Is the CCIS practice exam free?

Yes. ExamCademy offers all 88 CCIS practice questions for free with a registered account. No payment needed. Optional supporter features add AI explanations and spaced repetition study tools.

How accurate are the CCIS practice questions?

All CCIS questions are community-created and reviewed by moderators to align with CrowdStrike's published exam objectives. The community continuously reports and fixes issues to keep content accurate and up to date.

How should I study for the CCIS exam?

Start by browsing practice questions to identify weak areas. Use spaced repetition (Learn Mode) to focus study time on topics you struggle with. Combine practice questions with official CrowdStrike documentation and hands-on experience for best results.

CCIS Practice Exam — Free 88+ Questions

88Practice Questions

3Study Modes

FreeTo Get Started

Topic:Sort:

Question 1

User Assessment

Question 2

Threat Hunting and Investigation

Question 3

Risk Management with Policy Rules

Question 4

Falcon Identity Protection Fundamentals

Question 5

Identity Protection Tenets

Question 6

Falcon Identity Protection Fundamentals

Question 7

GraphQL API

Question 8

Risk Assessment

Question 9

Risk Management with Policy Rules

Question 10

Falcon Identity Protection Fundamentals

Question 11

Falcon Identity Protection Fundamentals

Question 12

Falcon Identity Protection Fundamentals

Question 13

Risk Assessment

Question 14

Threat Hunting and Investigation

Question 15

Risk Assessment

Question 16

Risk Management with Policy Rules

Question 17

Falcon Identity Protection Fundamentals

Question 18

Identity Protection Tenets

Question 19

MFA and IDAAS Configuration Basics

Question 20

User Assessment

Question 21

Risk Management with Policy Rules

Question 22

Falcon Identity Protection Fundamentals

Question 23

Falcon Identity Protection Fundamentals

Question 24

Identity Protection Tenets

Question 25

Risk Management with Policy Rules

Page 1 of 4 • Questions 1-25 of 88

1 2 3 4

→

Know a question that should be here? Contribute to this exam

What does the following Icon indicate about the user?

Question Image

A Never logged in
B Stale
C Not connected
D Disabled

When an endpoint which has not been used in the last _______________ becomes active, a detection for Use of Stale Endpoint is reported.

A 180 days
B 90 days
C 30 days
D 60 days

What is the purpose behind creating Policy Rules?

A Policy Rules determine what actions to take in response to certain triggers/conditions observed within the environment
B Policy Rules determine what actions an admin in the console can take before making adjustments
C Policy Rules determine how the console tracks and learns behavior for users in the environment
D Policy Rules determine the scope in which the sensor collects information on the environment

Using the Identity Protection API, which role is used to return any admin user?

A "roles": "AdminAccountRole"
B "roles": DomainAdminsRole"
C "roles": BusinessPrivilegeRole"
D "roles": PrivilegedAccountRole"

Which of the following is a valid format for uploading a custom dictionary for compromised passwords?

A Comma-Separated Value (CSV) file
B A text (txt) file
C Tab-Separated Value (TSV) file
D Extensive Markup Language (XML) file

Which of the following are minimum requirements for showing the Falcon Identity Verification Dialog on the end user's machine?

A Tenant Domain, Client Secret User Identifier
B Tenant Domain, Application ID, Scope
C Tenant Domain, Application ID, Application Secret
D Tenant Domain, Token Configuration File

When creating an API client, which scope with Write permissions must be enabled prior to using Identity Protection API?

A Identity Protection Health
B Identity Protection GraphQL
C There is no need for Write permissions in order to use IDP API
D Identity Protection Assessment

What is the minimum risk score for an entity to be considered "High Risk"?

A 7
B 7.5
C 8
D 8.5

How could a conditional access policy prevent a threat actor from using a privileged account?

A Automatically reset privileged account passwords every 30 days
B Prevent users from logging in outside business hours
C Require multi-factor authentication when a privileged account is used from an endpoint outside the user's baseline
D Audit RDP to identity unusual access by privileged users

Which section of the Falcon menu holds information about Domain Security Overview, Identity Based Detections, Detections Dashboard, Identity-Based Incidents, and Privileged Identities?

A Explore
B Enforce
C Monitor
D Configure

What role does a human authorizer play in the context of CrowdStrike Falcon Identity Protection?

A They enforce password complexity rules for programmatic accounts
B They have the authority to approve or deny multi-factor authentication requests on behalf of programmatic accounts
C They are responsible for generating encryption keys for programmatic accounts
D They analyze traffic data and provide recommendations for access approval

Which of the following actions under the Investigate menu will pivot to Falcon Identity Protection from an Identity-based detection?

A Investigate involved users
B Investigate involved endpoints
C Search for involved entities in Threat Hunter
D Search for events in Threat Hunter

Remediating which severity level would have the most impact on a user's risk score?

A High
B Medium
C Low
D Critical

A detection is a warning about a(n) _______________ security event; an event that does not conform to the pattern of behavior for an entity.

A risky
B active
C anomalous
D exclusion

On the Risk Analysis dashboard, ________________ displays a four-quadrant graph that plots the risk score and impact for each department or OU.

A Membership by Impact
B Outliers
C Risk Matrix
D Impact by Severity

You have been tasked with protecting shares on the Human Resources file server with Multi-Factor Authentication. Which of the following policy conditions would you use to trigger a Policy Rule?

A User type
B Data source
C Access type
D Source network type

Where in the Identity Protection Module can one view the monitoring status of domain controllers?

A Connectors
B System Notifications
C Domains
D Settings

The Enforce section of Identity Protection is used to:

A Configure domains, appliances, subnets, connectors, risk configuration, and settings
B Define policy rules that determine what actions to take in response to certain triggers observed in the environment
C View all Identity Based Detections and identity based incidents in the environment
D Gain an overview of the domain and indicate whether the domain follows best security practice

To enable sending Multi-factor authentication (MFA) requests to an end user, the external MFA provider must be configured first. How long does it take to register the change?

A 30 minutes
B 10 minutes
C 5 minutes
D 40 minutes

In the _______________ view, user accounts will have some of the following data: Organizational Unit, Domain / Tenant, Title, Department.

A Dating Profile
B User Management
C Business Card
D Name Plate

An administrator wants to remove a rule from an existing rule group. How would that be accomplished?

A Open the three-dot menu and select "Remove from group"
B Open the three-dot menu and select "Detach from group"
C Select the checkbox next to the individual rule and click "Ungroup"
D Click and drag the rule out of the group

Falcon Identity Protection can continuously assess identity events and associate them with potential threats WITHOUT which of the following?

A Ingesting logs
B API-based connectors
C The need for string-based queries
D Machine-learning-powered detection rules

How does Falcon Identity Protection work to mitigate threats that bypass the traditional MITRE framework?

A Refreshes TTPs directly from the MITRE framework on a recurring basis
B Combines the MITRE ATT&CK framework with the Cyber Kill Chain
C Complementing the MITRE framework with Falcon-specific detection methods
D Complementing the MITRE framework with other threat intelligence platforms

Which of the following would cause an identity based incident type to change?

A A user changed the incident type in the console
B An exclusion added to the incident
C A user linked detections to the incident in the console
D Detections related to the incident

In CrowdStrike Falcon Identity Protection, what can be done when abnormal or risky user behavior is detected?

A The incident can be escalated to the security team for further investigation
B The Falcon user can be automatically granted additional access privileges
C An Identity Protection message can be sent to the user and incident logs generated
D A Policy Rule can be applied to challenge the user for a second factor

CCISPreview

About the CCIS Exam

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25

CCISPreview

About the CCIS Exam

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25