Free CrowdStrike IDP Exam Dumps June 2026

The Falcon Identity Verification Dialog is used to prompt users for identity verification during conditional access enforcement. According to the CCIS curriculum, Internet Explorer 9 and Windows Server 2008 represent the minimum supported requirements for rendering the Identity Verification Dialog on an end user's system.

This requirement exists because the dialog relies on supported browser and OS components to present authentication challenges reliably during enforcement workflows. Systems that do not meet these minimum requirements may fail to display the dialog correctly, impacting the enforcement of MFA or identity verification actions.

The other options reference runtime frameworks or PowerShell versions that are not directly responsible for rendering the verification dialog. Therefore, Option A is the correct and verified answer.

Falcon Identity Protection uses incident suppression windows to prevent alert fatigue while still maintaining accurate incident tracking. According to the CCIS documentation, when new events related to an existing identity-based incident occur, the incident is suppressed for 5 days.

This suppression means that Falcon does not generate a new incident for the same activity during this window. Instead, additional detections are added to the existing incident, allowing analysts to view the full progression of the threat in a single investigative context.

The 5-day suppression window ensures that ongoing identity attacks---such as repeated authentication abuse or lateral movement---are consolidated rather than fragmented across multiple incidents. This improves investigation efficiency and aligns with Falcon's incident lifecycle management approach.

Because the suppression period is fixed at 5 days, Option D is the correct and verified answer.

In Falcon Identity Protection, default insights are prebuilt analytical views provided by CrowdStrike to immediately highlight common and high-impact identity risks across the environment. These default insights are automatically available in the Risk Analysis and Insights areas and are designed to surface well-known identity exposure patterns without requiring customization.

Examples of default insights include Using Unmanaged Endpoints, GPO Exposed Password, and Compromised Password. These insights are natively provided because they represent frequent and high-risk identity attack vectors such as credential exposure, unmanaged authentication sources, and password compromise, all of which directly contribute to elevated identity risk scores.

Poorly Protected Accounts with SPN (Service Principal Name), however, is not provided as a default insight. While Falcon Identity Protection does collect and analyze SPN-related risk signals---such as Kerberoasting exposure and weak service account protections---this specific grouping must be created by administrators using custom insight filters. Custom insights allow teams to define precise conditions, combine attributes (privilege level, SPN presence, password age, MFA status), and tailor risk visibility to their organization's threat model.

This distinction is emphasized in the CCIS curriculum, which explains that custom insights extend beyond default coverage, enabling deeper, organization-specific identity risk analysis. Therefore, Option D is the correct answer.

Falcon Identity Protection integrates directly with Threat Hunter to enable deeper investigation of identity-based activity. According to the CCIS curriculum, selecting Search for involved entities in Threat Hunter allows analysts to pivot from an identity-based detection into Threat Hunter while preserving identity context.

This pivot enables analysts to examine related users, service accounts, endpoints, and authentication behavior using advanced queries and timelines. Importantly, this action maintains the identity-centric investigation flow, bridging detections with broader hunting capabilities.

The other options do not perform this specific pivot:

Investigating users or endpoints remains within entity views.

Searching for events in Threat Hunter does not preserve entity context.

Because Search for involved entities in Threat Hunter is the correct pivot action, Option B is the verified answer.