
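CrowdStrike IDP Exam

CrowdStrike Certified Identity Specialist Online Practice

Last updated: February 14, 2026

You can use the online practice questions to find out how well you know the CrowdStrike IDP exam material and then decide whether to register for the exam.

To pass the exam 100% and save 35% of your preparation time, choose the IDP dumps (latest real exam questions), which currently include the latest 58 exam questions and answers.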


Question No : 1


Within which Identity Protection menu would an administrator enable Authentication Traffic Inspection (ATI) for a domain?

Answer:
Explanation:
Authentication Traffic Inspection (ATI) is enabled through Identity Configuration Policies, which define how the Falcon sensor captures and inspects identity-related network traffic. According to the CCIS documentation, ATI configuration is performed under Configure > Identity Configuration Policies.
These policies allow administrators to specify which authentication protocols are inspected, which domain controllers are covered, and how identity telemetry is collected. This configuration step is mandatory to enable identity visibility and detection capabilities.
The Enforce menu is used for policy rules and automated actions, not traffic inspection. General settings do not control sensor inspection behavior. Because ATI directly affects sensor data capture, it is managed exclusively through Identity Configuration Policies.
Therefore, Option D is the correct and verified answer.

Question No : 2


Which of the following statements is NOT true as it relates to Identity Events, Detections, and Incidents?

Answer:
Explanation:
Falcon Identity Protection follows a correlation and enrichment model where events, detections, and incidents are dynamically linked over time. According to the CCIS curriculum, events that occur after an incident is marked In Progress do not automatically create a new incident. Instead, related events and detections are typically added to the existing incident, provided they fall within the incident’s correlation and suppression window.
This behavior allows Falcon to present a single evolving incident, showing the full progression of an identity attack rather than fragmenting activity into multiple incidents. Therefore, statement A is not true.
The other statements are correct:
Detections can be retroactively associated with incidents that occurred earlier if correlation logic determines relevance.
Events can be linked to detections even if the detection is created after the event occurred.
Not all events are security-relevant; many remain informational and never become detections.
This adaptive correlation model is a core concept in CCIS training and supports efficient investigation and incident lifecycle management. Hence, Option A is the correct answer.

Question No : 3


Which option can be selected from the Threat Hunter menu to open the current Threat Hunter query in a new window as Graph API format?

Answer:
Explanation:
Falcon Threat Hunter provides a direct integration with the API Builder to support advanced investigation workflows and automation. According to the CCIS curriculum, analysts can take an existing Threat Hunter query and convert it into a GraphQL-compatible format by selecting Open Query in API Builder from the Threat Hunter menu.
This option opens the current query in a new window within API Builder, automatically translating the query structure into GraphQL syntax where applicable. This enables security teams to reuse validated hunting logic for automation, reporting, or external integrations without rewriting queries from scratch.
The other menu options serve different purposes:
Export to API Builder is not a valid menu action.
Save as Custom Query stores the query for reuse inside Threat Hunter.
Save as Custom Report generates a reporting artifact, not an API query.
Because Open Query in API Builder is the only option that opens the query in GraphQL format in a new window, Option D is the correct and verified answer.

Question No : 4


How long does it typically take Falcon Identity to develop a baseline of a user?

Answer:
Explanation:
Falcon Identity Protection establishes a user baseline by observing authentication behavior over time, including login frequency, endpoints used, access patterns, and protocol usage. According to the CCIS curriculum, Falcon typically requires approximately one week of consistent activity to develop an initial, reliable baseline for a user.
This baseline allows Falcon to distinguish normal behavior from anomalies and to calculate accurate risk scores. While the baseline continues to mature over time and becomes more precise with additional data, the first usable behavioral model is generally formed within a week.
Longer timeframes such as one or three months are not required to begin detecting abnormal behavior. Conversely, periods shorter than a week may not provide sufficient behavioral data to accurately model normal usage patterns.
Because Falcon can rapidly establish a functional baseline while continuously refining it, Option C (One week) is the correct and verified answer.

Question No : 5


Where in the Identity Protection module can one view the monitoring status of domain controllers?

Answer:
Explanation:
In Falcon Identity Protection, the Domains page is where administrators can view the monitoring and health status of domain controllers. The CCIS curriculum explains that this page provides visibility into which domain controllers are actively reporting authentication traffic, their inspection status, and whether Authentication Traffic Inspection (ATI) is enabled.
This view is essential for validating coverage and ensuring that Falcon Identity Protection has sufficient visibility into domain authentication activity. Administrators can quickly identify gaps, such as domain controllers that are not reporting or are misconfigured, and take corrective action.
The other options serve different purposes:
Settings manage general configuration.
System Notifications display alerts and messages.
Connectors manage integrations such as MFA and IDaaS.
Because domain controller visibility and monitoring health are managed at the domain level, Option C (Domains) is the correct and verified answer.

Question No : 6


Which section of the Falcon menu is used to investigate the Event Analysis dashboard?

Answer:
Explanation:
In Falcon Identity Protection, the Explore section of the Falcon menu is used to investigate analytical views such as the Event Analysis dashboard. This aligns with the CCIS framework, which defines Explore as the primary area for interactive investigation, analytics, and risk exploration across identity data.
The Event Analysis dashboard is designed to help administrators analyze identity-related authentication events, behavioral patterns, and anomalous activity derived from domain traffic inspection and domain controller telemetry. These analytical capabilities are intentionally placed under Explore because this menu category supports hypothesis-driven investigation rather than enforcement or configuration actions.
By contrast:
Enforce is used to apply policy rules and automated controls.
Threat Hunter is focused on proactive hunting using queries and detection pivots.
Configure is used to manage settings, connectors, policies, and integrations.
The CCIS documentation explicitly associates dashboards such as Risk Analysis and Event Analysis with the Explore menu, emphasizing its role in understanding why risk exists before taking action.
Therefore, Option C (Explore) is the correct and verified answer.

Question No : 7


How does Identity Protection extend the capabilities of existing multi-factor authentication (MFA)?

Answer:
Explanation:
Falcon Identity Protection is designed to extend, not replace, existing MFA solutions. According to the CCIS curriculum, Identity Protection enhances MFA by adding a risk-driven, policy-based enforcement layer that dynamically triggers MFA challenges when risky or abnormal identity behavior is detected.
Rather than applying MFA uniformly, Falcon evaluates authentication context such as behavioral deviation, privilege usage, and anomaly detection. When risk thresholds are exceeded, Policy Rules can enforce MFA through integrated connectors, providing adaptive, Zero Trust-aligned authentication.
The incorrect options misunderstand Falcon’s role. Identity Protection does detect risky behavior, does not replace MFA providers, and fully supports both cloud and on-premises MFA connectors.
Because Falcon adds intelligence-driven enforcement on top of MFA, Option A is the correct and verified answer.

Question No : 8


Which of the following IDaaS connectors will allow Identity to ingest cloud activity along with applying SSO Policy?

Answer:
Explanation:
Falcon Identity Protection integrates with Identity-as-a-Service (IDaaS) providers to ingest cloud authentication activity and enforce identity-based policies. According to the CCIS curriculum, Okta SSO is a supported IDaaS connector that enables Falcon to ingest cloud authentication events while also applying Single Sign-On (SSO) policies.
Okta SSO provides rich identity telemetry, including login attempts, device context, and authentication outcomes. This data allows Falcon Identity Protection to correlate on-premises and cloud-based identity activity, extending identity risk analysis beyond Active Directory.
The other options are incorrect:
ADFS is an on-premises federation service, not a cloud IDaaS.
Azure NPS is used for RADIUS-based MFA, not SSO ingestion.
SAML is a protocol, not an IDaaS connector.
Because Okta SSO provides both cloud activity ingestion and SSO enforcement, Option B is the correct and verified answer.

Question No : 9


What is the purpose behind creating Policy Rules?

Answer:
Explanation:
Policy Rules in Falcon Identity Protection are designed to automate enforcement and response actions based on identity-related conditions observed in the environment. According to the CCIS curriculum, Policy Rules evaluate identity signals such as authentication behavior, risk levels, privilege status, and detection outcomes, then execute predefined actions when specific criteria are met.
These actions may include blocking authentication, enforcing MFA, generating alerts, or triggering Falcon Fusion workflows. This design supports Falcon’s Zero Trust and continuous validation model, where trust decisions are dynamically enforced rather than statically assigned. Policy Rules therefore act as the operational bridge between identity analytics and enforcement.
The incorrect options confuse Policy Rules with other platform components. Administrative permissions are governed by RBAC, sensor data collection scope is controlled through configuration settings, and behavioral learning is handled by Falcon’s analytics engine, not Policy Rules.
The CCIS documentation explicitly defines Policy Rules as logic-based enforcement mechanisms, making Option A the correct and verified answer.

Question No : 10


In the Predefined Reports Subject dropdown, which category is associated with endpoints?

Answer:
Explanation:
Within Falcon Identity Protection, Predefined Reports allow administrators to generate standardized reports based on specific data subjects. The Subject dropdown determines the type of data the report will be built from, such as identity risks, authentication activity, or endpoint-related telemetry.
The category associated with endpoints in the Subject dropdown is Events. Endpoint-related data, such as authentication attempts, logons, protocol usage, and domain controller-observed activity, is captured and represented as events within Falcon. These events form the foundational telemetry used for identity detections, investigations, and reporting.
By contrast:
Insights represent aggregated analytical findings derived from events.
Incidents group multiple detections into a single investigative narrative.
Accounts focus on identity entities such as users and service accounts.
Endpoint visibility in reporting is therefore tied directly to Events, as events reflect the raw and enriched activity observed on endpoints and domain controllers. This structure aligns with Falcon’s identity-first security model, where endpoint-observed authentication behavior feeds identity risk scoring and Zero Trust decisions.
The CCIS curriculum explicitly associates endpoint-related reporting with the Events subject, making Option B the correct and verified answer.

Question No : 11


What basic configuration fields are typically required for cloud Multi-Factor Authentication (MFA) connectors?

Answer:
Explanation:
Cloud-based MFA connectors integrate Falcon Identity Protection with third-party MFA providers using application-based authentication, not user credentials. As outlined in the CCIS curriculum, these connectors require an application identifier (Client/Application ID) and secret keys to securely authenticate API communications.
This approach follows modern security best practices by avoiding the use of privileged user credentials and instead leveraging scoped, revocable application secrets. The connector uses these credentials to trigger MFA challenges and exchange authentication context securely.
Options involving usernames, passwords, or domain controller details are incorrect, as Falcon Identity Protection does not store or require privileged account credentials for MFA integrations.
Therefore, Option D is the correct answer.

Question No : 12


Describe the difference between a Human account and a Programmatic account.

Answer:
Explanation:
Falcon Identity Protection differentiates human accounts and programmatic accounts based on authentication behavior, not naming conventions or assigned roles. According to the CCIS curriculum, human accounts are often used interactively, meaning they authenticate through direct user actions such as workstation logins, VPN access, or application access.
Programmatic accounts (such as service accounts) typically authenticate non-interactively, often on a predictable schedule or in response to automated processes. Falcon analyzes authentication frequency, protocol usage, timing, and access patterns to classify account types automatically.
The incorrect options reflect common misconceptions:
Human accounts are not always administrators.
Programmatic accounts can support MFA in some architectures.
Programmatic accounts are not used interactively.
Because interactive authentication behavior is the defining characteristic of human accounts, Option D is the correct and verified answer.

Question No : 13


How should a user be classified if one requires observation for potential risk to the business?

Answer:
Explanation:
Within Falcon Identity Protection, a Watched User is a user explicitly designated for heightened monitoring due to potential business risk. According to the CCIS curriculum, watchlists are designed to provide additional visibility into users whose behavior, access level, or role may warrant closer observation, even if they have not yet exhibited confirmed malicious activity.
Watched Users may include executives, administrators, users with access to sensitive systems, or accounts suspected of being targeted. Placing a user on a watchlist does not imply compromise; instead, it ensures their activity is prioritized in investigations, detections, and dashboards.
The other options are incorrect:
Honeytoken Accounts are decoy accounts designed to detect malicious usage.
High Risk is a calculated risk state, not a monitoring classification.
Marked User is not a valid Falcon Identity Protection classification.
Because the CCIS material explicitly identifies Watched Users as accounts requiring observation for potential risk, Option C is the correct and verified answer.

Question No : 14


To enforce conditional access policies with Identity Verification, an MFA connector can be configured for different authentication methods such as:

Answer:
Explanation:
Falcon Identity Protection integrates with third-party MFA providers through MFA connectors to support conditional access and identity verification. The CCIS documentation explains that these connectors allow organizations to enforce MFA challenges based on identity risk, authentication behavior, or policy conditions.
One of the supported MFA authentication methods is Push, where a notification is sent to a registered device or application for user approval. Push-based MFA is widely used due to its balance of usability and security and is fully supported by Falcon Identity Protection when integrated with compatible MFA providers.
The other options are not valid MFA authentication methods within Falcon:
Page and Pull are not recognized MFA mechanisms.
Alarm is related to alerting, not authentication.
By enabling push-based MFA through an MFA connector, organizations can dynamically enforce identity verification in alignment with Zero Trust principles.
Therefore, Option B is the correct and verified answer.

Question No : 15


The configuration of the Azure AD (Entra ID) Identity-as-a-Service connector requires which three pieces of information?

Answer:
Explanation:
To integrate Falcon Identity Protection with Azure AD (Entra ID) as an Identity-as-a-Service (IDaaS) provider, specific application-level credentials are required. According to the CCIS curriculum, the connector configuration requires Tenant Domain, Application (Client) ID, and Application Secret.
These values are generated when registering an application in Azure AD and are used to authenticate Falcon Identity Protection securely via OAuth-based API access. This method ensures least-privilege access and allows the connector to ingest cloud authentication activity and apply SSO-related policy enforcement.
Other options list incomplete or incorrect credential combinations.
Therefore, Option D is the correct and verified answer.
