
Get-FalconAlert

Search for alerts in the CrowdStrike Falcon platform. Required Permission: Alerts: Read

Syntax

# Search for alerts by filter
Get-FalconAlert [-Filter <string>] [-Query <string>] [-Sort <string>] [-Limit <int32>] [-Offset <int32>] [-All] [-Total]

# Get detailed alert information
Get-FalconAlert -Detailed -Filter <string> [-Sort <string>] [-Limit <int32>] [-After <string>] [-All] [-Total]

# Retrieve specific alerts by ID
Get-FalconAlert -Id <string[]> [-IncludeHidden <boolean>]

Parameters

Id
string[]
Alert identifier(s). Can be provided via pipeline.
Aliases: composite_ids, composite_id, ids
IncludeHidden
boolean
Include hidden alerts when retrieving results by identifier.
Filter
string
Falcon Query Language (FQL) expression to limit results. Must be a valid FQL statement.
Query
string
Perform a generic substring search across available fields.
Aliases: q
Sort
string
Property and direction to sort results.
Limit
int32
Maximum number of results per request.
Range: 1-10000 (maximum 1000 when using -Detailed)
Offset
int32
Position to begin retrieving results (used for pagination).
After
string
Pagination token to retrieve the next set of results (used with -Detailed).
Detailed
switch
Retrieve detailed information for alerts. Required when using the combined endpoint.
All
switch
Repeat requests until all available results are retrieved.
Total
switch
Display total result count instead of results.

Examples

# Get all alerts with a specific severity
Get-FalconAlert -Filter "severity:'High'" -All

# Search for alerts using a query string
Get-FalconAlert -Query "malware" -Limit 100

Invoke-FalconAlertAction

Perform actions on alerts in the CrowdStrike Falcon platform. Required Permission: Alerts: Write

Syntax

# Perform a single action
Invoke-FalconAlertAction -Name <string> [-Value <string>] [-IncludeHidden <boolean>] -Id <string[]>

# Perform multiple actions
Invoke-FalconAlertAction -Action <hashtable[]> [-IncludeHidden <boolean>] -Id <string[]>

Parameters

Name
string
required
Action to perform on the alert(s).Valid values:
  • add_tag - Add a tag to the alert
  • append_comment - Add a comment to the alert
  • assign_to_name - Assign alert to a user by name
  • assign_to_user_id - Assign alert to a user by ID
  • assign_to_uuid - Assign alert to a user by UUID
  • remove_tag - Remove a specific tag from the alert
  • remove_tags_by_prefix - Remove tags matching a prefix
  • show_in_ui - Show/hide alert in UI
  • unassign - Unassign the alert
  • update_status - Update the alert status
Value
string
Value for the chosen action (e.g., tag name, comment text, user ID, status value).
Action
hashtable[]
One or more hashtables defining multiple name/value pairs for batch operations.
Aliases: action_parameters
Example: @(@{name='add_tag'; value='investigated'}, @{name='update_status'; value='in_progress'})
IncludeHidden
boolean
Include hidden alerts when performing the action.
Default: $true
Aliases: include_hidden
Id
string[]
required
Alert identifier(s). Can be provided via pipeline.
Aliases: composite_ids, composite_id, ids

Examples

# Add a tag to specific alerts
Invoke-FalconAlertAction -Name add_tag -Value 'investigated' -Id $AlertIds

Notes

  • A maximum of 1000 alert IDs can be processed per request
  • When using -Action, multiple operations can be performed in a single API call
  • The -IncludeHidden parameter defaults to $true when not specified
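
The following triage workflow combines the two cmdlets: it counts matching alerts before touching them, pages through the IDs with -All, and applies several actions per batch while staying under the 1000-ID limit. This is an added example, not part of the PSFalcon documentation; it assumes an authenticated Falcon session and that status, severity and created_timestamp are valid FQL fields for alerts.

```powershell
# Added example (not from the PSFalcon docs). Assumes an authenticated session
# (e.g. Request-FalconToken has been run) and that 'status', 'severity' and
# 'created_timestamp' are valid alert FQL fields (assumption, not stated on the page).
$since  = (Get-Date).AddHours(-24).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "status:'new'+severity:'High'+created_timestamp:>'$since'"

# Count first so an unexpectedly large result set is never bulk-modified by accident.
$total = Get-FalconAlert -Filter $filter -Total
if (-not $total) { Write-Host 'No new High alerts in the last 24 hours.'; return }
Write-Host "Triaging $total new High alert(s)."

# -All repeats requests until every matching identifier has been retrieved.
# @() forces an array so a single result still indexes correctly below.
$alertIds = @(Get-FalconAlert -Filter $filter -All)

# Invoke-FalconAlertAction accepts at most 1000 IDs per request, so batch the list.
$batchSize = 1000
for ($i = 0; $i -lt $alertIds.Count; $i += $batchSize) {
    $end   = [Math]::Min($i + $batchSize, $alertIds.Count) - 1
    $batch = $alertIds[$i..$end]

    # One API call per batch: tag for tracking, leave an audit comment, mark in progress.
    # IDs are supplied via the pipeline (bound to -Id); -IncludeHidden keeps its $true default.
    $batch | Invoke-FalconAlertAction -Action @(
        @{ name = 'add_tag';        value = 'triage/auto-high' }
        @{ name = 'append_comment'; value = "Auto-triaged $(Get-Date -Format o): new High alert" }
        @{ name = 'update_status';  value = 'in_progress' }
    )
}
```

Run the first Get-FalconAlert with -Detailed instead of -All to review the alerts before acting, if you would rather confirm the filter matches what you expect.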
