CrowdStrike IDP - CrowdStrike Certified Identity Specialist(CCIS) Exam

When an identity-based detection is determined to be afalse positive, Falcon Identity Protection allows administrators to take corrective action usingexceptions. According to the CCIS curriculum, exceptions are the mechanism by which detections can be suppressed for specific entities or conditions without disabling the detection entirely.

Exceptions are configured from theDetection detailsview and are intended to handle known, acceptable behavior that would otherwise continue to trigger detections. This allows security teams to reduce noise while maintaining visibility into true threats. Exceptions are especially valuable in environments with complex authentication patterns or legacy configurations.

The other options are incorrect:

Exitsare not a detection control mechanism.

Remediationsrefer to corrective actions, not suppression logic.

Recommendationsprovide guidance but do not change detection behavior.

By usingexceptions, Falcon ensures that false positives are handled in a controlled and auditable way, aligning with best practices outlined in the CCIS material. Therefore,Option Cis the correct answer.

The Domain Security Overview in Falcon Identity Protection usesGoalsto frame identity risks into focused security assessment perspectives. These goals allow organizations to evaluate identity posture based on specific security priorities such as directory hygiene, privilege exposure, or overall attack surface reduction.

According to the CCIS curriculum, theavailable GoalsincludePrivileged Users Management,AD Hygiene,Pen Testing, andReduce Attack Surface. These goals are predefined by CrowdStrike and determine how risks are grouped, weighted, and presented in reports.

Business Privileged Users Managementisnot an available Goalwithin the Domain Security Overview. While Falcon Identity Protection does support the concept ofbusiness privilegesand evaluates their impact on users and entities, this concept is handled through risk analysis and configuration—not as a selectable Domain Security Goal.

The CCIS documentation clearly distinguishes betweenGoals(which control reporting and assessment views) andbusiness privilege modeling(which influences risk scoring). Therefore,Option Bis the correct and verified answer.

In Falcon Identity Protection, auser baselineis established by observing consistent and repeatable behavior over time, including authentication patterns, endpoint associations, and usage context. According to the CCIS curriculum, one of the strongest indicators that a user has an established baseline is the presence ofendpoints for which the user is identified as an owner.

Endpoint ownership is determined through historical authentication behavior and usage frequency. When Falcon identifies that a user consistently logs into specific endpoints over time, those endpoints are marked asowned, which signifies that sufficient historical data exists to confidently model the user’s normal behavior. This ownership relationship is only created after Falcon has observed the user long enough to establish a reliable baseline.

The other options do not definitively indicate a baseline:

Logging into multiple endpoints may occur during initial discovery or anomalous activity.

A risk score reflects current risk posture, not baseline maturity.

Recent logon activity alone does not imply historical consistency.

Becauseendpoint ownership requires sustained, predictable behavior over time, it is the clearest indicator that Falcon has successfully established a user baseline. Therefore,Option Bis the correct and verified answer.

Falcon Identity Protection automatically differentiateshuman and programmatic accountsby analyzingauthentication traffic patterns. According to the CCIS curriculum, the platform uses behavioral analytics to observe how accounts authenticate, including frequency, protocol usage, timing, and access patterns.

Human users typically authenticate interactively and exhibit variable behavior, while programmatic or service accounts authenticate predictably and non-interactively. Falcon leverages these differences to automatically classify account types without requiring manual tagging or administrative input.

This classification is critical for accurate risk scoring, privilege analysis, and detection logic. Programmatic accounts often carry elevated privileges and long-lived credentials, making them attractive targets for attackers. Automatically identifying them allows Falcon to apply appropriate risk models and detections.

Because Falcon usesauthentication traffic analysisto classify account types,Option Cis the correct and verified answer.

The Falcon Identity Verification Dialog is used to prompt users for identity verification during conditional access enforcement. According to the CCIS curriculum,Internet Explorer 9 and Windows Server 2008represent theminimum supported requirementsfor rendering the Identity Verification Dialog on an end user’s system.

This requirement exists because the dialog relies on supported browser and OS components to present authentication challenges reliably during enforcement workflows. Systems that do not meet these minimum requirements may fail to display the dialog correctly, impacting the enforcement of MFA or identity verification actions.

The other options reference runtime frameworks or PowerShell versions that are not directly responsible for rendering the verification dialog. Therefore,Option Ais the correct and verified answer.

Cloud-based MFA connectors integrate Falcon Identity Protection with third-party MFA providers usingapplication-based authentication, not user credentials. As outlined in the CCIS curriculum, these connectors require anapplication identifier (Client/Application ID)andsecret keysto securely authenticate API communications.

This approach follows modern security best practices by avoiding the use of privileged user credentials and instead leveraging scoped, revocable application secrets. The connector uses these credentials to trigger MFA challenges and exchange authentication context securely.

Options involving usernames, passwords, or domain controller details are incorrect, as Falcon Identity Protection does not store or require privileged account credentials for MFA integrations. Therefore,Option Dis the correct answer.

Falcon Identity Protection follows acorrelation and enrichment modelwhere events, detections, and incidents are dynamically linked over time. According to the CCIS curriculum,events that occur after an incident is marked In Progress do not automatically create a new incident. Instead, related events and detections are typicallyadded to the existing incident, provided they fall within the incident’s correlation and suppression window.

This behavior allows Falcon to present asingle evolving incident, showing the full progression of an identity attack rather than fragmenting activity into multiple incidents. Therefore, statementA is not true.

The other statements are correct:

Detections can be retroactively associated with incidents that occurred earlier if correlation logic determines relevance.

Events can be linked to detections even if the detection is created after the event occurred.

Not all events are security-relevant; many remain informational and never become detections.

This adaptive correlation model is a core concept in CCIS training and supports efficient investigation and incident lifecycle management. Hence,Option Ais the correct answer.

Falcon Identity Protection integrates with a defined set ofsupported MFA providersto enforce identity verification and conditional access based on identity risk. According to the CCIS curriculum, supported MFA providers includeAzure (Entra) MFA,Cisco Duo, andSymantec VIP, which are commonly used enterprise-grade MFA solutions.

These integrations allow Falcon Identity Protection to evaluate authentication attempts and dynamically enforce MFA challenges when risky behavior is detected. The supported providers expose the necessary APIs and authentication workflows required for Falcon to trigger MFA challenges as part of Policy Rules and Zero Trust enforcement.

Firebaseis not a supported MFA provider within Falcon Identity Protection. Firebase is primarily a mobile and application development platform and does not function as an enterprise MFA provider compatible with Falcon’s identity enforcement model. As such, it cannot be used to enforce conditional access or identity verification through Falcon Identity Protection.

Because Falcon only supports specific, enterprise MFA integrations validated by CrowdStrike,Option Ais the correct and verified answer.

Falcon Identity Threat Detection (ITD) providesvisibility, analytics, and detectionof identity-based threats but doesnot include enforcement capabilities. According to the CCIS curriculum, ITD customers have access to investigative and analytical features such asEvent Analysis,Privileged Identities, and relevantSettingsfor visibility and monitoring.

Policy Rules, however, are part ofIdentity Threat Protection (ITP)and reside in theEnforcesection of the Falcon console. Policy Rules enable automated responses and enforcement actions, such as blocking access or enforcing MFA, which are not available under ITD-only subscriptions.

This distinction is critical in the CCIS material:

ITD = Detect and analyze identity threats

ITP = Detect + enforce policy actions

Because ITD does not include enforcement functionality,Policy Rules are not available, makingOption Dthe correct answer.