Falcon Fusion workflows integrate directly with Falcon Identity Protection throughidentity-based triggers, allowing automated responses to identity threats. The correct trigger that activates a Falcon Fusion workflow from Identity Protection isAlert > Identity detection.
Identity detections are generated when Falcon observes suspicious or malicious identity behavior, such as credential abuse, abnormal authentication patterns, lateral movement attempts, or policy violations related to identity risk. These detections are distinct from endpoint-only detections or incidents and are specifically designed to representidentity-based attack activity.
WhileNew incidentandNew endpoint detectionare valid Falcon Fusion triggers in other Falcon modules, they are not the primary triggers for identity-focused automation. Similarly,Spotlight user action > Hostrelates to vulnerability management workflows rather than identity analytics.
The CCIS curriculum emphasizes that Falcon Fusion enablesautomated identity response, such as notifying security teams, disabling accounts, enforcing MFA, or triggering SOAR actions, based onidentity detections. Therefore, workflows tied toAlert > Identity detectionallow organizations to respond quickly and consistently to identity threats, makingOption Cthe correct answer.
Submit