Free Practice Questions for CrowdStrike IDP Exam

Falcon Identity Protection automatically differentiateshuman and programmatic accountsby analyzingauthentication traffic patterns. According to the CCIS curriculum, the platform uses behavioral analytics to observe how accounts authenticate, including frequency, protocol usage, timing, and access patterns.

Human users typically authenticate interactively and exhibit variable behavior, while programmatic or service accounts authenticate predictably and non-interactively. Falcon leverages these differences to automatically classify account types without requiring manual tagging or administrative input.

This classification is critical for accurate risk scoring, privilege analysis, and detection logic. Programmatic accounts often carry elevated privileges and long-lived credentials, making them attractive targets for attackers. Automatically identifying them allows Falcon to apply appropriate risk models and detections.

Because Falcon usesauthentication traffic analysisto classify account types,Option Cis the correct and verified answer.

In Falcon Identity Protection, the"Guest Account Enabled"risk highlights the presence of local or domain guest accounts that remain active across endpoints. Guest accounts are inherently high-risk because they typically lack strong authentication controls, are rarely monitored, and are frequently abused by attackers for lateral movement and persistence.

The CCIS curriculum explicitly recommendsdisabling Guest accounts on all endpointsas the primary remediation action. This is because guest accounts often bypass standard identity governance processes and violate the principles ofleast privilegeandZero Trust, both of which are foundational to Falcon Identity Protection’s security model. Disabling these accounts removes an unnecessary and dangerous authentication path from the environment.

Other options are incorrect because:

Adding endpoints to a watchlist does not remediate the risk.

Blocking access via a policy rule is less effective than eliminating the account entirely.

Disabling endpoints in Active Directory does not directly address the guest account exposure.

Falcon Identity Protection prioritizeselimination of weak identity configurations, and disabling guest accounts is a direct, effective action that immediately lowers identity risk scores and reduces attack surface. Therefore,Option Cis the correct and verified answer.

The Domain Security Overview in Falcon Identity Protection usesGoalsto frame identity risks into focused security assessment perspectives. These goals allow organizations to evaluate identity posture based on specific security priorities such as directory hygiene, privilege exposure, or overall attack surface reduction.

According to the CCIS curriculum, theavailable GoalsincludePrivileged Users Management,AD Hygiene,Pen Testing, andReduce Attack Surface. These goals are predefined by CrowdStrike and determine how risks are grouped, weighted, and presented in reports.

Business Privileged Users Managementisnot an available Goalwithin the Domain Security Overview. While Falcon Identity Protection does support the concept ofbusiness privilegesand evaluates their impact on users and entities, this concept is handled through risk analysis and configuration—not as a selectable Domain Security Goal.

The CCIS documentation clearly distinguishes betweenGoals(which control reporting and assessment views) andbusiness privilege modeling(which influences risk scoring). Therefore,Option Bis the correct and verified answer.

Falcon Identity Protection continuously inspects authentication traffic and network behavior to establishbehavioral baselines for users and accounts. These baselines enable the platform to detect deviations that indicate potential compromise, misuse, or insider threat activity. This behavioral intelligence directly enhances the effectiveness ofFalcon Fusion workflows.

Falcon Fusion leveragesidentity and behavioral analyticsas decision points within workflows, allowing automated actions to be triggered when abnormal behavior is detected. For example, a workflow can automatically enforce MFA, notify administrators, isolate risky sessions, or initiate remediation when a user deviates from their established baseline.

The CCIS curriculum highlights that Falcon Fusion is designed tointegrate identity risk signals with IT policy enforcement, enabling Zero Trust-aligned automation. This capability goes far beyond simple notifications and supports coordinated responses across security and IT teams.

Options A, B, and C are incorrect because Falcon Fusion is fully identity-aware, applies broadly across users and entities, and supports a wide range of actions beyond email notifications. Therefore,Option Daccurately describes how behavioral profiling strengthens Falcon Fusion workflows.

Falcon Identity Protection identifiesstale endpointsas systems that have not authenticated or shown activity for an extended period and then suddenly become active. According to the CCIS curriculum, an endpoint that has been inactive for90 daysand then resumes activity will trigger aUse of Stale Endpointdetection.

This detection is important because attackers frequently exploit dormant or forgotten systems to re-enter environments, evade monitoring, or move laterally. A long period of inactivity followed by sudden authentication activity is considered a strong identity risk signal.

The 90-day threshold is used to establish a reliable inactivity baseline while minimizing false positives. Shorter timeframes could incorrectly flag normal usage patterns, while longer timeframes could delay detection of genuine threats.

Because Falcon explicitly defines stale endpoint activity using a90-day inactivity window,Option Bis the correct answer.

The provided Falcon Fusion SOAR workflow example shows a trigger based on anIdentity Detection, followed by conditions and actions that search for recently logged-in users and related entities across endpoints. According to the CCIS curriculum, this type of workflow aligns with theLateral Movementtactic in the MITRE ATT&CK framework.

Lateral Movement involves an attacker moving from one system or account to another after initial access has been achieved. The workflow’s logic—correlating identity detections with additional users and endpoints—supports identifying and responding to movement across the environment using compromised or abused credentials.

The other tactics do not best fit this scenario:

Initial Access occurs earlier in the attack chain.

Credential Access focuses on obtaining credentials.

Privilege Escalation centers on increasing access rights.

Because the workflow is designed to detect and respond tomovement between systems and identities,Option C (Lateral Movement)is the correct and verified answer.

A modern Zero Trust security architecture fundamentally differs from the traditional wall-and-moat model byeliminating implicit trust based on network location. As defined inNIST SP 800-207and reinforced in the CCIS curriculum, Zero Trust requirescontinuous authentication and authorization of all entities, regardless of whether they originate from inside or outside the network.

Traditional perimeter-based security assumes that users and devices inside the network are trusted, focusing defenses at the boundary. This approach fails in modern environments where cloud access, remote work, and compromised credentials allow attackers to operate internally without triggering perimeter controls.

Zero Trust replaces this assumption with continuous validation using identity, behavior, device posture, and risk signals. Falcon Identity Protection operationalizes this concept by continuously inspecting authentication traffic and reassessing trust throughout a session, not just at login time.

Because Zero Trust applies universally and continuously,Option Dis the correct and verified answer.

Identity Protection API documentation is part of CrowdStrike’s centralized API documentation structure. According to the CCIS curriculum,Identity Protection API information is located under the “CrowdStrike APIs” documentation category.

This category includes:

API authentication and scopes

Identity Protection GraphQL schemas

Query examples for detections, incidents, users, and risk

Usage guidance and limitations

CrowdStrike consolidates all API-related documentation in one location to ensure consistent access and maintenance across Falcon modules. Identity Protection APIs are not documented under Falcon Management, Store, or general reference sections.

Because all product APIs—including Identity Protection—are documented underCrowdStrike APIs,Option Dis the correct and verified answer.

In Falcon Identity Protection, theDomainspage is where administrators can view themonitoring and health status of domain controllers. The CCIS curriculum explains that this page provides visibility into which domain controllers are actively reporting authentication traffic, their inspection status, and whether Authentication Traffic Inspection (ATI) is enabled.

This view is essential for validating coverage and ensuring that Falcon Identity Protection has sufficient visibility into domain authentication activity. Administrators can quickly identify gaps, such as domain controllers that are not reporting or are misconfigured, and take corrective action.

The other options serve different purposes:

Settingsmanage general configuration.

System Notificationsdisplay alerts and messages.

Connectorsmanage integrations such as MFA and IDaaS.

Because domain controller visibility and monitoring health are managed at the domain level,Option C (Domains)is the correct and verified answer.