Search for detections in your environment.

Basic Parameters

ParameterDescription
FilterFilter detections using a query in Falcon Query Language (FQL). An asterisk wildcard * includes all results. Common filter options include:status, device.device_id, max_severity. The full list of valid filter options is extensive. Review it in CrowdStrike’s documentation inside the Falcon console.
Return All PagesAutomatically fetch all resources, page by page.

Advanced Parameters

ParameterDescription
LimitThe maximum number of detections to return in this response (default: 9999, max: 9999).
OffsetThe first detection to return, where 0 is the latest detection.
QuerySearch for specific detections using the detection metadata.
SortSort detections using these options:- first_behavior: Timestamp of the first behavior associated with this detection- last_behavior: Timestamp of the last behavior associated with this detection- max_severity: Highest severity of the behaviors associated with this detection- max_confidence: Highest confidence of the behaviors associated with this detection- adversary_id: ID of the adversary associated with this detection, if any- devices.hostname: Hostname of the host where this detection was detectedSort either asc (ascending) or desc (descending). For example: last_behavior|asc.

Example Output

{
	"meta": {
		"query_time": 0.004152658,
		"pagination": {
			"offset": 0,
			"limit": 100,
			"total": 1
		},
		"powered_by": "legacy-detects",
		"trace_id": "000000-0000000-000000-000000"
	},
	"resources": [
		"ldt:123456789012345678901234567890:12345678"
	],
	"errors": []
}

Workflow Library Example

Run Crowdstrike Query

Preview this Workflow on desktop

Was this page helpful?