Pass the CrowdStrike CCIS IDP Questions and answers with CertsForce

Falcon Identity Protection usesincident suppression windowsto prevent alert fatigue while still maintaining accurate incident tracking. According to the CCIS documentation, whennew events related to an existing identity-based incident occur, the incident issuppressed for 5 days.

This suppression means that Falcon does not generate a new incident for the same activity during this window. Instead, additional detections areadded to the existing incident, allowing analysts to view the full progression of the threat in a single investigative context.

The 5-day suppression window ensures that ongoing identity attacks—such as repeated authentication abuse or lateral movement—are consolidated rather than fragmented across multiple incidents. This improves investigation efficiency and aligns with Falcon’s incident lifecycle management approach.

Because the suppression period is fixed at5 days,Option Dis the correct and verified answer.

In Falcon Identity Protection, detection status is visually indicated using atoggle controlwithin the detection configuration interface. According to the CCIS documentation, when a detection isenabled, the toggle next toDetection Enabledis displayed ingreen.

A green toggle indicates that the detection logic is active and that Falcon will generate detections when the defined conditions are met. When the toggle is gray, the detection is disabled and will not generate alerts or contribute to incident formation.

Falcon does not rely on textual “Enabled” or “Disabled” tags to indicate detection status. Instead, the toggle color provides a clear, immediate visual indicator to administrators.

Because agreen toggleexplicitly represents an enabled detection,Option Bis the correct and verified answer.

Falcon Identity Protection integrates directly withThreat Hunterto enable deeper investigation of identity-based activity. According to the CCIS curriculum, selectingSearch for involved entities in Threat Hunterallows analysts to pivot from an identity-based detection into Threat Hunter while preserving identity context.

This pivot enables analysts to examine related users, service accounts, endpoints, and authentication behavior using advanced queries and timelines. Importantly, this action maintains the identity-centric investigation flow, bridging detections with broader hunting capabilities.

The other options do not perform this specific pivot:

Investigating users or endpoints remains within entity views.

Searching for events in Threat Hunter does not preserve entity context.

BecauseSearch for involved entities in Threat Hunteris the correct pivot action,Option Bis the verified answer.

Falcon Fusion workflows integrate directly with Falcon Identity Protection throughidentity-based triggers, allowing automated responses to identity threats. The correct trigger that activates a Falcon Fusion workflow from Identity Protection isAlert > Identity detection.

Identity detections are generated when Falcon observes suspicious or malicious identity behavior, such as credential abuse, abnormal authentication patterns, lateral movement attempts, or policy violations related to identity risk. These detections are distinct from endpoint-only detections or incidents and are specifically designed to representidentity-based attack activity.

WhileNew incidentandNew endpoint detectionare valid Falcon Fusion triggers in other Falcon modules, they are not the primary triggers for identity-focused automation. Similarly,Spotlight user action > Hostrelates to vulnerability management workflows rather than identity analytics.

The CCIS curriculum emphasizes that Falcon Fusion enablesautomated identity response, such as notifying security teams, disabling accounts, enforcing MFA, or triggering SOAR actions, based onidentity detections. Therefore, workflows tied toAlert > Identity detectionallow organizations to respond quickly and consistently to identity threats, makingOption Cthe correct answer.

When an identity-based detection is determined to be afalse positive, Falcon Identity Protection allows administrators to take corrective action usingexceptions. According to the CCIS curriculum, exceptions are the mechanism by which detections can be suppressed for specific entities or conditions without disabling the detection entirely.

Exceptions are configured from theDetection detailsview and are intended to handle known, acceptable behavior that would otherwise continue to trigger detections. This allows security teams to reduce noise while maintaining visibility into true threats. Exceptions are especially valuable in environments with complex authentication patterns or legacy configurations.

The other options are incorrect:

Exitsare not a detection control mechanism.

Remediationsrefer to corrective actions, not suppression logic.

Recommendationsprovide guidance but do not change detection behavior.

By usingexceptions, Falcon ensures that false positives are handled in a controlled and auditable way, aligning with best practices outlined in the CCIS material. Therefore,Option Cis the correct answer.

Falcon Identity Protection enforcesrole-based access control (RBAC)to ensure that only authorized users can create, modify, or manage policy rules. Policy rules directly impact identity enforcement actions, making proper role separation critical.

According to the CCIS documentation, the ability toenable and disable policy rulesis granted to theIdentity Protection Policy Managerand theFalcon Administratorroles. These roles are explicitly designed to manage enforcement logic, triggers, and automated identity controls.

TheIdentity Protection Domain Administratorrole, however, is limited todomain-level visibility and management, such as reviewing domain configurations, monitoring risks, and assessing posture. This role doesnothave permissions to modify or control policy enforcement behavior.

This separation prevents accidental or unauthorized changes to identity enforcement rules. Therefore,Option Ais the correct and verified answer.

In CrowdStrike Falcon Identity Protection, theRisktab within a user or account entity provides administrators with direct visibility intowhy an account has a specific risk score and what actions can be taken to reduce that score. This functionality is a core component of theUser AssessmentandRisk Assessmentsections of the CCIS (CrowdStrike Identity Specialist) curriculum.

The Risk tab aggregates bothanalysis-based risksanddetection-based risks, clearly identifying contributing factors such as compromised passwords, excessive privileges, risky authentication behavior, stale or never-used accounts, and policy violations. It also highlights theseverity, likelihood, and consequenceof each risk factor, allowingadministrators to prioritize remediation efforts effectively. Most importantly, this tab providesactionable guidance, enabling teams to understand which specific remediation steps—such as enforcing MFA, resetting credentials, reducing privileges, or disabling unused accounts—will directly lower the account’s overall risk score.

Other entity tabs do not provide this capability. TheTimelinetab focuses on chronological events and detections, theActivitytab displays authentication and behavioral activity, and theAssettab shows associated endpoints and resources. Only theRisktab is designed to explain risk drivers and guide remediation, makingOption Dthe correct and verified answer.

TheDomain Security Overviewpage in Falcon Identity Protection presents domain risks in aprioritized, descending order, based on a combination ofseverity, likelihood, and consequence. The CCIS curriculum emphasizes that organizations should address risksfrom top to bottom, as the list is already optimized to reflect the most impactful identity risks first.

This ordering allows security teams to focus remediation efforts where they will produce the greatest reduction in overall domain risk score. Addressing risks sequentially ensures alignment with Falcon’s risk modeling and avoids misprioritization that could occur if teams focus only on color-based severity or individual detections.

The incorrect options reflect common misconceptions:

Medium risks should not be prioritized over higher-impact risks.

Detections are different from risks and should not be addressed independently of risk context.

Low risks are intentionally deprioritized by the platform.

By following the descending order provided in the Domain Security Overview, organizations align remediation with Falcon’sZero Trust–driven identity risk scoring methodology, makingOption Athe correct answer.

Authentication Traffic Inspection (ATI) is a foundational capability of Falcon Identity Protection that enables the platform to analyze authentication traffic from domain controllers. According to the CCIS documentation, ATI is enabled throughIdentity configuration policies.

Identity configuration policies define how the Falcon sensor captures and inspects authentication-related traffic, including Kerberos, NTLM, LDAP, and other identity protocols. Enabling ATI at this level ensures that domain controllers provide the necessary telemetry for identity risk analysis, detections, and behavioral profiling.

The other options are incorrect because:

Identity management settings focus on identity governance and administration.

Identity detection configuration controls detection logic, not traffic inspection.

Identity protection settings manage high-level configuration but do not directly enable ATI.

Because ATI must be explicitly enabled viaIdentity configuration policies,Option Ais the correct and verified answer.

Within the Domain Security Overview,Goalsare used to tailor how identity risks are grouped, evaluated, and reported. TheReduce Attack Surfacegoal is the only option thatincorporates all identity risks into a single, comprehensive security assessment.

The CCIS curriculum explains that Reduce Attack Surface provides a holistic view of identity exposure by aggregating risks related to authentication paths, account hygiene, privileges, misconfigurations, and legacy identity weaknesses. This goal is designed for organizations seeking an overall understanding of their identity security posture rather than focusing on a specific domain such as privileged users or directory hygiene.

Other goals are more specialized:

AD Hygienefocuses on directory configuration issues.

Privileged User Managementconcentrates on high-privilege identities.

Pen Testingaligns more with adversarial simulation than continuous risk assessment.

Reduce Attack Surface aligns directly withZero Trust principles, helping organizations identify and eliminate unnecessary identity access paths. Therefore,Option Cis the correct and verified answer.