Which task can the Falcon Administrator NOT do by default?

The task that a Falcon Administrator cannot perform by default is executing Real Time Response actions without additional role permissions. Real Time Response actions are sensitive and impactful, allowing an administrator to interact directly with endpoint systems in order to respond to security incidents. Because of this level of control, such actions require explicit permissions that often go beyond the standard capabilities assigned to a Falcon Administrator.

By default, the Falcon Administrator role is typically configured to manage other aspects of the Falcon platform, such as creating and managing custom Indicators of Compromise (IOCs), managing user roles, and editing user details like email addresses. Each of these responsibilities helps in the overall management of security postures and user account management in the CrowdStrike platform. However, since Real Time Response can involve critical and immediate actions on devices, it is governed by stricter permission requirements. Therefore, only those users with specially assigned roles that include real-time response capabilities can execute those actions, ensuring that such powers are limited to trusted personnel.