IDP Exam Dumps : CrowdStrike Certified Identity Specialist(CCIS) Exam

In Falcon Identity Protection,Informationaldetections represent low-impact events that provide context but do not indicate elevated identity risk. According to the CCIS curriculum,Informational events are excluded by defaultfrom standard detection views to reduce noise and allow analysts to focus on higher-risk activity.

By default,Low, Medium, and High severity detections remain visible, as these contribute directly to identity risk scoring, incident formation, and investigative workflows. Informational detections can still be viewed if filters are adjusted, but they are intentionally hidden in default views.

This design supports efficient threat triage by prioritizing detections that are more likely to represent real security concerns. The other options listed are not valid detection severity classifications within Falcon Identity Protection.

Because Informational events are excluded by default while higher-severity detections remain visible,Option Ais the correct and verified answer.

Authentication Traffic Inspection (ATI) is a foundational capability of Falcon Identity Protection that enables the platform to analyze authentication traffic from domain controllers. According to the CCIS documentation, ATI is enabled throughIdentity configuration policies.

Identity configuration policies define how the Falcon sensor captures and inspects authentication-related traffic, including Kerberos, NTLM, LDAP, and other identity protocols. Enabling ATI at this level ensures that domain controllers provide the necessary telemetry for identity risk analysis, detections, and behavioral profiling.

The other options are incorrect because:

Identity management settings focus on identity governance and administration.

Identity detection configuration controls detection logic, not traffic inspection.

Identity protection settings manage high-level configuration but do not directly enable ATI.

Because ATI must be explicitly enabled viaIdentity configuration policies,Option Ais the correct and verified answer.

The CCIS curriculum highlights a critical identity-security concept: when attackers usecompromised credentials, they often bypass traditional malware-based attack phases, including theExecutionphase of the MITRE ATT&CK framework. Because no malicious code needs to be executed, attackers can immediately begin interacting with the environment as a legitimate user.

As a result, threat actors move directly into theDiscoveryphase. During Discovery, attackers enumerate users, groups, privileges, systems, domain relationships, and trust paths to understand the environment and plan further actions. This behavior is commonly observed in identity-based attacks and living-off-the-land techniques.

Falcon Identity Protection is specifically designed to detect this behavior by monitoring authentication traffic, privilege usage, and anomalous identity activity—areas where traditional EDR tools may have limited visibility.

The other options are incorrect:

Initial Access has already occurred via credential compromise.

Weaponization and Execution are not required.

Lateral Movement typically follows Discovery.

Because compromised credentials allow attackers to jump straight intoDiscovery,Option Cis the correct and verified answer.