
Get-FalconOverWatchEvent

Retrieve the total number of Falcon OverWatch events across all customers. Required Permission: OverWatch Dashboard: Read

Syntax

Get-FalconOverWatchEvent -Filter <string>

Parameters

Filter
string
required
Falcon Query Language (FQL) expression to limit results. Must be a valid FQL statement.

Examples

# Get total OverWatch events for a specific time period
Get-FalconOverWatchEvent -Filter "timestamp:>'2026-03-01'"

# Get events for a specific customer
Get-FalconOverWatchEvent -Filter "cid:'abc123def456'"

Notes

  • This cmdlet returns aggregate counts of OverWatch events
  • Results represent global event data across all customers
  • Use precise FQL filters to narrow down results to relevant time periods or customer identifiers

Get-FalconOverWatchDetection

Retrieve the total number of Falcon OverWatch detections across all customers. Required Permission: OverWatch Dashboard: Read

Syntax

Get-FalconOverWatchDetection -Filter <string>

Parameters

Filter
string
required
Falcon Query Language (FQL) expression to limit results. Must be a valid FQL statement.

Examples

# Get total OverWatch detections for a specific time period
Get-FalconOverWatchDetection -Filter "timestamp:>'2026-03-01'"

# Get detections for a specific customer
Get-FalconOverWatchDetection -Filter "cid:'abc123def456'"

Notes

  • This cmdlet returns aggregate counts of OverWatch detections
  • Results represent global detection data across all customers
  • OverWatch detections indicate potential threats identified by CrowdStrike’s human threat hunters

Get-FalconOverWatchIncident

Retrieve the total number of Falcon OverWatch incidents across all customers. Required Permission: OverWatch Dashboard: Read

Syntax

Get-FalconOverWatchIncident -Filter <string>

Parameters

Filter
string
required
Falcon Query Language (FQL) expression to limit results. Must be a valid FQL statement.

Examples

# Get total OverWatch incidents for a specific time period
Get-FalconOverWatchIncident -Filter "timestamp:>'2026-03-01'"

# Get incidents for a specific customer
Get-FalconOverWatchIncident -Filter "cid:'abc123def456'"

Notes

  • This cmdlet returns aggregate counts of OverWatch incidents
  • Results represent global incident data across all customers
  • OverWatch incidents represent confirmed security threats identified by CrowdStrike’s threat hunting team

About Falcon OverWatch

Falcon OverWatch is CrowdStrike’s managed threat hunting service that proactively searches for threats in your environment 24/7/365. The OverWatch dashboard cmdlets provide aggregate metrics to help you understand the global threat landscape.

Key Concepts

Events

Raw telemetry data collected and analyzed by OverWatch threat hunters

Detections

Potential threats identified through OverWatch hunting activities

Incidents

Confirmed security threats requiring immediate attention

Common Use Cases

Use these cmdlets to track the volume of security events, detections, and incidents over time to understand your organization’s threat exposure.
Retrieve aggregate metrics for specific time periods to demonstrate security monitoring coverage and threat detection capabilities.
Compare event, detection, and incident counts across different time periods to identify trends and patterns in threat activity.

Best Practices

All OverWatch dashboard cmdlets require a Filter parameter with valid FQL syntax. Always specify a time range to ensure relevant results.
Use relative time filters like timestamp:>'now-24h' for dynamic queries, or absolute timestamps for fixed reporting periods.
OverWatch dashboard data represents aggregate counts across all customers. Ensure you filter by appropriate customer identifiers (CID) when needed.
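The following is an added example, not code from the PSFalcon module or from this page. It applies the practices above: it scopes every query to one CID, builds fixed absolute time windows, refuses any filter that lacks a timestamp term, and compares the current window against the previous one for events, detections and incidents. It assumes an API token has already been obtained (Request-FalconToken) and that each cmdlet returns either a bare number or an object with a count property; neither is stated on this page.

```powershell
# Added example, not part of the PSFalcon module: trend OverWatch counts per CID across
# two consecutive reporting windows. Assumed (not stated on this page): a token is already
# present, and each cmdlet returns a bare number or an object exposing a 'count' property.

function ConvertTo-OverWatchCount ([object]$Result) {
    # Assumed result shape (see header comment); adjust if your module version differs
    if ($Result -is [ValueType]) { return [int64]$Result }
    return [int64]$Result.count
}

function Invoke-OverWatchCount ([string]$Cmdlet, [string]$Filter) {
    # Enforce the page's guidance: every dashboard query must carry a time range
    if ($Filter -notmatch 'timestamp:') {
        throw "Refusing to run $Cmdlet without a timestamp term in the FQL filter: $Filter"
    }
    ConvertTo-OverWatchCount (& $Cmdlet -Filter $Filter)
}

function Get-OverWatchTrend {
    param(
        [Parameter(Mandatory)][string]$Cid,   # customer identifier to scope global data to
        [int]$Days = 7                         # length of each comparison window in days
    )
    # Absolute dates give fixed, reproducible reporting periods; FQL '+' joins terms with AND
    $fmt   = 'yyyy-MM-dd'
    $end   = [DateTime]::UtcNow.Date
    $mid   = $end.AddDays(-$Days)
    $begin = $mid.AddDays(-$Days)
    $current  = "cid:'$Cid'+timestamp:>='$($mid.ToString($fmt))'+timestamp:<'$($end.ToString($fmt))'"
    $previous = "cid:'$Cid'+timestamp:>='$($begin.ToString($fmt))'+timestamp:<'$($mid.ToString($fmt))'"

    foreach ($kind in 'Event', 'Detection', 'Incident') {
        $cmdlet = "Get-FalconOverWatch$kind"
        $now  = Invoke-OverWatchCount $cmdlet $current
        $then = Invoke-OverWatchCount $cmdlet $previous
        # Percentage change is undefined when the previous window had no activity
        $pct = if ($then -eq 0) { $null } else { [math]::Round(100 * ($now - $then) / $then, 1) }
        [pscustomobject]@{
            Type      = $kind
            Previous  = $then
            Current   = $now
            Delta     = $now - $then
            PctChange = $pct
        }
    }
}

# Constructed CID placeholder from the page's examples; replace with your own tenant id
Get-OverWatchTrend -Cid 'abc123def456' -Days 7 | Format-Table -AutoSize
```

A sharp rise in incidents while events stay flat points to hunters confirming more of the existing telemetry, which is the kind of pattern the "Common Use Cases" section suggests watching for.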
