
CrowdStrike Falcon Identity Threat Detection
Detect identity threats in real time

Falcon Identity Threat Detection

CrowdStrike Falcon Identity Threat Detection enables highly accurate detection of identity-based threats in real time, using AI and behavioral analytics to provide deep, actionable insight that stops modern attacks such as ransomware.

See Live Identity Attack Traffic

CrowdStrike Falcon Identity Threat Detection, part of the CrowdStrike Falcon Platform, provides visibility into identity-based attacks and anomalies by comparing live traffic against behavior baselines and rules to detect attacks and lateral movement. Real-time identity threat detection alerts on compromised credentials, infected machines within the network or cloud, and other unusual authentication traffic. Since most breaches involve compromised credentials and lateral movement, the best path to securing every domain in your environment is to automate threat detection and to apply dynamic risk profiling and alerting to identity traffic.

Real-Time Traffic Alerting

Detect anomalous activity without requiring logs. Falcon Identity Threat Detection offers a low false positive rate and the ability to catch threats that are difficult to detect with post-event, log-based security tools.

Hybrid Identity Store-Ready

Falcon Identity Threat Detection works with identity stores on-premises or in the cloud, and for users and applications anywhere, without any agents on endpoints or servers other than the domain controllers.

Key Benefits of Choosing Identity Threat Detection

Know what accounts are doing before breaches happen


Falcon Identity Threat Detection lets you see all service and privileged accounts on your network and in the cloud, with full credential profiles and weak authentication discovery across every domain. Analyze every domain in your organization for potential exposure from stale credentials and weak or stale passwords, and see all service connections and weak authentication protocols in use.


Falcon Identity Threat Detection monitors the domain controllers on premises or in the cloud (via API) to see all authentication traffic. It creates a baseline for every entity and compares live behavior against it to flag unusual lateral movement, Golden Ticket attacks, Mimikatz traffic patterns and other related threats. It can also help you see privilege escalation and anomalous service account activity.


Falcon Identity Threat Detection reduces time to detect by viewing live authentication traffic, which speeds up finding and resolving incidents. See real-time events and potential incidents during authentication by rogue users of any type. It offers curated traffic feeds that enrich the "what" of identity protection events with the "who" of credential identification.

Automated Threat Detection

  • Provides continuous multi-directory visibility into the status, scope, and impact of access privileges for identities across Microsoft Active Directory (AD), Azure AD, and cloud single sign-on (SSO) solutions

  • Automatically classifies identities into hybrid (identities present in both on-premises AD and Azure AD) and cloud-only (identities that reside only in Azure AD), each with a risk score

  • Detects lateral movement and anomalous traffic in real time by any user or service account

  • Provides correlated events and risk scoring that track all related activity by credential or by entity/endpoint, for use in incident response

Simple Controls - No Scripting Needed

  • Falcon Identity Threat Detection offers simple, point-and-click functionality for discovering all the credentials across your environment and their security posture on managed or unmanaged devices, as well as service account activity.

  • Provides continuous assessment of security posture and incidents around identity threats, with easy search features within Threat Hunter that let the AD team or security analysts find and investigate issues quickly. Threat Hunter also takes human input (resolution of incidents, etc.) to create incident records for troubleshooting and incident response (IR) teams

  • Uncovers reconnaissance (e.g., LDAP enumeration, BloodHound, SharpHound, credential compromise attacks), lateral movement (e.g., RDP, Mimikatz, unusual endpoint usage, unusual service logins) and persistence (e.g., Golden Ticket attacks) with advanced analytics and patented machine learning technology

  • Speeds up security investigations using intuitive threat hunting with predefined search criteria (e.g., authentication events, unencrypted protocols, user roles, IP reputation, risk scores and more) and with best-practice advice


Falcon Identity Threat Detection maps its detections to the MITRE ATT&CK framework to help you build more complete security coverage. It offers detections for many sub-groups of these top-level techniques:

  • Reconnaissance, Execution, Persistence, Privilege Escalation

  • Defense Evasion, Credential Access, Discovery, Lateral Movement

  • Collection, Command & Control, Impact, Removal

Key Capabilities

Discover all identities - even stale accounts - and detect identity threats in real time.

Extended Protocol Coverage

Falcon Identity Threat Detection provides granular visibility into incidents involving protocols such as NTLM, Kerberos and LDAP/S, which are difficult or impossible to detect with traditional tools such as next-generation firewalls and user and entity behavior analytics (UEBA).

Speed to Value

Most installations take less than an hour to see all identities on the network and start identifying anomalies immediately.

Behavior-Based Indicators and Profiling

Falcon Identity Threat Detection profiles are built from both static information from identity stores and dynamic information gathered in real time, to catch insider threats, lateral movement, and privilege or service account abuse. Eliminate risk guesswork and prioritize authentication tasks based on 100+ behavior analytics and risk scores for every account.

Visibility into Identity Store Attacks

Detect identity store threats (and typical red-team exercise tests) such as NTLM/LDAPS protocol threats, Golden Ticket attacks, Pass-the-Hash and other credential theft, as well as persistence techniques.

Tools for Incident Response

Falcon Identity Threat Detection's built-in Threat Hunter feature offers visibility into all credential attacks for incident response, showing the chain of activity and the subsequent increase in risk score. Threat Hunter is easy to use: no command-line interface or specialized security knowledge is required to operate and administer it. It integrates with many popular ticketing platforms.

Deep Integration with Other Security Tools

Falcon Identity Threat Detection can export events in Common Event Format (CEF) or Log Event Extended Format (LEEF) to any SIEM, or to SOAR tools via API.


Download the CrowdStrike Falcon Identity Threat Detection Datasheet (.PDF)
