Detections

Find and analyze detections to understand malicious activity in your environment.

API Scopes

Alerts: READ

Tools

`falcon_get_detection_details`

Required scopes: Alerts: READ

Retrieve details for detection IDs you already have.

Use ONLY when you have specific composite detection ID(s). To find detections by criteria (severity, status, hostname, etc.), use falcon_search_detections.

Example prompts:

"Get me the details for this detection"

`falcon_search_detections`

Required scopes: Alerts: READ

Find detections by criteria and return their complete details.

Use this tool to discover detections - filter by severity, status, hostname, time range, etc. Returns full detection information including behaviors, device context, and threat details.

Example prompts:

"Show me new high severity detections from the last 7 days"
"Find all unassigned critical detections"

Resources

falcon://detections/search/fql-guide: Contains the guide for the filter param of the falcon_search_detections tool.

Home
- Getting Started
- Modules
  - Overview
  - Cloud Security
  - Custom IOA
  - Detections
  - Discover
  - Firewall
  - Hosts
  - Identity Protection
  - Incidents
  - Intel
  - IOC
  - NGSIEM
  - Scheduled Reports
  - Sensor Usage
  - Serverless
  - Spotlight
- Usage
- Deployment
- Development
- Examples
  - Basic Usage
  - MCP Config
- Changelog

Detections

API Scopes

Tools

falcon_get_detection_details

falcon_search_detections

Resources

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally

`falcon_get_detection_details`

`falcon_search_detections`