UI Extensions
UI extensions embed custom content into existing Falcon console pages. They appear in specific locations (sockets) throughout the console — detection detail panels, host summary tabs, incident sidebars, and more.
Extension types
Section titled “Extension types”Extensions are placed in sockets — predefined insertion points in the Falcon console. Each socket type determines where your extension appears and what contextual data it receives.
| Socket | Location | Context data |
|---|---|---|
dashboard.detection | Detection detail page | Detection ID, host info, MITRE ATT&CK data |
dashboard.incident | Incident detail page | Incident ID, associated detections |
dashboard.host | Host detail page | Host AID, hostname, platform |
dashboard.vulnerability | Vulnerability detail page | CVE data, host info |
dashboard.identity | Identity detail page | Entity info |
sidebar.detection | Detection sidebar panel | Detection ID |
sidebar.incident | Incident sidebar panel | Incident ID |
activity.detection | Detection activity feed | Detection events |
activity.incident | Incident activity feed | Incident events |
tab.detection | Detection detail tab | Detection data |
tab.incident | Incident detail tab | Incident data |
tab.host | Host detail tab | Host data |
action.detection | Detection action menu | Detection ID |
Building with Extension Builder (no-code)
Section titled “Building with Extension Builder (no-code)”The Extension Builder provides a visual, drag-and-drop experience for creating UI extensions without writing code.
- In the App Builder, go to UI extensions.
- Click Create extension and select Extension Builder.
- Choose the socket type.
- Add data sources (API integrations, collections, Falcon APIs).
- Bind data fields to UI components.
- Preview and deploy.
For a walkthrough, see Build a Detection Enrichment App.
Building with the CLI
Section titled “Building with the CLI”For full control over the UI, build extensions using the Foundry CLI.
foundry ui extensions createYou’ll be prompted to choose a template (Vanilla JS or React), name the extension, provide a description, and select sockets.
Development mode
Section titled “Development mode”Run the extension locally with live reload:
foundry ui runThe Falcon console loads your local extension in development mode, visible only to you.
Manifest configuration
Section titled “Manifest configuration”UI extensions are declared in manifest.yml:
ux: extensions: - name: ip-enrichment-panel socket: dashboard.detection description: "Enriches detection details with IP geolocation" entry_point: ui/extensions/ip-enrichment/index.htmlCalling functions from extensions
Section titled “Calling functions from extensions”UI extensions can invoke Foundry functions using the Falcon context object:
// Get the Falcon context (provided by the Foundry runtime)const helloFunction = falcon.cloudFunction({ name: 'hello' });const response = await helloFunction.path('/hello').post({ name: name });