Question 1

After performing an image assessment in Falcon Cloud Security, which of the following is a typical actionable recommendation?

Accepted Answer

C

Explanation: Option A: Admission Controllers provide security and compliance enforcement, and disabling them would reduce security posture rather than align with image assessment results. Option B: Applying pod security policies is a general security best practice but is not directly derived from an image assessment. Option C: Image assessments identify vulnerabilities and provide actionable recommendations, such as updating base images or dependencies to mitigate critical security risks. Option D: Limiting pods per node is a capacity management measure, not an outcome of image assessments focused on vulnerabilities. 107/192

Question 2

After identifying inactive users using the CrowdStrike CIEM/Identity Analyzer, what is the most appropriate action to mitigate risks associated with these accounts?

Accepted Answer

B

Explanation: Option A: Transferring permissions without a clear business need or appropriate analysis can lead to excessive privilege assignments and violate the principle of least privilege, increasing the risk of insider threats or accidental misuse. Option B: Temporarily disabling inactive accounts allows organizations to verify whether the accounts are genuinely no longer in use while preventing immediate security risks. Monitoring for unexpected activity during the temporary disablement phase helps identify potential misuse or ongoing necessity of the account, ensuring informed decisions about deactivation or deletion. Option C: Deactivating accounts without addressing roles and permissions still poses a security risk. Inactive accounts with retained permissions can be re-enabled or misused inappropriately. Option D: While deleting inactive accounts removes potential attack vectors, this approach is risky without prior analysis. Some accounts may be needed for legacy systems or auditing purposes, leading to operational disruption. 78/192

Question 3

What is the most effective action to take when a CIEM tool identifies an Azure Service Principal with overly permissive roles and no recent usage?

Accepted Answer

D

Explanation: Option A: Reassigning the Service Principal does not address the risk of overly permissive roles. Additionally, using an existing Service Principal for a new purpose can create security challenges Option B: While deleting the Service Principal may eliminate the risk, this approach can disrupt any active dependencies. A more controlled remediation involves first reviewing and adjusting permissions. Option C: Changing the role to "Reader" may reduce risk, but it does not address whether the Service Principal is still necessary. The root cause (overly permissive roles and lack of usage) should be resolved. Option D: The most effective action is to evaluate the necessity of the Service Principal and remove any unnecessary roles or scopes. This minimizes risk while maintaining operational functionality if needed.

Question 4

When analyzing cloud findings for misconfigurations, which of the following would be considered a high-risk practice that should be flagged for remediation?

Accepted Answer

B

Explanation: Option A: NSGs are an effective way to control network access to resources. Limiting traffic to trusted IPs reduces the attack surface and is a good security practice. Option B: Port 22 is typically used for SSH access. Allowing unrestricted inbound traffic to this port exposes cloud-hosted resources to brute-force attacks and unauthorized access. This is a high-risk practice and a common misconfiguration that should be remediated by limiting access to trusted IPs or using VPNs. Option C: RBAC is a best practice for managing permissions in the cloud. It ensures that users have access only to the resources they need, reducing the risk of over-privileged accounts. This is not a high- risk practice. Option D: MFA is a critical security control that protects against unauthorized access, even if credentials are compromised. Enforcing MFA is a recommended practice, not a high-risk one.

Question 5

While editing the cloud security posture policy in Falcon to enhance compliance with industry standards,
you notice a rule that detects misconfigured IAM roles in your AWS environment. What action should
you configure for this rule to prevent unauthorized access effectively?

Accepted Answer

B

Explanation: Option A: Monitoring alone provides visibility but does not address the root cause or prevent potential security risks from misconfigured IAM roles. Option B: Adding a condition that enforces least-privilege policies ensures that IAM roles are configured to minimize unnecessary permissions. This is a proactive approach to reducing the risk of unauthorized access while aligning with best practices for identity and access management. Option C: Auto-remediation by deletion is overly aggressive and may disrupt legitimate operations, especially in production environments. Option D: While alerts provide visibility, they do not actively enforce secure configurations. This action is insufficient for preventing unauthorized access.

Question 6

Which statement correctly explains how Falcon Cloud Security components work together to protect cloud environments?

Accepted Answer

Explanation: Option A: While the Falcon Overwatch team provides expert threat hunting, Falcon Cloud Security also relies on automated analytics and AI-based detection. This ensures a comprehensive approach to identifying and mitigating threats without solely depending on human oversight. Option B: Falcon modules are designed to work together seamlessly, automatically correlating data to provide actionable insights. Manual correlation is not required, and suggesting otherwise misrepresents the platform’s automation and integration capabilities. Option C: While Falcon Cloud Security can interact with third-party APIs for extended functionality, it has native capabilities to detect misconfigurations and threats in cloud environments. This reduces dependence on external tools. Option D: Falcon Cloud Security leverages integration with modules like Falcon Horizon for cloud posture management and Falcon Prevent for real-time prevention. These integrations streamline vulnerability detection and workload protection without requiring extensive manual configuration.

Question 7

A security team wants to configure scheduled reports in CrowdStrike to track cloud security risks and
compliance over time. Which of the following is a requirement for successfully setting up and using
scheduled reports?

Accepted Answer

A

Explanation: Option A: Scheduled reports must be configured with specific parameters such as data sources (cloud assets, compliance findings, threat detections), reporting frequency (daily, weekly, monthly), and delivery methods (email, dashboard, or external integrations). Option B: While admin-level users can configure reports, role-based access control (RBAC) in CrowdStrike allows specific roles, such as security analysts, to set up and receive reports without full platform access. Option C: Scheduled reports do not perform automatic mitigation; they provide insights and recommendations, but security teams must take action based on the findings. Option D: Scheduled reports are automated, meaning that once configured, they are generated periodically without requiring manual execution.

Question 8

A security administrator is configuring pre-runtime protection in CrowdStrike Falcon to ensure that only
trusted container images from specific registries are scanned and allowed for deployment. What is the
best approach for adding registry connection details?

Accepted Answer

C

Explanation: 72/192 Option A: Default Falcon registry settings may not cover all organizational needs. Custom configurations should be made to ensure alignment with security policies. Option B: Allowing all registries without authentication increases security risks, as unauthorized or malicious images can be pulled and deployed. Option C: To ensure pre-runtime protection, administrators should define registry connection details, specify the registry URL, enable authentication (if needed), and set image scanning policies for security compliance. Option D: Private repositories are not automatically secure. Vulnerabilities can still exist in private images, making it critical to enable scanning even for internal sources.

Question 9

What happens to the data and alerts linked to a cloud account after it is deprovisioned from the Falcon console?

Accepted Answer

D

Explanation: Option A: Data visibility is not tied to re-registration within a specific timeframe. Historical data is retained regardless of whether the account is re-registered or permanently deprovisioned. This answer introduces an unnecessary restriction. Option B: CrowdStrike retains historical data for compliance and forensic purposes. Immediate and permanent deletion would hinder post-deprovisioning investigations or audits, which is not the intended behavior of the Falcon platform. Option C: There is no automatic data archival or deletion process tied to deprovisioning a cloud account in Falcon. Historical data remains accessible for an extended period, as determined by organizational data retention policies. Option D: When a cloud account is deprovisioned from Falcon, the platform stops collecting new data and generating alerts for the account. However, historical data and alerts are retained for compliance and auditing purposes. This ensures organizations can review past activity and investigate incidents even after the account is deprovisioned.

Question 10

Which of the following scenarios represents a security risk that CrowdStrike Identity Analyzer (CIEM) is designed to identify and address?

Accepted Answer

C

Explanation: Option A: Allowing inbound traffic on port 443 (HTTPS) is a standard practice for secure web services. While this could be a misconfiguration if unnecessary, it falls under network security rather than identity management, which is the focus of CIEM. Option B: Concurrency settings relate to resource performance and scalability, not identity or entitlement management. CIEM does not monitor or manage execution limits for serverless functions. Option C: CIEM is specifically designed to detect and analyze overly permissive roles and identities, 51/192 particularly when sensitive permissions (like resource deletion) are assigned to multiple non-human identities. This scenario poses a significant security risk if those identities are compromised or misused. Option D: This is an expected and secure behavior when proper access policies are in place. CIEM would not flag this as an issue since the access is authorized and aligns with standard operational practices.

Question 11

A security analyst using CrowdStrike Falcon Cloud Workload Protection (CWP) notices unusual
outbound traffic from a Kubernetes pod to an unknown external IP. The analyst needs to determine
whether the traffic is malicious and identify the process responsible for the connection. Which
CrowdStrike Falcon feature should the analyst use to identify network connections at the process level?

Accepted Answer

C

Explanation: Option A: Falcon LogScale provides log analytics and can collect network event logs, but it does not provide real-time visibility into active network connections at the process level. It is useful for post- incident investigations but not for immediate runtime detection. Option B: Identity Protection helps detect credential-based attacks and unauthorized access attempts but does not monitor network connections at the process level. It is designed for preventing identity-based 56/192 threats rather than inspecting runtime network traffic. Option C: This feature enables deep visibility into network connections at the process level within cloud workloads, including Kubernetes containers. It allows the analyst to identify the specific containerized process making the outbound connection, investigate its behavior, and detect potential threats. Option D: Falcon Sandbox is used for analyzing suspicious files in an isolated environment to detect malware behavior. It does not monitor active network connections within Kubernetes workloads.

Question 12

When configuring an automated remediation workflow for AWS findings in Falcon Fusion, why is it important to perform a dry run before enabling the workflow in production?

Accepted Answer

B

Explanation: Option A: Applying actual changes, even to a limited set of resources, does not constitute a dry run. A dry run explicitly avoids making changes to validate the workflow without risk. Option B: A dry run simulates the actions of the remediation workflow without actually making any changes to the resources. This process is crucial for validating the workflow's logic, ensuring it targets the 6/192 intended findings, and understanding potential impacts. Dry runs help reduce the risk of unintended disruptions in production environments. Option C: A dry run does not bypass permissions validation. In fact, testing permissions is an important part of the dry run process to ensure the workflow has the necessary access. Option D: Generating compliance reports is not the purpose of a dry run. While useful for audits, compliance reports do not test the logic or simulate the outcomes of a workflow.

Question 13

During an audit of your organization's CrowdStrike Identity Analyzer configuration, you find several
policies related to cloud service access. Which of the following represents a misconfiguration that needs
immediate remediation?

Accepted Answer

C

Explanation: Option A: Denying access to sensitive resources for unauthorized roles enhances security and ensures that users cannot access resources they are not entitled to. Option B: Read-only access aligns with least privilege, ensuring analysts can view data without modifying it. This is a correctly configured policy. 76/192 Option C: This misconfiguration grants excessive privileges to all users, violating the principle of least privilege and increasing the risk of accidental or intentional misuse. Access to production environments should be tightly controlled and limited to specific, authorized roles. Option D: Granting developers permissions tailored to their role in a non-production environment aligns with best practices and does not pose a security risk.

Question 14

While investigating an alert in the CrowdStrike Falcon platform, you discover a registry key modification
in HKCU\Software\Microsoft\Windows\CurrentVersion\Run referencing a newly created executable in
the user’s AppData\Roaming directory. What does this likely indicate?

Accepted Answer

A

Explanation: Option A: The HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key is a common persistence mechanism used by malware. The presence of a new executable in the AppData\Roaming directory is particularly suspicious, as this directory is often exploited by attackers to store malicious files. Further investigation is necessary to analyze the executable and mitigate the threat. Option B: System optimization scripts rarely require registry modifications for persistence and are generally stored in predefined system directories, not AppData. The context points more toward malicious activity. Option C: While some applications use AppData for updates, they generally overwrite existing files rather than create new executables with corresponding registry entries. Validate this scenario against update logs and application behavior. Option D: Legitimate applications may add entries to this registry key, but these are typically well- documented and located in program directories, not AppData\Roaming. The context of the directory and newly created executable makes this explanation less likely.

Question 15

Which of the following scenarios would most likely indicate an account with unnecessary access privileges, as identified by a CIEM solution?

Accepted Answer

A

Explanation: Option A: CIEM solutions identify accounts with excessive or unused privileges, such as a developer account with elevated access that hasn’t been used in a significant period. Such privileges pose a risk of being exploited and should be reviewed or revoked if not necessary. Option B: A revoked role assignment indicates proactive access management. CIEM would not flag this as unnecessary access, as the issue has already been addressed. Option C: Regular use of administrator accounts for their designated purpose would not typically indicate unnecessary access privileges. However, best practices encourage limiting the scope of administrator roles when possible. Option D: This account demonstrates the principle of least privilege. The service account has minimal necessary permissions, and its activity aligns with its purpose, so it would not be flagged by CIEM.

Free CrowdStrike CCCS-203b Actual Exam Questions