Identity Protection
Accessing and managing CrowdStrike Falcon Identity Protection capabilities
API Scopes
Section titled “API Scopes”Identity Protection Assessment:readIdentity Protection Detections:readIdentity Protection Entities:readIdentity Protection Timeline:readIdentity Protection GraphQL:write
falcon_investigate_entity
Section titled “falcon_investigate_entity”Required scopes: Identity Protection Assessment:read, Identity Protection Detections:read, Identity Protection Entities:read, Identity Protection Timeline:read, Identity Protection GraphQL:write
Investigate one or more Identity Protection entities by ID, name, email, IP, or domain.
Use this to look up entity details, activity timelines, relationship graphs, and risk assessments; at least one identifier must be supplied, and multiple identifiers are combined with AND logic (email and IP cannot be combined — email takes precedence). Returns a structured response with an investigation_summary, resolved entity IDs, and results keyed by each requested investigation type.