
Most Recent CrowdStrike IDP Exam Dumps

 

Prepare for the CrowdStrike Certified Identity Specialist exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.

QA4Exam focuses on the latest syllabus and exam objectives; our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, these Questions & Answers help you cover all the essential topics, ensuring you're well prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you to learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the CrowdStrike IDP exam and achieve success.

The questions for IDP were last updated on Apr 22, 2026.
Question No. 1

Refer to exhibit.

Which of the following BEST indicates that this user has an established baseline?

Correct Answer: B

In Falcon Identity Protection, a user baseline is established by observing consistent and repeatable behavior over time, including authentication patterns, endpoint associations, and usage context. According to the CCIS curriculum, one of the strongest indicators that a user has an established baseline is the presence of endpoints for which the user is identified as an owner.

Endpoint ownership is determined through historical authentication behavior and usage frequency. When Falcon identifies that a user consistently logs into specific endpoints over time, those endpoints are marked as owned, which signifies that sufficient historical data exists to confidently model the user's normal behavior. This ownership relationship is only created after Falcon has observed the user long enough to establish a reliable baseline.

The other options do not definitively indicate a baseline:

- Logging into multiple endpoints may occur during initial discovery or anomalous activity.
- A risk score reflects current risk posture, not baseline maturity.
- Recent logon activity alone does not imply historical consistency.

Because endpoint ownership requires sustained, predictable behavior over time, it is the clearest indicator that Falcon has successfully established a user baseline. Therefore, Option B is the correct and verified answer.


Question No. 2

When creating an API client, which scope with Write permissions must be enabled prior to using Identity Protection API?

Correct Answer: D

To interact with Falcon Identity Protection using GraphQL, the API client must be created with the appropriate permission scopes. According to the CCIS curriculum, the Identity Protection GraphQL scope with Write permissions must be enabled prior to using the Identity Protection API.

This scope allows the API client to execute GraphQL queries and mutations related to identity detections, incidents, users, and risk data. Even when performing read-only operations, CrowdStrike requires the GraphQL Write scope to authorize GraphQL query execution within the Falcon platform.

The other options are incorrect because:

- Identity Protection Assessment and Health are read-only data scopes.
- The statement that Write permissions are not required is explicitly false per CCIS documentation.

Because GraphQL access requires the Identity Protection GraphQL (Write) scope, Option D is the correct and verified answer.


Question No. 3

Which of the following actions under the Investigate menu will pivot to Falcon Identity Protection from an identity-based detection?

Correct Answer: B

Falcon Identity Protection integrates directly with Threat Hunter to enable deeper investigation of identity-based activity. According to the CCIS curriculum, selecting Search for involved entities in Threat Hunter allows analysts to pivot from an identity-based detection into Threat Hunter while preserving identity context.

This pivot enables analysts to examine related users, service accounts, endpoints, and authentication behavior using advanced queries and timelines. Importantly, this action maintains the identity-centric investigation flow, bridging detections with broader hunting capabilities.

The other options do not perform this specific pivot:

- Investigating users or endpoints remains within entity views.
- Searching for events in Threat Hunter does not preserve entity context.

Because Search for involved entities in Threat Hunter is the correct pivot action, Option B is the verified answer.


Question No. 4

Within Domain Security Overview, what Goal incorporates all risks into one security assessment report?

Correct Answer: C

Within the Domain Security Overview, Goals are used to tailor how identity risks are grouped, evaluated, and reported. The Reduce Attack Surface goal is the only option that incorporates all identity risks into a single, comprehensive security assessment.

The CCIS curriculum explains that Reduce Attack Surface provides a holistic view of identity exposure by aggregating risks related to authentication paths, account hygiene, privileges, misconfigurations, and legacy identity weaknesses. This goal is designed for organizations seeking an overall understanding of their identity security posture rather than focusing on a specific domain such as privileged users or directory hygiene.

Other goals are more specialized:

- AD Hygiene focuses on directory configuration issues.
- Privileged User Management concentrates on high-privilege identities.
- Pen Testing aligns more with adversarial simulation than continuous risk assessment.

Reduce Attack Surface aligns directly with Zero Trust principles, helping organizations identify and eliminate unnecessary identity access paths. Therefore, Option C is the correct and verified answer.


Question No. 5

Which of the following statements is NOT true as it relates to Identity Events, Detections, and Incidents?

Correct Answer: A

Falcon Identity Protection follows a correlation and enrichment model where events, detections, and incidents are dynamically linked over time. According to the CCIS curriculum, events that occur after an incident is marked In Progress do not automatically create a new incident. Instead, related events and detections are typically added to the existing incident, provided they fall within the incident's correlation and suppression window.

This behavior allows Falcon to present a single evolving incident, showing the full progression of an identity attack rather than fragmenting activity into multiple incidents. Therefore, statement A is not true.

The other statements are correct:

- Detections can be retroactively associated with incidents that occurred earlier if correlation logic determines relevance.
- Events can be linked to detections even if the detection is created after the event occurred.
- Not all events are security-relevant; many remain informational and never become detections.

This adaptive correlation model is a core concept in CCIS training and supports efficient investigation and incident lifecycle management. Hence, Option A is the correct answer.

