List Detections

Search for detections in your environment.

Basic Parameters

Parameter	Description
Filter	Filter detections using a query in Falcon Query Language (FQL). An asterisk wildcard * includes all results. Common filter options include:`status`, `device.device_id`, `max_severity`. The full list of valid filter options is extensive. Review it in CrowdStrike's documentation inside the Falcon console.

Advanced Parameters

Parameter	Description
Limit	The maximum number of detections to return in this response (default: 9999, max: 9999).
Offset	The first detection to return, where `0` is the latest detection.
Query	Search for specific detections using the detection metadata.
Sort	Sort detections using these options: `first_behavior`: Timestamp of the first behavior associated with this detection `last_behavior`: Timestamp of the last behavior associated with this detection `max_severity`: Highest severity of the behaviors associated with this detection `max_confidence`: Highest confidence of the behaviors associated with this detection `adversary_id`: ID of the adversary associated with this detection, if any `devices.hostname`: Hostname of the host where this detection was detected Sort either `asc` (ascending) or `desc` (descending). For example: `last_behavior\|asc`.

Example Output

{
    "meta": {
        "query_time": 0.004152658,
        "pagination": {
            "offset": 0,
            "limit": 100,
            "total": 1
        },
        "powered_by": "legacy-detects",
        "trace_id": "000000-0000000-000000-000000"
    },
    "resources": [
        "ldt:123456789012345678901234567890:12345678"
    ],
    "errors": []
}

Workflow Library Example

Run Crowdstrike Query

Preview this Workflow on desktop

List Detections

Basic Parameters​

Advanced Parameters​

Example Output​

Workflow Library Example​

Basic Parameters

Advanced Parameters

Example Output

Workflow Library Example