IDP Exam Dumps - CrowdStrike CCIS Questions and Answers

Falcon Identity Protection integrates with a defined set ofsupported MFA providersto enforce identity verification and conditional access based on identity risk. According to the CCIS curriculum, supported MFA providers includeAzure (Entra) MFA,Cisco Duo, andSymantec VIP, which are commonly used enterprise-grade MFA solutions.

These integrations allow Falcon Identity Protection to evaluate authentication attempts and dynamically enforce MFA challenges when risky behavior is detected. The supported providers expose the necessary APIs and authentication workflows required for Falcon to trigger MFA challenges as part of Policy Rules and Zero Trust enforcement.

Firebaseis not a supported MFA provider within Falcon Identity Protection. Firebase is primarily a mobile and application development platform and does not function as an enterprise MFA provider compatible with Falcon’s identity enforcement model. As such, it cannot be used to enforce conditional access or identity verification through Falcon Identity Protection.

Because Falcon only supports specific, enterprise MFA integrations validated by CrowdStrike,Option Ais the correct and verified answer.

TheDomain Security Overviewpage in Falcon Identity Protection presents domain risks in aprioritized, descending order, based on a combination ofseverity, likelihood, and consequence. The CCIS curriculum emphasizes that organizations should address risksfrom top to bottom, as the list is already optimized to reflect the most impactful identity risks first.

This ordering allows security teams to focus remediation efforts where they will produce the greatest reduction in overall domain risk score. Addressing risks sequentially ensures alignment with Falcon’s risk modeling and avoids misprioritization that could occur if teams focus only on color-based severity or individual detections.

The incorrect options reflect common misconceptions:

Medium risks should not be prioritized over higher-impact risks.

Detections are different from risks and should not be addressed independently of risk context.

Low risks are intentionally deprioritized by the platform.

By following the descending order provided in the Domain Security Overview, organizations align remediation with Falcon’sZero Trust–driven identity risk scoring methodology, makingOption Athe correct answer.

In Falcon Identity Protection, theDomainspage is where administrators can view themonitoring and health status of domain controllers. The CCIS curriculum explains that this page provides visibility into which domain controllers are actively reporting authentication traffic, their inspection status, and whether Authentication Traffic Inspection (ATI) is enabled.

This view is essential for validating coverage and ensuring that Falcon Identity Protection has sufficient visibility into domain authentication activity. Administrators can quickly identify gaps, such as domain controllers that are not reporting or are misconfigured, and take corrective action.

The other options serve different purposes:

Settingsmanage general configuration.

System Notificationsdisplay alerts and messages.

Connectorsmanage integrations such as MFA and IDaaS.

Because domain controller visibility and monitoring health are managed at the domain level,Option C (Domains)is the correct and verified answer.

To interact with Falcon Identity Protection using GraphQL, the API client must be created with the appropriatepermission scopes. According to the CCIS curriculum, theIdentity Protection GraphQLscope withWrite permissionsmust be enabled prior to using the Identity Protection API.

This scope allows the API client to execute GraphQL queries and mutations related to identity detections, incidents, users, and risk data. Even when performing read-only operations, CrowdStrike requires the GraphQL Write scope to authorize GraphQL query execution within the Falcon platform.

The other options are incorrect because:

Identity Protection Assessment and Health are read-only data scopes.

The statement that Write permissions are not required is explicitly false per CCIS documentation.

Because GraphQL access requires theIdentity Protection GraphQL (Write)scope,Option Dis the correct and verified answer.

In Falcon Identity Protection,default insightsare prebuilt analytical views provided by CrowdStrike to immediately highlight common and high-impact identity risks across the environment. These default insights are automatically available in theRisk AnalysisandInsightsareas and are designed to surface well-known identity exposure patterns without requiring customization.

Examples ofdefault insightsincludeUsing Unmanaged Endpoints,GPO Exposed Password, andCompromised Password. These insights are natively provided because they represent frequent and high-risk identity attack vectors such as credential exposure, unmanaged authentication sources, and password compromise, all of which directly contribute to elevated identity risk scores.

Poorly Protected Accounts with SPN (Service Principal Name), however, isnot provided as a default insight. While Falcon Identity Protection does collect and analyze SPN-related risk signals—such as Kerberoasting exposure and weak service account protections—this specific grouping must be created by administrators usingcustom insight filters. Custom insights allow teams to define precise conditions, combine attributes (privilege level, SPN presence, password age, MFA status), and tailor risk visibility to their organization’s threat model.

This distinction is emphasized in the CCIS curriculum, which explains thatcustom insights extend beyond default coverage, enabling deeper, organization-specific identity risk analysis. Therefore,Option Dis the correct answer.

In Falcon Identity Protection,Informationaldetections represent low-impact events that provide context but do not indicate elevated identity risk. According to the CCIS curriculum,Informational events are excluded by defaultfrom standard detection views to reduce noise and allow analysts to focus on higher-risk activity.

By default,Low, Medium, and High severity detections remain visible, as these contribute directly to identity risk scoring, incident formation, and investigative workflows. Informational detections can still be viewed if filters are adjusted, but they are intentionally hidden in default views.

This design supports efficient threat triage by prioritizing detections that are more likely to represent real security concerns. The other options listed are not valid detection severity classifications within Falcon Identity Protection.

Because Informational events are excluded by default while higher-severity detections remain visible,Option Ais the correct and verified answer.

Falcon Identity Protection follows acorrelation and enrichment modelwhere events, detections, and incidents are dynamically linked over time. According to the CCIS curriculum,events that occur after an incident is marked In Progress do not automatically create a new incident. Instead, related events and detections are typicallyadded to the existing incident, provided they fall within the incident’s correlation and suppression window.

This behavior allows Falcon to present asingle evolving incident, showing the full progression of an identity attack rather than fragmenting activity into multiple incidents. Therefore, statementA is not true.

The other statements are correct:

Detections can be retroactively associated with incidents that occurred earlier if correlation logic determines relevance.

Events can be linked to detections even if the detection is created after the event occurred.

Not all events are security-relevant; many remain informational and never become detections.

This adaptive correlation model is a core concept in CCIS training and supports efficient investigation and incident lifecycle management. Hence,Option Ais the correct answer.

Falcon Identity Protection integrates withIdentity-as-a-Service (IDaaS)providers to ingest cloud authentication activity and enforce identity-based policies. According to the CCIS curriculum,Okta SSOis a supported IDaaS connector that enables Falcon to ingestcloud authentication eventswhile also applyingSingle Sign-On (SSO) policies.

Okta SSO provides rich identity telemetry, including login attempts, device context, and authentication outcomes. This data allows Falcon Identity Protection to correlate on-premises and cloud-based identity activity, extending identity risk analysis beyond Active Directory.

The other options are incorrect:

ADFSis an on-premises federation service, not a cloud IDaaS.

Azure NPSis used for RADIUS-based MFA, not SSO ingestion.

SAMLis a protocol, not an IDaaS connector.

Because Okta SSO provides both cloud activity ingestion and SSO enforcement,Option Bis the correct and verified answer.

Falcon Identity Protection is architected as alog-free identity security platform, a core tenet emphasized throughout the CCIS curriculum. Unlike traditional SIEM- or log-based solutions, Falcon Identity Protection doesnot require string-based queriesto continuously assess identity events or associate them with threats.

Instead, the platform relies onmachine-learning-powered detection rules,real-time authentication traffic inspection, andAPI-based connectorsto collect and analyze identity telemetry directly from domain controllers and identity providers. This approach eliminates the operational complexity of building, tuning, and maintaining query logic.

String-based queries are commonly associated with legacy log aggregation tools and SIEM platforms, where analysts must manually search logs to identify suspicious behavior. Falcon Identity Protection replaces this model withbehavioral baselining and automated correlation, enabling continuous identity risk assessment without human-driven query execution.

Because Falcon does not require string-based queries to operate,Option Dis the correct and verified answer.

Falcon Identity Protection calculates user risk scores based on a combination ofprivilege level,credential exposure, andbehavioral indicators. According to the CCIS curriculum, aprivileged user with a compromised passwordrepresents one of the highest-risk identity scenarios.

Privileged accounts—such as administrators or service accounts with elevated access—already pose increased risk due to their access scope. When Falcon detects that such an account’s credentials have been compromised, the risk escalates significantly because attackers can immediately gain high-impact access without further escalation.

The other options do not inherently represent the same level of risk:

Logging in from a shared endpoint may increase risk but is context-dependent.

Stale users are risky but typically lower risk than active compromised credentials.

Domain Admin group membership alone does not imply compromise.

Becausecredential compromise combined with privilegedramatically increases attack potential,Option Bis the correct and verified answer.