List Detections
Search for detections in your environment.
Basic Parameters
Parameter | Description |
---|---|
Filter | Filter detections using a query in Falcon Query Language (FQL). An asterisk wildcard (*) includes all results. Common filter fields include status, device.device_id and max_severity. The full list of valid filter fields is extensive; review it in CrowdStrike's documentation inside the Falcon console. |
Advanced Parameters
Parameter | Description |
---|---|
Limit | The maximum number of detections to return in this response (default: 9999, max: 9999). |
Offset | The first detection to return, where 0 is the latest detection. |
Query | Search for specific detections using the detection metadata. |
Sort | Sort detections by one of these fields: first_behavior (timestamp of the first behavior associated with this detection), last_behavior (timestamp of the last behavior associated with this detection), max_severity (highest severity of the behaviors associated with this detection), max_confidence (highest confidence of the behaviors associated with this detection), adversary_id (ID of the adversary associated with this detection, if any), devices.hostname (hostname of the host where this detection was detected). Append the direction, either asc (ascending) or desc (descending), separated by a pipe. For example: last_behavior\|asc |
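The parameters above are usually assembled from values that come from elsewhere in a workflow (a hostname from a ticket, a severity threshold from a form), so the practical hazards are a caller smuggling extra clauses into the FQL filter, an unsupported sort expression, and a result set larger than the 9999-per-response cap. The following is an added example, not code from the original page or from CrowdStrike or the workflow vendor. It assumes FQL joins clauses with "+" (AND) and single-quotes string literals, and it uses a constructed stand-in for the request so it runs offline; fetch_page, _fake_fetch and the made-up detection IDs are hypothetical.

```python
# Added example, not code from the original page or from CrowdStrike or the
# workflow vendor. Assembles Filter, Sort, Limit and Offset for a List
# Detections call from untrusted inputs and pages through the results.
# Assumptions (not stated on the page): FQL joins clauses with "+" (AND) and
# quotes string literals with single quotes; fetch_page is a hypothetical
# stand-in for the request the action performs, taking a parameter dict and
# returning the detection IDs of one page.
import re
from typing import Callable, Iterable

MAX_LIMIT = 9999  # per-response cap given on the page

# Sort fields listed on the page; anything else is rejected up front.
SORT_FIELDS = {
    "first_behavior", "last_behavior", "max_severity",
    "max_confidence", "adversary_id", "devices.hostname",
}
SORT_DIRECTIONS = {"asc", "desc"}

_FIELD_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")
# Conservative allowlist for string values. Quotes, "+", "," and parentheses
# are FQL metacharacters and are refused rather than escaped, because the
# page does not document an escape syntax.
_VALUE_RE = re.compile(r"^[A-Za-z0-9_.:\- ]*$")
_OPERATORS = {":", ":!", ":>", ":>=", ":<", ":<="}


def fql_clause(field: str, op: str, value) -> str:
    """Render one comparison such as status:'new' or max_severity:>=50."""
    if not _FIELD_RE.match(field):
        raise ValueError(f"bad filter field: {field!r}")
    if op not in _OPERATORS:
        raise ValueError(f"bad operator: {op!r}")
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise TypeError("value must be int or str")
    if isinstance(value, int):
        return f"{field}{op}{value}"
    if not _VALUE_RE.match(value):
        raise ValueError(f"refusing FQL metacharacters in value: {value!r}")
    return f"{field}{op}'{value}'"


def build_filter(clauses: Iterable[tuple]) -> str:
    """AND the (field, op, value) clauses together; no clauses means '*'."""
    rendered = [fql_clause(f, o, v) for f, o, v in clauses]
    return "+".join(rendered) if rendered else "*"


def build_sort(field: str, direction: str = "desc") -> str:
    """Produce the 'field|direction' form the Sort parameter expects."""
    if field not in SORT_FIELDS:
        raise ValueError(f"unknown sort field: {field!r}")
    if direction not in SORT_DIRECTIONS:
        raise ValueError(f"direction must be asc or desc, got {direction!r}")
    return f"{field}|{direction}"


def list_detection_ids(fetch_page: Callable[[dict], list], filter_expr: str,
                       sort: str, page_size: int = 1000,
                       max_total: int = MAX_LIMIT) -> list:
    """Walk offset pagination. Offset 0 is the latest detection, so one that
    arrives mid-walk shifts every later page by one; IDs are deduplicated to
    absorb that. The walk never asks for more than the 9999 cap: narrow the
    filter (for example on last_behavior) instead of paging past it."""
    if not 1 <= page_size <= MAX_LIMIT:
        raise ValueError("page_size must be between 1 and 9999")
    max_total = min(max_total, MAX_LIMIT)
    seen = {}  # insertion-ordered set of IDs
    offset = 0
    while offset < max_total:
        limit = min(page_size, max_total - offset)
        page = fetch_page({"filter": filter_expr, "sort": sort,
                           "limit": limit, "offset": offset})
        for det_id in page:
            seen.setdefault(det_id, None)
        if len(page) < limit:
            break
        offset += len(page)
    return list(seen)


# Constructed stand-in for the request so the example runs offline: 2500
# made-up detection IDs, served newest first.
_FAKE_IDS = [f"ldt:{i:032x}:{i}" for i in range(2500)]


def _fake_fetch(params: dict) -> list:
    start = params["offset"]
    return _FAKE_IDS[start:start + params["limit"]]


if __name__ == "__main__":
    flt = build_filter([("status", ":", "new"), ("max_severity", ":>=", 50)])
    ids = list_detection_ids(_fake_fetch, flt, build_sort("last_behavior"))
    print(flt, len(ids))
```

Refusing metacharacters instead of escaping them is deliberate: a value such as new'+device.device_id:'x would otherwise widen a status filter into a second clause, and the page gives no escape syntax to rely on. Sorting on a stable field such as last_behavior while walking offsets keeps the pages consistent when new detections arrive during the walk.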
Example Output