CrowdStrike IDP Exam - Topic 1 Question 10 Discussion

In Falcon Identity Protection, identity-based incidents are dynamic and can evolve over time as additional detections are associated with them. According to the CCIS curriculum, an incident's type is automatically recalculated based on the detections related to the incident, not by manual user actions.

As new identity-based detections are generated---such as credential misuse, lateral movement attempts, or abnormal authentication behavior---the platform continuously reassesses the incident. If the newly added detections indicate a different or more severe attack pattern, Falcon may automatically change the incident type to better reflect the observed threat activity.

Manual actions such as adding exclusions or linking detections do not directly change the incident type. Similarly, users cannot manually override an incident's classification. The classification logic is driven entirely by Falcon's analytics engine to ensure consistent, objective threat categorization.

This automated behavior is emphasized in CCIS training to highlight Falcon's ability to adapt incident context as attacks progress, making Option D the correct answer.