Exam Passing Guarantee May 04, 2026 IDP Exam with Accurate Quastions!
Test Engine to Practice Test for IDP Valid and Updated Dumps
CrowdStrike IDP Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
| Topic 5 |
|
| Topic 6 |
|
| Topic 7 |
|
NEW QUESTION # 16
What is the recommended action for the"Guest Account Enabled"risk?
- A. Disable the endpoint in Active Directory
- B. Apply a policy rule with an "Access" trigger and "Block" action on the Guest account
- C. Add related endpoints to a watchlist
- D. Disable Guest accounts on all endpoints
Answer: D
Explanation:
In Falcon Identity Protection, the"Guest Account Enabled"risk highlights the presence of local or domain guest accounts that remain active across endpoints. Guest accounts are inherently high-risk because they typically lack strong authentication controls, are rarely monitored, and are frequently abused by attackers for lateral movement and persistence.
The CCIS curriculum explicitly recommendsdisabling Guest accounts on all endpointsas the primary remediation action. This is because guest accounts often bypass standard identity governance processes and violate the principles ofleast privilegeandZero Trust, both of which are foundational to Falcon Identity Protection's security model. Disabling these accounts removes an unnecessary and dangerous authentication path from the environment.
Other options are incorrect because:
* Adding endpoints to a watchlist does not remediate the risk.
* Blocking access via a policy rule is less effective than eliminating the account entirely.
* Disabling endpoints in Active Directory does not directly address the guest account exposure.
Falcon Identity Protection prioritizeselimination of weak identity configurations, and disabling guest accounts is a direct, effective action that immediately lowers identity risk scores and reduces attack surface.
Therefore,Option Cis the correct and verified answer.
NEW QUESTION # 17
The NIST SP 800-207 framework for Zero Trust Architecture defines validation and authentication standards for users in which network locations?
- A. Only those users accessing the network remotely over VPN
- B. All users both inside and outside of the network
- C. Only those users inside the network
- D. Only those users outside the network
Answer: B
Explanation:
TheNIST SP 800-207 Zero Trust Architectureframework fundamentally rejects the concept of implicit trust based on network location. As outlined in both NIST guidance and reinforced in the CCIS curriculum,all users must be continuously validated and authenticated regardless of whether they are inside or outside the network perimeter.
Zero Trust assumes that threats can originate from anywhere, including internal networks. Therefore, authentication and authorization decisions must be made dynamically using identity, device posture, behavior, and risk signals-not network placement.
Falcon Identity Protection aligns directly with this principle by continuously evaluating identity behavior for all users, whether they authenticate from internal corporate networks, remote locations, or cloud environments.
Because Zero Trust applies universally,Option Cis the correct and verified answer.
NEW QUESTION # 18
Which CrowdStrike documentation category would you search to find GraphQL examples?
- A. Identity Protection APIs
- B. XDR
- C. Threat Intelligence
- D. CrowdStrike APIs
Answer: D
Explanation:
GraphQL is the underlying query technology used by multiple CrowdStrike platforms, including Falcon Identity Protection. According to the CCIS curriculum,GraphQL examples are documented under the broader "CrowdStrike APIs" documentation category, not limited to a single product.
The CrowdStrike APIs section includes:
* Authentication and API key usage
* GraphQL schema references
* Example GraphQL queries and mutations
* Pagination, filtering, and response handling
While Identity Protection uses GraphQL for identity-specific queries, the examples themselves are centralized underCrowdStrike APIsto provide consistency across Falcon modules. Product-specific use cases are then layered on top of these core examples.
The other options are incorrect:
* Threat Intelligence focuses on adversary data.
* XDR covers detection and correlation concepts.
* Identity Protection APIs describe endpoints and permissions, not general GraphQL usage examples.
Therefore,Option Ais the correct and verified answer.
NEW QUESTION # 19
How does Identity Protection extend the capabilities of existing multi-factor authentication (MFA)?
- A. Identity Protection does not support on-premises MFA connectors
- B. Identity Protection will replace third-party MFA and trigger as it detects risky or abnormal behaviors
- C. Implementation of a second-layer security control using policy rules as it detects risky or abnormal behaviors
- D. Identity Protection is not going to detect risky user behavior
Answer: C
Explanation:
Falcon Identity Protection is designed toextend-not replace-existing MFA solutions. According to the CCIS curriculum, Identity Protection enhances MFA by adding arisk-driven, policy-based enforcement layerthat dynamically triggers MFA challenges when risky or abnormal identity behavior is detected.
Rather than applying MFA uniformly, Falcon evaluates authentication context such as behavioral deviation, privilege usage, and anomaly detection. When risk thresholds are exceeded, Policy Rules can enforce MFA through integrated connectors, providing adaptive, Zero Trust-aligned authentication.
The incorrect options misunderstand Falcon's role. Identity Protection does detect risky behavior, does not replace MFA providers, and fully supports both cloud and on-premises MFA connectors.
Because Falcon adds intelligence-driven enforcement on top of MFA,Option Ais the correct and verified answer.
NEW QUESTION # 20
Which of the following users would most likely have aHIGHrisk score?
- A. User that recently logged in from a shared endpoint
- B. Privileged user with a Compromised Password
- C. User that is a member of the Domain Admins group
- D. User that has not logged in recently and is marked as Stale
Answer: B
Explanation:
Falcon Identity Protection calculates user risk scores based on a combination ofprivilege level,credential exposure, andbehavioral indicators. According to the CCIS curriculum, aprivileged user with a compromised passwordrepresents one of the highest-risk identity scenarios.
Privileged accounts-such as administrators or service accounts with elevated access-already pose increased risk due to their access scope. When Falcon detects that such an account's credentials have been compromised, the risk escalates significantly because attackers can immediately gain high-impact access without further escalation.
The other options do not inherently represent the same level of risk:
* Logging in from a shared endpoint may increase risk but is context-dependent.
* Stale users are risky but typically lower risk than active compromised credentials.
* Domain Admin group membership alone does not imply compromise.
Becausecredential compromise combined with privilegedramatically increases attack potential,Option Bis the correct and verified answer.
NEW QUESTION # 21
Which of the following Falcon rolesCANNOTenable and disable policy rules?
- A. Identity Protection Domain Administrator
- B. Identity Protection Administrator
- C. Falcon Administrator
- D. Identity Protection Policy Manager
Answer: A
Explanation:
Falcon Identity Protection enforcesrole-based access control (RBAC)to ensure that only authorized users can create, modify, or manage policy rules. Policy rules directly impact identity enforcement actions, making proper role separation critical.
According to the CCIS documentation, the ability toenable and disable policy rulesis granted to theIdentity Protection Policy Managerand theFalcon Administratorroles. These roles are explicitly designed to manage enforcement logic, triggers, and automated identity controls.
TheIdentity Protection Domain Administratorrole, however, is limited todomain-level visibility and management, such as reviewing domain configurations, monitoring risks, and assessing posture. This role doesnothave permissions to modify or control policy enforcement behavior.
This separation prevents accidental or unauthorized changes to identity enforcement rules. Therefore,Option Ais the correct and verified answer.
NEW QUESTION # 22
For false positives, the Detection details can be set to new"Actions"using:
- A. remediations
- B. exceptions
- C. exits
- D. recommendations
Answer: B
Explanation:
When an identity-based detection is determined to be afalse positive, Falcon Identity Protection allows administrators to take corrective action usingexceptions. According to the CCIS curriculum, exceptions are the mechanism by which detections can be suppressed for specific entities or conditions without disabling the detection entirely.
Exceptions are configured from theDetection detailsview and are intended to handle known, acceptable behavior that would otherwise continue to trigger detections. This allows security teams to reduce noise while maintaining visibility into true threats. Exceptions are especially valuable in environments with complex authentication patterns or legacy configurations.
The other options are incorrect:
* Exitsare not a detection control mechanism.
* Remediationsrefer to corrective actions, not suppression logic.
* Recommendationsprovide guidance but do not change detection behavior.
By usingexceptions, Falcon ensures that false positives are handled in a controlled and auditable way, aligning with best practices outlined in the CCIS material. Therefore,Option Cis the correct answer.
NEW QUESTION # 23
The configuration of the Azure AD (Entra ID) Identity-as-a-Service connector requires which three pieces of information?
- A. Tenant Domain, Application ID, Application Secret
- B. Tenant Domain, Token, Configuration File
- C. Tenant Domain, Client Secret, User Identifier
- D. Tenant Domain, Application ID, Scope
Answer: A
Explanation:
To integrate Falcon Identity Protection withAzure AD (Entra ID)as an Identity-as-a-Service (IDaaS) provider, specific application-level credentials are required. According to the CCIS curriculum, the connector configuration requiresTenant Domain,Application (Client) ID, andApplication Secret.
These values are generated when registering an application in Azure AD and are used to authenticate Falcon Identity Protection securely via OAuth-based API access. This method ensures least-privilege access and allows the connector to ingest cloud authentication activity and apply SSO-related policy enforcement.
Other options list incomplete or incorrect credential combinations. Therefore,Option Dis the correct and verified answer.
NEW QUESTION # 24
Within the Falcon Identity Protection portal, which page allows you to enable/disable Policy Rules?
- A. Configure
- B. Identity-Based Detections
- C. Enforce
- D. Policy Enforcement
Answer: C
Explanation:
In Falcon Identity Protection, Policy Rules are managed within the Enforce section of the portal. The CCIS documentation explains that Enforce is the operational area where administrators create, enable, disable, and manage Policy Rules and Policy Groups.
This section is specifically designed for identity enforcement logic, allowing security teams to activate or suspend rules without modifying underlying configurations or analytics. Enabling or disabling a Policy Rule immediately affects how identity conditions are enforced across the environment.
Other sections serve different purposes:
Configure manages connectors, domains, subnets, and risk settings.
Identity-Based Detections is used for investigation and monitoring.
Policy Enforcement is not a standalone navigation section in Falcon Identity Protection.
Because rule activation and enforcement control reside exclusively in Enforce, Option B is the correct and verified answer.
NEW QUESTION # 25
Where would a Falcon administrator enable authentication traffic inspection (ATI) for Domain Controllers?
- A. Identity management settings
- B. Identity protection settings
- C. Identity detection configuration
- D. Identity configuration policies
Answer: D
Explanation:
Authentication Traffic Inspection (ATI) is a foundational capability of Falcon Identity Protection that enables the platform to analyze authentication traffic from domain controllers. According to the CCIS documentation, ATI is enabled throughIdentity configuration policies.
Identity configuration policies define how the Falcon sensor captures and inspects authentication-related traffic, including Kerberos, NTLM, LDAP, and other identity protocols. Enabling ATI at this level ensures that domain controllers provide the necessary telemetry for identity risk analysis, detections, and behavioral profiling.
The other options are incorrect because:
* Identity management settings focus on identity governance and administration.
* Identity detection configuration controls detection logic, not traffic inspection.
* Identity protection settings manage high-level configuration but do not directly enable ATI.
Because ATI must be explicitly enabled viaIdentity configuration policies,Option Ais the correct and verified answer.
NEW QUESTION # 26
How does CrowdStrike Falcon Identity Protection help customers identify different types of accounts in their domain?
- A. Conducts regular vulnerability assessments on programmatic accounts
- B. Analyzes authentication traffic and automatically classifies programmatic and human accounts
- C. Assigns a human authorizer to each programmatic account for approval
- D. Implements advanced encryption algorithms for account metadata
Answer: B
Explanation:
Falcon Identity Protection automatically differentiateshuman and programmatic accountsby analyzing authentication traffic patterns. According to the CCIS curriculum, the platform uses behavioral analytics to observe how accounts authenticate, including frequency, protocol usage, timing, and access patterns.
Human users typically authenticate interactively and exhibit variable behavior, while programmatic or service accounts authenticate predictably and non-interactively. Falcon leverages these differences to automatically classify account types without requiring manual tagging or administrative input.
This classification is critical for accurate risk scoring, privilege analysis, and detection logic. Programmatic accounts often carry elevated privileges and long-lived credentials, making them attractive targets for attackers. Automatically identifying them allows Falcon to apply appropriate risk models and detections.
Because Falcon usesauthentication traffic analysisto classify account types,Option Cis the correct and verified answer.
NEW QUESTION # 27
The Enforce section of Identity Protection is used to:
- A. Gain an overview of the domain and indicate whether the domain follows best security practice
- B. View all identity-based detections and identity-based incidents in the environment
- C. Define policy rules that determine what actions to take in response to certain triggers observed in the environment
- D. Configure domains, appliances, subnets, connectors, risk configuration, and settings
Answer: C
Explanation:
The Enforce section of Falcon Identity Protection is dedicated to policy-based identity enforcement.
According to the CCIS curriculum, this section allows administrators to define and manage Policy Rules and Policy Groups that specify how the platform should respond when identity-related conditions are detected.
These rules evaluate triggers such as risky authentication behavior, privilege misuse, compromised credentials, or elevated risk scores, and then execute actions like blocking access, enforcing MFA, or initiating Falcon Fusion workflows. Enforce is therefore the execution layer of Falcon's identity security model.
The other options correspond to different sections of the platform:
Configuration tasks are handled in Configure.
Detections and incidents are reviewed in Monitor or Explore.
Domain posture overviews are displayed in Domain Security Overview.
Because Enforce directly controls what actions are taken in response to identity risk, Option B is the correct and verified answer.
NEW QUESTION # 28
Which of the following areNOTincluded within the three-dot menu on Identity-based Detections?
Which of the following are not included within the three-dot menu on Identity-based Detections?
- A. Edit status
- B. Add to Watchlist
- C. Add exclusion
- D. Add comment
Answer: B
Explanation:
In Falcon Identity Protection, thethree-dot (#) action menuon anidentity-based detectionprovides analysts with a limited set of actions that applydirectly to the detection itself. According to the CCIS curriculum, these actions are designed to support investigation workflow, tuning, and documentation.
The supported actions in the detection-level three-dot menu include:
* Edit status, which allows analysts to update the detection state (for example, New, In Progress, or Closed).
* Add comment, which enables collaboration and documentation directly on the detection.
* Add exclusion, where supported, to suppress future detections that match known benign behavior.
Add to Watchlistisnot includedin this menu because watchlists are applied toentities(such as users, service accounts, or endpoints), not to detections. Watchlists are managed from entity views or investigation workflows and are used to increase visibility and monitoring priority for specific identities-not to act on individual detections.
This distinction is emphasized in CCIS training to reinforce the separation betweenentity-centric actionsand detection-centric actions. Because watchlists operate at the entity level,Option Bis the correct and verified answer.
NEW QUESTION # 29
How many days will an identity-based incident be suppressed if new events related to the same incident occur?
- A. 7 days
- B. 14 days
- C. 5 days
- D. 30 days
Answer: C
Explanation:
Falcon Identity Protection usesincident suppression windowsto prevent alert fatigue while still maintaining accurate incident tracking. According to the CCIS documentation, whennew events related to an existing identity-based incident occur, the incident issuppressed for 5 days.
This suppression means that Falcon does not generate a new incident for the same activity during this window. Instead, additional detections areadded to the existing incident, allowing analysts to view the full progression of the threat in a single investigative context.
The 5-day suppression window ensures that ongoing identity attacks-such as repeated authentication abuse or lateral movement-are consolidated rather than fragmented across multiple incidents. This improves investigation efficiency and aligns with Falcon's incident lifecycle management approach.
Because the suppression period is fixed at5 days,Option Dis the correct and verified answer.
NEW QUESTION # 30
Which of the following actions willNOThelp to decrease a domain risk score?
- A. Enforcing NTLMv2 responses
- B. Upgrading endpoints running end-of-life operating systems
- C. Enabling SMB Signing within Active Directory
- D. Upgrading endpoints running end-of-life Acrobat Reader
Answer: D
Explanation:
Falcon Identity Protection evaluatesdomain riskby analyzing identity-related weaknesses such as insecure authentication protocols, legacy directory configurations, and exposure to credential-based attacks. Actions that harden Active Directory and authentication mechanisms will directly reduce domain risk scores.
Measures such asenabling SMB signing,enforcing NTLMv2, andupgrading unsupported operating systemsremove common identity attack paths and are explicitly recommended in the CCIS curriculum as effective domain risk remediation steps.
In contrast,upgrading end-of-life Acrobat Readeraddresses anendpoint application vulnerability, not an identity or directory-related risk. While important for endpoint hygiene, it does not influence identity telemetry, authentication behavior, or domain controller security assessed by Falcon Identity Protection.
Because domain risk scoring is strictly tied to identity infrastructure and authentication posture,Option Bdoes not contribute to lowering the domain risk score and is therefore the correct answer.
NEW QUESTION # 31
The events are excluded by default while Low, Medium, and High detections are visible.
- A. Indiscrete
- B. Informational
- C. Inferior
- D. Internal
Answer: B
Explanation:
In Falcon Identity Protection,Informationaldetections represent low-impact events that provide context but do not indicate elevated identity risk. According to the CCIS curriculum,Informational events are excluded by defaultfrom standard detection views to reduce noise and allow analysts to focus on higher-risk activity.
By default,Low, Medium, and High severity detections remain visible, as these contribute directly to identity risk scoring, incident formation, and investigative workflows. Informational detections can still be viewed if filters are adjusted, but they are intentionally hidden in default views.
This design supports efficient threat triage by prioritizing detections that are more likely to represent real security concerns. The other options listed are not valid detection severity classifications within Falcon Identity Protection.
Because Informational events are excluded by default while higher-severity detections remain visible,Option Ais the correct and verified answer.
NEW QUESTION # 32
An account without a phone number, operating system, or role of CEO would typically be defined as:
- A. Corporate
- B. Human
- C. Enterprise
- D. Programmatic
Answer: D
Explanation:
Falcon Identity Protection classifies accounts based onobserved authentication behavior and associated identity attributes, not solely on naming conventions. According to the CCIS curriculum,programmatic accounts(such as service accounts or application accounts) typically lack human-centric attributes like a phone number, assigned operating system, job title, or executive role (for example, CEO).
Human accounts generally have enriched identity context sourced from directory services and identity providers, including user profile details, interactive login behavior, and endpoint associations. In contrast, programmatic accounts authenticate non-interactively, often on predictable schedules, and do not require personal attributes to function.
Falcon analyzes authentication traffic to automatically identify these characteristics and classify the account accordingly. An account missing human identity signals-such as a phone number or endpoint ownership- strongly aligns with programmatic behavior.
Because the absence of personal attributes and interactive context is a defining indicator of aprogrammatic account,Option Ais the correct and verified answer.
NEW QUESTION # 33
Describe the difference between a Human account and a Programmatic account.
- A. A human account is an Administrator
- B. A programmatic account is only used interactively
- C. A human account is often used interactively
- D. A programmatic account is never authorized for multi-factor authentication
Answer: C
Explanation:
Falcon Identity Protection differentiateshuman accountsandprogrammatic accountsbased onauthentication behavior, not naming conventions or assigned roles. According to the CCIS curriculum,human accounts are often used interactively, meaning they authenticate through direct user actions such as workstation logins, VPN access, or application access.
Programmatic accounts (such as service accounts) typically authenticatenon-interactively, often on a predictable schedule or in response to automated processes. Falcon analyzes authentication frequency, protocol usage, timing, and access patterns to classify account types automatically.
The incorrect options reflect common misconceptions:
* Human accounts are not always administrators.
* Programmatic accounts can support MFA in some architectures.
* Programmatic accounts are not used interactively.
Because interactive authentication behavior is the defining characteristic of human accounts,Option Dis the correct and verified answer.
NEW QUESTION # 34
Which menu option isNOTincluded in Falcon Identity Threat Detection (ITD)?
- A. Event Analysis
- B. Policy Rules
- C. Settings
- D. Privileged Identities
Answer: B
Explanation:
Falcon Identity Threat Detection (ITD) providesvisibility, analytics, and detectionof identity-based threats but doesnot include enforcement capabilities. According to the CCIS curriculum, ITD customers have access to investigative and analytical features such asEvent Analysis,Privileged Identities, and relevant Settingsfor visibility and monitoring.
Policy Rules, however, are part ofIdentity Threat Protection (ITP)and reside in theEnforcesection of the Falcon console. Policy Rules enable automated responses and enforcement actions, such as blocking access or enforcing MFA, which are not available under ITD-only subscriptions.
This distinction is critical in the CCIS material:
* ITD = Detect and analyze identity threats
* ITP = Detect + enforce policy actions
Because ITD does not include enforcement functionality,Policy Rules are not available, makingOption Dthe correct answer.
NEW QUESTION # 35
What does a modern Zero Trust security architecture offer compared to a traditional wall-and-moat (perimeter- based firewall) approach?
- A. Secures the perimeter of a network and does not allow access to any entities deemed "zero trust"
- B. Continuously authenticates entities regardless of origin
- C. Issues trust certificates to internal entities and zero trust certificates to external entities
- D. Applies machine learning to gauge the trustworthiness of any external entities
Answer: B
Explanation:
A modern Zero Trust security architecture fundamentally differs from the traditional wall-and-moat model by eliminating implicit trust based on network location. As defined inNIST SP 800-207and reinforced in the CCIS curriculum, Zero Trust requirescontinuous authentication and authorization of all entities, regardless of whether they originate from inside or outside the network.
Traditional perimeter-based security assumes that users and devices inside the network are trusted, focusing defenses at the boundary. This approach fails in modern environments where cloud access, remote work, and compromised credentials allow attackers to operate internally without triggering perimeter controls.
Zero Trust replaces this assumption with continuous validation using identity, behavior, device posture, and risk signals. Falcon Identity Protection operationalizes this concept by continuously inspecting authentication traffic and reassessing trust throughout a session, not just at login time.
Because Zero Trust applies universally and continuously,Option Dis the correct and verified answer.
NEW QUESTION # 36
When an endpoint that has not been used in the last90 daysbecomes active, a detection forUse of Stale Endpointis reported.
- A. 90 days
- B. 30 days
- C. 180 days
- D. 60 days
Answer: A
Explanation:
Falcon Identity Protection identifiesstale endpointsas systems that have not authenticated or shown activity for an extended period and then suddenly become active. According to the CCIS curriculum, an endpoint that has been inactive for90 daysand then resumes activity will trigger aUse of Stale Endpointdetection.
This detection is important because attackers frequently exploit dormant or forgotten systems to re-enter environments, evade monitoring, or move laterally. A long period of inactivity followed by sudden authentication activity is considered a strong identity risk signal.
The 90-day threshold is used to establish a reliable inactivity baseline while minimizing false positives.
Shorter timeframes could incorrectly flag normal usage patterns, while longer timeframes could delay detection of genuine threats.
Because Falcon explicitly defines stale endpoint activity using a90-day inactivity window,Option Bis the correct answer.
NEW QUESTION # 37
......
Exam Questions for IDP Updated Versions With Test Engine: https://actualtests.passsureexam.com/IDP-pass4sure-exam-dumps.html