Overview The Scheduled Reports API allows you to manage scheduled reports and searches, execute reports on-demand, retry failed executions, and download generated report files.
All scheduled report operations require Scheduled Reports: Read permission.
Get-FalconScheduledReport Search for scheduled reports or searches and retrieve their execution information.
Syntax # Search for scheduled reports Get-FalconScheduledReport [[ - Filter ] < string > ] [[ - Query ] < string > ] [[ - Sort ] < string > ] [[ - Limit ] < int32 > ] [ - Offset < int32 > ] [ - Detailed ] [ - All ] [ - Total ] # Get report by ID Get-FalconScheduledReport - Id < string[] > # Search for report executions Get-FalconScheduledReport - Execution [[ - Filter ] < string > ] [[ - Query ] < string > ] [[ - Sort ] < string > ] [[ - Limit ] < int32 > ] [ - Offset < int32 > ] [ - Detailed ] [ - All ] [ - Total ] # Get execution by ID Get-FalconScheduledReport - Execution - Id < string[] >
Parameters Scheduled report or scheduled search identifier. Must be 32-character hexadecimal string. Aliases: ids
Falcon Query Language (FQL) expression to limit results. Example: last_execution_on:>'2024-01-01'
Perform a generic substring search across available fields. Aliases: q
Property and direction to sort results. Valid values:
created_on.asccreated_on.desclast_updated_on.asclast_updated_on.desclast_execution_on.asclast_execution_on.descnext_execution_on.ascnext_execution_on.desc Maximum number of results per request. Range: 1-5000.
Position to begin retrieving results for pagination.
Retrieve information about scheduled report execution(s) instead of report definitions.
Retrieve detailed information including full report metadata.
Repeat requests until all available results are retrieved.
Display total result count instead of results.
Examples List all reports
Get specific report
Search by name
Recent executions
Get execution details
Count total reports
Get-FalconScheduledReport - Detailed - All
Returns Scheduled report or execution information including report ID, name, schedule, format, last execution time, and status.
Invoke-FalconScheduledReport Execute a scheduled report immediately, outside of its normal schedule.
Syntax Invoke-FalconScheduledReport [ - Id ] < string >
Parameters Report identifier. Must be 32-character hexadecimal string.
Examples Execute report
Execute multiple reports
Pipeline execution
Invoke-FalconScheduledReport - Id 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6'
Returns Execution confirmation with execution ID for tracking.
Redo-FalconScheduledReport Retry a failed scheduled report execution.
Syntax Redo-FalconScheduledReport [ - Id ] < string >
Parameters Report identifier for the failed execution to retry. Must be 32-character hexadecimal string.
Examples Retry failed execution
Retry multiple failed reports
Pipeline retry
Redo-FalconScheduledReport - Id 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6'
Returns Retry confirmation with new execution ID.
Receive-FalconScheduledReport Download a scheduled report or search result file.
Syntax Receive-FalconScheduledReport [[ - Path ] < object > ] [ - Id ] < string > [ - Force ]
Parameters Destination path for the downloaded report file. Can be:
A string file path
A report object with result_metadata.report_file_name
A report object with report_params.format
If not provided and Id is given, the cmdlet attempts to determine the filename automatically. Aliases: result_metadata, last_executionReport execution identifier. Must be 32-character hexadecimal string. Aliases: ids
Overwrite an existing file when present at the destination path.
Examples Download with auto-filename
Specify download path
Force overwrite
Pipeline download
Download latest execution
Receive-FalconScheduledReport - Id 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6'
When passing a report object to -Path, the cmdlet automatically extracts the filename and execution ID, making downloads easier.
Returns Downloaded file saved to the specified or automatically determined path.
Common Workflows Execute and Download Report # Execute a report $execution = Invoke-FalconScheduledReport - Id 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6' # Wait for completion (poll every 30 seconds) do { Start-Sleep - Seconds 30 $status = Get-FalconScheduledReport - Execution - Id $execution .id } while ( $status .status -eq 'running' ) # Download completed report if ( $status .status -eq 'done' ) { Receive-FalconScheduledReport - Path 'C:\Reports\latest.csv' - Id $execution .id }
Retry All Failed Reports # Find all failed executions from the last week $lastWeek = ( Get-Date ).AddDays( -7 ).ToString( 'yyyy-MM-dd' ) $failed = Get-FalconScheduledReport - Execution - Filter "status:'failed'+last_execution_on:>' $lastWeek '" - Detailed - All # Retry each failed execution foreach ( $report in $failed ) { Write-Host "Retrying report: $( $report .id ) " Redo-FalconScheduledReport - Id $report .id }
Download All Recent Reports # Get all executions from the last 24 hours $yesterday = ( Get-Date ).AddDays( -1 ).ToString( 'yyyy-MM-dd' ) $executions = Get-FalconScheduledReport - Execution - Filter "last_execution_on:>' $yesterday '+status:'done'" - Detailed - All # Create download directory $downloadDir = 'C:\Reports\' + ( Get-Date - Format 'yyyy-MM-dd' ) New-Item - Path $downloadDir - ItemType Directory - Force # Download each completed report foreach ( $exec in $executions ) { $filename = if ( $exec .result_metadata.report_file_name ) { $exec .result_metadata.report_file_name } else { " $( $exec .id ) . $( $exec .report_params.format ) " } $path = Join-Path $downloadDir $filename Receive-FalconScheduledReport - Path $path - Id $exec .id }
Monitor Report Status # Get all scheduled reports $reports = Get-FalconScheduledReport - Detailed - All # Display summary $reports | Select-Object id , name , @ { N = 'LastRun' ; E = { $_ .last_execution.last_execution_on }} , @ { N = 'Status' ; E = { $_ .last_execution.status }} , @ { N = 'NextRun' ; E = { $_ .next_execution_on }} | Format-Table - AutoSize # Export to CSV $reports | Select-Object id , name , schedule , @ { N = 'last_execution_on' ; E = { $_ .last_execution.last_execution_on }} , @ { N = 'status' ; E = { $_ .last_execution.status }} | Export-Csv 'C:\Reports\report_status.csv' - NoTypeInformation
Scheduled reports can be generated in various formats:
CSV - Comma-separated values for data analysisPDF - Formatted document for sharingJSON - Structured data for programmatic processing
The format is determined when the report is configured in the Falcon console.
Permissions Required Operation Permission Get-FalconScheduledReport Scheduled Reports: Read Invoke-FalconScheduledReport Scheduled Reports: Read Redo-FalconScheduledReport Scheduled Reports: Read Receive-FalconScheduledReport Scheduled Reports: Read
Get-FalconReportExecution - Get detailed execution informationGet-FalconReport - Manage report definitionsExport-FalconReport - Export custom reports 