Practice Free CCCS-203b Exam Online Questions
A company wants to create a Falcon Sensor policy to enforce strict monitoring on critical servers.
What is an essential configuration step for the policy?
- A. Configure prevention settings such as "Exploit Mitigation" and "Malware Prevention" for the policy.
- B. Add the policy under the "Sensor Exclusions" tab in the Falcon Console.
- C. Assign the policy to the "Default Group" to ensure global coverage.
- D. Set the policy mode to "Detection Only" for all servers.
Answer: A
Explanation:
Option A: Configuring prevention settings like "Exploit Mitigation" and "Malware Prevention" is critical to enhancing security on servers. These settings let the Falcon Sensor proactively block threats rather than only report them.
Option B: The "Sensor Exclusions" tab is for excluding specific files, paths, or processes from monitoring, not for creating or applying policies.
Option C: Assigning to the "Default Group" might lead to unintended policy application across non-critical systems. Policies should target specific groups for better control.
Option D: While "Detection Only" provides visibility, it does not actively prevent threats. For critical servers, enabling prevention is more appropriate to mitigate risks.
A security team using CrowdStrike Falcon Runtime Protection wants to detect and respond to Indicators of Attack (IOAs) in their containerized environment.
Which of the following is the best approach for detecting IOAs in real-time?
- A. Monitor system calls and process behaviors in runtime to detect anomalous activity indicative of an attack.
- B. Block all incoming network connections to containerized workloads to prevent potential attacks.
- C. Only analyze static container images for known vulnerabilities before deployment.
- D. Rely exclusively on Kubernetes audit logs to identify threats within the environment.
Answer: A
Explanation:
Option A: CrowdStrike Falcon Runtime Protection detects Indicators of Attack (IOAs) by monitoring system calls, process behaviors, and runtime activities in containers. This allows Falcon to identify anomalous activity, privilege escalation attempts, and suspicious behaviors indicative of an attack.
Option B: Blocking all network traffic would break legitimate communications and is not a practical security measure. Instead, Falcon applies behavioral analytics to detect suspicious network activity dynamically.
Option C: Static analysis alone is insufficient for detecting IOAs, as runtime threats may emerge after deployment, including zero-day attacks and living-off-the-land techniques.
Option D: While Kubernetes audit logs provide useful insights, they do not capture all IOAs, particularly those at the process and system call level within containers.
During a review of the CrowdStrike Falcon asset inventory, you notice a legacy Windows XP device that is not running an endpoint protection solution. This asset has frequent outbound connections to unrecognized external IPs.
Which of the following is the best course of action to handle this risky asset?
- A. Ignore the asset as it might be part of a legitimate business process.
- B. Uninstall the device from the asset inventory to reduce noise in monitoring.
- C. Immediately block all outbound connections from this asset at the firewall.
- D. Quarantine the device using Falcon’s network containment feature and initiate a vulnerability assessment.
Answer: D
Explanation:
Option A: Even if the asset serves a legitimate purpose, ignoring it without addressing its risks leaves your environment exposed to potential exploits or lateral movement by attackers.
Option B: Removing the asset from the inventory introduces blind spots in your monitoring and doesn’t address the security risks it poses.
Option C: Blocking connections at the firewall addresses only part of the issue and doesn’t resolve the inherent vulnerability of the device. The asset still requires further investigation and isolation.
Option D: Legacy systems like Windows XP are inherently risky as they no longer receive security updates. Coupled with the lack of endpoint protection and suspicious outbound traffic, this asset poses a significant threat. Quarantining the device ensures it is isolated from the network while a vulnerability assessment identifies any further risks or malicious activity. This is a proactive and effective approach to mitigating the risk.
What is a valid reason for adding your base images into Falcon Cloud Security?
- A. Base image CVEs cannot be exploited by adversaries
- B. All base image CVEs are less risky than other CVEs
- C. Reduce duplicates when a base image is used multiple times
Answer: C
Explanation:
A valid and recommended reason for adding base images into Falcon Cloud Security is to reduce duplicate findings when a base image is used multiple times. Base images are commonly shared across many application images, meaning vulnerabilities, secrets, or detections present in the base layer can appear repeatedly across derived images.
By onboarding base images directly into Falcon Cloud Security, the platform can more efficiently track and correlate vulnerabilities at their source. This allows security teams to remediate issues once at the base image level rather than addressing the same findings across every downstream image. As a result, vulnerability management becomes more accurate, scalable, and operationally efficient.
The other options are incorrect and potentially dangerous assumptions. Base image CVEs can absolutely be exploited by adversaries, and base image vulnerabilities are not inherently less risky than other CVEs. In many cases, unpatched base images are a primary attack vector in containerized environments.
CrowdStrike’s container image strategy emphasizes reducing noise, improving prioritization, and enabling faster remediation. Adding base images supports these goals by minimizing duplicate alerts and providing clearer insight into risk inheritance across image hierarchies. Therefore, the correct answer is Reduce duplicates when a base image is used multiple times.
A security administrator needs to edit an existing Falcon Sensor policy to reduce the potential for false positives.
What action is required to achieve this?
- A. Add an exclusion rule for all system processes to prevent unnecessary alerts.
- B. Delete the existing policy and recreate it with the updated configuration.
- C. Lower the sensitivity of "Exploit Detection" to avoid triggering false alerts.
- D. Move the policy to the bottom of the policy priority list in the Falcon Console.
Answer: C
Explanation:
Option A: Excluding all system processes creates a significant security risk and is not an effective way to manage false positives.
Option B: Editing the existing policy is sufficient and does not require deletion. Recreating policies unnecessarily increases administrative overhead.
Option C: Lowering the sensitivity of "Exploit Detection" can help reduce false positives by adjusting the thresholds for detecting potential threats. This action retains proactive protection while improving alert accuracy.
Option D: Policy priority affects which policy is applied when multiple policies overlap but does not address false positives within a policy.
After deploying the CrowdStrike Kubernetes protection agent, an organization wants to ensure their environment is fully protected.
Which of the following describes a key feature of the Kubernetes protection agent?
- A. The agent performs host-level vulnerability scanning exclusively for the Kubernetes control plane.
- B. The agent enables runtime protection by monitoring container activities and blocking malicious behaviors.
- C. The agent replaces the need for Kubernetes Role-Based Access Control (RBAC) policies.
- D. The agent provides deep packet inspection for all network traffic in the cluster.
Answer: B
Explanation:
Option A: This is incorrect as the Kubernetes protection agent provides protection across nodes and workloads, not exclusively the control plane. Host-level vulnerability scanning is a broader CrowdStrike capability.
Option B: One of the core features of the Kubernetes protection agent is runtime protection, which involves monitoring container activities, detecting malicious behaviors, and providing mechanisms to block them in real time. This helps ensure the security of running workloads.
Option C: This is incorrect because the Kubernetes protection agent complements Kubernetes security practices, including RBAC policies, rather than replacing them. Proper RBAC configuration remains essential for a secure cluster.
Option D: This is incorrect because the Kubernetes protection agent does not focus on deep packet inspection. Instead, it emphasizes runtime protection, workload monitoring, and compliance. Network security may require additional specialized tools.
You are concerned about an overprivileged cloud identity.
What steps should you take to identify issues with the account’s permissions?
- A. Go to Investigate User Search and filter for the specific identity to see any risky activity related to its permissions
- B. Go to Cloud Indicators of Misconfiguration and filter for the identity to see any risky configurations related to its permissions
- C. Go to Cloud Indicators of Attack and filter for the identity to see any risky activity related to its permissions
- D. Go to Falcon Users Roles and Permissions and filter for the identity to see any risky configurations related to its permissions
Answer: B
Explanation:
To identify issues related to an overprivileged cloud identity, CrowdStrike Falcon Cloud Security directs users to Cloud Indicators of Misconfiguration (CIM). These indicators focus specifically on risky configurations, including excessive permissions, overly broad IAM roles, and violations of least-privilege principles.
By filtering Cloud Indicators of Misconfiguration for the specific identity, security teams can quickly identify misaligned permissions such as wildcard actions, unused privileges, or access that exceeds the role’s intended function. This view is purpose-built for identifying configuration risk, not active attacks or behavioral anomalies.
Cloud Indicators of Attack (CIA) are used to detect suspicious or malicious activity, not static permission risk. Investigate User Search focuses on observed behavior rather than permission design. Falcon Users Roles and Permissions applies to Falcon console access, not cloud-provider IAM identities.
Therefore, the correct and CrowdStrike-aligned approach is to review Cloud Indicators of Misconfiguration for the identity in question.
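The explanation above lists the permission problems a misconfiguration review surfaces for one identity: wildcard actions, broad resource grants and privileges that are never exercised. The script below is an added example, not CrowdStrike's code and not how Falcon Cloud Security implements Cloud Indicators of Misconfiguration; it walks an AWS-style IAM policy document and flags each of those conditions. The policy, the list of observed actions and the function names are all constructed for this example.

```python
"""Least-privilege review of a cloud IAM policy for one identity.

Added example, not CrowdStrike's code and not Falcon Cloud Security's
implementation. It shows the kinds of configuration risk the text lists
for an identity: wildcard actions, write actions granted on every resource,
and privileges the identity never used. The policy document and the list
of observed actions are constructed sample data; the function names are
this example's own.
"""
import fnmatch
import json

# Constructed sample: an AWS-style policy attached to a CI/CD role.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::build-artifacts/*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}
""")

# Constructed sample: actions the role actually invoked during the review window
# (in practice this comes from cloud audit logs such as CloudTrail).
OBSERVED_ACTIONS = ["s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"]

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows a single string or a list in Action and Resource."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """Treat Describe*/Get*/List* actions as read-only; a wildcard name is not."""
    _service, _, name = action.partition(":")
    return name.startswith(READ_ONLY_PREFIXES)


def granted_pairs(policy):
    """Flatten Allow statements into (action, resource) pairs.
    Deny statements only narrow access, so they are not reviewed here."""
    pairs = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                pairs.append((action, resource))
    return pairs


def find_overprivilege(policy, observed_actions):
    """Return one finding per granted (action, resource) pair that carries at
    least one least-privilege concern. Matching is case-sensitive here, a
    simplification of IAM's case-insensitive action matching."""
    findings = []
    for action, resource in granted_pairs(policy):
        reasons = []
        if action == "*" or action.endswith(":*"):
            reasons.append("wildcard action")
        if resource == "*" and not _is_read_only(action):
            reasons.append("write action on all resources")
        # A granted pattern is "unused" if no observed action falls under it.
        if not any(fnmatch.fnmatchcase(seen, action) for seen in observed_actions):
            reasons.append("never used in observation window")
        if reasons:
            findings.append({"action": action, "resource": resource, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_overprivilege(SAMPLE_POLICY, OBSERVED_ACTIONS):
        print(f"{finding['action']} on {finding['resource']}: {', '.join(finding['reasons'])}")
```

Run as-is, it reports the `iam:*` grant (wildcard, all resources, never used) and `ec2:TerminateInstances` on `*` (destructive on all resources, never used), while the scoped S3 grants that the role actually exercises produce no finding. Pairing granted permissions with observed usage is what turns a static policy review into evidence for tightening the role.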
You are tasked with reviewing the installed packages in a container image to ensure compliance with security policies.
Which of the following best describes a secure and efficient approach to this task?
- A. Using the apt-get list command inside the container to manually check package versions.
- B. Using a container security scanning tool to generate a software bill of materials (SBOM).
- C. Creating a custom script to compare installed packages with known vulnerabilities.
- D. Manually reviewing the base image layers using a text editor.
Answer: B
Explanation:
Option A: This is a manual and error-prone process that does not scale well for complex images. It also fails to cross-reference the package list against vulnerability data.
Option B: An SBOM provides a detailed inventory of all installed packages and dependencies in a container image. Container security scanning tools can automatically generate this information and cross-reference it with vulnerability databases, ensuring efficient and accurate reviews.
Option C: While technically possible, this approach is inefficient and unnecessary when purpose-built tools exist. Writing and maintaining such a script is time-intensive and error-prone.
Option D: This is an impractical and incomplete approach. Vulnerabilities cannot be reliably identified by manually inspecting files without the context of vulnerability databases or automated tools.
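Two explanations on this page describe the same workflow from different angles: an SBOM is cross-referenced against vulnerability data (this question), and findings inherited from a shared base image are reported once rather than per derived image (the base image question above). The script below is an added example, not CrowdStrike's or any scanner's code; it uses a deliberately simplified SBOM layout (a flat component list with a `from_base` flag) in place of a real CycloneDX or SPDX document, constructed image names, and placeholder vulnerability identifiers that are not real CVEs.

```python
"""Cross-reference container SBOMs with a vulnerability list, then fold
findings inherited from a shared base image into one entry per base image.

Added example, not CrowdStrike's or any scanner's code. The SBOM layout,
image names, package versions and vulnerability identifiers are all
constructed for this example; a real scanner would emit CycloneDX or SPDX.
"""
from collections import defaultdict

# Constructed: packages every image inherits from the shared base image.
BASE_COMPONENTS = [
    {"name": "openssl", "version": "1.1.1", "from_base": True},
    {"name": "zlib", "version": "1.2.11", "from_base": True},
    {"name": "bash", "version": "5.1", "from_base": True},
]

# Constructed SBOMs for two application images built on the same base.
SBOMS = [
    {"image": "app-a:1.4", "base_image": "base:1.0",
     "components": BASE_COMPONENTS + [{"name": "requests", "version": "2.25", "from_base": False}]},
    {"image": "app-b:0.9", "base_image": "base:1.0",
     "components": BASE_COMPONENTS + [{"name": "numpy", "version": "1.21", "from_base": False}]},
]

# Constructed vulnerability records; the identifiers are placeholders, not CVEs.
VULN_DB = [
    {"id": "EXAMPLE-0001", "package": "openssl", "fixed_in": "1.1.2"},
    {"id": "EXAMPLE-0002", "package": "zlib", "fixed_in": "1.2.12"},
    {"id": "EXAMPLE-0003", "package": "requests", "fixed_in": "2.26"},
    {"id": "EXAMPLE-0004", "package": "numpy", "fixed_in": "1.20"},
]


def _version_key(version):
    """Numeric dotted versions only; real tools need ecosystem-aware comparison."""
    return tuple(int(part) for part in version.split("."))


def cross_reference(sbom, vuln_db):
    """One finding per (component, vulnerability) where the installed version
    is older than the version that carries the fix."""
    findings = []
    for comp in sbom["components"]:
        for vuln in vuln_db:
            if vuln["package"] != comp["name"]:
                continue
            if _version_key(comp["version"]) < _version_key(vuln["fixed_in"]):
                findings.append({
                    "image": sbom["image"],
                    "base_image": sbom["base_image"],
                    "package": comp["name"],
                    "version": comp["version"],
                    "vuln": vuln["id"],
                    "from_base": comp["from_base"],
                })
    return findings


def report(sboms, vuln_db):
    """Scan every image, then report base-layer findings once per base image
    (listing the images that inherit them) and app-layer findings per image."""
    raw = [f for sbom in sboms for f in cross_reference(sbom, vuln_db)]
    base = defaultdict(list)
    app = []
    for f in raw:
        if f["from_base"]:
            base[(f["base_image"], f["package"], f["version"], f["vuln"])].append(f["image"])
        else:
            app.append(f)
    base_findings = [
        {"base_image": k[0], "package": k[1], "version": k[2], "vuln": k[3], "affects": sorted(v)}
        for k, v in sorted(base.items())
    ]
    return {"raw_count": len(raw), "base_findings": base_findings, "image_findings": app}


if __name__ == "__main__":
    out = report(SBOMS, VULN_DB)
    print(f"{out['raw_count']} raw findings folded into {len(out['base_findings'])} "
          f"base-image and {len(out['image_findings'])} image-level findings")
    for b in out["base_findings"]:
        print(f"  fix once in {b['base_image']}: {b['package']} {b['version']} ({b['vuln']}) -> {b['affects']}")
    for f in out["image_findings"]:
        print(f"  fix in {f['image']}: {f['package']} {f['version']} ({f['vuln']})")
```

With the constructed data, five raw findings collapse to three: the two base-layer vulnerabilities are listed once against `base:1.0` with both application images as affected, and only the `requests` finding remains image-specific. That is the practical effect of onboarding base images that the earlier explanation describes: the fix is made once, upstream, and the derived images inherit it on rebuild.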
A financial services company needs to register multiple cloud accounts while adhering to strict compliance regulations such as SOC 2, GDPR, and HIPAA. The company must ensure that the cloud account registration method provides strong access controls, auditability, and compliance tracking.
Which of the following is the best approach?
- A. Allow developers to register their cloud accounts independently with no oversight to speed up onboarding.
- B. Use a shared service account with a single set of credentials for registering all cloud accounts.
- C. Register each cloud account using an administrator’s personal access credentials.
- D. Use an automated cloud registration workflow integrated with identity and access management (IAM) policies.
Answer: D
Explanation:
Option A: Allowing developers to register cloud accounts without oversight creates a shadow IT problem, making it difficult to enforce security policies and track compliance. Unauthorized or improperly registered accounts may violate regulatory requirements.
Option B: Using a shared service account violates least privilege principles and creates compliance risks. If the shared credentials are compromised, multiple accounts could be affected, and it becomes difficult to track individual actions for compliance audits.
Option C: Using an administrator’s personal credentials introduces security and compliance risks. If the administrator leaves the company or their credentials are compromised, it could affect multiple cloud accounts, violating least privilege access principles.
Option D: An automated cloud registration workflow with IAM integration ensures security, auditability, and compliance tracking. IAM policies enforce access controls, ensuring that only authorized users and services can register accounts while maintaining compliance with regulations.
You are investigating IOAs found in your cloud environment after a security breach. You must find any IOAs signifying that the threat actor has used techniques to maintain access to your cloud resources.
What filter on the IOA dashboard can you use to only view these specific IOAs?
- A. Execution
- B. Privilege Escalation
- C. Persistence
- D. Ransomware
Answer: C
Explanation:
In CrowdStrike Falcon Cloud Security, IOAs are categorized using MITRE ATT&CK-aligned tactics to help analysts quickly identify attacker objectives. When investigating how a threat actor may have maintained access to cloud resources after an initial breach, the appropriate tactic to focus on is Persistence.
Persistence IOAs represent techniques such as creating backdoor IAM roles, modifying access policies, adding API keys, enabling long-lived credentials, or altering cloud configurations to survive reboots or credential rotation. Filtering the IOA dashboard by Persistence isolates these behaviors, enabling faster root-cause analysis and remediation.
Other filters serve different investigative purposes. Execution focuses on initial code execution, Privilege Escalation highlights elevation of permissions, and Ransomware identifies encryption-related activity. None of these specifically address long-term access maintenance.
Therefore, filtering by Persistence is the correct and most effective way to identify IOAs related to maintaining access within cloud environments.
