Falcon Identity Threat Detection
CrowdStrike Falcon® Identity Threat Detection (ITD) offers visibility for identity-based attacks and anomalies, comparing live authentication traffic against baselines as well as detecting attack signatures/patterns.
Request a Demo
Benefits
See identity threats and lateral movement before breaches happen
-
Unify Identity Service and Privileged Account Incidents
Falcon ITD unifies insight for user access to applications, resources and identity stores. It provides actionable insights into user behavior, eliminating security blindspots across hybrid environments. Falcon ITD provides visibility into active escalation of privilege attacks and unexpected service account activity.
-
Detect lateral movement for authenticated accounts
Falcon ITD monitors the domain controllers on premises or in the cloud (via API) to see all authentication traffic. Falcon ITD creates a baseline for all entities and compares behavior against unusual lateral movement, such as RDP requests, Golden Ticket attacks and Mimikatz traffic patterns.
-
Reduce threat detection and response times, without using logs
Falcon ITD reduces time to detect by viewing live authentication traffic, which expedites finding and resolving incidents. Many SOC and SIEM instances do not ingest Active Directory and domain controller logs; Falcon ITD offers up curated traffic feeds to enrich the "what" of identity protection events with the "who" of credential identification.
Features
How Falcon Identity Threat Detection Works

AUTOMATED THREAT DETECTION
- Provides continuous multi-directory visibility into the scope and the impact of access privileges for identities across Microsoft Active Directory (AD) Azure AD, and cloud single sign-on (SSO) solutions
- Automatically classifies identities into hybrid (identities that are on on-premises and cloud AD) and cloud-only (identities that reside only on Azure AD)
- Detects lateral movement and anomalous traffic in real time by any user or service account
- Provides correlated events and risk scoring that can track by credential or entity/endpoint for all related activity for incident response

SIMPLE INTERFACE — NO Command-Line Interface OR SCRIPTING NEEDED
- The Falcon ITD interface offers simple, point-and-click functionality for discovering events and incidents
- Provides continuous assessment of security and incidents around identity threats with easy search features within Threat Hunter, allowing the AD team or security analysts to find the issues quickly and investigate. Threat Hunter also takes human input (resolution of incidents, etc.) to create incident records for troubleshooting and incident response (IR) teams
- Uncovers reconnaissance (e.g. LDAP, BloodHound, SharpHound, credential compromise attacks), lateral movement (e.g., RDP, mimikatz tool, unusual endpoint usage, unusual service logins, etc), and persistence (e.g. Golden Ticket attack) with advanced analytics and patented machine learning technology
- Speeds up security investigations using intuitive threat hunting, with predefined search criteria, e.g. authentication events, unencrypted protocols, user roles, IP reputation, risk scores and more — and with best practice advice

MITRE ATT&CK® COVERAGE
Falcon ITD maps against the MITRE ATT&CK framework to help you build a more complete security coverage. Falcon ITD offers detections for many sub-groups of these top-level techniques:
- Reconnaissance, Execution, Persistence, Privilege Escalation
- Defense Evasion, Credential Access, Discovery, Lateral Movement
- Collection, Command & Control, Impact, Removal
Product Validation