List Detections
Search for detections in your environment.
Basic Parameters
| Parameter | Description |
|---|---|
| Filter | Filter detections using a query in Falcon Query Language (FQL) An asterisk wildcard * includes all results. Common filter options include: status, device.device_id, max_severity. The full list of valid filter options is extensive. Review it in CrowdStrike's documentation inside the Falcon console. |
Advanced Parameters
| Parameter | Description |
|---|---|
| Limit | The maximum number of detections to return in this response (default: 9999, max: 9999). |
| Offset | The first detection to return, where 0 is the latest detection. |
| Query | Search for specific detections using the detection metadata. |
| Sort | Sort detections using these options: - first_behavior: Timestamp of the first behavior associated with this detection- last_behavior: Timestamp of the last behavior associated with this detection- max_severity: Highest severity of the behaviors associated with this detection- max_confidence: Highest confidence of the behaviors associated with this detection- adversary_id: ID of the adversary associated with this detection, if any- devices.hostname: Hostname of the host where this detection was detectedSort either asc (ascending) or desc (descending). For example: `last_behavior |
Example Output
{
"meta": {
"query_time": 0.004152658,
"pagination": {
"offset": 0,
"limit": 100,
"total": 1
},
"powered_by": "legacy-detects",
"trace_id": "000000-0000000-000000-000000"
},
"resources": [
"ldt:123456789012345678901234567890:12345678"
],
"errors": []
}
Workflow Library Example
Preview this Workflow on desktop