CrowdStrike Falcon Identity Threat Detection

CrowdStrike Falcon® Identity Threat Detection enables hyper-accurate detection of identity-based threats in real time, leveraging AI and behavioral analytics to provide deep, actionable insights to stop modern attacks like ransomware.


Insights & Analytics for All Credentials

Falcon Identity Threat Detection lets you see all service and privileged accounts on your network and in the cloud, with full credential profiles and weak-authentication discovery across every domain. Analyze every domain in your organization for exposure from stale credentials and weak or stale passwords, and see all service connections and weak authentication protocols in use.

Detect lateral movement for authenticated accounts

Falcon Identity Threat Detection monitors the domain controllers on premises or in the cloud (via API) to see all authentication traffic. It creates a baseline for every entity and compares current behavior against that baseline to detect unusual lateral movement, Golden Ticket attacks, Mimikatz traffic patterns and other related threats. It can also help you see privilege escalation and anomalous service account activity.

AD Security without using logs

Falcon Identity Threat Detection reduces time to detect by viewing live authentication traffic rather than logs, which expedites finding and resolving incidents. See real-time events and potential incidents during authentication by rogue users of any type. It offers curated traffic feeds to enrich the "what" of identity protection events with the "who" of credential identification.


How Falcon Identity Threat Detection Works

Automated threat detection

  • Provides continuous multi-directory visibility into the status, scope, and impact of access privileges for identities across Microsoft Active Directory (AD), Azure AD, and cloud single sign-on (SSO) solutions
  • Automatically classifies identities into hybrid (identities that exist both in on-premises AD and in the cloud) and cloud-only (identities that reside only in Azure AD), each with a risk score. Flag accounts as honeytokens to safely lure adversaries and track their attack paths with dedicated insights.
  • Detects lateral movement and anomalous traffic in real time by any user or service account
  • Provides correlated events and risk scoring that can track by credential or entity/endpoint for all related activity for incident response

Simple controls, no scripting needed

  • Falcon Identity Threat Detection offers simple, point-and-click functionality for discovering all the credentials across your environment and their security posture on managed or unmanaged devices, as well as service account activity.
  • Provides continuous assessment of security and incidents around identity threats, with easy search features within Threat Hunter that allow the AD team or security analysts to find issues quickly and investigate. Threat Hunter also takes human input (resolution of incidents, etc.) to create incident records for troubleshooting and incident response (IR) teams
  • Uncovers reconnaissance (e.g., LDAP enumeration, BloodHound, SharpHound, credential compromise attacks), lateral movement (e.g., RDP, SMB to DC, the Mimikatz tool, unusual endpoint usage, unusual service logins, duplicate passwords, etc.), and persistence (e.g., Golden Ticket attack) with advanced analytics and patented machine learning technology
  • Speeds up security investigations using intuitive threat hunting, with predefined search criteria, e.g. authentication events, unencrypted protocols, user roles, IP reputation, risk scores and more — and with best practice advice
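To make the baselining idea concrete (the per-entity baseline described under "Detect lateral movement for authenticated accounts", plus the weak-protocol and honeytoken checks listed above), here is a small added example that is not CrowdStrike code. Every event, account and host name is constructed, and the choices of NTLMv1 as the "weak" protocol and of three new destinations as the fan-out threshold are assumptions made for the illustration.

```python
# Added illustration (not CrowdStrike's implementation): build a per-account
# baseline of destination hosts from a learning window, then flag new-host
# fan-out, weak authentication protocols and honeytoken use in a later window.
from collections import defaultdict

# Constructed sample events: (day, account, source host, destination host, protocol).
# All names are invented; "ht_finance" plays the role of a honeytoken account.
BASELINE_EVENTS = [
    ("d1", "alice", "ws01", "fs01", "Kerberos"),
    ("d1", "alice", "ws01", "mail01", "Kerberos"),
    ("d2", "alice", "ws01", "fs01", "Kerberos"),
    ("d1", "svc_backup", "bk01", "fs01", "Kerberos"),
    ("d2", "svc_backup", "bk01", "fs02", "Kerberos"),
]
NEW_EVENTS = [
    ("d3", "alice", "ws01", "fs01", "Kerberos"),       # within baseline
    ("d3", "alice", "ws01", "dc01", "NTLMv1"),         # new host and weak protocol
    ("d3", "alice", "ws01", "ws07", "Kerberos"),       # new host
    ("d3", "alice", "ws01", "ws09", "Kerberos"),       # new host: fan-out of 3
    ("d3", "svc_backup", "bk01", "fs02", "Kerberos"),  # within baseline
    ("d3", "ht_finance", "ws07", "fs01", "Kerberos"),  # honeytoken used at all
]
HONEYTOKENS = {"ht_finance"}
WEAK_PROTOCOLS = {"NTLMv1"}  # assumption: protocols treated as weak
NEW_HOST_THRESHOLD = 3       # assumption: new destinations per account per window

def build_baseline(events):
    """Map each account to the set of destination hosts it normally reaches."""
    baseline = defaultdict(set)
    for _, account, _, dest, _ in events:
        baseline[account].add(dest)
    return baseline

def detect(baseline, events):
    """Return (account, finding) pairs for anomalies in the detection window."""
    findings = []
    new_hosts = defaultdict(set)
    for _, account, _, dest, proto in events:
        if account in HONEYTOKENS:          # any honeytoken logon is a finding
            findings.append((account, f"honeytoken logon to {dest}"))
        if proto in WEAK_PROTOCOLS:         # weak protocol in use
            findings.append((account, f"weak protocol {proto} to {dest}"))
        if dest not in baseline.get(account, set()):
            new_hosts[account].add(dest)    # destination outside the baseline
    for account, hosts in new_hosts.items():
        if len(hosts) >= NEW_HOST_THRESHOLD:  # fan-out to many new hosts
            findings.append((account, f"possible lateral movement: {len(hosts)} new hosts {sorted(hosts)}"))
    return findings
```

A production system would age the baseline, weight by protocol and privilege, and correlate across endpoints; this only shows the baseline-then-compare shape.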

MITRE ATT&CK® coverage

Falcon Identity Threat Detection maps its detections to the MITRE ATT&CK framework to help you build more complete security coverage. It offers detections for many sub-techniques under these top-level categories:

  • Reconnaissance, execution, persistence, privilege escalation
  • Defense evasion, credential access, discovery, lateral movement
  • Collection, command and control, impact, removal

Customers trust CrowdStrike

[Customer logos: Expensify, Full, Verizon, Deloitte, Goldman Sachs, Lands End]

Tested and proven leader

CrowdStrike is proud to be recognized as a leader by industry analysts and independent testing organizations.

Gartner peer logo

“This really helps to detect incidents as cyberattacks and react – indeed, we need to go fast, it is easy to navigate, the GUI is really simple” – CISO, $1B Services Company


“We got unprecedented visibility into our Active Directory environment as soon as we started with the proof of concept (POC). Falcon Identity Threat Detection was easy to deploy and provided live visibility into authentication traffic, authentication policies, user roles, where the users are logging in from, which resources they are accessing, and so much more.” – Systems Security Engineer, $3B Finance Company


“With a really simple user interface and real-time threat detection, I’d say Falcon Identity Threat Detection is helping us secure the identity layer from sophisticated threats that compromise user accounts.” – CTO, $10B Finance Company