What type of access does a user with the Real Time Responder - Read Only Analyst Role have in CrowdStrike Falcon?

A user assigned the Real Time Responder - Read Only Analyst Role in CrowdStrike Falcon is granted read-only access specifically to response commands. This role is designed to allow users to view and analyze response actions without the ability to modify any configurations or execute commands.

The intention behind this role is to enable users, such as analysts or forensic professionals, to monitor and understand the current state of endpoints and the actions that can be taken without risking any changes or unintended consequences of those actions. This is particularly important in environments where oversight and compliance are necessary, as it allows for thorough investigation while maintaining a layer of security by preventing unauthorized changes.

This role contrasts significantly with others that might grant full administrative access or editing rights on alerts, as those would provide capabilities beyond simple observation and analysis, potentially leading to operational risk. Similarly, read-only access to all features is broader than what the Real Time Responder - Read Only Analyst Role encompasses, which is specifically focused on response commands.