How can I set up least privilege access for custom roles?

To ensure least privilege access when creating custom roles in CrowdStrike Falcon, carefully evaluate the specific permissions needed for each role. Start by reviewing the predefined roles and their permissions, then create a custom role that includes only the necessary permissions for the user's tasks. Avoid granting full access unless absolutely required. Regularly review role assignments and permissions to adapt to changing organizational needs or user responsibilities, which helps mitigate risks associated with overprivileged accounts.

What do I do if a user didn't get their Falcon Console invite?

If a user does not receive their invitation to the Falcon Console, first verify that you correctly entered their email address during the role assignment process. Advise the user to check their spam or junk folder for the invitation email. If the email is not found, you can resend the invitation by navigating to Users & Roles > Users, selecting the user, and clicking 'Resend Invitation.' Ensure that the email server settings allow for CrowdStrike emails to be delivered and not blocked by filters.

Can I change a predefined role in CrowdStrike Falcon?

No, predefined roles in CrowdStrike Falcon cannot be modified directly. However, you can create a custom role that replicates the desired permissions of a predefined role and adjust it as necessary. This approach allows for flexibility while maintaining the integrity of predefined roles for other users. Always document any custom roles created to ensure clarity in role management and to facilitate future reviews or changes as user needs evolve.

CrowdStrike User Roles: Create Custom Roles & Manage Permissions

CrowdStrike Falcon allows administrators to assign custom roles and permissions to users, ensuring least privilege access and role-based security management. By properly configuring user roles, organizations can control access to security settings, investigations, and threat response actions.

This guide explains how to create, assign, and manage user roles in the Falcon Console.

Step 1: Log Into the Falcon Console

Open a browser and go to the CrowdStrike console. There are two possibilities:
- https://falcon.crowdstrike.com.
- https://falcon.us-2.crowdstrike.com/
Sign in using your admin credentials.
In the left-hand menu, navigate to Settings > Users & Roles.

Step 2: Review Default Roles in CrowdStrike

CrowdStrike Falcon provides several predefined roles that can be assigned to users:

Role Name	Permissions
Administrator	Full access to all settings, sensors, and API integration.
Analyst	Read-only access to detections, reports, and activity monitoring.
Investigator	Ability to access and analyze threat intelligence but not modify policies.
Responder	Can contain hosts, remove threats, and initiate real-time response.
Sensor Manager	Manage sensor deployments and configurations.

📌 Tip: If none of the default roles meet your needs, you can create a custom role.

Step 3: Create a Custom User Role

In Users & Roles, click the Roles tab.
Click Create Role.
Enter a Role Name and Description.
Select the permissions the role should have:
- Read-Only (View detections and reports but cannot take action).
- Standard (Manage endpoints and respond to threats).
- Full Access (Modify policies, containment, and sensor settings).
Click Save Role.

Step 4: Assign a Role to a User

Go to Users & Roles > Users.
Click Invite User (or edit an existing user).
Enter the user's email address and select their role.
Assign specific permissions (if applicable).
Click Send Invitation.

📌 Note: The user will receive an email to complete their registration in the Falcon Console.

Step 5: Modify or Remove a User Role

In Users & Roles > Roles, locate the role you want to modify.
Click Edit to adjust permissions.
To delete a role, click Delete Role (cannot be undone).

Best Practices for Role Management

Principle of Least Privilege

Always assign the minimum permissions necessary for users to perform their job functions. This reduces the risk of accidental or malicious misuse of privileged access.

Regular Access Reviews

Conduct quarterly reviews of user roles and permissions
Remove access for users who have changed roles or left the organization
Audit custom roles to ensure they still align with business needs

Role Naming Conventions

Use clear, descriptive names for custom roles that indicate their purpose:

Good examples: "SOC-Analyst-L1", "IR-Team-Lead", "Compliance-Auditor"
Avoid generic names: "Custom Role 1", "Test Role", "Special Access"

Documentation

Maintain documentation for all custom roles including:

Purpose and intended users
Permissions granted and rationale
Approval and review history
Date created and last modified

Common Custom Role Examples

SOC Analyst (Tier 1)

Permissions:

View detections and alerts
Access host information
View threat intelligence
Run queries in Event Search

Restrictions:

Cannot contain hosts
Cannot modify prevention policies
Cannot delete detections

Incident Responder

Permissions:

All SOC Analyst permissions
Real-time response access
Host containment/lift containment
Execute response actions

Restrictions:

Cannot modify sensor deployment
Cannot access user management

Compliance Auditor

Permissions:

Read-only access to all detections
Access to reports and dashboards
View prevention policies
Export data for compliance reporting

Restrictions:

No modification rights
Cannot execute response actions

Troubleshooting

User Cannot Access Specific Features

If a user reports they cannot access expected features:

Verify their assigned role in Users & Roles > Users
Check if the role has the necessary permissions
Confirm the user has completed their Falcon Console registration
Check if there are any IP restrictions or conditional access policies

Role Assignment Not Taking Effect

Allow 5-10 minutes for role changes to propagate
Ask the user to log out and log back in
Clear browser cache and cookies

Cannot Delete a Role

You cannot delete a role if:

Users are currently assigned to that role (reassign them first)
It is a predefined system role

Additional Resources

Last reviewed: January 2025
Applies to: CrowdStrike Falcon Console

CrowdStrike User Roles: Create Custom Roles & Manage Permissions

Step 1: Log Into the Falcon Console

Step 2: Review Default Roles in CrowdStrike

Step 3: Create a Custom User Role

Step 4: Assign a Role to a User

Step 5: Modify or Remove a User Role

Best Practices for Role Management

Principle of Least Privilege

Regular Access Reviews

Role Naming Conventions

Documentation

Common Custom Role Examples

SOC Analyst (Tier 1)

Incident Responder

Compliance Auditor

Troubleshooting

User Cannot Access Specific Features

Role Assignment Not Taking Effect

Cannot Delete a Role

Additional Resources

Frequently Asked Questions

Need Professional Help?

CrowdStrike Exchange Exclusions | Configure Falcon for Exchange Server

Deploy CrowdStrike Falcon via GPO | Active Directory Guide

How to Configure CrowdStrike Exclusions for Hyper-V Hosts

CrowdStrike User Roles: Create Custom Roles & Manage Permissions

Step 1: Log Into the Falcon Console

Step 2: Review Default Roles in CrowdStrike

Step 3: Create a Custom User Role

Step 4: Assign a Role to a User

Step 5: Modify or Remove a User Role

Best Practices for Role Management

Principle of Least Privilege

Regular Access Reviews

Role Naming Conventions

Documentation

Common Custom Role Examples

SOC Analyst (Tier 1)

Incident Responder

Compliance Auditor

Troubleshooting

User Cannot Access Specific Features

Role Assignment Not Taking Effect

Cannot Delete a Role

Additional Resources

Frequently Asked Questions

Need Professional Help?

Related Articles

CrowdStrike Exchange Exclusions | Configure Falcon for Exchange Server

Deploy CrowdStrike Falcon via GPO | Active Directory Guide

How to Configure CrowdStrike Exclusions for Hyper-V Hosts