Skip to content
CrowdStrike Developer Center

Detects

The Detects service collection provides operations for aggregating, updating, and querying detection data. Get detection aggregates, modify detection states and assignees, view detection summaries, and search for detection IDs using FQL filters.

LanguageLast Update
Pythonv1.6.1
PowerShellv2.2.9
Gov0.20.0
TypeScriptv0.6.0
Rustv0.7.0
Rubyv1.2.0

This service collection has code examples posted to the repository.

DEPRECATED: This entire service collection is deprecated. Developers should leverage operations from the Alerts service collection instead. These endpoints will be decommissioned on September 30, 2025.

Table of Contents

Section titled “Table of Contents”
OperationDescription
GetAggregateDetects
get_aggregate_detects		Get detect aggregates as specified via json in request body.
UpdateDetectsByIdsV2
update_detects_by_ids		Modify the state, assignee, and visibility of detections.
GetDetectSummaries
get_detect_summaries		View information about detections.
QueryDetects
query_detects		Search for detection IDs that match a given query.

GetAggregateDetects

Section titled “GetAggregateDetects”

Get detect aggregates as specified via json in request body.

POST /detects/aggregates/detects/GET/v1
Scope Detects: READ Consumes · Produces application/json
PEP 8 get_aggregate_detects

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
date_rangesbodylist of dictionariesApplies to date_range aggregations. Example: [{“from”: “2016-05-28T09:00:31Z”, “to”: “2016-05-30T09:00:31Z”}, {“from”: “2016-06-01T09:00:31Z”, “to”: “2016-06-10T09:00:31Z”}]
excludebodystringElements to exclude.
fieldbodystringThe field on which to compute the aggregation.
filterbodystringFQL formatted string to use to filter the results.
frombodyintegerStarting position.
includebodystringElements to include.
intervalbodystringTime interval for date histogram aggregations. Valid values include: year, month, week, day, hour, minute.
max_doc_countbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
namebodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qbodystringFull text search across all metadata fields.
rangesbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [{“From”: 0, “To”: 70}, {“From”: 70, “To”: 100}]
sizebodyintegerThe max number of term buckets to be returned.
sub_aggregatesbodylist of dictionariesA nested aggregation, such as: [{“name”: “max_first_behavior”, “type”: “max”, “field”: “first_behavior”}]. There is a maximum of 3 nested aggregations per request.
sortbodystringFQL string to sort bucket results. _count - sort by document count; _term - sort by the string value alphabetically. Supports asc and desc using | format. Example: _count|desc
time_zonebodystringTime zone for bucket results.
typebodystringType of aggregation. Valid values include: date_histogram (aggregates counts on a specified time interval, requires use of “interval” field), date_range (aggregates counts on custom defined date range buckets), terms (buckets alerts by the value of a specified field), range (buckets alerts by specified numeric ranges of a specified field), cardinality (returns the count of distinct values in a specified field), max (returns the maximum value of a specified field), min (returns the minimum value of a specified field), avg (returns the average value of the specified field), sum (returns the total sum of all values for the specified field), percentiles (returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99).

Code Examples

Section titled “Code Examples”
from falconpy import Detects


falcon = Detects(client_id=CLIENT_ID,
                 client_secret=CLIENT_SECRET
                 )


ranges = [
    {
        "From": 0,
        "To": 0
    }
]


response = falcon.get_aggregate_detects(date_ranges="string",
                                        exclude="string",
                                        field="string",
                                        filter="string",
                                        from=integer,
                                        include="string",
                                        interval="string",
                                        max_doc_count=integer,
                                        min_doc_count=integer,
                                        missing="string",
                                        name="string",
                                        q="string",
                                        ranges=ranges,
                                        size=integer,
                                        sort="string",
                                        sub_aggregates=["string"],
                                        time_zone="string",
                                        type="string")
print(response)

UpdateDetectsByIdsV2

Section titled “UpdateDetectsByIdsV2”

Modify the state, assignee, and visibility of detections. You can update one or more attributes of one or more detections with a single request.

PATCH /detects/entities/detects/v2
Scope Detects: WRITE Consumes · Produces application/json
PEP 8 update_detects_by_ids

Parameters

Section titled “Parameters”
NameTypeData typeDescription
assigned_to_uuidbodystringA user UID (Ex: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) to assign the detection to.
bodybodydictionaryFull body payload in JSON format.
commentbodystringOptional comment to add to the detection. Comments are displayed with the detection in Falcon and are usually used to provide context or notes for other Falcon users. A detection can have multiple comments over time.
idsbodystring or list of stringsID(s) of the detection to update, which you can find with the QueryDetects operation, the Falcon console, or the Streaming API.
new_behaviors_processedbodystring or list of stringsNew behaviors processed.
show_in_uibodybooleanBoolean determining if this detection is displayed in the Falcon console. true: This detection is displayed in Falcon. false: This detection is not displayed in Falcon. Most commonly used together with the status key’s false_positive value.
statusbodystringCurrent status of the detection. Allowed values: ignored, new, in_progress, true_positive, false_positive.

Code Examples

Section titled “Code Examples”
from falconpy import Detects


falcon = Detects(client_id=CLIENT_ID,
                 client_secret=CLIENT_SECRET
                 )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.update_detects_by_ids(assigned_to_uuid="string",
                                        comment="string",
                                        ids=id_list,
                                        new_behaviors_processed=id_list,
                                        show_in_ui=boolean,
                                        status="string")
print(response)

GetDetectSummaries

Section titled “GetDetectSummaries”

View information about detections.

POST /detects/entities/summaries/GET/v1
Scope Detects: READ Consumes · Produces application/json
PEP 8 get_detect_summaries

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
idsbodystring or list of stringsID(s) of the detections to retrieve. View key attributes of detections, including the associated host, disposition, objective/tactic/technique, adversary, and more. Specify one or more detection IDs (max 1000 per request). Find detection IDs with the QueryDetects operation, the Falcon console, or the Streaming API.

In order to use this method, either a body keyword or the ids keyword must be provided.

Code Examples

Section titled “Code Examples”
from falconpy import Detects


falcon = Detects(client_id=CLIENT_ID,
                 client_secret=CLIENT_SECRET
                 )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_detect_summaries(ids=id_list)
print(response)

QueryDetects

Section titled “QueryDetects”

Search for detection IDs that match a given query.

GET /detects/queries/detects/v1
Scope Detects: READ Consumes · Produces application/json
PEP 8 query_detects

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringFilter detections using a query in Falcon Query Language (FQL). An asterisk wildcard * includes all results. See the available FQL filters table below for more detail.
limitqueryintegerThe maximum number of detections to return in this response (default: 100; max: 9999). Use with the offset parameter to manage pagination of results.
offsetqueryintegerThe first detection to return, where 0 is the latest detection. Use with the limit parameter to manage pagination of results.
parametersquerydictionaryFull query string parameters payload in JSON format.
qquerystringSearch all detection metadata for the provided string.
sortquerystringSort detections using these options: first_behavior (timestamp of the first behavior), last_behavior (timestamp of the last behavior), max_severity (highest severity), max_confidence (highest confidence), adversary_id (ID of the adversary), devices.hostname (hostname of the host). Sort either asc (ascending) or desc (descending). Example: last_behavior|asc
Available FQL Filters
Section titled “Available FQL Filters”

The following tables detail acceptable values for the filter keyword described above. Filter options are broken out into four categories:

  • General
  • Behavioral
  • Devices
  • Miscellaneous
General
Section titled “General”
adversary_idsdate_updatedlast_behaviormax_severity_displaynamestatus
assigned_to_namedetection_idmax_confidenceseconds_to_resolved
cidfirst_behaviormax_severityseconds_to_triaged
Behavioral - behaviors.filter
Section titled “Behavioral - behaviors.filter”

Example: behaviors.ioc_type

alleged_filetypemd5sha256
behavior_idobjectivetactic
cmdlineparent_details.parent_cmdlinetechnique
confidenceparent_details.parent_md5timestamp
control_graph_idparent_details.parent_process_idtriggering_process_id
device_idparent_details.parent_process_graph_idtriggering_process_graph_id
filenameparent_details.parent_sha256user_id
ioc_sourcepattern_dispositionuser_name
ioc_typescenario
ioc_valueseverity
Devices - device.filter
Section titled “Devices - device.filter”

Example: device.platform_name

agent_load_flagsfirst_seenplatform_name
agent_local_timehostnameproduct_type
agent_versionlast_seenproduct_type_desc
bios_manufacturerlocal_iprelease_group
bios_versionmac_addressreduced_functionality_mode
cidmachine_domainserial_number
config_id_basemajor_versionsite_name
config_id_buildminor_versionstatus
config_id_platformmodified_timestampsystem_product_name
cpu_signatureos_versionsystem_manufacturer
device_idou
external_ipplatform_id
Miscellaneous
Section titled “Miscellaneous”
hostinfo.domainquarantined_files.idquarantined_files.sha256
hostinfo.active_directory_dn_displayquarantined_files.pathsquarantined_files.state

Code Examples

Section titled “Code Examples”
from falconpy import Detects


falcon = Detects(client_id=CLIENT_ID,
                 client_secret=CLIENT_SECRET
                 )


response = falcon.query_detects(filter="string",
                                limit="string",
                                offset="string",
                                q="string",
                                sort="string")
print(response)
© 2026 CrowdStrike, Inc. All rights reserved. Privacy Notice Cookie Notice Terms of Use