Pass the CrowdStrike CCIS IDP Questions and answers with Dumpstech

Falcon Identity Threat Detection (ITD) providesvisibility, analytics, and detectionof identity-based threats but doesnot include enforcement capabilities. According to the CCIS curriculum, ITD customers have access to investigative and analytical features such asEvent Analysis,Privileged Identities, and relevantSettingsfor visibility and monitoring.

Policy Rules, however, are part ofIdentity Threat Protection (ITP)and reside in theEnforcesection of the Falcon console. Policy Rules enable automated responses and enforcement actions, such as blocking access or enforcing MFA, which are not available under ITD-only subscriptions.

This distinction is critical in the CCIS material:

ITD = Detect and analyze identity threats

ITP = Detect + enforce policy actions

Because ITD does not include enforcement functionality,Policy Rules are not available, makingOption Dthe correct answer.

In Falcon Identity Protection, thethree-dot (⋮) action menuon anidentity-based detectionprovides analysts with a limited set of actions that applydirectly to the detection itself. According to the CCIS curriculum, these actions are designed to support investigation workflow, tuning, and documentation.

The supported actions in the detection-level three-dot menu include:

Edit status, which allows analysts to update the detection state (for example, New, In Progress, or Closed).

Add comment, which enables collaboration and documentation directly on the detection.

Add exclusion, where supported, to suppress future detections that match known benign behavior.

Add to Watchlistisnot includedin this menu because watchlists are applied toentities(such as users, service accounts, or endpoints), not to detections. Watchlists are managed from entity views or investigation workflows and are used to increase visibility and monitoring priority for specific identities—not to act on individual detections.

This distinction is emphasized in CCIS training to reinforce the separation betweenentity-centric actionsanddetection-centric actions. Because watchlists operate at the entity level,Option Bis the correct and verified answer.

In Falcon Identity Protection, auser baselineis established by observing consistent and repeatable behavior over time, including authentication patterns, endpoint associations, and usage context. According to the CCIS curriculum, one of the strongest indicators that a user has an established baseline is the presence ofendpoints for which the user is identified as an owner.

Endpoint ownership is determined through historical authentication behavior and usage frequency. When Falcon identifies that a user consistently logs into specific endpoints over time, those endpoints are marked asowned, which signifies that sufficient historical data exists to confidently model the user’s normal behavior. This ownership relationship is only created after Falcon has observed the user long enough to establish a reliable baseline.

The other options do not definitively indicate a baseline:

Logging into multiple endpoints may occur during initial discovery or anomalous activity.

A risk score reflects current risk posture, not baseline maturity.

Recent logon activity alone does not imply historical consistency.

Becauseendpoint ownership requires sustained, predictable behavior over time, it is the clearest indicator that Falcon has successfully established a user baseline. Therefore,Option Bis the correct and verified answer.

Falcon Identity Protection differentiateshuman accountsandprogrammatic accountsbased onauthentication behavior, not naming conventions or assigned roles. According to the CCIS curriculum,human accounts are often used interactively, meaning they authenticate through direct user actions such as workstation logins, VPN access, or application access.

Programmatic accounts (such as service accounts) typically authenticatenon-interactively, often on a predictable schedule or in response to automated processes. Falcon analyzes authentication frequency, protocol usage, timing, and access patterns to classify account types automatically.

The incorrect options reflect common misconceptions:

Human accounts are not always administrators.

Programmatic accounts can support MFA in some architectures.

Programmatic accounts are not used interactively.

Because interactive authentication behavior is the defining characteristic of human accounts,Option Dis the correct and verified answer.

Falcon Identity Protection continuously inspects authentication traffic and network behavior to establishbehavioral baselines for users and accounts. These baselines enable the platform to detect deviations that indicate potential compromise, misuse, or insider threat activity. This behavioral intelligence directly enhances the effectiveness ofFalcon Fusion workflows.

Falcon Fusion leveragesidentity and behavioral analyticsas decision points within workflows, allowing automated actions to be triggered when abnormal behavior is detected. For example, a workflow can automatically enforce MFA, notify administrators, isolate risky sessions, or initiate remediation when a user deviates from their established baseline.

The CCIS curriculum highlights that Falcon Fusion is designed tointegrate identity risk signals with IT policy enforcement, enabling Zero Trust-aligned automation. This capability goes far beyond simple notifications and supports coordinated responses across security and IT teams.

Options A, B, and C are incorrect because Falcon Fusion is fully identity-aware, applies broadly across users and entities, and supports a wide range of actions beyond email notifications. Therefore,Option Daccurately describes how behavioral profiling strengthens Falcon Fusion workflows.

Within the Domain Security Overview,Goalsare used to tailor how identity risks are grouped, evaluated, and reported. TheReduce Attack Surfacegoal is the only option thatincorporates all identity risks into a single, comprehensive security assessment.

The CCIS curriculum explains that Reduce Attack Surface provides a holistic view of identity exposure by aggregating risks related to authentication paths, account hygiene, privileges, misconfigurations, and legacy identity weaknesses. This goal is designed for organizations seeking an overall understanding of their identity security posture rather than focusing on a specific domain such as privileged users or directory hygiene.

Other goals are more specialized:

AD Hygienefocuses on directory configuration issues.

Privileged User Managementconcentrates on high-privilege identities.

Pen Testingaligns more with adversarial simulation than continuous risk assessment.

Reduce Attack Surface aligns directly withZero Trust principles, helping organizations identify and eliminate unnecessary identity access paths. Therefore,Option Cis the correct and verified answer.

Within Falcon Identity Protection, aWatched Useris a user explicitly designated forheightened monitoringdue to potential business risk. According to the CCIS curriculum, watchlists are designed to provide additional visibility into users whose behavior, access level, or role may warrant closer observation, even if they have not yet exhibited confirmed malicious activity.

Watched Users may include executives, administrators, users with access to sensitive systems, or accounts suspected of being targeted. Placing a user on a watchlist does not imply compromise; instead, it ensures their activity is prioritized in investigations, detections, and dashboards.

The other options are incorrect:

Honeytoken Accountsare decoy accounts designed to detect malicious usage.

High Riskis a calculated risk state, not a monitoring classification.

Marked Useris not a valid Falcon Identity Protection classification.

Because the CCIS material explicitly identifiesWatched Usersas accounts requiring observation for potential risk,Option Cis the correct and verified answer.

To interact with Falcon Identity Protection using GraphQL, the API client must be created with the appropriatepermission scopes. According to the CCIS curriculum, theIdentity Protection GraphQLscope withWrite permissionsmust be enabled prior to using the Identity Protection API.

This scope allows the API client to execute GraphQL queries and mutations related to identity detections, incidents, users, and risk data. Even when performing read-only operations, CrowdStrike requires the GraphQL Write scope to authorize GraphQL query execution within the Falcon platform.

The other options are incorrect because:

Identity Protection Assessment and Health are read-only data scopes.

The statement that Write permissions are not required is explicitly false per CCIS documentation.

Because GraphQL access requires theIdentity Protection GraphQL (Write)scope,Option Dis the correct and verified answer.

Falcon Identity Protection is architected as alog-free identity security platform, a core tenet emphasized throughout the CCIS curriculum. Unlike traditional SIEM- or log-based solutions, Falcon Identity Protection doesnot require string-based queriesto continuously assess identity events or associate them with threats.

Instead, the platform relies onmachine-learning-powered detection rules,real-time authentication traffic inspection, andAPI-based connectorsto collect and analyze identity telemetry directly from domain controllers and identity providers. This approach eliminates the operational complexity of building, tuning, and maintaining query logic.

String-based queries are commonly associated with legacy log aggregation tools and SIEM platforms, where analysts must manually search logs to identify suspicious behavior. Falcon Identity Protection replaces this model withbehavioral baselining and automated correlation, enabling continuous identity risk assessment without human-driven query execution.

Because Falcon does not require string-based queries to operate,Option Dis the correct and verified answer.

Falcon Identity Protection enforces deterministic policy execution using a clear and predictable precedence model. As outlined in the CCIS curriculum, Policy Groups are evaluated top to bottom, based on their order in the console. Within each Policy Group, Policy Rules are evaluated sequentially, also from top to bottom.

This ordered evaluation ensures consistent enforcement behavior and allows administrators to design layered identity controls. When a rule’s conditions are met and an action is executed, subsequent rules may or may not be evaluated depending on rule logic and configuration. This model gives administrators precise control over enforcement priority.

The incorrect options misunderstand how precedence works. Policy enforcement is not unordered, nor are Policy Groups merely visual containers. Both grouping and rule order matter.

This precedence model is critical for avoiding conflicting enforcement actions and aligns with Zero Trust principles by ensuring predictable, auditable identity enforcement. Therefore, Option A is the correct answer.