The Read-Only Analyst role is specifically designed for users who need to view data within the CrowdStrike Falcon platform but are not authorized to make any changes. This role provides access to monitor detections, view dashboards, and run reports. It strictly prohibits any modification of configurations, such as prevention policies, sensor settings, or user management. This adheres to the principle of least privilege, ensuring that personnel with monitoring duties cannot inadvertently or intentionally alter the security posture of the organization.

A. Support: This is not a standard, assignable role for internal users. The "Support" role typically refers to granting temporary, audited access to CrowdStrike's own support personnel for troubleshooting.

C. Administrator: This role has full read and write permissions across the entire platform, including the ability to modify all configurations, which directly violates the scenario's main restriction.

D. Prevention Analyst: This role is permitted to manage and modify prevention policies. Since policies are a core part of the system's configuration, this role does not meet the requirement.

1. CrowdStrike Falcon® Platform Documentation

"Host and Cloud Security 2023: User Management - Role Permissions". This official documentation outlines the specific permissions for each built-in role. The "Read-Only Analyst" role is explicitly defined as having view-only access to detections

events

and reports without any write or configuration privileges.

2. NIST Special Publication 800-53 Rev. 5

"Security and Privacy Controls for Information Systems and Organizations

" Section AC-6 (Least Privilege). This standard provides the foundational security principle that users should be granted access only to the information and resources that are necessary for their legitimate roles

which the "Read-Only Analyst" role exemplifies for monitoring tasks.