Pass the CrowdStrike CCIS IDP Questions and answers with Dumpstech

Falcon Fusion workflows integrate directly with Falcon Identity Protection throughidentity-based triggers, allowing automated responses to identity threats. The correct trigger that activates a Falcon Fusion workflow from Identity Protection isAlert > Identity detection.

Identity detections are generated when Falcon observes suspicious or malicious identity behavior, such as credential abuse, abnormal authentication patterns, lateral movement attempts, or policy violations related to identity risk. These detections are distinct from endpoint-only detections or incidents and are specifically designed to representidentity-based attack activity.

WhileNew incidentandNew endpoint detectionare valid Falcon Fusion triggers in other Falcon modules, they are not the primary triggers for identity-focused automation. Similarly,Spotlight user action > Hostrelates to vulnerability management workflows rather than identity analytics.

The CCIS curriculum emphasizes that Falcon Fusion enablesautomated identity response, such as notifying security teams, disabling accounts, enforcing MFA, or triggering SOAR actions, based onidentity detections. Therefore, workflows tied toAlert > Identity detectionallow organizations to respond quickly and consistently to identity threats, makingOption Cthe correct answer.

The Falcon Identity Verification Dialog is used to prompt users for identity verification during conditional access enforcement. According to the CCIS curriculum,Internet Explorer 9 and Windows Server 2008represent theminimum supported requirementsfor rendering the Identity Verification Dialog on an end user’s system.

This requirement exists because the dialog relies on supported browser and OS components to present authentication challenges reliably during enforcement workflows. Systems that do not meet these minimum requirements may fail to display the dialog correctly, impacting the enforcement of MFA or identity verification actions.

The other options reference runtime frameworks or PowerShell versions that are not directly responsible for rendering the verification dialog. Therefore,Option Ais the correct and verified answer.

The CCIS curriculum highlights a critical identity-security concept: when attackers usecompromised credentials, they often bypass traditional malware-based attack phases, including theExecutionphase of the MITRE ATT&CK framework. Because no malicious code needs to be executed, attackers can immediately begin interacting with the environment as a legitimate user.

As a result, threat actors move directly into theDiscoveryphase. During Discovery, attackers enumerate users, groups, privileges, systems, domain relationships, and trust paths to understand the environment and plan further actions. This behavior is commonly observed in identity-based attacks and living-off-the-land techniques.

Falcon Identity Protection is specifically designed to detect this behavior by monitoring authentication traffic, privilege usage, and anomalous identity activity—areas where traditional EDR tools may have limited visibility.

The other options are incorrect:

Initial Access has already occurred via credential compromise.

Weaponization and Execution are not required.

Lateral Movement typically follows Discovery.

Because compromised credentials allow attackers to jump straight intoDiscovery,Option Cis the correct and verified answer.

Policy Rules in Falcon Identity Protection are designed to automate enforcement and response actions based on identity-related conditions observed in the environment. According to the CCIS curriculum, Policy Rules evaluate identity signals such as authentication behavior, risk levels, privilege status, and detection outcomes, then execute predefined actions when specific criteria are met.

These actions may include blocking authentication, enforcing MFA, generating alerts, or triggering Falcon Fusion workflows. This design supports Falcon’s Zero Trust and continuous validation model, where trust decisions are dynamically enforced rather than statically assigned. Policy Rules therefore act as the operational bridge between identity analytics and enforcement.

The incorrect options confuse Policy Rules with other platform components. Administrative permissions are governed by RBAC, sensor data collection scope is controlled through configuration settings, and behavioral learning is handled by Falcon’s analytics engine—not Policy Rules.

The CCIS documentation explicitly defines Policy Rules as logic-based enforcement mechanisms, making Option A the correct and verified answer.

Identity Protection API documentation is part of CrowdStrike’s centralized API documentation structure. According to the CCIS curriculum,Identity Protection API information is located under the “CrowdStrike APIs” documentation category.

This category includes:

API authentication and scopes

Identity Protection GraphQL schemas

Query examples for detections, incidents, users, and risk

Usage guidance and limitations

CrowdStrike consolidates all API-related documentation in one location to ensure consistent access and maintenance across Falcon modules. Identity Protection APIs are not documented under Falcon Management, Store, or general reference sections.

Because all product APIs—including Identity Protection—are documented underCrowdStrike APIs,Option Dis the correct and verified answer.

GraphQL is the underlying query technology used by multiple CrowdStrike platforms, including Falcon Identity Protection. According to the CCIS curriculum,GraphQL examples are documented under the broader “CrowdStrike APIs” documentation category, not limited to a single product.

The CrowdStrike APIs section includes:

Authentication and API key usage

GraphQL schema references

Example GraphQL queries and mutations

Pagination, filtering, and response handling

While Identity Protection uses GraphQL for identity-specific queries, the examples themselves are centralized underCrowdStrike APIsto provide consistency across Falcon modules. Product-specific use cases are then layered on top of these core examples.

The other options are incorrect:

Threat Intelligence focuses on adversary data.

XDR covers detection and correlation concepts.

Identity Protection APIs describe endpoints and permissions, not general GraphQL usage examples.

Therefore,Option Ais the correct and verified answer.

Authentication Traffic Inspection (ATI) is enabled throughIdentity Configuration Policies, which define how the Falcon sensor captures and inspects identity-related network traffic. According to the CCIS documentation, ATI configuration is performed underConfigure > Identity Configuration Policies.

These policies allow administrators to specify which authentication protocols are inspected, which domain controllers are covered, and how identity telemetry is collected. This configuration step is mandatory to enable identity visibility and detection capabilities.

The Enforce menu is used for policy rules and automated actions, not traffic inspection. General settings do not control sensor inspection behavior. Because ATI directly affects sensor data capture, it is managed exclusively through Identity Configuration Policies.

Therefore,Option Dis the correct and verified answer.