CCCS-203b Sample Questions Answers

To allow an analyst to reviewcloud control plane Indicators of Misconfiguration (IOMs)while maintaining least-privilege access, CrowdStrike recommends assigning theCSPM Misconfiguration Viewerrole.

Cloud control plane IOMs focus on identifying insecure configurations across cloud providers, such as overly permissive IAM roles, disabled logging, public exposure of services, or noncompliant security settings. The CSPM Misconfiguration Viewer role grantsread-only accessto these findings, allowing analysts to investigate risks without making configuration changes.

Other roles provide broader access than required.Cloud Security Managerincludes administrative and modification privileges, exceeding least-privilege requirements.Kubernetes and Containers Managerfocuses on container and Kubernetes security, not cloud control plane configurations.Cloud Compliance Vieweris oriented toward compliance frameworks rather than detailed misconfiguration analysis.

By assigning the CSPM Misconfiguration Viewer role, organizations ensure analysts can perform their investigative duties safely and appropriately, aligning with CrowdStrike’s role-based access control (RBAC) best practices.

CrowdStrike recommends enablingDrift Preventionwhen container workloads have beendesigned to be immutable. Immutable infrastructure is a core cloud-native principle where containers are not modified after deployment. Any change to a running container—such as installing packages or modifying files—indicates potential misconfiguration or malicious activity.

Drift Prevention enforces this principle by blocking or alerting on runtime changes that deviate from the original container image. This makes it highly effective for production environments where containers should run exactly as built and deployed.

In development or testing environments, containers often change dynamically, making Drift Prevention impractical due to excessive false positives. Similarly, containers that must download or install packages at startup inherently require runtime modification and are not suitable candidates for Drift Prevention.

Enabling Drift Prevention at the wrong time can disrupt legitimate workloads. Therefore, CrowdStrike guidance clearly states that Drift Prevention should be enabledonly after workloads are intentionally designed to be immutable, making optionCthe correct answer.

InCrowdStrike Falcon Cloud Security, the most efficient and direct way to identify whichcontainer and Kubernetes podare responsible for suspicious outbound traffic is by usingNetwork Eventsand filtering on theremote (destination) port.

When a container initiates outbound network communication, thedestination portrepresents the service being contacted externally. Since the alert specifically referencesdestination port 1337, filteringNetwork Eventsforremote port 1337immediately surfaces the relevant telemetry. Falcon automatically enriches these events withcontainer ID, container name, Kubernetes pod name, namespace, node, and cluster context, allowing rapid attribution.

UsingAdvanced Event Searchis technically possible but less efficient, as it requires manual query construction and does not provide the same streamlined Kubernetes-focused workflow as Network Events. Reviewing dashboards alone is insufficient for precise attribution and forensic analysis.

Filtering onlocal port 1337would be incorrect in this scenario, as it would only identify processes listening locally rather than outbound connections sourcing from the container.

Therefore,Option Cis correct because it aligns with Falcon Cloud Security’s design forcontainer-aware network telemetry, providing the fastest and most accurate path to identifying the originating container and pod.

When configuring a new image registry connection for aprivately hosted container registryin CrowdStrike Falcon Cloud Security, the required and most critical action is toverify the token and secretused for authentication. Private registries require explicit credentials so Falcon can securely access and assess container images for vulnerabilities, malware, and misconfigurations.

CrowdStrike supports multiple private registry types (such as private Docker registries or cloud-native registries with restricted access). In all cases, Falcon relies on valid authentication credentials—typically a token, username/password, or service account secret—to pull image metadata and layers. If these credentials are incorrect, expired, or misconfigured, image assessment will fail even if the registry connection appears configured.

Other options may be relevant in specific environments but are not universally required at creation time. Registry URLs are validated during setup, and allowlisting IP addresses may be necessary only if strict network controls are in place. Secret expiration checks are a maintenance concern, not a mandatory creation step.

Therefore, the required action when creating a private registry connection is toverify the token and secret.

When creating an Image Assessment policy exclusion in CrowdStrike Falcon Cloud Security, the recommended and most precise method to temporarily suppress a specific CVE isVulnerability ID & Exclude until 14 days.

This approach allows security teams to explicitly reference a known CVE (for example, CVE-2024-XXXX) and suppress enforcement for a defined time window. The 14-day exclusion period is commonly used to allow development teams time to rebuild images, validate patches, or address dependency constraints without permanently weakening security posture.

Broad exclusions based on recently published vulnerabilities or packages can unintentionally suppress unrelated risk and increase exposure. Indefinite exclusions are discouraged unless there is a strong, documented business justification.

CrowdStrike documentation and best practices emphasizetime-bound, CVE-specific exclusionsto balance operational flexibility with security rigor. Therefore, the correct and recommended option isVulnerability ID & Exclude until 14 days.

InFalcon Cloud Security Network Events, port states reflect how network connections are established and handled at runtime. The platform uses standardized connection state terminology to help analysts understand traffic behavior and intent.

The three valid port states are:

Connect: Indicates an outbound connection attempt initiated by a process or container.

Accept: Represents an inbound connection that was accepted by a listening process.

Listen: Shows that a process is actively listening on a port for incoming connections.

These states provide crucial context for detecting suspicious behavior such as unauthorized listeners, unexpected inbound access, or abnormal outbound communications. Other options include terms not used by Falcon to define port state semantics within Network Events.

Therefore,Connect, Accept, and Listenis the correct answer.

CrowdStrike Falcon Cloud Security supportsscheduled reportingas the preferred mechanism for automatically distributing security findings to stakeholders who may not have direct access to the Falcon console. When container vulnerabilities need to be reviewed on aweekly basis, the correct and most operationally efficient approach is tocreate a scheduled report covering the last 7 days.

Scheduled reports can be configured to run automatically and delivered via email to designated recipients, including users without Falcon console access. This makes them ideal for cross-functional teams, auditors, or management who require regular visibility into container risk without interactive access.

UsingAdvanced Event Searchrequires console access and manual execution, which does not meet the requirement for automatic distribution. Dashboards also require console access and cannot be securely shared externally. A 24-hour report would not align with the stated weekly review cadence and could result in incomplete visibility.

CrowdStrike documentation and best practices recommend scheduled reports for recurring compliance, vulnerability, and risk reporting use cases. Therefore, the correct solution is tocreate a scheduled report to list vulnerable container data from the last 7 days.

CrowdStrike Falcon Cloud Security strongly recommends shifting securityleftin the development lifecycle by integratingimage assessment directly into the CI/CD pipeline. This approach ensures vulnerabilities are detectedduring the build process, before images are deployed into production environments.

By pushing container images to Falcon for assessment as part of CI/CD workflows, Falcon expands image layers, inventories binaries and OS packages, and evaluates vulnerabilities early. This enables development and security teams to remediate issues before deployment, reducing risk exposure and preventing vulnerable images from ever reaching runtime.

Runtime-only analysis and host-based tools are insufficient for proactive security, as they detect issues after exposure has already occurred. Manual inspection does not scale and introduces human error, making it unsuitable for modern DevOps pipelines.

Therefore, integrating automated image assessment into CI/CD pipelines is theCrowdStrike best practicefor secure container deployments.

In Falcon Cloud Security, theRegistry assessment statuswidget provides visibility into the current state of container image assessments for connected registries. This widget displaysaggregate totals of assessed and unassessed images, allowing analysts to quickly determine whether images are being successfully scanned.

When investigating unassessed images, this widget is the primary starting point because it reflects real-time assessment coverage across all configured registry connections. It helps identify gaps caused by authentication failures, network restrictions, throttling, or configuration limits such as assessment age thresholds.

Other widgets provide narrower views.Image processingfocuses on images currently being scanned,Assessed imagesonly shows completed scans without highlighting gaps, andConnection statusreflects connectivity health but not assessment coverage.

CrowdStrike documentation and UI design emphasize the Registry assessment status widget as the authoritative summary for image assessment completeness. Therefore, the correct answer isRegistry assessment status.

TheContainers and Images Compliance dashboardinFalcon Cloud Securityis designed to give security and DevOps teams avisual, aggregated view of compliance postureacross container images and running containers.

This dashboard summarizes compliance status against benchmarks such asCIS, organizational policies, and security best practices. It highlights compliant versus non-compliant images and containers, severity distribution, and trending risk, enabling teams to quickly assess overall posture and prioritize remediation.

The dashboard does not perform network monitoring, automatic patching, or unsupported container enumeration. Those functions are handled by other Falcon modules or operational workflows.

Therefore, itsprimary functionis toprovide a visual summary of compliance across containers and images, makingOption Acorrect.

InFalcon Cloud Security, prevention actions are triggered whenall configured enforcement criteriawithin a policy are met. When customizing theGKE Autopilot policy, enforcement requires alignment across vulnerability intelligence, detection severity, and compliance context.

By setting:

Vulnerability ExPRT.ai severity = Critical

Detection severity = Critical

Detection type = CIS benchmark deviation

you ensure that bothrisk-based vulnerability intelligenceandcompliance deviation severitythresholds are satisfied. This combination confirms that the issue is not only severe but also represents a critical deviation from an accepted security benchmark, justifying prevention.

Omitting the detection type or replacing it with image misconfiguration alone does not meet the enforcement logic required for policy-triggered prevention.

Therefore,Option Cis the correct combination that triggers prevention.

A primary benefit of CrowdStrike’s cloud security suite is that it provides a comprehensive security posture by integrating visibility and prevention across cloud workloads, identities, containers, and control planes.

Falcon Cloud Security unifies CSPM, workload protection, container security, identity protection, and detection and response into a single platform. This integration allows organizations to detect misconfigurations, prevent risky deployments, monitor runtime activity, and respond to threats using shared context and intelligence.

Other options describe isolated capabilities or services that are not the core value proposition of the platform. Therefore, the correct answer is Provides a comprehensive security posture by integrating visibility and prevention.

A commoncloud-conscious attacker techniqueused to remain hidden in a compromised environment isdisabling CloudTrail logging. AWS CloudTrail records API activity across an account, providing critical visibility into actions taken by users, roles, and services. By disabling or tampering with CloudTrail, attackers significantly reduce the likelihood of detection.

CrowdStrike Falcon Cloud Security classifies this behavior as a high-risk indicator because it directly impacts monitoring, forensics, and incident response. Without CloudTrail logs, security teams lose audit trails that are essential for identifying malicious actions such as privilege escalation, data exfiltration, or persistence mechanisms.

Other options represent misconfigurations or changes that may increase exposure but do not directly suppress visibility. For example, modifying storage networking or security groups increases attack surface, while adding certificates may support persistence—but none are as directly linked to stealth as disabling logging.

Therefore,CloudTrail logging disabledis the correct answer and a well-documented cloud attack tactic used to evade detection.

InFalcon Cloud Security image assessment policies, exclusions can be created to temporarily suppress enforcement or blocking of specific vulnerabilities. To block or exclude a vulnerability for auser-defined duration, the exclusion must be scoped using aVulnerability ID (CVE).

Using a Vulnerability ID allows precise control over a single, known issue and enables time-bound exclusions aligned with remediation plans or operational constraints. This approach ensures security teams can balance risk with business requirements while maintaining auditability and control.

Other options are too broad and do not support precise, time-based exclusions. Grouping vulnerabilities by publication date, exploit availability, or fix status lacks the granularity required for targeted policy enforcement.

Therefore,Vulnerability IDis the correct and documented mechanism for blocking a specific vulnerability for a defined period.