CrowdStrike Certified Identity Specialist IDP Exam Questions

Page: 1 / 14
Total 58 questions
Question 1

The CISO of your organization recently read a report about the increased usage of identity brokers and is interested in finding a solution for the company. Which of the following makes Falcon Identity a valid solution for the organization?



Answer : C

Falcon Identity Protection is designed to address the growing threat of identity brokers, which act as intermediaries that abuse identity infrastructure to facilitate lateral movement, privilege escalation, and persistent access. The CCIS curriculum emphasizes that Falcon Identity Protection provides proactive identity risk mitigation rather than reactive session monitoring or password vaulting.

The platform continuously inspects authentication traffic and identity behavior across Active Directory and Azure AD environments, building behavioral baselines and identifying abnormal activity associated with brokered identity attacks. Through Policy Rules, organizations can automatically enforce controls such as blocking risky authentications, enforcing MFA, or triggering remediation workflows when identity abuse is detected.

The incorrect options describe capabilities associated with Privileged Access Management (PAM) or IAM middleware, which are not the focus of Falcon Identity Protection. Falcon does not record interactive sessions, act as an HRIS bridge, or store delegated credentials. Instead, it protects identity infrastructure by detecting and preventing identity misuse in real time.

This proactive enforcement model aligns directly with Zero Trust principles and makes Falcon Identity Protection a strong solution against identity broker activity. Therefore, Option C is the correct and verified answer.


Question 2

What setting can be switched under the Domain Security Overview for each Active Directory domain and/or Azure tenant?



Answer : D

In the Domain Security Overview, Scope is a configurable setting that allows administrators to switch between Active Directory domains and Azure tenants. This capability is essential for organizations managing multiple identity environments, as it enables targeted risk assessment and comparison across different identity infrastructures.

The CCIS documentation explains that Scope determines which domain or tenant's identity data is displayed in the Overview dashboard, including risk scores, trends, and prioritized remediation guidance. Changing the scope does not alter risk calculations; it simply refocuses the analysis on the selected identity environment.

Other options are incorrect because:

Privileged Identities represent a subset of users, not a switchable setting.

Domains are entities, not a dashboard control.

Goal changes how risks are evaluated, not which environment is displayed.

By allowing granular control over which domain or tenant is analyzed, Scope supports accurate identity risk management in complex, hybrid environments. Therefore, Option D is the correct answer.


Question 3

How long does it typically take Falcon Identity to develop a baseline of a user?



Answer : C

Falcon Identity Protection establishes a user baseline by observing authentication behavior over time, including login frequency, endpoints used, access patterns, and protocol usage. According to the CCIS curriculum, Falcon typically requires approximately one week of consistent activity to develop an initial, reliable baseline for a user.

This baseline allows Falcon to distinguish normal behavior from anomalies and to calculate accurate risk scores. While the baseline continues to mature over time and becomes more precise with additional data, the first usable behavioral model is generally formed within a week.

Longer timeframes such as one or three months are not required to begin detecting abnormal behavior. Conversely, periods shorter than a week may not provide sufficient behavioral data to accurately model normal usage patterns.

Because Falcon can rapidly establish a functional baseline while continuously refining it, Option C (One week) is the correct and verified answer.


Question 4

Which of the following are NOT included within the three-dot menu on Identity-based Detections?



Answer : B

In Falcon Identity Protection, the three-dot (⋯) action menu on an identity-based detection provides analysts with a limited set of actions that apply directly to the detection itself. According to the CCIS curriculum, these actions are designed to support investigation workflow, tuning, and documentation.

The supported actions in the detection-level three-dot menu include:

Edit status, which allows analysts to update the detection state (for example, New, In Progress, or Closed).

Add comment, which enables collaboration and documentation directly on the detection.

Add exclusion, where supported, to suppress future detections that match known benign behavior.

Add to Watchlist is not included in this menu because watchlists are applied to entities (such as users, service accounts, or endpoints), not to detections. Watchlists are managed from entity views or investigation workflows and are used to increase visibility and monitoring priority for specific identities, not to act on individual detections.

This distinction is emphasized in CCIS training to reinforce the separation between entity-centric actions and detection-centric actions. Because watchlists operate at the entity level, Option B is the correct and verified answer.


Question 5

What is the purpose behind creating Policy Rules?



Answer : A

Policy Rules in Falcon Identity Protection are designed to automate enforcement and response actions based on identity-related conditions observed in the environment. According to the CCIS curriculum, Policy Rules evaluate identity signals such as authentication behavior, risk levels, privilege status, and detection outcomes, then execute predefined actions when specific criteria are met.

These actions may include blocking authentication, enforcing MFA, generating alerts, or triggering Falcon Fusion workflows. This design supports Falcon's Zero Trust and continuous validation model, where trust decisions are dynamically enforced rather than statically assigned. Policy Rules therefore act as the operational bridge between identity analytics and enforcement.

The incorrect options confuse Policy Rules with other platform components. Administrative permissions are governed by RBAC, sensor data collection scope is controlled through configuration settings, and behavioral learning is handled by Falcon's analytics engine, not by Policy Rules.

The CCIS documentation explicitly defines Policy Rules as logic-based enforcement mechanisms, making Option A the correct and verified answer.


Question 6

Which of the following would cause an identity-based incident type to change?



Answer : D

In Falcon Identity Protection, identity-based incidents are dynamic and can evolve over time as additional detections are associated with them. According to the CCIS curriculum, an incident's type is automatically recalculated based on the detections related to the incident, not by manual user actions.

As new identity-based detections are generated (such as credential misuse, lateral movement attempts, or abnormal authentication behavior), the platform continuously reassesses the incident. If the newly added detections indicate a different or more severe attack pattern, Falcon may automatically change the incident type to better reflect the observed threat activity.

Manual actions such as adding exclusions or linking detections do not directly change the incident type. Similarly, users cannot manually override an incident's classification. The classification logic is driven entirely by Falcon's analytics engine to ensure consistent, objective threat categorization.

This automated behavior is emphasized in CCIS training to highlight Falcon's ability to adapt incident context as attacks progress, making Option D the correct answer.


Question 7

When creating an API key, which scope should be selected to retrieve Identity Protection detection and incident information?



Answer : A

To retrieve identity-based detections and incident-related data using the CrowdStrike APIs, the API key must include the correct permission scope. According to the CCIS curriculum, the Identity Protection Detections scope is required to access identity-based detection and incident information through GraphQL.

This scope allows API queries to retrieve:

Identity-based detections

Associated incident metadata

Detection attributes such as severity, status, and related entities

Incident data in Falcon Identity Protection is derived from detections, making the Detections scope the authoritative permission set for this information. Without this scope, GraphQL queries related to identity detections and incidents will fail authorization.

The other scopes are either too narrow or unrelated to detection retrieval. Therefore, Option A is the correct and verified answer.

