When creating an API key, which scope should be selected to retrieve Identity Protection detection and incident information?
Answer: A
To retrieve identity-based detections and incident-related data using the CrowdStrike APIs, the API key must include the correct permission scope. According to the CCIS curriculum, the Identity Protection Detections scope is required to access identity-based detection and incident information through GraphQL.
This scope allows API queries to retrieve:
Identity-based detections
Associated incident metadata
Detection attributes such as severity, status, and related entities
Incident data in Falcon Identity Protection is derived from detections, making the Detections scope the authoritative permission set for this information. Without this scope, GraphQL queries related to identity detections and incidents will fail authorization.
The other scopes are either too narrow or unrelated to detection retrieval. Therefore, Option A is the correct and verified answer.
How should a user be classified if one requires observation for potential risk to the business?
Answer: C
Within Falcon Identity Protection, a Watched User is a user explicitly designated for heightened monitoring due to potential business risk. According to the CCIS curriculum, watchlists are designed to provide additional visibility into users whose behavior, access level, or role may warrant closer observation, even if they have not yet exhibited confirmed malicious activity.
Watched Users may include executives, administrators, users with access to sensitive systems, or accounts suspected of being targeted. Placing a user on a watchlist does not imply compromise; instead, it ensures their activity is prioritized in investigations, detections, and dashboards.
The other options are incorrect:
Honeytoken Accounts are decoy accounts designed to detect malicious usage.
High Risk is a calculated risk state, not a monitoring classification.
Marked User is not a valid Falcon Identity Protection classification.
Because the CCIS material explicitly identifies Watched Users as accounts requiring observation for potential risk, Option C is the correct and verified answer.
When creating an API client, which scope with Write permissions must be enabled prior to using Identity Protection API?
Answer: D
To interact with Falcon Identity Protection using GraphQL, the API client must be created with the appropriate permission scopes. According to the CCIS curriculum, the Identity Protection GraphQL scope with Write permissions must be enabled prior to using the Identity Protection API.
This scope allows the API client to execute GraphQL queries and mutations related to identity detections, incidents, users, and risk data. Even when performing read-only operations, CrowdStrike requires the GraphQL Write scope to authorize GraphQL query execution within the Falcon platform.
The other options are incorrect because:
Identity Protection Assessment and Health are read-only data scopes.
The statement that Write permissions are not required is explicitly false per CCIS documentation.
Because GraphQL access requires the Identity Protection GraphQL (Write) scope, Option D is the correct and verified answer.
Which entity tab will show an administrator how to lower the account's risk score?
Answer: D
In CrowdStrike Falcon Identity Protection, the Risk tab within a user or account entity provides administrators with direct visibility into why an account has a specific risk score and what actions can be taken to reduce that score. This functionality is a core component of the User Assessment and Risk Assessment sections of the CCIS (CrowdStrike Identity Specialist) curriculum.
The Risk tab aggregates both analysis-based risks and detection-based risks, clearly identifying contributing factors such as compromised passwords, excessive privileges, risky authentication behavior, stale or never-used accounts, and policy violations. It also highlights the severity, likelihood, and consequence of each risk factor, allowing administrators to prioritize remediation efforts effectively. Most importantly, this tab provides actionable guidance, enabling teams to understand which specific remediation steps (such as enforcing MFA, resetting credentials, reducing privileges, or disabling unused accounts) will directly lower the account's overall risk score.
Other entity tabs do not provide this capability. The Timeline tab focuses on chronological events and detections, the Activity tab displays authentication and behavioral activity, and the Asset tab shows associated endpoints and resources. Only the Risk tab is designed to explain risk drivers and guide remediation, making Option D the correct and verified answer.
What trigger will cause a Falcon Fusion Workflow to activate from Falcon Identity Protection?
Answer: C
Falcon Fusion workflows integrate directly with Falcon Identity Protection through identity-based triggers, allowing automated responses to identity threats. The correct trigger that activates a Falcon Fusion workflow from Identity Protection is Alert > Identity detection.
Identity detections are generated when Falcon observes suspicious or malicious identity behavior, such as credential abuse, abnormal authentication patterns, lateral movement attempts, or policy violations related to identity risk. These detections are distinct from endpoint-only detections or incidents and are specifically designed to represent identity-based attack activity.
While New incident and New endpoint detection are valid Falcon Fusion triggers in other Falcon modules, they are not the primary triggers for identity-focused automation. Similarly, Spotlight user action > Host relates to vulnerability management workflows rather than identity analytics.
The CCIS curriculum emphasizes that Falcon Fusion enables automated identity response, such as notifying security teams, disabling accounts, enforcing MFA, or triggering SOAR actions, based on identity detections. Therefore, workflows tied to Alert > Identity detection allow organizations to respond quickly and consistently to identity threats, making Option C the correct answer.
The configuration of the Azure AD (Entra ID) Identity-as-a-Service connector requires which three pieces of information?
Answer: D
To integrate Falcon Identity Protection with Azure AD (Entra ID) as an Identity-as-a-Service (IDaaS) provider, specific application-level credentials are required. According to the CCIS curriculum, the connector configuration requires Tenant Domain, Application (Client) ID, and Application Secret.
These values are generated when registering an application in Azure AD and are used to authenticate Falcon Identity Protection securely via OAuth-based API access. This method ensures least-privilege access and allows the connector to ingest cloud authentication activity and apply SSO-related policy enforcement.
Other options list incomplete or incorrect credential combinations. Therefore, Option D is the correct and verified answer.
When an endpoint that has not been used in the last 90 days becomes active, a detection for Use of Stale Endpoint is reported.
Answer: B
Falcon Identity Protection identifies stale endpoints as systems that have not authenticated or shown activity for an extended period and then suddenly become active. According to the CCIS curriculum, an endpoint that has been inactive for 90 days and then resumes activity will trigger a Use of Stale Endpoint detection.
This detection is important because attackers frequently exploit dormant or forgotten systems to re-enter environments, evade monitoring, or move laterally. A long period of inactivity followed by sudden authentication activity is considered a strong identity risk signal.
The 90-day threshold is used to establish a reliable inactivity baseline while minimizing false positives. Shorter timeframes could incorrectly flag normal usage patterns, while longer timeframes could delay detection of genuine threats.
Because Falcon explicitly defines stale endpoint activity using a 90-day inactivity window, Option B is the correct answer.