CrowdStrike Identity Specialist Certification Exam Syllabus

The CrowdStrike CCIS exam preparation guide is designed to provide candidates with the necessary information about the Identity Specialist exam. It includes an exam summary, sample questions, a practice test, the objectives, and ways to interpret the exam objectives, so that candidates can assess the types of questions and answers that may be asked during the CrowdStrike Certified Identity Specialist (CCIS) exam.

All candidates are advised to refer to the CCIS objectives and sample questions provided in this preparation guide. The CrowdStrike Identity Specialist certification is mainly targeted at candidates who want to build their career in the Falcon Specialist domain and demonstrate their expertise. We suggest you use the practice exam listed in this cert guide to get used to the exam environment and identify the knowledge areas where you need more work prior to taking the actual CrowdStrike Identity Specialist exam.

CrowdStrike CCIS Exam Summary:

Exam Name: CrowdStrike Identity Specialist
Exam Code: CCIS
Exam Price: $250 USD
Duration: 90 minutes
Number of Questions: 60
Passing Score: 80%
Recommended Training / Books: CCIS Training
Schedule Exam: PEARSON VUE
Sample Questions: CrowdStrike CCIS Sample Questions
Recommended Practice: CrowdStrike Certified Identity Specialist (CCIS) Practice Test

CrowdStrike Identity Specialist Syllabus:

Section Objectives
Zero Trust Architecture
- Describe what the NIST SP 800-207 framework for Zero Trust architecture defines
- Describe the security need and impetus for the Zero Trust architecture
- Describe the implementation of the Zero Trust architecture within Falcon Identity Protection
- Describe the fundamental principles of Zero Trust (continuous validation, etc.)
- Describe the difference between a traditional "wall-and-moat" security model and a modern Zero Trust model
- Describe some of the key use cases for Falcon Zero Trust
- Describe how a Falcon user's Zero Trust Assessment (ZTA) score is calculated
Identity Protection Tenets
- Describe the identity protection architecture employed at CrowdStrike as a part of the Falcon Identity Protection module
- Describe how Falcon Identity Protection inspects traffic in the domain
- Describe how Falcon Identity Protection complements traditional EDR solutions
- Describe how Falcon Identity Protection helps secure against the human elements of security vulnerability
- Describe how Falcon Identity Protection empowers the team to mitigate and prevent identity based exploits and attacks
- Identify key differences between Falcon Identity Protection log-free detections and traditional EDR solutions
- Describe the threat landscape and the need for identity-based security solutions
Falcon Identity Protection Fundamentals
- Identify the menu categories (monitor, enforce, explore and configure) of Falcon Identity Protection
- Describe the contents of each menu category (monitor, enforce, explore and configure) within Falcon Identity Protection
- Identify the goal of each menu category (monitor, enforce, explore and configure)
- Recognize the availability of specific tools limited by product subscription for Identity Threat Detection vs. Identity Threat Protection (ITD vs. ITP)
- Describe the purpose of Falcon Identity Protection in general security terms
- Explain how Falcon Identity Protection works to mitigate threats that bypass traditional MITRE ATT&CK framework vectors
- Describe the Falcon roles working within Falcon Identity Protection and the features available to those roles
Domain Security Assessment
- Explain what the Risk Score represents in the domain
- Describe how the Score Trend is represented and how to affect the score
- Explain the Risk Matrix and how risks are represented
- Describe how to lower the domain risk score
- Explain and describe how to prioritize addressing risks in the domains
- Describe where Falcon Identity Protection fits in the security model
- Explain the factors that contribute to the domain risk scores
- Describe what "Severity," "Likelihood" and "Consequence" mean in terms of potential risk factors related to identity
- Define the goals in the Domain Security overview and how they relate to identity protection outcomes
- Describe how to change the "Goal" and what each goal in the domain security overview is geared toward
- Describe how to change "Scope" and what that does for the Overview dashboard
Risk Assessment
- Describe the categories of entity risk (low, medium, high) and their thresholds
- Demonstrate how to move a user from higher to lower risk
- Describe the elements that contribute to higher Risk Scores
- Explain the Risk Analysis dashboard
- Explain the Event Analysis dashboard
- Apply filters for targeted risk analysis
- Explain how to generate custom insights with filters
- Describe how to create a custom report
- Explain the difference between when one creates a custom insight and when one creates a custom report
- Describe how to export and schedule custom reports
User Assessment
- Describe the attributes and data points associated with users in Falcon Identity Protection
- Explain the difference between a user, an endpoint and an entity
- Describe the difference between human and programmatic accounts
- Describe the icons and their meaning when identifying users
- Explain what the default insights do in the Users view
- Explain how to create custom filters in the Users view
- Describe how high-risk users are baselined
- Explain the risk baselining process and various timelines needed for accurate baselines
- Describe the various risky types of accounts (stale, never logged in, compromised password, etc.) and the risks they pose
- Explain how to add custom lists to the Compromised Password directory
- Explain what risks users with elevated privileges pose and how to assess those users
- Explain the user watchlist and honeytoken accounts
- Describe the use cases for a honeytoken account
Threat Hunting and Investigation
- Describe an identity-based detection
- Describe an identity-based incident
- Describe the investigation pivots available from an identity-based incident
- Explain the difference between an identity-based incident and detection
- Describe how to pivot to related entities
- Explain how to navigate an identity-based incident tree
- Describe the evolution of an incident over time as more detections accumulate
- Describe the information contained in the different types of identity-based detections
- Explain the key information highlighted in various detections
- Describe how to filter and search for detections
- Demonstrate how to investigate the history of an incident and potential incident type changes
- Explain how to enable/disable detection exclusions
- Describe how to add exceptions to detection exclusions
- Describe the logic behind detection exclusions
- Describe the use cases for enabling or disabling detection types
- Describe the difference between a detection-based risk and an analysis-based risk
Risk Management with Policy Rules
- Describe the purpose of policy rules and policy groups
- Demonstrate the policy rule creation process
- Explain the purpose of the various triggers and conditions within a policy rule
- Explain how to enable and disable policy rules
- Explain how to group, ungroup and manage groups of rules
- Describe how to apply any changes made to policy rules
- Describe the Falcon role(s) necessary to write and manage policy rules
Configuration and Connectors
- Describe how to monitor the domain controllers (DCs) in the domain (visibility into the DCs reporting and endpoints per DC)
- Describe how to create and manage subnets
- Explain how to enforce policy rules using subnets
- Explain the risk configuration settings
- Describe how to add exceptions to risk configurations
- Explain the two types of connectors (MFA, IDaaS)
- Explain the two types of MFA connectors (Cloud MFA, On-Premises RADIUS MFA)
- Identify the supported MFA and IDaaS connectors
- Describe where to find connector setup documentation
- Describe how to enable authentication traffic inspection (ATI) on DCs in the domain
- Describe the available configuration options within Falcon Identity Protection policies as they relate to data captured by the Falcon sensor
- Describe what business privileges are, and how they impact entities
- Explain how configured blocklisted/allowlisted countries impact detections
Multifactor Authentication (MFA) and Identity-as-a-service (IDaaS) Configuration Basics
- Explain how to access the IDaaS and MFA configuration settings
- Explain the configuration fields associated with the various connectors
- Describe how to configure the settings for MFA connectors
- Describe how to enable third-party MFA for Falcon Identity Protection
- Describe how Falcon Identity Protection extends the capabilities of existing MFA providers and is not intended to replace them
Falcon Fusion SOAR for Identity Protection
- Describe the building blocks of a Falcon Fusion SOAR workflow
- Explain how to define triggers
- Explain how to add conditions
- Explain what various conditions do and how to combine them to limit the scope of a workflow
- Describe how to create custom, templated, scheduled and on-demand workflows
- Describe how to create branching workflows and loops
- Create workflows in Falcon Fusion SOAR to accomplish specific goals
GraphQL API
- Describe where you can find Identity API (GraphQL) documentation
- Create an API key specific to Falcon Identity Protection
- Describe the differences between the different Falcon Identity Protection API permissions
- Pivot from a Threat Hunter search into GraphQL
- Build a simple query that returns all privileged users with high risk

 
