
bk-cs edited this page Apr 28, 2023 · 23 revisions

Get-FalconDetection

SYNOPSIS

Search for detections

DESCRIPTION

Requires 'Detections: Read'.

PARAMETERS

| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Id | String[] | Detection identifier | | | | X | X |
| Filter | String | Falcon Query Language expression to limit results | | | See "Filter properties" below | | |
| Query | String | Perform a generic substring search across available fields | | | | | |
| Sort | String | Property and direction to sort results | | | See "Sort values" below | | |
| Limit | Int32 | Maximum number of results per request | 1 | 5000 | | | |
| Offset | Int32 | Position to begin retrieving results | | | | | |
| Detailed | Switch | Retrieve detailed information | | | | | |
| All | Switch | Repeat requests until all available results are retrieved | | | | | |
| Total | Switch | Display total result count instead of results | | | | | |

Filter properties (allowed in a -Filter expression):

behaviors.parent_details.parent_md5
behaviors.parent_details.parent_process_graph_id
behaviors.parent_details.parent_cmdline
behaviors.parent_details.parent_sha256
behaviors.parent_details.parent_process_id
behaviors.confidence
behaviors.severity
behaviors.triggering_process_id
behaviors.filename
behaviors.sha256
behaviors.user_name
behaviors.user_id
behaviors.behavior_id
behaviors.timestamp
behaviors.alle
behaviors.objective
behaviors.tactic
behaviors.technique
behaviors.pattern_disposition
behaviors.cmdline
behaviors.triggering_process_graph_id
behaviors.ioc_type
behaviors.ioc_source
behaviors.ioc_value
behaviors.device_id
device.first_seen
device.last_seen
device.modified_timestamp
device.site_name
device.config_id_platform
device.system_manufacturer
device.bios_manufacturer
device.platform_name
device.hostname
device.config_id_build
device.os_version
device.bios_version
device.agent_load_flags
device.release_group
device.status
device.product_type_desc
device.machine_domain
device.agent_local_time
device.device_id
device.system_product_name
device.product_type
device.cid
device.external_ip
device.major_version
device.minor_version
device.platform_id
device.config_id_base
device.ou
device.agent_version
device.local_ip
device.mac_address
device.cpu_signature
device.reduced_functionality_mode
device.serial_number
hostinfo.domain
hostinfo.active_directory_dn_display
quarantined_files.paths
quarantined_files.state
quarantined_files.sha256
quarantined_files.id
q
date_updated
assigned_to_name
max_confidence
detection_id
max_severity
max_severity_displayname
seconds_to_triaged
seconds_to_resolved
status
adversary_ids
cid
first_behavior
last_behavior

Sort values (allowed for -Sort):

adversary_id.asc
adversary_id.desc
devices.hostname.asc
devices.hostname.desc
first_behavior.asc
first_behavior.desc
last_behavior.asc
last_behavior.desc
max_confidence.asc
max_confidence.desc
max_severity.asc
max_severity.desc

SYNTAX

```powershell
Get-FalconDetection [[-Filter] <String>] [[-Query] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [-Offset <Int32>] [-Detailed] [-All] [-Total] [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconDetection -Id <String[]> [-WhatIf] [-Confirm] [<CommonParameters>]
```

REFERENCE

Endpoints

GET /detects/queries/detects/v1
POST /detects/entities/summaries/GET/v1

falconpy

QueryDetects
GetDetectSummaries

USAGE

Find detections

```powershell
Get-FalconDetection -Filter "status:'new'+first_behavior:>'2020-01-01'" -Sort first_behavior.desc [-Detailed] [-All]
```

Find unassigned detections

```powershell
Get-FalconDetection -Filter "assigned_to_uid:null" [-All]
```
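A triage workflow built from the parameters above, as an added example that is not from the PSFalcon wiki or the module's own code. It assumes a token already obtained with Request-FalconToken, the property names listed under Filter, and that -Detailed returns summary objects carrying max_severity, assigned_to_name, behaviors and device fields.

```powershell
# Added example; not part of the PSFalcon wiki or module source.
# Assumes Request-FalconToken has already run with a client key holding 'Detections: Read',
# and uses only the detection/behavior/device property names listed under -Filter.
$days  = 7
$since = (Get-Date).AddDays(-$days).ToString('yyyy-MM-dd')

# FQL: status 'new' and first behavior observed after $since (same shape as the usage example).
$filter = "status:'new'+first_behavior:>'$since'"

# -Total returns only the count, so an over-broad filter is noticed before any paging starts.
$total = Get-FalconDetection -Filter $filter -Total
Write-Host "New detections since ${since}: $total"
if (-not $total) { return }

# -Detailed resolves the matched ids through the summaries endpoint; -All keeps requesting
# pages (Limit/Offset) until every result is retrieved.
$detections = Get-FalconDetection -Filter $filter -Sort max_severity.desc -Detailed -All

# One row per behavior, so tactic/technique pairs can be counted across the whole backlog.
$rows = foreach ($d in $detections) {
    foreach ($b in $d.behaviors) {
        [pscustomobject]@{
            detection_id = $d.detection_id
            max_severity = $d.max_severity
            severity     = $d.max_severity_displayname
            hostname     = $d.device.hostname
            assigned_to  = $d.assigned_to_name
            tactic       = $b.tactic
            technique    = $b.technique
            filename     = $b.filename
        }
    }
}

# View 1: which tactic/technique pairs dominate the new-detection backlog.
$rows | Group-Object tactic, technique | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# View 2: unassigned detections, highest severity first, exported for analyst handoff.
$detections | Where-Object { -not $_.assigned_to_name } |
    Sort-Object max_severity -Descending |
    Select-Object detection_id, max_severity_displayname, status, first_behavior,
        @{ n = 'hostname'; e = { $_.device.hostname } } |
    Export-Csv -Path "unassigned-detections-$since.csv" -NoTypeInformation
```

The -Total pre-check is cheap and catches a filter that would page through the whole tenant; the CSV name and the 7-day window are constructed values for the example.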

2023-04-25: PSFalcon v2.2.5
