Option A: Automatically disabling users without a thorough analysis could lead to operational

disruptions. CIEM performs a comprehensive assessment, considering factors like API activity, to ensure

accurate detection of inactivity.

Option B: Reassigning roles without first verifying the user’s purpose or activity may increase security

risks. CIEM focuses on identifying and managing inactive users, not on role reassignment as a default

action.

Option C: While CrowdStrike Falcon excels at endpoint detection and response (EDR), it is not designed

for analyzing cloud identity and access management (IAM) activities. Relying on Falcon for such tasks is

both inefficient and ineffective compared to using CIEM.

103/192

Option D: CIEM’s Identity Analyzer is specifically designed to monitor and analyze user activity

patterns across cloud environments. It can automatically detect inactive users based on their login, API

activity, and resource usage. This capability reduces the risk of overprivileged or orphaned accounts.

Using CIEM ensures efficiency and eliminates the manual overhead of user analysis.

Option A: Misconfigured Kubernetes ingress rules can expose sensitive services to the internet. The

correct action is to update Ingress and NetworkPolicy rules to limit access to only trusted sources and

necessary endpoints, reducing exposure while maintaining functionality.

Option B: Changing the container runtime (e.g., Docker to containerd) can have security benefits, but it

does not resolve misconfigured network exposure.

Option C: Shutting down pods immediately may prevent unauthorized access but could also cause

operational disruptions. The correct approach is to first secure network access before considering pod

restarts.

Option D: Disabling all public-facing networking is an extreme action that may impact legitimate

services. The issue should be addressed through precise network policy adjustments rather than blanket

restrictions.

Option A: Assessed/unassessed items relate to whether vulnerability assessment has occurred. This

choice incorrectly describes their scope and misapplies the terminology to accounts or containers instead

of container images.

Option B: Managed/unmanaged items do not refer to container images specifically. This conflates the

concept of container images (assessed/unassessed) with managed/unmanaged accounts or containers. The

status of being managed/unmanaged pertains to whether the item is actively monitored, not the

vulnerability state.

Option C: Managed items are accounts or containers actively integrated with and monitored by Falcon

Cloud Security. Unmanaged items are those outside the scope of Falcon monitoring, often requiring

additional steps to bring them under management. This distinction is fundamental to understanding

CrowdStrike’s coverage capabilities.

Option D: This explanation accurately describes assessed/unassessed items, not managed/unmanaged

items. The former pertains to whether a container image has been scanned for vulnerabilities.

Option A: CrowdStrike Falcon uses advanced AI-driven techniques, behavioral analytics, and real-time

threat intelligence rather than traditional signature-based detection, which is ineffective against modern

threats.

Option B: Falcon Cloud Security does not rely solely on application signing as a security measure.

Instead, it uses behavioral analysis, machine learning, and threat intelligence to detect and prevent threats.

Option C: While Falcon Cloud Security provides network monitoring and threat detection, it does not

automatically block all outbound traffic. Instead, it offers real-time visibility and response mechanisms

for cloud workloads.

Option D: CrowdStrike Falcon Cloud Security aligns with Zero Trust principles by continuously

monitoring cloud workloads, assessing risks, and enforcing least privilege access policies. It leverages

AI-powered threat detection, identity protection, and compliance automation to reduce risk.

Option A: Assessed items are those, such as container images, that have undergone vulnerability or

configuration assessments within Falcon Cloud Security. Unassessed items have not yet been scanned,

possibly due to configuration, scope, or timing limitations. Understanding this distinction is critical for

54/192

prioritizing security tasks.

Option B: The term "assessed" does not equate to being "fully patched." An item can be assessed and

still have vulnerabilities that need remediation.

Option C: Assessed and unassessed statuses are not related to the activity or archival state of containers.

Both active and inactive containers can be either assessed or unassessed depending on scanning

processes.

Option D: Assessed items are not synonymous with managed assets; unmanaged items can also be

assessed if scanned through external tools or workflows.

Option A: A one-size-fits-all approach ignores the unique requirements of different roles and leads to

over-permissioning or under-permissioning, both of which are undesirable from a security perspective.

Option B: Granting administrative privileges universally undermines security and increases the

likelihood of human error or exploitation. Only specific roles requiring administrative capabilities should

have such access.

Option C: Broad policies that grant universal access violate the principle of least privilege. They expose

the environment to unnecessary risks, such as unauthorized data access or resource modification.

Option D: This approach follows the principle of least privilege, ensuring users and roles have access

only to the resources and actions required for their responsibilities. This minimizes the attack surface,

reduces the risk of accidental or malicious misuse, and adheres to best practices in identity and access

management.

Option A: Using the CrowdStrike API to configure granular IAM policies is a potential task during or

after registration, but it is not the initial step. IAM roles and policies should be defined by the cloud

provider's configuration tools, not CrowdStrike, as a preliminary task.

Option B: Inputting cloud provider credentials directly into the CrowdStrike console is not a step in the

configuration process. Instead, API-based integrations rely on secure token-based authentication, not

direct username/password access, to align with best practices for security and scalability.

Option C: Assigning full administrator access to the CrowdStrike service account is unnecessary and

violates the principle of least privilege. Only specific permissions (e.g., read-only access for threat

detection) are required, and overly broad access increases the attack surface.

Option D: Generating an API client ID and secret is the required first step to enable secure

communication between the CrowdStrike Falcon platform and the cloud provider. The client ID and

secret are used for authentication when configuring API integrations, ensuring secure access to the cloud

account's data. Without this step, the integration cannot proceed.

5/192

Option A: Reassigning the Service Principal does not address the risk of overly permissive roles.

Additionally, using an existing Service Principal for a new purpose can create security challenges

Option B: While deleting the Service Principal may eliminate the risk, this approach can disrupt any

active dependencies. A more controlled remediation involves first reviewing and adjusting permissions.

Option C: Changing the role to "Reader" may reduce risk, but it does not address whether the Service

Principal is still necessary. The root cause (overly permissive roles and lack of usage) should be resolved.

Option D: The most effective action is to evaluate the necessity of the Service Principal and remove any

unnecessary roles or scopes. This minimizes risk while maintaining operational functionality if needed.

Option A: Configuring prevention settings like "Exploit Mitigation" and "Malware Prevention" is critical

to enhance security on servers. These settings help the Falcon Sensor proactively block threats and secure

the system.

Option B: The "Sensor Exclusions" tab is for excluding specific files, paths, or processes from

monitoring, not for creating or applying policies.

Option C: Assigning to the "Default Group" might lead to unintended policy application across non-

critical systems. Policies should target specific groups for better control.

Option D: While "Detection Only" provides visibility, it does not actively prevent threats. For critical

servers, enabling prevention is more appropriate to mitigate risks.

Option A: Falcon LogScale provides log analytics and can collect network event logs, but it does not

provide real-time visibility into active network connections at the process level. It is useful for post-

incident investigations but not for immediate runtime detection.

Option B: Identity Protection helps detect credential-based attacks and unauthorized access attempts but

does not monitor network connections at the process level. It is designed for preventing identity-based

56/192

threats rather than inspecting runtime network traffic.

Option C: This feature enables deep visibility into network connections at the process level within cloud

workloads, including Kubernetes containers. It allows the analyst to identify the specific containerized

process making the outbound connection, investigate its behavior, and detect potential threats.

Option D: Falcon Sandbox is used for analyzing suspicious files in an isolated environment to detect

malware behavior. It does not monitor active network connections within Kubernetes workloads.