Detects
| Method | Operation ID | Description |
|---|---|---|
| get_aggregate_detects | GetAggregateDetects | Get detect aggregates as specified via json in request body. |
| update_detects_by_ids | UpdateDetectsByIdsV2 | Modify the state, assignee, and visibility of detections |
| get_detect_summaries | GetDetectSummaries | View information about detections |
| query_detects | QueryDetects | Search for detection IDs that match a given query |
Get detect aggregates as specified via json in request body.
- Consumes: application/json
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | body | body | string | Query criteria and settings |
from falconpy.detects import Detects
falcon = Detects(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
BODY = {
"Body Payload": "See body description above"
}
response = falcon.get_aggregate_detects(body=BODY)
print(response)from falconpy.detects import Detects
falcon = Detects(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
BODY = {
"Body Payload": "See body description above"
}
response = falcon.GetAggregateDetects(body=BODY)
print(response)from falconpy.api_complete import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
BODY = {
"Body Payload": "See body description above"
}
response = falcon.command("GetAggregateDetects", body=BODY)
print(response)Modify the state, assignee, and visibility of detections
- Consumes: application/json
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | body | body | string | This endpoint modifies attributes (state and assignee) of detections. This endpoint accepts a query formatted as a JSON array of key-value pairs. You can update one or more attributes one or more detections with a single request. assigned_to_uuid values A user ID, such as 1234567891234567891 ids values One or more detection IDs, which you can find with the /detects/queries/detects/v1 endpoint, the Falcon console, or the Streaming API. show_in_ui values - true: This detection is displayed in Falcon - false: This detection is not displayed in Falcon. Most commonly used together with the status key's false_positive value. status values - new - in_progress - true_positive - false_positive - ignored comment values Optional comment to add to the detection. Comments are displayed with the detection in Falcon and usually used to provide context or notes for other Falcon users. A detection can have multiple comments over time. |
from falconpy.detects import Detects
falcon = Detects(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
BODY = {
"Body Payload": "See body description above"
}
response = falcon.update_detects_by_ids(body=BODY)
print(response)from falconpy.detects import Detects
falcon = Detects(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
BODY = {
"Body Payload": "See body description above"
}
response = falcon.UpdateDetectsByIdsV2(body=BODY)
print(response)from falconpy.api_complete import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
BODY = {
"Body Payload": "See body description above"
}
response = falcon.command("UpdateDetectsByIdsV2", body=BODY)
print(response)View information about detections
- Consumes: application/json
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | body | body | string | View key attributes of detections, including the associated host, disposition, objective/tactic/technique, adversary, and more. Specify one or more detection IDs (max 1000 per request). Find detection IDs with the /detects/queries/detects/v1 endpoint, the Falcon console, or the Streaming API. |
from falconpy.detects import Detects
falcon = Detects(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
BODY = {
"Body Payload": "See body description above"
}
response = falcon.get_detect_summaries(body=BODY)
print(response)from falconpy.detects import Detects
falcon = Detects(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
BODY = {
"Body Payload": "See body description above"
}
response = falcon.GetDetectSummaries(body=BODY)
print(response)from falconpy.api_complete import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
BODY = {
"Body Payload": "See body description above"
}
response = falcon.command("GetDetectSummaries", body=BODY)
print(response)Search for detection IDs that match a given query
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| offset | query | integer | The first detection to return, where 0 is the latest detection. Use with the limit parameter to manage pagination of results. |
|
| limit | query | integer | The maximum number of detections to return in this response (default: 9999; max: 9999). Use with the offset parameter to manage pagination of results. |
|
| sort | query | string | Sort detections using these options: - first_behavior: Timestamp of the first behavior associated with this detection - last_behavior: Timestamp of the last behavior associated with this detection - max_severity: Highest severity of the behaviors associated with this detection - max_confidence: Highest confidence of the behaviors associated with this detection - adversary_id: ID of the adversary associated with this detection, if any - devices.hostname: Hostname of the host where this detection was detected Sort either asc (ascending) or desc (descending). For example: `last_behavior |
|
| filter | query | string | Filter detections using a query in Falcon Query Language (FQL) An asterisk wildcard * includes all results. Common filter options include: - status - device.device_id - max_severity The full list of valid filter options is extensive. Review it in our documentation inside the Falcon console. |
|
| q | query | string | Search all detection metadata for the provided string |
from falconpy.detects import Detects
falcon = Detects(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.query_detects(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy.detects import Detects
falcon = Detects(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.QueryDetects(offset=integer,
limit=integer,
sort="string",
filter="string",
q="string"
)
print(response)from falconpy.api_complete import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
PARAMS = {
"offset": integer,
"limit": integer,
"sort": "string",
"filter": "string",
"q": "string"
}
response = falcon.command("QueryDetects", parameters=PARAMS)
print(response)
- Home
- Discussions Board
- Glossary of Terms
- Installation, Upgrades and Removal
- Samples Collection
- Using FalconPy
- API Operations
-
Service Collections
- Alerts
- API Integrations
- Cloud Connect AWS (deprecated)
- Cloud Snapshots
- Configuration Assessment
- Configuration Assessment Evaluation Logic
- Container Alerts
- Container Detections
- Container Images
- Container Packages
- Container Vulnerabilities
- CSPM Registration
- Custom IOAs
- Custom Storage
- D4C Registration (deprecated)
- Detects
- Device Control Policies
- Discover
- Drift Indicators
- Event Streams
- Exposure Management
- Falcon Complete Dashboard
- Falcon Container
- Falcon Intelligence Sandbox
- FDR
- FileVantage
- Firewall Management
- Firewall Policies
- Foundry LogScale
- Host Group
- Hosts
- Identity Protection
- Image Assessment Policies
- Incidents
- Installation Tokens
- Intel
- IOA Exclusions
- IOC
- IOCs (deprecated)
- Kubernetes Protection
- MalQuery
- Message Center
- ML Exclusions
- Mobile Enrollment
- MSSP (Flight Control)
- OAuth2
- ODS (On Demand Scan)
- Overwatch Dashboard
- Prevention Policy
- Quarantine
- Quick Scan
- Real Time Response
- Real Time Response Admin
- Real Time Response Audit
- Recon
- Report Executions
- Response Policies
- Sample Uploads
- Scheduled Reports
- Sensor Download
- Sensor Update Policy
- Sensor Visibility Exclusions
- Spotlight Evaluation Logic
- Spotlight Vulnerabilities
- Tailored Intelligence
- ThreatGraph
- Unidentified Containers
- User Management
- Workflows
- Zero Trust Assessment
- Documentation Support
-
CrowdStrike SDKs
- Crimson Falcon - Ruby
- FalconPy - Python 3
- FalconJS - Javascript
- goFalcon - Go
- PSFalcon - Powershell
- Rusty Falcon - Rust
