Back to Tech Center

How to Generate Your First Detection

February 1, 2022

Tech Center
CrowdStrike Tech Center

The greatest minds in cybersecurity are at Fal.Con in Las Vegas, Sept. 18-21.

Register now to build skills at hands-on workshops and learn from skilled threat hunters.


In this document and video, you’ll see how to generate your first detection.  You will also see how Falcon adds context to alerts, empowering the security admin to take appropriate corrective action.



Windows system with falcon sensor installed.

Generating a Test Alert

To generate an alert open cmd.exe clicking on the windows icon or hitting the windows button on your keyboard. Then type “cmd.”

CMD prompt detection command

In the Command Prompt window type

In the Command Prompt window, type the following commands:

“Sc query csagent”

You should see a that the Falcon Agent is installed and running

Next type:

“choice /m crowdstrike_sample_detection”

Type “Y”

The Falcon User Interface

In the Falcon UI a new alert appears in the Activity App. 

Choice detection 12-21

This alert is rated as “Low” and also has a Falcon icon associated with it.  This indicates that Falcon OverWatch has flagged this activity as suspicious.  Had this not been a test detection, it would have been accompanied by an email from the OverWatch team with additional detail.  

Click on the alert expands the detection for additional details

Choice Process Tree 12-21

This additional detail is important to determine if a seemingly routine command is associated with everyday activity or part of a larger, malicious attack.  Click on each node and watch the execution details pane on the right update to provide information on each executable in the process tree.


CrowdStrike Falcon® goes above and beyond to provide relevant information so that our customers have more information at their fingertips to quickly and effectively make important security decisions.  

More resources


Related Content