Free and Premium CrowdStrike IDP Dumps Questions Answers

The Enforce section of Falcon Identity Protection is dedicated to policy-based identity enforcement. According to the CCIS curriculum, this section allows administrators to define and manage Policy Rules and Policy Groups that specify how the platform should respond when identity-related conditions are detected.

These rules evaluate triggers such as risky authentication behavior, privilege misuse, compromised credentials, or elevated risk scores, and then execute actions like blocking access, enforcing MFA, or initiating Falcon Fusion workflows. Enforce is therefore the execution layer of Falcon’s identity security model.

The other options correspond to different sections of the platform:

Configuration tasks are handled in Configure.

Detections and incidents are reviewed in Monitor or Explore.

Domain posture overviews are displayed in Domain Security Overview.

Because Enforce directly controls what actions are taken in response to identity risk, Option B is the correct and verified answer.

GraphQL is the underlying query technology used by multiple CrowdStrike platforms, including Falcon Identity Protection. According to the CCIS curriculum,GraphQL examples are documented under the broader “CrowdStrike APIs” documentation category, not limited to a single product.

The CrowdStrike APIs section includes:

Authentication and API key usage

GraphQL schema references

Example GraphQL queries and mutations

Pagination, filtering, and response handling

While Identity Protection uses GraphQL for identity-specific queries, the examples themselves are centralized underCrowdStrike APIsto provide consistency across Falcon modules. Product-specific use cases are then layered on top of these core examples.

The other options are incorrect:

Threat Intelligence focuses on adversary data.

XDR covers detection and correlation concepts.

Identity Protection APIs describe endpoints and permissions, not general GraphQL usage examples.

Therefore,Option Ais the correct and verified answer.

Falcon Identity Protection integrates with a defined set ofsupported MFA providersto enforce identity verification and conditional access based on identity risk. According to the CCIS curriculum, supported MFA providers includeAzure (Entra) MFA,Cisco Duo, andSymantec VIP, which are commonly used enterprise-grade MFA solutions.

These integrations allow Falcon Identity Protection to evaluate authentication attempts and dynamically enforce MFA challenges when risky behavior is detected. The supported providers expose the necessary APIs and authentication workflows required for Falcon to trigger MFA challenges as part of Policy Rules and Zero Trust enforcement.

Firebaseis not a supported MFA provider within Falcon Identity Protection. Firebase is primarily a mobile and application development platform and does not function as an enterprise MFA provider compatible with Falcon’s identity enforcement model. As such, it cannot be used to enforce conditional access or identity verification through Falcon Identity Protection.

Because Falcon only supports specific, enterprise MFA integrations validated by CrowdStrike,Option Ais the correct and verified answer.

The CCIS curriculum highlights a critical identity-security concept: when attackers usecompromised credentials, they often bypass traditional malware-based attack phases, including theExecutionphase of the MITRE ATT&CK framework. Because no malicious code needs to be executed, attackers can immediately begin interacting with the environment as a legitimate user.

As a result, threat actors move directly into theDiscoveryphase. During Discovery, attackers enumerate users, groups, privileges, systems, domain relationships, and trust paths to understand the environment and plan further actions. This behavior is commonly observed in identity-based attacks and living-off-the-land techniques.

Falcon Identity Protection is specifically designed to detect this behavior by monitoring authentication traffic, privilege usage, and anomalous identity activity—areas where traditional EDR tools may have limited visibility.

The other options are incorrect:

Initial Access has already occurred via credential compromise.

Weaponization and Execution are not required.

Lateral Movement typically follows Discovery.

Because compromised credentials allow attackers to jump straight intoDiscovery,Option Cis the correct and verified answer.

Authentication Traffic Inspection (ATI) is a foundational capability of Falcon Identity Protection that enables the platform to analyze authentication traffic from domain controllers. According to the CCIS documentation, ATI is enabled throughIdentity configuration policies.

Identity configuration policies define how the Falcon sensor captures and inspects authentication-related traffic, including Kerberos, NTLM, LDAP, and other identity protocols. Enabling ATI at this level ensures that domain controllers provide the necessary telemetry for identity risk analysis, detections, and behavioral profiling.

The other options are incorrect because:

Identity management settings focus on identity governance and administration.

Identity detection configuration controls detection logic, not traffic inspection.

Identity protection settings manage high-level configuration but do not directly enable ATI.

Because ATI must be explicitly enabled viaIdentity configuration policies,Option Ais the correct and verified answer.

In Falcon Identity Protection,identity-based incidents are dynamicand can evolve over time as additional detections are associated with them. According to the CCIS curriculum, an incident’stype is automatically recalculatedbased on thedetections related to the incident, not by manual user actions.

As new identity-based detections are generated—such as credential misuse, lateral movement attempts, or abnormal authentication behavior—the platform continuously reassesses the incident. If the newly added detections indicate a different or more severe attack pattern, Falcon may automaticallychange the incident typeto better reflect the observed threat activity.

Manual actions such as adding exclusions or linking detections do not directly change the incident type. Similarly, users cannot manually override an incident’s classification. The classification logic is driven entirely by Falcon’s analytics engine to ensure consistent, objective threat categorization.

This automated behavior is emphasized in CCIS training to highlight Falcon’s ability toadapt incident context as attacks progress, makingOption Dthe correct answer.

The Falcon sensor for Windows plays a critical role in Falcon Identity Protection bycollecting and validating domain authentication eventsdirectly from domain controllers. According to the CCIS curriculum, the sensor inspects authentication protocols such as Kerberos, NTLM, and LDAP throughAuthentication Traffic Inspection (ATI).

This telemetry enables Falcon Identity Protection to analyze authentication behavior, build identity baselines, detect anomalies, and generate identity-based detections. The sensor does not enforce password policies, manage permissions, or encrypt network traffic—those functions belong to Active Directory and network infrastructure components.

By providinghigh-fidelity authentication telemetrywithout relying on log ingestion, the Falcon sensor enables real-time identity threat detection and Zero Trust enforcement. Therefore,Option Dis the correct and verified answer.

Falcon Identity Protection continuously inspects authentication traffic and network behavior to establishbehavioral baselines for users and accounts. These baselines enable the platform to detect deviations that indicate potential compromise, misuse, or insider threat activity. This behavioral intelligence directly enhances the effectiveness ofFalcon Fusion workflows.

Falcon Fusion leveragesidentity and behavioral analyticsas decision points within workflows, allowing automated actions to be triggered when abnormal behavior is detected. For example, a workflow can automatically enforce MFA, notify administrators, isolate risky sessions, or initiate remediation when a user deviates from their established baseline.

The CCIS curriculum highlights that Falcon Fusion is designed tointegrate identity risk signals with IT policy enforcement, enabling Zero Trust-aligned automation. This capability goes far beyond simple notifications and supports coordinated responses across security and IT teams.

Options A, B, and C are incorrect because Falcon Fusion is fully identity-aware, applies broadly across users and entities, and supports a wide range of actions beyond email notifications. Therefore,Option Daccurately describes how behavioral profiling strengthens Falcon Fusion workflows.

Falcon Identity Protection integrates with third-party MFA providers throughMFA connectorsto support conditional access and identity verification. The CCIS documentation explains that these connectors allow organizations to enforce MFA challenges based on identity risk, authentication behavior, or policy conditions.

One of the supported MFA authentication methods isPush, where a notification is sent to a registered device or application for user approval. Push-based MFA is widely used due to its balance of usability and security and is fully supported by Falcon Identity Protection when integrated with compatible MFA providers.

The other options are not valid MFA authentication methods within Falcon:

Page and Pull are not recognized MFA mechanisms.

Alarm is related to alerting, not authentication.

By enabling push-based MFA through an MFA connector, organizations can dynamically enforce identity verification in alignment with Zero Trust principles. Therefore,Option Bis the correct and verified answer.

Falcon Fusion workflows integrate directly with Falcon Identity Protection throughidentity-based triggers, allowing automated responses to identity threats. The correct trigger that activates a Falcon Fusion workflow from Identity Protection isAlert > Identity detection.

Identity detections are generated when Falcon observes suspicious or malicious identity behavior, such as credential abuse, abnormal authentication patterns, lateral movement attempts, or policy violations related to identity risk. These detections are distinct from endpoint-only detections or incidents and are specifically designed to representidentity-based attack activity.

WhileNew incidentandNew endpoint detectionare valid Falcon Fusion triggers in other Falcon modules, they are not the primary triggers for identity-focused automation. Similarly,Spotlight user action > Hostrelates to vulnerability management workflows rather than identity analytics.

The CCIS curriculum emphasizes that Falcon Fusion enablesautomated identity response, such as notifying security teams, disabling accounts, enforcing MFA, or triggering SOAR actions, based onidentity detections. Therefore, workflows tied toAlert > Identity detectionallow organizations to respond quickly and consistently to identity threats, makingOption Cthe correct answer.

Falcon Identity Protection identifiesstale endpointsas systems that have not authenticated or shown activity for an extended period and then suddenly become active. According to the CCIS curriculum, an endpoint that has been inactive for90 daysand then resumes activity will trigger aUse of Stale Endpointdetection.

This detection is important because attackers frequently exploit dormant or forgotten systems to re-enter environments, evade monitoring, or move laterally. A long period of inactivity followed by sudden authentication activity is considered a strong identity risk signal.

The 90-day threshold is used to establish a reliable inactivity baseline while minimizing false positives. Shorter timeframes could incorrectly flag normal usage patterns, while longer timeframes could delay detection of genuine threats.

Because Falcon explicitly defines stale endpoint activity using a90-day inactivity window,Option Bis the correct answer.

In Falcon Identity Protection,Informationaldetections represent low-impact events that provide context but do not indicate elevated identity risk. According to the CCIS curriculum,Informational events are excluded by defaultfrom standard detection views to reduce noise and allow analysts to focus on higher-risk activity.

By default,Low, Medium, and High severity detections remain visible, as these contribute directly to identity risk scoring, incident formation, and investigative workflows. Informational detections can still be viewed if filters are adjusted, but they are intentionally hidden in default views.

This design supports efficient threat triage by prioritizing detections that are more likely to represent real security concerns. The other options listed are not valid detection severity classifications within Falcon Identity Protection.

Because Informational events are excluded by default while higher-severity detections remain visible,Option Ais the correct and verified answer.

Falcon Identity Protection is architected as alog-free identity security platform, a core tenet emphasized throughout the CCIS curriculum. Unlike traditional SIEM- or log-based solutions, Falcon Identity Protection doesnot require string-based queriesto continuously assess identity events or associate them with threats.

Instead, the platform relies onmachine-learning-powered detection rules,real-time authentication traffic inspection, andAPI-based connectorsto collect and analyze identity telemetry directly from domain controllers and identity providers. This approach eliminates the operational complexity of building, tuning, and maintaining query logic.

String-based queries are commonly associated with legacy log aggregation tools and SIEM platforms, where analysts must manually search logs to identify suspicious behavior. Falcon Identity Protection replaces this model withbehavioral baselining and automated correlation, enabling continuous identity risk assessment without human-driven query execution.

Because Falcon does not require string-based queries to operate,Option Dis the correct and verified answer.

To integrate Falcon Identity Protection withAzure AD (Entra ID)as an Identity-as-a-Service (IDaaS) provider, specific application-level credentials are required. According to the CCIS curriculum, the connector configuration requiresTenant Domain,Application (Client) ID, andApplication Secret.

These values are generated when registering an application in Azure AD and are used to authenticate Falcon Identity Protection securely via OAuth-based API access. This method ensures least-privilege access and allows the connector to ingest cloud authentication activity and apply SSO-related policy enforcement.

Other options list incomplete or incorrect credential combinations. Therefore,Option Dis the correct and verified answer.

TheNIST SP 800-207 Zero Trust Architectureframework fundamentally rejects the concept of implicit trust based on network location. As outlined in both NIST guidance and reinforced in the CCIS curriculum,all users must be continuously validated and authenticated regardless of whether they are inside or outside the network perimeter.

Zero Trust assumes that threats can originate from anywhere, including internal networks. Therefore, authentication and authorization decisions must be made dynamically using identity, device posture, behavior, and risk signals—not network placement.

Falcon Identity Protection aligns directly with this principle by continuously evaluating identity behavior forall users, whether they authenticate from internal corporate networks, remote locations, or cloud environments.

Because Zero Trust applies universally,Option Cis the correct and verified answer.

Within the Domain Security Overview,Goalsare used to tailor how identity risks are grouped, evaluated, and reported. TheReduce Attack Surfacegoal is the only option thatincorporates all identity risks into a single, comprehensive security assessment.

The CCIS curriculum explains that Reduce Attack Surface provides a holistic view of identity exposure by aggregating risks related to authentication paths, account hygiene, privileges, misconfigurations, and legacy identity weaknesses. This goal is designed for organizations seeking an overall understanding of their identity security posture rather than focusing on a specific domain such as privileged users or directory hygiene.

Other goals are more specialized:

AD Hygienefocuses on directory configuration issues.

Privileged User Managementconcentrates on high-privilege identities.

Pen Testingaligns more with adversarial simulation than continuous risk assessment.

Reduce Attack Surface aligns directly withZero Trust principles, helping organizations identify and eliminate unnecessary identity access paths. Therefore,Option Cis the correct and verified answer.

Identity Protection API documentation is part of CrowdStrike’s centralized API documentation structure. According to the CCIS curriculum,Identity Protection API information is located under the “CrowdStrike APIs” documentation category.

This category includes:

API authentication and scopes

Identity Protection GraphQL schemas

Query examples for detections, incidents, users, and risk

Usage guidance and limitations

CrowdStrike consolidates all API-related documentation in one location to ensure consistent access and maintenance across Falcon modules. Identity Protection APIs are not documented under Falcon Management, Store, or general reference sections.

Because all product APIs—including Identity Protection—are documented underCrowdStrike APIs,Option Dis the correct and verified answer.