Practice Free CCCS-203b Exam Online Questions
In which environment condition does CrowdStrike recommend starting with Phase 1: Initial deployment rather than moving directly to Phase 2: Interim protection?
- A . Hosts in multiple clouds
- B . Pre-existing HIPS suites
- C . Highly ephemeral workloads
- D . No internet connectivity
B
Explanation:
CrowdStrike recommends starting with Phase 1: Initial deployment when an environment already has pre-existing Host Intrusion Prevention Systems (HIPS) or similar legacy security controls in place. This guidance is based on the need to carefully evaluate compatibility, performance impact, and policy overlap before enabling more advanced protections.
Phase 1 focuses on sensor deployment, baseline visibility, and detection-only monitoring. This approach allows security teams to observe system behavior, identify potential conflicts, and fine-tune policies without immediately enforcing blocking or prevention actions. When legacy HIPS solutions are already active, enabling stronger protections too quickly can lead to false positives, application disruptions, or system instability.
Phase 2: Interim protection is better suited for environments that are cloud-native, highly ephemeral, or already aligned with modern endpoint security practices. However, environments with existing HIPS suites require a more cautious rollout to avoid overlapping controls and duplicated enforcement.
CrowdStrike’s phased deployment model ensures a smooth transition by prioritizing stability and operational awareness. Therefore, when pre-existing HIPS suites are present, CrowdStrike documentation and deployment best practices clearly recommend beginning with Phase 1: Initial deployment before progressing to stronger enforcement phases.
A cloud security engineer is responsible for ensuring that their Kubernetes-based microservices architecture adheres to industry security standards. The organization wants to implement runtime security best practices and verify that their cluster configuration complies with the latest CIS (Center for Internet Security) benchmarks.
Which CrowdStrike Falcon feature should the engineer use to perform a compliance check against industry benchmarks?
- A . Falcon Identity Protection
- B . Falcon Prevent (NGAV)
- C . Falcon Forensics Collection
- D . Falcon Horizon (CSPM)
D
Explanation:
Option A: Falcon Identity Protection helps detect identity-based attacks and credential misuse but does not provide compliance checks for cloud or Kubernetes environments.
Option B: Falcon Prevent is a next-generation antivirus (NGAV) solution that protects against malware and endpoint threats, but it does not assess cloud infrastructure or Kubernetes configurations against compliance benchmarks.
Option C: Falcon Forensics is useful for post-incident investigations but does not provide real-time security posture monitoring or compliance checks against industry benchmarks.
Option D: Falcon Horizon is CrowdStrike’s Cloud Security Posture Management (CSPM) solution, designed to monitor cloud, Kubernetes, and Docker configurations for compliance with security benchmarks such as CIS, NIST, and PCI-DSS. It provides continuous monitoring and remediation recommendations for misconfigurations, making it the best choice for compliance verification.
What is the first step in summarizing IAM findings using CrowdStrike Cloud Infrastructure Entitlement Manager (CIEM)?
- A . Conduct a manual penetration test to validate the findings.
- B . Use CIEM’s Identity Analyzer to generate a findings summary, highlighting potential risks and misconfigurations.
- C . Manually review all IAM policies across cloud environments.
- D . Export the CIEM report and analyze it using third-party software.
B
Explanation:
Option A: While penetration testing is a valuable security practice, it is not the first step in summarizing IAM findings. CIEM’s Identity Analyzer is designed to provide immediate insights into IAM misconfigurations.
Option B: CIEM’s Identity Analyzer automatically compiles and summarizes findings related to IAM configurations, such as overprivileged accounts, inactive users, and missing MFA. This summary provides actionable insights, allowing administrators to address security gaps efficiently without manual effort.
Option C: This approach is inefficient and error-prone, particularly in complex, multi-cloud environments. CIEM automates the process of identifying IAM issues, making manual reviews unnecessary.
Option D: While exporting data for further analysis can be useful, CIEM provides built-in tools to generate actionable summaries. Using third-party software adds unnecessary complexity and delays remediation.
You are investigating unassessed images using Falcon Cloud Security.
What widget displays current totals of assessed and unassessed images in the Registry connections section under Image assessment settings?
- A . Image processing
- B . Assessed images
- C . Connection status
- D . Registry assessment status
D
Explanation:
In Falcon Cloud Security, the Registry assessment status widget provides visibility into the current state of container image assessments for connected registries. This widget displays aggregate totals of assessed and unassessed images, allowing analysts to quickly determine whether images are being successfully scanned.
When investigating unassessed images, this widget is the primary starting point because it reflects real-time assessment coverage across all configured registry connections. It helps identify gaps caused by authentication failures, network restrictions, throttling, or configuration limits such as assessment age thresholds.
Other widgets provide narrower views. Image processing focuses on images currently being scanned, Assessed images only shows completed scans without highlighting gaps, and Connection status reflects connectivity health but not assessment coverage.
CrowdStrike documentation and UI design emphasize the Registry assessment status widget as the authoritative summary for image assessment completeness. Therefore, the correct answer is Registry assessment status.
You want to block privileged containers from being executed in your Kubernetes cluster.
What sensor type should you deploy?
- A . Kubernetes Protection Agent
- B . Kubernetes Sensor
- C . Kubernetes Image Assessment at Runtime
- D . Kubernetes Admission Controller
D
Explanation:
To block privileged containers before they are executed, CrowdStrike recommends deploying the Kubernetes Admission Controller. This component operates at admission time, intercepting Kubernetes API requests and enforcing security policies before workloads are allowed to run.
Privileged containers represent a significant security risk because they can bypass isolation boundaries and access host resources. The Kubernetes Admission Controller can enforce policies that explicitly deny deployments using privileged flags, hostPath mounts, or other high-risk configurations.
Other options do not provide enforcement. Runtime sensors and agents can detect or alert on risky behavior after execution, but they cannot prevent the workload from starting. Image assessment evaluates image content but does not enforce Kubernetes runtime constraints.
Therefore, to proactively block privileged containers, the correct and CrowdStrike-recommended solution is the Kubernetes Admission Controller.
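The explanation above describes what an admission controller does at a high level: intercept the API request and deny workloads with privileged flags or hostPath mounts before they run. The following is an added illustrative example, not CrowdStrike's Kubernetes Admission Controller code or policy engine. It models the check a validating admission webhook performs on the Pod manifest carried in an AdmissionReview request and builds the allow/deny response the API server expects. The denied settings (privileged containers, hostPath volumes, host namespaces) are an assumed policy chosen to match the explanation; the sample manifests are constructed.

```python
"""Admission-time policy check for high-risk Pod settings.

Added illustrative example, not CrowdStrike's Kubernetes Admission Controller
code. A validating admission webhook receives the Pod as request.object inside
an AdmissionReview and answers with response.allowed plus an optional status
message that the API server shows to whoever submitted the workload.
"""

# Assumed policy: host namespace sharing is denied along with privileged
# containers and hostPath volumes.
DENIED_HOST_NAMESPACES = ("hostPID", "hostIPC", "hostNetwork")


def _containers(pod_spec):
    """Yield (list name, container) for init, regular and ephemeral containers."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(key, []):
            yield key, container


def evaluate_pod(pod):
    """Return a list of policy violations for a Pod manifest; empty means allowed."""
    violations = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    for kind, container in _containers(spec):
        security_context = container.get("securityContext") or {}
        if security_context.get("privileged") is True:
            violations.append(
                f"{name}: {kind}/{container.get('name')} requests privileged=true")

    for volume in spec.get("volumes", []):
        if "hostPath" in volume:
            path = volume["hostPath"].get("path", "?")
            violations.append(f"{name}: volume {volume.get('name')} mounts hostPath {path}")

    for field in DENIED_HOST_NAMESPACES:
        if spec.get(field) is True:
            violations.append(f"{name}: pod sets {field}=true")

    return violations


def admission_review_response(review):
    """Build the AdmissionReview response a validating webhook returns to the API server."""
    request = review["request"]
    violations = evaluate_pod(request["object"])
    response = {"uid": request["uid"], "allowed": not violations}
    if violations:
        # status.message is surfaced to the user whose kubectl apply was rejected.
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": review.get("apiVersion", "admission.k8s.io/v1"),
            "kind": "AdmissionReview", "response": response}


# Constructed sample manifests (not taken from any real cluster).
RISKY_POD = {
    "metadata": {"name": "debug-shell"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": True}}],
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    },
}
CLEAN_POD = {
    "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "nginx",
                             "securityContext": {"privileged": False,
                                                 "allowPrivilegeEscalation": False}}]},
}


def sample_review(pod, uid="constructed-uid-1"):
    """Wrap a Pod in a minimal AdmissionReview request, as the API server would send it."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "object": pod}}


if __name__ == "__main__":
    for pod in (RISKY_POD, CLEAN_POD):
        result = admission_review_response(sample_review(pod))["response"]
        verdict = "allowed" if result["allowed"] else "denied: " + result["status"]["message"]
        print(pod["metadata"]["name"], verdict)
```

Because the decision is made on the submitted manifest before any container starts, a denied Pod never reaches the node; a runtime sensor seeing the same privileged flag could only alert once the process was already running, which is the distinction the explanation draws between admission control and runtime detection.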
After identifying a risky Azure Service Principal using the CrowdStrike CIEM/Identity Analyzer, what is the most appropriate action to mitigate the risk?
- A . Replace the Service Principal with a managed identity to eliminate credential-related risks.
- B . Assign the Service Principal an "Owner" role for temporary troubleshooting purposes.
- C . Immediately delete the Service Principal and its associated secrets.
- D . Rotate the Service Principal’s credentials and reduce its permissions to the minimum necessary.
D
Explanation:
Option A: While managed identities are a secure alternative to Service Principals, this is not always feasible for existing workflows. It may require significant reconfiguration, making it a long-term consideration rather than an immediate action.
Option B: Assigning high-level permissions like "Owner" unnecessarily increases risk. Troubleshooting should use roles with only the necessary permissions.
Option C: Deleting the Service Principal without understanding its purpose could disrupt workflows or critical services. A more measured approach is necessary to assess and mitigate risks.
Option D: Rotating credentials ensures that any compromised secrets are invalidated, while reducing permissions to the minimum necessary aligns with the principle of least privilege. This approach mitigates risks without disrupting the Service Principal’s intended functionality.
A company is onboarding multiple cloud accounts to CrowdStrike Falcon and encounters a failure when attempting to register its Google Cloud Platform (GCP) project. The error message states that Falcon cannot access the project resources.
What is the most likely reason for this issue?
- A . The GCP project must have Falcon’s external IP address manually added to its firewall rules to allow account registration.
- B . The required service account for CrowdStrike Falcon is missing or does not have the correct permissions assigned.
- C . The Google Cloud project must first be converted into an AWS account before it can be registered in CrowdStrike Falcon.
- D . The Falcon Console requires at least one workload in the Google Cloud project to have a CrowdStrike sensor installed before registration.
B
Explanation:
Option A: Falcon does not require manual firewall configuration for registration. It uses API-based access to integrate with cloud environments.
Option B: In GCP, CrowdStrike Falcon requires a service account with the necessary permissions to access security data. If the service account is missing or lacks the required roles, Falcon cannot retrieve metadata or monitor resources, causing the registration to fail.
Option C: Falcon supports AWS, Azure, and GCP independently. There is no requirement to convert a GCP project into an AWS account for registration.
Option D: Falcon registration does not require sensor installation on workloads. The registration process is focused on cloud infrastructure security, separate from endpoint protection.
Which CrowdStrike Falcon capability is most effective for identifying suspicious or malicious network connections initiated by workloads in a runtime environment?
- A . IP Blacklist Integration for Inbound Traffic Only
- B . Scheduled Audits of Network Configurations
- C . Real-Time Network Monitoring with Behavioral Analytics
- D . Network Threat Detection in Development Pipelines
C
Explanation:
Option A: Relying solely on inbound traffic blacklists limits the scope of protection. Many malicious activities, such as data exfiltration or beaconing, involve outbound connections.
Option B: Periodic audits can identify misconfigurations but lack the ability to detect or respond to real-time network activity or emerging threats.
Option C: CrowdStrike Falcon provides real-time monitoring and behavioral analytics to detect abnormal network activity in runtime environments. This feature allows security teams to identify and investigate malicious connections based on patterns or anomalies in communication, such as unusual ports, destinations, or traffic volumes.
Option D: While development pipeline scanning is useful for ensuring secure code and configurations, it does not address runtime network behavior or connections initiated by running workloads.
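Option C's explanation refers to flagging connections by unusual ports, destinations or traffic volumes relative to normal behavior. The following is an added illustrative example, not CrowdStrike Falcon code: it shows the simplest form of that baseline-and-deviation logic over outbound connection records from workloads. The record layout, the per-workload profile and the volume threshold are assumptions, and the records are constructed, not captured traffic.

```python
"""Baseline-and-deviation check over outbound workload connections.

Added illustrative example, not CrowdStrike Falcon code. It learns what each
workload normally connects to, then flags connections to never-seen
destinations, new ports on known destinations, or with outbound volume far
above the workload's typical transfer. Thresholds and the record layout are
assumptions made for the example.
"""
from collections import defaultdict
from statistics import mean

# Constructed records: (workload, destination_ip, destination_port, bytes_out)
BASELINE_RECORDS = [
    ("payments-api", "10.0.0.5", 5432, 1200),
    ("payments-api", "10.0.0.5", 5432, 800),
    ("payments-api", "10.0.0.9", 443, 2000),
    ("payments-api", "10.0.0.9", 443, 1600),
]
CURRENT_RECORDS = [
    ("payments-api", "10.0.0.5", 5432, 900),       # within baseline
    ("payments-api", "198.51.100.7", 443, 300),    # destination never seen before
    ("payments-api", "10.0.0.9", 443, 50000),      # known peer, unusually large transfer
    ("payments-api", "10.0.0.5", 4444, 100),       # known peer, port never used before
    ("batch-job", "10.0.0.9", 443, 500),           # workload with no learned baseline
]


def build_baseline(records):
    """Per workload: known (ip, port) pairs, known destination ips, and mean bytes_out."""
    peers = defaultdict(set)
    hosts = defaultdict(set)
    volumes = defaultdict(list)
    for workload, ip, port, nbytes in records:
        peers[workload].add((ip, port))
        hosts[workload].add(ip)
        volumes[workload].append(nbytes)
    return {w: {"peers": peers[w], "hosts": hosts[w], "mean_bytes": mean(volumes[w])}
            for w in peers}


def find_anomalies(baseline, records, volume_factor=5.0):
    """Return one (record, reason) finding per record that deviates from its baseline."""
    findings = []
    for record in records:
        workload, ip, port, nbytes = record
        profile = baseline.get(workload)
        if profile is None:
            # An unknown workload cannot be judged normal; surface it for review.
            findings.append((record, "no baseline for workload"))
            continue
        if ip not in profile["hosts"]:
            findings.append((record, "new destination"))
        elif (ip, port) not in profile["peers"]:
            findings.append((record, "new port on known destination"))
        elif nbytes > volume_factor * profile["mean_bytes"]:
            findings.append((record, "outbound volume above baseline"))
    return findings


if __name__ == "__main__":
    profile = build_baseline(BASELINE_RECORDS)
    for record, reason in find_anomalies(profile, CURRENT_RECORDS):
        print(f"{reason:32} {record}")
```

The baseline is learned from the workload's own history, so a database port that is normal for one service is still an anomaly for another; a static inbound blacklist (Option A) has no such per-workload notion of "normal" and would not see any of the outbound cases above.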
Using CrowdStrike CIEM/Identity Analyzer, which of the following indicates an account that uses MFA?
- A . An account with no configured security policy for additional authentication factors.
- B . An account that uses only an SSH key pair for authentication.
- C . An account that prompts users to enter a code sent to their email in addition to their password.
- D . An account that requires a username and password to log in.
C
Explanation:
Option A: Accounts without an additional authentication factor clearly do not use MFA. This scenario indicates a lack of proper security policies.
Option B: SSH key pairs are a single-factor authentication mechanism based on "something you have." While secure, this does not qualify as MFA unless combined with an additional factor, such as a password or OTP.
Option C: Multi-Factor Authentication (MFA) requires at least two forms of authentication, typically combining something the user knows (password) and something they have (email code, authenticator app). This example clearly demonstrates the use of MFA by requiring an additional code after password entry.
Option D: A username and password alone constitute single-factor authentication. While secure passwords are important, they do not meet the criteria for MFA.
You are tasked with creating a Falcon Fusion workflow to notify your cloud operations team when a new detection is triggered for an unapproved cloud policy violation.
What is the first step you should take in setting up this workflow?
- A . Configure the notification channels for the cloud operations team.
- B . Define the trigger conditions for the workflow.
- C . Enable auto-remediation for the policy violation.
- D . Select "Create New Workflow" from the Falcon Fusion console.
D
Explanation:
Option A: Configuring notification channels is a critical step, but it occurs after the initial workflow creation. Jumping directly to this step skips foundational aspects like defining triggers and conditions.
Option B: Triggers are vital to the workflow, but they can only be defined after the workflow has been created. Defining triggers before creating the workflow is not possible in Falcon Fusion.
Option C: Auto-remediation is an optional feature that can be added to a workflow, but it is not a required or initial step when creating a workflow.
Option D: The first step in creating a Falcon Fusion workflow is to select "Create New Workflow" from the Falcon Fusion console. This is where the entire workflow configuration process begins. Starting here allows you to define subsequent steps like triggers, actions, and notification methods. Many users mistakenly believe they should start by configuring notification channels or defining triggers, but those steps come later in the workflow setup process.
