Falcon Identity Protection evaluatesdomain riskby analyzing identity-related weaknesses such as insecure authentication protocols, legacy directory configurations, and exposure to credential-based attacks. Actions that harden Active Directory and authentication mechanisms will directly reduce domain risk scores.

Measures such asenabling SMB signing,enforcing NTLMv2, andupgrading unsupported operating systemsremove common identity attack paths and are explicitly recommended in the CCIS curriculum as effective domain risk remediation steps.

In contrast,upgrading end-of-life Acrobat Readeraddresses anendpoint application vulnerability, not an identity or directory-related risk. While important for endpoint hygiene, it does not influence identity telemetry, authentication behavior, or domain controller security assessed by Falcon Identity Protection.

Because domain risk scoring is strictly tied to identity infrastructure and authentication posture,Option Bdoes not contribute to lowering the domain risk score and is therefore the correct answer.

Falcon Identity Protection automatically differentiateshuman and programmatic accountsby analyzingauthentication traffic patterns. According to the CCIS curriculum, the platform uses behavioral analytics to observe how accounts authenticate, including frequency, protocol usage, timing, and access patterns.

Human users typically authenticate interactively and exhibit variable behavior, while programmatic or service accounts authenticate predictably and non-interactively. Falcon leverages these differences to automatically classify account types without requiring manual tagging or administrative input.

This classification is critical for accurate risk scoring, privilege analysis, and detection logic. Programmatic accounts often carry elevated privileges and long-lived credentials, making them attractive targets for attackers. Automatically identifying them allows Falcon to apply appropriate risk models and detections.

Because Falcon usesauthentication traffic analysisto classify account types,Option Cis the correct and verified answer.

Falcon Identity Protection is designed to address the growing threat ofidentity brokers, which act as intermediaries that abuse identity infrastructure to facilitate lateral movement, privilege escalation, and persistent access. The CCIS curriculum emphasizes that Falcon Identity Protection providesproactive identity risk mitigationrather than reactive session monitoring or password vaulting.

The platform continuously inspects authentication traffic and identity behavior across Active Directory and Azure AD environments, building behavioral baselines and identifying abnormal activity associated with brokered identity attacks. ThroughPolicy Rules, organizations can automatically enforce controls such as blocking risky authentications, enforcing MFA, or triggering remediation workflows when identity abuse is detected.

The incorrect options describe capabilities associated withPrivileged Access Management (PAM)orIAM middleware, which are not the focus of Falcon Identity Protection. Falcon does not record interactive sessions, act as an HRIS bridge, or store delegated credentials. Instead, it protects identity infrastructure bydetecting and preventing identity misuse in real time.

This proactive enforcement model aligns directly with Zero Trust principles and makes Falcon Identity Protection a strong solution against identity broker activity. Therefore,Option Cis the correct and verified answer.

Authentication Traffic Inspection (ATI) is enabled throughIdentity Configuration Policies, which define how the Falcon sensor captures and inspects identity-related network traffic. According to the CCIS documentation, ATI configuration is performed underConfigure > Identity Configuration Policies.

These policies allow administrators to specify which authentication protocols are inspected, which domain controllers are covered, and how identity telemetry is collected. This configuration step is mandatory to enable identity visibility and detection capabilities.

The Enforce menu is used for policy rules and automated actions, not traffic inspection. General settings do not control sensor inspection behavior. Because ATI directly affects sensor data capture, it is managed exclusively through Identity Configuration Policies.

Therefore,Option Dis the correct and verified answer.

In Falcon Identity Protection, detection status is visually indicated using atoggle controlwithin the detection configuration interface. According to the CCIS documentation, when a detection isenabled, the toggle next toDetection Enabledis displayed ingreen.

A green toggle indicates that the detection logic is active and that Falcon will generate detections when the defined conditions are met. When the toggle is gray, the detection is disabled and will not generate alerts or contribute to incident formation.

Falcon does not rely on textual “Enabled” or “Disabled” tags to indicate detection status. Instead, the toggle color provides a clear, immediate visual indicator to administrators.

Because agreen toggleexplicitly represents an enabled detection,Option Bis the correct and verified answer.

In Falcon Identity Protection,identity-based incidents are dynamicand can evolve over time as additional detections are associated with them. According to the CCIS curriculum, an incident’stype is automatically recalculatedbased on thedetections related to the incident, not by manual user actions.

As new identity-based detections are generated—such as credential misuse, lateral movement attempts, or abnormal authentication behavior—the platform continuously reassesses the incident. If the newly added detections indicate a different or more severe attack pattern, Falcon may automaticallychange the incident typeto better reflect the observed threat activity.

Manual actions such as adding exclusions or linking detections do not directly change the incident type. Similarly, users cannot manually override an incident’s classification. The classification logic is driven entirely by Falcon’s analytics engine to ensure consistent, objective threat categorization.

This automated behavior is emphasized in CCIS training to highlight Falcon’s ability toadapt incident context as attacks progress, makingOption Dthe correct answer.

Policy Rules in Falcon Identity Protection are designed to automate enforcement and response actions based on identity-related conditions observed in the environment. According to the CCIS curriculum, Policy Rules evaluate identity signals such as authentication behavior, risk levels, privilege status, and detection outcomes, then execute predefined actions when specific criteria are met.

These actions may include blocking authentication, enforcing MFA, generating alerts, or triggering Falcon Fusion workflows. This design supports Falcon’s Zero Trust and continuous validation model, where trust decisions are dynamically enforced rather than statically assigned. Policy Rules therefore act as the operational bridge between identity analytics and enforcement.

The incorrect options confuse Policy Rules with other platform components. Administrative permissions are governed by RBAC, sensor data collection scope is controlled through configuration settings, and behavioral learning is handled by Falcon’s analytics engine—not Policy Rules.

The CCIS documentation explicitly defines Policy Rules as logic-based enforcement mechanisms, making Option A the correct and verified answer.