Within Falcon Identity Protection,Predefined Reportsallow administrators to generate standardized reports based on specific data subjects. TheSubject dropdowndetermines the type of data the report will be built from, such as identity risks, authentication activity, or endpoint-related telemetry.
The category associated withendpointsin the Subject dropdown isEvents. Endpoint-related data—such as authentication attempts, logons, protocol usage, and domain controller–observed activity—is captured and represented aseventswithin Falcon. These events form the foundational telemetry used for identity detections, investigations, and reporting.
By contrast:
Insightsrepresent aggregated analytical findings derived from events.
Incidentsgroup multiple detections into a single investigative narrative.
Accountsfocus on identity entities such as users and service accounts.
Endpoint visibility in reporting is therefore tied directly toEvents, as events reflect the raw and enriched activity observed on endpoints and domain controllers. This structure aligns with Falcon’s identity-first security model, where endpoint-observed authentication behavior feeds identity risk scoring and Zero Trust decisions.
The CCIS curriculum explicitly associatesendpoint-related reportingwith theEventssubject, makingOption Bthe correct and verified answer.
