IDP CrowdStrike Certified Identity Specialist(CCIS) Exam Questions and Answers

Falcon Identity Protection classifies accounts based on observed authentication behavior and associated identity attributes , not solely on naming conventions. According to the CCIS curriculum, programmatic accounts (such as service accounts or application accounts) typically lack human-centric attributes like a phone number, assigned operating system, job title, or executive role (for example, CEO).

Human accounts generally have enriched identity context sourced from directory services and identity providers, including user profile details, interactive login behavior, and endpoint associations. In contrast, programmatic accounts authenticate non-interactively, often on predictable schedules, and do not require personal attributes to function.

Falcon analyzes authentication traffic to automatically identify these characteristics and classify the account accordingly. An account missing human identity signals—such as a phone number or endpoint ownership—strongly aligns with programmatic behavior.

Because the absence of personal attributes and interactive context is a defining indicator of a programmatic account , Option A is the correct and verified answer.

In Falcon Identity Protection, the "Guest Account Enabled" risk highlights the presence of local or domain guest accounts that remain active across endpoints. Guest accounts are inherently high-risk because they typically lack strong authentication controls, are rarely monitored, and are frequently abused by attackers for lateral movement and persistence.

The CCIS curriculum explicitly recommends disabling Guest accounts on all endpoints as the primary remediation action. This is because guest accounts often bypass standard identity governance processes and violate the principles of least privilege and Zero Trust , both of which are foundational to Falcon Identity Protection’s security model. Disabling these accounts removes an unnecessary and dangerous authentication path from the environment.

Other options are incorrect because:

Adding endpoints to a watchlist does not remediate the risk.

Blocking access via a policy rule is less effective than eliminating the account entirely.

Disabling endpoints in Active Directory does not directly address the guest account exposure.

Falcon Identity Protection prioritizes elimination of weak identity configurations , and disabling guest accounts is a direct, effective action that immediately lowers identity risk scores and reduces attack surface. Therefore, Option C is the correct and verified answer.

Policy Rules in Falcon Identity Protection are designed to automate enforcement and response actions based on identity-related conditions observed in the environment. According to the CCIS curriculum, Policy Rules evaluate identity signals such as authentication behavior, risk levels, privilege status, and detection outcomes, then execute predefined actions when specific criteria are met.

These actions may include blocking authentication, enforcing MFA, generating alerts, or triggering Falcon Fusion workflows. This design supports Falcon’s Zero Trust and continuous validation model, where trust decisions are dynamically enforced rather than statically assigned. Policy Rules therefore act as the operational bridge between identity analytics and enforcement.

The incorrect options confuse Policy Rules with other platform components. Administrative permissions are governed by RBAC, sensor data collection scope is controlled through configuration settings, and behavioral learning is handled by Falcon’s analytics engine—not Policy Rules.

The CCIS documentation explicitly defines Policy Rules as logic-based enforcement mechanisms, making Option A the correct and verified answer.

Cloud-based MFA connectors integrate Falcon Identity Protection with third-party MFA providers using application-based authentication , not user credentials. As outlined in the CCIS curriculum, these connectors require an application identifier (Client/Application ID) and secret keys to securely authenticate API communications.

This approach follows modern security best practices by avoiding the use of privileged user credentials and instead leveraging scoped, revocable application secrets. The connector uses these credentials to trigger MFA challenges and exchange authentication context securely.

Options involving usernames, passwords, or domain controller details are incorrect, as Falcon Identity Protection does not store or require privileged account credentials for MFA integrations. Therefore, Option D is the correct answer.

Falcon Identity Protection supports geolocation-based detections to identify potentially risky authentication activity originating from unexpected or prohibited locations. According to the CCIS curriculum, any countries or regions added to the Blocklist will automatically trigger a geolocation-based detection when authentication traffic is observed from those locations.

The Blocklist is designed to explicitly define disallowed geographic regions . When an authentication attempt originates from a blocklisted country or region, Falcon treats the activity as suspicious and generates a detection or contributes to increased identity risk.

By contrast:

An Allowlist defines approved locations and suppresses detections.

A Dictionary is used for password-related analysis.

An Exclusion suppresses detections rather than generating them.

Because geolocation detections are triggered by blocklisted locations , Option A is the correct answer.

Within Falcon Identity Protection, a Watched User is a user explicitly designated for heightened monitoring due to potential business risk. According to the CCIS curriculum, watchlists are designed to provide additional visibility into users whose behavior, access level, or role may warrant closer observation, even if they have not yet exhibited confirmed malicious activity.

Watched Users may include executives, administrators, users with access to sensitive systems, or accounts suspected of being targeted. Placing a user on a watchlist does not imply compromise; instead, it ensures their activity is prioritized in investigations, detections, and dashboards.

The other options are incorrect:

Honeytoken Accounts are decoy accounts designed to detect malicious usage.

High Risk is a calculated risk state, not a monitoring classification.

Marked User is not a valid Falcon Identity Protection classification.

Because the CCIS material explicitly identifies Watched Users as accounts requiring observation for potential risk, Option C is the correct and verified answer.

Falcon Identity Threat Detection (ITD) provides visibility, analytics, and detection of identity-based threats but does not include enforcement capabilities . According to the CCIS curriculum, ITD customers have access to investigative and analytical features such as Event Analysis , Privileged Identities , and relevant Settings for visibility and monitoring.

Policy Rules , however, are part of Identity Threat Protection (ITP) and reside in the Enforce section of the Falcon console. Policy Rules enable automated responses and enforcement actions, such as blocking access or enforcing MFA, which are not available under ITD-only subscriptions.

This distinction is critical in the CCIS material:

ITD = Detect and analyze identity threats

ITP = Detect + enforce policy actions

Because ITD does not include enforcement functionality, Policy Rules are not available , making Option D the correct answer.

Falcon Identity Protection automatically differentiates human and programmatic accounts by analyzing authentication traffic patterns . According to the CCIS curriculum, the platform uses behavioral analytics to observe how accounts authenticate, including frequency, protocol usage, timing, and access patterns.

Human users typically authenticate interactively and exhibit variable behavior, while programmatic or service accounts authenticate predictably and non-interactively. Falcon leverages these differences to automatically classify account types without requiring manual tagging or administrative input.

This classification is critical for accurate risk scoring, privilege analysis, and detection logic. Programmatic accounts often carry elevated privileges and long-lived credentials, making them attractive targets for attackers. Automatically identifying them allows Falcon to apply appropriate risk models and detections.

Because Falcon uses authentication traffic analysis to classify account types, Option C is the correct and verified answer.

To retrieve identity-based detections and incident-related data using the CrowdStrike APIs, the API key must include the correct permission scope . According to the CCIS curriculum, the Identity Protection Detections scope is required to access identity-based detection and incident information through GraphQL.

This scope allows API queries to retrieve:

Identity-based detections

Associated incident metadata

Detection attributes such as severity, status, and related entities

Incident data in Falcon Identity Protection is derived from detections , making the Detections scope the authoritative permission set for this information. Without this scope, GraphQL queries related to identity detections and incidents will fail authorization.

The other scopes are either too narrow or unrelated to detection retrieval. Therefore, Option A is the correct and verified answer.

Falcon Identity Protection follows a correlation and enrichment model where events, detections, and incidents are dynamically linked over time. According to the CCIS curriculum, events that occur after an incident is marked In Progress do not automatically create a new incident . Instead, related events and detections are typically added to the existing incident , provided they fall within the incident’s correlation and suppression window.

This behavior allows Falcon to present a single evolving incident , showing the full progression of an identity attack rather than fragmenting activity into multiple incidents. Therefore, statement A is not true .

The other statements are correct:

Detections can be retroactively associated with incidents that occurred earlier if correlation logic determines relevance.

Events can be linked to detections even if the detection is created after the event occurred.

Not all events are security-relevant; many remain informational and never become detections.

This adaptive correlation model is a core concept in CCIS training and supports efficient investigation and incident lifecycle management. Hence, Option A is the correct answer.

Identity Protection API documentation is part of CrowdStrike’s centralized API documentation structure. According to the CCIS curriculum, Identity Protection API information is located under the “CrowdStrike APIs” documentation category .

This category includes:

API authentication and scopes

Identity Protection GraphQL schemas

Query examples for detections, incidents, users, and risk

Usage guidance and limitations

CrowdStrike consolidates all API-related documentation in one location to ensure consistent access and maintenance across Falcon modules. Identity Protection APIs are not documented under Falcon Management, Store, or general reference sections.

Because all product APIs—including Identity Protection—are documented under CrowdStrike APIs , Option D is the correct and verified answer.

Falcon Identity Protection evaluates domain risk by analyzing identity-related weaknesses such as insecure authentication protocols, legacy directory configurations, and exposure to credential-based attacks. Actions that harden Active Directory and authentication mechanisms will directly reduce domain risk scores.

Measures such as enabling SMB signing , enforcing NTLMv2 , and upgrading unsupported operating systems remove common identity attack paths and are explicitly recommended in the CCIS curriculum as effective domain risk remediation steps.

In contrast, upgrading end-of-life Acrobat Reader addresses an endpoint application vulnerability , not an identity or directory-related risk. While important for endpoint hygiene, it does not influence identity telemetry, authentication behavior, or domain controller security assessed by Falcon Identity Protection.

Because domain risk scoring is strictly tied to identity infrastructure and authentication posture, Option B does not contribute to lowering the domain risk score and is therefore the correct answer.

In Falcon Identity Protection, the three-dot ( ⋮ ) action menu on an identity-based detection provides analysts with a limited set of actions that apply directly to the detection itself . According to the CCIS curriculum, these actions are designed to support investigation workflow, tuning, and documentation.

The supported actions in the detection-level three-dot menu include:

Edit status , which allows analysts to update the detection state (for example, New, In Progress, or Closed).

Add comment , which enables collaboration and documentation directly on the detection.

Add exclusion , where supported, to suppress future detections that match known benign behavior.

Add to Watchlist is not included in this menu because watchlists are applied to entities (such as users, service accounts, or endpoints), not to detections. Watchlists are managed from entity views or investigation workflows and are used to increase visibility and monitoring priority for specific identities—not to act on individual detections.

This distinction is emphasized in CCIS training to reinforce the separation between entity-centric actions and detection-centric actions . Because watchlists operate at the entity level, Option B is the correct and verified answer.

In Falcon Identity Protection, identity-based incidents are dynamic and can evolve over time as additional detections are associated with them. According to the CCIS curriculum, an incident’s type is automatically recalculated based on the detections related to the incident , not by manual user actions.

As new identity-based detections are generated—such as credential misuse, lateral movement attempts, or abnormal authentication behavior—the platform continuously reassesses the incident. If the newly added detections indicate a different or more severe attack pattern, Falcon may automatically change the incident type to better reflect the observed threat activity.

Manual actions such as adding exclusions or linking detections do not directly change the incident type. Similarly, users cannot manually override an incident’s classification. The classification logic is driven entirely by Falcon’s analytics engine to ensure consistent, objective threat categorization.

This automated behavior is emphasized in CCIS training to highlight Falcon’s ability to adapt incident context as attacks progress , making Option D the correct answer.