Alphabetical list of all CrowdStrike OAuth2 API operations
| Operation ID | Service Collection | Description |
|---|---|---|
| action_get_v1 | IOC | Get Actions by ids. |
| action_query_v1 | IOC | Query Actions. |
| ActionUpdateCount | Quarantine | Returns count of potentially affected quarantined files for each action. |
| addCIDGroupMembers | MSSP (Flight Control) | Add new CID group member. |
| addRole | MSSP (Flight Control) | Create a link between user group and CID group, with zero or more additional roles. The call does not replace any existing link between them. User group ID and CID group ID have to be specified in request. |
| addUserGroupMembers | MSSP (Flight Control) | Add new user group member. Maximum 500 members allowed per user group. |
| aggregate_events | Firewall Management | Aggregate events for customer |
| aggregate_external_assets | Exposure Management | Returns external assets aggregates. |
| aggregate_policy_rules | Firewall Management | Aggregate rules within a policy for customer |
| aggregate_query_scan_host_metadata | ODS | Get aggregates on ODS scan-hosts data. |
| aggregate_rule_groups | Firewall Management | Aggregate rule groups for customer |
| aggregate_rules | Firewall Management | Aggregate rules for customer |
| aggregate_scans | ODS | Get aggregates on ODS scan data. |
| aggregate_scheduled_scans | ODS | Get aggregates on ODS scheduled-scan data. |
| AggregateAlerts | Falcon Complete Dashboard | Retrieve aggregate alerts values based on the matched filter |
| AggregateAllowList | Falcon Complete Dashboard | Retrieve aggregate allowlist ticket values based on the matched filter |
| AggregateBlockList | Falcon Complete Dashboard | Retrieve aggregate blocklist ticket values based on the matched filter |
| AggregateCases | Message Center | Retrieve aggregate case values based on the matched filter |
| AggregateDetections | Falcon Complete Dashboard | Retrieve aggregate detection values based on the matched filter |
| AggregateDeviceCountCollection | Falcon Complete Dashboard | Retrieve aggregate host/devices count based on the matched filter |
| AggregateEscalations | Falcon Complete Dashboard | Retrieve aggregate escalation ticket values based on the matched filter |
| AggregateFCIncidents | Falcon Complete Dashboard | Retrieve aggregate incident values based on the matched filter |
| AggregateImageAssessmentHistory | Container Images | Image assessment history |
| AggregateImageCount | Container Images | Aggregate count of images |
| AggregateImageCountByBaseOS | Container Images | Aggregate count of images grouped by Base OS distribution |
| AggregateImageCountByState | Container Images | Aggregate count of images grouped by state |
| AggregateIntelligenceQueries | CAO Hunting | Aggregate intelligence queries. |
| AggregateNotificationsExposedDataRecordsV1 | Recon | Get notification exposed data record aggregates as specified via JSON in request body. The valid aggregation fields are: [cid notification_id created_date rule.id rule.name rule.topic source_category site author file.name credential_status bot.operating_system.hardware_id bot.bot_id] |
| AggregateNotificationsV1 | Recon | Get notification aggregates as specified via JSON in request body. |
| AggregatePreventionPolicy | Falcon Complete Dashboard | Retrieve prevention policies aggregate values based on the matched filter |
| AggregateRemediations | Falcon Complete Dashboard | Retrieve aggregate remediation ticket values based on the matched filter |
| AggregatesDetectionsGlobalCounts | Overwatch Dashboard | Get the total number of detections pushed across all customers |
| aggregates_rule_versions_post_v1 | Correlation Rules | Get rules aggregates as specified via json in the request body. |
| AggregateSensorUpdatePolicy | Falcon Complete Dashboard | Retrieve sensor update policies aggregate values |
| AggregateSupportIssues | Falcon Complete Dashboard | Retrieve support issue aggregate values |
| AggregatesEvents | Overwatch Dashboard | Get aggregate OverWatch detection event info by providing an aggregate query |
| AggregatesEventsCollections | Overwatch Dashboard | Get OverWatch detection event collection info by providing an aggregate query |
| AggregatesIncidentsGlobalCounts | Overwatch Dashboard | Get the total number of incidents pushed across all customers |
| AggregatesOWEventsGlobalCounts | Overwatch Dashboard | Get the total number of OverWatch events across all customers |
| AggregateTotalDeviceCounts | Falcon Complete Dashboard | Retrieve aggregate total host/devices based on the matched filter |
| aggregateUsersV1 | User Management | Get user aggregates as specified via json in request body. |
| api_preempt_proxy_post_graphql | Identity Protection | Identity Protection GraphQL API. Allows to retrieve entities, timeline activities, identity-based incidents and security assessment. Allows to perform actions on entities and identity-based incidents. |
| ArchiveDeleteV1 | Sample Uploads | Delete an archive that was uploaded previously |
| ArchiveGetV1 | Sample Uploads | Retrieves the archives upload operation statuses. Status done means that archive was processed successfully. Status error means that archive was not processed successfully. |
| ArchiveListV1 | Sample Uploads | Retrieves the archives files in chunks. |
| ArchiveUploadV1 | Sample Uploads | Uploads an archive and extracts files list from it. Operation is asynchronous use /archives/entities/archives/v1 to check the status. After uploading, use /archives/entities/extractions/v1 to copy the file to internal storage making it available for content analysis. This method is deprecated in favor of /archives/entities/archives/v2 |
| ArchiveUploadV2 | Sample Uploads | Uploads an archive and extracts files list from it. Operation is asynchronous use /archives/entities/archives/v1 to check the status. After uploading, use /archives/entities/extractions/v1 to copy the file to internal storage making it available for content analysis. |
| audit_events_query | Installation Tokens | Search for audit events by providing a FQL filter and paging details. |
| audit_events_read | Installation Tokens | Gets the details of one or more audit events by id. |
| AzureDownloadCertificate | CSPM Registration | Returns JSON object(s) that contain the base64 encoded certificate for a service principal. |
| AzureRefreshCertificate | CSPM Registration | Refresh certificate and returns JSON object(s) that contain the base64 encoded certificate for a service principal. |
| BatchActiveResponderCmd | Real Time Response | Batch executes a RTR active-responder command across the hosts mapped to the given batch ID. |
| BatchAdminCmd | Real Time Response Admin | Batch executes a RTR administrator command across the hosts mapped to the given batch ID. |
| BatchCmd | Real Time Response | Batch executes a RTR read-only command across the hosts mapped to the given batch ID. |
| BatchGetCmd | Real Time Response | Batch executes get command across hosts to retrieve files. After this call is made GET /real-time-response/combined/batch-get-command/v1 is used to query for the results. |
| BatchGetCmdStatus | Real Time Response | Retrieves the status of the specified batch get command. Will return successful files when they are finished processing. |
| BatchInitSessions | Real Time Response | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. |
| BatchRefreshSessions | Real Time Response | Batch refresh a RTR session on multiple hosts. RTR sessions will expire after 10 minutes unless refreshed. |
| blob_download_external_assets | Exposure Management | Download the entire contents of the blob. The relative link to this endpoint is returned in the get_external_assets request. |
| blob_preview_external_assets | Exposure Management | Download a preview of the blob. The relative link to this endpoint is returned in the get_external_assets request. |
| cancel_scans | ODS | Cancel ODS scans for the given scan ids. |
| CaseAddActivity | Message Center | Add an activity to case. Only activities of type comment are allowed via API |
| CaseAddAttachment | Message Center | Upload an attachment for the case. |
| CaseDownloadAttachment | Message Center | retrieves an attachment for the case, given the attachment id |
| cb_exclusions_create_v1 | Certificate Based Exclusions | Create new Certificate Based Exclusions. |
| cb_exclusions_delete_v1 | Certificate Based Exclusions | Delete the exclusions by id |
| cb_exclusions_get_v1) | Certificate Based Exclusions | Find all exclusion IDs matching the query with filter |
| cb_exclusions_update_v1 | Certificate Based Exclusions | Updates existing Certificate Based Exclusions |
| cb_exclusions_query_v1 | Certificate Based Exclusions | Search for cert-based exclusions. |
| certificates_get_v1 | Certificate Based Exclusions | Retrieves certificate signing information for a file |
| cloud_registration_aws_create_account | Cloud AWS Registration | Creates a new account in our system for a customer. |
| cloud_registration_aws_delete_account | Cloud AWS Registration | Deletes an existing AWS account or organization in our system. |
| cloud_registration_aws_get_accounts | Cloud AWS Registration | Retrieve existing AWS accounts by account IDs. |
| cloud_registration_aws_query_accounts | Cloud AWS Registration | Retrieve existing AWS accounts by account IDs. |
| cloud_registration_aws_update_account | Cloud AWS Registration | Patches a existing account in our system for a customer. |
| cloud_registration_azure_download_script | Cloud Azure Registration | Retrieve script to create resources |
| cloud_security_assets_combined_compliance_by_account | Cloud Security Assets | Gets combined compliance data aggregated by account and region. Results can be filtered and sorted. |
| cloud_security_assets_entities_get | Cloud Security Assets | Gets raw resources based on the provided IDs param. Maximum of 100 resources can be requested with this method. Use POST method with same path if more are required. |
| cloud_security_assets_queries | Cloud Security Assets | Gets a list of resource IDs for the given parameters, filters and sort criteria. |
| cloud_security_registration_oci_create_account | Cloud Security OCI Registration | Create OCI tenancy account in CSPM. |
| cloud_security_registration_oci_delete_account | Cloud Security OCI Registration | Delete an existing OCI tenancy in CSPM. |
| cloud_security_registration_oci_download_script | Cloud Security OCI Registration | Retrieve script to create resources in tenancy OCID. |
| cloud_security_registration_oci_get_account | Cloud Security OCI Registration | Retrieve a list of OCI tenancies with support for FQL filtering, sorting, and pagination. |
| cloud_security_registration_oci_rotate_key | Cloud Security OCI Registration | Refresh key for the OCI Tenancy. |
| cloud_security_registration_oci_update_account | Cloud Security OCI Registration | Update an existing OCI account. |
| cloud_security_registration_oci_validate_tenancy | Cloud Security OCI Registration | Validate the OCI account in CSPM for a provided CID. For internal clients only. |
| combined_applications | Discover | Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns details on applications which match the filter criteria. |
| CombinedBaseImages | Container Images | Retrieve base images identified by the provided filter criteria |
| CombinedDevicesByFilter | Hosts | Search for hosts in your environment by platform, hostname, IP, and other criteria. Returns full device records. |
| combined_ecosystem_subsidiaries | Exposure Management | Retrieves a list of ecosystem subsidiaries with their detailed information. |
| combined_edges_get | ThreatGraph | Retrieve edges for a given vertex id. One edge type must be specified |
| CombinedHiddenDevicesByFilter | Hosts | Search for hidden hosts in your environment by platform, hostname, IP, and other criteria. Returns full device records. |
| combined_hosts | Discover | Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns details on assets which match the filter criteria. |
| CombinedImageByVulnerabilityCount | Container Images | Retrieve top x images with the most vulnerabilities |
| CombinedImageDetail | Container Images | Retrieve image entities identified by the provided filter criteria |
| CombinedImageIssuesSummary | Container Images | Retrieve image issues summary such as Image detections, Runtime detections, Policies, vulnerabilities |
| CombinedImageVulnerabilitySummary | Container Images | aggregates information about vulnerabilities for an image |
| combinedQueryEvaluationLogic | Spotlight Evaluation Logic | Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic entities which match the filter criteria. |
| combinedQueryVulnerabilities | Spotlight Vulnerabilities | Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria |
| CombinedReleaseNotesV1 | Deployments | Queries for releases resources and returns details. |
| CombinedReleasesV1Mixin0 | Deployments | Queries for releases resources and returns details. |
| combined_ran_on_get | ThreatGraph | Look up instances of indicators such as hashes, domain names, and ip addresses that have been seen on devices in your environment. |
| combined_rules_get_v1 | Correlation Rules | Find all rules matching the query and filter. |
| combined_rules_get_v2 | Correlation Rules | Find all rules matching the query and filter. |
| combined_summary_get | ThreatGraph | Retrieve summary for a given vertex ID |
| combinedUserRolesV1 | User Management | Get User Grant(s). This endpoint lists both direct as well as flight control grants between a User and a Customer. |
| ConnectCSPMGCPAccount | CSPM Registration | Creates a new GCP account with newly-uploaded service account or connects with existing service account with only the following fields: parent_id, parent_type and service_account_id |
| ConnectD4CGCPAccount | D4C Registration | Creates a new GCP account with newly-uploaded service account or connects with existing service account with only the following fields: parent_id, parent_type and service_account_id |
| create_network_locations | Firewall Management | Create new network locations provided, and return the ID. |
| create_rule | Custom IOA | Create a rule within a rule group. Returns the rule. |
| create_rule_group | Firewall Management | Create new rule group on a platform for a customer with a name and description, and return the ID |
| create_rule_group_validation | Firewall Management | Validates the request of creating a new rule group on a platform for a customer with a name and description |
| create_rule_groupMixin0 | Custom IOA | Create a rule group for a platform with a name and an optional description. Returns the rule group. |
| create_scan | ODS | Create ODS scan and start or schedule scan for the given scan request. |
| CreateActionsV1 | Recon | Create actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule. |
| CreateAWSAccount | Kubernetes Protection | Creates a new AWS account in our system for a customer and generates the installation script |
| CreateAzureSubscription | Kubernetes Protection | Creates a new Azure Subscription in our system |
| CreateBaseImagesEntities | Container Images | Creates base images using the provided details |
| CreateCase | Message Center | create a new case |
| CreateCaseV2 | Message Center | create a new case |
| createCIDGroups | MSSP (Flight Control) | Create new CID groups. Name is a required field but description is an optional field. Maximum 500 CID groups allowed. |
| createContentUpdatePolicies | Content Update Policies | Create Content Update Policies by specifying details about the policy to create. |
| CreateCSPMAwsAccount | CSPM Registration | Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access. |
| CreateCSPMAzureAccount | CSPM Registration | Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access. |
| CreateCSPMGCPAccount | CSPM Registration | Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access. |
| CreateD4CAwsAccount | D4C Registration | Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access. |
| CreateD4CGCPAccount | D4C Registration | Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access. |
| CreateDeploymentEntity | Cloud Snapshots | Launch a snapshot scan for a given cloud asset. |
| createDeviceControlPolicies | Device Control Policies | Create Device Control Policies by specifying details about the policy to create |
| CreateDiscoverCloudAzureAccount | D4C Registration | Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access. |
| CreateExecutorNode | ASPM | Create a new relay node |
| CreateExportJobsV1 | Recon | Launch asynchronous export job. Use the job ID to poll the status of the job using GET /entities/exports/v1. |
| createFirewallPolicies | Firewall Policies | Create Firewall Policies by specifying details about the policy to create |
| createHostGroups | Host Group | Create Host Groups by specifying details about the group to create |
| CreateIntegration | ASPM | Create a new integration |
| CreateIntegrationTask | ASPM | Create new integration task. |
| createIOAExclusionsV1 | IOA Exclusions | Create the IOA exclusions |
| CreateMigrationV1 | Host Migration | Create a device migration job. |
| createMLExclusionsV1 | ML Exclusions | Create the ML exclusions |
| CreateOrUpdateAWSSettings | Cloud Connect AWS | Create or update Global Settings which are applicable to all provisioned AWS accounts |
| createPolicies | Filevantage | Creates a new policy of the specified type. New policies are always added at the end of the precedence list for the provided policy type. |
| CreatePolicies | Image Assessment Policies | Create Image Assessment policies |
| CreatePolicyGroups | Image Assessment Policies | Create Image Assessment Policy Group entities |
| createPreventionPolicies | Prevention Policy | Create Prevention Policies by specifying details about the policy to create |
| CreateRegistryEntities | Falcon Container | Create a registry entity using the provided details |
| createRTResponsePolicies | Response Policies | Create Response Policies by specifying details about the policy to create |
| createRuleGroups | Filevantage | Creates a new rule group of the specified type. |
| createRules | Filevantage | Creates a new rule configuration within the specified rule group. |
| CreateRulesV1 | Recon | Create monitoring rules. |
| CreateSavedSearchesDynamicExecuteAltV1 | Foundry Logscale | Execute a dynamic saved search |
| CreateSavedSearchesDynamicExecuteV1 | Foundry Logscale | Execute a dynamic saved search |
| CreateSavedSearchesExecuteAltV1 | Foundry Logscale | Execute a saved search |
| CreateSavedSearchesExecuteV1 | Foundry Logscale | Execute a saved search |
| CreateSavedSearchesIngestAltV1 | Foundry Logscale | Populate a saved search |
| CreateSavedSearchesIngestV1 | Foundry Logscale | Populate a saved search |
| createScheduledExclusions | Filevantage | Creates a new scheduled exclusion configuration for the provided policy id. |
| createSensorUpdatePolicies | Sensor Update Policy | Create Sensor Update Policies by specifying details about the policy to create |
| createSensorUpdatePoliciesV2 | Sensor Update Policy | Create Sensor Update Policies by specifying details about the policy to create with additional support for uninstall protection |
| createSVExclusionsV1 | Sensor Visibility Exclusions | Create the sensor visibility exclusions |
| CreateUser | User Management | Deprecated : Please use POST /user-management/entities/users/v1. Create a new user. After creating a user, assign one or more roles with POST /user-roles/entities/user-roles/v1 |
| createUserGroups | MSSP (Flight Control) | Create new user groups. Name is a required field but description is an optional field. Maximum 500 user groups allowed per customer. |
| createUserV1 | User Management | Create a new user. After creating a user, assign one or more roles with POST '/user-management/entities/user-role-actions/v1' |
| CrowdScore | Incidents | Query environment wide CrowdScore and return the entity data |
| customer_settings_read | Installation Tokens | Check current installation token settings. |
| customer_settings_update | Installation Tokens Settings | Update installation token settings. |
| delete_external_assets | Exposure Management | Delete multiple external assets. |
| delete_network_locations | Firewall Management | Delete network location entities by ID. |
| delete_policy_rules | Identity Protection | Delete policy rules. |
| delete_rule_groups | Firewall Management | Delete rule group entities by ID |
| delete_rule_groupsMixin0 | Custom IOA | Delete rule groups by ID. |
| delete_rules | Custom IOA | Delete rules from a rule group by ID. |
| delete_scheduled_scans | ODS | Delete ODS scheduled-scans for the given scheduled-scan ids. |
| DeleteActionV1 | Recon | Delete an action from a monitoring rule based on the action ID. |
| DeleteAWSAccounts | Cloud Connect AWS | Delete a set of AWS Accounts by specifying their IDs |
| DeleteAWSAccountsMixin0 | Kubernetes Protection | Delete AWS accounts. |
| DeleteAzureSubscription | Kubernetes Protection | Deletes a new Azure Subscription in our system |
| DeleteBaseImages | Container Images | Deletes base images by base image UUID |
| deleteCIDGroupMembers | MSSP (Flight Control) | Deprecated : Please use DELETE /entities/cid-group-members/v2. Delete CID group members. |
| deleteCIDGroupMembersV2 | MSSP (Flight Control) | Delete CID group members. Prevents removal of a cid group a cid group if it is only part of one cid group. |
| deleteContentUpdatePolicies | Content Update Policies | Delete a set of Content Update Policies by specifying their IDs. |
| deleteCIDGroups | MSSP (Flight Control) | Delete CID groups by ID. |
| DeleteCSPMAwsAccount | CSPM Registration | Deletes an existing AWS account or organization in our system. |
| DeleteCSPMAzureAccount | CSPM Registration | Deletes an Azure subscription from the system. |
| DeleteD4CAwsAccount | D4C Registration | Deletes an existing AWS account or organization in our system. |
| DeleteCSPMAzureManagementGroup | CSPM Registration | Deletes Azure management groups from the system. |
| DeleteCSPMGCPAccount | CSPM Registration | Deletes a GCP account from the system. |
| DeleteD4CGCPAccount | D4C Registration | Deletes a GCP account from the system. |
| deleteDeviceControlPolicies | Device Control Policies | Delete a set of Device Control Policies by specifying their IDs |
| deletedRoles | MSSP (Flight Control) | Delete links or additional roles between user groups and CID groups. User group ID and CID group ID have to be specified in request. Only specified roles are removed if specified in request payload, else association between User Group and CID group is dissolved completely (if no roles specified). |
| DeleteExportJobsV1 | Recon | Delete export jobs (and their associated file(s)) based on their IDs. |
| DeleteExecutorNode | ASPM | Delete a relay node |
| DeleteFile | Quick Scan Pro | Deletes file by its sha256 identifier. |
| deleteFirewallPolicies | Firewall Policies | Delete a set of Firewall Policies by specifying their IDs |
| deleteHostGroups | Host Group | Delete a set of Host Groups by specifying their IDs |
| DeleteIntegration | ASPM | Delete an existing integration by its ID |
| DeleteIntegrationTask | ASPM | Delete an existing integration task by its ID |
| deleteIOAExclusionsV1 | IOA Exclusions | Delete the IOA exclusions by id |
| deleteMLExclusionsV1 | ML Exclusions | Delete the ML exclusions by id |
| DeleteNotificationsV1 | Recon | Delete notifications based on IDs. Notifications cannot be recovered after they are deleted. |
| DeleteObject | Custom Storage | Delete the specified object |
| DeleteVersionedObject | Custom Storage | Delete the specified versioned object. |
| deletePolicies | Filevantage | Deletes 1 or more policies. |
| DeletePolicy | Image Assessment Policies | Delete Image Assessment Policy by policy UUID |
| DeletePolicyGroup | Image Assessment Policies | Delete Image Assessment Policy Group entities |
| deletePreventionPolicies | Prevention Policy | Delete a set of Prevention Policies by specifying their IDs |
| DeleteRegistryEntities | Falcon Container | Delete the registry entity identified by the entity UUID |
| DeleteReport | Falcon Intelligence Sandbox | Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint. |
| deleteRTResponsePolicies | Response Policies | Delete a set of Response Policies by specifying their IDs |
| deleteRuleGroups | Filevantage | Deletes 1 or more rule groups |
| deleteRules | Filevantage | Deletes 1 or more rules from the specified rule group. |
| DeleteRulesV1 | Recon | Delete monitoring rules. |
| DeleteSampleV2 | Falcon Intelligence Sandbox | Removes a sample, including file, meta and submissions from the collection |
| DeleteSampleV3 | Sample Uploads | Removes a sample, including file, meta and submissions from the collection |
| DeleteScanResult | Quick Scan Pro | Deletes the result of an QuickScan Pro scan. |
| deleteScheduledExclusions | Filevantage | Deletes 1 or more scheduled exclusions from the provided policy id. |
| deleteSensorUpdatePolicies | Sensor Update Policy | Delete a set of Sensor Update Policies by specifying their IDs |
| deleteSensorVisibilityExclusionsV1 | Sensor Visibility Exclusions | Delete the sensor visibility exclusions by id |
| DeleteTags | ASPM | Remove existing tags |
| DeleteUser | User Management | Deprecated : Please use DELETE /user-management/entities/users/v1. Delete a user permanently |
| deleteUserGroupMembers | MSSP (Flight Control) | Delete user group members entry. |
| deleteUserGroups | MSSP (Flight Control) | Delete user groups by ID. |
| deleteUserV1 | User Management | Delete a user permanently. |
| DescribeCollection | Custom Storage | Fetch metadata about an existing collection. |
| DescribeCollections | Custom Storage | Fetch metadata about one or more existing collections. |
| DevicesCount | IOCs | Number of hosts in your customer account that have observed a given custom IOC |
| DevicesRanOn | IOCs | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1 |
| DiscoverCloudAzureDownloadCertificate | D4C Registration | Returns JSON object(s) that contain the base64 encoded certificate for a service principal. |
| DownloadExportFile | Falcon Container | Download an export file. |
| DownloadFeedArchive | Intelligence Feeds | Downloads feed file contents as a zip archive. |
| DownloadFile | Downloads | Retrieve a pre-signed URL for the requested file. |
| DownloadSensorInstallerById | Sensor Download | Download sensor installer by SHA256 ID |
| DownloadSensorInstallerByIdV2 | Sensor Download | Download sensor installer by SHA256 ID |
| entities_latest_rules_get_v1 | Correlation Rules | Retrieve latest rule versions by rule IDs. |
| entities_perform_action | Hosts | Performs the specified action on the provided group IDs. |
| entities_processes | IOCs | For the provided ProcessID retrieve the process details |
| entities_rule_versions_delete_v1 | Correlation Rules | Delete versions by IDs. |
| entities_rule_versions_export_post_v1 | Correlation Rules | Export rule versions. |
| entities_rule_versions_import_post_v1 | Correlation Rules | Import rule versions. |
| entities_rule_versions_publish_patch_v1 | Correlation Rules | Publish existing rule version. |
| entities_rules_delete_v1 | Correlation Rules | Delete rules by IDs. |
| entities_rules_get_v1 | Correlation Rules | Retrieve rules by IDs. |
| entities_rules_get_v2 | Correlation Rules | Retrieve rule versions by IDs. |
| entities_rules_patch_v1 | Correlation Rules | Update a correlation rule. |
| entities_rules_post_v1 | Correlation Rules | Create a correlation rule. |
| entities_states_v1 | Device Content | Retrieve the host content state for a number of ids between 1 and 100. |
| entities_vertices_get | ThreatGraph | Retrieve metadata for a given vertex ID |
| entities_vertices_getv2 | ThreatGraph | Retrieve metadata for a given vertex ID |
| entitiesRolesV1 | User Management | Get info about a role |
| EnumerateFile | Downloads | Enumerate a list of files available for CID. |
| ExecuteCommand | API Integrations | Execute a command. |
| ExecuteCommandProxy | API Integrations | Execute a command and proxy the response directly. |
| ExecuteFunctionData | ASPM | A selected list of queryLanguage queries. |
| ExecuteFunctions | ASPM | A selected list of queryLanguage services queries. |
| ExecuteFunctionsCount | ASPM | A selected list of queryLanguage count queries. |
| ExecuteFunctionDataCount | ASPM | A selected list of queryLanguage count queries. |
| ExecuteFunctionDataQuery | ASPM | A selected list of queryLanguage queries. |
| ExecuteFunctionDataQueryCount | ASPM | A selected list of queryLanguage count queries. |
| ExecuteFunctionsOvertime | ASPM | A selected list of queryLanguage overtime queries. |
| ExecuteFunctionsQuery | ASPM | A selected list of queryLanguage services queries. |
| ExecuteFunctionsQueryCount | ASPM | A selected list of queryLanguage count queries. |
| ExecuteFunctionsQueryOvertime | ASPM | A selected list of queryLanguage overtime queries. |
| ExecuteQuery | ASPM | Execute a query. The syntax used is identical to that of the query page. |
| extAggregateClusterAssessments | Container Image Compliance | Get the assessments for each cluster. |
| extAggregateFailedContainersByRulesPath | Container Image Compliance | Get the containers grouped into rules on which they failed. |
| extAggregateFailedContainersCountBySeverity | Container Image Compliance | Get the failed containers count grouped into severity levels. |
| extAggregateFailedImagesByRulesPath | Container Image Compliance | Get the images grouped into rules on which they failed. |
| extAggregateFailedImagesCountBySeverity | Container Image Compliance | Get the failed images count grouped into severity levels. |
| extAggregateFailedRulesByClusters | Container Image Compliance | Get the failed rules for each cluster grouped into severity levels. |
| extAggregateFailedRulesByImages | Container Image Compliance | Get images with failed rules, rule count grouped by severity for each image. |
| extAggregateFailedRulesCountBySeverity | Container Image Compliance | Get the failed rules count grouped into severity levels. |
| extAggregateRulesByStatus | Container Image Compliance | Get the rules grouped by their statuses. |
| extAggregateImageAssessments | Container Image Compliance | Get the assessments for each image. |
| extAggregateRulesAssessments | Container Image Compliance | Get the assessments for each rule. |
| ExtractionCreateV1 | Sample Uploads | Extracts files from an uploaded archive and copies them to internal storage making it available for content analysis. |
| ExtractionGetV1 | Sample Uploads | Retrieves the files extraction operation statuses. Status done means that all files were processed successfully. Status error means that at least one of the file could not be processed. |
| ExtractionListV1 | Sample Uploads | Retrieves the files extractions in chunks. Status done means that all files were processed successfully. Status error means that at least one of the file could not be processed. |
| fdrschema_combined_event_get | Event Schema | Fetch combined schema |
| fdrschema_entities_event_get | Event Schema | Fetch event schema by ID |
| fdrschema_entities_field_get | Field Schema | Fetch field schema by ID |
| fdrschema_queries_event_get | Event Schema | Get list of event IDs given a particular query. |
| fdrschema_queries_field_get | Field Schema | Get list of field IDs given a particular query. |
| FindContainersByContainerRunTimeVersion | Kubernetes Protection | Retrieve containers by container_runtime_version |
| FindContainersCountAffectedByZeroDayVulnerabilities | Kubernetes Protection | Retrieve containers count affected by zero day vulnerabilities |
| get_accounts | Discover | Get details on accounts by providing one or more IDs. |
| get_applications | Discover | Get details on applications by providing one or more IDs. |
| get_data_scanner_tasks | DataScanner | Retrieve pending tasks. |
| get_ecosystem_subsidiaries | Exposure Management | Retrieves detailed information about ecosystem subsidiaries by ID. |
| get_events | Firewall Management | Get events entities by ID and optionally version |
| get_firewall_fields | Firewall Management | Get the firewall field specifications by ID |
| get_hosts | Discover | Get details on assets by providing one or more IDs. |
| get_image_registry_credentials | DataScanner | Retrieves image registry credentials. |
| get_iot_hosts | Discover | Get details on IoT assets by providing one or more IDs. |
| get_logins | Discover | Get details on logins by providing one or more IDs. |
| get_malicious_files_by_ids | ODS | Get malicious files by ids. |
| get_network_locations | Firewall Management | Get a summary of network locations entities by ID |
| get_network_locations_details | Firewall Management | Get network locations entities by ID |
| get_patterns | Custom IOA | Get pattern severities by ID. |
| get_platforms | Firewall Management | Get platforms by ID, e.g., windows or mac or droid |
| get_platformsMixin0 | Custom IOA | Get platforms by ID. |
| get_policy_containers | Firewall Management | Get policy container entities by policy ID |
| get_policy_rules | Identity Protection | Get policy rules. |
| get_policy_rules_query | Identity Protection | Query policy rule IDs. |
| get_rule_groups | Firewall Management | Get rule group entities by ID. These groups do not contain their rule entites, just the rule IDs in precedence order. |
| get_rule_groupsMixin0 | Custom IOA | Get rule groups by ID. |
| get_rule_types | Custom IOA | Get rule types by ID. |
| get_rules | Firewall Management | Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string) |
| get_rules_get | Custom IOA | Get rules by ID and optionally with cid and/or version in the following format: [cid:]ID[:version]. |
| get_rulesMixin0 | Custom IOA | Get rules by ID and optionally with cid and/or version in the following format: [cid:]ID[:version]. The max number of IDs is constrained by URL size. |
| get_scan_host_metadata_by_ids | ODS | Get scan hosts by ids. |
| get_scans_by_scan_ids | ODS | Get Scans by IDs. |
| get_scans_by_scan_ids_v2 | ODS | Get Scans by IDs. |
| get_scheduled_scans_by_scan_ids | ODS | Get ScheduledScans by IDs. |
| GetActionsV1 | Recon | Get actions based on their IDs. IDs can be retrieved using the GET /queries/actions/v1 endpoint. |
| getActionsMixin0 | FileVantage | Retrieve the processing results for one or more actions. |
| GetAggregateDetects | Detects | Get detect aggregates as specified via json in request body. |
| GetAggregateFiles | Quarantine | Get quarantine file aggregates as specified via json in request body. |
| GetArchiveExport | CAO Hunting | Creates an Archive Export. |
| GetArtifacts | Falcon Intelligence Sandbox | Download IOC packs, PCAP files, memory dumps, and other analysis artifacts. |
| getAssessmentsByScoreV1 | Zero Trust Assessment | Get Zero Trust Assessment data for one or more hosts by providing a customer ID (CID) and a range of scores. |
| getAssessmentV1 | Zero Trust Assessment | Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID) and a customer ID (CID). |
| getAuditV1 | Zero Trust Assessment | Get the Zero Trust Assessment audit report for one customer ID (CID). |
| GetAvailableRoleIds | User Management | Deprecated : Please use GET /user-management/queries/roles/v1. Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /customer/entities/roles/v1. |
| GetAWSAccounts | Cloud Connect AWS | Retrieve a set of AWS Accounts by specifying their IDs |
| GetAWSAccountsMixin0 | Kubernetes Protection | Provides a list of AWS accounts. |
| GetAWSSettings | Cloud Connect AWS | Retrieve a set of Global Settings which are applicable to all provisioned AWS accounts |
| GetAzureInstallScript | Kubernetes Protection | Provides the script to run for a given tenant id and subscription IDs |
| GetAzureTenantConfig | Kubernetes Protection | Gets the Azure tenant Config |
| GetAzureTenantIDs | Kubernetes Protection | Provides all the azure subscriptions and tenants |
| GetBehaviorDetections | CSPM Registration | Get list of detected behaviors |
| GetBehaviors | Incidents | Get details on behaviors by providing behavior IDs |
| GetCaseActivityByIds | Message Center | Retrieve activities for given id's |
| GetCaseEntitiesByIDs | Message Center | Retrieve message center cases |
| getChanges | Filevantage | Retrieve information on changes |
| getChildren | MSSP (Flight Control) | Get link to child customer by child CID(s) |
| getChildrenV2 | MSSP (Flight Control) | Get link to child customer by child CID(s) |
| getCIDGroupById | MSSP (Flight Control) | Deprecated : Please use GET /mssp/entities/cid-groups/v2. Get CID groups by ID. |
| getCIDGroupByIdV2 | MSSP (Flight Control) | Get CID Groups by ID. |
| getCIDGroupMembersBy | MSSP (Flight Control) | Deprecated : Please use GET /mssp/entities/cid-group-members/v2. Get CID group members by CID group ID. |
| getCIDGroupMembersByV2 | MSSP (Flight Control) | Get CID group members by CID Group ID. |
| GetCloudSecurityIntegrationState | ASPM | Get Cloud Security integration state. |
| GetClusters | Kubernetes Protection | Provides the clusters acknowledged by the Kubernetes Protection service |
| getCombinedAssessmentsQuery | Configuration Assessment | Search for assessments in your environment by providing a FQL filter and paging details. Returns a set of HostFinding entities which match the filter criteria |
| GetCombinedCloudClusters | Kubernetes Protection | Returns a combined list of provisioned cloud accounts and known kubernetes clusters |
| GetCombinedImages | Container Images | Get image assessment results by providing a FQL filter and paging details |
| GetCombinedPluginConfigs | API Integrations | Queries for config resources and returns details |
| GetCombinedSensorInstallersByQuery | Sensor Download | Get sensor installer details by provided query |
| GetCombinedSensorInstallersByQueryV2 | Sensor Download | Get sensor installer details by provided query |
| GetCombinedVulnerabilitiesSARIF | Serverless Vulnerabilities | Retrieve all lambda vulnerabilities that match the given query and return in the SARIF format. |
| GetConfigurationDetectionEntities | CSPM Registration | Get misconfigurations based on the ID - including custom policy detections in addition to default policy detections. |
| GetConfigurationDetectionIDsV2 | CSPM Registration | Get list of active misconfiguration ids - including custom policy detections in addition to default policy detections. |
| GetConfigurationDetections | CSPM Registration | Get list of active misconfigurations |
| getContents | FileVantage | Retrieves the content captured for the provided change ID. |
| getContentUpdatePolicies | Content Update Policies | Retrieve a set of Content Update Policies by specifying their IDs. |
| GetCredentials | Falcon Container | Gets the registry credentials |
| GetCredentialsIAC | Cloud Snapshots | Retrieve the registry credentials (external endpoint). |
| GetCredentialsMixin0 | Provision | Gets the registry credentials |
| GetCSPMAwsAccount | CSPM Registration | Returns information about the current status of an AWS account. |
| GetCSPMAwsAccountScriptsAttachment | CSPM Registration | Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment. |
| GetCSPMAwsConsoleSetupURLs | CSPM Registration | Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment. |
| GetCSPMAzureAccount | CSPM Registration | Return information about Azure account registration |
| GetCSPMAzureManagementGroup | CSPM Registration | Return information about Azure management group registration |
| CreateCSPMAzureManagementGroup | CSPM Registration | Creates a new management group in our system for a customer. |
| GetCSPMAzureUserScriptsAttachment | CSPM Registration | Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment |
| GetCSPMCGPAccount | CSPM Registration | Returns information about the current status of an GCP account. |
| GetCSPMGCPServiceAccountsExt | CSPM Registration | Returns the service account id and client email for external clients. |
| GetCSPMGCPValidateAccountsExt | CSPM Registration | Run a synchronous health check. |
| GetCSPMGCPUserScriptsAttachment | CSPM Registration | Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment |
| GetCSPMPoliciesDetails | CSPM Registration | Given an array of policy IDs, returns detailed policies information. |
| GetCSPMPolicy | CSPM Registration | Given a policy ID, returns detailed policy information. |
| GetCSPMPolicySettings | CSPM Registration | Returns information about current policy settings. |
| GetCSPMScanSchedule | CSPM Registration | Returns scan schedule configuration for one or more cloud platforms. |
| GetD4CAwsAccount | D4C Registration | Returns information about the current status of an AWS account. |
| GetD4CAWSAccountScriptsAttachment | D4C Registration | Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment. |
| GetD4CAwsConsoleSetupURLs | D4C Registration | Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment. |
| GetD4CCGPAccount | D4C Registration | Returns information about the current status of an GCP account. |
| GetD4CGCPUserScripts | D4C Registration | Return a script for customer to run in their cloud environment to grant us access to their GCP environment |
| GetD4CGCPServiceAccountsExt | D4C Registration | Returns the service account id and client email for external clients. |
| GetD4CGCPUserScriptsAttachment | D4C Registration | Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment |
| getDefaultDeviceControlPolicies | Device Control Policies | Retrieve the configuration for a Default Device Control Policy |
| getDefaultDeviceControlSettings | Device Control Policies | Get default device control settings (USB and Bluetooth). |
| GetDeliverySettings | Delivery Settings | Get Delivery Settings. |
| GetDeploymentsExternalV1 | Deployments | Get deployment resources by IDs. |
| GetDetectSummaries | Detects | View information about detections |
| getDeviceControlPolicies | Device Control Policies | Retrieve a set of Device Control Policies by specifying their IDs |
| getDeviceControlPoliciesV2 | Device Control Policies | Get device control policies for the given filter criteria. Supports USB and Bluetooth. |
| GetDeviceCountCollectionQueriesByFilter | Falcon Complete Dashboard | Retrieve device count collection Ids that match the provided FQL filter, criteria with scrolling enabled |
| GetDeviceDetailsV2 | Hosts | Get details on one or more hosts by providing host IDs as a query parameter. Supports up to a maximum 100 IDs. |
| GetDiscoverCloudAzureAccount | D4C Registration | Return information about Azure account registration |
| GetDiscoverCloudAzureTenantIDs | D4C Registration | Return available tenant ids for discover for cloud |
| GetDiscoverCloudAzureUserScripts | D4C Registration | Return a script for customer to run in their cloud environment to grant us access to their Azure environment |
| GetDiscoverCloudAzureUserScriptsAttachment | D4C Registration | Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment |
| GetDriftIndicatorsValuesByDate | Drift Indicators | Returns the count of Drift Indicators by the date. by default it's for 7 days. |
| GetEntityIDsByQueryPOST | Deployments | returns the release notes for the IDs in the request. |
| GetExecutorNodes | ASPM | Get all the relay nodes |
| getEvaluationLogic | Spotlight Evaluation Logic | Get details on evaluation logic items by providing one or more IDs. |
| getEvaluationLogicMixin0 | Configuration Assessment Evaluation Logic | Get details on evaluation logic items by providing one or more finding IDs. |
| GetEventsBody | Tailored Intelligence | Get event body for the provided event ID |
| GetEventsEntities | Tailored Intelligence | Get events entities for specified ids. |
| GetExecutorNodesMetadata | ASPM | Get metadata about all executor nodes. |
| GetExportJobsV1 | Recon | Get the status of export jobs based on their IDs. Export jobs can be launched by calling POST /entities/exports/v1. When a job is complete, use the job ID to download the file(s) associated with it using GET entities/export-files/v1. |
| get_external_assets | Exposure Management | Get details on external assets by providing one or more IDs. |
| GetFileContentForExportJobsV1 | Recon | Download the file associated with a job ID. |
| getFirewallPolicies | Firewall Policies | Retrieve a set of Firewall Policies by specifying their IDs |
| GetHelmValuesYaml | Kubernetes Protection | Provides a sample Helm values.yaml file for a customer to install alongside the agent Helm chart |
| GetHorizonD4CScripts | D4C Registration | Returns static install scripts for Horizon. |
| getHostGroups | Host Group | Retrieve a set of Host Groups by specifying their IDs |
| GetHostMigrationIDsV1 | Host Migration | Query host migration IDs. |
| GetHostMigrationsV1 | Host Migration | Get host migration details. |
| GetIncidents | Incidents | Get details on incidents by providing incident IDs |
| GetIndicatorsReport | IOC | Launch an indicators report creation job |
| GetIntegrations | ASPM | Get a list of all the integrations |
| GetIntegrationsV2 | ASPM | Get a list of all the integrations. |
| GetIntegrationTasks | ASPM | Get all the integration tasks |
| GetIntegrationTasksV2 | ASPM | Get all the integration tasks. |
| GetIntegrationTasksMetadata | ASPM | Get metadata about all integration tasks. |
| GetIntegrationTypes | ASPM | Get all the integration types |
| GetIntelActorEntities | Intel | Retrieve specific actors using their actor IDs. |
| GetIntelIndicatorEntities | Intel | Retrieve specific indicators using their indicator IDs. |
| GetIntelligenceQueries | CAO Hunting | Retrieves a list of Intelligence queries. |
| GetIntelReportEntities | Intel | Retrieve specific reports using their report IDs. |
| GetIntelReportPDF | Intel | Return a Report PDF attachment |
| GetIntelRuleEntities | Intel | Retrieve details for rule sets for the specified ids. |
| GetIntelRuleFile | Intel | Download earlier rule sets. |
| getIOAExclusionsV1 | IOA Exclusions | Get a set of IOA Exclusions by specifying their IDs |
| GetLatestIntelRuleFile | Intel | Download the latest rule set. |
| GetLocations | Kubernetes Protection | Provides the cloud locations acknowledged by the Kubernetes Protection service |
| GetLookupV1 | NGSIEM | Download lookup file from NGSIEM. |
| GetLookupFromPackageWithNamespaceV1 | NGSIEM | Download lookup file in namespaced package from NGSIEM. |
| GetLookupFromPackageV1 | NGSIEM | Download lookup file in package from NGSIEM. |
| GetMalQueryDownloadV1 | MalQuery | Download a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time |
| GetMalQueryEntitiesSamplesFetchV1 | MalQuery | Fetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing |
| GetMalQueryMetadataV1 | MalQuery | Retrieve indexed files metadata by their hash |
| GetMalQueryQuotasV1 | MalQuery | Get information about search and download quotas in your environment |
| GetMalQueryRequestV1 | MalQuery | Check the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time. |
| GetMalwareEntities | Intel | Get malware entities for specified IDs. |
| GetMalwareMitreReport | Intel | Export Mitre ATT&CK information for a given malware family. |
| GetMemoryDump | Falcon Intelligence Sandbox | Get memory dump content, as binary |
| GetMemoryDumpExtractedStrings | Falcon Intelligence Sandbox | Get extracted strings from a memory dump |
| GetMemoryDumpHexDump | Falcon Intelligence Sandbox | Get hex view of a memory dump |
| GetMigrationDestinationsV1 | Host Migration | Get destinations for a migration. |
| GetMigrationIDsV1 | Host Migration | Query migration jobs. |
| GetMigrationsV1 | Host Migration | Get migration job details. |
| GetMitreReport | Intel | Export Mitre ATT&CK information for a given actor. |
| getMLExclusionsV1 | ML Exclusions | Get a set of ML Exclusions by specifying their IDs |
| GetNotificationsDetailedTranslatedV1 | Recon | Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.This endpoint will return translated notification content. The only target language available is English. A single notification can be translated per request |
| GetNotificationsDetailedV1 | Recon | Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match. |
| GetNotificationsExposedDataRecordsV1 | Recon | Get notifications exposed data records based on their IDs. IDs can be retrieved using the GET /queries/notifications-exposed-data-records/v1 endpoint. The associate notification can be fetched using the /entities/notifications/v* endpoints |
| GetNotificationsTranslatedV1 | Recon | Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. This endpoint will return translated notification content. The only target language available is English. |
| GetNotificationsV1 | Recon | Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. |
| GetObject | Custom Storage | Get the bytes for the specified object |
| GetObjectMetadata | Custom Storage | Get the metadata for the specified object |
| GetSchema | Custom Storage | Get the bytes of the specified schema of the requested collection. |
| GetSchemaMetadata | Custom Storage | Get the metadata for the specified schema of the requested collection. |
| GetVersionedObject | Custom Storage | Get the bytes for the specified object. |
| GetVersionedObjectMetadata | Custom Storage | Get the metadata for the specified object. |
| GetOnlineState_V1 | Hosts | Get the online status for one or more hosts by specifying each host’s unique ID. Successful requests return an HTTP 200 response and the status for each host identified by a state of online, offline, or unknown for each host, identified by host id.Make a GET request to /devices/queries/devices/v1 to get a list of host IDs. |
| getPolicies | Filevantage | Retrieves the configuration for 1 or more policies. |
| getPreventionPolicies | Prevention Policy | Retrieve a set of Prevention Policies by specifying their IDs |
| GetQuarantineFiles | Quarantine | Get quarantine file metadata for specified ids. |
| GetQueriesAlertsV1 | Alerts | retrieves all Alerts ids that match a given query |
| GetQueriesAlertsV2 | Alerts | retrieves all Alerts ids that match a given query |
| getRemediationsV2 | Spotlight Vulnerabilities | Get details on remediation by providing one or more IDs |
| GetReports | Falcon Intelligence Sandbox | Get a full sandbox report. |
| GetRoles | User Management | Deprecated : Please use GET /user-management/entities/roles/v1. Get info about a role |
| getRolesByID | MSSP (Flight Control) | Get link between user group and CID group by ID. Link ID is a string consisting of multiple components, but should be treated as opaque. |
| GetRuntimeDetectionsCombinedV2 | Container Detections | Retrieve image assessment detections identified by the provided filter criteria. |
| getRTResponsePolicies | Response Policies | Retrieve a set of Response Policies by specifying their IDs |
| getRuleDetails | Configuration Assessment | Get rules details for provided one or more rule IDs |
| getRuleGroups | Filevantage | Retrieves the rule group details for 1 or more rule groups. |
| getRules | Filevantage | Retrieves the configuration for 1 or more rules. |
| GetRulesEntities | Tailored Intelligence | Get rules entities for specified ids. |
| GetRulesV1 | Recon | Get monitoring rules based on their IDs. IDs can be retrieved using the GET /queries/rules/v1 endpoint. |
| GetSampleV2 | Falcon Intelligence Sandbox | Retrieves the file associated with the given ID (SHA256) |
| GetSampleV3 | Sample Uploads | Retrieves the file associated with the given ID (SHA256) |
| GetSavedSearchesExecuteAltV1 | Foundry Logscale | Get the results of a saved search |
| GetSavedSearchesExecuteV1 | Foundry Logscale | Get the results of a saved search |
| GetSavedSearchesJobResultsDownloadAltV1 | Foundry Logscale | Get the results of a saved search as a file |
| GetSavedSearchesJobResultsDownloadV1 | Foundry Logscale | Get the results of a saved search as a file |
| GetScanResult | Quick Scan Pro | Gets the result of an QuickScan Pro scan. |
| GetScans | Quick Scan | Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute |
| GetScansAggregates | Quick Scan | Get scans aggregations as specified via json in request body. |
| GetScanReport | Cloud Snapshots | Retrieve the scan report for an instance. |
| GetSearchStatusV1 | NGSIEM | Get status of a NGSIEM search. |
| getScheduledExclusions | Filevantage | Retrieves the configuration of 1 or more scheduled exclusions from the provided policy id. |
| GetSensorAggregates | Identity Entities | Get sensor aggregates as specified via json in request body. |
| GetSensorDetails | Identity Entities | Get details on one or more sensors by providing device IDs in a POST body. Supports up to a maximum of 5000 IDs. |
| GetSensorInstallersByQuery | Sensor Download | Get sensor installer IDs by provided query |
| GetSensorInstallersByQueryV2 | Sensor Download | Get sensor installer IDs by provided query |
| GetSensorInstallersCCIDByQuery | Sensor Download | Get CCID to use with sensor installers |
| GetSensorInstallersEntities | Sensor Download | Get sensor installer details by provided SHA256 IDs |
| GetSensorInstallersEntitiesV2 | Sensor Download | Get sensor installer details by provided SHA256 IDs |
| getSensorUpdatePolicies | Sensor Update Policy | Retrieve a set of Sensor Update Policies by specifying their IDs |
| getSensorUpdatePoliciesV2 | Sensor Update Policy | Retrieve a set of Sensor Update Policies with additional support for uninstall protection by specifying their IDs |
| GetSensorUsageWeekly | Sensor Usage | Fetches weekly average. Each data point represents the average of how many unique AIDs were seen per week for the previous 28 days. |
| getSensorVisibilityExclusionsV1 | Sensor Visibility Exclusions | Get a set of Sensor Visibility Exclusions by specifying their IDs |
| getServiceArtifacts | ASPM | Retrieve service artifacts. |
| GetServicesCount | ASPM | Get the total amount of existing services |
| GetServiceViolationTypes | ASPM | Get the different types of violation |
| GetStaticScripts | Kubernetes Protection | Gets static bash scripts that are used during registration |
| GetSubmissions | Falcon Intelligence Sandbox | Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. |
| GetSummaryReports | Falcon Intelligence Sandbox | Get a short summary version of a sandbox report. |
| GetTags | ASPM | Get all tags |
| getUserGroupMembersByID | MSSP (Flight Control) | Deprecated : Please use GET /mssp/entities/user-group-members/v2. Get user group members by user group ID. |
| getUserGroupMembersByIDV2 | MSSP (Flight Control) | Get user group members by user group ID. |
| getUserGroupsByID | MSSP (Flight Control) | Deprecated : Please use GET /entities/user-groups/v2. Get user groups by ID. |
| getUserGroupsByIDV2 | MSSP (Flight Control) | Get user groups by ID. |
| GetUserRoleIds | User Management | Deprecated : Please use GET /user-management/combined/user-roles/v1. Show role IDs of roles assigned to a user. For more information on each role, provide the role ID to /customer/entities/roles/v1. |
| GetVulnerabilities | Intel | Get vulnerabilities |
| getVulnerabilities | Spotlight Vulnerabilities | Get details on vulnerabilities by providing one or more IDs |
| GrantUserRoleIds | User Management | Deprecated : Please use POST /user-management/entities/user-role-actions/v1. Assign one or more roles to a user |
| GroupContainersByManaged | Kubernetes Protection | Group the containers by Managed |
| handle | DataScanner | Produces the input message into the corresponding Kafka topic. |
| highVolumeQueryChanges | Filevantage | Returns 1 or more change ids |
| HostMigrationsActionsV1 | Host Migration | Perform an action on host migrations. |
| HostMigrationAggregatesV1 | Host Migration | Get host migration aggregates as specified via json in request body. |
| indicator_aggregate_v1 | IOC | Get Indicators aggregates as specified via json in the request body. |
| indicator_combined_v1 | IOC | Get Combined for Indicators. |
| indicator_create_v1 | IOC | Create Indicators. |
| indicator_delete_v1 | IOC | Delete Indicators by ids. |
| indicator_get_device_count_v1 | IOC | Get the number of devices the indicator has run on |
| indicator_get_devices_ran_on_v1 | IOC | Get the IDs of devices the indicator has run on |
| indicator_get_processes_ran_on_v1 | IOC | Get the number of processes the indicator has run on |
| indicator_get_v1 | IOC | Get Indicators by ids. |
| indicator_search_v1 | IOC | Search for Indicators. |
| indicator_update_v1 | IOC | Update Indicators. |
| IngestDataV1 | Foundry Logscale | Ingest data into the application repository |
| IngestDataAsyncV1 | Foundry Logscale | Ingest data into the application repository asynchronously |
| ioc_type_query_v1 | IOC | Query IOC Types. |
| LaunchExportJob | Falcon Container | Launch an export job of a Container Security resource. Maximum of 1 job in progress per resource. |
| LaunchScan | Quick Scan Pro | Starts scanning a file uploaded through UploadFileQuickScanPro. |
| listAvailableStreamsOAuth2 | Event Streams | Discover all event streams in your environment |
| ListAzureAccounts | Kubernetes Protection | Provides the azure subscriptions registered to Kubernetes Protection |
| ListCollections | Custom Storage | List available collection names in alphabetical order. |
| ListFeedTypes | Intelligence Feeds | Lists the accessible feeds for a given customer. |
| ListObjects | Custom Storage | List the object keys in the specified collection in alphabetical order |
| ListObjectsByVersion | Custom Storage | List the object keys in the specified collection in alphabetical order. |
| ListReposV1 | Foundry Logscale | Lists available repositories and views |
| ListSchemas | Custom Storage | Get the list of schemas for the requested collection in reverse version order (latest first). |
| ListViewV1 | Foundry Logscale | List views |
| MigrationsActionsV1 | Host Migration | Perform an action on a migration job. |
| MigrationAggregatesV1 | Host Migration | Get migration aggregates as specified via json in request body. |
| oauth2AccessToken | OAuth2 | Generate an OAuth2 access token |
| oauth2RevokeToken | OAuth2 | Revoke a previously issued OAuth2 access token before the end of its standard 30-minute lifespan. |
| PatchAzureServicePrincipal | Kubernetes Protection | Adds the client ID for the given tenant ID to our system |
| PatchCSPMAwsAccount | CSPM Registration | Patches a existing account in our system for a customer. |
| patchDeviceControlPoliciesClassesV1 | Device Control Policies | Update device control policy's classes (USB and Bluetooth). |
| patchDeviceControlPoliciesV2 | Device Control Policies | Update Device Control Policies by specifying the ID of the policy and details to update |
| PatchEntitiesAlertsV2 | Alerts | Perform actions on detections identified by detection ID(s) in request. Each action has a name and a description which describes what the action does. If a request adds and removes tag in a single request, the order of processing would be to remove tags before adding new ones in. |
| PatchEntitiesAlertsV3 | Alerts | Perform actions on detections identified by detection ID(s) in request. Each action has a name and a description which describes what the action does. If a request adds and removes tag in a single request, the order of processing would be to remove tags before adding new ones in. |
| patch_external_assets | Exposure Management | Update the details of external assets. |
| PerformActionV2 | Hosts | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. |
| performContentUpdatePoliciesAction | Content Update Policies | Perform the specified action on the Content Update Policies specified in the request. |
| performDeviceControlPoliciesAction | Device Control Policies | Perform the specified action on the Device Control Policies specified in the request |
| performFirewallPoliciesAction | Firewall Policies | Perform the specified action on the Firewall Policies specified in the request |
| performGroupAction | Host Group | Perform the specified action on the Host Groups specified in the request |
| PerformIncidentAction | Incidents | Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description |
| performPreventionPoliciesAction | Prevention Policy | Perform the specified action on the Prevention Policies specified in the request |
| performRTResponsePoliciesAction | Response Policies | Perform the specified action on the Response Policies specified in the request |
| performSensorUpdatePoliciesAction | Sensor Update Policy | Perform the specified action on the Sensor Update Policies specified in the request |
| platform_query_v1 | IOC | Query Platforms. |
| post_external_assets_inventory_v1 | Exposure Management | Add external assets for external asset scanning. |
| post_policy_rules | Identity Protection | Create policy rules. |
| PostAggregatesAlertsV1 | Alerts | retrieves aggregate values for Alerts across all CIDs |
| PostAggregatesAlertsV2 | Alerts | retrieves aggregate values for Alerts across all CIDs |
| PostCombinedAlertsV1 | Alerts | Retrieves all Alerts that match a particular FQL filter. This API is intended for retrieval of large amounts of Alerts(>10k) using a pagination based on a after token. |
| PostDeliverySettings | Delivery Settings | Create Delivery Settings. |
| postDeviceControlPoliciesV2 | Device Control Policies | Create Device Control Policies by specifying details about the policy to create. |
| PostDeviceDetailsV2 | Hosts | Get details on one or more hosts by providing host IDs in a POST body. Supports up to a maximum 5000 IDs. |
| PostEntitiesAlertsV1 | Alerts | retrieves all Alerts given their ids |
| PostEntitiesAlertsV2 | Alerts | retrieves all Alerts given their composite ids |
| PostMalQueryEntitiesSamplesMultidownloadV1 | MalQuery | Schedule samples for download. Use the result id with the /request endpoint to check if the download is ready after which you can call the /entities/samples-fetch to get the zip |
| PostMalQueryExactSearchV1 | MalQuery | Search Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. You can filter results on criteria such as file type, file size and first seen date. Returns a request id which can be used with the /request endpoint |
| PostMalQueryFuzzySearchV1 | MalQuery | Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. |
| PostMalQueryHuntV1 | MalQuery | Schedule a YARA-based search for execution. Returns a request id which can be used with the /request endpoint |
| PostMitreAttacks | Intel | Retrieves report and observable IDs associated with the given actor and attacks |
| PreviewRuleV1 | Recon | Preview rules notification count and distribution. This will return aggregations on: channel, count, site. |
| ProcessesRanOn | IOCs | Search for processes associated with a custom IOC |
| ProvisionAWSAccounts | Cloud Connect AWS | Provision AWS Accounts by specifying details about the accounts to provision |
| PutObject | Custom Storage | Put the specified new object at the given key or overwrite an existing object at the given key |
| PutObjectByVersion | Custom Storage | Put the specified new object at the given key or overwrite an existing object at the given key. |
| queries_edgetypes_get | ThreatGraph | Show all available edge types |
| queries_rules_get_v1 | Correlation Rules | Find all rule IDs matching the query and filter. |
| queries_rules_get_v2 | Correlation Rules | Find all rule version IDs matching the query and filter. |
| queries_states_v1 | Device Content | Query for the content state of the host. |
| queriesRolesV1 | User Management | Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /user-management/entities/roles/v1. |
| query_accounts | Discover | Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of account IDs which match the filter criteria. |
| query_applications | Discover | Search for applications in your environment by providing a FQL filter and paging details. returns a set of application IDs which match the filter criteria. |
| query_ecosystem_subsidiaries | Exposure Management | Retrieves a list of IDs for ecosystem subsidiaries. |
| query_events | Firewall Management | Find all event IDs matching the query with filter |
| query_firewall_fields | Firewall Management | Get the firewall field specification IDs for the provided platform |
| query_hosts | Discover | Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
| query_iot_hosts | Discover | Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
| query_iot_hosts_v2 | Discover | Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
| query_logins | Discover | Search for logins in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of login IDs which match the filter criteria. |
| query_malicious_files | ODS | Query malicious files. |
| query_network_locations | Firewall Management | Get a list of network location IDs |
| query_patterns | Custom IOA | Get all pattern severity IDs. |
| query_platforms | Firewall Management | Get the list of platform names |
| query_platformsMixin0 | Custom IOA | Get all platform IDs. |
| query_policy_rules | Firewall Management | Find all firewall rule IDs matching the query with filter, and return them in precedence order |
| query_rule_groups | Firewall Management | Find all rule group IDs matching the query with filter |
| query_rule_groups_full | Custom IOA | Find all rule groups matching the query with optional filter. |
| query_rule_groupsMixin0 | Custom IOA | Finds all rule group IDs matching the query with optional filter. |
| query_rule_types | Custom IOA | Get all rule type IDs. |
| query_rules | Firewall Management | Find all rule IDs matching the query with filter |
| query_rulesMixin0 | Custom IOA | Finds all rule IDs matching the query with optional filter. |
| query_scan_host_metadata | ODS | Query scan hosts. |
| query_scans | ODS | Query Scans. |
| query_scheduled_scans | ODS | Query ScheduledScans. |
| QueryActionsV1 | Recon | Query actions based on provided criteria. Use the IDs from this response to get the action entities on GET /entities/actions/v1. |
| queryActionsMixin0 | FileVantage | Returns one or more action IDs. |
| QueryActivityByCaseID | Message Center | Retrieve activities id's for a case |
| QueryAlertIdsByFilter | Falcon Complete Dashboard | Retrieve Alerts Ids that match the provided FQL filter criteria with scrolling enabled |
| QueryAllowListFilter | Falcon Complete Dashboard | Retrieve allowlist tickets that match the provided filter criteria with scrolling enabled |
| QueryAWSAccounts | Cloud Connect AWS | Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria |
| QueryAWSAccountsForIDs | Cloud Connect AWS | Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria |
| QueryBehaviors | Incidents | Search for behaviors by providing a FQL filter, sorting, and paging details |
| QueryBlockListFilter | Falcon Complete Dashboard | Retrieve block listtickets that match the provided filter criteria with scrolling enabled |
| QueryCasesIdsByFilter | Message Center | Retrieve case id's that match the provided filter criteria |
| queryChanges | Filevantage | Returns 1 or more change ids |
| queryChildren | MSSP (Flight Control) | Query for customers linked as children |
| queryCIDGroupMembers | MSSP (Flight Control) | Query a CID groups members by associated CID. |
| queryCIDGroups | MSSP (Flight Control) | Query CID groups. |
| queryCombinedContentUpdatePolicyMembers | Content Update Policies | Search for members of a Content Update Policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria. |
| queryCombinedContentUpdatePolicies | Content Update Policies | Search for Content Update Policies in your environment by providing an FQL filter and paging details. Returns a set of Content Update Policies which match the filter criteria. |
| queryCombinedDeviceControlPolicies | Device Control Policies | Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policies which match the filter criteria |
| queryCombinedDeviceControlPolicyMembers | Device Control Policies | Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
| queryCombinedFirewallPolicies | Firewall Policies | Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policies which match the filter criteria |
| queryCombinedFirewallPolicyMembers | Firewall Policies | Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
| queryCombinedGroupMembers | Host Group | Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
| queryCombinedHostGroups | Host Group | Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Groups which match the filter criteria |
| queryCombinedPreventionPolicies | Prevention Policy | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria |
| queryCombinedPreventionPolicyMembers | Prevention Policy | Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
| queryCombinedRTResponsePolicies | Response Policies | Search for Response Policies in your environment by providing a FQL filter and paging details. Returns a set of Response Policies which match the filter criteria |
| queryCombinedRTResponsePolicyMembers | Response Policies | Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
| queryCombinedSensorUpdateBuilds | Sensor Update Policy | Retrieve available builds for use with Sensor Update Policies |
| queryCombinedSensorUpdateKernels | Sensor Update Policy | Retrieve kernel compatibility info for Sensor Update Builds |
| queryCombinedSensorUpdatePolicies | Sensor Update Policy | Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria |
| queryCombinedSensorUpdatePoliciesV2 | Sensor Update Policy | Search for Sensor Update Policies with additional support for uninstall protection in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria |
| queryCombinedSensorUpdatePolicyMembers | Sensor Update Policy | Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
| queryContentUpdatePolicyMembers | Content Update Policies | Search for members of a Content Update Policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria. |
| queryContentUpdatePolicies | Content Update Policies | Search for Content Update Policies in your environment by providing an FQL filter and paging details. Returns a set of Content Update Policy IDs which match the filter criteria. |
| QueryDetectionIdsByFilter | Falcon Complete Dashboard | Retrieve DetectionsIds that match the provided FQL filter, criteria with scrolling enabled |
| QueryDetects | Detects | Search for detection IDs that match a given query |
| queryDeviceControlPolicies | Device Control Policies | Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policy IDs which match the filter criteria |
| queryDeviceControlPolicyMembers | Device Control Policies | Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
| QueryDeviceLoginHistory | Hosts | Retrieve details about recent login sessions for a set of devices. |
| QueryDeviceLoginHistoryV2 | Hosts | Retrieve details about recent interactive login sessions for a set of devices powered by the Host Timeline. A max of 10 device ids can be specified |
| QueryDevicesByFilter | Hosts | Search for hosts in your environment by platform, hostname, IP, and other criteria. |
| QueryDevicesByFilterScroll | Hosts | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit) |
| QueryEscalationsFilter | Falcon Complete Dashboard | Retrieve escalation tickets that match the provided filter criteria with scrolling enabled |
| queryEvaluationLogic | Spotlight Evaluation Logic | Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic IDs which match the filter criteria. |
| QueryEvents | Tailored Intelligence | Get events ids that match the provided filter criteria. |
| QueryExportJobs | Falcon Container | Query export jobs entities. |
| query_external_assets | Exposure Management | Get a list of external asset IDs that match the provided filter conditions. Use these IDs with the blob_download_external_assets, blob_preview_external_assets and get_external_assets endpoints |
| QueryFeedArchives | Intelligence Feeds | Queries the accessible feeds for a customer. Returns a list of feed IDs which can be later downloaded. |
| queryFirewallPolicies | Firewall Policies | Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policy IDs which match the filter criteria |
| queryFirewallPolicyMembers | Firewall Policies | Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
| QueryGetNetworkAddressHistoryV1 | Hosts | Retrieve history of IP and MAC addresses of devices. |
| queryGroupMembers | Host Group | Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
| QueryHiddenDevices | Hosts | Retrieve hidden hosts that match the provided filter criteria. |
| queryHostGroups | Host Group | Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Group IDs which match the filter criteria |
| QueryIncidentIdsByFilter | Falcon Complete Dashboard | Retrieve incidents that match the provided filter criteria with scrolling enabled |
| QueryIncidents | Incidents | Search for incidents by providing a FQL filter, sorting, and paging details |
| QueryIntelActorEntities | Intel | Get info about actors that match provided FQL filters. |
| QueryIntelActorIds | Intel | Get actor IDs that match provided FQL filters. |
| QueryIntelIndicatorEntities | Intel | Get info about indicators that match provided FQL filters. |
| QueryIntelIndicatorIds | Intel | Get indicators IDs that match provided FQL filters. |
| QueryIntelReportEntities | Intel | Get info about reports that match provided FQL filters. |
| QueryIntelReportIds | Intel | Get report IDs that match provided FQL filters. |
| QueryIntelRuleIds | Intel | Search for rule IDs that match provided filter criteria. |
| queryIOAExclusionsV1 | IOA Exclusions | Search for IOA exclusions. |
| QueryMalware | Intel | Get malware family names that match provided FQL filters. |
| QueryMitreAttacksForMalware | Intel | Gets MITRE tactics and techniques for the given malware. |
| QueryMitreAttacks | Intel | Gets MITRE tactics and techniques for the given actor, returning concatenation of id and tactic and technique ids, example: fancy-bear_TA0011_T1071 |
| queryMLExclusionsV1 | ML Exclusions | Search for ML exclusions. |
| QueryNotificationsExposedDataRecordsV1 | Recon | Query notifications exposed data records based on provided criteria. Use the IDs from this response to get the notification +entities on GET /entities/notifications-exposed-data-records/v1 |
| QueryNotificationsV1 | Recon | Query notifications based on provided criteria. Use the IDs from this response to get the notification +entities on GET /entities/notifications/v1, GET /entities/notifications-detailed/v1, +GET /entities/notifications-translated/v1 or GET /entities/notifications-detailed-translated/v1. |
| queryPinnableContentVersions | Content Update Policies | Search for content versions available for pinning given the category. |
| queryPolicies | Filevantage | Retrieve the ids of all policies that are assigned the provided policy type. |
| queryPreventionPolicies | Prevention Policy | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policy IDs which match the filter criteria |
| queryPreventionPolicyMembers | Prevention Policy | Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
| QueryQuarantineFiles | Quarantine | Get quarantine file ids that match the provided filter criteria. |
| QueryReleaseNotesV1 | Deployments | Queries for release-notes resources and returns IDs. |
| QueryRemediationsFilter | Falcon Complete Dashboard | Retrieve remediation tickets that match the provided filter criteria with scrolling enabled |
| QueryReports | Falcon Intelligence Sandbox | Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria. |
| queryRoles | MSSP (Flight Control) | Query links between user groups and CID groups. At least one of CID group ID or user group ID should also be provided. Role ID is optional. |
| queryRTResponsePolicies | Response Policies | Search for Response Policies in your environment by providing a FQL filter with sort and/or paging details. This returns a set of Response Policy IDs that match the given criteria. |
| queryRTResponsePolicyMembers | Response Policies | Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
| queryRuleGroups | Filevantage | Retrieve the ids of all rule groups that are of the provided rule group type. |
| QueryRules | Tailored Intelligence | Get rules ids that match the provided filter criteria. |
| QueryRulesV1 | Recon | Query monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on /entities/rules/v1. |
| QuerySampleV1 | Falcon Intelligence Sandbox | Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200 |
| QueryScanResults | Quick Scan Pro | Gets QuickScan Pro scan jobs for a given FQL filter. |
| queryScheduledExclusions | Filevantage | Retrieve the ids of all scheduled exclusions contained within the provided policy id. |
| QuerySensorsByFilter | Identity Entities | Search for sensors in your environment by hostname, IP, and other criteria. |
| querySensorUpdateKernelsDistinct | Sensor Update Policy | Retrieve kernel compatibility info for Sensor Update Builds |
| querySensorUpdatePolicies | Sensor Update Policy | Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policy IDs which match the filter criteria |
| querySensorUpdatePolicyMembers | Sensor Update Policy | Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
| querySensorVisibilityExclusionsV1 | Sensor Visibility Exclusions | Search for sensor visibility exclusions. |
| QuerySubmissions | Falcon Intelligence Sandbox | Find submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria. |
| QuerySubmissionsMixin0 | Quick Scan | Find IDs for submitted scans by providing a FQL filter and paging details. Returns a set of volume IDs that match your criteria. |
| queryUserGroupMembers | MSSP (Flight Control) | Query user group member by user UUID. |
| queryUserGroups | MSSP (Flight Control) | Query user groups. |
| queryUserV1 | User Management | List user IDs for all users in your customer account. For more information on each user, provide the user ID to /user-management/entities/users/GET/v1. |
| QueryVulnerabilities | Intel | Get vulnerabilities IDs |
| queryVulnerabilities | Spotlight Vulnerabilities | Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria |
| ReadClusterCombined | Kubernetes Protection | Retrieve kubernetes clusters identified by the provided filter criteria |
| ReadClusterCombinedV2 | Kubernetes Protection | Retrieve kubernetes clusters identified by the provided filter criteria |
| ReadClusterCount | Kubernetes Protection | Retrieve cluster counts |
| ReadClusterEnrichment | Kubernetes Protection | Retrieve cluster enrichment data |
| ReadClustersByDateRangeCount | Kubernetes Protection | Retrieve clusters by date range counts |
| ReadClustersByKubernetesVersionCount | Kubernetes Protection | Bucket clusters by kubernetes version |
| ReadClustersByStatusCount | Kubernetes Protection | Bucket clusters by status |
| ReadCombinedDetections | Container Detections | Retrieve image assessment detections identified by the provided filter criteria |
| ReadCombinedImagesExport | Container Images | Retrieve images with an option to expand aggregated vulnerabilities/detections |
| ReadCombinedVulnerabilities | Container Vulnerabilities | Retrieve vulnerability and aggregate data filtered by the provided FQL |
| ReadCombinedVulnerabilitiesDetails | Container Vulnerabilities | Retrieve vulnerability details related to an image |
| ReadCombinedVulnerabilitiesInfo | Container Vulnerabilities | Retrieve vulnerability and package related info for this customer |
| ReadContainerAlertsCount | Container Alerts | Search Container Alerts by the provided search criteria |
| ReadContainerAlertsCountBySeverity | Container Alerts | Get Container Alert counts by severity |
| ReadContainerCombined | Kubernetes Protection | Retrieve containers identified by the provided filter criteria |
| ReadContainerCount | Kubernetes Protection | Retrieve container counts |
| ReadContainerCountByRegistry | Kubernetes Protection | Retrieve top container image registries |
| ReadContainerImageDetectionsCountByDate | Kubernetes Protection | Retrieve count of image assessment detections on running containers over a period of time |
| ReadContainerEnrichment | Kubernetes Protection | Retrieve container enrichment data |
| ReadContainerImagesByMostUsed | Kubernetes Protection | Bucket container by image-digest |
| ReadContainerImagesByState | Kubernetes Protection | Retrieve count of image states running on containers |
| ReadContainersByDateRangeCount | Kubernetes Protection | Retrieve containers by date range counts |
| ReadContainersSensorCoverage | Kubernetes Protection | Bucket containers by agent type and calculate sensor coverage |
| ReadContainerVulnerabilitiesBySeverityCount | Kubernetes Protection | Retrieve container vulnerabilities by severity counts |
| ReadDeploymentCombined | Kubernetes Protection | Retrieve kubernetes deployments identified by the provided filter criteria |
| ReadDeploymentsCombined | Cloud Snapshots | Search for snapshot jobs identified by the provided filter. |
| ReadDeploymentCount | Kubernetes Protection | Retrieve deployment counts |
| ReadDeploymentEnrichment | Kubernetes Protection | Retrieve deployment enrichment data |
| ReadDeploymentsEntities | Cloud Snapshots | Retrieve snapshot jobs identified by the provided IDs. |
| ReadDeploymentsByDateRangeCount | Kubernetes Protection | Retrieve deployments by date range counts |
| ReadDetections | Container Detections | Retrieve image assessment detection entities identified by the provided filter criteria |
| ReadDetectionsCount | Container Detections | Aggregate count of detections |
| ReadDetectionsCountBySeverity | Container Detections | Aggregate counts of detections by severity |
| ReadDetectionsCountByType | Container Detections | Aggregate counts of detections by detection type |
| ReadDistinctContainerImageCount | Kubernetes Protection | Retrieve count of distinct images running on containers |
| ReadDriftIndicatorsCount | Drift Indicators | Returns the total count of Drift indicators over a time period |
| ReadDriftIndicatorEntities | Drift Indicators | Retrieve Drift Indicator entities identified by the provided IDs |
| ReadExportJobs | Falcon Container | Read export jobs entities. |
| ReadImageVulnerabilities | Falcon Container | Retrieve known vulnerabilities for the provided image |
| ReadKubernetesIomByDateRange | Kubernetes Protection | Returns the count of Kubernetes IOMs by the date. by default it's for 7 days. |
| ReadKubernetesIomCount | Kubernetes Protection | Returns the total count of Kubernetes IOMs over the past seven days |
| ReadKubernetesIomEntities | Kubernetes Protection | Retrieve Kubernetes IOM entities identified by the provided IDs |
| ReadNamespaceCount | Kubernetes Protection | Retrieve namespace counts |
| ReadNamespacesByDateRangeCount | Kubernetes Protection | Retrieve namespaces by date range counts |
| ReadNodeCombined | Kubernetes Protection | Retrieve kubernetes nodes identified by the provided filter criteria |
| ReadNodeCount | Kubernetes Protection | Retrieve node counts |
| ReadNodeEnrichment | Kubernetes Protection | Retrieve node enrichment data |
| ReadNodesByCloudCount | Kubernetes Protection | Bucket nodes by cloud providers |
| ReadNodesByContainerEngineVersionCount | Kubernetes Protection | Bucket nodes by their container engine version |
| ReadNodesByDateRangeCount | Kubernetes Protection | Retrieve nodes by date range counts |
| ReadPackagesByFixableVulnCount | Container Packages | Retrieve top x app packages with the most fixable vulnerabilities |
| ReadPackagesByImageCount | Container Packages | Retrieves the N most frequently used packages across images. |
| ReadPackagesByVulnCount | Container Packages | Retrieve top x packages with the most vulnerabilities |
| ReadPackagesCombined | Container Packages | Retrieve packages identified by the provided filter criteria |
| ReadPackagesCombinedV2 | Container Packages | Retrieve packages identified by the provided filter criteria. |
| ReadPackagesCombinedExport | Container Packages | Retrieve packages identified by the provided filter criteria for the purpose of export |
| ReadPackagesCountByZeroDay | Container Packages | Retrieve packages count affected by zero day vulnerabilities |
| ReadPodEnrichment | Kubernetes Protection | Retrieve pod enrichment data |
| ReadPolicies | Image Assessment Policies | Get all Image Assessment policies |
| ReadPolicyExclusions | Image Assessment Policies | Retrieve Image Assessment Policy Exclusion entities |
| ReadPolicyGroups | Image Assessment Policies | Retrieve Image Assessment Policy Group entities |
| ReadPodCombined | Kubernetes Protection | Retrieve kubernetes pods identified by the provided filter criteria |
| ReadPodCount | Kubernetes Protection | Retrieve pod counts |
| ReadPodsByDateRangeCount | Kubernetes Protection | Retrieve pods by date range counts |
| ReadRegistryEntities | Falcon Container | Retrieve registry entities identified by the customer id |
| ReadRegistryEntitiesByUUID | Falcon Container | Retrieve the registry entity identified by the entity UUID |
| ReadRequestBody | FaaS Execution | Retrieve a large request body, such as a file, that has spilled into object storage. |
| ReadRunningContainerImages | Kubernetes Protection | Retrieve images on running containers |
| ReadUnidentifiedContainersByDateRangeCount | Unidentified Containers | Returns the count of Unidentified Containers over the last 7 days |
| ReadUnidentifiedContainersCount | Unidentified Containers | Returns the total count of Unidentified Containers over a time period |
| ReadVulnerabilitiesByImageCount | Container Vulnerabilities | Retrieve top x vulnerabilities with the most impacted images |
| ReadVulnerabilitiesPublicationDate | Container Vulnerabilities | Retrieve top x vulnerabilities with the most recent publication date |
| ReadVulnerabilityCount | Container Vulnerabilities | Aggregate count of vulnerabilities |
| ReadVulnerabilityCountByActivelyExploited | Container Vulnerabilities | Aggregate count of vulnerabilities grouped by actively exploited |
| ReadVulnerabilityCountByCPSRating | Container Vulnerabilities | Aggregate count of vulnerabilities grouped by csp_rating |
| ReadVulnerabilityCountByCVSSScore | Container Vulnerabilities | Aggregate count of vulnerabilities grouped by cvss score |
| ReadVulnerabilityCountBySeverity | Container Vulnerabilities | Aggregate count of vulnerabilities grouped by severity |
| ReadVulnerableContainerImageCount | Kubernetes Protection | Retrieve count of vulnerable images running on containers |
| refreshActiveStreamSession | Event Streams | Refresh an active event stream. Use the URL shown in a GET /sensors/entities/datafeed/v2 response. |
| RegenerateAPIKey | Kubernetes Protection | Regenerate API key for docker registry integrations |
| RegisterCspmSnapshotAccount | Cloud Snapshots | Register an account for snapshot scanning. |
| report_executions_download_get | Report Executions | Get report entity download |
| report_executions_get | Report Executions | Retrieve report details for the provided report IDs. |
| report_executions_query | Report Executions | Find all report execution IDs matching the query with filter |
| report_executions_retry | Report Executions | This endpoint will be used to retry report executions |
| RequestDeviceEnrollmentV3 | Mobile Enrollment | Trigger on-boarding process for a mobile device |
| RequestDeviceEnrollmentV4 | Mobile Enrollment | Trigger on-boarding process for a mobile device. |
| RetrieveEmailsByCID | User Management | Deprecated : Please use POST /user-management/entities/users/GET/v1. List the usernames (usually an email address) for all users in your customer account |
| RetrieveRelayInstances | ASPM | Retrieve the relay instances in CSV format. |
| retrieveUser | User Management | Deprecated : Please use POST /user-management/entities/users/GET/v1. Get info about a user |
| retrieveUsersGETV1 | User Management | Get info about users including their name, UID and CID by providing user UUIDs |
| RetrieveUserUUID | User Management | Deprecated : Please use GET /user-management/queries/users/v1. Get a user's ID by providing a username (usually an email address) |
| RetrieveUserUUIDsByCID | User Management | Deprecated : Please use GET /user-management/queries/users/v1. List user IDs for all users in your customer account. For more information on each user, provide the user ID to /users/entities/user/v1. |
| revealUninstallToken | Sensor Update Policy | Reveals an uninstall token for a specific device. To retrieve the bulk maintenance token pass the value 'MAINTENANCE' as the value for 'device_id' |
| RevokeUserRoleIds | User Management | Deprecated : Please use POST /user-management/entities/user-role-actions/v1. Revoke one or more roles from a user |
| RTR_AggregateSessions | Real Time Response | Get aggregates on session data. |
| RTR_CheckActiveResponderCommandStatus | Real Time Response | Get status of an executed active-responder command on a single host. |
| RTR_CheckAdminCommandStatus | Real Time Response Admin | Get status of an executed RTR administrator command on a single host. |
| RTR_CheckCommandStatus | Real Time Response | Get status of an executed command on a single host. |
| RTR_CreatePut_Files | Real Time Response Admin | Upload a new put-file to use for the RTR put command. |
| RTR_CreateScripts | Real Time Response Admin | Upload a new custom-script to use for the RTR runscript command. |
| RTR_DeleteFile | Real Time Response | Delete a RTR session file. |
| RTR_DeleteFileV2 | Real Time Response | Delete a RTR session file. |
| RTR_DeletePut_Files | Real Time Response Admin | Delete a put-file based on the ID given. Can only delete one file at a time. |
| RTR_DeleteQueuedSession | Real Time Response | Delete a queued session command |
| RTR_DeleteScripts | Real Time Response Admin | Delete a custom-script based on the ID given. Can only delete one script at a time. |
| RTR_DeleteSession | Real Time Response | Delete a session. |
| RTR_ExecuteActiveResponderCommand | Real Time Response | Execute an active responder command on a single host. |
| RTR_ExecuteAdminCommand | Real Time Response Admin | Execute a RTR administrator command on a single host. |
| RTR_ExecuteCommand | Real Time Response | Execute a command on a single host. |
| RTR_GetExtractedFileContents | Real Time Response | Get RTR extracted file contents for specified session and sha256. |
| RTR_GetFalconScripts | Real Time Response Admin | Get Falcon scripts with metadata and content of script |
| RTR_GetPut_Files | Real Time Response Admin | Get put-files based on the ID's given. These are used for the RTR put command. |
| RTR_GetPut_FilesV2 | Real Time Response Admin | Get put-files based on the ID's given. These are used for the RTR put command. |
| RTR_GetScripts | Real Time Response Admin | Get custom-scripts based on the ID's given. These are used for the RTR runscript command. |
| RTR_GetScriptsV2 | Real Time Response Admin | Get custom-scripts based on the ID's given. These are used for the RTR runscript command. |
| RTR_InitSession | Real Time Response | Initialize a new session with the RTR cloud. |
| RTR_ListAllSessions | Real Time Response | Get a list of session_ids. |
| RTR_ListFalconScripts | Real Time Response Admin | Get a list of Falcon script IDs available to the user to run |
| RTR_ListFiles | Real Time Response | Get a list of files for the specified RTR session. |
| RTR_ListFilesV2 | Real Time Response | Get a list of files for the specified RTR session. |
| RTR_ListPut_Files | Real Time Response Admin | Get a list of put-file ID's that are available to the user for the put command. |
| RTR_ListQueuedSessions | Real Time Response | Get queued session metadata by session ID. |
| RTR_ListScripts | Real Time Response Admin | Get a list of custom-script ID's that are available to the user for the runscript command. |
| RTR_ListSessions | Real Time Response | Get session metadata by session id. |
| RTR_PulseSession | Real Time Response | Refresh a session timeout on a single host. |
| RTR_UpdateScripts | Real Time Response Admin | Upload a new scripts to replace an existing one. |
| RTRAuditSessions | Real Time Response Audit | Get all the RTR sessions created for a customer in a specified duration |
| RunIntegrationTask | ASPM | Run an integration task by its ID |
| RunIntegrationTaskAdmin | ASPM | Run an integration task by its ID with admin scope |
| RunIntegrationTaskV2 | ASPM | Run an integration task by its ID |
| ScanSamples | Quick Scan | Submit a volume of files for ml scanning. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute |
| schedule_scan | ODS | Create ODS scan and start or schedule scan for the given scan request. |
| scheduled_reports_get | Scheduled Reports | Retrieve scheduled reports for the provided report IDs. |
| scheduled_reports_launch | Scheduled Reports | Launch scheduled reports executions for the provided report IDs. |
| scheduled_reports_query | Scheduled Reports | Find all report IDs matching the query with filter |
| SearchAndReadContainerAlerts | Container Alerts | Search Container Alerts by the provided search criteria |
| SearchAndReadDriftIndicatorEntities | Drift Indicators | Retrieve Drift Indicators by the provided search criteria |
| SearchAndReadKubernetesIomEntities | Kubernetes Protection | Search Kubernetes IOM by the provided search criteria |
| SearchAndReadUnidentifiedContainers | Unidentified Containers | Search Unidentified Containers by the provided search criteria |
| SearchDetections | Container Detections | Retrieve image assessment detection entities identified by the provided filter criteria |
| SearchDriftIndicators | Drift Indicators | Retrieve all drift indicators that match the given query |
| SearchIndicators | Intelligence Indicator Graph | Search indicators based on FQL filter. |
| SearchIntelligenceQueries | CAO Hunting | Search intelligence queries that match the provided conditions. |
| SearchKubernetesIoms | Kubernetes Protection | Search Kubernetes IOMs by the provided search criteria. this endpoint returns a list of Kubernetes IOM UUIDs matching the query |
| SearchObjects | Custom Storage | Search for objects that match the specified filter criteria (returns metadata, not actual objects) |
| SearchObjectsByVersion | Custom Storage | Search for objects that match the specified filter criteria (returns metadata, not actual objects). |
| ServiceNowGetDeployments | ASPM | Get ServiceNow deployments. |
| ServiceNowGetServices | ASPM | Get ServiceNow services. |
| SetCloudSecurityIntegrationState | ASPM | Set Cloud Security integration state. |
| setContentUpdatePoliciesPrecedence | Content Update Policies | Sets the precedence of Content Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies when updating precedence. |
| setDeviceControlPoliciesPrecedence | Device Control Policies | Sets the precedence of Device Control Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
| setFirewallPoliciesPrecedence | Firewall Policies | Sets the precedence of Firewall Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
| setPreventionPoliciesPrecedence | Prevention Policy | Sets the precedence of Prevention Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
| setRTResponsePoliciesPrecedence | Response Policies | Sets the precedence of Response Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
| setSensorUpdatePoliciesPrecedence | Sensor Update Policy | Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
| severity_query_v1 | IOC | Query Severities. |
| signalChangesExternal | FileVantage | Initiates workflows for the provided change IDs. |
| startActions | FileVantage | Initiates the specified action on the provided change IDs. |
| StartSearchV1 | NGSIEM | Initiate a NGSIEM search. |
| StopSearchV1 | NGSIEM | Stop a NGSIEM search. |
| Submit | Falcon Intelligence Sandbox | Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. |
| tokens_create | Installation Tokens | Creates a token. |
| tokens_delete | Installation Tokens | Deletes a token immediately. To revoke a token, use PATCH /installation-tokens/entities/tokens/v1 instead. |
| tokens_query | Installation Tokens | Search for tokens by providing a FQL filter and paging details. |
| tokens_read | Installation Tokens | Gets the details of one or more tokens by id. |
| tokens_update | Installation Tokens | Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore. |
| TriggerScan | Kubernetes Protection | Triggers a dry run or a full scan of a customer's kubernetes footprint |
| update_network_locations | Firewall Management | Updates the network locations provided, and return the ID. |
| update_network_locations_metadata | Firewall Management | Updates the network locations metadata such as polling_intervals for the cid |
| update_network_locations_precedence | Firewall Management | Updates the network locations precedence according to the list of ids provided. |
| update_policy_container | Firewall Management | Update an identified policy container, including local logging functionality. |
| update_policy_container_v1 | Firewall Management | Update an identified policy container. WARNING: This endpoint is deprecated in favor of v2, using this endpoint could disable your local logging setting. |
| update_data_scanner_tasks | DataScanner | Reports back on task status. |
| update_rule_group | Firewall Management | Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules |
| update_rule_group_validation | Firewall Management | Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules |
| update_rule_groupMixin0 | Custom IOA | Update a rule group. The following properties can be modified: name, description, enabled. |
| update_rules | Custom IOA | Update rules within a rule group. Return the updated rules. |
| update_rules_v2 | Custom IOA | Update name, description, enabled or field_values for individual rules within a rule group. The v1 flavor of this call requires the caller to specify the complete state for all the rules in the rule group, instead the v2 flavor will accept the subset of rules in the rule group and apply the attribute updates to the subset of rules in the rule group. Returns the updated rules. |
| UpdateActionV1 | Recon | Update an action for a monitoring rule. |
| UpdateAWSAccount | Kubernetes Protection | Updates the AWS account per the query parameters provided |
| UpdateAWSAccounts | Cloud Connect AWS | Update AWS Accounts by specifying the ID of the account and details to update |
| updateCIDGroups | MSSP (Flight Control) | Update existing CID groups. CID group ID is expected for each CID group definition provided in request body. Name is a required field but description is an optional field. Empty description will override existing value. CID group member(s) remain unaffected. |
| updateContentUpdatePolicies | Content Update Policies | Update Content Update Policies by specifying the ID of the policy and details to update. |
| UpdateCSPMAzureAccountClientID | CSPM Registration | Update an Azure service account in our system by with the user-created client_id created with the public key we've provided |
| UpdateCSPMAzureTenantDefaultSubscriptionID | CSPM Registration | Update an Azure default subscription_id in our system for given tenant_id |
| UpdateCSPMGCPAccount | CSPM Registration | Patches a existing account in our system for a customer. |
| UpdateCSPMGCPServiceAccountsExt | CSPM Registration | Updates an existing GCP service account. |
| UpdateCSPMPolicySettings | CSPM Registration | Updates a policy setting - can be used to override policy severity or to disable a policy entirely. |
| UpdateCSPMScanSchedule | CSPM Registration | Updates scan schedule configuration for one or more cloud platforms. |
| UpdateD4CCPServiceAccountsExt | D4C Registration | Updates an existing GCP service account. |
| updateDefaultDeviceControlPolicies | Device Control Policies | Update the configuration for a Default Device Control Policy |
| updateDefaultDeviceControlSettings | Device Control Policies | Update the configuration for Default Device Control Settings. |
| UpdateDetectsByIdsV2 | Detects | Modify the state, assignee, and visibility of detections |
| updateDeviceControlPolicies | Device Control Policies | Update Device Control Policies by specifying the ID of the policy and details to update |
| UpdateDeviceTags | Hosts | Append or remove one or more Falcon Grouping Tags on one or more hosts. Tags must be of the form FalconGroupingTags/ |
| UpdateDiscoverCloudAzureAccountClientID | D4C Registration | Update an Azure service account in our system by with the user-created client_id created with the public key we've provided |
| UpdateExecutorNode | ASPM | Update an existing relay node |
| updateFirewallPolicies | Firewall Policies | Update Firewall Policies by specifying the ID of the policy and details to update |
| updateHostGroups | Host Group | Update Host Groups by specifying the ID of the group and details to update |
| updateIOAExclusionsV1 | IOA Exclusions | Update the IOA exclusions |
| UpdateIntegration | ASPM | Update an existing integration by its ID |
| UpdateIntegrationTask | ASPM | Update an existing integration task by its ID |
| updateMLExclusionsV1 | ML Exclusions | Update the ML exclusions |
| UpdateNotificationsV1 | Recon | Update notification status or assignee. Accepts bulk requests |
| updatePolicies | Filevantage | Updates the general information of the provided policy. |
| UpdatePolicies | Image Assessment Policies | Update Image Assessment Policy entities |
| UpdatePolicyExclusions | Image Assessment Policies | Update Image Assessment Policy Exclusion entities |
| UpdatePolicyGroups | Image Assessment Policies | Update Image Assessment Policy Group entities |
| updatePolicyHostGroups | Filevantage | Manage host groups assigned to a policy. |
| updatePolicyPrecedence | Filevantage | Updates the policy precedence for all policies of a specific type. |
| UpdatePolicyPrecedence | Image Assessment Policies | Update Image Assessment Policy precedence |
| updatePolicyRuleGroups | Filevantage | Manage the rule groups assigned to the policy or set the rule group precedence for all rule groups within the policy. |
| updatePreventionPolicies | Prevention Policy | Update Prevention Policies by specifying the ID of the policy and details to update |
| UpdateQfByQuery | Quarantine | Apply quarantine file actions by query. |
| UpdateQuarantinedDetectsByIds | Quarantine | Apply action by quarantine file ids |
| UpdateRegistryEntities | Falcon Container | Update the registry entity, as identified by the entity UUID, using the provided details |
| updateRTResponsePolicies | Response Policies | Update Response Policies by specifying the ID of the policy and details to update |
| updateRuleGroupPrecedence | Filevantage | Updates the rule precedence for all rules in the identified rule group. |
| updateRuleGroups | Filevantage | Updates the provided rule group. |
| updateRules | Filevantage | Updates the provided rule configuration within the specified rule group. |
| UpdateRulesV1 | Recon | Update monitoring rules. |
| updateScheduledExclusions | Filevantage | Updates the provided scheduled exclusion configuration within the provided policy. |
| updateSensorUpdatePolicies | Sensor Update Policy | Update Sensor Update Policies by specifying the ID of the policy and details to update |
| updateSensorUpdatePoliciesV2 | Sensor Update Policy | Update Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection |
| updateSensorVisibilityExclusionsV1 | Sensor Visibility Exclusions | Update the sensor visibility exclusions |
| UpdateUser | User Management | Deprecated : Please use PATCH /user-management/entities/users/v1. Modify an existing user's first or last name |
| updateUserGroups | MSSP (Flight Control) | Update existing user group(s). User group ID is expected for each user group definition provided in request body. Name is a required field but description is an optional field. Empty description will override existing value. User group member(s) remain unaffected. |
| updateUserV1 | User Management | Modify an existing user's first or last name. |
| UploadFileMixin0Mixin93 | Quick Scan Pro | Uploads a file to be further analyzed with QuickScan Pro. The samples expire after 90 days. |
| UploadLookupV1 | NGSIEM | Upload a lookup file to NGSIEM. |
| UploadSampleV2 | Falcon Intelligence Sandbox | Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file. |
| UploadSampleV3 | Sample Uploads | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint. |
| upsert_network_locations | Firewall Management | Updates the network locations provided, and return the ID. |
| UpsertBusinessApplications | ASPM | Create or Update Business Applications |
| UpsertTags | ASPM | Create new or update existing tag. You can update unique tags table or regular tags table. |
| userActionV1 | User Management | Apply actions to one or more User. Available action names: reset_2fa, reset_password. User UUIDs can be provided in ids param as part of request payload. |
| userRolesActionV1 | User Management | Grant or Revoke one or more role(s) to a user against a CID. User UUID, CID and Role ID(s) can be provided in request payload. Available Action(s) : grant, revoke |
| ValidateCSPMGCPServiceAccountExt | CSPM Registration | Validates credentials for a service account |
| validate | Custom IOA | Validates field values and checks for matches if a test string is provided. |
| validate_filepath_pattern | Firewall Management | Validates that the test pattern matches the executable filepath glob pattern. |
| VerifyAWSAccountAccess | Cloud Connect AWS | Performs an Access Verification check on the specified AWS Account IDs |
| WorkflowActivitiesCombined | Workflows | Search workflow activities based on the provided filter |
| WorkflowActivitiesContentCombined | Workflows | Search for activities by name. Returns all supported activities if no filter is specified. |
| WorkflowDefinitionsCombined | Workflows | Search workflow definitions based on the provided filter |
| WorkflowDefinitionsExport | Workflows | Exports a workflow definition for the given definition ID |
| WorkflowDefinitionsImport | Workflows | Imports a workflow definition based on the provided model |
| WorkflowDefinitionsUpdate | Workflows | Updates a workflow definition based on the provided model. |
| WorkflowExecute | Workflows | Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response the execution ID(s) |
| WorkflowExecuteInternal | Workflows | Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response the execution ID(s). |
| WorkflowMockExecute | Workflows | Executes an on-demand Workflow with mocks. |
| WorkflowExecutionResults | Workflows | Get execution result of a given execution |
| WorkflowExecutionsAction | Workflows | Allows a user to resume/retry a failed workflow execution. |
| WorkflowExecutionsCombined | Workflows | Search workflow executions based on the provided filter |
| WorkflowGetHumanInputV1 | Workflows | Gets one or more specific human inputs by their IDs. |
| WorkflowTriggersCombined | Workflows | Search workflow triggers based on the provided filter |
| WorkflowUpdateHumanInputV1 | Workflows | Provides an input in response to a human input action. Depending on action configuration, one or more of Approve, Decline, and/or Escalate are permitted. |
| WorkflowSystemDefinitionsDeProvision | Workflows | Deprovisions a system definition that was previously provisioned on the target CID |
| WorkflowSystemDefinitionsPromote | Workflows | Promotes a version of a system definition for a customer. The customer must already have been provisioned. This allows the caller to apply an updated template version to a specific cid and expects all parameters to be supplied. If the template supports multi-instance the customer scope definition ID must be supplied to determine which customer workflow should be updated. |
| WorkflowSystemDefinitionsProvision | Workflows | Provisions a system definition onto the target CID by using the template and provided parameters |