CrowdStrike Certified Identity Specialist (CCIS) Exam Questions and Answers
What is the recommended action for the "Guest Account Enabled" risk?
Options:
A. Add related endpoints to a watchlist
B. Apply a policy rule with an "Access" trigger and "Block" action on the Guest account
C. Disable Guest accounts on all endpoints
D. Disable the endpoint in Active Directory
Answer: C
Explanation:
In Falcon Identity Protection, the "Guest Account Enabled" risk flags local or domain Guest accounts that are still enabled on endpoints. Guest accounts are inherently high-risk: they lack strong authentication controls, are rarely monitored, and give an attacker a ready-made foothold for lateral movement and persistence.
The CCIS curriculum recommends disabling Guest accounts on all endpoints as the primary remediation. Guest accounts sit outside normal identity governance and violate least privilege and Zero Trust, both of which are foundational to Falcon Identity Protection's security model. Disabling them removes an unnecessary authentication path from the environment. Note that the built-in Guest account (RID 501) cannot be deleted, only disabled, which is why the remediation is "disable" rather than "remove"; after remediating, confirm the account state on the endpoint (for example with Get-LocalUser) or in Active Directory rather than assuming the risk will clear on its own.
The other options are incorrect because:
Adding endpoints to a watchlist improves visibility but does not remediate the risk.
Blocking access with a policy rule is a compensating control; it is less effective than removing the authentication path entirely.
Disabling the endpoint in Active Directory does not address the Guest account itself.
Falcon Identity Protection prioritizes eliminating weak identity configurations. Disabling Guest accounts is a direct, effective action that immediately lowers identity risk scores and reduces attack surface, so Option C is the correct answer.
Describe the difference between a Human account and a Programmatic account.
Options:
A. A human account is an Administrator
B. A programmatic account is never authorized for multi-factor authentication
C. A programmatic account is only used interactively
D. A human account is often used interactively
Answer: D
Explanation:
Falcon Identity Protection distinguishes human accounts from programmatic accounts by authentication behavior, not by naming convention or assigned role. According to the CCIS curriculum, human accounts are often used interactively: they authenticate through direct user actions such as workstation logons, VPN access, or application access.
Programmatic accounts (service accounts, for example) typically authenticate non-interactively, often on a predictable schedule or in response to automated processes. Falcon analyzes authentication frequency, protocol usage, timing, and access patterns to classify account types automatically.
The incorrect options reflect common misconceptions:
Human accounts are not always administrators.
Programmatic accounts can be subject to MFA in some architectures.
Programmatic accounts are used non-interactively; an interactive logon by a service account is itself a deviation from baseline and worth investigating.
Because interactive authentication is the defining characteristic of human accounts, Option D is the correct answer.
What is the purpose behind creating Policy Rules?
Options:
A. Policy Rules determine what actions to take in response to certain triggers/conditions observed within the environment
B. Policy Rules determine what actions an admin in the console can take before making adjustments
C. Policy Rules determine the scope in which the sensor collects information on the environment
D. Policy Rules determine how the console tracks and learns behavior for users in the environment
Answer: A
Explanation:
Policy Rules in Falcon Identity Protection automate enforcement and response based on identity conditions observed in the environment. According to the CCIS curriculum, a Policy Rule evaluates identity signals such as authentication behavior, risk level, privilege status, and detection outcomes, and executes a predefined action when its criteria are met.
Actions include blocking authentication, enforcing MFA, generating alerts, or triggering Falcon Fusion workflows. This supports Falcon's Zero Trust and continuous-validation model, in which trust decisions are enforced dynamically rather than assigned statically. Policy Rules are therefore the operational bridge between identity analytics and enforcement.
The incorrect options confuse Policy Rules with other platform components: administrative permissions are governed by RBAC, sensor data collection scope by configuration settings, and behavioral learning by Falcon's analytics engine, none of which are Policy Rules.
The CCIS documentation defines Policy Rules as logic-based enforcement mechanisms, making Option A the correct answer.
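The trigger/condition/action model described above, as an added example that is not part of the original page and not CrowdStrike's engine: a tiny rule evaluator where every rule has a trigger ("Access" here), a list of conditions, and an action, and where the most restrictive action wins when several rules match. The rule names, the attempt fields, the risk levels, the precedence order and the sample attempts are all assumptions chosen for illustration.

```python
"""Illustrative Policy Rule evaluation: an "Access" trigger, a set of
conditions, and an action ("Block", "MFA", "Alert"). Added example; this is
not CrowdStrike's rule engine, and the rule names, fields and precedence
are assumptions."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class AccessAttempt:
    account: str
    is_guest: bool          # built-in Guest account?
    risk: str               # assumed risk level: "low" | "medium" | "high"
    endpoint_managed: bool  # source endpoint has a sensor / is in inventory
    target: str             # resource being accessed

@dataclass(frozen=True)
class PolicyRule:
    name: str
    trigger: str                                   # only "Access" is modelled here
    conditions: Tuple[Callable[[AccessAttempt], bool], ...]
    action: str                                    # "Block" | "MFA" | "Alert"

# Most restrictive action wins when several rules match the same attempt.
PRECEDENCE = {"Block": 0, "MFA": 1, "Alert": 2}

RULES = (
    PolicyRule("Block Guest account access", "Access",
               (lambda a: a.is_guest,), "Block"),
    PolicyRule("Step-up MFA for high-risk accounts", "Access",
               (lambda a: a.risk == "high",), "MFA"),
    PolicyRule("Alert on access from unmanaged endpoints", "Access",
               (lambda a: not a.endpoint_managed,), "Alert"),
)

def evaluate(attempt: AccessAttempt, rules=RULES, trigger="Access"):
    """Return (decision, names_of_matching_rules).

    Every matching rule is recorded so the audit trail shows why the
    decision was taken, but only the strongest action is enforced.
    """
    matched = [r for r in rules
               if r.trigger == trigger and all(c(attempt) for c in r.conditions)]
    if not matched:
        return "Allow", []
    decision = min((r.action for r in matched), key=PRECEDENCE.__getitem__)
    return decision, [r.name for r in matched]

# Constructed sample attempts (not real telemetry).
SAMPLES = {
    "guest_unmanaged": AccessAttempt("CORP\\Guest", True, "medium", False, "\\\\fs01\\share"),
    "admin_high_risk": AccessAttempt("CORP\\jdoe", False, "high", True, "dc01 (LDAP)"),
    "normal": AccessAttempt("CORP\\asmith", False, "low", True, "app01 (HTTPS)"),
}

def run_samples():
    """Evaluate every constructed attempt; returns name -> (decision, rules)."""
    return {k: evaluate(a) for k, a in SAMPLES.items()}

if __name__ == "__main__":
    for name, (decision, why) in run_samples().items():
        print(f"{name:16} -> {decision:5} {why}")
```

The guest attempt matches two rules (Guest and unmanaged endpoint) and is blocked; recording both matches is what makes the decision explainable afterwards, which matters when a rule is too broad and starts blocking legitimate traffic.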
How does CrowdStrike Falcon Identity Protection help customers identify different types of accounts in their domain?
Options:
A. Implements advanced encryption algorithms for account metadata
B. Assigns a human authorizer to each programmatic account for approval
C. Analyzes authentication traffic and automatically classifies programmatic and human accounts
D. Conducts regular vulnerability assessments on programmatic accounts
Answer: C
Explanation:
Falcon Identity Protection automatically differentiates human and programmatic accounts by analyzing authentication traffic patterns. According to the CCIS curriculum, the platform uses behavioral analytics to observe how accounts authenticate, including frequency, protocol usage, timing, and access patterns.
Human users typically authenticate interactively and show variable behavior, while programmatic or service accounts authenticate predictably and non-interactively. Falcon uses these differences to classify account types automatically, without manual tagging or administrative input.
This classification matters for accurate risk scoring, privilege analysis, and detection logic. Programmatic accounts often carry elevated privileges and long-lived credentials, which makes them attractive targets; identifying them automatically lets Falcon apply the appropriate risk models and detections.
Because Falcon uses authentication traffic analysis to classify account types, Option C is the correct answer.
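The behaviour-based classification described in this question and in the Human vs. Programmatic question above, as an added example that is not part of the original page and is not CrowdStrike's implementation: it derives per-account features from constructed authentication events (share of interactive logons, regularity of the logon cadence, number of source hosts) and labels each account. The thresholds, the feature set and the sample telemetry are assumptions; it also shows the edge case the text hints at, a service account that suddenly has an interactive logon.

```python
"""Behaviour-based human vs. programmatic account classification.
Added example, not CrowdStrike's implementation: it shows the kind of
features (interactive ratio, logon cadence, source spread) such a classifier
uses. Thresholds and sample events are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

@dataclass(frozen=True)
class AuthEvent:
    account: str
    when: datetime
    interactive: bool   # console/RDP-style logon vs. network/service logon
    source: str         # host the authentication came from

def cadence_cv(times):
    """Coefficient of variation of the gaps between consecutive logons.
    Close to 0 means a fixed schedule, typical of scheduled tasks/services."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def profile(events):
    """Per-account feature vector built from raw authentication events."""
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e.account].append(e)
    return {
        acct: {
            "logons": len(evs),
            "interactive_ratio": sum(e.interactive for e in evs) / len(evs),
            "cadence_cv": cadence_cv([e.when for e in evs]),
            "sources": len({e.source for e in evs}),
        }
        for acct, evs in by_acct.items()
    }

def classify(p):
    """Return (label, reason). Thresholds are illustrative assumptions."""
    cv = p["cadence_cv"]
    regular = cv is not None and cv < 0.2
    if p["interactive_ratio"] >= 0.5:
        return "human", "mostly interactive logons"
    if regular and p["interactive_ratio"] == 0:
        return "programmatic", "non-interactive logons on a fixed cadence"
    if regular:
        return "programmatic", "fixed cadence but has interactive logons: investigate"
    return "unknown", "mixed or insufficient signal"

def sample_events():
    """Constructed telemetry: a backup service, a human user, and a SQL
    service account that someone used for an interactive logon."""
    t0 = datetime(2024, 3, 4, 0, 0)
    evs = [AuthEvent("svc_backup", t0 + timedelta(minutes=15 * i), False, "srv-backup01")
           for i in range(12)]
    evs += [AuthEvent("jdoe", t0 + timedelta(hours=h, minutes=m), inter, src)
            for h, m, inter, src in [(8, 3, True, "ws-jdoe"), (8, 47, True, "ws-jdoe"),
                                     (12, 15, False, "ws-jdoe"), (13, 2, True, "vpn-gw"),
                                     (17, 30, True, "vpn-gw"), (19, 5, True, "ws-jdoe")]]
    evs += [AuthEvent("svc_sql", t0 + timedelta(hours=i), False, "sql01") for i in range(10)]
    evs.append(AuthEvent("svc_sql", t0 + timedelta(hours=9, minutes=30), True, "ws-admin"))
    return evs

def run(events=None):
    """Classify every account in the given (or sample) events."""
    return {acct: classify(p) for acct, p in profile(events or sample_events()).items()}

if __name__ == "__main__":
    for acct, (label, why) in run().items():
        print(f"{acct:12} {label:13} {why}")
```

The SQL service account keeps its programmatic label because its cadence is still regular, but the single interactive logon from an admin workstation is surfaced in the reason string; in practice that is the signal to chase, since service credentials used interactively are a common sign of credential theft or careless admin habits.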
Which of the following statements is NOT true as it relates to Identity Events, Detections, and Incidents?
Options:
A. Events related to an incident that occur after the incident is marked In Progress will create a new incident
B. A detection can become an element of an incident that preceded it in time
C. An event can become an element of a detection that preceded it in time
D. Not all events are security events that become elements of detections
Answer: A
Explanation:
Falcon Identity Protection follows a correlation and enrichment model in which events, detections, and incidents are linked dynamically over time. According to the CCIS curriculum, events that occur after an incident is marked In Progress do not automatically create a new incident. Related events and detections are instead added to the existing incident, provided they fall within the incident's correlation and suppression window.
This lets Falcon present a single evolving incident that shows the full progression of an identity attack, rather than fragmenting the activity into many incidents. Statement A is therefore not true.
The other statements are correct:
Detections can be retroactively associated with an incident that was opened earlier when correlation logic finds them relevant.
Events can be linked to a detection even when the detection was created before the event occurred.
Not all events are security-relevant; many remain informational and never become part of a detection.
This adaptive correlation model is a core CCIS concept and supports efficient investigation and incident lifecycle management. Hence Option A is the correct answer.
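The three true statements and the one false one, as an added example that is not part of the original page and is not CrowdStrike's correlation code: a small correlator that attaches new detections to an open incident on the same entity within a window (including when the incident is already In Progress), links later events to an earlier detection, ignores informational events, and only opens a new incident once the old one is Closed. The window length, the status names and the sample timeline are assumptions.

```python
"""Illustrative event -> detection -> incident correlation with a time
window, retroactive linking and status-aware merging. Added example; this
is not CrowdStrike's correlation code, and the window, statuses and IDs are
assumptions chosen to demonstrate the statements in the question."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

WINDOW = timedelta(hours=24)   # assumed correlation/suppression window

@dataclass
class Event:
    id: str
    entity: str
    when: datetime
    security_relevant: bool    # informational events never become detection elements

@dataclass
class Detection:
    id: str
    entity: str
    when: datetime
    events: List[Event] = field(default_factory=list)

@dataclass
class Incident:
    id: str
    entity: str
    status: str = "New"        # assumed lifecycle: New -> In Progress -> Closed
    detections: List[Detection] = field(default_factory=list)

    @property
    def last_activity(self) -> datetime:
        return max(d.when for d in self.detections)

class Correlator:
    def __init__(self):
        self.incidents: List[Incident] = []
        self.detections: Dict[str, Detection] = {}
        self._seq = 0

    def _next(self, prefix: str) -> str:
        self._seq += 1
        return f"{prefix}-{self._seq}"

    def add_detection(self, det: Detection) -> Incident:
        """Attach to an open incident on the same entity within WINDOW,
        otherwise open a new one. 'In Progress' incidents still absorb new
        detections; only 'Closed' incidents do not."""
        self.detections[det.id] = det
        for inc in self.incidents:
            if (inc.entity == det.entity and inc.status != "Closed"
                    and abs(det.when - inc.last_activity) <= WINDOW):
                inc.detections.append(det)
                return inc
        inc = Incident(self._next("INC"), det.entity, detections=[det])
        self.incidents.append(inc)
        return inc

    def link_event(self, det_id: str, ev: Event) -> bool:
        """Attach an event to an existing detection (the detection may
        pre-date the event). Returns False for non-security events."""
        if not ev.security_relevant:
            return False
        self.detections[det_id].events.append(ev)
        return True

def scenario() -> dict:
    """Constructed timeline for one entity plus one unrelated entity."""
    c = Correlator()
    t0 = datetime(2024, 3, 4, 9, 0)
    ent = "CORP\\svc_sql"
    first = c.add_detection(Detection("DET-1", ent, t0))              # opens INC-1
    first.status = "In Progress"                                      # analyst picks it up
    later = c.add_detection(Detection("DET-2", ent, t0 + timedelta(hours=3)))
    other = c.add_detection(Detection("DET-3", "CORP\\jdoe", t0 + timedelta(hours=1)))
    linked = c.link_event("DET-2", Event("EV-9", ent, t0 + timedelta(hours=4), True))
    ignored = c.link_event("DET-2", Event("EV-10", ent, t0 + timedelta(hours=4), False))
    first.status = "Closed"
    fresh = c.add_detection(Detection("DET-4", ent, t0 + timedelta(hours=5)))
    return {"same_incident": later is first, "entity_isolated": other is not first,
            "event_linked": linked, "info_event_ignored": not ignored,
            "new_after_close": fresh is not first, "incidents": len(c.incidents),
            "det2_events": len(c.detections["DET-2"].events)}

if __name__ == "__main__":
    print(scenario())
```

DET-2 joins INC-1 even though the analyst had already moved it to In Progress, EV-9 joins DET-2 after the detection was raised, and DET-4 only gets a fresh incident because INC-1 was Closed by then. Keying correlation on the entity is what keeps the unrelated user's detection in its own incident.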
When creating an API key, which scope should be selected to retrieve Identity Protection detection and incident information?
Options:
A. Identity Protection Detections
B. Identity Protection Incidents
C. Identity Protection Assessment
D. Identity Protection Data
Answer: A
Explanation:
To retrieve identity-based detections and incident-related data through the CrowdStrike APIs, the API client must be granted the correct permission scope. According to the CCIS curriculum, the Identity Protection Detections scope is required to access identity-based detection and incident information through GraphQL.
This scope allows API queries to retrieve:
Identity-based detections
Associated incident metadata
Detection attributes such as severity, status, and related entities
Incident data in Falcon Identity Protection is derived from detections, which is why the Detections scope is the authoritative permission set for this information. Without it, GraphQL queries for identity detections and incidents fail authorization.
The other scopes are either too narrow or unrelated to detection retrieval. Scopes are assigned per API client in the Falcon console; grant only the scopes an integration actually needs, since an over-scoped client credential is itself an identity exposure. Therefore Option A is the correct answer.
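An added example of the API flow this question and the "CrowdStrike APIs" documentation question refer to, not code from the original page and not CrowdStrike's own client: obtain an OAuth2 bearer token with the client-credentials grant, send a GraphQL query to the Identity Protection endpoint, and handle the response, including the authorization error you get when the client lacks the scope. Assumptions: the US-1 base URL (other clouds use a different host), the GraphQL endpoint path as I know it from the CrowdStrike API documentation, and the query field names, which are placeholders to be replaced by a query generated in API Builder. The sample responses are constructed, so the script runs offline; it only calls the real API if FALCON_CLIENT_ID and FALCON_CLIENT_SECRET are set.

```python
"""Added example (not CrowdStrike's code): OAuth2 token request, GraphQL
query to the Identity Protection endpoint, and response handling.
Assumptions: US-1 base URL; GRAPHQL_PATH is the endpoint path as documented
for the Identity Protection API; the query fields are placeholders."""
import json
import os
import urllib.parse
import urllib.request

BASE_URL = "https://api.crowdstrike.com"                    # US-1; other clouds differ
GRAPHQL_PATH = "/identity-protection/combined/graphql/v1"  # assumed endpoint path

def token_request(client_id: str, client_secret: str) -> urllib.request.Request:
    """Client-credentials grant against /oauth2/token (form-encoded body)."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        BASE_URL + "/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})

def graphql_request(token: str, query: str, variables=None) -> urllib.request.Request:
    """Bearer-authenticated POST carrying {"query": ..., "variables": ...}."""
    payload = json.dumps({"query": query, "variables": variables or {}}).encode()
    return urllib.request.Request(
        BASE_URL + GRAPHQL_PATH, data=payload, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json", "Accept": "application/json"})

# Placeholder query: the field names are assumptions. Take the real ones from
# API Builder (Threat Hunter -> Open Query in API Builder).
INCIDENTS_QUERY = """
query RecentIncidents($n: Int!) {
  incidents(first: $n) {
    nodes { incidentId severity startTime lifeCycleStage }
  }
}
"""

def flatten_incidents(response: dict) -> list:
    """Turn a GraphQL response into (id, severity, stage) tuples.
    A GraphQL endpoint can answer HTTP 200 with an 'errors' array, so that
    array is checked explicitly; a 401/403 from the gateway surfaces as
    urllib.error.HTTPError from fetch_json instead."""
    if response.get("errors"):
        msgs = "; ".join(e.get("message", "?") for e in response["errors"])
        raise PermissionError(f"GraphQL errors (check API client scopes): {msgs}")
    nodes = response["data"]["incidents"]["nodes"]
    return [(n["incidentId"], n["severity"], n["lifeCycleStage"]) for n in nodes]

# Constructed sample responses (not real API output).
SAMPLE_OK = {"data": {"incidents": {"nodes": [
    {"incidentId": "inc-0001", "severity": "HIGH",
     "startTime": "2024-03-04T09:00:00Z", "lifeCycleStage": "IN_PROGRESS"},
    {"incidentId": "inc-0002", "severity": "MEDIUM",
     "startTime": "2024-03-04T12:00:00Z", "lifeCycleStage": "NEW"}]}}}
SAMPLE_DENIED = {"data": None,
                 "errors": [{"message": "access denied, authorization failed"}]}

def fetch_json(req: urllib.request.Request) -> dict:
    """Send the request and decode the JSON body (network call)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    cid = os.environ.get("FALCON_CLIENT_ID")
    secret = os.environ.get("FALCON_CLIENT_SECRET")
    if cid and secret:
        token = fetch_json(token_request(cid, secret))["access_token"]
        resp = fetch_json(graphql_request(token, INCIDENTS_QUERY, {"n": 5}))
    else:
        resp = SAMPLE_OK   # offline demonstration on the constructed sample
    for row in flatten_incidents(resp):
        print(row)
```

Keep the client secret in the environment or a secrets manager rather than in the script, and scope the API client to exactly what this query needs; the PermissionError path is what you will see first if the scope was not granted.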
Falcon Identity Protection can continuously assess identity events and associate them with potential threats WITHOUT which of the following?
Options:
A. Machine-learning-powered detection rules
B. API-based connectors
C. Ingesting logs
D. The need for string-based queries
Answer: D
Explanation:
Falcon Identity Protection is architected as a log-free identity security platform, a core tenet emphasized throughout the CCIS curriculum. Unlike traditional SIEM- or log-based solutions, it does not require string-based queries to continuously assess identity events or associate them with threats.
Instead, the platform relies on machine-learning-powered detection rules, real-time authentication traffic inspection, and API-based connectors to collect and analyze identity telemetry directly from domain controllers and identity providers. This removes the operational burden of building, tuning, and maintaining query logic.
String-based queries belong to legacy log aggregation tools and SIEM platforms, where analysts search logs by hand to find suspicious behavior. Falcon Identity Protection replaces that model with behavioral baselining and automated correlation, so identity risk is assessed continuously without analyst-driven queries.
Because Falcon does not require string-based queries to operate, Option D is the correct answer.
Under which CrowdStrike documentation category could you find Identity Protection API information?
Options:
A. Tools and Reference
B. Falcon Management
C. CrowdStrike Store
D. CrowdStrike APIs
Answer: D
Explanation:
Identity Protection API documentation is part of CrowdStrike's centralized API documentation. According to the CCIS curriculum, Identity Protection API information is located under the "CrowdStrike APIs" documentation category.
This category includes:
API authentication and scopes
Identity Protection GraphQL schemas
Query examples for detections, incidents, users, and risk
Usage guidance and limitations
CrowdStrike consolidates all API documentation in one place for consistent access and maintenance across Falcon modules. Identity Protection APIs are not documented under Falcon Management, the CrowdStrike Store, or the general reference sections.
Because all product APIs, including Identity Protection, are documented under CrowdStrike APIs, Option D is the correct answer.
The NIST SP 800-207 framework for Zero Trust Architecture defines validation and authentication standards for users in which network locations?
Options:
A. Only those users inside the network
B. Only those users accessing the network remotely over VPN
C. All users both inside and outside of the network
D. Only those users outside the network
Answer: C
Explanation:
NIST SP 800-207, Zero Trust Architecture, rejects implicit trust based on network location. As stated in the NIST guidance and reinforced in the CCIS curriculum, all users must be continuously validated and authenticated regardless of whether they are inside or outside the network perimeter.
Zero Trust assumes threats can originate anywhere, including internal networks. Authentication and authorization decisions are therefore made dynamically from identity, device posture, behavior, and risk signals, not from network placement.
Falcon Identity Protection aligns with this principle by continuously evaluating identity behavior for all users, whether they authenticate from the corporate network, remote locations, or cloud environments.
Because Zero Trust applies universally, Option C is the correct answer.
Falcon Identity Protection monitors network traffic to build user behavioral profiles to help identify unusual user behavior. How can this be beneficial to create a Falcon Fusion workflow?
Options:
A. Falcon Fusion is not identity based
B. Falcon Fusion will only work with certain users
C. Falcon Fusion will only send emails to the user
D. Falcon Fusion works with your IT policy enforcement through the use of identity and behavioral analytics
Answer: D
Explanation:
Falcon Identity Protection continuously inspects authentication traffic and network behavior to establish behavioral baselines for users and accounts. These baselines let the platform detect deviations that indicate compromise, misuse, or insider activity, and that behavioral intelligence is what Falcon Fusion workflows act on.
Falcon Fusion uses identity and behavioral analytics as decision points within workflows, so automated actions fire when abnormal behavior is detected. A workflow can, for example, enforce MFA, notify administrators, isolate a risky session, or start remediation when a user deviates from their established baseline.
The CCIS curriculum highlights that Falcon Fusion is designed to integrate identity risk signals with IT policy enforcement, enabling Zero Trust-aligned automation. This goes well beyond notifications and supports coordinated responses across security and IT teams.
Options A, B, and C are incorrect because Falcon Fusion is fully identity-aware, applies broadly across users and entities, and supports a wide range of actions beyond email notifications. Option D accurately describes how behavioral profiling strengthens Falcon Fusion workflows.
Which option can be selected from the Threat Hunter menu to open the current Threat Hunter query in a new window as Graph API format?
Options:
A. Export to API Builder
B. Save as Custom Query
C. Save as Custom Report
D. Open Query in API Builder
Answer: D
Explanation:
Falcon Threat Hunter integrates directly with the API Builder to support advanced investigation workflows and automation. According to the CCIS curriculum, analysts can take an existing Threat Hunter query and convert it into a GraphQL-compatible format by selecting Open Query in API Builder from the Threat Hunter menu.
This option opens the current query in a new API Builder window, translating the query structure into GraphQL syntax where applicable. Security teams can then reuse validated hunting logic for automation, reporting, or external integrations without rewriting the query from scratch.
The other menu options serve different purposes:
Export to API Builder is not a valid menu action.
Save as Custom Query stores the query for reuse inside Threat Hunter.
Save as Custom Report generates a reporting artifact, not an API query.
Because Open Query in API Builder is the only option that opens the query in GraphQL format in a new window, Option D is the correct answer.
How does the Falcon sensor for Windows contribute to the enforcement in Falcon Identity Protection?
Options:
A. Enforces strict password complexity rules for user accounts
B. Encrypts network traffic to ensure secure communication
C. Manages user access and permissions on domain controllers
D. Collects and validates domain authentication events
Answer: D
Explanation:
The Falcon sensor for Windows supports Falcon Identity Protection by collecting and validating domain authentication events directly on the domain controllers. According to the CCIS curriculum, the sensor inspects authentication protocols such as Kerberos, NTLM, and LDAP through Authentication Traffic Inspection (ATI).
This telemetry lets Falcon Identity Protection analyze authentication behavior, build identity baselines, detect anomalies, and generate identity-based detections. The sensor does not enforce password policies, manage permissions, or encrypt network traffic; those functions belong to Active Directory and the network infrastructure.
By providing high-fidelity authentication telemetry without log ingestion, the Falcon sensor enables real-time identity threat detection and Zero Trust enforcement. Therefore Option D is the correct answer.
Which of the following are minimum requirements for showing the Falcon Identity Verification Dialog on the end user's machine?
Options:
A. Internet Explorer 9 and Windows Server 2008
B. .NET 3.5 and PowerShell 5.1
C. Windows Vista and .NET 3.5
D. Windows Server 2008 and PowerShell 5.1
Answer: A
Explanation:
The Falcon Identity Verification Dialog prompts users for identity verification during conditional access enforcement. According to the CCIS curriculum, Internet Explorer 9 and Windows Server 2008 are the minimum supported requirements for rendering the Identity Verification Dialog on an end user's system.
The requirement exists because the dialog relies on supported browser and OS components to present authentication challenges reliably during enforcement. Systems below these minimums may fail to display the dialog, which in turn breaks enforcement of MFA or identity verification actions.
The other options reference runtime frameworks or PowerShell versions that are not responsible for rendering the verification dialog. Therefore Option A is the correct answer.
Which section of the Falcon menu is used to investigate the Event Analysis dashboard?
Options:
A. Enforce
B. Threat Hunter
C. Explore
D. Configure
Answer: C
Explanation:
In Falcon Identity Protection, the Explore section of the Falcon menu is used to investigate analytical views such as the Event Analysis dashboard. This matches the CCIS framework, which defines Explore as the primary area for interactive investigation, analytics, and risk exploration across identity data.
The Event Analysis dashboard helps administrators analyze identity-related authentication events, behavioral patterns, and anomalous activity derived from domain traffic inspection and domain controller telemetry. These analytical capabilities sit under Explore because that menu category supports hypothesis-driven investigation rather than enforcement or configuration actions.
By contrast:
Enforce is used to apply policy rules and automated controls.
Threat Hunter is focused on proactive hunting using queries and detection pivots.
Configure is used to manage settings, connectors, policies, and integrations.
The CCIS documentation associates dashboards such as Risk Analysis and Event Analysis with the Explore menu, emphasizing its role in understanding why risk exists before taking action. Therefore Option C (Explore) is the correct answer.
Which of the following is NOT a default insight but can be created with a custom insight?
Options:
A. Using Unmanaged Endpoints
B. GPO Exposed Password
C. Compromised Password
D. Poorly Protected Accounts with SPN
Answer: D
Explanation:
In Falcon Identity Protection, default insights are prebuilt analytical views provided by CrowdStrike to highlight common, high-impact identity risks across the environment. They are available automatically in the Risk Analysis and Insights areas and surface well-known identity exposure patterns without customization.
Examples of default insights include Using Unmanaged Endpoints, GPO Exposed Password, and Compromised Password. These are provided natively because they represent frequent, high-risk identity attack vectors (credential exposure, unmanaged authentication sources, and password compromise), all of which contribute directly to elevated identity risk scores.
Poorly Protected Accounts with SPN (Service Principal Name), however, is not provided as a default insight. Falcon Identity Protection does collect and analyze SPN-related risk signals, such as Kerberoasting exposure and weak service account protections, but this specific grouping must be built by administrators using custom insight filters. Custom insights let teams define precise conditions, combine attributes (privilege level, SPN presence, password age, MFA status), and tailor risk visibility to their own threat model; an SPN-bearing account with an old, human-chosen password is exactly the target Kerberoasting goes after, so this is a worthwhile custom insight to create.
The CCIS curriculum emphasizes this distinction: custom insights extend beyond default coverage to enable deeper, organization-specific identity risk analysis. Therefore Option D is the correct answer.
Where would a Falcon administrator enable authentication traffic inspection (ATI) for Domain Controllers?
Options:
A. Identity configuration policies
B. Identity management settings
C. Identity detection configuration
D. Identity protection settings
Answer: A
Explanation:
Authentication Traffic Inspection (ATI) is a foundational capability of Falcon Identity Protection that lets the platform analyze authentication traffic on domain controllers. According to the CCIS documentation, ATI is enabled through Identity configuration policies.
Identity configuration policies define how the Falcon sensor captures and inspects authentication-related traffic, including Kerberos, NTLM, LDAP, and other identity protocols. Enabling ATI there ensures the domain controllers supply the telemetry needed for identity risk analysis, detections, and behavioral profiling. The policy must be assigned to the domain controllers' host group for the setting to take effect on them.
The other options are incorrect because:
Identity management settings focus on identity governance and administration.
Identity detection configuration controls detection logic, not traffic inspection.
Identity protection settings manage high-level configuration but do not directly enable ATI.
Because ATI must be explicitly enabled via Identity configuration policies, Option A is the correct answer.
Which of the following is NOT an available Goal within the Domain Security Overview?
Options:
A. Privileged Users Management
B. Business Privileged Users Management
C. AD Hygiene
D. Pen Testing
Answer: B
Explanation:
The Domain Security Overview in Falcon Identity Protection uses Goals to frame identity risks as focused assessment perspectives. Goals let organizations evaluate identity posture against specific priorities such as directory hygiene, privilege exposure, or overall attack surface reduction.
According to the CCIS curriculum, the available Goals include Privileged Users Management, AD Hygiene, Pen Testing, and Reduce Attack Surface. These Goals are predefined by CrowdStrike and determine how risks are grouped, weighted, and presented in reports.
Business Privileged Users Management is not an available Goal within the Domain Security Overview. Falcon Identity Protection does support the concept of business privileges and evaluates their impact on users and entities, but that is handled through risk analysis and configuration, not as a selectable Domain Security Goal.
The CCIS documentation distinguishes between Goals (which control reporting and assessment views) and business privilege modeling (which influences risk scoring). Therefore Option B is the correct answer.