Alphabetical list of all CrowdStrike OAuth2 API operations

Operation IDService CollectionDescription
action_get_v1IOCGet Actions by ids.
action_query_v1IOCQuery Actions.
ActionUpdateCountQuarantineReturns count of potentially affected quarantined files for each action.
addCIDGroupMembersMSSP (Flight Control)Add new CID group member.
addRoleMSSP (Flight Control)Create a link between user group and CID group, with zero or more additional roles. The call does not replace any existing link between them. User group ID and CID group ID have to be specified in request.
addUserGroupMembersMSSP (Flight Control)Add new user group member. Maximum 500 members allowed per user group.
aggregate_eventsFirewall ManagementAggregate events for customer
aggregate_external_assetsExposure ManagementReturns external assets aggregates.
aggregate_policy_rulesFirewall ManagementAggregate rules within a policy for customer
aggregate_query_scan_host_metadataODSGet aggregates on ODS scan-hosts data.
aggregate_rule_groupsFirewall ManagementAggregate rule groups for customer
aggregate_rulesFirewall ManagementAggregate rules for customer
aggregate_scansODSGet aggregates on ODS scan data.
aggregate_scheduled_scansODSGet aggregates on ODS scheduled-scan data.
AggregateAlertsFalcon Complete DashboardRetrieve aggregate alerts values based on the matched filter
AggregateAllowListFalcon Complete DashboardRetrieve aggregate allowlist ticket values based on the matched filter
AggregateBlockListFalcon Complete DashboardRetrieve aggregate blocklist ticket values based on the matched filter
AggregateCasesMessage CenterRetrieve aggregate case values based on the matched filter
AggregateDetectionsFalcon Complete DashboardRetrieve aggregate detection values based on the matched filter
AggregateDeviceCountCollectionFalcon Complete DashboardRetrieve aggregate host/devices count based on the matched filter
AggregateEscalationsFalcon Complete DashboardRetrieve aggregate escalation ticket values based on the matched filter
AggregateFCIncidentsFalcon Complete DashboardRetrieve aggregate incident values based on the matched filter
AggregateImageAssessmentHistoryContainer ImagesImage assessment history
AggregateImageCountContainer ImagesAggregate count of images
AggregateImageCountByBaseOSContainer ImagesAggregate count of images grouped by Base OS distribution
AggregateImageCountByStateContainer ImagesAggregate count of images grouped by state
AggregateNotificationsExposedDataRecordsV1ReconGet notification exposed data record aggregates as specified via JSON in request body. The valid aggregation fields are: [cid notification_id created_date rule.id rule.name rule.topic source_category site author file.name credential_status bot.operating_system.hardware_id bot.bot_id]
AggregateNotificationsV1ReconGet notification aggregates as specified via JSON in request body.
AggregatePreventionPolicyFalcon Complete DashboardRetrieve prevention policies aggregate values based on the matched filter
AggregateRemediationsFalcon Complete DashboardRetrieve aggregate remediation ticket values based on the matched filter
AggregatesDetectionsGlobalCountsOverwatch DashboardGet the total number of detections pushed across all customers
AggregateSensorUpdatePolicyFalcon Complete DashboardRetrieve sensor update policies aggregate values
AggregateSupportIssuesFalcon Complete DashboardRetrieve support issue aggregate values
AggregatesEventsOverwatch DashboardGet aggregate OverWatch detection event info by providing an aggregate query
AggregatesEventsCollectionsOverwatch DashboardGet OverWatch detection event collection info by providing an aggregate query
AggregatesIncidentsGlobalCountsOverwatch DashboardGet the total number of incidents pushed across all customers
AggregatesOWEventsGlobalCountsOverwatch DashboardGet the total number of OverWatch events across all customers
AggregateTotalDeviceCountsFalcon Complete DashboardRetrieve aggregate total host/devices based on the matched filter
api_preempt_proxy_post_graphqlIdentity ProtectionIdentity Protection GraphQL API. Allows to retrieve entities, timeline activities, identity-based incidents and security assessment. Allows to perform actions on entities and identity-based incidents.
ArchiveDeleteV1Sample UploadsDelete an archive that was uploaded previously
ArchiveGetV1Sample UploadsRetrieves the archives upload operation statuses. Status done means that archive was processed successfully. Status error means that archive was not processed successfully.
ArchiveListV1Sample UploadsRetrieves the archives files in chunks.
ArchiveUploadV1Sample UploadsUploads an archive and extracts files list from it. Operation is asynchronous use /archives/entities/archives/v1 to check the status. After uploading, use /archives/entities/extractions/v1 to copy the file to internal storage making it available for content analysis. This method is deprecated in favor of /archives/entities/archives/v2
ArchiveUploadV2Sample UploadsUploads an archive and extracts files list from it. Operation is asynchronous use /archives/entities/archives/v1 to check the status. After uploading, use /archives/entities/extractions/v1 to copy the file to internal storage making it available for content analysis.
audit_events_queryInstallation TokensSearch for audit events by providing a FQL filter and paging details.
audit_events_readInstallation TokensGets the details of one or more audit events by id.
AzureDownloadCertificateCSPM RegistrationReturns JSON object(s) that contain the base64 encoded certificate for a service principal.
BatchActiveResponderCmdReal Time ResponseBatch executes a RTR active-responder command across the hosts mapped to the given batch ID.
BatchAdminCmdReal Time Response AdminBatch executes a RTR administrator command across the hosts mapped to the given batch ID.
BatchCmdReal Time ResponseBatch executes a RTR read-only command across the hosts mapped to the given batch ID.
BatchGetCmdReal Time ResponseBatch executes get command across hosts to retrieve files. After this call is made GET /real-time-response/combined/batch-get-command/v1 is used to query for the results.
BatchGetCmdStatusReal Time ResponseRetrieves the status of the specified batch get command. Will return successful files when they are finished processing.
BatchInitSessionsReal Time ResponseBatch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host.
BatchRefreshSessionsReal Time ResponseBatch refresh a RTR session on multiple hosts. RTR sessions will expire after 10 minutes unless refreshed.
blob_download_external_assetsExposure ManagementDownload the entire contents of the blob. The relative link to this endpoint is returned in the get_external_assets request.
blob_preview_external_assetsExposure ManagementDownload a preview of the blob. The relative link to this endpoint is returned in the get_external_assets request.
cancel_scansODSCancel ODS scans for the given scan ids.
CaseAddActivityMessage CenterAdd an activity to case. Only activities of type comment are allowed via API
CaseAddAttachmentMessage CenterUpload an attachment for the case.
CaseDownloadAttachmentMessage Centerretrieves an attachment for the case, given the attachment id
cb_exclusions_create_v1Certificate Based ExclusionsCreate new Certificate Based Exclusions.
cb_exclusions_delete_v1Certificate Based ExclusionsDelete the exclusions by id
cb_exclusions_get_v1)Certificate Based ExclusionsFind all exclusion IDs matching the query with filter
cb_exclusions_update_v1Certificate Based ExclusionsUpdates existing Certificate Based Exclusions
cb_exclusions_query_v1Certificate Based ExclusionsSearch for cert-based exclusions.
certificates_get_v1Certificate Based ExclusionsRetrieves certificate signing information for a file
combined_applicationsDiscoverSearch for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns details on applications which match the filter criteria.
CombinedBaseImagesContainer ImagesRetrieve base images identified by the provided filter criteria
combined_edges_getThreatGraphRetrieve edges for a given vertex id. One edge type must be specified
combined_hostsDiscoverSearch for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns details on assets which match the filter criteria.
CombinedImageByVulnerabilityCountContainer ImagesRetrieve top x images with the most vulnerabilities
CombinedImageDetailContainer ImagesRetrieve image entities identified by the provided filter criteria
CombinedImageIssuesSummaryContainer ImagesRetrieve image issues summary such as Image detections, Runtime detections, Policies, vulnerabilities
CombinedImageVulnerabilitySummaryContainer Imagesaggregates information about vulnerabilities for an image
combinedQueryEvaluationLogicSpotlight Evaluation LogicSearch for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic entities which match the filter criteria.
combinedQueryVulnerabilitiesSpotlight VulnerabilitiesSearch for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria
combined_ran_on_getThreatGraphLook up instances of indicators such as hashes, domain names, and ip addresses that have been seen on devices in your environment.
combined_summary_getThreatGraphRetrieve summary for a given vertex ID
combinedUserRolesV1User ManagementGet User Grant(s). This endpoint lists both direct as well as flight control grants between a User and a Customer.
ConnectCSPMGCPAccountCSPM RegistrationCreates a new GCP account with newly-uploaded service account or connects with existing service account with only the following fields: parent_id, parent_type and service_account_id
ConnectD4CGCPAccountD4C RegistrationCreates a new GCP account with newly-uploaded service account or connects with existing service account with only the following fields: parent_id, parent_type and service_account_id
create_network_locationsFirewall ManagementCreate new network locations provided, and return the ID.
create_ruleCustom IOACreate a rule within a rule group. Returns the rule.
create_rule_groupFirewall ManagementCreate new rule group on a platform for a customer with a name and description, and return the ID
create_rule_group_validationFirewall ManagementValidates the request of creating a new rule group on a platform for a customer with a name and description
create_rule_groupMixin0Custom IOACreate a rule group for a platform with a name and an optional description. Returns the rule group.
create_scanODSCreate ODS scan and start or schedule scan for the given scan request.
CreateActionsV1ReconCreate actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule.
CreateAWSAccountKubernetes ProtectionCreates a new AWS account in our system for a customer and generates the installation script
CreateAzureSubscriptionKubernetes ProtectionCreates a new Azure Subscription in our system
CreateBaseImagesEntitiesContainer ImagesCreates base images using the provided details
CreateCaseMessage Centercreate a new case
CreateCaseV2Message Centercreate a new case
createCIDGroupsMSSP (Flight Control)Create new CID groups. Name is a required field but description is an optional field. Maximum 500 CID groups allowed.
CreateCSPMAwsAccountCSPM RegistrationCreates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access.
CreateCSPMAzureAccountCSPM RegistrationCreates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.
CreateCSPMGCPAccountCSPM RegistrationCreates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access.
CreateD4CAwsAccountD4C RegistrationCreates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access.
CreateD4CGCPAccountD4C RegistrationCreates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access.
CreateDeploymentEntityCloud SnapshotsLaunch a snapshot scan for a given cloud asset.
createDeviceControlPoliciesDevice Control PoliciesCreate Device Control Policies by specifying details about the policy to create
CreateDiscoverCloudAzureAccountD4C RegistrationCreates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.
CreateExecutorNodeASPMCreate a new relay node
CreateExportJobsV1ReconLaunch asynchronous export job. Use the job ID to poll the status of the job using GET /entities/exports/v1.
createFirewallPoliciesFirewall PoliciesCreate Firewall Policies by specifying details about the policy to create
createHostGroupsHost GroupCreate Host Groups by specifying details about the group to create
CreateIntegrationASPMCreate a new integration
CreateIntegrationTaskASPMCreate new integration task.
createIOAExclusionsV1IOA ExclusionsCreate the IOA exclusions
CreateMigrationV1Host MigrationCreate a device migration job.
createMLExclusionsV1ML ExclusionsCreate the ML exclusions
CreateOrUpdateAWSSettingsCloud Connect AWSCreate or update Global Settings which are applicable to all provisioned AWS accounts
createPoliciesFilevantageCreates a new policy of the specified type. New policies are always added at the end of the precedence list for the provided policy type.
CreatePoliciesImage Assessment PoliciesCreate Image Assessment policies
CreatePolicyGroupsImage Assessment PoliciesCreate Image Assessment Policy Group entities
createPreventionPoliciesPrevention PolicyCreate Prevention Policies by specifying details about the policy to create
CreateRegistryEntitiesFalcon Container ImageCreate a registry entity using the provided details
createRTResponsePoliciesResponse PoliciesCreate Response Policies by specifying details about the policy to create
createRuleGroupsFilevantageCreates a new rule group of the specified type.
createRulesFilevantageCreates a new rule configuration within the specified rule group.
CreateRulesV1ReconCreate monitoring rules.
CreateSavedSearchesDynamicExecuteAltV1Foundry LogscaleExecute a dynamic saved search
CreateSavedSearchesDynamicExecuteV1Foundry LogscaleExecute a dynamic saved search
CreateSavedSearchesExecuteAltV1Foundry LogscaleExecute a saved search
CreateSavedSearchesExecuteV1Foundry LogscaleExecute a saved search
CreateSavedSearchesIngestAltV1Foundry LogscalePopulate a saved search
CreateSavedSearchesIngestV1Foundry LogscalePopulate a saved search
createScheduledExclusionsFilevantageCreates a new scheduled exclusion configuration for the provided policy id.
createSensorUpdatePoliciesSensor Update PolicyCreate Sensor Update Policies by specifying details about the policy to create
createSensorUpdatePoliciesV2Sensor Update PolicyCreate Sensor Update Policies by specifying details about the policy to create with additional support for uninstall protection
createSVExclusionsV1Sensor Visibility ExclusionsCreate the sensor visibility exclusions
CreateUserUser ManagementDeprecated : Please use POST /user-management/entities/users/v1. Create a new user. After creating a user, assign one or more roles with POST /user-roles/entities/user-roles/v1
createUserGroupsMSSP (Flight Control)Create new user groups. Name is a required field but description is an optional field. Maximum 500 user groups allowed per customer.
createUserV1User ManagementCreate a new user. After creating a user, assign one or more roles with POST '/user-management/entities/user-role-actions/v1'
CrowdScoreIncidentsQuery environment wide CrowdScore and return the entity data
customer_settings_readInstallation TokensCheck current installation token settings.
customer_settings_updateInstallation Tokens SettingsUpdate installation token settings.
delete_external_assetsExposure ManagementDelete multiple external assets.
delete_network_locationsFirewall ManagementDelete network location entities by ID.
delete_policy_rulesIdentity ProtectionDelete policy rules.
delete_rule_groupsFirewall ManagementDelete rule group entities by ID
delete_rule_groupsMixin0Custom IOADelete rule groups by ID.
delete_rulesCustom IOADelete rules from a rule group by ID.
delete_scheduled_scansODSDelete ODS scheduled-scans for the given scheduled-scan ids.
DeleteActionV1ReconDelete an action from a monitoring rule based on the action ID.
DeleteAWSAccountsCloud Connect AWSDelete a set of AWS Accounts by specifying their IDs
DeleteAWSAccountsMixin0Kubernetes ProtectionDelete AWS accounts.
DeleteAzureSubscriptionKubernetes ProtectionDeletes a new Azure Subscription in our system
DeleteBaseImagesContainer ImagesDeletes base images by base image UUID
deleteCIDGroupMembersMSSP (Flight Control)Deprecated : Please use DELETE /entities/cid-group-members/v2. Delete CID group members.
deleteCIDGroupMembersV2MSSP (Flight Control)Delete CID group members. Prevents removal of a cid group a cid group if it is only part of one cid group.
deleteCIDGroupsMSSP (Flight Control)Delete CID groups by ID.
DeleteCSPMAwsAccountCSPM RegistrationDeletes an existing AWS account or organization in our system.
DeleteCSPMAzureAccountCSPM RegistrationDeletes an Azure subscription from the system.
DeleteD4CAwsAccountD4C RegistrationDeletes an existing AWS account or organization in our system.
DeleteCSPMAzureManagementGroupCSPM RegistrationDeletes Azure management groups from the system.
DeleteCSPMGCPAccountCSPM RegistrationDeletes a GCP account from the system.
DeleteD4CGCPAccountD4C RegistrationDeletes a GCP account from the system.
deleteDeviceControlPoliciesDevice Control PoliciesDelete a set of Device Control Policies by specifying their IDs
deletedRolesMSSP (Flight Control)Delete links or additional roles between user groups and CID groups. User group ID and CID group ID have to be specified in request. Only specified roles are removed if specified in request payload, else association between User Group and CID group is dissolved completely (if no roles specified).
DeleteExportJobsV1ReconDelete export jobs (and their associated file(s)) based on their IDs.
DeleteExecutorNodeASPMDelete a relay node
DeleteFileQuick Scan ProDeletes file by its sha256 identifier.
deleteFirewallPoliciesFirewall PoliciesDelete a set of Firewall Policies by specifying their IDs
deleteHostGroupsHost GroupDelete a set of Host Groups by specifying their IDs
DeleteIntegrationASPMDelete an existing integration by its ID
DeleteIntegrationTaskASPMDelete an existing integration task by its ID
deleteIOAExclusionsV1IOA ExclusionsDelete the IOA exclusions by id
deleteMLExclusionsV1ML ExclusionsDelete the ML exclusions by id
DeleteNotificationsV1ReconDelete notifications based on IDs. Notifications cannot be recovered after they are deleted.
DeleteObjectCustom StorageDelete the specified object
DeleteVersionedObjectCustom StorageDelete the specified versioned object.
deletePoliciesFilevantageDeletes 1 or more policies.
DeletePolicyImage Assessment PoliciesDelete Image Assessment Policy by policy UUID
DeletePolicyGroupImage Assessment PoliciesDelete Image Assessment Policy Group entities
deletePreventionPoliciesPrevention PolicyDelete a set of Prevention Policies by specifying their IDs
DeleteRegistryEntitiesFalcon Container ImageDelete the registry entity identified by the entity UUID
DeleteReportFalcon Intelligence SandboxDelete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint.
deleteRTResponsePoliciesResponse PoliciesDelete a set of Response Policies by specifying their IDs
deleteRuleGroupsFilevantageDeletes 1 or more rule groups
deleteRulesFilevantageDeletes 1 or more rules from the specified rule group.
DeleteRulesV1ReconDelete monitoring rules.
DeleteSampleV2Falcon Intelligence SandboxRemoves a sample, including file, meta and submissions from the collection
DeleteSampleV3Sample UploadsRemoves a sample, including file, meta and submissions from the collection
DeleteScanResultQuick Scan ProDeletes the result of an QuickScan Pro scan.
deleteScheduledExclusionsFilevantageDeletes 1 or more scheduled exclusions from the provided policy id.
deleteSensorUpdatePoliciesSensor Update PolicyDelete a set of Sensor Update Policies by specifying their IDs
deleteSensorVisibilityExclusionsV1Sensor Visibility ExclusionsDelete the sensor visibility exclusions by id
DeleteTagsASPMRemove existing tags
DeleteUserUser ManagementDeprecated : Please use DELETE /user-management/entities/users/v1. Delete a user permanently
deleteUserGroupMembersMSSP (Flight Control)Delete user group members entry.
deleteUserGroupsMSSP (Flight Control)Delete user groups by ID.
deleteUserV1User ManagementDelete a user permanently.
DevicesCountIOCsNumber of hosts in your customer account that have observed a given custom IOC
DevicesRanOnIOCsFind hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1
DiscoverCloudAzureDownloadCertificateD4C RegistrationReturns JSON object(s) that contain the base64 encoded certificate for a service principal.
DownloadFileDownloadsRetrieve a pre-signed URL for the requested file.
DownloadSensorInstallerByIdSensor DownloadDownload sensor installer by SHA256 ID
DownloadSensorInstallerByIdV2Sensor DownloadDownload sensor installer by SHA256 ID
entities_perform_actionHostsPerforms the specified action on the provided group IDs.
entities_processesIOCsFor the provided ProcessID retrieve the process details
entities_vertices_getThreatGraphRetrieve metadata for a given vertex ID
entities_vertices_getv2ThreatGraphRetrieve metadata for a given vertex ID
entitiesRolesV1User ManagementGet info about a role
EnumerateFileDownloadsEnumerate a list of files available for CID.
ExecuteCommandAPI IntegrationsExecute a command.
ExecuteCommandProxyAPI IntegrationsExecute a command and proxy the response directly.
ExecuteQueryASPMExecute a query. The syntax used is identical to that of the query page.
extAggregateClusterAssessmentsCompliance AssessmentsGet the assessments for each cluster.
extAggregateFailedContainersByRulesPathCompliance AssessmentsGet the containers grouped into rules on which they failed.
extAggregateFailedContainersCountBySeverityCompliance AssessmentsGet the failed containers count grouped into severity levels.
extAggregateFailedImagesByRulesPathCompliance AssessmentsGet the images grouped into rules on which they failed.
extAggregateFailedImagesCountBySeverityCompliance AssessmentsGet the failed images count grouped into severity levels.
extAggregateFailedRulesByClustersCompliance AssessmentsGet the failed rules for each cluster grouped into severity levels.
extAggregateFailedRulesByImagesCompliance AssessmentsGet images with failed rules, rule count grouped by severity for each image.
extAggregateFailedRulesCountBySeverityCompliance AssessmentsGet the failed rules count grouped into severity levels.
extAggregateRulesByStatusCompliance AssessmentsGet the rules grouped by their statuses.
extAggregateImageAssessmentsCompliance AssessmentsGet the assessments for each image.
extAggregateRulesAssessmentsCompliance AssessmentsGet the assessments for each rule.
ExtractionCreateV1Sample UploadsExtracts files from an uploaded archive and copies them to internal storage making it available for content analysis.
ExtractionGetV1Sample UploadsRetrieves the files extraction operation statuses. Status done means that all files were processed successfully. Status error means that at least one of the file could not be processed.
ExtractionListV1Sample UploadsRetrieves the files extractions in chunks. Status done means that all files were processed successfully. Status error means that at least one of the file could not be processed.
fdrschema_combined_event_getEvent SchemaFetch combined schema
fdrschema_entities_event_getEvent SchemaFetch event schema by ID
fdrschema_entities_field_getField SchemaFetch field schema by ID
fdrschema_queries_event_getEvent SchemaGet list of event IDs given a particular query.
fdrschema_queries_field_getField SchemaGet list of field IDs given a particular query.
FindContainersByContainerRunTimeVersionKubernetes ProtectionRetrieve containers by container_runtime_version
FindContainersCountAffectedByZeroDayVulnerabilitiesKubernetes ProtectionRetrieve containers count affected by zero day vulnerabilities
get_accountsDiscoverGet details on accounts by providing one or more IDs.
get_applicationsDiscoverGet details on applications by providing one or more IDs.
get_data_scanner_tasksDataScannerRetrieve pending tasks.
get_eventsFirewall ManagementGet events entities by ID and optionally version
get_firewall_fieldsFirewall ManagementGet the firewall field specifications by ID
get_hostsDiscoverGet details on assets by providing one or more IDs.
get_image_registry_credentialsDataScannerRetrieves image registry credentials.
get_iot_hostsDiscoverGet details on IoT assets by providing one or more IDs.
get_loginsDiscoverGet details on logins by providing one or more IDs.
get_malicious_files_by_idsODSGet malicious files by ids.
get_network_locationsFirewall ManagementGet a summary of network locations entities by ID
get_network_locations_detailsFirewall ManagementGet network locations entities by ID
get_patternsCustom IOAGet pattern severities by ID.
get_platformsFirewall ManagementGet platforms by ID, e.g., windows or mac or droid
get_platformsMixin0Custom IOAGet platforms by ID.
get_policy_containersFirewall ManagementGet policy container entities by policy ID
get_policy_rulesIdentity ProtectionGet policy rules.
get_policy_rules_queryIdentity ProtectionQuery policy rule IDs.
get_rule_groupsFirewall ManagementGet rule group entities by ID. These groups do not contain their rule entites, just the rule IDs in precedence order.
get_rule_groupsMixin0Custom IOAGet rule groups by ID.
get_rule_typesCustom IOAGet rule types by ID.
get_rulesFirewall ManagementGet rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string)
get_rules_getCustom IOAGet rules by ID and optionally with cid and/or version in the following format: [cid:]ID[:version].
get_rulesMixin0Custom IOAGet rules by ID and optionally with cid and/or version in the following format: [cid:]ID[:version]. The max number of IDs is constrained by URL size.
get_scan_host_metadata_by_idsODSGet scan hosts by ids.
get_scans_by_scan_idsODSGet Scans by IDs.
get_scans_by_scan_ids_v2ODSGet Scans by IDs.
get_scheduled_scans_by_scan_idsODSGet ScheduledScans by IDs.
GetActionsV1ReconGet actions based on their IDs. IDs can be retrieved using the GET /queries/actions/v1 endpoint.
getActionsMixin0FileVantageRetrieve the processing results for one or more actions.
GetAggregateDetectsDetectsGet detect aggregates as specified via json in request body.
GetAggregateFilesQuarantineGet quarantine file aggregates as specified via json in request body.
GetArtifactsFalcon Intelligence SandboxDownload IOC packs, PCAP files, memory dumps, and other analysis artifacts.
getAssessmentsByScoreV1Zero Trust AssessmentGet Zero Trust Assessment data for one or more hosts by providing a customer ID (CID) and a range of scores.
getAssessmentV1Zero Trust AssessmentGet Zero Trust Assessment data for one or more hosts by providing agent IDs (AID) and a customer ID (CID).
getAuditV1Zero Trust AssessmentGet the Zero Trust Assessment audit report for one customer ID (CID).
GetAvailableRoleIdsUser ManagementDeprecated : Please use GET /user-management/queries/roles/v1. Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /customer/entities/roles/v1.
GetAWSAccountsCloud Connect AWSRetrieve a set of AWS Accounts by specifying their IDs
GetAWSAccountsMixin0Kubernetes ProtectionProvides a list of AWS accounts.
GetAWSSettingsCloud Connect AWSRetrieve a set of Global Settings which are applicable to all provisioned AWS accounts
GetAzureInstallScriptKubernetes ProtectionProvides the script to run for a given tenant id and subscription IDs
GetAzureTenantConfigKubernetes ProtectionGets the Azure tenant Config
GetAzureTenantIDsKubernetes ProtectionProvides all the azure subscriptions and tenants
GetBehaviorDetectionsCSPM RegistrationGet list of detected behaviors
GetBehaviorsIncidentsGet details on behaviors by providing behavior IDs
GetCaseActivityByIdsMessage CenterRetrieve activities for given id's
GetCaseEntitiesByIDsMessage CenterRetrieve message center cases
getChangesFilevantageRetrieve information on changes
getChildrenMSSP (Flight Control)Get link to child customer by child CID(s)
getChildrenV2MSSP (Flight Control)Get link to child customer by child CID(s)
getCIDGroupByIdMSSP (Flight Control)Deprecated : Please use GET /mssp/entities/cid-groups/v2. Get CID groups by ID.
getCIDGroupByIdV2MSSP (Flight Control)Get CID Groups by ID.
getCIDGroupMembersByMSSP (Flight Control)Deprecated : Please use GET /mssp/entities/cid-group-members/v2. Get CID group members by CID group ID.
getCIDGroupMembersByV2MSSP (Flight Control)Get CID group members by CID Group ID.
GetClustersKubernetes ProtectionProvides the clusters acknowledged by the Kubernetes Protection service
getCombinedAssessmentsQueryConfiguration AssessmentSearch for assessments in your environment by providing a FQL filter and paging details. Returns a set of HostFinding entities which match the filter criteria
GetCombinedCloudClustersKubernetes ProtectionReturns a combined list of provisioned cloud accounts and known kubernetes clusters
GetCombinedImagesContainer ImagesGet image assessment results by providing a FQL filter and paging details
GetCombinedPluginConfigsAPI IntegrationsQueries for config resources and returns details
GetCombinedSensorInstallersByQuerySensor DownloadGet sensor installer details by provided query
GetCombinedSensorInstallersByQueryV2Sensor DownloadGet sensor installer details by provided query
GetConfigurationDetectionEntitiesCSPM RegistrationGet misconfigurations based on the ID - including custom policy detections in addition to default policy detections.
GetConfigurationDetectionIDsV2CSPM RegistrationGet list of active misconfiguration ids - including custom policy detections in addition to default policy detections.
GetConfigurationDetectionsCSPM RegistrationGet list of active misconfigurations
getContentsFileVantageRetrieves the content captured for the provided change ID.
GetCredentialsFalcon ContainerGets the registry credentials
GetCredentialsIACCloud SnapshotsRetrieve the registry credentials (external endpoint).
GetCredentialsMixin0ProvisionGets the registry credentials
GetCSPMAwsAccountCSPM RegistrationReturns information about the current status of an AWS account.
GetCSPMAwsAccountScriptsAttachmentCSPM RegistrationReturn a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment.
GetCSPMAwsConsoleSetupURLsCSPM RegistrationReturn a URL for customer to visit in their cloud environment to grant us access to their AWS environment.
GetCSPMAzureAccountCSPM RegistrationReturn information about Azure account registration
GetCSPMAzureManagementGroupCSPM RegistrationReturn information about Azure management group registration
CreateCSPMAzureManagementGroupCSPM RegistrationCreates a new management group in our system for a customer.
GetCSPMAzureUserScriptsAttachmentCSPM RegistrationReturn a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment
GetCSPMCGPAccountCSPM RegistrationReturns information about the current status of a GCP account.
GetCSPMGCPServiceAccountsExtCSPM RegistrationReturns the service account id and client email for external clients.
GetCSPMGCPValidateAccountsExtCSPM RegistrationRun a synchronous health check.
GetCSPMGCPUserScriptsAttachmentCSPM RegistrationReturn a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment
GetCSPMPoliciesDetailsCSPM RegistrationGiven an array of policy IDs, returns detailed policies information.
GetCSPMPolicyCSPM RegistrationGiven a policy ID, returns detailed policy information.
GetCSPMPolicySettingsCSPM RegistrationReturns information about current policy settings.
GetCSPMScanScheduleCSPM RegistrationReturns scan schedule configuration for one or more cloud platforms.
GetD4CAwsAccountD4C RegistrationReturns information about the current status of an AWS account.
GetD4CAWSAccountScriptsAttachmentD4C RegistrationReturn a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment.
GetD4CAwsConsoleSetupURLsD4C RegistrationReturn a URL for customer to visit in their cloud environment to grant us access to their AWS environment.
GetD4CCGPAccountD4C RegistrationReturns information about the current status of a GCP account.
GetD4CGCPUserScriptsD4C RegistrationReturn a script for customer to run in their cloud environment to grant us access to their GCP environment
GetD4CGCPServiceAccountsExtD4C RegistrationReturns the service account id and client email for external clients.
GetD4CGCPUserScriptsAttachmentD4C RegistrationReturn a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment
getDefaultDeviceControlPoliciesDevice Control PoliciesRetrieve the configuration for a Default Device Control Policy
GetDeliverySettingsDelivery SettingsGet Delivery Settings.
GetDetectSummariesDetectsView information about detections
getDeviceControlPoliciesDevice Control PoliciesRetrieve a set of Device Control Policies by specifying their IDs
GetDeviceCountCollectionQueriesByFilterFalcon Complete DashboardRetrieve device count collection IDs that match the provided FQL filter criteria with scrolling enabled
GetDeviceDetailsV2HostsGet details on one or more hosts by providing host IDs as a query parameter. Supports up to a maximum 100 IDs.
GetDiscoverCloudAzureAccountD4C RegistrationReturn information about Azure account registration
GetDiscoverCloudAzureTenantIDsD4C RegistrationReturn available tenant ids for discover for cloud
GetDiscoverCloudAzureUserScriptsD4C RegistrationReturn a script for customer to run in their cloud environment to grant us access to their Azure environment
GetDiscoverCloudAzureUserScriptsAttachmentD4C RegistrationReturn a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment
GetDriftIndicatorsValuesByDateDrift IndicatorsReturns the count of Drift Indicators by date. By default, the count covers 7 days.
GetExecutorNodesASPMGet all the relay nodes
getEvaluationLogicSpotlight Evaluation LogicGet details on evaluation logic items by providing one or more IDs.
getEvaluationLogicMixin0Configuration Assessment Evaluation LogicGet details on evaluation logic items by providing one or more finding IDs.
GetEventsBodyTailored IntelligenceGet event body for the provided event ID
GetEventsEntitiesTailored IntelligenceGet events entities for specified ids.
GetExportJobsV1ReconGet the status of export jobs based on their IDs. Export jobs can be launched by calling POST /entities/exports/v1. When a job is complete, use the job ID to download the file(s) associated with it using GET entities/export-files/v1.
get_external_assetsExposure ManagementGet details on external assets by providing one or more IDs.
GetFileContentForExportJobsV1ReconDownload the file associated with a job ID.
getFirewallPoliciesFirewall PoliciesRetrieve a set of Firewall Policies by specifying their IDs
GetHelmValuesYamlKubernetes ProtectionProvides a sample Helm values.yaml file for a customer to install alongside the agent Helm chart
GetHorizonD4CScriptsD4C RegistrationReturns static install scripts for Horizon.
getHostGroupsHost GroupRetrieve a set of Host Groups by specifying their IDs
GetHostMigrationIDsV1Host MigrationQuery host migration IDs.
GetHostMigrationsV1Host MigrationGet host migration details.
GetIncidentsIncidentsGet details on incidents by providing incident IDs
GetIndicatorsReportIOCLaunch an indicators report creation job
GetIntegrationsASPMGet a list of all the integrations
GetIntegrationTasksASPMGet all the integration tasks
GetIntegrationTypesASPMGet all the integration types
GetIntelActorEntitiesIntelRetrieve specific actors using their actor IDs.
GetIntelIndicatorEntitiesIntelRetrieve specific indicators using their indicator IDs.
GetIntelReportEntitiesIntelRetrieve specific reports using their report IDs.
GetIntelReportPDFIntelReturn a Report PDF attachment
GetIntelRuleEntitiesIntelRetrieve details for rule sets for the specified ids.
GetIntelRuleFileIntelDownload earlier rule sets.
getIOAExclusionsV1IOA ExclusionsGet a set of IOA Exclusions by specifying their IDs
GetLatestIntelRuleFileIntelDownload the latest rule set.
GetLocationsKubernetes ProtectionProvides the cloud locations acknowledged by the Kubernetes Protection service
GetMalQueryDownloadV1MalQueryDownload a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time
GetMalQueryEntitiesSamplesFetchV1MalQueryFetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing
GetMalQueryMetadataV1MalQueryRetrieve indexed files metadata by their hash
GetMalQueryQuotasV1MalQueryGet information about search and download quotas in your environment
GetMalQueryRequestV1MalQueryCheck the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time.
GetMalwareEntitiesIntelGet malware entities for specified IDs.
GetMemoryDumpFalcon Intelligence SandboxGet memory dump content, as binary
GetMemoryDumpExtractedStringsFalcon Intelligence SandboxGet extracted strings from a memory dump
GetMemoryDumpHexDumpFalcon Intelligence SandboxGet hex view of a memory dump
GetMigrationDestinationsV1Host MigrationGet destinations for a migration.
GetMigrationIDsV1Host MigrationQuery migration jobs.
GetMigrationsV1Host MigrationGet migration job details.
GetMitreReportIntelExport Mitre ATT&CK information for a given actor.
getMLExclusionsV1ML ExclusionsGet a set of ML Exclusions by specifying their IDs
GetNotificationsDetailedTranslatedV1ReconGet detailed notifications based on their IDs. These include the raw intelligence content that generated the match. This endpoint will return translated notification content. The only target language available is English. A single notification can be translated per request
GetNotificationsDetailedV1ReconGet detailed notifications based on their IDs. These include the raw intelligence content that generated the match.
GetNotificationsExposedDataRecordsV1ReconGet notifications exposed data records based on their IDs. IDs can be retrieved using the GET /queries/notifications-exposed-data-records/v1 endpoint. The associated notification can be fetched using the /entities/notifications/v* endpoints
GetNotificationsTranslatedV1ReconGet notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. This endpoint will return translated notification content. The only target language available is English.
GetNotificationsV1ReconGet notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint.
GetObjectCustom StorageGet the bytes for the specified object
GetVersionedObjectCustom StorageGet the bytes for the specified object.
GetObjectMetadataCustom StorageGet the metadata for the specified object
GetVersionedObjectMetadataCustom StorageGet the metadata for the specified object.
GetOnlineState_V1HostsGet the online status for one or more hosts by specifying each host's unique ID. Successful requests return an HTTP 200 response and, for each host identified by host ID, a state of online, offline, or unknown. Make a GET request to /devices/queries/devices/v1 to get a list of host IDs.
getPoliciesFilevantageRetrieves the configuration for 1 or more policies.
getPreventionPoliciesPrevention PolicyRetrieve a set of Prevention Policies by specifying their IDs
GetQuarantineFilesQuarantineGet quarantine file metadata for specified ids.
GetQueriesAlertsV1AlertsRetrieves all Alerts IDs that match a given query
GetQueriesAlertsV2AlertsRetrieves all Alerts IDs that match a given query
getRemediationsV2Spotlight VulnerabilitiesGet details on remediation by providing one or more IDs
GetReportsFalcon Intelligence SandboxGet a full sandbox report.
GetRolesUser ManagementDeprecated : Please use GET /user-management/entities/roles/v1. Get info about a role
getRolesByIDMSSP (Flight Control)Get link between user group and CID group by ID. Link ID is a string consisting of multiple components, but should be treated as opaque.
GetRuntimeDetectionsCombinedV2Container DetectionsRetrieve image assessment detections identified by the provided filter criteria.
getRTResponsePoliciesResponse PoliciesRetrieve a set of Response Policies by specifying their IDs
getRuleDetailsConfiguration AssessmentGet rules details for provided one or more rule IDs
getRuleGroupsFilevantageRetrieves the rule group details for 1 or more rule groups.
getRulesFilevantageRetrieves the configuration for 1 or more rules.
GetRulesEntitiesTailored IntelligenceGet rules entities for specified ids.
GetRulesV1ReconGet monitoring rules based on their IDs. IDs can be retrieved using the GET /queries/rules/v1 endpoint.
GetSampleV2Falcon Intelligence SandboxRetrieves the file associated with the given ID (SHA256)
GetSampleV3Sample UploadsRetrieves the file associated with the given ID (SHA256)
GetSavedSearchesExecuteAltV1Foundry LogscaleGet the results of a saved search
GetSavedSearchesExecuteV1Foundry LogscaleGet the results of a saved search
GetSavedSearchesJobResultsDownloadAltV1Foundry LogscaleGet the results of a saved search as a file
GetSavedSearchesJobResultsDownloadV1Foundry LogscaleGet the results of a saved search as a file
GetScanResultQuick Scan ProGets the result of a QuickScan Pro scan.
GetScansQuick ScanCheck the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute
GetScansAggregatesQuick ScanGet scans aggregations as specified via json in request body.
GetScanReportCloud SnapshotsRetrieve the scan report for an instance.
getScheduledExclusionsFilevantageRetrieves the configuration of 1 or more scheduled exclusions from the provided policy id.
GetSensorAggregatesIdentity EntitiesGet sensor aggregates as specified via json in request body.
GetSensorDetailsIdentity EntitiesGet details on one or more sensors by providing device IDs in a POST body. Supports up to a maximum of 5000 IDs.
GetSensorInstallersByQuerySensor DownloadGet sensor installer IDs by provided query
GetSensorInstallersByQueryV2Sensor DownloadGet sensor installer IDs by provided query
GetSensorInstallersCCIDByQuerySensor DownloadGet CCID to use with sensor installers
GetSensorInstallersEntitiesSensor DownloadGet sensor installer details by provided SHA256 IDs
GetSensorInstallersEntitiesV2Sensor DownloadGet sensor installer details by provided SHA256 IDs
getSensorUpdatePoliciesSensor Update PolicyRetrieve a set of Sensor Update Policies by specifying their IDs
getSensorUpdatePoliciesV2Sensor Update PolicyRetrieve a set of Sensor Update Policies with additional support for uninstall protection by specifying their IDs
GetSensorUsageWeeklySensor UsageFetches weekly average. Each data point represents the average of how many unique AIDs were seen per week for the previous 28 days.
getSensorVisibilityExclusionsV1Sensor Visibility ExclusionsGet a set of Sensor Visibility Exclusions by specifying their IDs
GetServicesCountASPMGet the total amount of existing services
GetServiceViolationTypesASPMGet the different types of violation
GetStaticScriptsKubernetes ProtectionGets static bash scripts that are used during registration
GetSubmissionsFalcon Intelligence SandboxCheck the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
GetSummaryReportsFalcon Intelligence SandboxGet a short summary version of a sandbox report.
GetTagsASPMGet all tags
getUserGroupMembersByIDMSSP (Flight Control)Deprecated : Please use GET /mssp/entities/user-group-members/v2. Get user group members by user group ID.
getUserGroupMembersByIDV2MSSP (Flight Control)Get user group members by user group ID.
getUserGroupsByIDMSSP (Flight Control)Deprecated : Please use GET /entities/user-groups/v2. Get user groups by ID.
getUserGroupsByIDV2MSSP (Flight Control)Get user groups by ID.
GetUserRoleIdsUser ManagementDeprecated : Please use GET /user-management/combined/user-roles/v1. Show role IDs of roles assigned to a user. For more information on each role, provide the role ID to /customer/entities/roles/v1.
GetVulnerabilitiesIntelGet vulnerabilities
getVulnerabilitiesSpotlight VulnerabilitiesGet details on vulnerabilities by providing one or more IDs
GrantUserRoleIdsUser ManagementDeprecated : Please use POST /user-management/entities/user-role-actions/v1. Assign one or more roles to a user
GroupContainersByManagedKubernetes ProtectionGroup the containers by Managed
handleDataScannerProduces the input message into the corresponding Kafka topic.
highVolumeQueryChangesFilevantageReturns 1 or more change ids
HostMigrationsActionsV1Host MigrationPerform an action on host migrations.
HostMigrationAggregatesV1Host MigrationGet host migration aggregates as specified via json in request body.
indicator_aggregate_v1IOCGet Indicators aggregates as specified via json in the request body.
indicator_combined_v1IOCGet Combined for Indicators.
indicator_create_v1IOCCreate Indicators.
indicator_delete_v1IOCDelete Indicators by ids.
indicator_get_device_count_v1IOCGet the number of devices the indicator has run on
indicator_get_devices_ran_on_v1IOCGet the IDs of devices the indicator has run on
indicator_get_processes_ran_on_v1IOCGet the number of processes the indicator has run on
indicator_get_v1IOCGet Indicators by ids.
indicator_search_v1IOCSearch for Indicators.
indicator_update_v1IOCUpdate Indicators.
IngestDataV1Foundry LogscaleIngest data into the application repository
IngestDataAsyncV1Foundry LogscaleIngest data into the application repository asynchronously
ioc_type_query_v1IOCQuery IOC Types.
LaunchScanQuick Scan ProStarts scanning a file uploaded through UploadFileMixin0Mixin93.
listAvailableStreamsOAuth2Event StreamsDiscover all event streams in your environment
ListAzureAccountsKubernetes ProtectionProvides the azure subscriptions registered to Kubernetes Protection
ListObjectsCustom StorageList the object keys in the specified collection in alphabetical order
ListObjectsByVersionCustom StorageList the object keys in the specified collection in alphabetical order.
ListReposV1Foundry LogscaleLists available repositories and views
ListViewV1Foundry LogscaleList views
MigrationsActionsV1Host MigrationPerform an action on a migration job.
MigrationAggregatesV1Host MigrationGet migration aggregates as specified via json in request body.
oauth2AccessTokenOAuth2Generate an OAuth2 access token
oauth2RevokeTokenOAuth2Revoke a previously issued OAuth2 access token before the end of its standard 30-minute lifespan.
PatchAzureServicePrincipalKubernetes ProtectionAdds the client ID for the given tenant ID to our system
PatchCSPMAwsAccountCSPM RegistrationPatches an existing account in our system for a customer.
PatchEntitiesAlertsV2AlertsPerform actions on detections identified by detection ID(s) in request. Each action has a name and a description which describes what the action does. If a request adds and removes tag in a single request, the order of processing would be to remove tags before adding new ones in.
PatchEntitiesAlertsV3AlertsPerform actions on detections identified by detection ID(s) in request. Each action has a name and a description which describes what the action does. If a request adds and removes tag in a single request, the order of processing would be to remove tags before adding new ones in.
patch_external_assetsExposure ManagementUpdate the details of external assets.
PerformActionV2HostsTake various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host.
performDeviceControlPoliciesActionDevice Control PoliciesPerform the specified action on the Device Control Policies specified in the request
performFirewallPoliciesActionFirewall PoliciesPerform the specified action on the Firewall Policies specified in the request
performGroupActionHost GroupPerform the specified action on the Host Groups specified in the request
PerformIncidentActionIncidentsPerform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
performPreventionPoliciesActionPrevention PolicyPerform the specified action on the Prevention Policies specified in the request
performRTResponsePoliciesActionResponse PoliciesPerform the specified action on the Response Policies specified in the request
performSensorUpdatePoliciesActionSensor Update PolicyPerform the specified action on the Sensor Update Policies specified in the request
platform_query_v1IOCQuery Platforms.
post_policy_rulesIdentity ProtectionCreate policy rules.
PostAggregatesAlertsV1AlertsRetrieves aggregate values for Alerts across all CIDs
PostAggregatesAlertsV2AlertsRetrieves aggregate values for Alerts across all CIDs
PostDeliverySettingsDelivery SettingsCreate Delivery Settings.
PostDeviceDetailsV2HostsGet details on one or more hosts by providing host IDs in a POST body. Supports up to a maximum 5000 IDs.
PostEntitiesAlertsV1AlertsRetrieves all Alerts given their IDs
PostEntitiesAlertsV2AlertsRetrieves all Alerts given their composite IDs
PostMalQueryEntitiesSamplesMultidownloadV1MalQuerySchedule samples for download. Use the result id with the /request endpoint to check if the download is ready after which you can call the /entities/samples-fetch to get the zip
PostMalQueryExactSearchV1MalQuerySearch Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. You can filter results on criteria such as file type, file size and first seen date. Returns a request id which can be used with the /request endpoint
PostMalQueryFuzzySearchV1MalQuerySearch Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity.
PostMalQueryHuntV1MalQuerySchedule a YARA-based search for execution. Returns a request id which can be used with the /request endpoint
PostMitreAttacksIntelRetrieves report and observable IDs associated with the given actor and attacks
PreviewRuleV1ReconPreview rules notification count and distribution. This will return aggregations on: channel, count, site.
ProcessesRanOnIOCsSearch for processes associated with a custom IOC
ProvisionAWSAccountsCloud Connect AWSProvision AWS Accounts by specifying details about the accounts to provision
PutObjectCustom StoragePut the specified new object at the given key or overwrite an existing object at the given key
PutObjectByVersionCustom StoragePut the specified new object at the given key or overwrite an existing object at the given key.
queries_edgetypes_getThreatGraphShow all available edge types
queriesRolesV1User ManagementShow role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /user-management/entities/roles/v1.
query_accountsDiscoverSearch for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of account IDs which match the filter criteria.
query_applicationsDiscoverSearch for applications in your environment by providing a FQL filter and paging details. Returns a set of application IDs which match the filter criteria.
query_eventsFirewall ManagementFind all event IDs matching the query with filter
query_firewall_fieldsFirewall ManagementGet the firewall field specification IDs for the provided platform
query_hostsDiscoverSearch for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_iot_hostsDiscoverSearch for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_iot_hosts_v2DiscoverSearch for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_loginsDiscoverSearch for logins in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of login IDs which match the filter criteria.
query_malicious_filesODSQuery malicious files.
query_network_locationsFirewall ManagementGet a list of network location IDs
query_patternsCustom IOAGet all pattern severity IDs.
query_platformsFirewall ManagementGet the list of platform names
query_platformsMixin0Custom IOAGet all platform IDs.
query_policy_rulesFirewall ManagementFind all firewall rule IDs matching the query with filter, and return them in precedence order
query_rule_groupsFirewall ManagementFind all rule group IDs matching the query with filter
query_rule_groups_fullCustom IOAFind all rule groups matching the query with optional filter.
query_rule_groupsMixin0Custom IOAFinds all rule group IDs matching the query with optional filter.
query_rule_typesCustom IOAGet all rule type IDs.
query_rulesFirewall ManagementFind all rule IDs matching the query with filter
query_rulesMixin0Custom IOAFinds all rule IDs matching the query with optional filter.
query_scan_host_metadataODSQuery scan hosts.
query_scansODSQuery Scans.
query_scheduled_scansODSQuery ScheduledScans.
QueryActionsV1ReconQuery actions based on provided criteria. Use the IDs from this response to get the action entities on GET /entities/actions/v1.
queryActionsMixin0FileVantageReturns one or more action IDs.
QueryActivityByCaseIDMessage CenterRetrieve activity IDs for a case
QueryAlertIdsByFilterFalcon Complete DashboardRetrieve Alerts Ids that match the provided FQL filter criteria with scrolling enabled
QueryAllowListFilterFalcon Complete DashboardRetrieve allowlist tickets that match the provided filter criteria with scrolling enabled
QueryAWSAccountsCloud Connect AWSSearch for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria
QueryAWSAccountsForIDsCloud Connect AWSSearch for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria
QueryBehaviorsIncidentsSearch for behaviors by providing a FQL filter, sorting, and paging details
QueryBlockListFilterFalcon Complete DashboardRetrieve blocklist tickets that match the provided filter criteria with scrolling enabled
QueryCasesIdsByFilterMessage CenterRetrieve case IDs that match the provided filter criteria
queryChangesFilevantageReturns 1 or more change ids
queryChildrenMSSP (Flight Control)Query for customers linked as children
queryCIDGroupMembersMSSP (Flight Control)Query a CID groups members by associated CID.
queryCIDGroupsMSSP (Flight Control)Query CID groups.
queryCombinedDeviceControlPoliciesDevice Control PoliciesSearch for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policies which match the filter criteria
queryCombinedDeviceControlPolicyMembersDevice Control PoliciesSearch for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedFirewallPoliciesFirewall PoliciesSearch for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policies which match the filter criteria
queryCombinedFirewallPolicyMembersFirewall PoliciesSearch for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedGroupMembersHost GroupSearch for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedHostGroupsHost GroupSearch for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Groups which match the filter criteria
queryCombinedPreventionPoliciesPrevention PolicySearch for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria
queryCombinedPreventionPolicyMembersPrevention PolicySearch for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedRTResponsePoliciesResponse PoliciesSearch for Response Policies in your environment by providing a FQL filter and paging details. Returns a set of Response Policies which match the filter criteria
queryCombinedRTResponsePolicyMembersResponse PoliciesSearch for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedSensorUpdateBuildsSensor Update PolicyRetrieve available builds for use with Sensor Update Policies
queryCombinedSensorUpdateKernelsSensor Update PolicyRetrieve kernel compatibility info for Sensor Update Builds
queryCombinedSensorUpdatePoliciesSensor Update PolicySearch for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria
queryCombinedSensorUpdatePoliciesV2Sensor Update PolicySearch for Sensor Update Policies with additional support for uninstall protection in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria
queryCombinedSensorUpdatePolicyMembersSensor Update PolicySearch for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
QueryDetectionIdsByFilterFalcon Complete DashboardRetrieve Detections IDs that match the provided FQL filter criteria with scrolling enabled
QueryDetectsDetectsSearch for detection IDs that match a given query
queryDeviceControlPoliciesDevice Control PoliciesSearch for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policy IDs which match the filter criteria
queryDeviceControlPolicyMembersDevice Control PoliciesSearch for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
QueryDeviceLoginHistoryHostsRetrieve details about recent login sessions for a set of devices.
QueryDeviceLoginHistoryV2HostsRetrieve details about recent interactive login sessions for a set of devices powered by the Host Timeline. A max of 10 device ids can be specified
QueryDevicesByFilterHostsSearch for hosts in your environment by platform, hostname, IP, and other criteria.
QueryDevicesByFilterScrollHostsSearch for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)
QueryEscalationsFilterFalcon Complete DashboardRetrieve escalation tickets that match the provided filter criteria with scrolling enabled
queryEvaluationLogicSpotlight Evaluation LogicSearch for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic IDs which match the filter criteria.
QueryEventsTailored IntelligenceGet events ids that match the provided filter criteria.
query_external_assetsExposure ManagementGet a list of external asset IDs that match the provided filter conditions. Use these IDs with the blob_download_external_assets, blob_preview_external_assets and get_external_assets endpoints
queryFirewallPoliciesFirewall PoliciesSearch for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policy IDs which match the filter criteria
queryFirewallPolicyMembersFirewall PoliciesSearch for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
QueryGetNetworkAddressHistoryV1HostsRetrieve history of IP and MAC addresses of devices.
queryGroupMembersHost GroupSearch for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
QueryHiddenDevicesHostsRetrieve hidden hosts that match the provided filter criteria.
queryHostGroupsHost GroupSearch for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Group IDs which match the filter criteria
QueryIncidentIdsByFilterFalcon Complete DashboardRetrieve incidents that match the provided filter criteria with scrolling enabled
QueryIncidentsIncidentsSearch for incidents by providing a FQL filter, sorting, and paging details
QueryIntelActorEntitiesIntelGet info about actors that match provided FQL filters.
QueryIntelActorIdsIntelGet actor IDs that match provided FQL filters.
QueryIntelIndicatorEntitiesIntelGet info about indicators that match provided FQL filters.
QueryIntelIndicatorIdsIntelGet indicator IDs that match provided FQL filters.
QueryIntelReportEntitiesIntelGet info about reports that match provided FQL filters.
QueryIntelReportIdsIntelGet report IDs that match provided FQL filters.
QueryIntelRuleIdsIntelSearch for rule IDs that match provided filter criteria.
queryIOAExclusionsV1IOA ExclusionsSearch for IOA exclusions.
QueryMalwareIntelGet malware family names that match provided FQL filters.
QueryMitreAttacksForMalwareIntelGets MITRE tactics and techniques for the given malware.
QueryMitreAttacksIntelGets MITRE tactics and techniques for the given actor, returning concatenation of id and tactic and technique ids, example: fancy-bear_TA0011_T1071
queryMLExclusionsV1ML ExclusionsSearch for ML exclusions.
QueryNotificationsExposedDataRecordsV1ReconQuery notifications exposed data records based on provided criteria. Use the IDs from this response to get the notification entities on GET /entities/notifications-exposed-data-records/v1
QueryNotificationsV1ReconQuery notifications based on provided criteria. Use the IDs from this response to get the notification entities on GET /entities/notifications/v1, GET /entities/notifications-detailed/v1, GET /entities/notifications-translated/v1 or GET /entities/notifications-detailed-translated/v1.
queryPoliciesFilevantageRetrieve the ids of all policies that are assigned the provided policy type.
queryPreventionPoliciesPrevention PolicySearch for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policy IDs which match the filter criteria
queryPreventionPolicyMembersPrevention PolicySearch for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
QueryQuarantineFilesQuarantineGet quarantine file ids that match the provided filter criteria.
QueryRemediationsFilterFalcon Complete DashboardRetrieve remediation tickets that match the provided filter criteria with scrolling enabled
QueryReportsFalcon Intelligence SandboxFind sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria.
queryRolesMSSP (Flight Control)Query links between user groups and CID groups. At least one of CID group ID or user group ID should also be provided. Role ID is optional.
queryRTResponsePoliciesResponse PoliciesSearch for Response Policies in your environment by providing a FQL filter with sort and/or paging details. This returns a set of Response Policy IDs that match the given criteria.
queryRTResponsePolicyMembersResponse PoliciesSearch for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryRuleGroupsFilevantageRetrieve the ids of all rule groups that are of the provided rule group type.
QueryRulesTailored IntelligenceGet rules ids that match the provided filter criteria.
QueryRulesV1ReconQuery monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on /entities/rules/v1.
QuerySampleV1Falcon Intelligence SandboxRetrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200
QueryScanResultsQuick Scan ProGets QuickScan Pro scan jobs for a given FQL filter.
queryScheduledExclusionsFilevantageRetrieve the ids of all scheduled exclusions contained within the provided policy id.
QuerySensorsByFilterIdentity EntitiesSearch for sensors in your environment by hostname, IP, and other criteria.
querySensorUpdateKernelsDistinctSensor Update PolicyRetrieve kernel compatibility info for Sensor Update Builds
querySensorUpdatePoliciesSensor Update PolicySearch for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policy IDs which match the filter criteria
querySensorUpdatePolicyMembersSensor Update PolicySearch for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
querySensorVisibilityExclusionsV1Sensor Visibility ExclusionsSearch for sensor visibility exclusions.
QuerySubmissionsFalcon Intelligence SandboxFind submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria.
QuerySubmissionsMixin0Quick ScanFind IDs for submitted scans by providing a FQL filter and paging details. Returns a set of volume IDs that match your criteria.
queryUserGroupMembersMSSP (Flight Control)Query user group member by user UUID.
queryUserGroupsMSSP (Flight Control)Query user groups.
queryUserV1User ManagementList user IDs for all users in your customer account. For more information on each user, provide the user ID to /user-management/entities/users/GET/v1.
QueryVulnerabilitiesIntelGet vulnerabilities IDs
queryVulnerabilitiesSpotlight VulnerabilitiesSearch for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria
ReadClusterCombined | Kubernetes Protection | Retrieve Kubernetes clusters identified by the provided filter criteria
ReadClusterCount | Kubernetes Protection | Retrieve cluster counts
ReadClusterEnrichment | Kubernetes Protection | Retrieve cluster enrichment data
ReadClustersByDateRangeCount | Kubernetes Protection | Retrieve clusters by date range counts
ReadClustersByKubernetesVersionCount | Kubernetes Protection | Bucket clusters by Kubernetes version
ReadClustersByStatusCount | Kubernetes Protection | Bucket clusters by status
ReadCombinedDetections | Container Detections | Retrieve image assessment detections identified by the provided filter criteria
ReadCombinedImagesExport | Container Images | Retrieve images with an option to expand aggregated vulnerabilities/detections
ReadCombinedVulnerabilities | Container Vulnerabilities | Retrieve vulnerability and aggregate data filtered by the provided FQL
ReadCombinedVulnerabilitiesDetails | Container Vulnerabilities | Retrieve vulnerability details related to an image
ReadCombinedVulnerabilitiesInfo | Container Vulnerabilities | Retrieve vulnerability and package related info for this customer
ReadContainerAlertsCount | Container Alerts | Search Container Alerts by the provided search criteria
ReadContainerAlertsCountBySeverity | Container Alerts | Get Container Alert counts by severity
ReadContainerCombined | Kubernetes Protection | Retrieve containers identified by the provided filter criteria
ReadContainerCount | Kubernetes Protection | Retrieve container counts
ReadContainerCountByRegistry | Kubernetes Protection | Retrieve top container image registries
ReadContainerImageDetectionsCountByDate | Kubernetes Protection | Retrieve count of image assessment detections on running containers over a period of time
ReadContainerEnrichment | Kubernetes Protection | Retrieve container enrichment data
ReadContainerImagesByMostUsed | Kubernetes Protection | Bucket container by image-digest
ReadContainerImagesByState | Kubernetes Protection | Retrieve count of image states running on containers
ReadContainersByDateRangeCount | Kubernetes Protection | Retrieve containers by date range counts
ReadContainersSensorCoverage | Kubernetes Protection | Bucket containers by agent type and calculate sensor coverage
ReadContainerVulnerabilitiesBySeverityCount | Kubernetes Protection | Retrieve container vulnerabilities by severity counts
ReadDeploymentCombined | Kubernetes Protection | Retrieve Kubernetes deployments identified by the provided filter criteria
ReadDeploymentsCombined | Cloud Snapshots | Search for snapshot jobs identified by the provided filter.
ReadDeploymentCount | Kubernetes Protection | Retrieve deployment counts
ReadDeploymentEnrichment | Kubernetes Protection | Retrieve deployment enrichment data
ReadDeploymentsEntities | Cloud Snapshots | Retrieve snapshot jobs identified by the provided IDs.
ReadDeploymentsByDateRangeCount | Kubernetes Protection | Retrieve deployments by date range counts
ReadDetections | Container Detections | Retrieve image assessment detection entities identified by the provided filter criteria
ReadDetectionsCount | Container Detections | Aggregate count of detections
ReadDetectionsCountBySeverity | Container Detections | Aggregate counts of detections by severity
ReadDetectionsCountByType | Container Detections | Aggregate counts of detections by detection type
ReadDistinctContainerImageCount | Kubernetes Protection | Retrieve count of distinct images running on containers
ReadDriftIndicatorsCount | Drift Indicators | Returns the total count of Drift indicators over a time period
ReadDriftIndicatorEntities | Drift Indicators | Retrieve Drift Indicator entities identified by the provided IDs
ReadImageVulnerabilities | Falcon Container Cli | Retrieve known vulnerabilities for the provided image
ReadKubernetesIomByDateRange | Kubernetes Protection | Returns the count of Kubernetes IOMs by the date. By default it's for 7 days.
ReadKubernetesIomCount | Kubernetes Protection | Returns the total count of Kubernetes IOMs over the past seven days
ReadKubernetesIomEntities | Kubernetes Protection | Retrieve Kubernetes IOM entities identified by the provided IDs
ReadNamespaceCount | Kubernetes Protection | Retrieve namespace counts
ReadNamespacesByDateRangeCount | Kubernetes Protection | Retrieve namespaces by date range counts
ReadNodeCombined | Kubernetes Protection | Retrieve Kubernetes nodes identified by the provided filter criteria
ReadNodeCount | Kubernetes Protection | Retrieve node counts
ReadNodeEnrichment | Kubernetes Protection | Retrieve node enrichment data
ReadNodesByCloudCount | Kubernetes Protection | Bucket nodes by cloud providers
ReadNodesByContainerEngineVersionCount | Kubernetes Protection | Bucket nodes by their container engine version
ReadNodesByDateRangeCount | Kubernetes Protection | Retrieve nodes by date range counts
ReadPackagesByFixableVulnCount | Container Packages | Retrieve top x app packages with the most fixable vulnerabilities
ReadPackagesByVulnCount | Container Packages | Retrieve top x packages with the most vulnerabilities
ReadPackagesCombined | Container Packages | Retrieve packages identified by the provided filter criteria
ReadPackagesCombinedExport | Container Packages | Retrieve packages identified by the provided filter criteria for the purpose of export
ReadPackagesCountByZeroDay | Container Packages | Retrieve packages count affected by zero day vulnerabilities
ReadPodEnrichment | Kubernetes Protection | Retrieve pod enrichment data
ReadPolicies | Image Assessment Policies | Get all Image Assessment policies
ReadPolicyExclusions | Image Assessment Policies | Retrieve Image Assessment Policy Exclusion entities
ReadPolicyGroups | Image Assessment Policies | Retrieve Image Assessment Policy Group entities
ReadPodCombined | Kubernetes Protection | Retrieve Kubernetes pods identified by the provided filter criteria
ReadPodCount | Kubernetes Protection | Retrieve pod counts
ReadPodsByDateRangeCount | Kubernetes Protection | Retrieve pods by date range counts
ReadRegistryEntities | Falcon Container Image | Retrieve registry entities identified by the customer id
ReadRegistryEntitiesByUUID | Falcon Container Image | Retrieve the registry entity identified by the entity UUID
ReadRunningContainerImages | Kubernetes Protection | Retrieve images on running containers
ReadUnidentifiedContainersByDateRangeCount | Unidentified Containers | Returns the count of Unidentified Containers over the last 7 days
ReadUnidentifiedContainersCount | Unidentified Containers | Returns the total count of Unidentified Containers over a time period
ReadVulnerabilitiesByImageCount | Container Vulnerabilities | Retrieve top x vulnerabilities with the most impacted images
ReadVulnerabilitiesPublicationDate | Container Vulnerabilities | Retrieve top x vulnerabilities with the most recent publication date
ReadVulnerabilityCount | Container Vulnerabilities | Aggregate count of vulnerabilities
ReadVulnerabilityCountByActivelyExploited | Container Vulnerabilities | Aggregate count of vulnerabilities grouped by actively exploited
ReadVulnerabilityCountByCPSRating | Container Vulnerabilities | Aggregate count of vulnerabilities grouped by csp_rating
ReadVulnerabilityCountByCVSSScore | Container Vulnerabilities | Aggregate count of vulnerabilities grouped by cvss score
ReadVulnerabilityCountBySeverity | Container Vulnerabilities | Aggregate count of vulnerabilities grouped by severity
ReadVulnerableContainerImageCount | Kubernetes Protection | Retrieve count of vulnerable images running on containers
refreshActiveStreamSession | Event Streams | Refresh an active event stream. Use the URL shown in a GET /sensors/entities/datafeed/v2 response.
RegenerateAPIKey | Kubernetes Protection | Regenerate API key for docker registry integrations
RegisterCspmSnapshotAccount | Cloud Snapshots | Register an account for snapshot scanning.
report_executions_download_get | Report Executions | Get report entity download
report_executions_get | Report Executions | Retrieve report details for the provided report IDs.
report_executions_query | Report Executions | Find all report execution IDs matching the query with filter
report_executions_retry | Report Executions | This endpoint will be used to retry report executions
RequestDeviceEnrollmentV3 | Mobile Enrollment | Trigger on-boarding process for a mobile device
RequestDeviceEnrollmentV4 | Mobile Enrollment | Trigger on-boarding process for a mobile device.
RetrieveEmailsByCID | User Management | Deprecated: Please use POST /user-management/entities/users/GET/v1. List the usernames (usually an email address) for all users in your customer account
retrieveUser | User Management | Deprecated: Please use POST /user-management/entities/users/GET/v1. Get info about a user
retrieveUsersGETV1 | User Management | Get info about users including their name, UID and CID by providing user UUIDs
RetrieveUserUUID | User Management | Deprecated: Please use GET /user-management/queries/users/v1. Get a user's ID by providing a username (usually an email address)
RetrieveUserUUIDsByCID | User Management | Deprecated: Please use GET /user-management/queries/users/v1. List user IDs for all users in your customer account. For more information on each user, provide the user ID to /users/entities/user/v1.
revealUninstallToken | Sensor Update Policy | Reveals an uninstall token for a specific device. To retrieve the bulk maintenance token pass the value 'MAINTENANCE' as the value for 'device_id'
RevokeUserRoleIds | User Management | Deprecated: Please use POST /user-management/entities/user-role-actions/v1. Revoke one or more roles from a user
RTR_AggregateSessions | Real Time Response | Get aggregates on session data.
RTR_CheckActiveResponderCommandStatus | Real Time Response | Get status of an executed active-responder command on a single host.
RTR_CheckAdminCommandStatus | Real Time Response Admin | Get status of an executed RTR administrator command on a single host.
RTR_CheckCommandStatus | Real Time Response | Get status of an executed command on a single host.
RTR_CreatePut_Files | Real Time Response Admin | Upload a new put-file to use for the RTR put command.
RTR_CreateScripts | Real Time Response Admin | Upload a new custom-script to use for the RTR runscript command.
RTR_DeleteFile | Real Time Response | Delete a RTR session file.
RTR_DeleteFileV2 | Real Time Response | Delete a RTR session file.
RTR_DeletePut_Files | Real Time Response Admin | Delete a put-file based on the ID given. Can only delete one file at a time.
RTR_DeleteQueuedSession | Real Time Response | Delete a queued session command
RTR_DeleteScripts | Real Time Response Admin | Delete a custom-script based on the ID given. Can only delete one script at a time.
RTR_DeleteSession | Real Time Response | Delete a session.
RTR_ExecuteActiveResponderCommand | Real Time Response | Execute an active responder command on a single host.
RTR_ExecuteAdminCommand | Real Time Response Admin | Execute a RTR administrator command on a single host.
RTR_ExecuteCommand | Real Time Response | Execute a command on a single host.
RTR_GetExtractedFileContents | Real Time Response | Get RTR extracted file contents for specified session and sha256.
RTR_GetFalconScripts | Real Time Response Admin | Get Falcon scripts with metadata and content of script
RTR_GetPut_Files | Real Time Response Admin | Get put-files based on the IDs given. These are used for the RTR put command.
RTR_GetPut_FilesV2 | Real Time Response Admin | Get put-files based on the IDs given. These are used for the RTR put command.
RTR_GetScripts | Real Time Response Admin | Get custom-scripts based on the IDs given. These are used for the RTR runscript command.
RTR_GetScriptsV2 | Real Time Response Admin | Get custom-scripts based on the IDs given. These are used for the RTR runscript command.
RTR_InitSession | Real Time Response | Initialize a new session with the RTR cloud.
RTR_ListAllSessions | Real Time Response | Get a list of session_ids.
RTR_ListFalconScripts | Real Time Response Admin | Get a list of Falcon script IDs available to the user to run
RTR_ListFiles | Real Time Response | Get a list of files for the specified RTR session.
RTR_ListFilesV2 | Real Time Response | Get a list of files for the specified RTR session.
RTR_ListPut_Files | Real Time Response Admin | Get a list of put-file IDs that are available to the user for the put command.
RTR_ListQueuedSessions | Real Time Response | Get queued session metadata by session ID.
RTR_ListScripts | Real Time Response Admin | Get a list of custom-script IDs that are available to the user for the runscript command.
RTR_ListSessions | Real Time Response | Get session metadata by session id.
RTR_PulseSession | Real Time Response | Refresh a session timeout on a single host.
RTR_UpdateScripts | Real Time Response Admin | Upload a new script to replace an existing one.
RTRAuditSessions | Real Time Response Audit | Get all the RTR sessions created for a customer in a specified duration
RunIntegrationTask | ASPM | Run an integration task by its ID
ScanSamples | Quick Scan | Submit a volume of files for ML scanning. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute
schedule_scan | ODS | Create ODS scan and start or schedule scan for the given scan request.
scheduled_reports_get | Scheduled Reports | Retrieve scheduled reports for the provided report IDs.
scheduled_reports_launch | Scheduled Reports | Launch scheduled reports executions for the provided report IDs.
scheduled_reports_query | Scheduled Reports | Find all report IDs matching the query with filter
SearchAndReadContainerAlerts | Container Alerts | Search Container Alerts by the provided search criteria
SearchAndReadDriftIndicatorEntities | Drift Indicators | Retrieve Drift Indicators by the provided search criteria
SearchAndReadKubernetesIomEntities | Kubernetes Protection | Search Kubernetes IOM by the provided search criteria
SearchAndReadUnidentifiedContainers | Unidentified Containers | Search Unidentified Containers by the provided search criteria
SearchDetections | Container Detections | Retrieve image assessment detection entities identified by the provided filter criteria
SearchDriftIndicators | Drift Indicators | Retrieve all drift indicators that match the given query
SearchKubernetesIoms | Kubernetes Protection | Search Kubernetes IOMs by the provided search criteria. This endpoint returns a list of Kubernetes IOM UUIDs matching the query
SearchObjects | Custom Storage | Search for objects that match the specified filter criteria (returns metadata, not actual objects)
SearchObjectsByVersion | Custom Storage | Search for objects that match the specified filter criteria (returns metadata, not actual objects).
ServiceNowGetDeployments | ASPM | Get ServiceNow deployments.
ServiceNowGetServices | ASPM | Get ServiceNow services.
setDeviceControlPoliciesPrecedence | Device Control Policies | Sets the precedence of Device Control Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
setFirewallPoliciesPrecedence | Firewall Policies | Sets the precedence of Firewall Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
setPreventionPoliciesPrecedence | Prevention Policy | Sets the precedence of Prevention Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
setRTResponsePoliciesPrecedence | Response Policies | Sets the precedence of Response Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
setSensorUpdatePoliciesPrecedence | Sensor Update Policy | Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
severity_query_v1 | IOC | Query Severities.
signalChangesExternal | FileVantage | Initiates workflows for the provided change IDs.
startActions | FileVantage | Initiates the specified action on the provided change IDs.
Submit | Falcon Intelligence Sandbox | Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
tokens_create | Installation Tokens | Creates a token.
tokens_delete | Installation Tokens | Deletes a token immediately. To revoke a token, use PATCH /installation-tokens/entities/tokens/v1 instead.
tokens_query | Installation Tokens | Search for tokens by providing a FQL filter and paging details.
tokens_read | Installation Tokens | Gets the details of one or more tokens by id.
tokens_update | Installation Tokens | Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore.
TriggerScan | Kubernetes Protection | Triggers a dry run or a full scan of a customer's Kubernetes footprint
update_network_locations | Firewall Management | Updates the network locations provided, and returns the ID.
update_network_locations_metadata | Firewall Management | Updates the network locations metadata such as polling_intervals for the cid
update_network_locations_precedence | Firewall Management | Updates the network locations precedence according to the list of ids provided.
update_policy_container | Firewall Management | Update an identified policy container, including local logging functionality.
update_policy_container_v1 | Firewall Management | Update an identified policy container. WARNING: This endpoint is deprecated in favor of v2, using this endpoint could disable your local logging setting.
update_data_scanner_tasks | DataScanner | Reports back on task status.
update_rule_group | Firewall Management | Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
update_rule_group_validation | Firewall Management | Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
update_rule_groupMixin0 | Custom IOA | Update a rule group. The following properties can be modified: name, description, enabled.
update_rules | Custom IOA | Update rules within a rule group. Return the updated rules.
update_rules_v2 | Custom IOA | Update name, description, enabled or field_values for individual rules within a rule group. The v1 flavor of this call requires the caller to specify the complete state for all the rules in the rule group; the v2 flavor instead accepts a subset of the rules in the rule group and applies the attribute updates to that subset. Returns the updated rules.
UpdateActionV1 | Recon | Update an action for a monitoring rule.
UpdateAWSAccount | Kubernetes Protection | Updates the AWS account per the query parameters provided
UpdateAWSAccounts | Cloud Connect AWS | Update AWS Accounts by specifying the ID of the account and details to update
updateCIDGroups | MSSP (Flight Control) | Update existing CID groups. CID group ID is expected for each CID group definition provided in request body. Name is a required field but description is an optional field. Empty description will override existing value. CID group member(s) remain unaffected.
UpdateCSPMAzureAccountClientID | CSPM Registration | Update an Azure service account in our system with the user-created client_id created with the public key we've provided
UpdateCSPMAzureTenantDefaultSubscriptionID | CSPM Registration | Update an Azure default subscription_id in our system for given tenant_id
UpdateCSPMGCPAccount | CSPM Registration | Patches an existing account in our system for a customer.
UpdateCSPMGCPServiceAccountsExt | CSPM Registration | Updates an existing GCP service account.
UpdateCSPMPolicySettings | CSPM Registration | Updates a policy setting - can be used to override policy severity or to disable a policy entirely.
UpdateCSPMScanSchedule | CSPM Registration | Updates scan schedule configuration for one or more cloud platforms.
UpdateD4CCPServiceAccountsExt | D4C Registration | Updates an existing GCP service account.
updateDefaultDeviceControlPolicies | Device Control Policies | Update the configuration for a Default Device Control Policy
UpdateDetectsByIdsV2 | Detects | Modify the state, assignee, and visibility of detections
updateDeviceControlPolicies | Device Control Policies | Update Device Control Policies by specifying the ID of the policy and details to update
UpdateDeviceTags | Hosts | Append or remove one or more Falcon Grouping Tags on one or more hosts. Tags must be of the form FalconGroupingTags/
UpdateDiscoverCloudAzureAccountClientID | D4C Registration | Update an Azure service account in our system with the user-created client_id created with the public key we've provided
UpdateExecutorNode | ASPM | Update an existing relay node
updateFirewallPolicies | Firewall Policies | Update Firewall Policies by specifying the ID of the policy and details to update
updateHostGroups | Host Group | Update Host Groups by specifying the ID of the group and details to update
updateIOAExclusionsV1 | IOA Exclusions | Update the IOA exclusions
UpdateIntegration | ASPM | Update an existing integration by its ID
UpdateIntegrationTask | ASPM | Update an existing integration task by its ID
updateMLExclusionsV1 | ML Exclusions | Update the ML exclusions
UpdateNotificationsV1 | Recon | Update notification status or assignee. Accepts bulk requests
updatePolicies | Filevantage | Updates the general information of the provided policy.
UpdatePolicies | Image Assessment Policies | Update Image Assessment Policy entities
UpdatePolicyExclusions | Image Assessment Policies | Update Image Assessment Policy Exclusion entities
UpdatePolicyGroups | Image Assessment Policies | Update Image Assessment Policy Group entities
updatePolicyHostGroups | Filevantage | Manage host groups assigned to a policy.
updatePolicyPrecedence | Filevantage | Updates the policy precedence for all policies of a specific type.
UpdatePolicyPrecedence | Image Assessment Policies | Update Image Assessment Policy precedence
updatePolicyRuleGroups | Filevantage | Manage the rule groups assigned to the policy or set the rule group precedence for all rule groups within the policy.
updatePreventionPolicies | Prevention Policy | Update Prevention Policies by specifying the ID of the policy and details to update
UpdateQfByQuery | Quarantine | Apply quarantine file actions by query.
UpdateQuarantinedDetectsByIds | Quarantine | Apply action by quarantine file ids
UpdateRegistryEntities | Falcon Container Image | Update the registry entity, as identified by the entity UUID, using the provided details
updateRTResponsePolicies | Response Policies | Update Response Policies by specifying the ID of the policy and details to update
updateRuleGroupPrecedence | Filevantage | Updates the rule precedence for all rules in the identified rule group.
updateRuleGroups | Filevantage | Updates the provided rule group.
updateRules | Filevantage | Updates the provided rule configuration within the specified rule group.
UpdateRulesV1 | Recon | Update monitoring rules.
updateScheduledExclusions | Filevantage | Updates the provided scheduled exclusion configuration within the provided policy.
updateSensorUpdatePolicies | Sensor Update Policy | Update Sensor Update Policies by specifying the ID of the policy and details to update
updateSensorUpdatePoliciesV2 | Sensor Update Policy | Update Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection
updateSensorVisibilityExclusionsV1 | Sensor Visibility Exclusions | Update the sensor visibility exclusions
UpdateUser | User Management | Deprecated: Please use PATCH /user-management/entities/users/v1. Modify an existing user's first or last name
updateUserGroups | MSSP (Flight Control) | Update existing user group(s). User group ID is expected for each user group definition provided in request body. Name is a required field but description is an optional field. Empty description will override existing value. User group member(s) remain unaffected.
updateUserV1 | User Management | Modify an existing user's first or last name.
UploadFileMixin0Mixin93 | Quick Scan Pro | Uploads a file to be further analyzed with QuickScan Pro. The samples expire after 90 days.
UploadSampleV2 | Falcon Intelligence Sandbox | Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file.
UploadSampleV3 | Sample Uploads | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint.
upsert_network_locations | Firewall Management | Updates the network locations provided, and returns the ID.
UpsertBusinessApplications | ASPM | Create or Update Business Applications
UpsertTags | ASPM | Create new or update existing tag. You can update the unique tags table or the regular tags table.
userActionV1 | User Management | Apply actions to one or more users. Available action names: reset_2fa, reset_password. User UUIDs can be provided in ids param as part of request payload.
userRolesActionV1 | User Management | Grant or Revoke one or more role(s) to a user against a CID. User UUID, CID and Role ID(s) can be provided in request payload. Available Action(s): grant, revoke
ValidateCSPMGCPServiceAccountExt | CSPM Registration | Validates credentials for a service account
validate | Custom IOA | Validates field values and checks for matches if a test string is provided.
validate_filepath_pattern | Firewall Management | Validates that the test pattern matches the executable filepath glob pattern.
VerifyAWSAccountAccess | Cloud Connect AWS | Performs an Access Verification check on the specified AWS Account IDs
WorkflowActivitiesCombined | Workflows | Search workflow activities based on the provided filter
WorkflowDefinitionsCombined | Workflows | Search workflow definitions based on the provided filter
WorkflowDefinitionsExport | Workflows | Exports a workflow definition for the given definition ID
WorkflowDefinitionsImport | Workflows | Imports a workflow definition based on the provided model
WorkflowDefinitionsUpdate | Workflows | Updates a workflow definition based on the provided model.
WorkflowExecute | Workflows | Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response is the execution ID(s)
WorkflowExecuteInternal | Workflows | Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response is the execution ID(s).
WorkflowMockExecute | Workflows | Executes an on-demand Workflow with mocks.
WorkflowExecutionResults | Workflows | Get execution result of a given execution
WorkflowExecutionsAction | Workflows | Allows a user to resume/retry a failed workflow execution.
WorkflowExecutionsCombined | Workflows | Search workflow executions based on the provided filter
WorkflowGetHumanInputV1 | Workflows | Gets one or more specific human inputs by their IDs.
WorkflowTriggersCombined | Workflows | Search workflow triggers based on the provided filter
WorkflowUpdateHumanInputV1 | Workflows | Provides an input in response to a human input action. Depending on action configuration, one or more of Approve, Decline, and/or Escalate are permitted.
WorkflowSystemDefinitionsDeProvision | Workflows | Deprovisions a system definition that was previously provisioned on the target CID
WorkflowSystemDefinitionsPromote | Workflows | Promotes a version of a system definition for a customer. The customer must already have been provisioned. This allows the caller to apply an updated template version to a specific cid and expects all parameters to be supplied. If the template supports multi-instance the customer scope definition ID must be supplied to determine which customer workflow should be updated.
WorkflowSystemDefinitionsProvision | Workflows | Provisions a system definition onto the target CID by using the template and provided parameters