CCCS-203b Questions and Answers

The secure and recommended approach to validate whether firewall restrictions are causing CSPM failures is toconfirm that CrowdStrike’s documented IP addresses are allowlisted. Falcon Cloud Security relies on outbound API connectivity to cloud providers, and blocked traffic can disrupt asset inventory collection and IOM detection even if registration succeeds.

CrowdStrike publishes required IP ranges and endpoints for each cloud region. Verifying firewall rules against this documentation is alow-risk, best-practice troubleshooting stepthat preserves security controls while validating connectivity assumptions.

Opening firewalls broadly is insecure and unnecessary, and dismissing firewall-related causes without verification can delay resolution. Therefore, the correct answer isCheck that you have allowlisted the IP addresses provided in the public-facing CrowdStrike documentation.

To automate response actions when a vulnerability is discovered in a container image, CrowdStrike Falcon Fusion uses the triggerKubernetes and containers > Image assessment > Vulnerabilities. This trigger activates when Falcon identifies vulnerabilities during container image scanning and assessment.

Image assessment vulnerabilities occurpre-runtime, making this trigger ideal for shift-left security automation. Actions such as sending notifications, opening tickets, tagging images, or blocking deployments via policy enforcement can be automatically initiated before vulnerable images reach production.

TheContainer detectionstrigger applies to runtime events, not image vulnerabilities.Vulnerabilities user actiontriggers depend on manual interaction and are not suitable for automated detection-driven workflows.

By using the image assessment vulnerability trigger, organizations can integrate Falcon Cloud Security findings directly into CI/CD pipelines and remediation workflows, ensuring faster response and reduced risk exposure.

Therefore, the correct Fusion workflow trigger isKubernetes and containers > Image assessment > Vulnerabilities.

If the primary concern is adversaries obtainingadministrator or elevated privileges, the first Cloud Identity Analyzer category to review isPrivilege Escalation. This category focuses on techniques and misconfigurations that allow attackers to gain higher-level permissions than initially granted.

Privilege escalation in cloud environments often involves overly permissive IAM roles, abuse of service principals, misconfigured trust relationships, or exploitation of identity federation mechanisms. CrowdStrike Cloud Identity Analyzer maps these behaviors to established attack frameworks and highlights identities that could be abused to gain admin-level access.

Other categories address different stages of the attack lifecycle.Executionfocuses on running malicious actions,Persistenceon maintaining access, andDefense Evasionon hiding activity. While all are important, privilege escalation represents the most direct path to full environment compromise.

Therefore, the correct starting point isPrivilege Escalation.

To notify your team when anew executable is downloaded and executed inside a running container, you must use aruntime-focused triggerin Falcon Fusion. The correct selection isContainer detection > Container runtime detection.

Container runtime detections monitor live container behavior, including process execution, file writes, network activity, and binary downloads. When an executable is introduced and run at runtime, this represents potential malicious activity or policy violation that cannot be detected during image assessment.

Image Assessmenttriggers apply only to pre-runtime image scanning and cannot detect runtime execution.Container drift detectionfocuses on changes to container state relative to the original image but does not specifically target execution-based detections.

CrowdStrike Falcon Cloud Security documentation clearly distinguishes runtime detections as the correct signal source for SOAR automation involving live container behavior. Therefore, the correct trigger configuration isContainer detection > Container runtime detection.

Cloud Groups in CrowdStrike Falcon Cloud Security are designed to logically segment cloud resources so users can focus only on what is relevant to their role or responsibility. The primary way cloud groups reduce noise is bynarrowing a user’s scope of analysis through filtered cloud resources.

By grouping resources based on criteria such as account, region, service, or tags, Cloud Groups ensure that analysts and responders only see findings related to the resources they own or manage. This minimizes alert fatigue, reduces unnecessary exposure to unrelated findings, and improves investigation efficiency.

Cloud Groups do not assign permissions directly; permissions are managed through Falcon RBAC roles. They also do not primarily function as exclusion mechanisms—although exclusions may be applied, their core purpose is scoping and contextualization.

CrowdStrike best practices emphasize Cloud Groups as a way to align security visibility with organizational structure, enabling teams to operate more efficiently and responsibly. Therefore, the correct answer isNarrow a user’s scope of analysis by filtering cloud resources.

To identify issues related to anoverprivileged cloud identity, CrowdStrike Falcon Cloud Security directs users toCloud Indicators of Misconfiguration (CIM). These indicators focus specifically on risky configurations, including excessive permissions, overly broad IAM roles, and violations of least-privilege principles.

By filtering Cloud Indicators of Misconfiguration for the specific identity, security teams can quickly identify misaligned permissions such as wildcard actions, unused privileges, or access that exceeds the role’s intended function. This view is purpose-built for identifying configuration risk—not active attacks or behavioral anomalies.

Cloud Indicators of Attack (CIA)are used to detect suspicious or malicious activity, not static permission risk.Investigate User Searchfocuses on observed behavior rather than permission design.Falcon Users Roles and Permissionsapplies to Falcon console access, not cloud-provider IAM identities.

Therefore, the correct and CrowdStrike-aligned approach is to reviewCloud Indicators of Misconfigurationfor the identity in question.

Falcon Cloud Security categorizes IOAs usingMITRE ATT&CK tactics and techniques, enriched withcloud-provider contextto accurately represent cloud-native attack behavior.

To identifyDefense Evasion via Impair Defenses: Disable or Modify Toolsactivity specifically withinAzure, analysts must filter IOAs usingMITRE Tactic and Techniquewhile also scoping the environment to thecloud provider. This ensures visibility into attacker behaviors such as disabling logging, modifying security services, or impairing monitoring controls at the cloud-provider level.

Filtering by attack type alone lacks the structured MITRE mapping required for accurate investigative workflows. Service-level filters are insufficient because impairment of defenses in cloud environments often impacts provider-managed services rather than individual workloads.

Therefore,MITRE Tactic and Technique – Cloud provideris the correct and most precise filter to identify Azure-specific defense evasion IOAs.

The CrowdStrike Kubernetes Admission Controller is apre-runtime security controldesigned to enforce security policiesbefore workloads are allowed to runin a Kubernetes environment. Its primary purpose is tomonitor and enforce security policies in any containerized environmentby intercepting Kubernetes API requests at admission time.

When a deployment, pod, or container is submitted to the Kubernetes API server, the Admission Controller evaluates the request against Falcon Cloud Security policies. These policies can include rules related to image risk posture, vulnerabilities, malware presence, secrets, or compliance violations. If an image violates defined policies, the Admission Controller can block the deployment, preventing insecure or non-compliant workloads from entering the cluster.

This capability is critical for implementing ashift-left security model, ensuring that threats are stoppedbefore runtime, rather than detected after execution. While Falcon also provides runtime protection and visibility across managed Kubernetes platforms such as EKS and AKS, those capabilities are not the primary function of the Admission Controller itself.

The Admission Controller does not forward Kubernetes logs to SIEM platforms; instead, it acts as an enforcement gate. Therefore, the correct answer isMonitors and enforces security policies in any containerized environment.

CrowdStrike recommends enablingDrift Preventionwhen container workloads have beendesigned to be immutable. Immutable infrastructure is a core cloud-native principle where containers are not modified after deployment. Any change to a running container—such as installing packages or modifying files—indicates potential misconfiguration or malicious activity.

Drift Prevention enforces this principle by blocking or alerting on runtime changes that deviate from the original container image. This makes it highly effective for production environments where containers should run exactly as built and deployed.

In development or testing environments, containers often change dynamically, making Drift Prevention impractical due to excessive false positives. Similarly, containers that must download or install packages at startup inherently require runtime modification and are not suitable candidates for Drift Prevention.

Enabling Drift Prevention at the wrong time can disrupt legitimate workloads. Therefore, CrowdStrike guidance clearly states that Drift Prevention should be enabledonly after workloads are intentionally designed to be immutable, making optionCthe correct answer.

Drift indicators in the Containers dashboard are used to identify containers performing activity that deviates from their original image configuration. Drift occurs when files, binaries, or processes appear in a running container that were not present in the image at build time.

CrowdStrike Falcon Cloud Security tracks this behavior to help identify compromised containers, unauthorized changes, or violations of immutability principles. Drift indicators are especially valuable in production environments where containers are expected to remain unchanged after deployment.

Alerts and container detections may signal malicious behavior, but drift indicators specifically highlight unexpected changes relative to the image baseline. Therefore, the correct answer is Drift indicators.

CrowdStrike Falcon Cloud Security supportsscheduled reportingas the preferred mechanism for automatically distributing security findings to stakeholders who may not have direct access to the Falcon console. When container vulnerabilities need to be reviewed on aweekly basis, the correct and most operationally efficient approach is tocreate a scheduled report covering the last 7 days.

Scheduled reports can be configured to run automatically and delivered via email to designated recipients, including users without Falcon console access. This makes them ideal for cross-functional teams, auditors, or management who require regular visibility into container risk without interactive access.

UsingAdvanced Event Searchrequires console access and manual execution, which does not meet the requirement for automatic distribution. Dashboards also require console access and cannot be securely shared externally. A 24-hour report would not align with the stated weekly review cadence and could result in incomplete visibility.

CrowdStrike documentation and best practices recommend scheduled reports for recurring compliance, vulnerability, and risk reporting use cases. Therefore, the correct solution is tocreate a scheduled report to list vulnerable container data from the last 7 days.

CrowdStrike recommends starting withPhase 1: Initial deploymentwhen an environment already haspre-existing Host Intrusion Prevention Systems (HIPS)or similar legacy security controls in place. This guidance is based on the need to carefully evaluate compatibility, performance impact, and policy overlap before enabling more advanced protections.

Phase 1 focuses on sensor deployment, baseline visibility, and detection-only monitoring. This approach allows security teams to observe system behavior, identify potential conflicts, and fine-tune policies without immediately enforcing blocking or prevention actions. When legacy HIPS solutions are already active, enabling stronger protections too quickly can lead to false positives, application disruptions, or system instability.

Phase 2: Interim protection is better suited for environments that are cloud-native, highly ephemeral, or already aligned with modern endpoint security practices. However, environments with existing HIPS suites require a more cautious rollout to avoid overlapping controls and duplicated enforcement.

CrowdStrike’s phased deployment model ensures a smooth transition by prioritizing stability and operational awareness. Therefore, whenpre-existing HIPS suitesare present, CrowdStrike documentation and deployment best practices clearly recommend beginning withPhase 1: Initial deploymentbefore progressing to stronger enforcement phases.