IDP CrowdStrike Certified Identity Specialist(CCIS) Exam Questions and Answers

In CrowdStrike Falcon Identity Protection, theRisktab within a user or account entity provides administrators with direct visibility intowhy an account has a specific risk score and what actions can be taken to reduce that score. This functionality is a core component of theUser AssessmentandRisk Assessmentsections of the CCIS (CrowdStrike Identity Specialist) curriculum.

The Risk tab aggregates bothanalysis-based risksanddetection-based risks, clearly identifying contributing factors such as compromised passwords, excessive privileges, risky authentication behavior, stale or never-used accounts, and policy violations. It also highlights theseverity, likelihood, and consequenceof each risk factor, allowingadministrators to prioritize remediation efforts effectively. Most importantly, this tab providesactionable guidance, enabling teams to understand which specific remediation steps—such as enforcing MFA, resetting credentials, reducing privileges, or disabling unused accounts—will directly lower the account’s overall risk score.

Other entity tabs do not provide this capability. TheTimelinetab focuses on chronological events and detections, theActivitytab displays authentication and behavioral activity, and theAssettab shows associated endpoints and resources. Only theRisktab is designed to explain risk drivers and guide remediation, makingOption Dthe correct and verified answer.

Falcon Identity Protection follows acorrelation and enrichment modelwhere events, detections, and incidents are dynamically linked over time. According to the CCIS curriculum,events that occur after an incident is marked In Progress do not automatically create a new incident. Instead, related events and detections are typicallyadded to the existing incident, provided they fall within the incident’s correlation and suppression window.

This behavior allows Falcon to present asingle evolving incident, showing the full progression of an identity attack rather than fragmenting activity into multiple incidents. Therefore, statementA is not true.

The other statements are correct:

Detections can be retroactively associated with incidents that occurred earlier if correlation logic determines relevance.

Events can be linked to detections even if the detection is created after the event occurred.

Not all events are security-relevant; many remain informational and never become detections.

This adaptive correlation model is a core concept in CCIS training and supports efficient investigation and incident lifecycle management. Hence,Option Ais the correct answer.

To retrieve identity-based detections and incident-related data using the CrowdStrike APIs, the API key must include the correctpermission scope. According to the CCIS curriculum, theIdentity Protection Detectionsscope is required to access identity-based detection and incident information through GraphQL.

This scope allows API queries to retrieve:

Identity-based detections

Associated incident metadata

Detection attributes such as severity, status, and related entities

Incident data in Falcon Identity Protection isderived from detections, making the Detections scope the authoritative permission set for this information. Without this scope, GraphQL queries related to identity detections and incidents will fail authorization.

The other scopes are either too narrow or unrelated to detection retrieval. Therefore,Option Ais the correct and verified answer.

Falcon Identity Threat Detection (ITD) providesvisibility, analytics, and detectionof identity-based threats but doesnot include enforcement capabilities. According to the CCIS curriculum, ITD customers have access to investigative and analytical features such asEvent Analysis,Privileged Identities, and relevantSettingsfor visibility and monitoring.

Policy Rules, however, are part ofIdentity Threat Protection (ITP)and reside in theEnforcesection of the Falcon console. Policy Rules enable automated responses and enforcement actions, such as blocking access or enforcing MFA, which are not available under ITD-only subscriptions.

This distinction is critical in the CCIS material:

ITD = Detect and analyze identity threats

ITP = Detect + enforce policy actions

Because ITD does not include enforcement functionality,Policy Rules are not available, makingOption Dthe correct answer.

Falcon Identity Protection integrates with a defined set ofsupported MFA providersto enforce identity verification and conditional access based on identity risk. According to the CCIS curriculum, supported MFA providers includeAzure (Entra) MFA,Cisco Duo, andSymantec VIP, which are commonly used enterprise-grade MFA solutions.

These integrations allow Falcon Identity Protection to evaluate authentication attempts and dynamically enforce MFA challenges when risky behavior is detected. The supported providers expose the necessary APIs and authentication workflows required for Falcon to trigger MFA challenges as part of Policy Rules and Zero Trust enforcement.

Firebaseis not a supported MFA provider within Falcon Identity Protection. Firebase is primarily a mobile and application development platform and does not function as an enterprise MFA provider compatible with Falcon’s identity enforcement model. As such, it cannot be used to enforce conditional access or identity verification through Falcon Identity Protection.

Because Falcon only supports specific, enterprise MFA integrations validated by CrowdStrike,Option Ais the correct and verified answer.

Falcon Identity Protection differentiateshuman accountsandprogrammatic accountsbased onauthentication behavior, not naming conventions or assigned roles. According to the CCIS curriculum,human accounts are often used interactively, meaning they authenticate through direct user actions such as workstation logins, VPN access, or application access.

Programmatic accounts (such as service accounts) typically authenticatenon-interactively, often on a predictable schedule or in response to automated processes. Falcon analyzes authentication frequency, protocol usage, timing, and access patterns to classify account types automatically.

The incorrect options reflect common misconceptions:

Human accounts are not always administrators.

Programmatic accounts can support MFA in some architectures.

Programmatic accounts are not used interactively.

Because interactive authentication behavior is the defining characteristic of human accounts,Option Dis the correct and verified answer.

The Enforce section of Falcon Identity Protection is dedicated to policy-based identity enforcement. According to the CCIS curriculum, this section allows administrators to define and manage Policy Rules and Policy Groups that specify how the platform should respond when identity-related conditions are detected.

These rules evaluate triggers such as risky authentication behavior, privilege misuse, compromised credentials, or elevated risk scores, and then execute actions like blocking access, enforcing MFA, or initiating Falcon Fusion workflows. Enforce is therefore the execution layer of Falcon’s identity security model.

The other options correspond to different sections of the platform:

Configuration tasks are handled in Configure.

Detections and incidents are reviewed in Monitor or Explore.

Domain posture overviews are displayed in Domain Security Overview.

Because Enforce directly controls what actions are taken in response to identity risk, Option B is the correct and verified answer.

In Falcon Identity Protection, theDomainspage is where administrators can view themonitoring and health status of domain controllers. The CCIS curriculum explains that this page provides visibility into which domain controllers are actively reporting authentication traffic, their inspection status, and whether Authentication Traffic Inspection (ATI) is enabled.

This view is essential for validating coverage and ensuring that Falcon Identity Protection has sufficient visibility into domain authentication activity. Administrators can quickly identify gaps, such as domain controllers that are not reporting or are misconfigured, and take corrective action.

The other options serve different purposes:

Settingsmanage general configuration.

System Notificationsdisplay alerts and messages.

Connectorsmanage integrations such as MFA and IDaaS.

Because domain controller visibility and monitoring health are managed at the domain level,Option C (Domains)is the correct and verified answer.

GraphQL is the underlying query technology used by multiple CrowdStrike platforms, including Falcon Identity Protection. According to the CCIS curriculum,GraphQL examples are documented under the broader “CrowdStrike APIs” documentation category, not limited to a single product.

The CrowdStrike APIs section includes:

Authentication and API key usage

GraphQL schema references

Example GraphQL queries and mutations

Pagination, filtering, and response handling

While Identity Protection uses GraphQL for identity-specific queries, the examples themselves are centralized underCrowdStrike APIsto provide consistency across Falcon modules. Product-specific use cases are then layered on top of these core examples.

The other options are incorrect:

Threat Intelligence focuses on adversary data.

XDR covers detection and correlation concepts.

Identity Protection APIs describe endpoints and permissions, not general GraphQL usage examples.

Therefore,Option Ais the correct and verified answer.

Falcon Fusion workflows integrate directly with Falcon Identity Protection throughidentity-based triggers, allowing automated responses to identity threats. The correct trigger that activates a Falcon Fusion workflow from Identity Protection isAlert > Identity detection.

Identity detections are generated when Falcon observes suspicious or malicious identity behavior, such as credential abuse, abnormal authentication patterns, lateral movement attempts, or policy violations related to identity risk. These detections are distinct from endpoint-only detections or incidents and are specifically designed to representidentity-based attack activity.

WhileNew incidentandNew endpoint detectionare valid Falcon Fusion triggers in other Falcon modules, they are not the primary triggers for identity-focused automation. Similarly,Spotlight user action > Hostrelates to vulnerability management workflows rather than identity analytics.

The CCIS curriculum emphasizes that Falcon Fusion enablesautomated identity response, such as notifying security teams, disabling accounts, enforcing MFA, or triggering SOAR actions, based onidentity detections. Therefore, workflows tied toAlert > Identity detectionallow organizations to respond quickly and consistently to identity threats, makingOption Cthe correct answer.

The Domain Security Overview in Falcon Identity Protection usesGoalsto frame identity risks into focused security assessment perspectives. These goals allow organizations to evaluate identity posture based on specific security priorities such as directory hygiene, privilege exposure, or overall attack surface reduction.

According to the CCIS curriculum, theavailable GoalsincludePrivileged Users Management,AD Hygiene,Pen Testing, andReduce Attack Surface. These goals are predefined by CrowdStrike and determine how risks are grouped, weighted, and presented in reports.

Business Privileged Users Managementisnot an available Goalwithin the Domain Security Overview. While Falcon Identity Protection does support the concept ofbusiness privilegesand evaluates their impact on users and entities, this concept is handled through risk analysis and configuration—not as a selectable Domain Security Goal.

The CCIS documentation clearly distinguishes betweenGoals(which control reporting and assessment views) andbusiness privilege modeling(which influences risk scoring). Therefore,Option Bis the correct and verified answer.

In the Domain Security Overview,Scopeis a configurable setting that allows administrators toswitch between Active Directory domains and Azure tenants. This capability is essential for organizations managing multiple identity environments, as it enables targeted risk assessment and comparison across different identity infrastructures.

The CCIS documentation explains that Scope determineswhich domain or tenant’s identity data is displayedin the Overview dashboard, including risk scores, trends, and prioritized remediation guidance. Changing the scope does not alter risk calculations; it simply refocuses the analysis on the selected identity environment.

Other options are incorrect because:

Privileged Identities represent a subset of users, not a switchable setting.

Domains are entities, not a dashboard control.

Goal changes how risks are evaluated, not which environment is displayed.

By allowing granular control over which domain or tenant is analyzed, Scope supports accurate identity risk management in complex, hybrid environments. Therefore,Option Dis the correct answer.

Policy Rules in Falcon Identity Protection are designed to automate enforcement and response actions based on identity-related conditions observed in the environment. According to the CCIS curriculum, Policy Rules evaluate identity signals such as authentication behavior, risk levels, privilege status, and detection outcomes, then execute predefined actions when specific criteria are met.

These actions may include blocking authentication, enforcing MFA, generating alerts, or triggering Falcon Fusion workflows. This design supports Falcon’s Zero Trust and continuous validation model, where trust decisions are dynamically enforced rather than statically assigned. Policy Rules therefore act as the operational bridge between identity analytics and enforcement.

The incorrect options confuse Policy Rules with other platform components. Administrative permissions are governed by RBAC, sensor data collection scope is controlled through configuration settings, and behavioral learning is handled by Falcon’s analytics engine—not Policy Rules.

The CCIS documentation explicitly defines Policy Rules as logic-based enforcement mechanisms, making Option A the correct and verified answer.

Falcon Threat Hunter provides a direct integration with theAPI Builderto support advanced investigation workflows and automation. According to the CCIS curriculum, analysts can take an existing Threat Hunter query and convert it into aGraphQL-compatible formatby selectingOpen Query in API Builderfrom the Threat Hunter menu.

This option opens the current query in a new window within API Builder, automatically translating the query structure into GraphQL syntax where applicable. This enables security teams to reuse validated hunting logic for automation, reporting, or external integrations without rewriting queries from scratch.

The other menu options serve different purposes:

Export to API Builderis not a valid menu action.

Save as Custom Querystores the query for reuse inside Threat Hunter.

Save as Custom Reportgenerates a reporting artifact, not an API query.

BecauseOpen Query in API Builderis the only option that opens the query in GraphQL format in a new window,Option Dis the correct and verified answer.