The Discover API provides comprehensive asset visibility across your organization, including endpoints, applications, user accounts, IoT devices, and external attack surface.

Overview

Falcon Discover helps organizations maintain asset inventory and identify security gaps:
  • Host discovery: Managed and unmanaged endpoints
  • Application inventory: Installed software and browser extensions
  • Account tracking: User accounts and login events
  • IoT devices: Internet of Things and embedded systems
  • External assets: Public-facing infrastructure and domains

Host Assets

Search for hosts

Get-FalconAsset
Get-FalconAsset [-Filter <string>] [-Sort <string>] [-Limit <int32>] [-Offset <int32>] [-Include <string[]>] [-Detailed] [-All] [-Total]
  • Filter (string): Falcon Query Language expression to limit results
  • Sort (string): Property and direction to sort results
  • Limit (int32): Maximum number of results per request (max: 100 for queries, 1000 for combined)
  • Offset (int32): Position to begin retrieving results (not valid with -Detailed)
  • Include (string[]): Include additional properties: login_event, system_insights, third_party, risk_factors
  • Detailed (switch): Retrieve detailed information (uses combined endpoint with pagination via After)
  • All (switch): Repeat requests until all available results are retrieved
  • Total (switch): Display total result count instead of results

Example: List all unmanaged hosts
Get-FalconAsset -Filter "entity_type:'unmanaged'" -Detailed -All
Example: Get hosts with recent login events
Get-FalconAsset -Filter "last_seen_timestamp:>'2024-01-01'" -Include login_event -Detailed -All

Get host details by ID

Get-FalconAsset -Id <string[]>
  • Id (string[], required): Asset identifier(s) (AID values)

Applications

Search for applications

Get-FalconAsset
Get-FalconAsset -Application [-Filter <string>] [-Sort <string>] [-Limit <int32>] [-Include <string[]>] [-Detailed] [-All] [-Total]
  • Application (switch, required): Search for applications
  • Filter (string): Falcon Query Language expression to limit results
  • Include (string[]): Include additional properties: browser_extension, host_info, install_usage
  • Detailed (switch): Retrieve detailed information

Example: Find applications by name
Get-FalconAsset -Application -Filter "name:*'Chrome'" -Detailed -All
Example: Get applications with installation details
Get-FalconAsset -Application -Include install_usage,host_info -Detailed -All

Get application details by ID

Get-FalconAsset -Application -Id <string[]>
  • Id (string[], required): Application identifier(s)

User Accounts

Search for user accounts

Get-FalconAsset
Get-FalconAsset -Account [-Filter <string>] [-Sort <string>] [-Limit <int32>] [-Offset <int32>] [-Detailed] [-All] [-Total]
  • Account (switch, required): Search for user account assets
  • Filter (string): Falcon Query Language expression to limit results
  • Detailed (switch): Retrieve detailed information

Example: Find privileged accounts
Get-FalconAsset -Account -Filter "admin_privileges:'Yes'" -Detailed -All
Example: Search for accounts by username
Get-FalconAsset -Account -Filter "username:*'admin'" -Detailed -All

Get account details by ID

Get-FalconAsset -Account -Id <string[]>
  • Id (string[], required): Account identifier(s)

Login Events

Search for login events

Get-FalconAsset
Get-FalconAsset -Login [-Filter <string>] [-Sort <string>] [-Limit <int32>] [-Offset <int32>] [-Detailed] [-All] [-Total]
  • Login (switch, required): Search for login events
  • Filter (string): Falcon Query Language expression to limit results
  • Detailed (switch): Retrieve detailed information

Example: Get recent failed logins
Get-FalconAsset -Login -Filter "login_status:'Failed'+login_timestamp:>'2024-01-01'" -Detailed -All
Example: Track logins by account
Get-FalconAsset -Login -Filter "account_name:'administrator'" -Detailed -All

Get login event details by ID

Get-FalconAsset -Login -Id <string[]>
  • Id (string[], required): Login event identifier(s)

IoT Devices

Search for IoT devices

Get-FalconAsset
Get-FalconAsset -IoT [-Filter <string>] [-Sort <string>] [-Limit <int32>] [-After <string>] [-Detailed] [-All] [-Total]
  • IoT (switch, required): Search for IoT assets
  • Filter (string): Falcon Query Language expression to limit results
  • After (string): Pagination token to retrieve the next set of results
  • Detailed (switch): Retrieve detailed information

Example: List all IoT devices
Get-FalconAsset -IoT -Detailed -All
Example: Find IoT devices by type
Get-FalconAsset -IoT -Filter "device_type:'IP Camera'" -Detailed -All

Get IoT device details by ID

Get-FalconAsset -IoT -Id <string[]>
  • Id (string[], required): IoT device identifier(s)

External Assets

Search for external assets

Get-FalconAsset
Get-FalconAsset -External [-Filter <string>] [-Sort <string>] [-Limit <int32>] [-After <string>] [-Detailed] [-All] [-Total]
  • External (switch, required): Search for external assets
  • Filter (string): Falcon Query Language expression to limit results
  • After (string): Pagination token to retrieve the next set of results
  • Detailed (switch): Retrieve detailed information

Example: List external web servers
Get-FalconAsset -External -Filter "asset_type:'web_server'" -Detailed -All
Example: Find assets by domain
Get-FalconAsset -External -Filter "domain:*'example.com'" -Detailed -All

Get external asset details by ID

Get-FalconAsset -External -Id <string[]>
  • Id (string[], required): External asset identifier(s)

Common Workflows

Inventory all assets

# Get all hosts
$Hosts = Get-FalconAsset -Detailed -All

# Get all applications
$Apps = Get-FalconAsset -Application -Detailed -All

# Get all accounts
$Accounts = Get-FalconAsset -Account -Detailed -All

# Get IoT devices
$IoT = Get-FalconAsset -IoT -Detailed -All

# Get external assets
$External = Get-FalconAsset -External -Detailed -All

Write-Host "Total hosts: $($Hosts.Count)"
Write-Host "Total applications: $($Apps.Count)"
Write-Host "Total accounts: $($Accounts.Count)"
Write-Host "Total IoT devices: $($IoT.Count)"
Write-Host "Total external assets: $($External.Count)"

Find unmanaged assets

# Get unmanaged hosts
$Unmanaged = Get-FalconAsset -Filter "entity_type:'unmanaged'" -Detailed -All

# $Host is a read-only automatic variable in PowerShell, so the loop uses $Asset instead
foreach ($Asset in $Unmanaged) {
    Write-Host "Unmanaged: $($Asset.hostname) - $($Asset.ip_address)"
    Write-Host "  Last seen: $($Asset.last_seen_timestamp)"
    Write-Host "  OS: $($Asset.os_version)"
}

Track software installations

# Find specific application
$AppName = "Adobe Reader"
$Apps = Get-FalconAsset -Application -Filter "name:*'$AppName'" -Include host_info,install_usage -Detailed -All

foreach ($App in $Apps) {
    Write-Host "$($App.name) $($App.version)"
    Write-Host "  Installed on: $($App.host_count) hosts"
    Write-Host "  Last used: $($App.last_used_timestamp)"
}
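
The workflow above interpolates $AppName directly into the filter string, so a value containing a quote changes the expression that is sent. The following added example (not part of PSFalcon or the original page) validates clauses before building the filter; New-DiscoverFilter is a hypothetical helper, and rejecting quotes, backslashes and control characters is a conservative assumption because the page documents no escape syntax.

```powershell
function New-DiscoverFilter {
    # Hypothetical helper (not part of PSFalcon): validates each clause before
    # building the filter string, using only the operators shown on this page.
    param([Parameter(Mandatory)] [hashtable[]] $Clause)

    $Parts = foreach ($Item in $Clause) {
        if ($Item.Property -notmatch '^[a-z][a-z0-9_]*$') {
            throw "Invalid property name: '$($Item.Property)'"
        }
        if ($Item.Operator -notin @(':', ':*', ':>')) {
            throw "Unsupported operator: '$($Item.Operator)'"
        }
        $Value = [string]$Item.Value
        # Reject rather than escape: a quote, backslash or control character
        # could end or alter the quoted value (conservative assumption)
        if ($Value -match "['\\\p{Cc}]") {
            throw "Unsafe character in value for $($Item.Property): $Value"
        }
        "{0}{1}'{2}'" -f $Item.Property, $Item.Operator, $Value
    }
    # '+' joins clauses, as in the page's failed-login filter
    $Parts -join '+'
}

# Constructed inputs: one clean value and one containing an apostrophe
foreach ($AppName in 'Adobe Reader', "O'Brien PDF Tools") {
    try {
        $Filter = New-DiscoverFilter -Clause @{ Property = 'name'; Operator = ':*'; Value = $AppName }
        Write-Host "Filter: $Filter"
        # Get-FalconAsset -Application -Filter $Filter -Include host_info,install_usage -Detailed -All
    } catch {
        Write-Warning "Skipped: $($_.Exception.Message)"
    }
}

# Two clauses combined into one expression
New-DiscoverFilter -Clause @(
    @{ Property = 'login_status'; Operator = ':'; Value = 'Failed' },
    @{ Property = 'login_timestamp'; Operator = ':>'; Value = '2024-01-01' })
```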

Audit privileged accounts

# Get all admin accounts
$Admins = Get-FalconAsset -Account -Filter "admin_privileges:'Yes'" -Detailed -All

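# Get recent login activity
foreach ($Admin in $Admins) {
    # Wrap in @() so .Count and indexing work with zero or one result,
    # and sort so the newest event comes first
    $Logins = @(Get-FalconAsset -Login -Filter "account_id:'$($Admin.id)'" -Detailed -All |
        Sort-Object login_timestamp -Descending)

    Write-Host "Admin: $($Admin.username)"
    Write-Host "  Login count: $($Logins.Count)"
    if ($Logins.Count -gt 0) {
        Write-Host "  Last login: $($Logins[0].login_timestamp)"
    }
}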

Monitor login patterns

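# Get failed login attempts in the last 24 hours
# Convert to UTC first: the 'Z' in the format string is a literal character, not a conversion
$Since = (Get-Date).ToUniversalTime().AddDays(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')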
$FailedLogins = Get-FalconAsset -Login -Filter "login_status:'Failed'+login_timestamp:>'$Since'" -Detailed -All

# Group by account
$FailedLogins | Group-Object account_name | Sort-Object Count -Descending | Select-Object Name, Count
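
A raw count per account does not show whether the failures spread across hosts or were followed by a success. The following added example (not from the original page or the PSFalcon project) summarizes that per account over constructed sample records; Get-FailedLoginSummary is a hypothetical function, and the hostname field and the 'Successful' status value are assumptions.

```powershell
# Constructed sample login events. account_name, login_status and login_timestamp
# are the fields used on this page; 'hostname' and 'Successful' are assumptions.
$SampleLogins = @(
    [pscustomobject]@{ account_name = 'svc-backup'; hostname = 'FS01'; login_status = 'Failed';     login_timestamp = '2024-05-01T02:00:05Z' }
    [pscustomobject]@{ account_name = 'svc-backup'; hostname = 'FS02'; login_status = 'Failed';     login_timestamp = '2024-05-01T02:00:09Z' }
    [pscustomobject]@{ account_name = 'svc-backup'; hostname = 'FS02'; login_status = 'Failed';     login_timestamp = '2024-05-01T02:00:14Z' }
    [pscustomobject]@{ account_name = 'svc-backup'; hostname = 'FS02'; login_status = 'Successful'; login_timestamp = '2024-05-01T02:01:30Z' }
    [pscustomobject]@{ account_name = 'jdoe';       hostname = 'WS17'; login_status = 'Failed';     login_timestamp = '2024-05-01T08:59:40Z' }
    [pscustomobject]@{ account_name = 'jdoe';       hostname = 'WS17'; login_status = 'Successful'; login_timestamp = '2024-05-01T09:00:02Z' }
    [pscustomobject]@{ account_name = 'localadmin'; hostname = 'WS03'; login_status = 'Failed';     login_timestamp = '2024-05-01T03:10:00Z' }
    [pscustomobject]@{ account_name = 'localadmin'; hostname = 'WS03'; login_status = 'Failed';     login_timestamp = '2024-05-01T03:10:04Z' }
    [pscustomobject]@{ account_name = 'localadmin'; hostname = 'WS03'; login_status = 'Failed';     login_timestamp = '2024-05-01T03:10:09Z' }
    [pscustomobject]@{ account_name = 'localadmin'; hostname = 'WS03'; login_status = 'Failed';     login_timestamp = '2024-05-01T03:10:15Z' }
)

function Get-FailedLoginSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Login,
        [int] $Threshold = 3
    )
    # Parse timestamps once so ordering does not depend on string format
    $Parsed = $Login | Select-Object *, @{ Name = 'When'; Expression = {
        [datetimeoffset]::Parse($_.login_timestamp, [cultureinfo]::InvariantCulture) } }

    foreach ($Group in ($Parsed | Group-Object account_name)) {
        $Failed = @($Group.Group | Where-Object login_status -eq 'Failed' | Sort-Object When)
        if ($Failed.Count -lt $Threshold) { continue }

        $LastFailure = $Failed[-1].When
        # A non-failed event after the last failure may mean a guess succeeded
        $Later = @($Group.Group | Where-Object {
            $_.login_status -ne 'Failed' -and $_.When -gt $LastFailure })

        [pscustomobject]@{
            Account             = $Group.Name
            FailedCount         = $Failed.Count
            DistinctHosts       = @($Failed.hostname | Sort-Object -Unique).Count
            FirstFailure        = $Failed[0].When
            SuccessAfterFailure = $Later.Count -gt 0
        }
    }
}

Get-FailedLoginSummary -Login $SampleLogins | Sort-Object FailedCount -Descending | Format-Table -AutoSize
```

To run it against live data, pass the output of Get-FalconAsset -Login in place of $SampleLogins. Drop the login_status clause from the filter so that later successes are included.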

Discover IoT security risks

# Get all IoT devices
$IoTDevices = Get-FalconAsset -IoT -Detailed -All

# Identify devices with vulnerabilities
foreach ($Device in $IoTDevices) {
    if ($Device.vulnerabilities -gt 0) {
        Write-Host "$($Device.device_name) - $($Device.device_type)"
        Write-Host "  IP: $($Device.ip_address)"
        Write-Host "  Vulnerabilities: $($Device.vulnerabilities)"
        Write-Host "  Firmware: $($Device.firmware_version)"
    }
}

Map external attack surface

# Get all external-facing web servers
$WebServers = Get-FalconAsset -External -Filter "asset_type:'web_server'" -Detailed -All

foreach ($Server in $WebServers) {
    Write-Host "Server: $($Server.hostname)"
    Write-Host "  IP: $($Server.ip_address)"
    Write-Host "  Ports: $($Server.open_ports -join ', ')"
    Write-Host "  SSL Grade: $($Server.ssl_grade)"
    Write-Host "  Exposed services: $($Server.services -join ', ')"
}

Correlate hosts with login events

# Get hosts with login event data included
$Hosts = Get-FalconAsset -Filter "last_seen_timestamp:>'2024-01-01'" -Include login_event -Detailed -All

# $Host is a read-only automatic variable in PowerShell, so the loop uses $Asset instead
foreach ($Asset in $Hosts) {
    Write-Host "Host: $($Asset.hostname)"

    if ($Asset.login_event) {
        Write-Host "  Recent logins:"
        foreach ($Login in $Asset.login_event) {
            Write-Host "    $($Login.account_name) - $($Login.login_timestamp) - $($Login.login_status)"
        }
    }
}

Asset Facets

Host Facets

  • login_event: Recent login activity on the host
  • system_insights: System configuration and security posture
  • third_party: Third-party integrations and connections
  • risk_factors: Identified security risks

Application Facets

  • browser_extension: Browser extensions associated with the application
  • host_info: Hosts where the application is installed
  • install_usage: Installation and usage statistics

Filter Examples

Host Filters

# Operating system
Get-FalconAsset -Filter "os_version:*'Windows 10'"

# Network
Get-FalconAsset -Filter "ip_address:'192.168.1.*'"

# Time-based
Get-FalconAsset -Filter "last_seen_timestamp:>'2024-01-01T00:00:00Z'"

# Entity type
Get-FalconAsset -Filter "entity_type:'managed'"

Application Filters

# Application name
Get-FalconAsset -Application -Filter "name:*'Office'"

# Vendor
Get-FalconAsset -Application -Filter "vendor:'Microsoft'"

# Version
Get-FalconAsset -Application -Filter "version:*'2019'"

Account Filters

# Username
Get-FalconAsset -Account -Filter "username:*'admin'"

# Privileges
Get-FalconAsset -Account -Filter "admin_privileges:'Yes'"

# Account type
Get-FalconAsset -Account -Filter "account_type:'Local'"

Requires Falcon Discover: Read and Falcon Discover IoT: Read permissions.

Use the -Include parameter with -Detailed to enrich host and application data with additional context in a single request.
