Best IDP Exam Dumps for the Preparation of Latest IDP Exam Questions [Q15-Q34]

Share

Best IDP Exam Dumps for the Preparation of Latest IDP Exam Questions

Download Latest & Valid Questions For CrowdStrike IDP exam


CrowdStrike IDP Exam Syllabus Topics:

TopicDetails
Topic 1
  • GraphQL API: Covers Identity API documentation, creating API keys, permission levels, pivoting from Threat Hunter to GraphQL, and building queries.
Topic 2
  • Risk Management with Policy Rules: Covers creating and managing policy rules and groups, triggers, conditions, enabling
  • disabling rules, applying changes, and required Falcon roles.
Topic 3
  • Falcon Fusion SOAR for Identity Protection: Explores SOAR workflow automation including triggers, conditions, actions, creating custom
  • templated
  • scheduled workflows, branching logic, and loops.
Topic 4
  • Risk Assessment: Covers entity risk categorization, risk and event analysis dashboards, filtering, user risk reduction, custom insights versus reports, and export scheduling.
Topic 5
  • User Assessment: Examines user attributes, differences between users
  • endpoints
  • entities, risk baselining, risky account types, elevated privileges, watchlists, and honeytoken accounts.
Topic 6
  • Falcon Identity Protection Fundamentals: Introduces the four menu categories (monitor, enforce, explore, configure), subscription differences between ITD and ITP, user roles, permissions, and threat mitigation capabilities.
Topic 7
  • Threat Hunting and Investigation: Focuses on identity-based detections and incidents, investigation pivots, incident trees, detection evolution, filtering, managing exclusions and exceptions, and risk types.
Topic 8
  • Domain Security Assessment: Focuses on domain risk scores, trends, matrices, severity
  • likelihood
  • consequence factors, risk prioritization, score reduction, and configuring security goals and scopes.
Topic 9
  • Configuration and Connectors: Addresses domain controller monitoring, subnet management, risk settings, MFA and IDaaS connectors, authentication traffic inspection, and country-based lists.
Topic 10
  • Multifactor Authentication (MFA) and Identity-as-a-service (IDaaS) Configuration Basics: Focuses on accessing and configuring MFA and IDaaS connectors, configuration fields, and enabling third-party MFA integration.

 

NEW QUESTION # 15
By using compromised credentials, threat actors are able to bypass theExecutionphase of the MITRE ATT&CK framework and move directly into:

  • A. Lateral Movement
  • B. Initial Access
  • C. Weaponization
  • D. Discovery

Answer: D

Explanation:
The CCIS curriculum highlights a critical identity-security concept: when attackers usecompromised credentials, they often bypass traditional malware-based attack phases, including theExecutionphase of the MITRE ATT&CK framework. Because no malicious code needs to be executed, attackers can immediately begin interacting with the environment as a legitimate user.
As a result, threat actors move directly into theDiscoveryphase. During Discovery, attackers enumerate users, groups, privileges, systems, domain relationships, and trust paths to understand the environment and plan further actions. This behavior is commonly observed in identity-based attacks and living-off-the-land techniques.
Falcon Identity Protection is specifically designed to detect this behavior by monitoring authentication traffic, privilege usage, and anomalous identity activity-areas where traditional EDR tools may have limited visibility.
The other options are incorrect:
* Initial Access has already occurred via credential compromise.
* Weaponization and Execution are not required.
* Lateral Movement typically follows Discovery.
Because compromised credentials allow attackers to jump straight intoDiscovery,Option Cis the correct and verified answer.


NEW QUESTION # 16
What trigger will cause a Falcon Fusion Workflow to activate from Falcon Identity Protection?

  • A. New endpoint detection
  • B. New incident
  • C. Alert > Identity detection
  • D. Spotlight user action > Host

Answer: C

Explanation:
Falcon Fusion workflows integrate directly with Falcon Identity Protection throughidentity-based triggers, allowing automated responses to identity threats. The correct trigger that activates a Falcon Fusion workflow from Identity Protection isAlert > Identity detection.
Identity detections are generated when Falcon observes suspicious or malicious identity behavior, such as credential abuse, abnormal authentication patterns, lateral movement attempts, or policy violations related to identity risk. These detections are distinct from endpoint-only detections or incidents and are specifically designed to representidentity-based attack activity.
WhileNew incidentandNew endpoint detectionare valid Falcon Fusion triggers in other Falcon modules, they are not the primary triggers for identity-focused automation. Similarly,Spotlight user action > Host relates to vulnerability management workflows rather than identity analytics.
The CCIS curriculum emphasizes that Falcon Fusion enablesautomated identity response, such as notifying security teams, disabling accounts, enforcing MFA, or triggering SOAR actions, based onidentity detections.
Therefore, workflows tied toAlert > Identity detectionallow organizations to respond quickly and consistently to identity threats, makingOption Cthe correct answer.


NEW QUESTION # 17
The configuration of the Azure AD (Entra ID) Identity-as-a-Service connector requires which three pieces of information?

  • A. Tenant Domain, Token, Configuration File
  • B. Tenant Domain, Application ID, Scope
  • C. Tenant Domain, Application ID, Application Secret
  • D. Tenant Domain, Client Secret, User Identifier

Answer: C

Explanation:
To integrate Falcon Identity Protection withAzure AD (Entra ID)as an Identity-as-a-Service (IDaaS) provider, specific application-level credentials are required. According to the CCIS curriculum, the connector configuration requiresTenant Domain,Application (Client) ID, andApplication Secret.
These values are generated when registering an application in Azure AD and are used to authenticate Falcon Identity Protection securely via OAuth-based API access. This method ensures least-privilege access and allows the connector to ingest cloud authentication activity and apply SSO-related policy enforcement.
Other options list incomplete or incorrect credential combinations. Therefore,Option Dis the correct and verified answer.


NEW QUESTION # 18
How does CrowdStrike Falcon Identity Protection help customers identify different types of accounts in their domain?

  • A. Implements advanced encryption algorithms for account metadata
  • B. Analyzes authentication traffic and automatically classifies programmatic and human accounts
  • C. Assigns a human authorizer to each programmatic account for approval
  • D. Conducts regular vulnerability assessments on programmatic accounts

Answer: B

Explanation:
Falcon Identity Protection automatically differentiateshuman and programmatic accountsby analyzing authentication traffic patterns. According to the CCIS curriculum, the platform uses behavioral analytics to observe how accounts authenticate, including frequency, protocol usage, timing, and access patterns.
Human users typically authenticate interactively and exhibit variable behavior, while programmatic or service accounts authenticate predictably and non-interactively. Falcon leverages these differences to automatically classify account types without requiring manual tagging or administrative input.
This classification is critical for accurate risk scoring, privilege analysis, and detection logic. Programmatic accounts often carry elevated privileges and long-lived credentials, making them attractive targets for attackers. Automatically identifying them allows Falcon to apply appropriate risk models and detections.
Because Falcon usesauthentication traffic analysisto classify account types,Option Cis the correct and verified answer.


NEW QUESTION # 19
How should an organization address the domain risk score found in the Domain Security Overview page?

  • A. Address the risks on the list from top to bottom as risks are presented in a descending order
  • B. Prioritizing the risks by severity, addressing the Low (Green) risks first
  • C. Prioritizing the detections by severity, addressing the High (Red) detections first
  • D. Prioritizing the risks by severity, addressing the Medium (Yellow) risks first

Answer: A

Explanation:
TheDomain Security Overviewpage in Falcon Identity Protection presents domain risks in aprioritized, descending order, based on a combination ofseverity, likelihood, and consequence. The CCIS curriculum emphasizes that organizations should address risksfrom top to bottom, as the list is already optimized to reflect the most impactful identity risks first.
This ordering allows security teams to focus remediation efforts where they will produce the greatest reduction in overall domain risk score. Addressing risks sequentially ensures alignment with Falcon's risk modeling and avoids misprioritization that could occur if teams focus only on color-based severity or individual detections.
The incorrect options reflect common misconceptions:
* Medium risks should not be prioritized over higher-impact risks.
* Detections are different from risks and should not be addressed independently of risk context.
* Low risks are intentionally deprioritized by the platform.
By following the descending order provided in the Domain Security Overview, organizations align remediation with Falcon'sZero Trust-driven identity risk scoring methodology, makingOption Athe correct answer.


NEW QUESTION # 20
Which CrowdStrike documentation category would you search to find GraphQL examples?

  • A. Identity Protection APIs
  • B. XDR
  • C. Threat Intelligence
  • D. CrowdStrike APIs

Answer: D

Explanation:
GraphQL is the underlying query technology used by multiple CrowdStrike platforms, including Falcon Identity Protection. According to the CCIS curriculum,GraphQL examples are documented under the broader "CrowdStrike APIs" documentation category, not limited to a single product.
The CrowdStrike APIs section includes:
* Authentication and API key usage
* GraphQL schema references
* Example GraphQL queries and mutations
* Pagination, filtering, and response handling
While Identity Protection uses GraphQL for identity-specific queries, the examples themselves are centralized underCrowdStrike APIsto provide consistency across Falcon modules. Product-specific use cases are then layered on top of these core examples.
The other options are incorrect:
* Threat Intelligence focuses on adversary data.
* XDR covers detection and correlation concepts.
* Identity Protection APIs describe endpoints and permissions, not general GraphQL usage examples.
Therefore,Option Ais the correct and verified answer.


NEW QUESTION # 21
Which of the following actions under the Investigate menu will pivot to Falcon Identity Protection from an identity-based detection?

  • A. Search for events in Threat Hunter
  • B. Investigate involved users
  • C. Investigate involved endpoints
  • D. Search for involved entities in Threat Hunter

Answer: D

Explanation:
Falcon Identity Protection integrates directly withThreat Hunterto enable deeper investigation of identity- based activity. According to the CCIS curriculum, selectingSearch for involved entities in Threat Hunter allows analysts to pivot from an identity-based detection into Threat Hunter while preserving identity context.
This pivot enables analysts to examine related users, service accounts, endpoints, and authentication behavior using advanced queries and timelines. Importantly, this action maintains the identity-centric investigation flow, bridging detections with broader hunting capabilities.
The other options do not perform this specific pivot:
* Investigating users or endpoints remains within entity views.
* Searching for events in Threat Hunter does not preserve entity context.
BecauseSearch for involved entities in Threat Hunteris the correct pivot action,Option Bis the verified answer.


NEW QUESTION # 22
Any countries or regions included in the _ will trigger a geolocation detection.

  • A. Dictionary
  • B. Exclusion
  • C. Allowlist
  • D. Blocklist

Answer: D

Explanation:
Falcon Identity Protection supportsgeolocation-based detectionsto identify potentially risky authentication activity originating from unexpected or prohibited locations. According to the CCIS curriculum, any countries or regions added to theBlocklistwill automatically trigger a geolocation-based detection when authentication traffic is observed from those locations.
The Blocklist is designed to explicitly definedisallowed geographic regions. When an authentication attempt originates from a blocklisted country or region, Falcon treats the activity as suspicious and generates a detection or contributes to increased identity risk.
By contrast:
* An Allowlist defines approved locations and suppresses detections.
* A Dictionary is used for password-related analysis.
* An Exclusion suppresses detections rather than generating them.
Because geolocation detections are triggered byblocklisted locations,Option Ais the correct answer.


NEW QUESTION # 23
Which of the following IDaaS connectors will allow Identity to ingest cloud activity along with applying SSO Policy?

  • A. SAML
  • B. ADFS
  • C. Azure NPS
  • D. Okta SSO

Answer: D

Explanation:
Falcon Identity Protection integrates withIdentity-as-a-Service (IDaaS)providers to ingest cloud authentication activity and enforce identity-based policies. According to the CCIS curriculum,Okta SSOis a supported IDaaS connector that enables Falcon to ingestcloud authentication eventswhile also applying Single Sign-On (SSO) policies.
Okta SSO provides rich identity telemetry, including login attempts, device context, and authentication outcomes. This data allows Falcon Identity Protection to correlate on-premises and cloud-based identity activity, extending identity risk analysis beyond Active Directory.
The other options are incorrect:
* ADFSis an on-premises federation service, not a cloud IDaaS.
* Azure NPSis used for RADIUS-based MFA, not SSO ingestion.
* SAMLis a protocol, not an IDaaS connector.
Because Okta SSO provides both cloud activity ingestion and SSO enforcement,Option Bis the correct and verified answer.


NEW QUESTION # 24
What setting can be switched under the Domain Security Overview for each Active Directory domain and/or Azure tenant?

  • A. Scope
  • B. Domains
  • C. Goal
  • D. Privileged Identities

Answer: A

Explanation:
In the Domain Security Overview,Scopeis a configurable setting that allows administrators toswitch between Active Directory domains and Azure tenants. This capability is essential for organizations managing multiple identity environments, as it enables targeted risk assessment and comparison across different identity infrastructures.
The CCIS documentation explains that Scope determineswhich domain or tenant's identity data is displayedin the Overview dashboard, including risk scores, trends, and prioritized remediation guidance.
Changing the scope does not alter risk calculations; it simply refocuses the analysis on the selected identity environment.
Other options are incorrect because:
* Privileged Identities represent a subset of users, not a switchable setting.
* Domains are entities, not a dashboard control.
* Goal changes how risks are evaluated, not which environment is displayed.
By allowing granular control over which domain or tenant is analyzed, Scope supports accurate identity risk management in complex, hybrid environments. Therefore,Option Dis the correct answer.


NEW QUESTION # 25
Falcon Identity Protection monitors network traffic to build user behavioral profiles to help identify unusual user behavior. How can this be beneficial to create a Falcon Fusion workflow?

  • A. Falcon Fusion is not identity based
  • B. Falcon Fusion will only send emails to the user
  • C. Falcon Fusion will only work with certain users
  • D. Falcon Fusion works with your IT policy enforcement through the use of identity and behavioral analytics

Answer: D

Explanation:
Falcon Identity Protection continuously inspects authentication traffic and network behavior to establish behavioral baselines for users and accounts. These baselines enable the platform to detect deviations that indicate potential compromise, misuse, or insider threat activity. This behavioral intelligence directly enhances the effectiveness ofFalcon Fusion workflows.
Falcon Fusion leveragesidentity and behavioral analyticsas decision points within workflows, allowing automated actions to be triggered when abnormal behavior is detected. For example, a workflow can automatically enforce MFA, notify administrators, isolate risky sessions, or initiate remediation when a user deviates from their established baseline.
The CCIS curriculum highlights that Falcon Fusion is designed tointegrate identity risk signals with IT policy enforcement, enabling Zero Trust-aligned automation. This capability goes far beyond simple notifications and supports coordinated responses across security and IT teams.
Options A, B, and C are incorrect because Falcon Fusion is fully identity-aware, applies broadly across users and entities, and supports a wide range of actions beyond email notifications. Therefore,Option Daccurately describes how behavioral profiling strengthens Falcon Fusion workflows.


NEW QUESTION # 26
Which of the following would cause an identity-based incident type to change?

  • A. A user linked detections to the incident in the console
  • B. A user changed the incident type in the console
  • C. Detections related to the incident
  • D. An exclusion added to the incident

Answer: C

Explanation:
In Falcon Identity Protection,identity-based incidents are dynamicand can evolve over time as additional detections are associated with them. According to the CCIS curriculum, an incident'stype is automatically recalculatedbased on thedetections related to the incident, not by manual user actions.
As new identity-based detections are generated-such as credential misuse, lateral movement attempts, or abnormal authentication behavior-the platform continuously reassesses the incident. If the newly added detections indicate a different or more severe attack pattern, Falcon may automaticallychange the incident typeto better reflect the observed threat activity.
Manual actions such as adding exclusions or linking detections do not directly change the incident type.
Similarly, users cannot manually override an incident's classification. The classification logic is driven entirely by Falcon's analytics engine to ensure consistent, objective threat categorization.
This automated behavior is emphasized in CCIS training to highlight Falcon's ability toadapt incident context as attacks progress, makingOption Dthe correct answer.


NEW QUESTION # 27
When an endpoint that has not been used in the last90 daysbecomes active, a detection forUse of Stale Endpointis reported.

  • A. 90 days
  • B. 30 days
  • C. 180 days
  • D. 60 days

Answer: A

Explanation:
Falcon Identity Protection identifiesstale endpointsas systems that have not authenticated or shown activity for an extended period and then suddenly become active. According to the CCIS curriculum, an endpoint that has been inactive for90 daysand then resumes activity will trigger aUse of Stale Endpointdetection.
This detection is important because attackers frequently exploit dormant or forgotten systems to re-enter environments, evade monitoring, or move laterally. A long period of inactivity followed by sudden authentication activity is considered a strong identity risk signal.
The 90-day threshold is used to establish a reliable inactivity baseline while minimizing false positives.
Shorter timeframes could incorrectly flag normal usage patterns, while longer timeframes could delay detection of genuine threats.
Because Falcon explicitly defines stale endpoint activity using a90-day inactivity window,Option Bis the correct answer.


NEW QUESTION # 28
When creating an API client, which scope withWritepermissions must be enabled prior to using Identity Protection API?

  • A. Identity Protection GraphQL
  • B. Identity Protection Health
  • C. There is no need for Write permissions in order to use IDP API
  • D. Identity Protection Assessment

Answer: A

Explanation:
To interact with Falcon Identity Protection using GraphQL, the API client must be created with the appropriate permission scopes. According to the CCIS curriculum, theIdentity Protection GraphQLscope withWrite permissionsmust be enabled prior to using the Identity Protection API.
This scope allows the API client to execute GraphQL queries and mutations related to identity detections, incidents, users, and risk data. Even when performing read-only operations, CrowdStrike requires the GraphQL Write scope to authorize GraphQL query execution within the Falcon platform.
The other options are incorrect because:
* Identity Protection Assessment and Health are read-only data scopes.
* The statement that Write permissions are not required is explicitly false per CCIS documentation.
Because GraphQL access requires theIdentity Protection GraphQL (Write)scope,Option Dis the correct and verified answer.


NEW QUESTION # 29
Describe the difference between a Human account and a Programmatic account.

  • A. A programmatic account is only used interactively
  • B. A programmatic account is never authorized for multi-factor authentication
  • C. A human account is an Administrator
  • D. A human account is often used interactively

Answer: D


NEW QUESTION # 30
What does a modern Zero Trust security architecture offer compared to a traditional wall-and-moat (perimeter- based firewall) approach?

  • A. Secures the perimeter of a network and does not allow access to any entities deemed "zero trust"
  • B. Issues trust certificates to internal entities and zero trust certificates to external entities
  • C. Continuously authenticates entities regardless of origin
  • D. Applies machine learning to gauge the trustworthiness of any external entities

Answer: C

Explanation:
A modern Zero Trust security architecture fundamentally differs from the traditional wall-and-moat model by eliminating implicit trust based on network location. As defined inNIST SP 800-207and reinforced in the CCIS curriculum, Zero Trust requirescontinuous authentication and authorization of all entities, regardless of whether they originate from inside or outside the network.
Traditional perimeter-based security assumes that users and devices inside the network are trusted, focusing defenses at the boundary. This approach fails in modern environments where cloud access, remote work, and compromised credentials allow attackers to operate internally without triggering perimeter controls.
Zero Trust replaces this assumption with continuous validation using identity, behavior, device posture, and risk signals. Falcon Identity Protection operationalizes this concept by continuously inspecting authentication traffic and reassessing trust throughout a session, not just at login time.
Because Zero Trust applies universally and continuously,Option Dis the correct and verified answer.


NEW QUESTION # 31
Which of the following isNOTa default insight but can be created with a custom insight?

  • A. Using Unmanaged Endpoints
  • B. Poorly Protected Accounts with SPN
  • C. Compromised Password
  • D. GPO Exposed Password

Answer: B

Explanation:
In Falcon Identity Protection,default insightsare prebuilt analytical views provided by CrowdStrike to immediately highlight common and high-impact identity risks across the environment. These default insights are automatically available in theRisk AnalysisandInsightsareas and are designed to surface well-known identity exposure patterns without requiring customization.
Examples ofdefault insightsincludeUsing Unmanaged Endpoints,GPO Exposed Password, and Compromised Password. These insights are natively provided because they represent frequent and high-risk identity attack vectors such as credential exposure, unmanaged authentication sources, and password compromise, all of which directly contribute to elevated identity risk scores.
Poorly Protected Accounts with SPN (Service Principal Name), however, isnot provided as a default insight. While Falcon Identity Protection does collect and analyze SPN-related risk signals-such as Kerberoasting exposure and weak service account protections-this specific grouping must be created by administrators usingcustom insight filters. Custom insights allow teams to define precise conditions, combine attributes (privilege level, SPN presence, password age, MFA status), and tailor risk visibility to their organization's threat model.
This distinction is emphasized in the CCIS curriculum, which explains thatcustom insights extend beyond default coverage, enabling deeper, organization-specific identity risk analysis. Therefore,Option Dis the correct answer.


NEW QUESTION # 32
To enforce conditional access policies with Identity Verification, an MFA connector can be configured for different authentication methods such as:

  • A. Push
  • B. Page
  • C. Pull
  • D. Alarm

Answer: A

Explanation:
Falcon Identity Protection integrates with third-party MFA providers throughMFA connectorsto support conditional access and identity verification. The CCIS documentation explains that these connectors allow organizations to enforce MFA challenges based on identity risk, authentication behavior, or policy conditions.
One of the supported MFA authentication methods isPush, where a notification is sent to a registered device or application for user approval. Push-based MFA is widely used due to its balance of usability and security and is fully supported by Falcon Identity Protection when integrated with compatible MFA providers.
The other options are not valid MFA authentication methods within Falcon:
* Page and Pull are not recognized MFA mechanisms.
* Alarm is related to alerting, not authentication.
By enabling push-based MFA through an MFA connector, organizations can dynamically enforce identity verification in alignment with Zero Trust principles. Therefore,Option Bis the correct and verified answer.


NEW QUESTION # 33
Which of the following actions willNOThelp to decrease a domain risk score?

  • A. Upgrading endpoints running end-of-life operating systems
  • B. Enabling SMB Signing within Active Directory
  • C. Enforcing NTLMv2 responses
  • D. Upgrading endpoints running end-of-life Acrobat Reader

Answer: D

Explanation:
Falcon Identity Protection evaluatesdomain riskby analyzing identity-related weaknesses such as insecure authentication protocols, legacy directory configurations, and exposure to credential-based attacks. Actions that harden Active Directory and authentication mechanisms will directly reduce domain risk scores.
Measures such asenabling SMB signing,enforcing NTLMv2, andupgrading unsupported operating systemsremove common identity attack paths and are explicitly recommended in the CCIS curriculum as effective domain risk remediation steps.
In contrast,upgrading end-of-life Acrobat Readeraddresses anendpoint application vulnerability, not an identity or directory-related risk. While important for endpoint hygiene, it does not influence identity telemetry, authentication behavior, or domain controller security assessed by Falcon Identity Protection.
Because domain risk scoring is strictly tied to identity infrastructure and authentication posture,Option Bdoes not contribute to lowering the domain risk score and is therefore the correct answer.


NEW QUESTION # 34
......

Exam Materials for You to Prepare & Pass IDP Exam: https://www.testpassking.com/IDP-exam-testking-pass.html