CrowdStrike IDP - CrowdStrike Certified Identity Specialist(CCIS) Exam

The CCIS curriculum highlights a critical identity-security concept: when attackers usecompromised credentials, they often bypass traditional malware-based attack phases, including theExecutionphase of the MITRE ATT&CK framework. Because no malicious code needs to be executed, attackers can immediately begin interacting with the environment as a legitimate user.

As a result, threat actors move directly into theDiscoveryphase. During Discovery, attackers enumerate users, groups, privileges, systems, domain relationships, and trust paths to understand the environment and plan further actions. This behavior is commonly observed in identity-based attacks and living-off-the-land techniques.

Falcon Identity Protection is specifically designed to detect this behavior by monitoring authentication traffic, privilege usage, and anomalous identity activity—areas where traditional EDR tools may have limited visibility.

The other options are incorrect:

Initial Access has already occurred via credential compromise.

Weaponization and Execution are not required.

Lateral Movement typically follows Discovery.

Because compromised credentials allow attackers to jump straight intoDiscovery,Option Cis the correct and verified answer.

Falcon Identity Protection integrates with third-party MFA providers throughMFA connectorsto support conditional access and identity verification. The CCIS documentation explains that these connectors allow organizations to enforce MFA challenges based on identity risk, authentication behavior, or policy conditions.

One of the supported MFA authentication methods isPush, where a notification is sent to a registered device or application for user approval. Push-based MFA is widely used due to its balance of usability and security and is fully supported by Falcon Identity Protection when integrated with compatible MFA providers.

The other options are not valid MFA authentication methods within Falcon:

Page and Pull are not recognized MFA mechanisms.

Alarm is related to alerting, not authentication.

By enabling push-based MFA through an MFA connector, organizations can dynamically enforce identity verification in alignment with Zero Trust principles. Therefore,Option Bis the correct and verified answer.

Falcon Identity Protection integrates withIdentity-as-a-Service (IDaaS)providers to ingest cloud authentication activity and enforce identity-based policies. According to the CCIS curriculum,Okta SSOis a supported IDaaS connector that enables Falcon to ingestcloud authentication eventswhile also applyingSingle Sign-On (SSO) policies.

Okta SSO provides rich identity telemetry, including login attempts, device context, and authentication outcomes. This data allows Falcon Identity Protection to correlate on-premises and cloud-based identity activity, extending identity risk analysis beyond Active Directory.

The other options are incorrect:

ADFSis an on-premises federation service, not a cloud IDaaS.

Azure NPSis used for RADIUS-based MFA, not SSO ingestion.

SAMLis a protocol, not an IDaaS connector.

Because Okta SSO provides both cloud activity ingestion and SSO enforcement,Option Bis the correct and verified answer.

To retrieve identity-based detections and incident-related data using the CrowdStrike APIs, the API key must include the correctpermission scope. According to the CCIS curriculum, theIdentity Protection Detectionsscope is required to access identity-based detection and incident information through GraphQL.

This scope allows API queries to retrieve:

Identity-based detections

Associated incident metadata

Detection attributes such as severity, status, and related entities

Incident data in Falcon Identity Protection isderived from detections, making the Detections scope the authoritative permission set for this information. Without this scope, GraphQL queries related to identity detections and incidents will fail authorization.

The other scopes are either too narrow or unrelated to detection retrieval. Therefore,Option Ais the correct and verified answer.

Falcon Identity Protection establishes auser baselineby observing authentication behavior over time, including login frequency, endpoints used, access patterns, and protocol usage. According to the CCIS curriculum, Falcon typically requiresapproximately one weekof consistent activity to develop an initial, reliable baseline for a user.

This baseline allows Falcon to distinguish normal behavior from anomalies and to calculate accurate risk scores. While the baseline continues to mature over time and becomes more precise with additional data, the first usable behavioral model is generally formed within a week.

Longer timeframes such as one or three months are not required to begin detecting abnormal behavior. Conversely, periods shorter than a week may not provide sufficient behavioral data to accurately model normal usage patterns.

Because Falcon can rapidly establish a functional baseline while continuously refining it,Option C (One week)is the correct and verified answer.

Falcon Fusion workflows integrate directly with Falcon Identity Protection throughidentity-based triggers, allowing automated responses to identity threats. The correct trigger that activates a Falcon Fusion workflow from Identity Protection isAlert > Identity detection.

Identity detections are generated when Falcon observes suspicious or malicious identity behavior, such as credential abuse, abnormal authentication patterns, lateral movement attempts, or policy violations related to identity risk. These detections are distinct from endpoint-only detections or incidents and are specifically designed to representidentity-based attack activity.

WhileNew incidentandNew endpoint detectionare valid Falcon Fusion triggers in other Falcon modules, they are not the primary triggers for identity-focused automation. Similarly,Spotlight user action > Hostrelates to vulnerability management workflows rather than identity analytics.

The CCIS curriculum emphasizes that Falcon Fusion enablesautomated identity response, such as notifying security teams, disabling accounts, enforcing MFA, or triggering SOAR actions, based onidentity detections. Therefore, workflows tied toAlert > Identity detectionallow organizations to respond quickly and consistently to identity threats, makingOption Cthe correct answer.

Falcon Identity Protection evaluatesdomain riskby analyzing identity-related weaknesses such as insecure authentication protocols, legacy directory configurations, and exposure to credential-based attacks. Actions that harden Active Directory and authentication mechanisms will directly reduce domain risk scores.

Measures such asenabling SMB signing,enforcing NTLMv2, andupgrading unsupported operating systemsremove common identity attack paths and are explicitly recommended in the CCIS curriculum as effective domain risk remediation steps.

In contrast,upgrading end-of-life Acrobat Readeraddresses anendpoint application vulnerability, not an identity or directory-related risk. While important for endpoint hygiene, it does not influence identity telemetry, authentication behavior, or domain controller security assessed by Falcon Identity Protection.

Because domain risk scoring is strictly tied to identity infrastructure and authentication posture,Option Bdoes not contribute to lowering the domain risk score and is therefore the correct answer.