CrowdStrike IDP CrowdStrike Certified Identity Specialist(CCIS) Exam Exam Practice Test

Authentication Traffic Inspection (ATI) is enabled throughIdentity Configuration Policies, which define how the Falcon sensor captures and inspects identity-related network traffic. According to the CCIS documentation, ATI configuration is performed underConfigure > Identity Configuration Policies.

These policies allow administrators to specify which authentication protocols are inspected, which domain controllers are covered, and how identity telemetry is collected. This configuration step is mandatory to enable identity visibility and detection capabilities.

The Enforce menu is used for policy rules and automated actions, not traffic inspection. General settings do not control sensor inspection behavior. Because ATI directly affects sensor data capture, it is managed exclusively through Identity Configuration Policies.

Therefore,Option Dis the correct and verified answer.

In the Domain Security Overview,Scopeis a configurable setting that allows administrators toswitch between Active Directory domains and Azure tenants. This capability is essential for organizations managing multiple identity environments, as it enables targeted risk assessment and comparison across different identity infrastructures.

The CCIS documentation explains that Scope determineswhich domain or tenant’s identity data is displayedin the Overview dashboard, including risk scores, trends, and prioritized remediation guidance. Changing the scope does not alter risk calculations; it simply refocuses the analysis on the selected identity environment.

Other options are incorrect because:

Privileged Identities represent a subset of users, not a switchable setting.

Domains are entities, not a dashboard control.

Goal changes how risks are evaluated, not which environment is displayed.

By allowing granular control over which domain or tenant is analyzed, Scope supports accurate identity risk management in complex, hybrid environments. Therefore,Option Dis the correct answer.

When an identity-based detection is determined to be afalse positive, Falcon Identity Protection allows administrators to take corrective action usingexceptions. According to the CCIS curriculum, exceptions are the mechanism by which detections can be suppressed for specific entities or conditions without disabling the detection entirely.

Exceptions are configured from theDetection detailsview and are intended to handle known, acceptable behavior that would otherwise continue to trigger detections. This allows security teams to reduce noise while maintaining visibility into true threats. Exceptions are especially valuable in environments with complex authentication patterns or legacy configurations.

The other options are incorrect:

Exitsare not a detection control mechanism.

Remediationsrefer to corrective actions, not suppression logic.

Recommendationsprovide guidance but do not change detection behavior.

By usingexceptions, Falcon ensures that false positives are handled in a controlled and auditable way, aligning with best practices outlined in the CCIS material. Therefore,Option Cis the correct answer.

Falcon Identity Protection continuously inspects authentication traffic and network behavior to establishbehavioral baselines for users and accounts. These baselines enable the platform to detect deviations that indicate potential compromise, misuse, or insider threat activity. This behavioral intelligence directly enhances the effectiveness ofFalcon Fusion workflows.

Falcon Fusion leveragesidentity and behavioral analyticsas decision points within workflows, allowing automated actions to be triggered when abnormal behavior is detected. For example, a workflow can automatically enforce MFA, notify administrators, isolate risky sessions, or initiate remediation when a user deviates from their established baseline.

The CCIS curriculum highlights that Falcon Fusion is designed tointegrate identity risk signals with IT policy enforcement, enabling Zero Trust-aligned automation. This capability goes far beyond simple notifications and supports coordinated responses across security and IT teams.

Options A, B, and C are incorrect because Falcon Fusion is fully identity-aware, applies broadly across users and entities, and supports a wide range of actions beyond email notifications. Therefore,Option Daccurately describes how behavioral profiling strengthens Falcon Fusion workflows.

Falcon Identity Protection integrates withIdentity-as-a-Service (IDaaS)providers to ingest cloud authentication activity and enforce identity-based policies. According to the CCIS curriculum,Okta SSOis a supported IDaaS connector that enables Falcon to ingestcloud authentication eventswhile also applyingSingle Sign-On (SSO) policies.

Okta SSO provides rich identity telemetry, including login attempts, device context, and authentication outcomes. This data allows Falcon Identity Protection to correlate on-premises and cloud-based identity activity, extending identity risk analysis beyond Active Directory.

The other options are incorrect:

ADFSis an on-premises federation service, not a cloud IDaaS.

Azure NPSis used for RADIUS-based MFA, not SSO ingestion.

SAMLis a protocol, not an IDaaS connector.

Because Okta SSO provides both cloud activity ingestion and SSO enforcement,Option Bis the correct and verified answer.

Falcon Identity Protection evaluatesdomain riskby analyzing identity-related weaknesses such as insecure authentication protocols, legacy directory configurations, and exposure to credential-based attacks. Actions that harden Active Directory and authentication mechanisms will directly reduce domain risk scores.

Measures such asenabling SMB signing,enforcing NTLMv2, andupgrading unsupported operating systemsremove common identity attack paths and are explicitly recommended in the CCIS curriculum as effective domain risk remediation steps.

In contrast,upgrading end-of-life Acrobat Readeraddresses anendpoint application vulnerability, not an identity or directory-related risk. While important for endpoint hygiene, it does not influence identity telemetry, authentication behavior, or domain controller security assessed by Falcon Identity Protection.

Because domain risk scoring is strictly tied to identity infrastructure and authentication posture,Option Bdoes not contribute to lowering the domain risk score and is therefore the correct answer.

To retrieve identity-based detections and incident-related data using the CrowdStrike APIs, the API key must include the correctpermission scope. According to the CCIS curriculum, theIdentity Protection Detectionsscope is required to access identity-based detection and incident information through GraphQL.

This scope allows API queries to retrieve:

Identity-based detections

Associated incident metadata

Detection attributes such as severity, status, and related entities

Incident data in Falcon Identity Protection isderived from detections, making the Detections scope the authoritative permission set for this information. Without this scope, GraphQL queries related to identity detections and incidents will fail authorization.

The other scopes are either too narrow or unrelated to detection retrieval. Therefore,Option Ais the correct and verified answer.

The Domain Security Overview in Falcon Identity Protection usesGoalsto frame identity risks into focused security assessment perspectives. These goals allow organizations to evaluate identity posture based on specific security priorities such as directory hygiene, privilege exposure, or overall attack surface reduction.

According to the CCIS curriculum, theavailable GoalsincludePrivileged Users Management,AD Hygiene,Pen Testing, andReduce Attack Surface. These goals are predefined by CrowdStrike and determine how risks are grouped, weighted, and presented in reports.

Business Privileged Users Managementisnot an available Goalwithin the Domain Security Overview. While Falcon Identity Protection does support the concept ofbusiness privilegesand evaluates their impact on users and entities, this concept is handled through risk analysis and configuration—not as a selectable Domain Security Goal.

The CCIS documentation clearly distinguishes betweenGoals(which control reporting and assessment views) andbusiness privilege modeling(which influences risk scoring). Therefore,Option Bis the correct and verified answer.

Falcon Identity Protection differentiateshuman accountsandprogrammatic accountsbased onauthentication behavior, not naming conventions or assigned roles. According to the CCIS curriculum,human accounts are often used interactively, meaning they authenticate through direct user actions such as workstation logins, VPN access, or application access.

Programmatic accounts (such as service accounts) typically authenticatenon-interactively, often on a predictable schedule or in response to automated processes. Falcon analyzes authentication frequency, protocol usage, timing, and access patterns to classify account types automatically.

The incorrect options reflect common misconceptions:

Human accounts are not always administrators.

Programmatic accounts can support MFA in some architectures.

Programmatic accounts are not used interactively.

Because interactive authentication behavior is the defining characteristic of human accounts,Option Dis the correct and verified answer.

Falcon Identity Protection classifies accounts based onobserved authentication behavior and associated identity attributes, not solely on naming conventions. According to the CCIS curriculum,programmatic accounts(such as service accounts or application accounts) typically lack human-centric attributes like a phone number, assigned operating system, job title, or executive role (for example, CEO).

Human accounts generally have enriched identity context sourced from directory services and identity providers, including user profile details, interactive login behavior, and endpoint associations. In contrast, programmatic accounts authenticate non-interactively, often on predictable schedules, and do not require personal attributes to function.

Falcon analyzes authentication traffic to automatically identify these characteristics and classify the account accordingly. An account missing human identity signals—such as a phone number or endpoint ownership—strongly aligns with programmatic behavior.

Because the absence of personal attributes and interactive context is a defining indicator of aprogrammatic account,Option Ais the correct and verified answer.

Falcon Identity Protection enforces deterministic policy execution using a clear and predictable precedence model. As outlined in the CCIS curriculum, Policy Groups are evaluated top to bottom, based on their order in the console. Within each Policy Group, Policy Rules are evaluated sequentially, also from top to bottom.

This ordered evaluation ensures consistent enforcement behavior and allows administrators to design layered identity controls. When a rule’s conditions are met and an action is executed, subsequent rules may or may not be evaluated depending on rule logic and configuration. This model gives administrators precise control over enforcement priority.

The incorrect options misunderstand how precedence works. Policy enforcement is not unordered, nor are Policy Groups merely visual containers. Both grouping and rule order matter.

This precedence model is critical for avoiding conflicting enforcement actions and aligns with Zero Trust principles by ensuring predictable, auditable identity enforcement. Therefore, Option A is the correct answer.

Falcon Identity Protection provides flexible control over how identity-based detections are handled through theDetection Exclusionsframework. According to the CCIS curriculum, administrators can eitherdisable an entire detection typeor, where supported,exclude specific entitiessuch as users, service accounts, or endpoints from triggering that detection.

Not all detections support entity-level exclusions. For detections that do, exclusions allow organizations to suppress known benign behavior without disabling the detection globally. This is particularly useful for service accounts or legacy systems that generate expected but non-malicious activity. When entity-level exclusion is not supported, administrators may choose todisable the detection entirely, which stops it from generating alerts across the environment.

The CCIS documentation clearly explains this dual model:

All detections can be disabled, regardless of type

Only some detections support entity-based exclusions

This approach balances operational flexibility with security integrity and avoids the misconception that exclusions automatically create security gaps. Therefore,Option Cis the correct and verified answer.

Falcon Fusion workflows integrate directly with Falcon Identity Protection throughidentity-based triggers, allowing automated responses to identity threats. The correct trigger that activates a Falcon Fusion workflow from Identity Protection isAlert > Identity detection.

Identity detections are generated when Falcon observes suspicious or malicious identity behavior, such as credential abuse, abnormal authentication patterns, lateral movement attempts, or policy violations related to identity risk. These detections are distinct from endpoint-only detections or incidents and are specifically designed to representidentity-based attack activity.

WhileNew incidentandNew endpoint detectionare valid Falcon Fusion triggers in other Falcon modules, they are not the primary triggers for identity-focused automation. Similarly,Spotlight user action > Hostrelates to vulnerability management workflows rather than identity analytics.

The CCIS curriculum emphasizes that Falcon Fusion enablesautomated identity response, such as notifying security teams, disabling accounts, enforcing MFA, or triggering SOAR actions, based onidentity detections. Therefore, workflows tied toAlert > Identity detectionallow organizations to respond quickly and consistently to identity threats, makingOption Cthe correct answer.

Falcon Identity Protection is architected as alog-free identity security platform, a core tenet emphasized throughout the CCIS curriculum. Unlike traditional SIEM- or log-based solutions, Falcon Identity Protection doesnot require string-based queriesto continuously assess identity events or associate them with threats.

Instead, the platform relies onmachine-learning-powered detection rules,real-time authentication traffic inspection, andAPI-based connectorsto collect and analyze identity telemetry directly from domain controllers and identity providers. This approach eliminates the operational complexity of building, tuning, and maintaining query logic.

String-based queries are commonly associated with legacy log aggregation tools and SIEM platforms, where analysts must manually search logs to identify suspicious behavior. Falcon Identity Protection replaces this model withbehavioral baselining and automated correlation, enabling continuous identity risk assessment without human-driven query execution.

Because Falcon does not require string-based queries to operate,Option Dis the correct and verified answer.

The Falcon Identity Verification Dialog is used to prompt users for identity verification during conditional access enforcement. According to the CCIS curriculum,Internet Explorer 9 and Windows Server 2008represent theminimum supported requirementsfor rendering the Identity Verification Dialog on an end user’s system.

This requirement exists because the dialog relies on supported browser and OS components to present authentication challenges reliably during enforcement workflows. Systems that do not meet these minimum requirements may fail to display the dialog correctly, impacting the enforcement of MFA or identity verification actions.

The other options reference runtime frameworks or PowerShell versions that are not directly responsible for rendering the verification dialog. Therefore,Option Ais the correct and verified answer.

In Falcon Identity Protection, theExploresection of the Falcon menu is used to investigate analytical views such as theEvent Analysis dashboard. This aligns with the CCIS framework, which defines Explore as the primary area forinteractive investigation, analytics, and risk explorationacross identity data.

The Event Analysis dashboard is designed to help administrators analyzeidentity-related authentication events, behavioral patterns, and anomalous activity derived from domain traffic inspection and domain controller telemetry. These analytical capabilities are intentionally placed underExplorebecause this menu category supports hypothesis-driven investigation rather than enforcement or configuration actions.

By contrast:

Enforceis used to apply policy rules and automated controls.

Threat Hunteris focused on proactive hunting using queries and detection pivots.

Configureis used to manage settings, connectors, policies, and integrations.

The CCIS documentation explicitly associates dashboards such asRisk AnalysisandEvent Analysiswith the Explore menu, emphasizing its role in understandingwhyrisk exists before taking action. Therefore,Option C (Explore)is the correct and verified answer.

Falcon Identity Protection enforcesrole-based access control (RBAC)to ensure that only authorized users can create, modify, or manage policy rules. Policy rules directly impact identity enforcement actions, making proper role separation critical.

According to the CCIS documentation, the ability toenable and disable policy rulesis granted to theIdentity Protection Policy Managerand theFalcon Administratorroles. These roles are explicitly designed to manage enforcement logic, triggers, and automated identity controls.

TheIdentity Protection Domain Administratorrole, however, is limited todomain-level visibility and management, such as reviewing domain configurations, monitoring risks, and assessing posture. This role doesnothave permissions to modify or control policy enforcement behavior.

This separation prevents accidental or unauthorized changes to identity enforcement rules. Therefore,Option Ais the correct and verified answer.