The Recon API provides access to Falcon Intelligence Recon capabilities, enabling monitoring of external threat intelligence sources for brand protection, credential leaks, and domain reconnaissance.

Overview

Falcon Intelligence Recon helps organizations monitor the dark web, paste sites, and other external sources for:
  • Exposed credentials: Leaked usernames, passwords, and authentication data
  • Brand monitoring: Typosquatting, phishing, and impersonation
  • Data breaches: Compromised customer or employee information
  • Third-party risks: Supply chain and vendor exposure
Monitoring rules trigger notifications when threats are detected, with configurable actions for alerting and response.

Monitoring Rules

Search for monitoring rules

Get-FalconReconRule
Get-FalconReconRule [-Filter <string>] [-Query <string>] [-Sort <string>] [-SecondarySort <string>] [-Limit <int32>] [-Offset <int32>] [-Detailed] [-All] [-Total]
Filter
string
Falcon Query Language expression to limit results
Query
string
Perform a generic substring search across available fields
Sort
string
Property and direction to sort results. Options: created_timestamp|asc, created_timestamp|desc, last_updated_timestamp|asc, last_updated_timestamp|desc
SecondarySort
string
Secondary sort property and direction
Limit
int32
Maximum number of results per request (1-500)
Offset
int32
Position to begin retrieving results
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all available results are retrieved
Total
switch
Display total result count instead of results
Example: List all high-priority monitoring rules
Get-FalconReconRule -Filter "priority:'high'" -Detailed -All

Get rule details by ID

Get-FalconReconRule -Id <string[]>
Id
string[]
required
Monitoring rule identifier(s)

Create a monitoring rule

New-FalconReconRule
New-FalconReconRule -Name <string> -Topic <string> -Filter <string> -Priority <string> -Permission <string> [-BreachMonitoring <boolean>] [-BreachMonitorOnly <boolean>] [-SubstringMatching <boolean>] [-MatchOnTsqResultType <string[]>] [-OriginatingTemplateId <string>]
Name
string
required
Monitoring rule name
Topic
string
required
Monitoring rule topic. Options: SA_ALIAS, SA_AUTHOR, SA_BIN, SA_BRAND_PRODUCT, SA_CUSTOM, SA_CVE, SA_DOMAIN, SA_EMAIL, SA_IP, SA_THIRD_PARTY, SA_VIP
Filter
string
required
Falcon Query Language expression to define what to monitor
Priority
string
required
Monitoring rule priority: high, medium, or low
Permission
string
required
Permission level: public (All Intel users) or private (Recon Admins)
BreachMonitoring
boolean
Monitor for breach data
BreachMonitorOnly
boolean
Monitor only for breach data (requires BreachMonitoring: True)
SubstringMatching
boolean
Monitor for substring matches (Typosquatting topic only)
MatchOnTsqResultType
string[]
Monitor for basedomains and/or subdomains (Typosquatting topic only)
OriginatingTemplateId
string
Identifier of originating rule template, if based on one
Example: Create a domain monitoring rule
New-FalconReconRule -Name "Monitor Company Domains" -Topic SA_DOMAIN -Filter "domain:*'example.com'" -Priority high -Permission private -BreachMonitoring $true

Modify a monitoring rule

Edit-FalconReconRule
Edit-FalconReconRule -Id <string> -Name <string> -Filter <string> -Priority <string> -Permission <string> [-BreachMonitoring <boolean>] [-BreachMonitorOnly <boolean>] [-SubstringMatching <boolean>] [-MatchOnTsqResultType <string[]>]
Id
string
required
Monitoring rule identifier
Name
string
required
Updated monitoring rule name
Filter
string
required
Updated monitoring rule filter
Priority
string
required
Updated priority: high, medium, or low
Permission
string
required
Updated permission level: public or private

Delete monitoring rules

Remove-FalconReconRule
Remove-FalconReconRule -Id <string[]> [-DeleteNotification <boolean>]
Id
string[]
required
Monitoring rule identifier(s)
DeleteNotification
boolean
Delete notifications generated by rule(s)

Preview rule notifications

Get-FalconReconRulePreview
Get-FalconReconRulePreview -Topic <string> -Filter <string>
Topic
string
required
Monitoring rule topic
Filter
string
required
Monitoring rule filter to preview
Example: Preview notification count
Get-FalconReconRulePreview -Topic SA_EMAIL -Filter "email:*'@example.com'"

Notifications

Search for notifications

Get-FalconReconNotification
Get-FalconReconNotification [-Filter <string>] [-Query <string>] [-Sort <string>] [-Limit <int32>] [-Offset <int32>] [-Detailed] [-All] [-Total] [-Intel] [-Translate] [-Combined]
Filter
string
Falcon Query Language expression to limit results
Query
string
Perform a generic substring search
Sort
string
Property and direction to sort results. Options: created_date|asc, created_date|desc, updated_date|asc, updated_date|desc
Limit
int32
Maximum number of results per request (1-500)
Intel
switch
Include raw intelligence content
Translate
switch
Translate to English
Combined
switch
Include raw intelligence content and translate to English
Example: Get recent high-priority notifications
Get-FalconReconNotification -Filter "rule.priority:'high'+created_date:>'2024-01-01'" -Sort "created_date|desc" -Detailed -All

Get notification details by ID

Get-FalconReconNotification -Id <string[]> [-Intel] [-Translate] [-Combined]
Id
string[]
required
Notification identifier(s)

Modify notification status

Edit-FalconReconNotification
Edit-FalconReconNotification -Id <string> -Status <string> -AssignedToUuid <string> [-Message <string>] [-IdpSendStatus <string>]
Id
string
required
Notification identifier
Status
string
required
Notification status: new, in-progress, closed-false-positive, or closed-true-positive
AssignedToUuid
string
required
User identifier to assign the notification to
Message
string
Optional message or note
Example: Assign and close a notification
Edit-FalconReconNotification -Id "abc123" -Status closed-true-positive -AssignedToUuid "user-uuid-here" -Message "Confirmed credential leak, reset performed"

Delete notifications

Remove-FalconReconNotification -Id <string[]>
Id
string[]
required
Notification identifier(s)

Exposed Data Records

Search for exposed data records

Get-FalconReconRecord
Get-FalconReconRecord [-Filter <string>] [-Query <string>] [-Sort <string>] [-Limit <int>] [-Offset <int>] [-Detailed] [-All] [-Total]
Filter
string
Falcon Query Language expression to limit results
Query
string
Perform a generic substring search
Sort
string
Property and direction to sort results
Example: Search for records by domain
Get-FalconReconRecord -Filter "email_domain:'example.com'" -Detailed -All

Get record details by ID

Get-FalconReconRecord -Id <string[]>
Id
string[]
required
Exposed data record identifier(s)

Rule Actions

Search for actions

Get-FalconReconAction
Get-FalconReconAction [-Filter <string>] [-Query <string>] [-Sort <string>] [-Limit <int32>] [-Offset <int32>] [-Detailed] [-All] [-Total]
Filter
string
Falcon Query Language expression to limit results

Get action details by ID

Get-FalconReconAction -Id <string[]>
Id
string[]
required
Action identifier(s)

Create a rule action

New-FalconReconAction
New-FalconReconAction -RuleId <string> -Type <string> -Frequency <string> -Recipient <string[]> [-ContentFormat <string>] [-TriggerMatchless <boolean>]
RuleId
string
required
Monitoring rule identifier
Type
string
required
Notification type: email
Frequency
string
required
Notification frequency: asap, daily, or weekly
Recipient
string[]
required
Email address(es) for notifications
ContentFormat
string
Email format: standard or enhanced
TriggerMatchless
boolean
Send email when no matches are found
Example: Create email action for a rule
New-FalconReconAction -RuleId "rule-uuid" -Type email -Frequency asap -Recipient "[email protected]" -ContentFormat enhanced

Modify an action

Edit-FalconReconAction
Edit-FalconReconAction -Id <string> -Frequency <string> -Recipient <string[]> -Status <string> -ContentFormat <string> -TriggerMatchless <boolean>
Id
string
required
Action identifier
Frequency
string
required
Action frequency: asap, daily, or weekly
Recipient
string[]
required
Email address(es)
Status
string
required
Action status: enabled or muted
ContentFormat
string
required
Email format: standard or enhanced
TriggerMatchless
boolean
required
Send email when no matches are found

Delete an action

Remove-FalconReconAction -Id <string>
Id
string
required
Action identifier

Export Jobs

Create an export job

Invoke-FalconReconExport
Invoke-FalconReconExport -Entity <string> -Filter <string> -Sort <string> -ExportType <string> -HumanReadable <boolean>
Entity
string
required
Entity type: notification-exposed-data-record
Filter
string
required
Falcon Query Language expression to filter export data
Sort
string
required
Property and direction to sort results (see cmdlet help for full list)
ExportType
string
required
Export file format: csv or json
HumanReadable
boolean
required
Use property names that match the Falcon UI
Example: Export exposed credentials
$JobId = Invoke-FalconReconExport -Entity notification-exposed-data-record -Filter "email_domain:'example.com'" -Sort "created_date|desc" -ExportType csv -HumanReadable $true

Check export job status

Get-FalconReconExport
Get-FalconReconExport -Id <string[]>
Id
string[]
required
Recon export job identifier(s)

Download export file

Receive-FalconReconExport
Receive-FalconReconExport -Path <string> -Id <string>
Path
string
required
Destination path for downloaded file
Id
string
required
Recon export job identifier
Example: Download completed export
Receive-FalconReconExport -Path ./exposed-data.csv -Id $JobId

Delete export job

Remove-FalconReconExport -Id <string[]>
Id
string[]
required
Recon export job identifier(s)

Common Workflows

Monitor for exposed credentials

# Create monitoring rule
$Rule = New-FalconReconRule -Name "Employee Email Monitoring" -Topic SA_EMAIL -Filter "email:*'@example.com'" -Priority high -Permission private -BreachMonitoring $true

# Create email alert action
New-FalconReconAction -RuleId $Rule.id -Type email -Frequency asap -Recipient "[email protected]" -ContentFormat enhanced

# Check for new notifications
Get-FalconReconNotification -Filter "rule.id:'$($Rule.id)'+status:'new'" -Detailed -All
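A rule only sends email when it has an action whose status is enabled, so a muted or missing action leaves a high-priority rule unalerted. The following is an added example, not part of the original documentation or the module: the function name Get-ReconRuleWithoutAlert is hypothetical, and the rule_id, status and frequency properties on action objects (and id and name on rule objects) are assumptions about the returned data.

```powershell
# Added example: report rules of a given priority that have no enabled 'asap' action.
# Assumed (not shown on this page): action objects expose rule_id, status and
# frequency; rule objects expose id and name.
function Get-ReconRuleWithoutAlert {
    [CmdletBinding()]
    param(
        [ValidateSet('high', 'medium', 'low')]
        [string]$Priority = 'high'
    )

    $Rules   = @(Get-FalconReconRule -Filter "priority:'$Priority'" -Detailed -All)
    $Actions = @(Get-FalconReconAction -Detailed -All)

    # Index the rule ids that have at least one enabled, immediate action
    $Covered = @{}
    foreach ($Action in $Actions) {
        if ($Action.rule_id -and $Action.status -eq 'enabled' -and $Action.frequency -eq 'asap') {
            $Covered[$Action.rule_id] = $true
        }
    }

    # Emit every rule that nothing in the index covers
    foreach ($Rule in $Rules) {
        if (-not $Covered.ContainsKey($Rule.id)) {
            [PSCustomObject]@{
                Id       = $Rule.id
                Name     = $Rule.name
                Priority = $Priority
            }
        }
    }
}

# List uncovered high-priority rules
Get-ReconRuleWithoutAlert -Priority high
```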

Review and triage notifications

# Get high-priority notifications
$Notifications = Get-FalconReconNotification -Filter "rule.priority:'high'+status:'new'" -Detailed -All

# Review and assign
foreach ($Notification in $Notifications) {
    Edit-FalconReconNotification -Id $Notification.id -Status in-progress -AssignedToUuid "analyst-uuid" -Message "Investigating"
}

Export and analyze breach data

# Start export job
$Job = Invoke-FalconReconExport -Entity notification-exposed-data-record -Filter "created_date:>'2024-01-01'" -Sort "created_date|desc" -ExportType csv -HumanReadable $true

# Wait for completion
do {
    Start-Sleep -Seconds 5
    $Status = Get-FalconReconExport -Id $Job.id
} until ($Status.status -eq 'done')

# Download results
Receive-FalconReconExport -Path ./breach-data.csv -Id $Job.id

# Clean up
Remove-FalconReconExport -Id $Job.id
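The polling loop above never exits if the job does not reach 'done', and it leaves the job on the server if the download fails. The following is an added example, not part of the original documentation or the module, that bounds the wait and always removes the job. The function name Export-ReconRecord and its parameters are hypothetical, and it assumes an already authenticated PSFalcon session.

```powershell
# Added example: export exposed data records with a bounded wait and guaranteed cleanup.
# Uses only the export cmdlets and the id/status properties shown on this page.
function Export-ReconRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Filter,
        [Parameter(Mandatory)][string]$Path,
        [int]$TimeoutSeconds = 300,
        [int]$PollSeconds = 5
    )

    $Job = Invoke-FalconReconExport -Entity notification-exposed-data-record -Filter $Filter `
        -Sort 'created_date|desc' -ExportType csv -HumanReadable $true
    if (-not $Job.id) { throw 'Export job was not created.' }

    try {
        $Deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while ($true) {
            $Status = Get-FalconReconExport -Id $Job.id
            if ($Status.status -eq 'done') { break }
            if ((Get-Date) -gt $Deadline) {
                throw "Export $($Job.id) is still '$($Status.status)' after $TimeoutSeconds seconds."
            }
            Start-Sleep -Seconds $PollSeconds
        }

        # The file holds exposed credential data; write it somewhere access-controlled
        $null = Receive-FalconReconExport -Path $Path -Id $Job.id
        Get-Item -Path $Path
    }
    finally {
        # Remove the server-side job whether or not the download succeeded
        Remove-FalconReconExport -Id $Job.id
    }
}

# Export records created since the start of 2024
Export-ReconRecord -Filter "created_date:>'2024-01-01'" -Path ./breach-data.csv
```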

Requires Monitoring rules (Falcon Intelligence Recon): Read and Write permissions.
