Free CrowdStrike IDP Practice Exam with Questions & Answers | Set: 2

The Enforce section of Falcon Identity Protection is dedicated to policy-based identity enforcement. According to the CCIS curriculum, this section allows administrators to define and manage Policy Rules and Policy Groups that specify how the platform should respond when identity-related conditions are detected.

These rules evaluate triggers such as risky authentication behavior, privilege misuse, compromised credentials, or elevated risk scores, and then execute actions like blocking access, enforcing MFA, or initiating Falcon Fusion workflows. Enforce is therefore the execution layer of Falcon’s identity security model.

The other options correspond to different sections of the platform:

Configuration tasks are handled in Configure.

Detections and incidents are reviewed in Monitor or Explore.

Domain posture overviews are displayed in Domain Security Overview.

Because Enforce directly controls what actions are taken in response to identity risk, Option B is the correct and verified answer.

Falcon Identity Protection integrates directly withThreat Hunterto enable deeper investigation of identity-based activity. According to the CCIS curriculum, selectingSearch for involved entities in Threat Hunterallows analysts to pivot from an identity-based detection into Threat Hunter while preserving identity context.

This pivot enables analysts to examine related users, service accounts, endpoints, and authentication behavior using advanced queries and timelines. Importantly, this action maintains the identity-centric investigation flow, bridging detections with broader hunting capabilities.

The other options do not perform this specific pivot:

Investigating users or endpoints remains within entity views.

Searching for events in Threat Hunter does not preserve entity context.

BecauseSearch for involved entities in Threat Hunteris the correct pivot action,Option Bis the verified answer.

Falcon Threat Hunter provides a direct integration with theAPI Builderto support advanced investigation workflows and automation. According to the CCIS curriculum, analysts can take an existing Threat Hunter query and convert it into aGraphQL-compatible formatby selectingOpen Query in API Builderfrom the Threat Hunter menu.

This option opens the current query in a new window within API Builder, automatically translating the query structure into GraphQL syntax where applicable. This enables security teams to reuse validated hunting logic for automation, reporting, or external integrations without rewriting queries from scratch.

The other menu options serve different purposes:

Export to API Builderis not a valid menu action.

Save as Custom Querystores the query for reuse inside Threat Hunter.

Save as Custom Reportgenerates a reporting artifact, not an API query.

BecauseOpen Query in API Builderis the only option that opens the query in GraphQL format in a new window,Option Dis the correct and verified answer.

Policy Rules in Falcon Identity Protection are designed to automate enforcement and response actions based on identity-related conditions observed in the environment. According to the CCIS curriculum, Policy Rules evaluate identity signals such as authentication behavior, risk levels, privilege status, and detection outcomes, then execute predefined actions when specific criteria are met.

These actions may include blocking authentication, enforcing MFA, generating alerts, or triggering Falcon Fusion workflows. This design supports Falcon’s Zero Trust and continuous validation model, where trust decisions are dynamically enforced rather than statically assigned. Policy Rules therefore act as the operational bridge between identity analytics and enforcement.

The incorrect options confuse Policy Rules with other platform components. Administrative permissions are governed by RBAC, sensor data collection scope is controlled through configuration settings, and behavioral learning is handled by Falcon’s analytics engine—not Policy Rules.

The CCIS documentation explicitly defines Policy Rules as logic-based enforcement mechanisms, making Option A the correct and verified answer.

The Falcon sensor for Windows plays a critical role in Falcon Identity Protection bycollecting and validating domain authentication eventsdirectly from domain controllers. According to the CCIS curriculum, the sensor inspects authentication protocols such as Kerberos, NTLM, and LDAP throughAuthentication Traffic Inspection (ATI).

This telemetry enables Falcon Identity Protection to analyze authentication behavior, build identity baselines, detect anomalies, and generate identity-based detections. The sensor does not enforce password policies, manage permissions, or encrypt network traffic—those functions belong to Active Directory and network infrastructure components.

By providinghigh-fidelity authentication telemetrywithout relying on log ingestion, the Falcon sensor enables real-time identity threat detection and Zero Trust enforcement. Therefore,Option Dis the correct and verified answer.

When an identity-based detection is determined to be afalse positive, Falcon Identity Protection allows administrators to take corrective action usingexceptions. According to the CCIS curriculum, exceptions are the mechanism by which detections can be suppressed for specific entities or conditions without disabling the detection entirely.

Exceptions are configured from theDetection detailsview and are intended to handle known, acceptable behavior that would otherwise continue to trigger detections. This allows security teams to reduce noise while maintaining visibility into true threats. Exceptions are especially valuable in environments with complex authentication patterns or legacy configurations.

The other options are incorrect:

Exitsare not a detection control mechanism.

Remediationsrefer to corrective actions, not suppression logic.

Recommendationsprovide guidance but do not change detection behavior.

By usingexceptions, Falcon ensures that false positives are handled in a controlled and auditable way, aligning with best practices outlined in the CCIS material. Therefore,Option Cis the correct answer.

In Falcon Identity Protection, theDomainspage is where administrators can view themonitoring and health status of domain controllers. The CCIS curriculum explains that this page provides visibility into which domain controllers are actively reporting authentication traffic, their inspection status, and whether Authentication Traffic Inspection (ATI) is enabled.

This view is essential for validating coverage and ensuring that Falcon Identity Protection has sufficient visibility into domain authentication activity. Administrators can quickly identify gaps, such as domain controllers that are not reporting or are misconfigured, and take corrective action.

The other options serve different purposes:

Settingsmanage general configuration.

System Notificationsdisplay alerts and messages.

Connectorsmanage integrations such as MFA and IDaaS.

Because domain controller visibility and monitoring health are managed at the domain level,Option C (Domains)is the correct and verified answer.