Skip to main content

Overview

Falcon Identity Protection provides real-time detection and response capabilities for identity-based threats. You can create custom policy rules to detect suspicious authentication patterns, configure automated responses, query identity data using GraphQL, and monitor devices enrolled in identity protection.
Identity Protection operations require various Identity Protection permissions depending on the specific action.

GraphQL Interface

Execute GraphQL Queries

Interact with Falcon Identity using the GraphQL API for advanced queries and data retrieval.
Basic GraphQL Query
$Query = @'
query {
  entities(type: "user", archived: false, first: 10) {
    nodes {
      entityId
      primaryDisplayName
      secondaryDisplayName
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}
'@

Invoke-FalconIdentityGraph -String $Query
Query with Variables
$Query = @'
query GetUserEvents($userId: String!, $after: Cursor) {
  timeline(scope: "user", id: $userId, first: 50, after: $after) {
    nodes {
      timestamp
      eventType
      description
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}
'@

$Variables = @{
  userId = 'S-1-5-21-1234567890-1234567890-1234567890-1001'
}

Invoke-FalconIdentityGraph -String $Query -Variable $Variables
Paginate Through All Results
$Query = @'
query GetAllUsers($after: Cursor) {
  entities(type: "user", archived: false, first: 100, after: $after) {
    nodes {
      entityId
      primaryDisplayName
      riskScore
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}
'@

Invoke-FalconIdentityGraph -String $Query -All
String
string
required
Complete GraphQL statement (query or mutation)
Variable
hashtable
Hashtable containing variables referenced in your GraphQL statement
All
switch
Repeat requests until all results are retrieved. Requires your GraphQL statement to include an ‘after’ cursor variable definition and pageInfo { hasNextPage endCursor }.
Requires Identity Protection GraphQL: Write permission, plus additional Identity Protection permissions depending on the query scope.

GraphQL Best Practices

1

Use Pagination

Always include pageInfo { hasNextPage endCursor } for queries that return multiple results.
2

Define Variables

Use GraphQL variables instead of string interpolation for dynamic queries to prevent injection issues.
3

Limit Result Sets

Specify a reasonable first value (e.g., 100-500) to avoid overwhelming responses.
4

Request Only Needed Fields

Query only the fields you need to reduce response size and improve performance.

Identity Hosts

Get Identity Hosts

Retrieve information about devices enrolled in Falcon Identity Protection.
List All Identity Hosts
Get-FalconIdentityHost -Detailed
Filter by Domain
Get-FalconIdentityHost -Filter "domain_name:'contoso.local'" -Detailed
Get Specific Host
Get-FalconIdentityHost -Id 'abcdef1234567890abcdef1234567890'
High-Risk Hosts
Get-FalconIdentityHost -Filter "risk_score:>=70" -Sort 'risk_score|desc' -Detailed
Id
string[]
Device identifier(s) - 32-character hexadecimal string
Filter
string
Falcon Query Language expression to filter results. Common filters:
  • domain_name:'example.local' - Filter by domain
  • risk_score:>=50 - Filter by risk score
  • hostname:'DC-*' - Filter by hostname pattern
Sort
string
Property and direction to sort results
Limit
integer
Maximum results per request (1-200)
Offset
integer
Position to begin retrieving results
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all results are retrieved
Total
switch
Display total result count instead of results

Policy Rules

Get Policy Rules

Retrieve Falcon Identity Protection policy rules.
List All Rules
Get-FalconIdentityRule -Detailed
Get by Name
Get-FalconIdentityRule -Name 'Block Suspicious Access' -Detailed
Get Enabled Rules Only
Get-FalconIdentityRule -Enabled $true -Detailed
Get Rules in Simulation Mode
Get-FalconIdentityRule -SimulationMode $true -Detailed
Get Specific Rule
Get-FalconIdentityRule -Id 'rule-12345678-1234-1234-1234-123456789012'
Id
string[]
Policy rule identifier(s)
Name
string
Filter by rule name
Enabled
boolean
Filter by enablement status: $true or $false
SimulationMode
boolean
Filter by simulation mode: $true or $false
Detailed
switch
Retrieve detailed information

Create Policy Rules

Create custom identity protection rules to detect and respond to threats.
Block High-Risk Access
$Activity = @{
  accessType = @('kerberos', 'ntlm')
}

$SourceEndpoint = @{
  groupMembership = @('high-risk-devices')
}

New-FalconIdentityRule `
  -Name 'Block High-Risk Device Access' `
  -Action 'BLOCK' `
  -Trigger 'access' `
  -Enabled $true `
  -SimulationMode $false `
  -Activity $Activity `
  -SourceEndpoint $SourceEndpoint
MFA for Sensitive Access
$Destination = @{
  groupMembership = @('domain-admins', 'enterprise-admins')
}

New-FalconIdentityRule `
  -Name 'Require MFA for Admin Access' `
  -Action 'MFA' `
  -Trigger 'access' `
  -Enabled $true `
  -SimulationMode $false `
  -Destination $Destination
Alert on Suspicious Login
$SourceUser = @{
  entityId = @('S-1-5-21-1234567890-1234567890-1234567890-1001')
}

New-FalconIdentityRule `
  -Name 'Watch VIP User Access' `
  -Action 'ADD_TO_WATCH_LIST' `
  -Trigger 'access' `
  -Enabled $true `
  -SimulationMode $false `
  -SourceUser $SourceUser
Force Password Change on Alert
New-FalconIdentityRule `
  -Name 'Force Password Reset on Compromise Alert' `
  -Action 'FORCE_PASSWORD_CHANGE' `
  -Trigger 'alert' `
  -Enabled $true `
  -SimulationMode $false
Simulation Mode Rule
New-FalconIdentityRule `
  -Name 'Test SSO Policy' `
  -Action 'APPLY_SSO_POLICY' `
  -Trigger 'federatedAccess' `
  -Enabled $true `
  -SimulationMode $true
Name
string
required
Descriptive rule name
Action
string
required
Action to take when rule triggers:
  • ADD_TO_WATCH_LIST - Monitor and generate alerts
  • ALLOW - Explicitly permit the activity
  • APPLY_SSO_POLICY - Apply SSO policy
  • BLOCK - Block the activity
  • FORCE_PASSWORD_CHANGE - Require password reset
  • MFA - Require multi-factor authentication
Trigger
string
required
Event type that activates the rule:
  • access - Authentication/access events
  • accountEvent - Account changes (creation, modification)
  • alert - Security alerts
  • federatedAccess - Federated/SSO access events
Enabled
boolean
required
Whether the rule is active: $true or $false
SimulationMode
boolean
required
Run in simulation mode (log only, no action): $true or $false
Activity
object
Hashtable defining activity-based conditions:
  • accessType - Array of access types: 'kerberos', 'ntlm', 'ldap', etc.
  • accessTypeCustom - Custom access type string
Destination
object
Hashtable defining destination-based conditions:
  • entityId - Array of destination entity IDs (SIDs, hostnames)
  • groupMembership - Array of group names
SourceEndpoint
object
Hashtable defining source endpoint conditions:
  • entityId - Array of device IDs or hostnames
  • groupMembership - Array of device group names
SourceUser
object
Hashtable defining source user conditions:
  • entityId - Array of user SIDs or usernames
  • groupMembership - Array of user group names
Requires Identity Protection Policy Rules: Write permission.

Remove Policy Rules

Delete identity protection rules.
Remove Rule
Remove-FalconIdentityRule -Id 'rule-12345678-1234-1234-1234-123456789012'
Remove Multiple Rules
Remove-FalconIdentityRule -Id @('rule-12345678-1234-1234-1234-123456789012', 'rule-23456789-2345-2345-2345-234567890123')
Id
string[]
required
Policy rule identifier(s) to remove
Removing a policy rule is permanent and immediately stops its enforcement. Ensure you have proper authorization before deleting rules.

Common Use Cases

Protect Privileged Accounts

Privileged Account Protection
# MFA for Domain Admin Access
$AdminGroups = @{
  groupMembership = @('domain-admins', 'enterprise-admins', 'schema-admins')
}

New-FalconIdentityRule `
  -Name 'MFA Required for Privileged Groups' `
  -Action 'MFA' `
  -Trigger 'access' `
  -Enabled $true `
  -SimulationMode $false `
  -Destination $AdminGroups

# Block access from high-risk endpoints
$HighRiskEndpoints = @{
  groupMembership = @('quarantined-devices', 'unmanaged-devices')
}

$PrivilegedDestination = @{
  groupMembership = @('domain-controllers', 'sensitive-servers')
}

New-FalconIdentityRule `
  -Name 'Block Risky Endpoint to Sensitive Access' `
  -Action 'BLOCK' `
  -Trigger 'access' `
  -Enabled $true `
  -SimulationMode $false `
  -SourceEndpoint $HighRiskEndpoints `
  -Destination $PrivilegedDestination

Monitor VIP Users

VIP User Monitoring
# Get VIP user SIDs
$VipUsers = @{
  entityId = @(
    'S-1-5-21-1234567890-1234567890-1234567890-1001',  # CEO
    'S-1-5-21-1234567890-1234567890-1234567890-1002',  # CFO
    'S-1-5-21-1234567890-1234567890-1234567890-1003'   # CTO
  )
}

New-FalconIdentityRule `
  -Name 'Monitor VIP User Activity' `
  -Action 'ADD_TO_WATCH_LIST' `
  -Trigger 'access' `
  -Enabled $true `
  -SimulationMode $false `
  -SourceUser $VipUsers

# Force password change on alert for VIP users
New-FalconIdentityRule `
  -Name 'VIP Compromise Response' `
  -Action 'FORCE_PASSWORD_CHANGE' `
  -Trigger 'alert' `
  -Enabled $true `
  -SimulationMode $false `
  -SourceUser $VipUsers

Conditional Access by Protocol

Protocol-Based Access Control
# Allow only Kerberos for sensitive systems
$ModernAuth = @{
  accessType = @('kerberos')
}

$SensitiveServers = @{
  groupMembership = @('finance-servers', 'hr-systems')
}

New-FalconIdentityRule `
  -Name 'Require Kerberos for Sensitive Systems' `
  -Action 'ALLOW' `
  -Trigger 'access' `
  -Enabled $true `
  -SimulationMode $false `
  -Activity $ModernAuth `
  -Destination $SensitiveServers

# Block legacy NTLM to critical infrastructure
$LegacyAuth = @{
  accessType = @('ntlm')
}

$CriticalInfra = @{
  groupMembership = @('domain-controllers', 'certificate-authorities')
}

New-FalconIdentityRule `
  -Name 'Block NTLM to Critical Infrastructure' `
  -Action 'BLOCK' `
  -Trigger 'access' `
  -Enabled $true `
  -SimulationMode $false `
  -Activity $LegacyAuth `
  -Destination $CriticalInfra

Investigation Workflow

Identity Threat Investigation
# Step 1: Find high-risk hosts
$HighRiskHosts = Get-FalconIdentityHost -Filter "risk_score:>=80" -Detailed

# Step 2: Get user activity on high-risk host
$Query = @'
query GetHostActivity($hostId: String!, $after: Cursor) {
  timeline(scope: "device", id: $hostId, first: 100, after: $after) {
    nodes {
      timestamp
      eventType
      user {
        primaryDisplayName
        riskScore
      }
      description
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}
'@

foreach ($Host in $HighRiskHosts[0..4]) {
  $Variables = @{ hostId = $Host.device_id }
  $Activity = Invoke-FalconIdentityGraph -String $Query -Variable $Variables -All
  
  # Analyze activity
  $SuspiciousActivity = $Activity | Where-Object { $_.user.riskScore -ge 70 }
  
  if ($SuspiciousActivity) {
    Write-Host "High-risk activity detected on $($Host.hostname)"
    $SuspiciousActivity | Format-Table timestamp, eventType, user.primaryDisplayName, description
  }
}

# Step 3: Create monitoring rule for suspicious users
$SuspiciousUserIds = $SuspiciousActivity.user | Select-Object -Unique -ExpandProperty entityId

$WatchUsers = @{
  entityId = $SuspiciousUserIds
}

New-FalconIdentityRule `
  -Name 'Monitor Suspicious Users from Investigation' `
  -Action 'ADD_TO_WATCH_LIST' `
  -Trigger 'access' `
  -Enabled $true `
  -SimulationMode $false `
  -SourceUser $WatchUsers

Testing Rules with Simulation Mode

Before enforcing rules in production, test them in simulation mode:
Safe Rule Testing
# Create rule in simulation mode
$TestRule = New-FalconIdentityRule `
  -Name 'TEST - Block NTLM Authentication' `
  -Action 'BLOCK' `
  -Trigger 'access' `
  -Enabled $true `
  -SimulationMode $true `
  -Activity @{ accessType = @('ntlm') }

# Monitor for 1 week, check impact
Start-Sleep -Seconds (7 * 24 * 60 * 60)

# Query simulated events via GraphQL
$Query = @'
query GetSimulationEvents {
  entities(type: "idpPolicyRule", archived: false) {
    nodes {
      entityId
      primaryDisplayName
      simulationMode
      matchCount
    }
  }
}
'@

$Results = Invoke-FalconIdentityGraph -String $Query

# If simulation looks good, disable simulation mode
# (Note: This would require an Edit cmdlet not shown in source)
Simulation mode logs rule matches without taking action, allowing you to validate rule logic before enforcement.

Best Practices

1

Start with Simulation

Always create new rules in simulation mode initially to validate behavior before enforcement.
2

Use Specific Conditions

Define precise conditions using entity IDs and group membership to avoid overly broad rules.
3

Layer Defenses

Combine multiple rules with different actions (monitor, MFA, block) for defense in depth.
4

Monitor Rule Effectiveness

Use GraphQL queries to track rule matches and adjust as needed.
5

Document Rule Purpose

Use descriptive names that clearly indicate the rule’s intent and scope.
6

Regular Review

Periodically review rules with Get-FalconIdentityRule -Detailed to ensure they remain relevant.

GraphQL Schema Examples

query GetUserRisk($userId: String!) {
  entities(type: "user", id: $userId) {
    nodes {
      entityId
      primaryDisplayName
      riskScore
      riskScoreDescription
      riskFactors
    }
  }
}

query GetAuthTimeline($userId: String!, $after: Cursor) {
  timeline(scope: "user", id: $userId, first: 100, after: $after) {
    nodes {
      timestamp
      eventType
      sourceEndpoint {
        primaryDisplayName
      }
      destination {
        primaryDisplayName
      }
      protocol
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}

query GetCompromisedAccounts {
  entities(type: "user", archived: false, first: 1000) {
    nodes {
      entityId
      primaryDisplayName
      riskScore
      compromised
      lastSeenTimestamp
    }
  }
}

User Management

Manage user accounts and role assignments

MSSP Management

Configure multi-tenant access with Flight Control

Build docs developers (and LLMs) love

Get started for freeTalk to us