Free CrowdStrike CCCS-203b Actual Exam Questions - Question 9 Discussion

Maybe D makes the most sense since stopping new data while keeping old alerts visible fits typical behavior after deprovisioning. A and C sound too temporary or strict to me.

Guessing A because a short grace period to recover data after deprovisioning is common practice, so the data might stick around briefly before it's gone for good.

Maybe A makes sense too since some platforms keep data temporarily in case you want to reactivate quickly. It fits the idea of a limited grace period for account recovery.

I’m thinking B could be right since immediate deletion would prevent any data leaks after deprovisioning. It makes sense for security to wipe everything right away. B

Option D, since it matches typical behavior of stopping new data but keeping history for reference.

D imo, historical info shouldn’t just vanish after deprovisioning.

I agree with the idea that B is too extreme since immediate deletion could cause audit problems. D fits practical needs better because you’d want to keep historical info even if the account is offboarded. So, D for me.

Maybe D makes sense because it aligns with how platforms keep old logs for audits even after stopping new data. Immediate deletion like B seems too harsh and could cause issues.

I think the answer is D. When you deprovision a cloud account, you usually lose new data collection, but the old data and alerts stay accessible for review. Makes sense for investigation purposes. Anyone else agree?