A script interfacing with the Falcon platform typically uses API credentials, so the correct log is the API audit log. Falcon UI audit logs track actions performed through the web console. RTR session audit logs track Real Time Response sessions and the commands executed on hosts. Prevention policy debug is not the right audit source for platform API activity. When investigating scripted or automated access, administrators must determine which API client or credential performed the action, when it occurred, and which endpoint or operation was invoked. The CCFA user management and audit topics emphasize separating console user activity from API-driven activity so that an administrative investigation maps to the correct telemetry source. API audit is therefore the correct answer.