IDP CrowdStrike Certified Identity Specialist(CCIS) Exam Free Practice Exam Questions (2026 Updated)

Falcon Identity Protection establishes auser baselineby observing authentication behavior over time, including login frequency, endpoints used, access patterns, and protocol usage. According to the CCIS curriculum, Falcon typically requiresapproximately one weekof consistent activity to develop an initial, reliable baseline for a user.

This baseline allows Falcon to distinguish normal behavior from anomalies and to calculate accurate risk scores. While the baseline continues to mature over time and becomes more precise with additional data, the first usable behavioral model is generally formed within a week.

Longer timeframes such as one or three months are not required to begin detecting abnormal behavior. Conversely, periods shorter than a week may not provide sufficient behavioral data to accurately model normal usage patterns.

Because Falcon can rapidly establish a functional baseline while continuously refining it,Option C (One week)is the correct and verified answer.

Falcon Identity Protection integrates with third-party MFA providers throughMFA connectorsto support conditional access and identity verification. The CCIS documentation explains that these connectors allow organizations to enforce MFA challenges based on identity risk, authentication behavior, or policy conditions.

One of the supported MFA authentication methods isPush, where a notification is sent to a registered device or application for user approval. Push-based MFA is widely used due to its balance of usability and security and is fully supported by Falcon Identity Protection when integrated with compatible MFA providers.

The other options are not valid MFA authentication methods within Falcon:

Page and Pull are not recognized MFA mechanisms.

Alarm is related to alerting, not authentication.

By enabling push-based MFA through an MFA connector, organizations can dynamically enforce identity verification in alignment with Zero Trust principles. Therefore,Option Bis the correct and verified answer.

To retrieve identity-based detections and incident-related data using the CrowdStrike APIs, the API key must include the correctpermission scope. According to the CCIS curriculum, theIdentity Protection Detectionsscope is required to access identity-based detection and incident information through GraphQL.

This scope allows API queries to retrieve:

Identity-based detections

Associated incident metadata

Detection attributes such as severity, status, and related entities

Incident data in Falcon Identity Protection isderived from detections, making the Detections scope the authoritative permission set for this information. Without this scope, GraphQL queries related to identity detections and incidents will fail authorization.

The other scopes are either too narrow or unrelated to detection retrieval. Therefore,Option Ais the correct and verified answer.

Falcon Identity Protection usesincident suppression windowsto prevent alert fatigue while still maintaining accurate incident tracking. According to the CCIS documentation, whennew events related to an existing identity-based incident occur, the incident issuppressed for 5 days.

This suppression means that Falcon does not generate a new incident for the same activity during this window. Instead, additional detections areadded to the existing incident, allowing analysts to view the full progression of the threat in a single investigative context.

The 5-day suppression window ensures that ongoing identity attacks—such as repeated authentication abuse or lateral movement—are consolidated rather than fragmented across multiple incidents. This improves investigation efficiency and aligns with Falcon’s incident lifecycle management approach.

Because the suppression period is fixed at5 days,Option Dis the correct and verified answer.

In CrowdStrike Falcon Identity Protection, theRisktab within a user or account entity provides administrators with direct visibility intowhy an account has a specific risk score and what actions can be taken to reduce that score. This functionality is a core component of theUser AssessmentandRisk Assessmentsections of the CCIS (CrowdStrike Identity Specialist) curriculum.

The Risk tab aggregates bothanalysis-based risksanddetection-based risks, clearly identifying contributing factors such as compromised passwords, excessive privileges, risky authentication behavior, stale or never-used accounts, and policy violations. It also highlights theseverity, likelihood, and consequenceof each risk factor, allowingadministrators to prioritize remediation efforts effectively. Most importantly, this tab providesactionable guidance, enabling teams to understand which specific remediation steps—such as enforcing MFA, resetting credentials, reducing privileges, or disabling unused accounts—will directly lower the account’s overall risk score.

Other entity tabs do not provide this capability. TheTimelinetab focuses on chronological events and detections, theActivitytab displays authentication and behavioral activity, and theAssettab shows associated endpoints and resources. Only theRisktab is designed to explain risk drivers and guide remediation, makingOption Dthe correct and verified answer.

The Domain Security Overview in Falcon Identity Protection usesGoalsto frame identity risks into focused security assessment perspectives. These goals allow organizations to evaluate identity posture based on specific security priorities such as directory hygiene, privilege exposure, or overall attack surface reduction.

According to the CCIS curriculum, theavailable GoalsincludePrivileged Users Management,AD Hygiene,Pen Testing, andReduce Attack Surface. These goals are predefined by CrowdStrike and determine how risks are grouped, weighted, and presented in reports.

Business Privileged Users Managementisnot an available Goalwithin the Domain Security Overview. While Falcon Identity Protection does support the concept ofbusiness privilegesand evaluates their impact on users and entities, this concept is handled through risk analysis and configuration—not as a selectable Domain Security Goal.

The CCIS documentation clearly distinguishes betweenGoals(which control reporting and assessment views) andbusiness privilege modeling(which influences risk scoring). Therefore,Option Bis the correct and verified answer.

Falcon Identity Protection calculates user risk scores based on a combination ofprivilege level,credential exposure, andbehavioral indicators. According to the CCIS curriculum, aprivileged user with a compromised passwordrepresents one of the highest-risk identity scenarios.

Privileged accounts—such as administrators or service accounts with elevated access—already pose increased risk due to their access scope. When Falcon detects that such an account’s credentials have been compromised, the risk escalates significantly because attackers can immediately gain high-impact access without further escalation.

The other options do not inherently represent the same level of risk:

Logging in from a shared endpoint may increase risk but is context-dependent.

Stale users are risky but typically lower risk than active compromised credentials.

Domain Admin group membership alone does not imply compromise.

Becausecredential compromise combined with privilegedramatically increases attack potential,Option Bis the correct and verified answer.

The provided Falcon Fusion SOAR workflow example shows a trigger based on anIdentity Detection, followed by conditions and actions that search for recently logged-in users and related entities across endpoints. According to the CCIS curriculum, this type of workflow aligns with theLateral Movementtactic in the MITRE ATT&CK framework.

Lateral Movement involves an attacker moving from one system or account to another after initial access has been achieved. The workflow’s logic—correlating identity detections with additional users and endpoints—supports identifying and responding to movement across the environment using compromised or abused credentials.

The other tactics do not best fit this scenario:

Initial Access occurs earlier in the attack chain.

Credential Access focuses on obtaining credentials.

Privilege Escalation centers on increasing access rights.

Because the workflow is designed to detect and respond tomovement between systems and identities,Option C (Lateral Movement)is the correct and verified answer.

In the Domain Security Overview,Scopeis a configurable setting that allows administrators toswitch between Active Directory domains and Azure tenants. This capability is essential for organizations managing multiple identity environments, as it enables targeted risk assessment and comparison across different identity infrastructures.

The CCIS documentation explains that Scope determineswhich domain or tenant’s identity data is displayedin the Overview dashboard, including risk scores, trends, and prioritized remediation guidance. Changing the scope does not alter risk calculations; it simply refocuses the analysis on the selected identity environment.

Other options are incorrect because:

Privileged Identities represent a subset of users, not a switchable setting.

Domains are entities, not a dashboard control.

Goal changes how risks are evaluated, not which environment is displayed.

By allowing granular control over which domain or tenant is analyzed, Scope supports accurate identity risk management in complex, hybrid environments. Therefore,Option Dis the correct answer.

The Falcon Identity Verification Dialog is used to prompt users for identity verification during conditional access enforcement. According to the CCIS curriculum,Internet Explorer 9 and Windows Server 2008represent theminimum supported requirementsfor rendering the Identity Verification Dialog on an end user’s system.

This requirement exists because the dialog relies on supported browser and OS components to present authentication challenges reliably during enforcement workflows. Systems that do not meet these minimum requirements may fail to display the dialog correctly, impacting the enforcement of MFA or identity verification actions.

The other options reference runtime frameworks or PowerShell versions that are not directly responsible for rendering the verification dialog. Therefore,Option Ais the correct and verified answer.

In Falcon Identity Protection,Informationaldetections represent low-impact events that provide context but do not indicate elevated identity risk. According to the CCIS curriculum,Informational events are excluded by defaultfrom standard detection views to reduce noise and allow analysts to focus on higher-risk activity.

By default,Low, Medium, and High severity detections remain visible, as these contribute directly to identity risk scoring, incident formation, and investigative workflows. Informational detections can still be viewed if filters are adjusted, but they are intentionally hidden in default views.

This design supports efficient threat triage by prioritizing detections that are more likely to represent real security concerns. The other options listed are not valid detection severity classifications within Falcon Identity Protection.

Because Informational events are excluded by default while higher-severity detections remain visible,Option Ais the correct and verified answer.

TheNIST SP 800-207 Zero Trust Architectureframework fundamentally rejects the concept of implicit trust based on network location. As outlined in both NIST guidance and reinforced in the CCIS curriculum,all users must be continuously validated and authenticated regardless of whether they are inside or outside the network perimeter.

Zero Trust assumes that threats can originate from anywhere, including internal networks. Therefore, authentication and authorization decisions must be made dynamically using identity, device posture, behavior, and risk signals—not network placement.

Falcon Identity Protection aligns directly with this principle by continuously evaluating identity behavior forall users, whether they authenticate from internal corporate networks, remote locations, or cloud environments.

Because Zero Trust applies universally,Option Cis the correct and verified answer.

Falcon Fusion workflows integrate directly with Falcon Identity Protection throughidentity-based triggers, allowing automated responses to identity threats. The correct trigger that activates a Falcon Fusion workflow from Identity Protection isAlert > Identity detection.

Identity detections are generated when Falcon observes suspicious or malicious identity behavior, such as credential abuse, abnormal authentication patterns, lateral movement attempts, or policy violations related to identity risk. These detections are distinct from endpoint-only detections or incidents and are specifically designed to representidentity-based attack activity.

WhileNew incidentandNew endpoint detectionare valid Falcon Fusion triggers in other Falcon modules, they are not the primary triggers for identity-focused automation. Similarly,Spotlight user action > Hostrelates to vulnerability management workflows rather than identity analytics.

The CCIS curriculum emphasizes that Falcon Fusion enablesautomated identity response, such as notifying security teams, disabling accounts, enforcing MFA, or triggering SOAR actions, based onidentity detections. Therefore, workflows tied toAlert > Identity detectionallow organizations to respond quickly and consistently to identity threats, makingOption Cthe correct answer.

Falcon Identity Protection is designed to address the growing threat ofidentity brokers, which act as intermediaries that abuse identity infrastructure to facilitate lateral movement, privilege escalation, and persistent access. The CCIS curriculum emphasizes that Falcon Identity Protection providesproactive identity risk mitigationrather than reactive session monitoring or password vaulting.

The platform continuously inspects authentication traffic and identity behavior across Active Directory and Azure AD environments, building behavioral baselines and identifying abnormal activity associated with brokered identity attacks. ThroughPolicy Rules, organizations can automatically enforce controls such as blocking risky authentications, enforcing MFA, or triggering remediation workflows when identity abuse is detected.

The incorrect options describe capabilities associated withPrivileged Access Management (PAM)orIAM middleware, which are not the focus of Falcon Identity Protection. Falcon does not record interactive sessions, act as an HRIS bridge, or store delegated credentials. Instead, it protects identity infrastructure bydetecting and preventing identity misuse in real time.

This proactive enforcement model aligns directly with Zero Trust principles and makes Falcon Identity Protection a strong solution against identity broker activity. Therefore,Option Cis the correct and verified answer.

In Falcon Identity Protection,identity-based incidents are dynamicand can evolve over time as additional detections are associated with them. According to the CCIS curriculum, an incident’stype is automatically recalculatedbased on thedetections related to the incident, not by manual user actions.

As new identity-based detections are generated—such as credential misuse, lateral movement attempts, or abnormal authentication behavior—the platform continuously reassesses the incident. If the newly added detections indicate a different or more severe attack pattern, Falcon may automaticallychange the incident typeto better reflect the observed threat activity.

Manual actions such as adding exclusions or linking detections do not directly change the incident type. Similarly, users cannot manually override an incident’s classification. The classification logic is driven entirely by Falcon’s analytics engine to ensure consistent, objective threat categorization.

This automated behavior is emphasized in CCIS training to highlight Falcon’s ability toadapt incident context as attacks progress, makingOption Dthe correct answer.

The Enforce section of Falcon Identity Protection is dedicated to policy-based identity enforcement. According to the CCIS curriculum, this section allows administrators to define and manage Policy Rules and Policy Groups that specify how the platform should respond when identity-related conditions are detected.

These rules evaluate triggers such as risky authentication behavior, privilege misuse, compromised credentials, or elevated risk scores, and then execute actions like blocking access, enforcing MFA, or initiating Falcon Fusion workflows. Enforce is therefore the execution layer of Falcon’s identity security model.

The other options correspond to different sections of the platform:

Configuration tasks are handled in Configure.

Detections and incidents are reviewed in Monitor or Explore.

Domain posture overviews are displayed in Domain Security Overview.

Because Enforce directly controls what actions are taken in response to identity risk, Option B is the correct and verified answer.