Investigate Threats

Threat investigation starts with data - detections, incidents, threat intelligence, and adversary behaviors. The CrowdStrike Falcon platform exposes all of this through APIs, AI tooling, custom app development, and a query language for searching raw telemetry. Here’s how to put it to work.

Detection Dashboards

Pull real-time alerts filtered by severity, MITRE ATT&CK technique, or host group.

Automated Triage

Enrich detections with threat intelligence and assign priority scores automatically.

Indicator Correlation

Correlate indicators across hosts, identities, and cloud workloads.

Threat Hunting

Search for specific adversary behaviors using Falcon Query Language (FQL).

SOAR Integration

Connect Falcon detections to your orchestration platform and trigger automated investigation workflows.

Third-Party Data Ingestion

Bring external log sources into Next-Gen SIEM so you can hunt across all your security data in one place.

Manage and query the hosts, alerts, and detections that form the foundation of threat investigation.

  • Alerts - Search, filter, and update alert records. Query by severity, technique, hostname, or time range.
  • Hosts - Look up device details, check online status, and correlate host data with detection activity.
  • Detects - Access raw detection data for granular investigation and custom filtering.
  • Incidents - Retrieve and manage incident records that group related detections into actionable cases.
  • Host Group - Organize hosts into logical groups for targeted queries and policy enforcement.
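As an added example (not CrowdStrike code and not from this page), the block below shows the two pieces a practitioner typically builds around the Alerts API: a small FQL filter builder that composes the severity, technique, hostname and time-range criteria listed above, and a triage scorer that ranks constructed alert records by severity, tactic, host criticality and an intel match. The FQL field names (`severity`, `technique`, `device.hostname`, `created_timestamp`), the `+` conjunction and quoting rule, the tactic weights and the asset inventory are all assumptions for illustration; check them against the Alerts API schema for your tenant before relying on them.

```python
"""Added example: FQL filter construction and alert priority scoring.

Everything here is constructed for illustration; it is not the Falcon SDK.
"""

# Tactic weights are an assumption for this example, not a CrowdStrike default.
TACTIC_WEIGHT = {
    "Credential Access": 25,
    "Lateral Movement": 25,
    "Exfiltration": 30,
    "Execution": 15,
    "Persistence": 15,
    "Discovery": 5,
}

# Constructed asset inventory: hostname -> criticality (1 low .. 3 high).
HOST_CRITICALITY = {"dc01": 3, "fileserver02": 2, "laptop-17": 1}

# Constructed set of indicator values that matched threat intelligence.
IOC_MATCHES = {"hash-aaa111"}

# Constructed alert records shaped loosely like Alerts API responses.
SAMPLE_ALERTS = [
    {"id": "A1", "severity": 70, "tactic": "Credential Access",
     "hostname": "dc01", "ioc": "hash-aaa111"},
    {"id": "A2", "severity": 50, "tactic": "Discovery",
     "hostname": "laptop-17", "ioc": None},
    {"id": "A3", "severity": 40, "tactic": "Execution",
     "hostname": "fileserver02", "ioc": "hash-bbb222"},
]


def fql_escape(value):
    """Single-quote a string value for FQL, escaping embedded quotes.

    The escaping rule is an assumption; never interpolate untrusted input
    into a filter without quoting it, or a user-supplied value can add clauses.
    """
    return "'" + str(value).replace("'", "\\'") + "'"


def build_alert_filter(min_severity=None, technique=None, hostname=None, since=None):
    """Compose an FQL filter; clauses are ANDed with '+'.

    `since` is an ISO 8601 UTC timestamp string such as 2024-01-01T00:00:00Z.
    Field names are assumptions for this example.
    """
    clauses = []
    if min_severity is not None:
        clauses.append(f"severity:>={int(min_severity)}")
    if technique:
        clauses.append(f"technique:{fql_escape(technique)}")
    if hostname:
        clauses.append(f"device.hostname:{fql_escape(hostname)}")
    if since:
        clauses.append(f"created_timestamp:>{fql_escape(since)}")
    return "+".join(clauses)


def triage_score(alert, ioc_matches):
    """Score 0..100: severity, plus tactic weight, host criticality, intel hit."""
    score = int(alert.get("severity", 0))
    score += TACTIC_WEIGHT.get(alert.get("tactic", ""), 0)
    criticality = HOST_CRITICALITY.get(alert.get("hostname", ""), 1)
    score += 10 * (criticality - 1)          # +0 / +10 / +20 by asset tier
    if alert.get("ioc") and alert["ioc"] in ioc_matches:
        score += 20                          # enrichment: known-bad indicator
    return min(score, 100)


def tier(score):
    """Map a numeric score to an analyst-facing queue tier."""
    if score >= 90:
        return "critical"
    if score >= 70:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def prioritize(alerts, ioc_matches):
    """Return (alert id, score, tier) tuples, highest priority first."""
    scored = [(a["id"], triage_score(a, ioc_matches)) for a in alerts]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [(alert_id, score, tier(score)) for alert_id, score in scored]


if __name__ == "__main__":
    print(build_alert_filter(min_severity=50, technique="T1003",
                             since="2024-01-01T00:00:00Z"))
    for row in prioritize(SAMPLE_ALERTS, IOC_MATCHES):
        print(row)
```

The filter string is what you would pass as the `filter` parameter of an alerts query; the scorer runs over whatever records that query returns. Keeping the weights in one table makes the triage policy reviewable, and quoting every string value through `fql_escape` is what stops a hostname or technique supplied by a user from altering the query.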

Research adversaries, track indicators of compromise, and enrich your investigations with CrowdStrike’s intelligence.

  • Intel - Query threat actors, intelligence reports, and adversary profiles.
  • IOC - Search, create, and manage custom indicators of compromise.
  • Recon - Monitor the dark web and adversary forums for mentions of your organization.
  • MalQuery - Search CrowdStrike’s malware repository by hash, YARA rule, or fuzzy pattern.
  • Tailored Intelligence - Access intelligence tailored to your specific threat landscape.
  • Falcon Intelligence Sandbox - Submit files and URLs for dynamic analysis and behavioral detonation.

Investigate identity-based threats and assess risk across users and entities.

  • Identity Protection - Query entities, assess identity risk, and investigate lateral movement.

The MITRE ATT&CK Triage sample demonstrates building a Foundry app that provides a MITRE-prioritized view of XDR detections for faster triage. Foundry’s Fusion SOAR capabilities enable multi-step investigation playbooks - automatically enrich detections with intelligence, check related hosts, and escalate to analysts.

The Falcon MCP connects AI assistants directly to your detection, incident, and intelligence data:

  • Detections module - search by severity, MITRE technique, hostname, and time range
  • Incidents module - retrieve incident details, behaviors, and CrowdScores
  • Intel module - look up threat actors, indicators, and intelligence reports
  • IOC module - search and manage custom indicators of compromise

Connect via Claude Desktop, VS Code, or Gemini CLI. For MSSP environments, Flight Control enables cross-tenant investigation.

Falcon Next-Gen SIEM lets you search raw security telemetry with CQL queries - going deeper than the detection layer to find the underlying events. Build correlation rules that trigger custom detections on event patterns the standard rules don’t cover. If you’re ingesting third-party log sources, the Parser Template and CrowdStrike Parsing Standard define how to normalize that data so it’s searchable alongside Falcon telemetry.