Practice Free CCCS-203b Exam Online Questions
CrowdStrike Falcon Cloud Security provides integration with Kubernetes admission controllers to enhance security by enforcing policies on workloads.
What is the primary function of a Kubernetes admission controller in this security model?
- A . It intercepts and evaluates requests to the Kubernetes API server before objects are persisted in etcd, enforcing security policies.
- B . It monitors outbound network traffic from pods to detect anomalies and prevent data exfiltration.
- C . It scans container images at runtime to detect threats and automatically stops malicious processes.
- D . It replaces Kubernetes Role-Based Access Control (RBAC) to provide more granular permissions for cloud-native applications.
A
Explanation:
Option A: Kubernetes admission controllers operate within the API request lifecycle and evaluate incoming requests after authentication and authorization but before the objects are committed to etcd, the cluster's backing datastore. In Falcon Cloud Security, the admission controller enforces policies such as allowing only trusted container images, preventing the deployment of misconfigured workloads, and ensuring security compliance. This ensures that threats are mitigated before workloads are deployed, reducing the attack surface.
Option B: Network monitoring is a different function handled by network security tools such as Falcon Cloud Security’s workload protection capabilities, which inspect outbound traffic. Admission controllers, however, focus on evaluating and enforcing security policies during deployment.
Option C: Runtime security scanning is an essential security function but is separate from admission controllers. Runtime protection is handled by tools like Falcon Container Security, which continuously monitors running containers for threats. Admission controllers operate at the deployment phase rather than runtime.
Option D: Kubernetes RBAC controls access to resources, while admission controllers validate or mutate requests before resources are created. They do not replace RBAC but can complement it by enforcing additional security policies.
A security team wants to configure scheduled reports in CrowdStrike to track cloud security risks and compliance over time.
Which of the following is a requirement for successfully setting up and using scheduled reports?
- A . Reports must be configured with specific data sources, time frames, and delivery methods
- B . Only administrators with full Falcon platform access can configure and receive scheduled reports
- C . The scheduled reports feature automatically mitigates vulnerabilities upon report generation
- D . The security team must manually generate a new report each time they need security insights
A
Explanation:
Option A: Scheduled reports must be configured with specific parameters such as data sources (cloud assets, compliance findings, threat detections), reporting frequency (daily, weekly, monthly), and delivery methods (email, dashboard, or external integrations).
Option B: While admin-level users can configure reports, role-based access control (RBAC) in CrowdStrike allows specific roles, such as security analysts, to set up and receive reports without full platform access.
Option C: Scheduled reports do not perform automatic mitigation; they provide insights and recommendations, but security teams must take action based on the findings.
Option D: Scheduled reports are automated, meaning that once configured, they are generated periodically without requiring manual execution.
While editing registry connection details in Falcon Cloud Security, which of the following actions ensures minimal disruption to ongoing operations?
- A . Immediately delete the existing connection before creating a new one.
- B . Modify the existing connection details, then save and test the updated connection.
- C . Disable all running workloads dependent on the registry before making edits.
- D . Reset the Falcon Cloud Security settings to default before making any changes.
B
Explanation:
Option A: Deleting the connection immediately disrupts ongoing workflows and may result in failed image assessments or deployments.
Option B: Editing the existing connection details and saving changes is the best approach, as Falcon Cloud Security allows modifications to registry connections with minimal impact. Testing ensures the changes are valid before they take effect.
Option C: Disabling workloads is unnecessary unless the changes involve critical configurations affecting runtime operations.
Option D: Resetting Falcon Cloud Security settings is excessive and risks losing unrelated configurations, introducing unnecessary complications.
Which data sources does CrowdStrike CIEM primarily analyze to identify privileged accounts without multi-factor authentication (MFA)?
- A . Endpoint login logs collected by CrowdStrike Falcon.
- B . Email activity logs from integrated cloud email platforms.
- C . Firewall access control lists (ACLs) for privileged IP ranges.
- D . Cloud provider IAM policy configurations and MFA enforcement settings.
D
Explanation:
Option A: Falcon focuses on endpoint activity and threat detection, which is unrelated to IAM configurations or MFA enforcement. CIEM is tailored to cloud IAM analysis.
Option B: Email activity logs are unrelated to identifying privileged accounts or MFA enforcement. CIEM focuses on cloud provider IAM policies and MFA settings to detect misconfigurations effectively.
Option C: Firewall ACLs are used to control network traffic and are not relevant to cloud IAM or MFA configurations. CIEM operates on IAM data and cloud provider configurations, not network-level settings.
Option D: CIEM analyzes IAM policy configurations to identify accounts with privileged roles and cross-references these findings with MFA enforcement settings to determine which accounts are not protected by MFA. This approach ensures precise detection of misconfigured accounts that could pose security risks.
Which feature of Falcon Horizon allows users to identify exposed cloud services and workloads running without requiring the deployment of a Falcon sensor?
- A . Vulnerability patching orchestration
- B . Deployment of lightweight monitoring agents
- C . Real-time behavioral monitoring
- D . API-driven cloud workload discovery
D
Explanation:
Option A: Patching orchestration is not part of Falcon Horizon’s functionality. Patching focuses on remediation rather than workload discovery or runtime protection.
Option B: While lightweight monitoring agents can provide visibility, deploying them contradicts the requirement of finding workloads without deploying a Falcon sensor. Falcon Horizon’s agentless approach eliminates this dependency.
Option C: Real-time behavioral monitoring is a feature of Falcon modules like Falcon Prevent or Falcon Insight, which require sensors to monitor and analyze workload behavior. This is not applicable to environments without sensor deployment.
Option D: Falcon Horizon uses API-driven cloud workload discovery to analyze the state of resources in the cloud environment. By leveraging APIs provided by cloud service providers, Falcon Horizon gathers data on running workloads, exposed services, and misconfigurations without needing to deploy agents or sensors on individual workloads. This approach is efficient and does not require intrusive installation processes.
Which of the following is a requirement for enabling the Kubernetes Admission Controller for the CrowdStrike Kubernetes and Container Sensor?
- A . Role-Based Access Control (RBAC) must be configured to grant the Admission Controller permissions to intercept and modify API requests.
- B . Pod-level annotations must be added to all running workloads.
- C . The Admission Controller must be deployed as a Custom Resource Definition (CRD).
- D . The Admission Controller requires direct integration with the underlying host operating system kernel.
A
Explanation:
Option A: The Kubernetes Admission Controller requires appropriate RBAC permissions to function correctly. These permissions allow it to validate and enforce policies by intercepting and potentially modifying API requests to the Kubernetes API server. Without the correct RBAC configuration, the Admission Controller cannot enforce security controls or policies effectively.
Option B: While annotations might be used for other configuration purposes, they are not a requirement for enabling the Admission Controller.
Option C: This is incorrect because Admission Controllers are not CRDs. They are built-in or webhook-based components of Kubernetes.
Option D: This is incorrect as Admission Controllers operate at the API level and have no dependency on the host operating system kernel.
You are investigating potential data exfiltration by reviewing IOAs in Falcon Cloud Security. You must check for any evidence of Defense Evasion via Impair Defenses: Disable or Modify Tools activity in your Azure environment.
Which IOA filters meet those requirements to identify any related IOAs?
- A . MITRE Tactic and Technique + Cloud provider
- B . Attack type + Cloud provider
- C . MITRE Tactic and Technique + Service
- D . Attack type + Service
A
Explanation:
Falcon Cloud Security categorizes IOAs using MITRE ATT&CK tactics and techniques, enriched with cloud-provider context to accurately represent cloud-native attack behavior.
To identify Defense Evasion via Impair Defenses: Disable or Modify Tools activity specifically within Azure, analysts must filter IOAs using MITRE Tactic and Technique while also scoping the environment to the cloud provider. This ensures visibility into attacker behaviors such as disabling logging, modifying security services, or impairing monitoring controls at the cloud-provider level.
Filtering by attack type alone lacks the structured MITRE mapping required for accurate investigative workflows. Service-level filters are insufficient because impairment of defenses in cloud environments often impacts provider-managed services rather than individual workloads.
Therefore, MITRE Tactic and Technique + Cloud provider is the correct and most precise filter combination to identify Azure-specific defense evasion IOAs.
What is the primary reason for reviewing the base image of a container when performing a security assessment?
- A . The base image configuration ensures proper runtime performance.
- B . Base images must always include minimal layers to optimize storage.
- C . The base image often contains outdated dependencies that may introduce vulnerabilities.
- D . Reviewing the base image guarantees compatibility with orchestrators like Kubernetes.
C
Explanation:
Option A: While runtime performance can be influenced by the image configuration, the primary focus of a security assessment is identifying and mitigating vulnerabilities, not performance optimization.
Option B: Although using minimal layers can improve storage efficiency, the goal of reviewing base images is to ensure security, not necessarily to reduce the image size.
Option C: The base image forms the foundation of a container. If it contains outdated or vulnerable dependencies, they propagate to every container built from it. Regularly reviewing and updating the base image ensures that known vulnerabilities are mitigated, which is critical for maintaining a secure environment.
Option D: Compatibility with orchestrators like Kubernetes is generally determined by the image’s runtime requirements, not by reviewing the base image for security.
A security engineer has received an alert in the CrowdStrike Falcon console indicating a misconfigured Amazon S3 bucket that is publicly accessible. To mitigate this issue and prevent unauthorized access, which of the following actions should the engineer take first?
- A . Enable AWS Shield Advanced to protect against Distributed Denial-of-Service (DDoS) attacks.
- B . Deploy a Falcon Sensor on the S3 bucket to monitor access attempts.
- C . Create a new IAM role with administrator privileges and attach it to all cloud instances.
- D . Modify the S3 bucket permissions to restrict public access and enforce least privilege.
D
Explanation:
Option A: AWS Shield Advanced protects against DDoS attacks, but it does not resolve misconfigured permissions on an S3 bucket. The root cause of the issue is excessive access permissions, not a network-based attack.
Option B: CrowdStrike Falcon sensors are deployed on cloud workloads (e.g., EC2 instances, containers) but cannot be installed on S3 buckets. Falcon Cloud Security provides visibility into misconfigurations, but the solution to this problem lies in correcting bucket policies.
Option C: Granting administrator privileges to all instances violates the principle of least privilege and increases the attack surface. Instead, access should be granted only to necessary users and services with minimal permissions.
Option D: The first step in remediating a publicly accessible S3 bucket is to modify its permissions. This includes disabling public access, reviewing and restricting IAM policies, and ensuring that only authorized users or services can access the data. CrowdStrike Falcon Cloud Security helps detect such misconfigurations, but remediation requires direct action in AWS.
How can cloud groups reduce noise and focus responsibility for users?
- A . Apply exclusions for accounts assigned to the cloud group
- B . Assign permissions to users within the group
- C . Narrow a user’s scope of analysis by filtering cloud resources
C
Explanation:
Cloud Groups in CrowdStrike Falcon Cloud Security are designed to logically segment cloud resources so users can focus only on what is relevant to their role or responsibility. The primary way cloud groups reduce noise is by narrowing a user’s scope of analysis through filtered cloud resources.
By grouping resources based on criteria such as account, region, service, or tags, Cloud Groups ensure that analysts and responders only see findings related to the resources they own or manage. This minimizes alert fatigue, reduces unnecessary exposure to unrelated findings, and improves investigation efficiency.
Cloud Groups do not assign permissions directly; permissions are managed through Falcon RBAC roles. They also do not primarily function as exclusion mechanisms; although exclusions may be applied, their core purpose is scoping and contextualization.
CrowdStrike best practices emphasize Cloud Groups as a way to align security visibility with organizational structure, enabling teams to operate more efficiently and responsibly. Therefore, the correct answer is Narrow a user’s scope of analysis by filtering cloud resources.
