To integrate Falcon Identity Protection withAzure AD (Entra ID)as an Identity-as-a-Service (IDaaS) provider, specific application-level credentials are required. According to the CCIS curriculum, the connector configuration requiresTenant Domain,Application (Client) ID, andApplication Secret.
These values are generated when registering an application in Azure AD and are used to authenticate Falcon Identity Protection securely via OAuth-based API access. This method ensures least-privilege access and allows the connector to ingest cloud authentication activity and apply SSO-related policy enforcement.
Other options list incomplete or incorrect credential combinations. Therefore,Option Dis the correct and verified answer.

GraphQL is the underlying query technology used by multiple CrowdStrike platforms, including Falcon Identity Protection. According to the CCIS curriculum,GraphQL examples are documented under the broader "CrowdStrike APIs" documentation category, not limited to a single product.
The CrowdStrike APIs section includes:
* Authentication and API key usage
* GraphQL schema references
* Example GraphQL queries and mutations
* Pagination, filtering, and response handling
While Identity Protection uses GraphQL for identity-specific queries, the examples themselves are centralized underCrowdStrike APIsto provide consistency across Falcon modules. Product-specific use cases are then layered on top of these core examples.
The other options are incorrect:
* Threat Intelligence focuses on adversary data.
* XDR covers detection and correlation concepts.
* Identity Protection APIs describe endpoints and permissions, not general GraphQL usage examples.
Therefore,Option Ais the correct and verified answer.

In Falcon Identity Protection,identity-based incidents are dynamicand can evolve over time as additional detections are associated with them. According to the CCIS curriculum, an incident'stype is automatically recalculatedbased on thedetections related to the incident, not by manual user actions.
As new identity-based detections are generated-such as credential misuse, lateral movement attempts, or abnormal authentication behavior-the platform continuously reassesses the incident. If the newly added detections indicate a different or more severe attack pattern, Falcon may automaticallychange the incident typeto better reflect the observed threat activity.
Manual actions such as adding exclusions or linking detections do not directly change the incident type.
Similarly, users cannot manually override an incident's classification. The classification logic is driven entirely by Falcon's analytics engine to ensure consistent, objective threat categorization.
This automated behavior is emphasized in CCIS training to highlight Falcon's ability toadapt incident context as attacks progress, makingOption Dthe correct answer.

In the Domain Security Overview,Scopeis a configurable setting that allows administrators toswitch between Active Directory domains and Azure tenants. This capability is essential for organizations managing multiple identity environments, as it enables targeted risk assessment and comparison across different identity infrastructures.
The CCIS documentation explains that Scope determineswhich domain or tenant's identity data is displayedin the Overview dashboard, including risk scores, trends, and prioritized remediation guidance.
Changing the scope does not alter risk calculations; it simply refocuses the analysis on the selected identity environment.
Other options are incorrect because:
* Privileged Identities represent a subset of users, not a switchable setting.
* Domains are entities, not a dashboard control.
* Goal changes how risks are evaluated, not which environment is displayed.
By allowing granular control over which domain or tenant is analyzed, Scope supports accurate identity risk management in complex, hybrid environments. Therefore,Option Dis the correct answer.