CrowdStrike IDP Exam Questions

Exam Name: CrowdStrike Certified Identity Specialist
Exam Code: IDP
Related Certification(s): CrowdStrike Certified Identity Specialist CCIS Certification
Certification Provider: CrowdStrike
Number of IDP practice questions in our database: 58 (updated: Apr. 21, 2026)
Expected IDP Exam Topics, as suggested by CrowdStrike:
  • Topic 1: Zero Trust Architecture: Covers NIST SP 800-207 framework, Zero Trust principles, Falcon's implementation, differences from traditional security models, use cases, and Zero Trust Assessment score calculation.
  • Topic 2: Identity Protection Tenets: Examines Falcon Identity Protection's architecture, domain traffic inspection, EDR complementation, human vulnerability protection, log-free detections, and identity-based attack mitigation.
  • Topic 3: Falcon Identity Protection Fundamentals: Introduces the four menu categories (monitor, enforce, explore, configure), subscription differences between ITD and ITP, user roles, permissions, and threat mitigation capabilities.
  • Topic 4: Domain Security Assessment: Focuses on domain risk scores, trends, matrices, severity/likelihood/consequence factors, risk prioritization, score reduction, and configuring security goals and scopes.
  • Topic 5: Risk Assessment: Covers entity risk categorization, risk and event analysis dashboards, filtering, user risk reduction, custom insights versus reports, and export scheduling.
  • Topic 6: User Assessment: Examines user attributes, differences between users/endpoints/entities, risk baselining, risky account types, elevated privileges, watchlists, and honeytoken accounts.
  • Topic 7: Threat Hunting and Investigation: Focuses on identity-based detections and incidents, investigation pivots, incident trees, detection evolution, filtering, managing exclusions and exceptions, and risk types.
  • Topic 8: Risk Management with Policy Rules: Covers creating and managing policy rules and groups, triggers, conditions, enabling/disabling rules, applying changes, and required Falcon roles.
  • Topic 9: Configuration and Connectors: Addresses domain controller monitoring, subnet management, risk settings, MFA and IDaaS connectors, authentication traffic inspection, and country-based lists.
  • Topic 10: Multifactor Authentication (MFA) and Identity-as-a-service (IDaaS) Configuration Basics: Focuses on accessing and configuring MFA and IDaaS connectors, configuration fields, and enabling third-party MFA integration.
  • Topic 11: Falcon Fusion SOAR for Identity Protection: Explores SOAR workflow automation including triggers, conditions, actions, creating custom/templated/scheduled workflows, branching logic, and loops.
  • Topic 12: GraphQL API: Covers Identity API documentation, creating API keys, permission levels, pivoting from Threat Hunter to GraphQL, and building queries.
Discuss CrowdStrike IDP Topics, Questions or Ask Anything Related

Frank Green

13 hours ago
Honestly, GraphQL queries for aggregating identity risk across tenants were the trickiest on the IDP exam; the nested fields and pagination confused me. Practicing sample queries and tracing responses in the Falcon console helped clarify the data structure.
upvoted 0 times

Rikki

19 days ago
Confidence is key! The Pass4Success practice exams boosted my self-assurance and helped me tackle the exam questions with ease.
upvoted 0 times

Chau

26 days ago
I recently passed the CrowdStrike Certified Identity Specialist exam and credit Pass4Success practice questions for sharpening my understanding of Risk Assessment, especially how to quantify residual risk after implementing MFA and IDaaS controls. A tricky question asked me to map a risk score to a recommended control set within a Zero Trust Architecture, and I struggled briefly before recalling best practices to justify the final choice. It asked to weigh probability and impact across device posture and access context, then select the most appropriate mitigations. Pass4Success helped me cement the right thresholds.
upvoted 0 times

Vallie

1 month ago
The hardest part for me was understanding the identity lifecycle in CrowdStrike Falcon and how SSO interactions affect session management. Pass4Success practice exams helped me drill those tricky scenarios until the questions felt intuitive.
upvoted 0 times

Marvel

1 month ago
Familiarize yourself with the various identity providers (IdPs) and their integration with CrowdStrike's identity protection capabilities.
upvoted 0 times

Corazon

2 months ago
Understand the role of identity and access management (IAM) in a Zero Trust security model and how it can enhance overall security posture.
upvoted 0 times

Marsha

2 months ago
I was anxious about the timing and tricky concepts, but Pass4Success provided structured lessons and realistic tests that made me feel prepared. You’ve got this—trust the process!
upvoted 0 times

Tiffiny

2 months ago
I felt overwhelmed at first, yet Pass4Success broke the material into manageable chunks and practice questions that boosted my confidence. Believe in yourself and take it one step at a time.
upvoted 0 times

Mee

2 months ago
I'm thrilled to have passed the CrowdStrike Certified Identity Specialist exam! Thanks, Pass4Success, for the excellent prep materials.
upvoted 0 times

Theron

3 months ago
Manage your time wisely during the exam. The Pass4Success practice tests really prepared me for the pacing and structure of the real thing.
upvoted 0 times

Pearly

3 months ago
My initial nerves were through the roof, but Pass4Success gave me a clear study path and mock exams that built real confidence. If I can do this, you can too—stay steady and keep pushing!
upvoted 0 times

Stevie

3 months ago
Passing the CrowdStrike Certified Identity Specialist exam was a game-changer for me. The Pass4Success practice exams were instrumental in helping me identify my weak areas and focus my study efforts.
upvoted 0 times

Jess

3 months ago
Be prepared to identify and mitigate common identity-related threats like phishing, credential theft, and privilege escalation.
upvoted 0 times

Free CrowdStrike IDP Exam Actual Questions

Note: Premium Questions for IDP were last updated on Apr. 21, 2026 (see below)

Question #1

When creating an API key, which scope should be selected to retrieve Identity Protection detection and incident information?

Correct Answer: A

To retrieve identity-based detections and incident-related data using the CrowdStrike APIs, the API key must include the correct permission scope. According to the CCIS curriculum, the Identity Protection Detections scope is required to access identity-based detection and incident information through GraphQL.

This scope allows API queries to retrieve:

  • Identity-based detections
  • Associated incident metadata
  • Detection attributes such as severity, status, and related entities

Incident data in Falcon Identity Protection is derived from detections, making the Detections scope the authoritative permission set for this information. Without this scope, GraphQL queries related to identity detections and incidents will fail authorization.

The other scopes are either too narrow or unrelated to detection retrieval. Therefore, Option A is the correct and verified answer.


Question #2

What setting can be switched under the Domain Security Overview for each Active Directory domain and/or Azure tenant?

Correct Answer: D

In the Domain Security Overview, Scope is a configurable setting that allows administrators to switch between Active Directory domains and Azure tenants. This capability is essential for organizations managing multiple identity environments, as it enables targeted risk assessment and comparison across different identity infrastructures.

The CCIS documentation explains that Scope determines which domain or tenant's identity data is displayed in the Overview dashboard, including risk scores, trends, and prioritized remediation guidance. Changing the scope does not alter risk calculations; it simply refocuses the analysis on the selected identity environment.

Other options are incorrect because:

  • Privileged Identities represent a subset of users, not a switchable setting.
  • Domains are entities, not a dashboard control.
  • Goal changes how risks are evaluated, not which environment is displayed.

By allowing granular control over which domain or tenant is analyzed, Scope supports accurate identity risk management in complex, hybrid environments. Therefore, Option D is the correct answer.


Question #3

The CISO of your organization recently read a report about the increased usage of identity brokers and is interested in finding a solution for the company. Which of the following makes Falcon Identity a valid solution for the organization?

Correct Answer: C

Falcon Identity Protection is designed to address the growing threat of identity brokers, which act as intermediaries that abuse identity infrastructure to facilitate lateral movement, privilege escalation, and persistent access. The CCIS curriculum emphasizes that Falcon Identity Protection provides proactive identity risk mitigation rather than reactive session monitoring or password vaulting.

The platform continuously inspects authentication traffic and identity behavior across Active Directory and Azure AD environments, building behavioral baselines and identifying abnormal activity associated with brokered identity attacks. Through Policy Rules, organizations can automatically enforce controls such as blocking risky authentications, enforcing MFA, or triggering remediation workflows when identity abuse is detected.

The incorrect options describe capabilities associated with Privileged Access Management (PAM) or IAM middleware, which are not the focus of Falcon Identity Protection. Falcon does not record interactive sessions, act as an HRIS bridge, or store delegated credentials. Instead, it protects identity infrastructure by detecting and preventing identity misuse in real time.

This proactive enforcement model aligns directly with Zero Trust principles and makes Falcon Identity Protection a strong solution against identity broker activity. Therefore, Option C is the correct and verified answer.


Question #4

How does the Falcon sensor for Windows contribute to the enforcement in Falcon Identity Protection?

Correct Answer: D

The Falcon sensor for Windows plays a critical role in Falcon Identity Protection by collecting and validating domain authentication events directly from domain controllers. According to the CCIS curriculum, the sensor inspects authentication protocols such as Kerberos, NTLM, and LDAP through Authentication Traffic Inspection (ATI).

This telemetry enables Falcon Identity Protection to analyze authentication behavior, build identity baselines, detect anomalies, and generate identity-based detections. The sensor does not enforce password policies, manage permissions, or encrypt network traffic; those functions belong to Active Directory and network infrastructure components.

By providing high-fidelity authentication telemetry without relying on log ingestion, the Falcon sensor enables real-time identity threat detection and Zero Trust enforcement. Therefore, Option D is the correct and verified answer.


Question #5

Which of the following demonstrates a detection is enabled?

Correct Answer: B

In Falcon Identity Protection, detection status is visually indicated using a toggle control within the detection configuration interface. According to the CCIS documentation, when a detection is enabled, the toggle next to Detection Enabled is displayed in green.

A green toggle indicates that the detection logic is active and that Falcon will generate detections when the defined conditions are met. When the toggle is gray, the detection is disabled and will not generate alerts or contribute to incident formation.

Falcon does not rely on textual "Enabled" or "Disabled" tags to indicate detection status. Instead, the toggle color provides a clear, immediate visual indicator to administrators.

Because a green toggle explicitly represents an enabled detection, Option B is the correct and verified answer.


