresses provided in the public-facing CrowdStrike documentation
- B . Begin investigating another hypothesis as there is no way blocked traffic could be responsible
- C . Temporarily open up the firewall to all inbound traffic for testing purposes
A
Explanation:
The secure and recommended approach to validate whether firewall restrictions are causing CSPM failures is to confirm that CrowdStrike’s documented IP addresses are allowlisted. Falcon Cloud Security relies on outbound API connectivity to cloud providers, and blocked traffic can disrupt asset inventory collection and IOM detection even if registration succeeds.
CrowdStrike publishes required IP ranges and endpoints for each cloud region. Verifying firewall rules against this documentation is a low-risk, best-practice troubleshooting step that preserves security controls while validating connectivity assumptions.
Opening firewalls broadly is insecure and unnecessary, and dismissing firewall-related causes without verification can delay resolution. Therefore, the correct answer is Check that you have allowlisted the IP addresses provided in the public-facing CrowdStrike documentation.
After reviewing IAM findings from CrowdStrike CIEM, you observe the following issues:
• Multiple users have excessive permissions beyond their job requirements.
• Several accounts have been inactive for more than six months.
• Roles with administrative privileges are assigned to temporary contractors.
Which of the following remediation actions should be prioritized to address these findings?
- A . Disable all inactive accounts and enforce MFA for all users.
- B . Revoke excessive permissions and implement a role-based access control (RBAC) policy.
- C . Delete all roles with administrative privileges immediately.
- D . Reassign administrative privileges from temporary contractors to permanent employees and monitor them closely.
B
Explanation:
Option A: Disabling inactive accounts and enforcing MFA are important steps, but they do not address the excessive permissions issue, which poses a more immediate risk. These measures can be part of a broader remediation strategy but are not the top priority.
Option B: Revoking excessive permissions directly addresses the risk of privilege escalation and unauthorized access. Implementing RBAC ensures that users only have the permissions necessary for their roles, reducing the attack surface and improving overall security posture. These actions provide a proactive approach to addressing IAM issues effectively.
Option C: Deleting all administrative roles indiscriminately can disrupt operations and is not a practical solution. Instead, roles should be reviewed and adjusted based on necessity and security requirements.
Option D: Reassigning privileges might reduce some risks but does not address the root cause of excessive permissions or inactive accounts. A comprehensive RBAC policy is a more effective solution.
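To show how the three findings above translate into an ordered remediation list, here is an added example that is not CrowdStrike CIEM output or code. It compares granted permissions with the ones an identity actually used, flags accounts idle for more than six months, and flags administrative grants held by contractors, then sorts so that revoking excess (option B) comes first. The identities, permission sets, activity dates and the fixed "today" are constructed; a real CIEM export has its own schema.

```python
"""Turn CIEM-style entitlement findings into a prioritized remediation plan:
revoke unused permissions first, then disable long-inactive accounts.

Added example, not CrowdStrike CIEM code or output. All identities,
permissions and dates below are constructed.
"""
from datetime import date, timedelta

TODAY = date(2025, 1, 15)              # fixed so results are reproducible
INACTIVE_AFTER = timedelta(days=180)   # "more than six months"

# Constructed identities: granted vs. actually-used permissions,
# last activity date and account type.
IDENTITIES = [
    {"name": "alice", "kind": "employee", "last_activity": date(2025, 1, 10),
     "granted": {"s3:GetObject", "s3:PutObject", "iam:CreateUser",
                 "ec2:TerminateInstances"},
     "used": {"s3:GetObject", "s3:PutObject"}},
    {"name": "bob", "kind": "employee", "last_activity": date(2024, 5, 1),
     "granted": {"s3:GetObject"}, "used": {"s3:GetObject"}},
    {"name": "carol", "kind": "contractor", "last_activity": date(2025, 1, 12),
     "granted": {"iam:*", "ec2:*"}, "used": {"ec2:DescribeInstances"}},
]

# Grants treated as administrative for this example.
ADMIN_MARKERS = ("iam:*", "*")


def unused_permissions(identity):
    """Granted but never exercised: the excess an RBAC role should not carry."""
    return identity["granted"] - identity["used"]


def is_inactive(identity, today=TODAY):
    """Idle longer than the six-month threshold."""
    return today - identity["last_activity"] > INACTIVE_AFTER


def holds_admin(identity):
    return any(p in ADMIN_MARKERS for p in identity["granted"])


def remediation_plan(identities, today=TODAY):
    """Ordered actions as (severity, identity, action).
    Severity 1: revoke excess permissions, including contractor admin roles.
    Severity 2: disable inactive accounts. Sorted by severity, then name."""
    actions = []
    for ident in identities:
        excess = unused_permissions(ident)
        if excess:
            actions.append((1, ident["name"],
                            "revoke %s" % ", ".join(sorted(excess))))
        if holds_admin(ident) and ident["kind"] == "contractor":
            actions.append((1, ident["name"], "remove admin role from contractor"))
        if is_inactive(ident, today):
            actions.append((2, ident["name"], "disable inactive account"))
    return sorted(actions)


if __name__ == "__main__":
    for severity, who, what in remediation_plan(IDENTITIES):
        print(severity, who, what)
```

The revoke action lists every unused permission rather than only the dangerous-looking ones, because the RBAC policy the explanation recommends is built from what a role actually needs, and usage data is the evidence for that.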
