IDP CrowdStrike Certified Identity Specialist(CCIS) Exam Questions and Answers

Authentication Traffic Inspection (ATI) is enabled throughIdentity Configuration Policies, which define how the Falcon sensor captures and inspects identity-related network traffic. According to the CCIS documentation, ATI configuration is performed underConfigure > Identity Configuration Policies.

These policies allow administrators to specify which authentication protocols are inspected, which domain controllers are covered, and how identity telemetry is collected. This configuration step is mandatory to enable identity visibility and detection capabilities.

The Enforce menu is used for policy rules and automated actions, not traffic inspection. General settings do not control sensor inspection behavior. Because ATI directly affects sensor data capture, it is managed exclusively through Identity Configuration Policies.

Therefore,Option Dis the correct and verified answer.

Falcon Identity Protection is architected as alog-free identity security platform, a core tenet emphasized throughout the CCIS curriculum. Unlike traditional SIEM- or log-based solutions, Falcon Identity Protection doesnot require string-based queriesto continuously assess identity events or associate them with threats.

Instead, the platform relies onmachine-learning-powered detection rules,real-time authentication traffic inspection, andAPI-based connectorsto collect and analyze identity telemetry directly from domain controllers and identity providers. This approach eliminates the operational complexity of building, tuning, and maintaining query logic.

String-based queries are commonly associated with legacy log aggregation tools and SIEM platforms, where analysts must manually search logs to identify suspicious behavior. Falcon Identity Protection replaces this model withbehavioral baselining and automated correlation, enabling continuous identity risk assessment without human-driven query execution.

Because Falcon does not require string-based queries to operate,Option Dis the correct and verified answer.

When an identity-based detection is determined to be afalse positive, Falcon Identity Protection allows administrators to take corrective action usingexceptions. According to the CCIS curriculum, exceptions are the mechanism by which detections can be suppressed for specific entities or conditions without disabling the detection entirely.

Exceptions are configured from theDetection detailsview and are intended to handle known, acceptable behavior that would otherwise continue to trigger detections. This allows security teams to reduce noise while maintaining visibility into true threats. Exceptions are especially valuable in environments with complex authentication patterns or legacy configurations.

The other options are incorrect:

Exitsare not a detection control mechanism.

Remediationsrefer to corrective actions, not suppression logic.

Recommendationsprovide guidance but do not change detection behavior.

By usingexceptions, Falcon ensures that false positives are handled in a controlled and auditable way, aligning with best practices outlined in the CCIS material. Therefore,Option Cis the correct answer.

Falcon Identity Protection is designed toextend—not replace—existing MFA solutions. According to the CCIS curriculum, Identity Protection enhances MFA by adding arisk-driven, policy-based enforcement layerthat dynamically triggers MFA challenges when risky or abnormal identity behavior is detected.

Rather than applying MFA uniformly, Falcon evaluates authentication context such as behavioral deviation, privilege usage, and anomaly detection. When risk thresholds are exceeded, Policy Rules can enforce MFA through integrated connectors, providing adaptive, Zero Trust–aligned authentication.

The incorrect options misunderstand Falcon’s role. Identity Protection does detect risky behavior, does not replace MFA providers, and fully supports both cloud and on-premises MFA connectors.

Because Falcon adds intelligence-driven enforcement on top of MFA,Option Ais the correct and verified answer.

Falcon Identity Protection identifiesstale endpointsas systems that have not authenticated or shown activity for an extended period and then suddenly become active. According to the CCIS curriculum, an endpoint that has been inactive for90 daysand then resumes activity will trigger aUse of Stale Endpointdetection.

This detection is important because attackers frequently exploit dormant or forgotten systems to re-enter environments, evade monitoring, or move laterally. A long period of inactivity followed by sudden authentication activity is considered a strong identity risk signal.

The 90-day threshold is used to establish a reliable inactivity baseline while minimizing false positives. Shorter timeframes could incorrectly flag normal usage patterns, while longer timeframes could delay detection of genuine threats.

Because Falcon explicitly defines stale endpoint activity using a90-day inactivity window,Option Bis the correct answer.

Identity Protection API documentation is part of CrowdStrike’s centralized API documentation structure. According to the CCIS curriculum,Identity Protection API information is located under the “CrowdStrike APIs” documentation category.

This category includes:

API authentication and scopes

Identity Protection GraphQL schemas

Query examples for detections, incidents, users, and risk

Usage guidance and limitations

CrowdStrike consolidates all API-related documentation in one location to ensure consistent access and maintenance across Falcon modules. Identity Protection APIs are not documented under Falcon Management, Store, or general reference sections.

Because all product APIs—including Identity Protection—are documented underCrowdStrike APIs,Option Dis the correct and verified answer.

Falcon Fusion workflows integrate directly with Falcon Identity Protection throughidentity-based triggers, allowing automated responses to identity threats. The correct trigger that activates a Falcon Fusion workflow from Identity Protection isAlert > Identity detection.

Identity detections are generated when Falcon observes suspicious or malicious identity behavior, such as credential abuse, abnormal authentication patterns, lateral movement attempts, or policy violations related to identity risk. These detections are distinct from endpoint-only detections or incidents and are specifically designed to representidentity-based attack activity.

WhileNew incidentandNew endpoint detectionare valid Falcon Fusion triggers in other Falcon modules, they are not the primary triggers for identity-focused automation. Similarly,Spotlight user action > Hostrelates to vulnerability management workflows rather than identity analytics.

The CCIS curriculum emphasizes that Falcon Fusion enablesautomated identity response, such as notifying security teams, disabling accounts, enforcing MFA, or triggering SOAR actions, based onidentity detections. Therefore, workflows tied toAlert > Identity detectionallow organizations to respond quickly and consistently to identity threats, makingOption Cthe correct answer.

The Enforce section of Falcon Identity Protection is dedicated to policy-based identity enforcement. According to the CCIS curriculum, this section allows administrators to define and manage Policy Rules and Policy Groups that specify how the platform should respond when identity-related conditions are detected.

These rules evaluate triggers such as risky authentication behavior, privilege misuse, compromised credentials, or elevated risk scores, and then execute actions like blocking access, enforcing MFA, or initiating Falcon Fusion workflows. Enforce is therefore the execution layer of Falcon’s identity security model.

The other options correspond to different sections of the platform:

Configuration tasks are handled in Configure.

Detections and incidents are reviewed in Monitor or Explore.

Domain posture overviews are displayed in Domain Security Overview.

Because Enforce directly controls what actions are taken in response to identity risk, Option B is the correct and verified answer.

Falcon Identity Protection integrates withIdentity-as-a-Service (IDaaS)providers to ingest cloud authentication activity and enforce identity-based policies. According to the CCIS curriculum,Okta SSOis a supported IDaaS connector that enables Falcon to ingestcloud authentication eventswhile also applyingSingle Sign-On (SSO) policies.

Okta SSO provides rich identity telemetry, including login attempts, device context, and authentication outcomes. This data allows Falcon Identity Protection to correlate on-premises and cloud-based identity activity, extending identity risk analysis beyond Active Directory.

The other options are incorrect:

ADFSis an on-premises federation service, not a cloud IDaaS.

Azure NPSis used for RADIUS-based MFA, not SSO ingestion.

SAMLis a protocol, not an IDaaS connector.

Because Okta SSO provides both cloud activity ingestion and SSO enforcement,Option Bis the correct and verified answer.

To interact with Falcon Identity Protection using GraphQL, the API client must be created with the appropriatepermission scopes. According to the CCIS curriculum, theIdentity Protection GraphQLscope withWrite permissionsmust be enabled prior to using the Identity Protection API.

This scope allows the API client to execute GraphQL queries and mutations related to identity detections, incidents, users, and risk data. Even when performing read-only operations, CrowdStrike requires the GraphQL Write scope to authorize GraphQL query execution within the Falcon platform.

The other options are incorrect because:

Identity Protection Assessment and Health are read-only data scopes.

The statement that Write permissions are not required is explicitly false per CCIS documentation.

Because GraphQL access requires theIdentity Protection GraphQL (Write)scope,Option Dis the correct and verified answer.

In Falcon Identity Protection, auser baselineis established by observing consistent and repeatable behavior over time, including authentication patterns, endpoint associations, and usage context. According to the CCIS curriculum, one of the strongest indicators that a user has an established baseline is the presence ofendpoints for which the user is identified as an owner.

Endpoint ownership is determined through historical authentication behavior and usage frequency. When Falcon identifies that a user consistently logs into specific endpoints over time, those endpoints are marked asowned, which signifies that sufficient historical data exists to confidently model the user’s normal behavior. This ownership relationship is only created after Falcon has observed the user long enough to establish a reliable baseline.

The other options do not definitively indicate a baseline:

Logging into multiple endpoints may occur during initial discovery or anomalous activity.

A risk score reflects current risk posture, not baseline maturity.

Recent logon activity alone does not imply historical consistency.

Becauseendpoint ownership requires sustained, predictable behavior over time, it is the clearest indicator that Falcon has successfully established a user baseline. Therefore,Option Bis the correct and verified answer.

Falcon Identity Protection usesincident suppression windowsto prevent alert fatigue while still maintaining accurate incident tracking. According to the CCIS documentation, whennew events related to an existing identity-based incident occur, the incident issuppressed for 5 days.

This suppression means that Falcon does not generate a new incident for the same activity during this window. Instead, additional detections areadded to the existing incident, allowing analysts to view the full progression of the threat in a single investigative context.

The 5-day suppression window ensures that ongoing identity attacks—such as repeated authentication abuse or lateral movement—are consolidated rather than fragmented across multiple incidents. This improves investigation efficiency and aligns with Falcon’s incident lifecycle management approach.

Because the suppression period is fixed at5 days,Option Dis the correct and verified answer.

Falcon Threat Hunter provides a direct integration with theAPI Builderto support advanced investigation workflows and automation. According to the CCIS curriculum, analysts can take an existing Threat Hunter query and convert it into aGraphQL-compatible formatby selectingOpen Query in API Builderfrom the Threat Hunter menu.

This option opens the current query in a new window within API Builder, automatically translating the query structure into GraphQL syntax where applicable. This enables security teams to reuse validated hunting logic for automation, reporting, or external integrations without rewriting queries from scratch.

The other menu options serve different purposes:

Export to API Builderis not a valid menu action.

Save as Custom Querystores the query for reuse inside Threat Hunter.

Save as Custom Reportgenerates a reporting artifact, not an API query.

BecauseOpen Query in API Builderis the only option that opens the query in GraphQL format in a new window,Option Dis the correct and verified answer.

Falcon Identity Protection is designed to address the growing threat ofidentity brokers, which act as intermediaries that abuse identity infrastructure to facilitate lateral movement, privilege escalation, and persistent access. The CCIS curriculum emphasizes that Falcon Identity Protection providesproactive identity risk mitigationrather than reactive session monitoring or password vaulting.

The platform continuously inspects authentication traffic and identity behavior across Active Directory and Azure AD environments, building behavioral baselines and identifying abnormal activity associated with brokered identity attacks. ThroughPolicy Rules, organizations can automatically enforce controls such as blocking risky authentications, enforcing MFA, or triggering remediation workflows when identity abuse is detected.

The incorrect options describe capabilities associated withPrivileged Access Management (PAM)orIAM middleware, which are not the focus of Falcon Identity Protection. Falcon does not record interactive sessions, act as an HRIS bridge, or store delegated credentials. Instead, it protects identity infrastructure bydetecting and preventing identity misuse in real time.

This proactive enforcement model aligns directly with Zero Trust principles and makes Falcon Identity Protection a strong solution against identity broker activity. Therefore,Option Cis the correct and verified answer.