UI Extensions
UI extensions embed custom content into existing Falcon console pages. They appear in specific locations (sockets) throughout the console — detection detail panels, host summary tabs, incident sidebars, and more.
Extension types
Section titled “Extension types”Extensions are placed in sockets — predefined insertion points in the Falcon console. Each socket type determines where your extension appears and what contextual data it receives.
| Display Name | Technical ID | Console Navigation |
|---|---|---|
| Endpoint detection details | activity.detections.details | Endpoint security › Monitor › Endpoint detections |
| Identity Protection detection details | identity.detections.details | Identity protection › Detections › Detections |
| NGSIEM cases details | xdr.cases.panel | Next-Gen SIEM › Monitor and investigate › Cases |
| Host management host details | hosts.host.panel | Host setup and management › Manage endpoints › Host management |
| Automated leads details | automated-leads.leads.details | Next-Gen SIEM › Monitor and investigate › Automated leads |
| Workflow execution details | workflows.executions.execution.details | Fusion SOAR › Workflows › (open an execution) |
| NGSIEM workbench details | ngsiem.workbench.details | Next-Gen SIEM › Cases › open a case › workbench graph canvas › click a node |
The extension does not appear at the list level — open an individual record (detection, case, host, lead, or execution) and the extension renders in the detail panel.
Building with Extension Builder (no-code)
Section titled “Building with Extension Builder (no-code)”The Extension Builder provides a visual, drag-and-drop experience for creating UI extensions without writing code.
- In the App Builder, go to UI extensions.
- Click Create extension and select Extension Builder.
- Choose the socket type.
- Add data sources (API integrations, collections, Falcon APIs).
- Bind data fields to UI components.
- Preview and deploy.
For a walkthrough, see Build a Detection Enrichment App.
Building with the CLI
Section titled “Building with the CLI”For full control over the UI, build extensions using the Foundry CLI.
foundry ui extensions createYou’ll be prompted to choose a template (Vanilla JS or React), name the extension, provide a description, and select sockets.
Development mode
Section titled “Development mode”Run the extension locally with live reload:
foundry ui runThe Falcon console loads your local extension in development mode, visible only to you.
Manifest configuration
Section titled “Manifest configuration”UI extensions are declared in manifest.yml:
ui: extensions: - name: ip-enrichment-panel description: "Enriches detection details with IP geolocation" path: ui/extensions/ip-enrichment/dist entrypoint: ui/extensions/ip-enrichment/dist/index.html sockets: - activity.detections.detailsCalling functions from extensions
Section titled “Calling functions from extensions”UI extensions can invoke Foundry functions using the Falcon context object:
// Get the Falcon context (provided by the Foundry runtime)const helloFunction = falcon.cloudFunction({ name: 'hello' });const response = await helloFunction.path('/hello').post({ name: name });