Create an API client in the Falcon console under API Clients and Keys with the Detections: Read and Hosts: Read scopes; note the client_id and client_secret (the secret is displayed only once at creation, so record it immediately and keep it out of source code)
Obtain an OAuth2 access token by POSTing to the /oauth2/token endpoint with client_id and client_secret as form fields; tokens expire after a short period so cache and refresh them
Search for detection IDs with GET /detects/queries/detects/v1 using the filter parameter (FQL — Falcon Query Language) to narrow by status, severity, or time range (e.g., created_timestamp:>='2024-01-01T00:00:00Z')
Retrieve full detection details by POSTing the list of detection IDs to /detects/entities/summaries/v1 with a JSON body; each detection summary includes device, tactic, technique, severity, and status fields
Update detection status (true_positive, false_positive, ignored, or in_progress) with PATCH /detects/entities/detects/v1 providing the detection id and updated fields to reflect analyst triage
Paginate ID search results using the offset parameter; the response metadata (meta.pagination.total) includes the total count so you can calculate the number of pages needed
Known gotchas
FQL filter syntax is specific to CrowdStrike and differs from standard query languages; string values must be single-quoted and field names are case-sensitive
The detections query endpoint returns IDs only; forgetting to call the summaries endpoint is a common integration error that leaves you with no actionable data
CrowdStrike token endpoints differ by cloud environment (US-1, US-2, EU-1, US-GOV-1); using the wrong base URL returns authentication errors that look like credential problems but are not
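The six steps above and the gotchas that follow them, as one worked example added here (this is not CrowdStrike's code and not the page's own): a stdlib-only Python client that caches and refreshes the OAuth2 token ahead of expiry, walks the ID query by offset until meta.pagination.total is reached, fetches summaries for the IDs, and records triage status. The per-cloud base URLs are an assumption taken from CrowdStrike's published API hosts and should be confirmed for your tenant; build_fql joins conditions with '+' (the FQL AND operator) and single-quotes string values. FakeFalcon, triage_demo, the det-N detection IDs and the tok-N tokens are constructed for the example so it runs offline; to talk to the real service, construct DetectsClient with the default urllib_transport.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumption: base URL per Falcon cloud as published by CrowdStrike; confirm which cloud your tenant lives in.
CLOUD_BASE_URLS = {"us-1": "https://api.crowdstrike.com", "us-2": "https://api.us-2.crowdstrike.com",
                   "eu-1": "https://api.eu-1.crowdstrike.com", "us-gov-1": "https://api.laggar.gcw.crowdstrike.com"}
TRIAGE_STATUSES = {"true_positive", "false_positive", "ignored", "in_progress"}

def build_fql(**conditions):
    """Join field:value conditions with '+' (FQL AND); string values are single-quoted, never bare."""
    parts = []
    for field, value in conditions.items():
        if isinstance(value, str):
            value = "'%s'" % value.replace("'", "")  # drop embedded quotes rather than emit a broken filter
        parts.append("%s:%s" % (field, value))
    return "+".join(parts)

def urllib_transport(method, url, headers, body):  # real HTTP; body is an already-encoded str or None
    req = urllib.request.Request(url, data=body.encode() if body else None, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())

class DetectsClient:
    def __init__(self, cloud, client_id, client_secret, transport=urllib_transport, clock=time.time):
        if cloud not in CLOUD_BASE_URLS:  # a wrong cloud surfaces later as an auth error, so reject it up front
            raise ValueError("unknown Falcon cloud %r; expected one of %s" % (cloud, sorted(CLOUD_BASE_URLS)))
        self.base, self.client_id, self.client_secret = CLOUD_BASE_URLS[cloud], client_id, client_secret
        self.transport, self.clock, self._token, self._expires_at = transport, clock, None, 0.0

    def token(self):
        """Cached bearer token, refreshed 60 s before the server-reported expiry."""
        if self._token is None or self.clock() >= self._expires_at - 60:
            form = urllib.parse.urlencode({"client_id": self.client_id, "client_secret": self.client_secret})
            resp = self.transport("POST", self.base + "/oauth2/token",
                                  {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}, form)
            self._token, self._expires_at = resp["access_token"], self.clock() + float(resp.get("expires_in", 1799))
        return self._token

    def _call(self, method, path, params=None, body=None):
        url = self.base + path + ("?" + urllib.parse.urlencode(params) if params else "")
        headers = {"Authorization": "Bearer " + self.token(), "Accept": "application/json"}
        if body is not None:
            headers["Content-Type"] = "application/json"
        return self.transport(method, url, headers, None if body is None else json.dumps(body))

    def query_detection_ids(self, fql, limit=100):  # walks by offset until meta.pagination.total; IDs only
        ids, offset = [], 0
        while True:
            resp = self._call("GET", "/detects/queries/detects/v1", {"filter": fql, "offset": offset, "limit": limit})
            page = resp.get("resources", [])
            ids.extend(page)
            offset += len(page)
            if not page or offset >= resp["meta"]["pagination"]["total"]:
                return ids

    def get_summaries(self, ids):
        """IDs alone are not actionable; fetch the full summaries in one POST."""
        return self._call("POST", "/detects/entities/summaries/v1", body={"ids": ids}).get("resources", []) if ids else []

    def update_status(self, ids, status):
        if status not in TRIAGE_STATUSES:
            raise ValueError("status must be one of %s" % sorted(TRIAGE_STATUSES))
        return self._call("PATCH", "/detects/entities/detects/v1", body={"ids": ids, "status": status})

class FakeFalcon:  # constructed in-memory stand-in for the Falcon API so the example runs offline
    def __init__(self):
        self.token_calls = self.query_calls = 0
        self.detections = {"det-%d" % i: {"detection_id": "det-%d" % i, "status": "new",
                           "max_severity_displayname": "High" if i % 2 else "Medium"} for i in range(1, 6)}

    def __call__(self, method, url, headers, body):
        parsed = urllib.parse.urlsplit(url)
        req = json.loads(body) if headers.get("Content-Type") == "application/json" else {}
        if parsed.path == "/oauth2/token":
            self.token_calls += 1
            return {"access_token": "tok-%d" % self.token_calls, "expires_in": 1799}
        if headers.get("Authorization") != "Bearer tok-%d" % self.token_calls:
            raise PermissionError("401: missing or stale bearer token")
        if parsed.path == "/detects/queries/detects/v1":
            self.query_calls += 1
            params = dict(urllib.parse.parse_qsl(parsed.query))
            ids, off, lim = sorted(self.detections), int(params.get("offset", 0)), int(params.get("limit", 100))
            return {"meta": {"pagination": {"offset": off, "limit": lim, "total": len(ids)}}, "resources": ids[off:off + lim]}
        if parsed.path == "/detects/entities/summaries/v1":
            return {"resources": [self.detections[i] for i in req["ids"] if i in self.detections]}
        if parsed.path == "/detects/entities/detects/v1" and method == "PATCH":
            for i in req["ids"]:
                self.detections[i]["status"] = req["status"]
            return {"resources": []}
        raise ValueError("unexpected request %s %s" % (method, parsed.path))

def triage_demo():  # full flow: 3 query pages, summaries, High detections marked in_progress, then a token refresh
    fake, clock = FakeFalcon(), [1_000_000.0]  # controllable clock so the expiry path runs without waiting
    client = DetectsClient("us-1", "client-id", "client-secret", transport=fake, clock=lambda: clock[0])
    ids = client.query_detection_ids(build_fql(status="new"), limit=2)
    high = [s["detection_id"] for s in client.get_summaries(ids) if s["max_severity_displayname"] == "High"]
    client.update_status(high, "in_progress")
    clock[0] += 1800  # beyond the 1799 s lifetime: the next call must fetch a fresh token
    statuses = {s["detection_id"]: s["status"] for s in client.get_summaries(ids)}
    return {"ids": ids, "query_calls": fake.query_calls, "token_calls": fake.token_calls, "statuses": statuses}
```

The transport is injected so the same client code runs against the fake in triage_demo() and against the real API with urllib_transport; the clock is injected so the token-refresh path can be exercised deterministically instead of waiting half an hour. With limit=2 the five constructed detections take three query calls, which is the pagination loop doing its job, and the second token fetch after the clock jump shows the refresh-before-expiry logic firing.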
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp