🌐
CrowdStrike
crowdstrike.com › tech-hub › identity-protection › crowdstrike-falcon-identity-protection-policies
Get Started with CrowdStrike Falcon Identity Protection Policies | Tech Hub
May 24, 2024 - In this resource you will learn how to create CrowdStrike Falcon Identity Protection policy rules that stop threats.
🌐
Reddit
reddit.com › r/crowdstrike › best identity protection policy rules?
r/crowdstrike on Reddit: Best Identity Protection Policy Rules?
October 25, 2022 - We're about to start using CrowdStrike IDP and looking at all the tasty possibilities around policy rules. Anyone care to list their favourite enforcements / alerts?
Top answer
1 of 1
8
Here's what the Falcon Complete for Identity team uses. Hopefully I'm not sharing confidential information here, but I didn't see any confidential markings on it. They're mostly from the predefined rule templates, so probably public info.

Rule | Configured Action | Rule Summary
FC - Inactive User Access | Identity Verification | Enforce second-factor authentication for user accounts that weren't used for over 21 days.
FC - Compromised Password Detected | Reset Password | Automates remediation when a user account password is detected as compromised.
FC - Restrict Workstation Authentication (Admins) | Identity Verification | Enforce best practice preventing privileged users from using their admin accounts on workstations and potentially exposing their credential hash to a workstation local administrator. Reduces risk of those accounts being compromised.
FC - Restrict RDP (Programmatic) | Block | Restrict and block Microsoft Remote Desktop operations from an account that is programmatic (service account).
FC - Privileged Users Access Control | Identity Verification | Enables you to control what actions will take place when privileged users authenticate or access services on endpoints.
FC - Privileged User Protection from Compromised Password | Identity Verification | Enforces multi-factor authentication for privileged accounts that use compromised passwords.
FC - Domain Admin RDP into DCs | Identity Verification | Enforces multi-factor authentication for a Domain Admin account when attempting to RDP into another endpoint.
FC - Fileserver/CIFS | Identity Verification | Enforces multi-factor authentication when accessing a remote file server.

Answer from techie_1 on reddit.com
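The table above lists rule names, actions and summaries but says nothing about how the conditions interact when several rules match one logon, or which logons never reach a rule at all. The following is an added example (not code from the Reddit answer or from CrowdStrike): a toy evaluator that encodes the eight rules as predicates and runs constructed scenarios through them. The predicates are my reading of each summary, the "Block > Identity Verification > Reset Password" precedence is an assumption made for illustration, and the visibility model (console logons and DC-to-DC authentication are not inspected) is taken from the support response quoted further down this page. Account and role names are fictional.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Added example: a toy evaluator for the eight "FC" rules in the answer above.
# The predicates are my reading of each rule summary, not Falcon's matching
# logic, which this page does not document.


@dataclass
class AuthEvent:
    user: str
    access: str                   # "rdp", "cifs", "kerberos", "ntlm", "ldap", or "local" (console logon)
    target_role: str = "server"   # "workstation", "server", "fileserver", "dc"
    source_role: str = "workstation"
    privileged: bool = False      # e.g. Domain Admins member
    programmatic: bool = False    # service account
    password_compromised: bool = False
    days_since_last_use: int = 0


@dataclass
class Rule:
    name: str
    action: str
    matches: Callable[[AuthEvent], bool]


# Assumed severity ordering used to pick one effective action when several
# rules match; the product's real precedence is not stated on this page.
ACTION_RANK = {"Block": 3, "Identity Verification": 2, "Reset Password": 1}

RULES: List[Rule] = [
    Rule("FC - Inactive User Access", "Identity Verification",
         lambda e: e.days_since_last_use > 21),
    Rule("FC - Compromised Password Detected", "Reset Password",
         lambda e: e.password_compromised),
    Rule("FC - Restrict Workstation Authentication (Admins)", "Identity Verification",
         lambda e: e.privileged and e.target_role == "workstation"),
    Rule("FC - Restrict RDP (Programmatic)", "Block",
         lambda e: e.programmatic and e.access == "rdp"),
    Rule("FC - Privileged Users Access Control", "Identity Verification",
         lambda e: e.privileged),
    Rule("FC - Privileged User Protection from Compromised Password", "Identity Verification",
         lambda e: e.privileged and e.password_compromised),
    Rule("FC - Domain Admin RDP into DCs", "Identity Verification",
         lambda e: e.privileged and e.access == "rdp" and e.target_role == "dc"),
    Rule("FC - Fileserver/CIFS", "Identity Verification",
         lambda e: e.access == "cifs" and e.target_role == "fileserver"),
]


def inspected(e: AuthEvent) -> bool:
    """Visibility model taken from the support response quoted further down this
    page: console logons and DC-to-DC authentication never reach the DC sensor."""
    if e.access == "local":
        return False
    if e.source_role == "dc" and e.target_role == "dc":
        return False
    return True


def evaluate(e: AuthEvent) -> Tuple[Optional[str], List[str]]:
    """Return (effective action or None, names of all matching rules in table order)."""
    if not inspected(e):
        return None, []
    hits = [r for r in RULES if r.matches(e)]
    if not hits:
        return None, []
    strictest = max(hits, key=lambda r: ACTION_RANK[r.action])
    return strictest.action, [r.name for r in hits]


def coverage_report(events: List[AuthEvent]) -> List[Tuple[str, str, str, str]]:
    """List every scenario that would reach its target with no enforcement, and why."""
    gaps = []
    for e in events:
        if not inspected(e):
            gaps.append((e.user, e.access, e.target_role, "not inspected"))
        elif evaluate(e)[0] is None:
            gaps.append((e.user, e.access, e.target_role, "no rule matched"))
    return gaps


# Constructed scenarios (fictional accounts) exercising the rule set.
SCENARIOS = [
    AuthEvent("svc_backup", "rdp", target_role="server", programmatic=True),
    AuthEvent("da_alice", "rdp", target_role="dc", privileged=True),
    AuthEvent("da_alice", "cifs", target_role="fileserver", privileged=True, password_compromised=True),
    AuthEvent("bob", "kerberos", target_role="server", days_since_last_use=30),
    AuthEvent("da_alice", "local", target_role="dc", source_role="dc", privileged=True),
    AuthEvent("bob", "rdp", target_role="server", days_since_last_use=3),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        action, hits = evaluate(s)
        print(f"{s.user:<11}{s.access:<9}-> {s.target_role:<11}{action or '(none)':<24}{hits}")
    print("gaps:", coverage_report(SCENARIOS))
```

Running it shows the two things worth checking before turning such a rule set on in enforce mode: a privileged account with a known-compromised password trips four rules at once (so the effective action depends entirely on how the product resolves conflicts, which you should verify in simulation mode), and a Domain Admin at a DC console never reaches any rule, which is the gap raised in the thread lower on this page.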
🌐
CrowdStrike
crowdstrike.com › wp-content › uploads › 2024 › 02 › crowdstrike-falcon-identity-threat-protection-data-sheet.pdf pdf
CrowdStrike Products Falcon Identity Threat Protection
with Falcon Identity Threat Protection's out-of-the-box machine-learning-powered detection rules. With advanced analytics and patented machine learning, uncover reconnaissance (e.g., LDAP, BloodHound, SharpHound, credential compromise attacks), lateral movement (e.g., RDP, pass-the-hash (PtH), Mimikatz tool, unusual
🌐
Reddit
reddit.com › r/crowdstrike › question - how to handle rdp to servers with identity protection policy rules
r/crowdstrike on Reddit: Question - How to handle RDP to servers with Identity Protection Policy Rules
May 1, 2025 - We've been paying for Identity Protection for a while, but we haven't enabled the different policy rules inside the console yet. I'm trying to wrap my head around the concept of MFAing into DCs or other servers using the policies inside CrowdStrike's Identity Protection platform.

We are deep in the Microsoft ecosystem and use conditional access policies to MFA anything we can. We do not sync our domain admin accounts to the cloud, and these are the accounts we use to remote into our servers. I don't want to sync our DA accounts to the cloud. We don't really have an MFA vehicle for the policy to take advantage of. What's the best way for us to utilize the CrowdStrike policy with accounts that are not synced to the cloud?
🌐
CrowdStrike
crowdstrike.com › resources › videos › how-to-enforce-risk-based-conditional-access-using-falcon-identity-protection
How to Enforce Risk-based Conditional Access Using Identity ...
August 7, 2025 - See Falcon Data Protection in Action · Video · Falcon Intelligence · Video · How CrowdStrike's Identity Protection Solution Works · Video · Falcon Complete: A Pioneer in MDR · Video · How to secure RDP access to DCs using Falcon Identity protection ·
🌐
Reddit
reddit.com › r/crowdstrike › identity protection rules
r/crowdstrike on Reddit: Identity Protection Rules
May 9, 2022 - I have searched and can't find anything on IDP rules other than basic info on how to create and edit. I have a rule set up that sends me an email alert when it detects that a compromised password has been set on an elevated account. This is very simplistic, but I don't see how to apply more advanced actions. For example, I would like to build some sort of workflow around this event that would send a custom email to the user and then disable the account after a period of time. Is this even possible?
🌐
CrowdStrike
crowdstrike.com › wp-content › uploads › 2023 › 03 › crowdstrike-falcon-identity-protecton-modules.pdf pdf
CrowdStrike Falcon Identity Threat Detection and ...
Identity Threat Protection for active prevention of identity attacks. ... Falcon Identity Threat Detection represents the first level of detection for AD security. Falcon Identity Threat Detection provides visibility for identity-based attacks and anomalies, comparing live traffic against behavior baselines and rules to detect attacks and lateral movement.
🌐
CIO Solutions
ciosolutions.com › home › a hands-on deep dive into crowdstrike identity protection
CrowdStrike IDP: A Hands-On Deep Dive
October 25, 2025 - Explore key CrowdStrike IDP features and uses including risk detection, threat hunting, MFA enforcement, and more.
🌐
CrowdStrike
crowdstrike.com › en-us › resources › videos › identity-protection-solution
How CrowdStrike's Identity Protection Solution Works
July 2, 2024 - Learn how CrowdStrike Identity Protection -- fully integrated with the CrowdStrike Falcon® Platform -- helps ensure comprehensive protection against identity-based attacks in real-time.
🌐
CrowdStrike
crowdstrike.com › platform › next-gen identity security › proactive services
Proactive Services | CrowdStrike Falcon® Identity Protection
November 17, 2025 - Get complete visibility and real-time protection across traditional Active Directory (AD) and cloud identity providers such as Entra ID and Okta, empowered with industry-leading threat intelligence. Implement risk-based MFA across your environment with the MFA provider of your choice. Enforce additional security measures when suspicious activities are detected, ensuring robust protection without disrupting user experience. “We now have a partner in CrowdStrike that understands our organisation and what we’re protecting.
🌐
Reddit
reddit.com › r/crowdstrike › identity protection covering domain controllers
r/crowdstrike on Reddit: Identity protection covering domain controllers
January 7, 2025 - We have IDP, and it is seeing all of the domain logins, and I have rules in place to enforce MFA on certain logins. That works fine; the issue is it is not seeing any logins when the admins log in directly to a domain controller, so I cannot enforce MFA there. Anyone else having issues with DCs?
Top answer
1 of 3
4
What do you mean “when admins login directly” ? What type of account are you referencing? My advice would be to create a very generic rule targeting that specific account in simulation mode and see if it is triggered during a login.
2 of 3
1
I got a response back from support after 2 days. I am not thrilled about the response. I'll paste it below, but basically in the fine print of a FAQ for a KB of a previous version of the product, they say they don't monitor local logins on DCs. Who is going to find that? Which leads me to the question of why protect all of the other logins if I can just log directly into the DC and bypass security to the most important asset? Not super thrilled about our investment right now. I'd love for an engineer to chime in and say this response is wrong and I should be doing X or change X setting and all will be fine. Otherwise I'm going to be stuck keeping another product around because IDP is not complete coverage. As to the comment below regarding local logins, there are no local users on a DC, only domain admins/users, so every login "should" be monitored, but doesn't seem to be.

----

Thank you for contacting CrowdStrike Technical Support. IDP doesn't monitor DC to DC traffic or local logins since they don't hit the network stack. You may be able to utilize Exposure Management > Accounts to check for local successful/failed logins. The following KB (which applies to the older DC sensor as well as the newer Unified/Falcon sensor) touches on the former.

Identity Protection | DC Sensor FAQ

Q: Is the DC sensor looking at all traffic and ports in the DC?
A: No, it looks only at specific protocols and ports and focuses on Authentication and Authorization related activity and includes Kerberos, LDAP, LDAPS, NTLM and RDP to DC.

Q: Is authentication traffic between two DCs monitored?
A: No, authentications from one DC to another DC are filtered out (excluded) from IDP Traffic Inspection. This traffic is excluded as it can cause an unnecessary increase in authentication data and may interfere with normal DC to DC replication events, among other things. As such, it also will not appear in IDP logs including Threat Hunter.
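The support response above says the DC sensor only inspects authentication traffic that crosses the network stack, so a console logon to a domain controller is invisible to IDP. The one place that logon is still recorded is the DC's own Security log: event 4624 with an interactive LogonType, and a paired 4672 ("Special privileges assigned to new logon") when the session holds admin-equivalent privileges. The following is an added example (not CrowdStrike's or the poster's code) of a compensating detection over those two events, written against Security log records already exported as JSON lines with the EventData field names Windows uses. The DC hostnames, the privileged-account list and the sample events are constructed for illustration; the correlation key (4624 TargetLogonId equals 4672 SubjectLogonId for the same session) is standard Windows auditing behaviour.

```python
import json
from typing import Dict, Iterable, List

# Added example: a compensating detection for the gap described in the comment
# above, over Windows Security log events (4624 / 4672) rather than the IDP
# sensor. Hostnames, the privileged-account list and the sample events are
# constructed for illustration.

DOMAIN_CONTROLLERS = {"DC01.corp.example", "DC02.corp.example"}   # assumption
PRIVILEGED_ACCOUNTS = {"da_alice", "da_bob"}                       # assumption: Domain Admins members

# 4624 LogonType values that mean someone is at the console (or unlocking it)
# rather than coming over the network. Type 10 (RemoteInteractive, i.e. RDP) is
# left out because the FAQ above says RDP to a DC is inspected; add it for belt
# and braces if you want the Security log to confirm what the sensor sees.
CONSOLE_LOGON_TYPES = {2: "Interactive", 7: "Unlock", 11: "CachedInteractive"}

# Constructed sample: Security log events exported as JSON lines, with the
# EventData field names Windows uses for 4624 and 4672.
SAMPLE_EVENTS = """\
{"TimeCreated": "2025-01-07T08:01:10Z", "Computer": "DC01.corp.example", "EventID": 4624, "TargetUserName": "da_alice", "TargetDomainName": "CORP", "TargetLogonId": "0x1a2b3c", "LogonType": 2, "IpAddress": "-", "WorkstationName": "DC01"}
{"TimeCreated": "2025-01-07T08:01:10Z", "Computer": "DC01.corp.example", "EventID": 4672, "SubjectUserName": "da_alice", "SubjectDomainName": "CORP", "SubjectLogonId": "0x1a2b3c", "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege"}
{"TimeCreated": "2025-01-07T08:02:33Z", "Computer": "DC01.corp.example", "EventID": 4624, "TargetUserName": "bob", "TargetDomainName": "CORP", "TargetLogonId": "0x2b3c4d", "LogonType": 3, "IpAddress": "10.0.20.15", "WorkstationName": "WKS-BOB"}
{"TimeCreated": "2025-01-07T08:05:00Z", "Computer": "DC02.corp.example", "EventID": 4624, "TargetUserName": "helpdesk_tom", "TargetDomainName": "CORP", "TargetLogonId": "0x3c4d5e", "LogonType": 2, "IpAddress": "-", "WorkstationName": "DC02"}
{"TimeCreated": "2025-01-07T08:05:00Z", "Computer": "DC02.corp.example", "EventID": 4672, "SubjectUserName": "helpdesk_tom", "SubjectDomainName": "CORP", "SubjectLogonId": "0x3c4d5e", "PrivilegeList": "SeDebugPrivilege"}
{"TimeCreated": "2025-01-07T08:06:45Z", "Computer": "SRV01.corp.example", "EventID": 4624, "TargetUserName": "da_alice", "TargetDomainName": "CORP", "TargetLogonId": "0x4d5e6f", "LogonType": 2, "IpAddress": "-", "WorkstationName": "SRV01"}
{"TimeCreated": "2025-01-07T08:07:00Z", "Computer": "DC01.corp.example", "EventID": 4624, "TargetUserName": "SYSTEM", "TargetDomainName": "NT AUTHORITY", "TargetLogonId": "0x3e7", "LogonType": 5, "IpAddress": "-", "WorkstationName": "-"}
"""


def parse_events(text: str) -> List[Dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_dc_console_logons(events: Iterable[Dict],
                             dcs=DOMAIN_CONTROLLERS,
                             privileged=PRIVILEGED_ACCOUNTS) -> List[Dict]:
    """Flag console/unlock logons on a DC by a privileged account.

    Privilege is established either from the known-admin list or from a 4672
    on the same host whose SubjectLogonId equals the 4624's TargetLogonId, so
    an admin-equivalent account missing from the list is still caught.
    """
    events = list(events)
    special = {(e["Computer"], e["SubjectLogonId"].lower())
               for e in events if e["EventID"] == 4672}
    alerts = []
    for e in events:
        if e["EventID"] != 4624 or e["Computer"] not in dcs:
            continue
        if e["LogonType"] not in CONSOLE_LOGON_TYPES:
            continue                      # network logons are what the DC sensor already sees
        user = e["TargetUserName"]
        if user.endswith("$") or user.upper() in {"SYSTEM", "ANONYMOUS LOGON"}:
            continue                      # machine and built-in accounts
        key = (e["Computer"], e["TargetLogonId"].lower())
        if user in privileged:
            evidence = "privileged account list"
        elif key in special:
            evidence = "4672 special privileges"
        else:
            continue
        alerts.append({
            "time": e["TimeCreated"],
            "computer": e["Computer"],
            "user": f'{e["TargetDomainName"]}\\{user}',
            "logon_type": CONSOLE_LOGON_TYPES[e["LogonType"]],
            "logon_id": e["TargetLogonId"],
            "evidence": evidence,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dc_console_logons(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample, the network logon by bob (type 3) and the console logon on the member server are ignored, SYSTEM's service logon is skipped, and two alerts remain: da_alice at the DC01 console (on the admin list) and helpdesk_tom at the DC02 console (not on the list, but 4672 shows the session held SeDebugPrivilege). This does not give you the MFA prompt the IDP rule would, only a detection; pair it with the simulation-mode rule suggested in the first answer to confirm which logons the sensor actually sees.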
🌐
CrowdStrike
crowdstrike.com › en-us › cybersecurity-101 › identity-protection › unified-identity-protection
What is Unified Identity Protection? | CrowdStrike
April 3, 2025 - By merging identity management tools like SSO, MFA, and adaptive authentication with endpoint and cloud security, this approach ensures every layer of identity protection operates in unison, forming a robust defense against sophisticated, evolving threats. Risk-based authentication dynamically adjusts security requirements based on real-time risk signals—such as device security posture, geo-location, and login anomalies—instead of relying on static MFA policies. Conditional access is a set of customizable rules that determine whether access to corporate data is granted or denied based on factors such as device type, location, unusual behavior, device settings and various other conditions.
🌐
CrowdStrike
crowdstrike.com › platform › next-gen identity security › identity protection
AI-Powered Identity Protection for Hybrid Environments | CrowdStrike
2 weeks ago - ... Minimize risk with just-in-time access for privileged roles using Falcon Privileged Access. Enforce least privilege, detect threats, and stop misuse — all on the same platform that secures your full identity lifecycle. Augment your team with CrowdStrike experts who monitor, detect, and ...
🌐
D3security
docs.d3security.com › integration-docs › integration-docs › crowdstrike-identity-protection
Crowdstrike Identity Protection
As CrowdStrike Identity Protection is using role-based access control (RBAC), the API access token is generated based on a specific user account and the application. Therefore, the command permissions are inherited from the user account’s role.
🌐
Beyond Identity
support.beyondidentity.com › hc › en-us › articles › 9295543755543-How-to-use-a-policy-with-CrowdStrike-attributes
How to use a policy with CrowdStrike attributes – Beyond Identity
Log into the Beyond Identity Admin Console and select Policy from the left menu. From the Policy page, select Edit Policy > Add Rule. Refer to the following steps to configure a policy to suit your requirements.
🌐
Cloudprotectionworks
cloudprotectionworks.co.uk › Falcon-ITP.php
CrowdStrike Falcon Identity Threat Protection | CloudProtectionWorks.co.uk
Zero-friction identity verification ... for every user. The policies are based on authentication patterns, behavior baselines, individual user risk score and device risk score (via API integration) to verify identities using MFA....