The NIST SP 800-207 Zero Trust Architecture framework fundamentally rejects the concept of implicit trust based on network location. As outlined in both NIST guidance and reinforced in the CCIS curriculum, all users must be continuously validated and authenticated regardless of whether they are inside or outside the network perimeter .

Zero Trust assumes that threats can originate from anywhere, including internal networks. Therefore, authentication and authorization decisions must be made dynamically using identity, device posture, behavior, and risk signals—not network placement.

Falcon Identity Protection aligns directly with this principle by continuously evaluating identity behavior for all users , whether they authenticate from internal corporate networks, remote locations, or cloud environments.

Because Zero Trust applies universally, Option C is the correct and verified answer.

To retrieve identity-based detections and incident-related data using the CrowdStrike APIs, the API key must include the correct permission scope . According to the CCIS curriculum, the Identity Protection Detections scope is required to access identity-based detection and incident information through GraphQL.

This scope allows API queries to retrieve:

Identity-based detections

Associated incident metadata

Detection attributes such as severity, status, and related entities

Incident data in Falcon Identity Protection is derived from detections , making the Detections scope the authoritative permission set for this information. Without this scope, GraphQL queries related to identity detections and incidents will fail authorization.

The other scopes are either too narrow or unrelated to detection retrieval. Therefore, Option A is the correct and verified answer.

Falcon Identity Protection enforces role-based access control (RBAC) to ensure that only authorized users can create, modify, or manage policy rules. Policy rules directly impact identity enforcement actions, making proper role separation critical.

According to the CCIS documentation, the ability to enable and disable policy rules is granted to the Identity Protection Policy Manager and the Falcon Administrator roles. These roles are explicitly designed to manage enforcement logic, triggers, and automated identity controls.

The Identity Protection Domain Administrator role, however, is limited to domain-level visibility and management , such as reviewing domain configurations, monitoring risks, and assessing posture. This role does not have permissions to modify or control policy enforcement behavior.

This separation prevents accidental or unauthorized changes to identity enforcement rules. Therefore, Option A is the correct and verified answer.

Falcon Identity Protection is architected as a log-free identity security platform , a core tenet emphasized throughout the CCIS curriculum. Unlike traditional SIEM- or log-based solutions, Falcon Identity Protection does not require string-based queries to continuously assess identity events or associate them with threats.

Instead, the platform relies on machine-learning-powered detection rules , real-time authentication traffic inspection , and API-based connectors to collect and analyze identity telemetry directly from domain controllers and identity providers. This approach eliminates the operational complexity of building, tuning, and maintaining query logic.

String-based queries are commonly associated with legacy log aggregation tools and SIEM platforms, where analysts must manually search logs to identify suspicious behavior. Falcon Identity Protection replaces this model with behavioral baselining and automated correlation , enabling continuous identity risk assessment without human-driven query execution.

Because Falcon does not require string-based queries to operate, Option D is the correct and verified answer.

GraphQL is the underlying query technology used by multiple CrowdStrike platforms, including Falcon Identity Protection. According to the CCIS curriculum, GraphQL examples are documented under the broader “CrowdStrike APIs” documentation category , not limited to a single product.

The CrowdStrike APIs section includes:

Authentication and API key usage

GraphQL schema references

Example GraphQL queries and mutations

Pagination, filtering, and response handling

While Identity Protection uses GraphQL for identity-specific queries, the examples themselves are centralized under CrowdStrike APIs to provide consistency across Falcon modules. Product-specific use cases are then layered on top of these core examples.

The other options are incorrect:

Threat Intelligence focuses on adversary data.

XDR covers detection and correlation concepts.

Identity Protection APIs describe endpoints and permissions, not general GraphQL usage examples.

Therefore, Option A is the correct and verified answer.

Falcon Identity Protection establishes a user baseline by observing authentication behavior over time, including login frequency, endpoints used, access patterns, and protocol usage. According to the CCIS curriculum, Falcon typically requires approximately one week of consistent activity to develop an initial, reliable baseline for a user.

This baseline allows Falcon to distinguish normal behavior from anomalies and to calculate accurate risk scores. While the baseline continues to mature over time and becomes more precise with additional data, the first usable behavioral model is generally formed within a week.

Longer timeframes such as one or three months are not required to begin detecting abnormal behavior. Conversely, periods shorter than a week may not provide sufficient behavioral data to accurately model normal usage patterns.

Because Falcon can rapidly establish a functional baseline while continuously refining it, Option C (One week) is the correct and verified answer.

In Falcon Identity Protection, default insights are prebuilt analytical views provided by CrowdStrike to immediately highlight common and high-impact identity risks across the environment. These default insights are automatically available in the Risk Analysis and Insights areas and are designed to surface well-known identity exposure patterns without requiring customization.

Examples of default insights include Using Unmanaged Endpoints , GPO Exposed Password , and Compromised Password . These insights are natively provided because they represent frequent and high-risk identity attack vectors such as credential exposure, unmanaged authentication sources, and password compromise, all of which directly contribute to elevated identity risk scores.

Poorly Protected Accounts with SPN (Service Principal Name) , however, is not provided as a default insight . While Falcon Identity Protection does collect and analyze SPN-related risk signals—such as Kerberoasting exposure and weak service account protections—this specific grouping must be created by administrators using custom insight filters . Custom insights allow teams to define precise conditions, combine attributes (privilege level, SPN presence, password age, MFA status), and tailor risk visibility to their organization’s threat model.

This distinction is emphasized in the CCIS curriculum, which explains that custom insights extend beyond default coverage , enabling deeper, organization-specific identity risk analysis. Therefore, Option D is the correct answer.

The Enforce section of Falcon Identity Protection is dedicated to policy-based identity enforcement. According to the CCIS curriculum, this section allows administrators to define and manage Policy Rules and Policy Groups that specify how the platform should respond when identity-related conditions are detected.

These rules evaluate triggers such as risky authentication behavior, privilege misuse, compromised credentials, or elevated risk scores, and then execute actions like blocking access, enforcing MFA, or initiating Falcon Fusion workflows. Enforce is therefore the execution layer of Falcon’s identity security model.

The other options correspond to different sections of the platform:

Configuration tasks are handled in Configure.

Detections and incidents are reviewed in Monitor or Explore.

Domain posture overviews are displayed in Domain Security Overview.

Because Enforce directly controls what actions are taken in response to identity risk, Option B is the correct and verified answer.

Falcon Identity Protection calculates user risk scores based on a combination of privilege level , credential exposure , and behavioral indicators . According to the CCIS curriculum, a privileged user with a compromised password represents one of the highest-risk identity scenarios.

Privileged accounts—such as administrators or service accounts with elevated access—already pose increased risk due to their access scope. When Falcon detects that such an account’s credentials have been compromised, the risk escalates significantly because attackers can immediately gain high-impact access without further escalation.

The other options do not inherently represent the same level of risk:

Logging in from a shared endpoint may increase risk but is context-dependent.

Stale users are risky but typically lower risk than active compromised credentials.

Domain Admin group membership alone does not imply compromise.

Because credential compromise combined with privilege dramatically increases attack potential, Option B is the correct and verified answer.

In Falcon Identity Protection, a user baseline is established by observing consistent and repeatable behavior over time, including authentication patterns, endpoint associations, and usage context. According to the CCIS curriculum, one of the strongest indicators that a user has an established baseline is the presence of endpoints for which the user is identified as an owner .

Endpoint ownership is determined through historical authentication behavior and usage frequency. When Falcon identifies that a user consistently logs into specific endpoints over time, those endpoints are marked as owned , which signifies that sufficient historical data exists to confidently model the user’s normal behavior. This ownership relationship is only created after Falcon has observed the user long enough to establish a reliable baseline.

The other options do not definitively indicate a baseline:

Logging into multiple endpoints may occur during initial discovery or anomalous activity.

A risk score reflects current risk posture, not baseline maturity.

Recent logon activity alone does not imply historical consistency.

Because endpoint ownership requires sustained, predictable behavior over time , it is the clearest indicator that Falcon has successfully established a user baseline. Therefore, Option B is the correct and verified answer.