The CISO of your organization recently read a report about the increased usage of identity brokers and is interested in finding a solution for the company. Which of the following makes Falcon Identity a valid solution for the organization?
Falcon Identity Protection is designed to address the growing threat of identity brokers, which act as intermediaries that abuse identity infrastructure to facilitate lateral movement, privilege escalation, and persistent access. The CCIS curriculum emphasizes that Falcon Identity Protection provides proactive identity risk mitigation rather than reactive session monitoring or password vaulting.
The platform continuously inspects authentication traffic and identity behavior across Active Directory and Azure AD environments, building behavioral baselines and identifying abnormal activity associated with brokered identity attacks. Through Policy Rules, organizations can automatically enforce controls such as blocking risky authentications, enforcing MFA, or triggering remediation workflows when identity abuse is detected.
The incorrect options describe capabilities associated with Privileged Access Management (PAM) or IAM middleware, which are not the focus of Falcon Identity Protection. Falcon does not record interactive sessions, act as an HRIS bridge, or store delegated credentials. Instead, it protects identity infrastructure by detecting and preventing identity misuse in real time.
This proactive enforcement model aligns directly with Zero Trust principles and makes Falcon Identity Protection a strong solution against identity broker activity. Therefore, Option C is the correct and verified answer.
How does the Falcon sensor for Windows contribute to the enforcement in Falcon Identity Protection?
The Falcon sensor for Windows plays a critical role in Falcon Identity Protection by collecting and validating domain authentication events directly from domain controllers. According to the CCIS curriculum, the sensor inspects authentication protocols such as Kerberos, NTLM, and LDAP through Authentication Traffic Inspection (ATI).
This telemetry enables Falcon Identity Protection to analyze authentication behavior, build identity baselines, detect anomalies, and generate identity-based detections. The sensor does not enforce password policies, manage permissions, or encrypt network traffic; those functions belong to Active Directory and network infrastructure components.
By providing high-fidelity authentication telemetry without relying on log ingestion, the Falcon sensor enables real-time identity threat detection and Zero Trust enforcement. Therefore, Option D is the correct and verified answer.
Which of the following demonstrates a detection is enabled?
In Falcon Identity Protection, detection status is visually indicated using a toggle control within the detection configuration interface. According to the CCIS documentation, when a detection is enabled, the toggle next to Detection Enabled is displayed in green.
A green toggle indicates that the detection logic is active and that Falcon will generate detections when the defined conditions are met. When the toggle is gray, the detection is disabled and will not generate alerts or contribute to incident formation.
Falcon does not rely on textual "Enabled" or "Disabled" tags to indicate detection status. Instead, the toggle color provides a clear, immediate visual indicator to administrators.
Because a green toggle explicitly represents an enabled detection, Option B is the correct and verified answer.
To enforce conditional access policies with Identity Verification, an MFA connector can be configured for different authentication methods such as:
Falcon Identity Protection integrates with third-party MFA providers through MFA connectors to support conditional access and identity verification. The CCIS documentation explains that these connectors allow organizations to enforce MFA challenges based on identity risk, authentication behavior, or policy conditions.
One of the supported MFA authentication methods is Push, where a notification is sent to a registered device or application for user approval. Push-based MFA is widely used due to its balance of usability and security and is fully supported by Falcon Identity Protection when integrated with compatible MFA providers.
The other options are not valid MFA authentication methods within Falcon:
Page and Pull are not recognized MFA mechanisms.
Alarm is related to alerting, not authentication.
By enabling push-based MFA through an MFA connector, organizations can dynamically enforce identity verification in alignment with Zero Trust principles. Therefore, Option B is the correct and verified answer.
What is the purpose behind creating Policy Rules?
Policy Rules in Falcon Identity Protection are designed to automate enforcement and response actions based on identity-related conditions observed in the environment. According to the CCIS curriculum, Policy Rules evaluate identity signals such as authentication behavior, risk levels, privilege status, and detection outcomes, then execute predefined actions when specific criteria are met.
These actions may include blocking authentication, enforcing MFA, generating alerts, or triggering Falcon Fusion workflows. This design supports Falcon's Zero Trust and continuous validation model, where trust decisions are dynamically enforced rather than statically assigned. Policy Rules therefore act as the operational bridge between identity analytics and enforcement.
The incorrect options confuse Policy Rules with other platform components. Administrative permissions are governed by RBAC, sensor data collection scope is controlled through configuration settings, and behavioral learning is handled by Falcon's analytics engine, not Policy Rules.
The CCIS documentation explicitly defines Policy Rules as logic-based enforcement mechanisms, making Option A the correct and verified answer.