View information about detections.

External Documentation

To learn more, visit the CrowdStrike documentation.

Parameters

Parameter | Description

Detection ID | The ID of the detection to look up. You can find the detection ID on the Endpoint Detections page.

Example Output

{
	"meta": {
		"query_time": 2,
		"powered_by": "<string>",
		"trace_id": "<string>"
	},
	"resources": [
		{
			"cid": "<string>",
			"created_timestamp": "2025-04-01T16:47:40.861269818Z",
			"detection_id": "<string>",
			"device": {
				"device_id": "<string>",
				"cid": "<string>",
				"agent_load_flags": "<string>",
				"agent_local_time": "2005-10-24T08:37:37.889Z",
				"agent_version": "<string>",
				"bios_manufacturer": "<string>",
				"bios_version": "<string>",
				"config_id_base": "<string>",
				"config_id_build": "<string>",
				"config_id_platform": "<string>",
				"external_ip": "<string>",
				"hostname": "<string>",
				"first_seen": "<string>",
				"last_login_timestamp": "<string>",
				"last_login_user": "<string>",
				"last_seen": "<string>",
				"local_ip": "<string>",
				"mac_address": "<string>",
				"machine_domain": "<string>",
				"major_version": "<string>",
				"minor_version": "<string>",
				"os_version": "<string>",
				"ou": [
					"<string>",
					"<string>"
				],
				"platform_id": "<string>",
				"platform_name": "<string>",
				"product_type": "<string>",
				"product_type_desc": "<string>",
				"site_name": "<string>",
				"status": "<string>",
				"system_manufacturer": "<string>",
				"system_product_name": "<string>",
				"groups": [
					"<string>",
					"<string>"
				],
				"modified_timestamp": "<string>",
				"instance_id": "<string>",
				"service_provider": "<string>",
				"service_provider_account_id": "<string>"
			},
			"behaviors": [
				{
					"device_id": "<string>",
					"timestamp": "<string>",
					"template_instance_id": "<string>",
					"behavior_id": "<string>",
					"filename": "<string>",
					"filepath": "<string>",
					"alleged_filetype": "<string>",
					"cmdline": "<string>",
					"scenario": "<string>",
					"objective": "<string>",
					"tactic": "<string>",
					"tactic_id": "<string>",
					"technique": "<string>",
					"technique_id": "<string>",
					"display_name": "<string>",
					"description": "<string>",
					"severity": 12,
					"confidence": 106,
					"ioc_type": "<string>",
					"ioc_value": "<string>",
					"ioc_source": "<string>",
					"ioc_description": "<string>",
					"user_name": "<string>",
					"user_id": "<string>",
					"control_graph_id": "<string>",
					"triggering_process_graph_id": "<string>",
					"sha256": "<string>",
					"md5": "<string>",
					"parent_details": {
						"parent_sha256": "<string>",
						"parent_md5": "<string>",
						"parent_cmdline": "<string>",
						"parent_process_graph_id": "<string>"
					},
					"pattern_disposition": 3254,
					"pattern_disposition_details": {
						"indicator": false,
						"detect": false,
						"inddet_mask": false,
						"sensor_only": false,
						"rooting": false,
						"kill_process": false,
						"kill_subprocess": false,
						"quarantine_machine": false,
						"quarantine_file": false,
						"policy_disabled": false,
						"kill_parent": false,
						"operation_blocked": false,
						"process_blocked": true,
						"registry_operation_blocked": false,
						"critical_process_disabled": false,
						"bootup_safeguard_enabled": false,
						"fs_operation_blocked": false,
						"handle_operation_downgraded": false,
						"kill_action_failed": false,
						"blocking_unsupported_or_disabled": false,
						"suspend_process": false,
						"suspend_parent": false
					},
					"rule_instance_id": "<string>",
					"rule_instance_version": 41
				}
			],
			"email_sent": false,
			"first_behavior": "<string>",
			"last_behavior": "<string>",
			"max_confidence": 31,
			"max_severity": 6,
			"max_severity_displayname": "<string>",
			"show_in_ui": true,
			"status": "<string>",
			"hostinfo": {
				"active_directory_dn_display": [
					"<string>",
					"<string>"
				],
				"domain": "<string>"
			},
			"seconds_to_triaged": 2,
			"seconds_to_resolved": 1,
			"behaviors_processed": [],
			"date_updated": "<string>"
		},
		{
			"cid": "<string>",
			"created_timestamp": "<string>",
			"detection_id": "<string>",
			"device": {
				"device_id": "<string>",
				"cid": "<string>",
				"agent_load_flags": "<string>",
				"agent_local_time": "2023-08-27T09:51:17.268Z",
				"agent_version": "<string>",
				"bios_manufacturer": "<string>",
				"bios_version": "<string>",
				"config_id_base": "<string>",
				"config_id_build": "<string>",
				"config_id_platform": "<string>",
				"external_ip": "<string>",
				"hostname": "<string>",
				"first_seen": "2022-08-18T13:06:28Z",
				"last_login_timestamp": "2025-03-26T14:12:17Z",
				"last_login_user": "<string>",
				"last_seen": "2025-04-01T16:26:56Z",
				"local_ip": "<string>",
				"mac_address": "<string>",
				"machine_domain": "<string>",
				"major_version": "<string>",
				"minor_version": "<string>",
				"os_version": "<string>",
				"ou": [
					"<string>",
					"<string>"
				],
				"platform_id": "<string>",
				"platform_name": "<string>",
				"product_type": "<string>",
				"product_type_desc": "<string>",
				"site_name": "<string>",
				"status": "<string>",
				"system_manufacturer": "<string>",
				"system_product_name": "<string>",
				"groups": [
					"<string>",
					"<string>"
				],
				"modified_timestamp": "2025-04-01T16:27:08Z",
				"instance_id": "<string>",
				"service_provider": "<string>",
				"service_provider_account_id": "<string>"
			},
			"behaviors": [
				{
					"device_id": "<string>",
					"timestamp": "2025-04-01T16:47:33Z",
					"template_instance_id": "<string>",
					"behavior_id": "<string>",
					"filename": "<string>",
					"filepath": "<string>",
					"alleged_filetype": "<string>",
					"cmdline": "<string>",
					"scenario": "<string>",
					"objective": "<string>",
					"tactic": "<string>",
					"tactic_id": "<string>",
					"technique": "<string>",
					"technique_id": "<string>",
					"display_name": "<string>",
					"description": "<string>",
					"severity": 2,
					"confidence": 115,
					"ioc_type": "<string>",
					"ioc_value": "<string>",
					"ioc_source": "<string>",
					"ioc_description": "<string>",
					"user_name": "<string>",
					"user_id": "<string>",
					"control_graph_id": "<string>",
					"triggering_process_graph_id": "<string>",
					"sha256": "<string>",
					"md5": "<string>",
					"parent_details": {
						"parent_sha256": "<string>",
						"parent_md5": "<string>",
						"parent_cmdline": "<string>",
						"parent_process_graph_id": "<string>"
					},
					"pattern_disposition": 2065,
					"pattern_disposition_details": {
						"indicator": false,
						"detect": false,
						"inddet_mask": false,
						"sensor_only": false,
						"rooting": false,
						"kill_process": false,
						"kill_subprocess": false,
						"quarantine_machine": false,
						"quarantine_file": false,
						"policy_disabled": false,
						"kill_parent": false,
						"operation_blocked": false,
						"process_blocked": true,
						"registry_operation_blocked": false,
						"critical_process_disabled": false,
						"bootup_safeguard_enabled": false,
						"fs_operation_blocked": false,
						"handle_operation_downgraded": false,
						"kill_action_failed": false,
						"blocking_unsupported_or_disabled": false,
						"suspend_process": false,
						"suspend_parent": false
					},
					"rule_instance_id": "<string>",
					"rule_instance_version": 38
				}
			],
			"email_sent": false,
			"first_behavior": "2025-04-01T16:47:33Z",
			"last_behavior": "2025-04-01T16:47:33Z",
			"max_confidence": 180,
			"max_severity": 11,
			"max_severity_displayname": "<string>",
			"show_in_ui": true,
			"status": "<string>",
			"hostinfo": {
				"active_directory_dn_display": [
					"<string>",
					"<string>"
				],
				"domain": "<string>"
			},
			"seconds_to_triaged": 0,
			"seconds_to_resolved": 1,
			"behaviors_processed": [],
			"date_updated": "2025-04-01T16:47:46Z"
		}
	],
	"errors": []
}

Workflow Library Example

Run Crowdstrike Query
