Falcon Identity Protection differentiates human accounts and programmatic accounts based on authentication behavior , not naming conventions or assigned roles. According to the CCIS curriculum, human accounts are often used interactively , meaning they authenticate through direct user actions such as workstation logins, VPN access, or application access.

Programmatic accounts (such as service accounts) typically authenticate non-interactively , often on a predictable schedule or in response to automated processes. Falcon analyzes authentication frequency, protocol usage, timing, and access patterns to classify account types automatically.

The incorrect options reflect common misconceptions:

Human accounts are not always administrators.

Programmatic accounts can support MFA in some architectures.

Programmatic accounts are not used interactively.

Because interactive authentication behavior is the defining characteristic of human accounts, Option D is the correct and verified answer.

Identity Protection API documentation is part of CrowdStrike’s centralized API documentation structure. According to the CCIS curriculum, Identity Protection API information is located under the “CrowdStrike APIs” documentation category .

This category includes:

API authentication and scopes

Identity Protection GraphQL schemas

Query examples for detections, incidents, users, and risk

Usage guidance and limitations

CrowdStrike consolidates all API-related documentation in one location to ensure consistent access and maintenance across Falcon modules. Identity Protection APIs are not documented under Falcon Management, Store, or general reference sections.

Because all product APIs—including Identity Protection—are documented under CrowdStrike APIs , Option D is the correct and verified answer.

Falcon Identity Protection is designed to address the growing threat of identity brokers , which act as intermediaries that abuse identity infrastructure to facilitate lateral movement, privilege escalation, and persistent access. The CCIS curriculum emphasizes that Falcon Identity Protection provides proactive identity risk mitigation rather than reactive session monitoring or password vaulting.

The platform continuously inspects authentication traffic and identity behavior across Active Directory and Azure AD environments, building behavioral baselines and identifying abnormal activity associated with brokered identity attacks. Through Policy Rules , organizations can automatically enforce controls such as blocking risky authentications, enforcing MFA, or triggering remediation workflows when identity abuse is detected.

The incorrect options describe capabilities associated with Privileged Access Management (PAM) or IAM middleware , which are not the focus of Falcon Identity Protection. Falcon does not record interactive sessions, act as an HRIS bridge, or store delegated credentials. Instead, it protects identity infrastructure by detecting and preventing identity misuse in real time .

This proactive enforcement model aligns directly with Zero Trust principles and makes Falcon Identity Protection a strong solution against identity broker activity. Therefore, Option C is the correct and verified answer.

Falcon Identity Protection provides flexible control over how identity-based detections are handled through the Detection Exclusions framework. According to the CCIS curriculum, administrators can either disable an entire detection type or, where supported, exclude specific entities such as users, service accounts, or endpoints from triggering that detection.

Not all detections support entity-level exclusions. For detections that do, exclusions allow organizations to suppress known benign behavior without disabling the detection globally. This is particularly useful for service accounts or legacy systems that generate expected but non-malicious activity. When entity-level exclusion is not supported, administrators may choose to disable the detection entirely , which stops it from generating alerts across the environment.

The CCIS documentation clearly explains this dual model:

All detections can be disabled , regardless of type

Only some detections support entity-based exclusions

This approach balances operational flexibility with security integrity and avoids the misconception that exclusions automatically create security gaps. Therefore, Option C is the correct and verified answer.

Authentication Traffic Inspection (ATI) is a foundational capability of Falcon Identity Protection that enables the platform to analyze authentication traffic from domain controllers. According to the CCIS documentation, ATI is enabled through Identity configuration policies .

Identity configuration policies define how the Falcon sensor captures and inspects authentication-related traffic, including Kerberos, NTLM, LDAP, and other identity protocols. Enabling ATI at this level ensures that domain controllers provide the necessary telemetry for identity risk analysis, detections, and behavioral profiling.

The other options are incorrect because:

Identity management settings focus on identity governance and administration.

Identity detection configuration controls detection logic, not traffic inspection.

Identity protection settings manage high-level configuration but do not directly enable ATI.

Because ATI must be explicitly enabled via Identity configuration policies , Option A is the correct and verified answer.

When an identity-based detection is determined to be a false positive , Falcon Identity Protection allows administrators to take corrective action using exceptions . According to the CCIS curriculum, exceptions are the mechanism by which detections can be suppressed for specific entities or conditions without disabling the detection entirely.

Exceptions are configured from the Detection details view and are intended to handle known, acceptable behavior that would otherwise continue to trigger detections. This allows security teams to reduce noise while maintaining visibility into true threats. Exceptions are especially valuable in environments with complex authentication patterns or legacy configurations.

The other options are incorrect:

Exits are not a detection control mechanism.

Remediations refer to corrective actions, not suppression logic.

Recommendations provide guidance but do not change detection behavior.

By using exceptions , Falcon ensures that false positives are handled in a controlled and auditable way, aligning with best practices outlined in the CCIS material. Therefore, Option C is the correct answer.

The Falcon sensor for Windows plays a critical role in Falcon Identity Protection by collecting and validating domain authentication events directly from domain controllers. According to the CCIS curriculum, the sensor inspects authentication protocols such as Kerberos, NTLM, and LDAP through Authentication Traffic Inspection (ATI) .

This telemetry enables Falcon Identity Protection to analyze authentication behavior, build identity baselines, detect anomalies, and generate identity-based detections. The sensor does not enforce password policies, manage permissions, or encrypt network traffic—those functions belong to Active Directory and network infrastructure components.

By providing high-fidelity authentication telemetry without relying on log ingestion, the Falcon sensor enables real-time identity threat detection and Zero Trust enforcement. Therefore, Option D is the correct and verified answer.