Alphabetical list of all CrowdStrike OAuth2 API operations
Operation ID | Service Collection | Description |
---|---|---|
action_get_v1 | IOC | Get Actions by ids. |
action_query_v1 | IOC | Query Actions. |
ActionUpdateCount | Quarantine | Returns count of potentially affected quarantined files for each action. |
addCIDGroupMembers | MSSP (Flight Control) | Add new CID Group member. |
addRole | MSSP (Flight Control) | Assign new MSSP Role(s) between User Group and CID Group. It does not revoke existing role(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request. |
addUserGroupMembers | MSSP (Flight Control) | Add new User Group member. Maximum 500 members allowed per User Group. |
aggregate_events | Firewall Management | Aggregate events for customer |
aggregate_policy_rules | Firewall Management | Aggregate rules within a policy for customer |
aggregate_rule_groups | Firewall Management | Aggregate rule groups for customer |
aggregate_rules | Firewall Management | Aggregate rules for customer |
aggregate_scans | ODS | Get aggregates on ODS scan data. |
aggregate_scheduled_scans | ODS | Get aggregates on ODS scheduled-scan data. |
AggregateAllowList | Falcon Complete Dashboard | Retrieve aggregate allowlist ticket values based on the matched filter |
AggregateBlockList | Falcon Complete Dashboard | Retrieve aggregate blocklist ticket values based on the matched filter |
AggregateCases | Message Center | Retrieve aggregate case values based on the matched filter |
AggregateDetections | Falcon Complete Dashboard | Retrieve aggregate detection values based on the matched filter |
AggregateDeviceCountCollection | Falcon Complete Dashboard | Retrieve aggregate host/devices count based on the matched filter |
AggregateEscalations | Falcon Complete Dashboard | Retrieve aggregate escalation ticket values based on the matched filter |
AggregateFCIncidents | Falcon Complete Dashboard | Retrieve aggregate incident values based on the matched filter |
AggregateNotificationsExposedDataRecordsV1 | Recon | Get notification exposed data record aggregates as specified via JSON in request body. The valid aggregation fields are: [notification_id created_date rule.id rule.name rule.topic source_category site author] |
AggregateNotificationsV1 | Recon | Get notification aggregates as specified via JSON in request body. |
AggregateRemediations | Falcon Complete Dashboard | Retrieve aggregate remediation ticket values based on the matched filter |
AggregatesDetectionsGlobalCounts | Overwatch Dashboard | Get the total number of detections pushed across all customers |
AggregatesEvents | Overwatch Dashboard | Get aggregate OverWatch detection event info by providing an aggregate query |
AggregatesEventsCollections | Overwatch Dashboard | Get OverWatch detection event collection info by providing an aggregate query |
AggregatesIncidentsGlobalCounts | Overwatch Dashboard | Get the total number of incidents pushed across all customers |
AggregatesOWEventsGlobalCounts | Overwatch Dashboard | Get the total number of OverWatch events across all customers |
api_preempt_proxy_post_graphql | Identity Protection | Identity Protection GraphQL API. Allows to retrieve entities, timeline activities, identity-based incidents and security assessment. Allows to perform actions on entities and identity-based incidents. |
ArchiveDeleteV1 | Sample Uploads | Delete an archive that was uploaded previously |
ArchiveGetV1 | Sample Uploads | Retrieves the archives upload operation statuses. Status done means that archive was processed successfully. Status error means that archive was not processed successfully. |
ArchiveListV1 | Sample Uploads | Retrieves the archives files in chunks. |
ArchiveUploadV1 | Sample Uploads | Uploads an archive and extracts files list from it. Operation is asynchronous use /archives/entities/archives/v1 to check the status. After uploading, use /archives/entities/extractions/v1 to copy the file to internal storage making it available for content analysis. This method is deprecated in favor of /archives/entities/archives/v2 |
ArchiveUploadV2 | Sample Uploads | Uploads an archive and extracts files list from it. Operation is asynchronous use /archives/entities/archives/v1 to check the status. After uploading, use /archives/entities/extractions/v1 to copy the file to internal storage making it available for content analysis. |
audit_events_query | Installation Tokens | Search for audit events by providing a FQL filter and paging details. |
audit_events_read | Installation Tokens | Gets the details of one or more audit events by id. |
AzureDownloadCertificate | CSPM Registration | Returns JSON object(s) that contain the base64 encoded certificate for a service principal. |
BatchActiveResponderCmd | Real Time Response | Batch executes a RTR active-responder command across the hosts mapped to the given batch ID. |
BatchAdminCmd | Real Time Response Admin | Batch executes a RTR administrator command across the hosts mapped to the given batch ID. |
BatchCmd | Real Time Response | Batch executes a RTR read-only command across the hosts mapped to the given batch ID. |
BatchGetCmd | Real Time Response | Batch executes get command across hosts to retrieve files. After this call is made GET /real-time-response/combined/batch-get-command/v1 is used to query for the results. |
BatchGetCmdStatus | Real Time Response | Retrieves the status of the specified batch get command. Will return successful files when they are finished processing. |
BatchInitSessions | Real Time Response | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. |
BatchRefreshSessions | Real Time Response | Batch refresh a RTR session on multiple hosts. RTR sessions will expire after 10 minutes unless refreshed. |
cancel_scans | ODS | Cancel ODS scans for the given scan ids. |
CaseAddActivity | Message Center | Add an activity to case. Only activities of type comment are allowed via API |
CaseAddAttachment | Message Center | Upload an attachment for the case. |
CaseDownloadAttachment | Message Center | retrieves an attachment for the case, given the attachment id |
combinedUserRolesV1 | User Management | Get User Grant(s). This operation lists both direct as well as flight control grants between a User and a Customer. |
combinedQueryEvaluationLogic | Spotlight Evaluation Logic | Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic entities which match the filter criteria. |
combinedQueryVulnerabilities | Spotlight Vulnerabilities | Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria |
combinedUserRolesV1 | User Management | Get User Grant(s). This endpoint lists both direct as well as flight control grants between a User and a Customer. |
create_network_locations | Firewall Management | Create new network locations provided, and return the ID. |
CreateRegistryEntities | Falcon Container | Create registry entities using the provided detail. |
create_rule | Custom IOA | Create a rule within a rule group. Returns the rule. |
create_rule_group | Firewall Management | Create new rule group on a platform for a customer with a name and description, and return the ID |
create_rule_group_validation | Firewall Management | Validates the request of creating a new rule group on a platform for a customer with a name and description |
create_rule_groupMixin0 | Custom IOA | Create a rule group for a platform with a name and an optional description. Returns the rule group. |
create_scan | ODS | Create ODS scan and start or schedule scan for the given scan request. |
CreateActionsV1 | Recon | Create actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule. |
CreateAWSAccount | Kubernetes Protection | Creates a new AWS account in our system for a customer and generates the installation script |
CreateAzureSubscription | Kubernetes Protection | Creates a new Azure Subscription in our system |
CreateCase | Message Center | create a new case |
CreateCaseV2 | Message Center | create a new case |
createCIDGroups | MSSP (Flight Control) | Create new CID Group(s). Maximum 500 CID Group(s) allowed. |
CreateCSPMAwsAccount | CSPM Registration | Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access. |
CreateCSPMAzureAccount | D4C Registration | Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access. |
CreateCSPMAzureAccount | CSPM Registration | Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access. |
CreateCSPMGCPAccount | D4C Registration | Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access. |
CreateD4CAwsAccount | D4C Registration | Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access. |
createDeviceControlPolicies | Device Control Policies | Create Device Control Policies by specifying details about the policy to create |
CreateExportJobsV1 | Recon | Launch asynchronous export job. Use the job ID to poll the status of the job using GET /entities/exports/v1. |
createFirewallPolicies | Firewall Policies | Create Firewall Policies by specifying details about the policy to create |
createHostGroups | Host Group | Create Host Groups by specifying details about the group to create |
createIOAExclusionsV1 | IOA Exclusions | Create the IOA exclusions |
CreateIOC | IOCs | This operation has been superseded by the IOC.indicator_create_v1 operation and is no longer used. |
createMLExclusionsV1 | ML Exclusions | Create the ML exclusions |
CreateOrUpdateAWSSettings | Cloud Connect AWS | Create or update Global Settings which are applicable to all provisioned AWS accounts |
createPreventionPolicies | Prevention Policy | Create Prevention Policies by specifying details about the policy to create |
createRTResponsePolicies | Response Policies | Create Response Policies by specifying details about the policy to create |
CreateRulesV1 | Recon | Create monitoring rules. |
createSensorUpdatePolicies | Sensor Update Policy | Create Sensor Update Policies by specifying details about the policy to create |
createSensorUpdatePoliciesV2 | Sensor Update Policy | Create Sensor Update Policies by specifying details about the policy to create with additional support for uninstall protection |
createSVExclusionsV1 | Sensor Visibility Exclusions | Create the sensor visibility exclusions |
CreateUser | User Management | Create a new user. After creating a user, assign one or more roles with POST /user-roles/entities/user-roles/v1 |
createUserV1 | User Management | Create a new user. Supports Flight Control. |
createUserGroups | MSSP (Flight Control) | Create new User Group(s). Maximum 500 User Group(s) allowed per customer. |
CrowdScore | Incidents | Query environment wide CrowdScore and return the entity data |
customer_settings_read | Installation Tokens | Check current installation token settings. |
customer_settings_update | Installation Tokens Settings | Update installation token settings. |
delete_network_locations | Firewall Management | Delete network location entities by ID. |
DeleteRegistryEntities | Falcon Container | Delete registry entities by UUID. |
delete_rule_groups | Firewall Management | Delete rule group entities by ID |
delete_rule_groupsMixin0 | Custom IOA | Delete rule groups by ID. |
delete_rules | Custom IOA | Delete rules from a rule group by ID. |
delete_scheduled_scans | ODS | Delete ODS scheduled-scans for the given scheduled-scan ids. |
DeleteActionV1 | Recon | Delete an action from a monitoring rule based on the action ID. |
DeleteAWSAccounts | Cloud Connect AWS | Delete a set of AWS Accounts by specifying their IDs |
DeleteAWSAccountsMixin0 | Kubernetes Protection | Delete AWS accounts. |
DeleteAzureSubscription | Kubernetes Protection | Deletes a new Azure Subscription in our system |
deleteCIDGroupMembers | MSSP (Flight Control) | Delete CID Group members entry. |
deleteCIDGroups | MSSP (Flight Control) | Delete CID groups by ID. |
DeleteCSPMAwsAccount | CSPM Registration | Deletes an existing AWS account or organization in our system. |
DeleteCSPMAzureAccount | CSPM Registration | Deletes an Azure subscription from the system. |
DeleteD4CAwsAccount | D4C Registration | Deletes an existing AWS account or organization in our system. |
deleteDeviceControlPolicies | Device Control Policies | Delete a set of Device Control Policies by specifying their IDs |
deletedRoles | MSSP (Flight Control) | Delete MSSP Role assignment(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request. Only specified roles are removed if specified in request payload, else association between User Group and CID Group is dissolved completely (if no roles specified). |
DeleteExportJobsV1 | Recon | Delete export jobs (and their associated file(s)) based on their IDs. |
deleteFirewallPolicies | Firewall Policies | Delete a set of Firewall Policies by specifying their IDs |
deleteHostGroups | Host Group | Delete a set of Host Groups by specifying their IDs |
deleteIOAExclusionsV1 | IOA Exclusions | Delete the IOA exclusions by id |
DeleteIOC | IOCs | This operation has been superseded by the IOC.indicator_delete_v1 operation and is no longer used. |
DeleteImageDetails | Falcon Container | Delete image details from the CrowdStrike registry. |
deleteMLExclusionsV1 | ML Exclusions | Delete the ML exclusions by id |
DeleteNotificationsV1 | Recon | Delete notifications based on IDs. Notifications cannot be recovered after they are deleted. |
deletePreventionPolicies | Prevention Policy | Delete a set of Prevention Policies by specifying their IDs |
DeleteReport | Falcon X Sandbox | Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint. |
deleteRTResponsePolicies | Response Policies | Delete a set of Response Policies by specifying their IDs |
DeleteRulesV1 | Recon | Delete monitoring rules. |
DeleteSampleV2 | Falcon X Sandbox | Removes a sample, including file, meta and submissions from the collection |
DeleteSampleV3 | Sample Uploads | Removes a sample, including file, meta and submissions from the collection |
deleteSensorUpdatePolicies | Sensor Update Policy | Delete a set of Sensor Update Policies by specifying their IDs |
deleteSensorVisibilityExclusionsV1 | Sensor Visibility Exclusions | Delete the sensor visibility exclusions by id |
DeleteUser | User Management | Delete a user permanently |
deleteUserV1 | User Management | Delete a user permanently. Supports Flight Control. |
deleteUserGroupMembers | MSSP (Flight Control) | Delete User Group members entry. |
deleteUserGroups | MSSP (Flight Control) | Delete user groups by ID. |
DevicesCount | IOC | Number of hosts in your customer account that have observed a given custom IOC |
DevicesRanOn | IOC | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1 |
DiscoverCloudAzureDownloadCertificate | D4C Registration | Returns JSON object(s) that contain the base64 encoded certificate for a service principal. |
DownloadSensorInstallerById | Sensor Download | Download sensor installer by SHA256 ID |
entities_perform_action | Hosts | Performs the specified action on the provided prevention policy IDs. |
entities_processes | IOC | For the provided ProcessID retrieve the process details |
entitiesRolesV1 | User Management | Get information about a role, supports Flight Control. |
ExtractionCreateV1 | Sample Uploads | Extracts files from an uploaded archive and copies them to internal storage making it available for content analysis. |
ExtractionGetV1 | Sample Uploads | Retrieves the files extraction operation statuses. Status done means that all files were processed successfully. Status error means that at least one of the file could not be processed. |
ExtractionListV1 | Sample Uploads | Retrieves the files extractions in chunks. Status done means that all files were processed successfully. Status error means that at least one of the file could not be processed. |
get_accounts | Discover | Get details on accounts by providing one or more IDs. |
get_applications | Discover | Get details on applications by providing one or more IDs. |
get_events | Firewall Management | Get events entities by ID and optionally version |
get_firewall_fields | Firewall Management | Get the firewall field specifications by ID |
get_hosts | Discover | Get details on assets by providing one or more IDs. |
get_iot_hosts | Discover | Get details on IoT assets by providing one or more IDs. |
get_logins | Discover | Get details on logins by providing one or more IDs. |
get_malicious_files_by_ids | ODS | Get malicious files by ids. |
get_network_locations | Firewall Management | Get a summary of network locations entities by ID |
get_network_locations_details | Firewall Management | Get network locations entities by ID |
get_patterns | Custom IOA | Get pattern severities by ID. |
get_platforms | Firewall Management | Get platforms by ID, e.g., windows or mac or droid |
get_platformsMixin0 | Custom IOA | Get platforms by ID. |
get_policy_containers | Firewall Management | Get policy container entities by policy ID |
get_rule_groups | Firewall Management | Get rule group entities by ID. These groups do not contain their rule entites, just the rule IDs in precedence order. |
get_rule_groupsMixin0 | Custom IOA | Get rule groups by ID. |
get_rule_types | Custom IOA | Get rule types by ID. |
get_rules | Firewall Management | Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string) |
get_rules_get | Custom IOA | Get rules by ID and optionally version in the following format: ID[:version] . |
get_rulesMixin0 | Custom IOA | Get rules by ID and optionally version in the following format: ID[:version] . The max number of IDs is constrained by URL size. |
get_scan_host_metadata_by_ids | ODS | Get scan hosts by ids. |
get_scans_by_scan_ids | ODS | Get Scans by IDs. |
get_scheduled_scans_by_scan_ids | ODS | Get ScheduledScans by IDs. |
GetActionsV1 | Recon | Get actions based on their IDs. IDs can be retrieved using the GET /queries/actions/v1 endpoint. |
GetAggregateDetects | Detects | Get detect aggregates as specified via json in request body. |
GetAggregateFiles | Quarantine | Get quarantine file aggregates as specified via json in request body. |
GetArtifacts | Falcon X Sandbox | Download IOC packs, PCAP files, and other analysis artifacts. |
getAssessmentsByScoreV1 | Zero Trust Assessment | Get Zero Trust Assessment data for one or more hosts by providing a customer ID (CID) and a range of scores. |
getAssessmentV1 | Zero Trust Assessment | Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID) and a customer ID (CID). |
GetAvailableRoleIds | User Management | Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /customer/entities/roles/v1 . |
GetAWSAccounts | Cloud Connect AWS | Retrieve a set of AWS Accounts by specifying their IDs |
GetAWSAccountsMixin0 | Kubernetes Protection | Provides a list of AWS accounts. |
GetAWSSettings | Cloud Connect AWS | Retrieve a set of Global Settings which are applicable to all provisioned AWS accounts |
GetAzureInstallScript | Kubernetes Protection | Provides the script to run for a given tenant id and subscription IDs. |
GetAzureTenantConfig | Kubernetes Protection | Return the azure tenant config. |
GetAzureTenantIDs | Kubernetes Protection | Provides all the azure subscriptions and tenants. |
GetBehaviorDetections | CSPM Registration | Get list of detected behaviors |
GetBehaviors | Incidents | Get details on behaviors by providing behavior IDs |
GetCaseActivityByIds | Message Center | Retrieve activities for given id's |
GetCaseEntitiesByIDs | Message Center | Retrieve message center cases |
getChanges | FileVantage | Retrieve information on changes |
getChildren | MSSP (Flight Control) | Get link to child customer by child CID(s) |
getChildrenV2 | MSSP (Flight Control) | Get link to child customer by child CID(s) |
getCIDGroupById | MSSP (Flight Control) | Deprecated : Please use GET /mssp/entities/cid-groups/v2. Get CID groups by ID. |
getCIDGroupByIdV2 | MSSP (Flight Control) | Get CID Groups by ID. |
getCIDGroupMembersBy | MSSP (Flight Control) | Deprecated : Please use GET /mssp/entities/cid-group-members/v2. Get CID group members by CID group ID. |
getCIDGroupMembersByV2 | MSSP (Flight Control) | Get CID group members by CID Group ID. |
GetClusters | Kubernetes Protection | Provides the clusters acknowledged by the Kubernetes Protection service |
GetCombinedCloudClusters | Kubernetes Protection | Return a combined list of provisioned cloud accounts and known kubernetes clusters. |
GetCombinedSensorInstallersByQuery | Sensor Download | Get sensor installer details by provided query |
getComplianceV1 | Zero Trust Assessment | Get the Zero Trust Assessment compliance report for one customer ID (CID). |
GetConfigurationDetections | CSPM Registration | Get list of active misconfigurations |
GetCredentials | Falcon Container | Gets the registry credentials |
GetCSPMAwsAccount | CSPM Registration | Returns information about the current status of an AWS account. |
GetCSPMAwsAccountScriptsAttachment | CSPM Registration | Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment. |
GetCSPMAwsConsoleSetupURLs | CSPM Registration | Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment. |
GetCSPMAzureAccount | D4C Registration | Return information about Azure account registration |
GetCSPMAzureAccount | CSPM Registration | Return information about Azure account registration |
GetCSPMAzureUserScripts | D4C Registration | Return a script for customer to run in their cloud environment to grant us access to their Azure environment |
GetCSPMAzureUserScriptsAttachment | D4C Registration | Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment |
GetCSPMAzureUserScriptsAttachment | CSPM Registration | Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment |
GetCSPMCGPAccount | D4C Registration | Returns information about the current status of an GCP account. |
GetCSPMGCPUserScripts | D4C Registration | Return a script for customer to run in their cloud environment to grant us access to their GCP environment |
GetCSPMGCPUserScriptsAttachment | D4C Registration | Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment |
GetCSPMPolicy | CSPM Registration | Given a policy ID, returns detailed policy information. |
GetCSPMPolicySettings | CSPM Registration | Returns information about current policy settings. |
GetCSPMScanSchedule | CSPM Registration | Returns scan schedule configuration for one or more cloud platforms. |
GetD4CAwsAccount | D4C Registration | Returns information about the current status of an AWS account. |
GetD4CAWSAccountScriptsAttachment | D4C Registration | Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment. |
GetD4CAwsConsoleSetupURLs | D4C Registration | Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment. |
getDefaultDeviceControlPolicies | Device Control Policies | Retrieve the configuration for the Default Device Control Policy. |
GetDetectSummaries | Detects | View information about detections |
getDeviceControlPolicies | Device Control Policies | Retrieve a set of Device Control Policies by specifying their IDs |
GetDeviceCountCollectionQueriesByFilter | Falcon Complete Dashboard | Retrieve device count collection Ids that match the provided FQL filter, criteria with scrolling enabled |
GetDeviceDetails | Hosts | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. |
GetDeviceDetailsV1 | Hosts | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 500) |
GetDeviceDetailsV2 | Hosts | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 100) |
getEvaluationLogic | Spotlight Evaluation Logic | Get details on evaluation logic items by providing one or more IDs. |
GetEventsBody | Tailored Intelligence | Get event body for the provided event ID |
GetEventsEntities | Tailored Intelligence | Get events entities for specified ids. |
GetExportJobsV1 | Recon | Get the status of export jobs based on their IDs. Export jobs can be launched by calling POST /entities/exports/v1. When a job is complete, use the job ID to download the file(s) associated with it using GET entities/export-files/v1. |
GetFileContentForExportJobsV1 | Recon | Download the file associated with a job ID. |
getFirewallPolicies | Firewall Policies | Retrieve a set of Firewall Policies by specifying their IDs |
GetHelmValuesYaml | Kubernetes Protection | Provides a sample Helm values.yaml file for a customer to install alongside the agent Helm chart |
GetHorizonD4CScripts | D4C Registration | Returns static install scripts for Horizon. |
getHostGroups | Host Group | Retrieve a set of Host Groups by specifying their IDs |
GetImageAssessmentReport | Falcon Container | Retrieve an assessment report for an image by specifying repository and tag. |
GetIncidents | Incidents | Get details on incidents by providing incident IDs |
GetIndicatorsReport | IOC | Launch an indicators report creation job |
GetIntelActorEntities | Intel | Retrieve specific actors using their actor IDs. |
GetIntelIndicatorEntities | Intel | Retrieve specific indicators using their indicator IDs. |
GetIntelReportEntities | Intel | Retrieve specific reports using their report IDs. |
GetIntelReportPDF | Intel | Return a Report PDF attachment |
GetIntelRuleEntities | Intel | Retrieve details for rule sets for the specified ids. |
GetIntelRuleFile | Intel | Download earlier rule sets. |
GetIOAEvents | CSPM Registration | For CSPM IOA events, gets list of IOA events. |
getIOAExclusionsV1 | IOA Exclusions | Get a set of IOA Exclusions by specifying their IDs |
GetIOAUsers | CSPM Registration | For CSPM IOA users, gets list of IOA users. |
GetIOC | IOCs | This operation has been superseded by the IOC.indicator_get_v1 operation and is no longer used. |
GetLatestIntelRuleFile | Intel | Download the latest rule set. |
GetLocations | Kubernetes Protection | Provides the cloud locations acknowledged by the Kubernetes Protection service |
GetMalQueryDownloadV1 | MalQuery | Download a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time |
GetMalQueryEntitiesSamplesFetchV1 | MalQuery | Fetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing |
GetMalQueryMetadataV1 | MalQuery | Retrieve indexed files metadata by their hash |
GetMalQueryQuotasV1 | MalQuery | Get information about search and download quotas in your environment |
GetMalQueryRequestV1 | MalQuery | Check the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time. |
GetMitreReport | Intel | Export Mitre ATT&CK information for a given actor. |
getMLExclusionsV1 | ML Exclusions | Get a set of ML Exclusions by specifying their IDs |
GetNotificationsDetailedTranslatedV1 | Recon | Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.This endpoint will return translated notification content. The only target language available is English. A single notification can be translated per request |
GetNotificationsDetailedV1 | Recon | Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match. |
GetNotificationsExposedDataRecordsV1 | Recon | Get notifications exposed data records based on their IDs. IDs can be retrieved using the GET /queries/notifications-exposed-data-records/v1 endpoint. The associate notification can be fetched using the /entities/notifications/v* endpoints |
GetNotificationsTranslatedV1 | Recon | Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. This endpoint will return translated notification content. The only target language available is English. |
GetNotificationsV1 | Recon | Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. |
GetOnlineState_V1 | Hosts | Get the online status for one or more hosts by specifying each host’s unique ID. |
getPreventionPolicies | Prevention Policy | Retrieve a set of Prevention Policies by specifying their IDs |
GetQuarantineFiles | Quarantine | Get quarantine file metadata for specified ids. |
GetQueriesAlertsV1 | Alerts | Search for alert IDs that match a given query. |
getRemediationsV2 | Spotlight Vulnerabilities | Get details on remediation by providing one or more IDs |
GetReports | Falcon X Sandbox | Get a full sandbox report. |
GetRoles | User Management | Get info about a role |
getRolesByID | MSSP (Flight Control) | Get MSSP Role assignment(s). MSSP Role assignment is of the format :. |
getRTResponsePolicies | Response Policies | Retrieve a set of Response Policies by specifying their IDs |
GetRulesEntities | Tailored Intelligence | Get rules entities for specified ids. |
GetRulesV1 | Recon | Get monitoring rules rules by provided IDs. |
GetSampleV2 | Falcon X Sandbox | Retrieves the file associated with the given ID (SHA256) |
GetSampleV3 | Sample Uploads | Retrieves the file associated with the given ID (SHA256) |
GetScans | Quick Scan | Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute |
GetScansAggregates | Quick Scan | Get scans aggregations as specified via json in request body. |
GetSensorInstallersByQuery | Sensor Download | Get sensor installer IDs by provided query |
GetSensorInstallersCCIDByQuery | Sensor Download | Get CCID to use with sensor installers |
GetSensorInstallersEntities | Sensor Download | Get sensor installer details by provided SHA256 IDs |
getSensorUpdatePolicies | Sensor Update Policy | Retrieve a set of Sensor Update Policies by specifying their IDs |
getSensorUpdatePoliciesV2 | Sensor Update Policy | Retrieve a set of Sensor Update Policies with additional support for uninstall protection by specifying their IDs |
getSensorVisibilityExclusionsV1 | Sensor Visibility Exclusions | Get a set of Sensor Visibility Exclusions by specifying their IDs |
GetStaticScripts | Kubernetes Protection | Gets static bash scripts that are used during registration. |
GetSubmissions | Falcon X Sandbox | Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. |
GetSummaryReports | Falcon X Sandbox | Get a short summary version of a sandbox report. |
getUserGroupMembersByID | MSSP (Flight Control) | Deprecated : Please use GET /mssp/entities/user-group-members/v2. Get user group members by user group ID. |
getUserGroupMembersByIDV2 | MSSP (Flight Control) | Get user group members by user group ID. |
getUserGroupsByID | MSSP (Flight Control) | Deprecated : Please use GET /entities/user-groups/v2. Get user groups by ID. |
getUserGroupsByIDV2 | MSSP (Flight Control) | Get user groups by ID. |
getUserGroupsByID | MSSP (Flight Control) | Get user groups by ID. |
GetUserRoleIds | User Management | Show role IDs of roles assigned to a user. For more information on each role, provide the role ID to /customer/entities/roles/v1 . |
GetVulnerabilities | Intel | Get vulnerabilities |
getVulnerabilities | Spotlight Vulnerabilities | Get details on vulnerabilities by providing one or more IDs |
GrantUserRoleIds | User Management | Assign one or more roles to a user |
ImageMatchesPolicy | Falcon Container | Check if an image matches a policy by specifying repository and tag. |
indicator_aggregate_v1 | IOC | Get Indicators aggregates as specified via json in the request body. |
indicator_combined_v1 | IOC | Get Combined for Indicators. |
indicator_create_v1 | IOC | Create Indicators. |
indicator_delete_v1 | IOC | Delete Indicators by ids. |
indicator_get_v1 | IOC | Get Indicators by ids. |
indicator_search_v1 | IOC | Search for Indicators. |
indicator_update_v1 | IOC | Update Indicators. |
ioc_type_query_v1 | IOC | Query IOC Types. |
listAvailableStreamsOAuth2 | Event Streams | Discover all event streams in your environment |
ListAzureAccounts | Kubernetes Protection | Provides the azure subscriptions registered to Kubernetes Protection |
oauth2AccessToken | OAuth2 | Generate an OAuth2 access token |
oauth2RevokeToken | OAuth2 | Revoke a previously issued OAuth2 access token before the end of its standard 30-minute lifespan. |
PatchAzureServicePrincipal | Kubernetes Protection | Adds the client ID for the given tenant ID to our system |
PatchCSPMAwsAccount | CSPM Registration | Patches a existing account in our system for a customer. |
PatchEntitiesAlertsV1 | Alerts | Perform actions on alerts identified by alert ID(s) in request. |
PerformActionV2 | Hosts | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. |
performDeviceControlPoliciesAction | Device Control Policies | Perform the specified action on the Device Control Policies specified in the request |
performFirewallPoliciesAction | Firewall Policies | Perform the specified action on the Firewall Policies specified in the request |
performGroupAction | Host Group | Perform the specified action on the Host Groups specified in the request |
PerformIncidentAction | Incidents | Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description |
performPreventionPoliciesAction | Prevention Policy | Perform the specified action on the Prevention Policies specified in the request |
performRTResponsePoliciesAction | Response Policies | Perform the specified action on the Response Policies specified in the request |
performSensorUpdatePoliciesAction | Sensor Update Policy | Perform the specified action on the Sensor Update Policies specified in the request |
platform_query_v1 | IOC | Query Platforms. |
PostAggregateAlertsV1 | Alerts | Retrieve aggregates for Alerts across all CIDs. |
PostDeviceDetailsV2 | Hosts | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 5000) |
PostEntitiesAlertsV1 | Alerts | Retrieve all Alerts given their IDs. |
PostMalQueryEntitiesSamplesMultidownloadV1 | MalQuery | Schedule samples for download. Use the result id with the /request endpoint to check if the download is ready after which you can call the /entities/samples-fetch to get the zip |
PostMalQueryExactSearchV1 | MalQuery | Search Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. You can filter results on criteria such as file type, file size and first seen date. Returns a request id which can be used with the /request endpoint |
PostMalQueryFuzzySearchV1 | MalQuery | Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. |
PostMalQueryHuntV1 | MalQuery | Schedule a YARA-based search for execution. Returns a request id which can be used with the /request endpoint |
PostMitreAttacks | Intel | Retrieves report and observable IDs associated with the given actor and attacks. |
PreviewRuleV1 | Recon | Preview rules notification count and distribution. This will return aggregations on: channel, count, site. |
ProcessesRanOn | IOC | Search for processes associated with a custom IOC |
ProvisionAWSAccounts | Cloud Connect AWS | Provision AWS Accounts by specifying details about the accounts to provision |
queriesRolesV1 | User Management | Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /user-management/entities/roles/v1 . |
query_accounts | Discover | Search for accounts in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
query_applications | Discover | Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of applications IDs which match the filter criteria. |
query_events | Firewall Management | Find all event IDs matching the query with filter |
query_firewall_fields | Firewall Management | Get the firewall field specification IDs for the provided platform |
query_hosts | Discover | Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
query_iot_hosts | Discover | Search for IoT assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
query_logins | Discover | Search for logins in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
query_malicious_files | ODS | Query malicious files. |
query_network_locations | Firewall Management | Get a list of network location IDs |
query_patterns | Custom IOA | Get all pattern severity IDs. |
query_platforms | Firewall Management | Get the list of platform names |
query_platformsMixin0 | Custom IOA | Get all platform IDs. |
query_policy_rules | Firewall Management | Find all firewall rule IDs matching the query with filter, and return them in precedence order |
query_rule_groups | Firewall Management | Find all rule group IDs matching the query with filter |
query_rule_groups_full | Custom IOA | Find all rule groups matching the query with optional filter. |
query_rule_groupsMixin0 | Custom IOA | Finds all rule group IDs matching the query with optional filter. |
query_rule_types | Custom IOA | Get all rule type IDs. |
query_rules | Firewall Management | Find all rule IDs matching the query with filter |
query_rulesMixin0 | Custom IOA | Finds all rule IDs matching the query with optional filter. |
query_scan_host_metadata | ODS | Query scan hosts. |
query_scans | ODS | Query Scans. |
query_scheduled_scans | ODS | Query ScheduledScans. |
QueryActionsV1 | Recon | Query actions based on provided criteria. Use the IDs from this response to get the action entities on GET /entities/actions/v1. |
QueryActivityByCaseID | Message Center | Retrieve activities id's for a case |
QueryAllowListFilter | Falcon Complete Dashboard | Retrieve allowlist tickets that match the provided filter criteria with scrolling enabled |
QueryAWSAccounts | Cloud Connect AWS | Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria |
QueryAWSAccountsForIDs | Cloud Connect AWS | Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria |
QueryBehaviors | Incidents | Search for behaviors by providing a FQL filter, sorting, and paging details |
QueryBlockListFilter | Falcon Complete Dashboard | Retrieve block listtickets that match the provided filter criteria with scrolling enabled |
QueryCasesIdsByFilter | Message Center | Retrieve case id's that match the provided filter criteria |
queryChanges | FileVantage | Returns one or more change IDs |
queryChildren | MSSP (Flight Control) | Query for customers linked as children |
queryCIDGroupMembers | MSSP (Flight Control) | Query a CID groups members by associated CID. |
queryCIDGroups | MSSP (Flight Control) | Query CID Groups. |
queryCombinedDeviceControlPolicies | Device Control Policies | Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policies which match the filter criteria |
queryCombinedDeviceControlPolicyMembers | Device Control Policies | Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
queryCombinedFirewallPolicies | Firewall Policies | Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policies which match the filter criteria |
queryCombinedFirewallPolicyMembers | Firewall Policies | Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
queryCombinedGroupMembers | Host Group | Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
queryCombinedHostGroups | Host Group | Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Groups which match the filter criteria |
queryCombinedPreventionPolicies | Prevention Policy | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria |
queryCombinedPreventionPolicyMembers | Prevention Policy | Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
queryCombinedRTResponsePolicies | Response Policies | Search for Response Policies in your environment by providing a FQL filter and paging details. Returns a set of Response Policies which match the filter criteria |
queryCombinedRTResponsePolicyMembers | Response Policies | Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
queryCombinedSensorUpdateBuilds | Sensor Update Policy | Retrieve available builds for use with Sensor Update Policies |
queryCombinedSensorUpdateKernels | Sensor Update Policy | Retrieve kernel compatibility info for Sensor Update Builds |
queryCombinedSensorUpdatePolicies | Sensor Update Policy | Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria |
queryCombinedSensorUpdatePoliciesV2 | Sensor Update Policy | Search for Sensor Update Policies with additional support for uninstall protection in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria |
queryCombinedSensorUpdatePolicyMembers | Sensor Update Policy | Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
QueryDetectionIdsByFilter | Falcon Complete Dashboard | Retrieve DetectionsIds that match the provided FQL filter, criteria with scrolling enabled |
QueryDetects | Detects | Search for detection IDs that match a given query |
queryDeviceControlPolicies | Device Control Policies | Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policy IDs which match the filter criteria |
queryDeviceControlPolicyMembers | Device Control Policies | Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
QueryDeviceLoginHistory | Hosts | Retrieve details about recent login sessions for a set of devices. |
QueryDevicesByFilter | Hosts | Search for hosts in your environment by platform, hostname, IP, and other criteria. |
QueryDevicesByFilterScroll | Hosts | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit) |
QueryEscalationsFilter | Falcon Complete Dashboard | Retrieve escalation tickets that match the provided filter criteria with scrolling enabled |
queryEvaluationLogic | Spotlight Evaluation Logic | Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic IDs which match the filter criteria. |
QueryEvents | Tailored Intelligence | Get events ids that match the provided filter criteria. |
queryFirewallPolicies | Firewall Policies | Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policy IDs which match the filter criteria |
queryFirewallPolicyMembers | Firewall Policies | Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
QueryGetNetworkAddressHistoryV1 | Hosts | Retrieve history of IP and MAC addresses of devices. |
queryGroupMembers | Host Group | Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
QueryHiddenDevices | Hosts | Retrieve hidden hosts that match the provided filter criteria. |
queryHostGroups | Host Group | Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Group IDs which match the filter criteria |
QueryIncidentIdsByFilter | Falcon Complete Dashboard | Retrieve incidents that match the provided filter criteria with scrolling enabled |
QueryIncidents | Incidents | Search for incidents by providing a FQL filter, sorting, and paging details |
QueryIntelActorEntities | Intel | Get info about actors that match provided FQL filters. |
QueryIntelActorIds | Intel | Get actor IDs that match provided FQL filters. |
QueryIntelIndicatorEntities | Intel | Get info about indicators that match provided FQL filters. |
QueryIntelIndicatorIds | Intel | Get indicators IDs that match provided FQL filters. |
QueryIntelReportEntities | Intel | Get info about reports that match provided FQL filters. |
QueryIntelReportIds | Intel | Get report IDs that match provided FQL filters. |
QueryIntelRuleIds | Intel | Search for rule IDs that match provided filter criteria. |
queryIOAExclusionsV1 | IOA Exclusions | Search for IOA exclusions. |
QueryIOCs | IOCs | This operation has been superseded by the IOC.indicator_search_v1 operation and is no longer used. |
queryMLExclusionsV1 | ML Exclusions | Search for ML exclusions. |
QueryMitreAttacks | Intel | Gets MITRE tactics and techniques for the given actor. |
QueryNotificationsExposedDataRecordsV1 | Recon | Query notifications exposed data records based on provided criteria. Use the IDs from this response to get the notification +entities on GET /entities/notifications-exposed-data-records/v1 |
QueryNotificationsV1 | Recon | Query notifications based on provided criteria. Use the IDs from this response to get the notification entities on GET /entities/notifications/v1 or GET /entities/notifications-detailed/v1. |
queryPreventionPolicies | Prevention Policy | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policy IDs which match the filter criteria |
queryPreventionPolicyMembers | Prevention Policy | Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
QueryQuarantineFiles | Quarantine | Get quarantine file ids that match the provided filter criteria. |
QueryRemediationsFilter | Falcon Complete Dashboard | Retrieve remediation tickets that match the provided filter criteria with scrolling enabled |
QueryReports | Falcon X Sandbox | Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria. |
queryRoles | MSSP (Flight Control) | Query links between user groups and CID groups. At least one of CID group ID or user group ID should also be provided. Role ID is optional. |
queriesRolesV1 | User Management | Show role IDs for all roles available in your customer account. Supports Flight Control. |
queryRTResponsePolicies | Response Policies | Search for Response Policies in your environment by providing a FQL filter with sort and/or paging details. This returns a set of Response Policy IDs that match the given criteria. |
queryRTResponsePolicyMembers | Response Policies | Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
QueryRules | Tailored Intelligence | Get rules ids that match the provided filter criteria. |
QueryRulesV1 | Recon | Query monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on /entities/rules/v1. |
QuerySampleV1 | Falcon X Sandbox | Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200 |
querySensorUpdateKernelsDistinct | Sensor Update Policy | Retrieve kernel compatibility info for Sensor Update Builds |
querySensorUpdatePolicies | Sensor Update Policy | Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policy IDs which match the filter criteria |
querySensorUpdatePolicyMembers | Sensor Update Policy | Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
querySensorVisibilityExclusionsV1 | Sensor Visibility Exclusions | Search for sensor visibility exclusions. |
QuerySubmissions | Falcon X Sandbox | Find submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria. |
QuerySubmissionsMixin0 | Quick Scan | Find IDs for submitted scans by providing a FQL filter and paging details. Returns a set of volume IDs that match your criteria. |
queryUserGroupMembers | MSSP (Flight Control) | Query User Group member by User UUID. |
queryUserGroups | MSSP (Flight Control) | Query User Groups. |
queryUserV1 | User Management | List user IDs for all users in your customer account. |
QueryVulnerabilities | Intel | Get vulnerabilities IDs |
queryVulnerabilities | Spotlight Vulnerabilities | Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria |
ReadImageVulnerabilities | Falcon Container | Retrieve known vulnerabilities for the provided image |
ReadRegistryEntities | Falcon Container | Retrieve registry entities associated with the client ID. |
ReadRegistryEntitiesByUUID | Falcon Container | Retrieve registry entities associated with a specific registry entity UUID. |
refreshActiveStreamSession | Event Streams | Refresh an active event stream. Use the URL shown in a GET /sensors/entities/datafeed/v2 response. |
RegenerateAPIKey | Kubernetes Protection | Regenerate API key for docker registry integrations |
report_executions_download_get | Report Executions | Get report entity download |
report_executions_get | Report Executions | Retrieve report details for the provided report IDs. |
report_executions_query | Report Executions | Find all report execution IDs matching the query with filter |
report_executions_retry | Report Executions | This endpoint will be used to retry report executions |
RequestDeviceEnrollmentV3 | Mobile Enrollment | Trigger on-boarding process for a mobile device. |
RetrieveEmailsByCID | User Management | List the usernames (usually an email address) for all users in your customer account |
RetrieveUser | User Management | Get info about a user |
retrieveUsersGETV1 | User Management | Get info about users including their name, UID and CID by providing user UUIDs. |
RetrieveUserUUID | User Management | Get a user's ID by providing a username (usually an email address) |
RetrieveUserUUIDsByCID | User Management | List user IDs for all users in your customer account. For more information on each user, provide the user ID to /users/entities/user/v1 . |
revealUninstallToken | Sensor Update Policy | Reveals an uninstall token for a specific device. To retrieve the bulk maintenance token pass the value 'MAINTENANCE' as the value for 'device_id' |
RevokeUserRoleIds | User Management | Revoke one or more roles from a user |
RTR_AggregateSessions | Real Time Response | Get aggregates on session data. |
RTR_CheckActiveResponderCommandStatus | Real Time Response | Get status of an executed active-responder command on a single host. |
RTR_CheckAdminCommandStatus | Real Time Response Admin | Get status of an executed RTR administrator command on a single host. |
RTR_CheckCommandStatus | Real Time Response | Get status of an executed command on a single host. |
RTR_CreatePut_Files | Real Time Response Admin | Upload a new put-file to use for the RTR put command. |
RTR_CreateScripts | Real Time Response Admin | Upload a new custom-script to use for the RTR runscript command. |
RTR_DeleteFile | Real Time Response | Delete a RTR session file. |
RTR_DeleteFileV2 | Real Time Response | Delete a RTR session file. (Expanded output, use with RTR_ListFilesV2) |
RTR_DeletePut_Files | Real Time Response Admin | Delete a put-file based on the ID given. Can only delete one file at a time. |
RTR_DeleteQueuedSession | Real Time Response | Delete a queued session command |
RTR_DeleteScripts | Real Time Response Admin | Delete a custom-script based on the ID given. Can only delete one script at a time. |
RTR_DeleteSession | Real Time Response | Delete a session. |
RTR_ExecuteActiveResponderCommand | Real Time Response | Execute an active responder command on a single host. |
RTR_ExecuteAdminCommand | Real Time Response Admin | Execute a RTR administrator command on a single host. |
RTR_ExecuteCommand | Real Time Response | Execute a command on a single host. |
RTR_GetExtractedFileContents | Real Time Response | Get RTR extracted file contents for specified session and sha256. |
RTR_GetPut_Files | Real Time Response Admin | Get put-files based on the ID's given. These are used for the RTR put command. |
RTR_GetPut_FilesV2 | Real Time Response Admin | Get put-files based on the ID's given. These are used for the RTR put command. |
RTR_GetScripts | Real Time Response Admin | Get custom-scripts based on the ID's given. These are used for the RTR runscript command. |
RTR_GetScriptsV2 | Real Time Response Admin | Get custom-scripts based on the ID's given. These are used for the RTR runscript command. |
RTR_InitSession | Real Time Response | Initialize a new session with the RTR cloud. |
RTR_ListAllSessions | Real Time Response | Get a list of session_ids. |
RTR_ListFiles | Real Time Response | Get a list of files for the specified RTR session. |
RTR_ListFilesV2 | Real Time Response | Get a list of files for the specified RTR session. (Expanded output detail) |
RTR_ListPut_Files | Real Time Response Admin | Get a list of put-file ID's that are available to the user for the put command. |
RTR_ListQueuedSessions | Real Time Response | Get queued session metadata by session ID. |
RTR_ListScripts | Real Time Response Admin | Get a list of custom-script ID's that are available to the user for the runscript command. |
RTR_ListSessions | Real Time Response | Get session metadata by session id. |
RTR_PulseSession | Real Time Response | Refresh a session timeout on a single host. |
RTR_UpdateScripts | Real Time Response Admin | Upload a new scripts to replace an existing one. |
ScanSamples | Quick Scan | Submit a volume of files for ml scanning. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute |
schedule_scan | ODS | Create ODS scan and start or schedule scan for the given scan request. |
scheduled_reports_get | Scheduled Reports | Retrieve scheduled reports for the provided report IDs. |
scheduled_reports_launch | Scheduled Reports | Launch scheduled reports executions for the provided report IDs. |
scheduled_reports_query | Scheduled Reports | Find all report IDs matching the query with filter |
setDeviceControlPoliciesPrecedence | Device Control Policies | Sets the precedence of Device Control Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
setFirewallPoliciesPrecedence | Firewall Policies | Sets the precedence of Firewall Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
setPreventionPoliciesPrecedence | Prevention Policy | Sets the precedence of Prevention Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
setRTResponsePoliciesPrecedence | Response Policies | Sets the precedence of Response Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
setSensorUpdatePoliciesPrecedence | Sensor Update Policy | Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
severity_query_v1 | IOC | Query Severities. |
Submit | Falcon X Sandbox | Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. |
tokens_create | Installation Tokens | Creates a token. |
tokens_delete | Installation Tokens | Deletes a token immediately. To revoke a token, use PATCH /installation-tokens/entities/tokens/v1 instead. |
tokens_query | Installation Tokens | Search for tokens by providing a FQL filter and paging details. |
tokens_read | Installation Tokens | Gets the details of one or more tokens by id. |
tokens_update | Installation Tokens | Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore. |
TriggerScan | Kubernetes Protection | Triggers a dry run or a full scan of a customer's kubernetes footprint |
update_network_locations | Firewall Management | Updates the network locations provided, and return the ID. |
update_network_locations_metadata | Firewall Management | Updates the network locations metadata such as polling_intervals for the cid |
update_network_locations_precedence | Firewall Management | Updates the network locations precedence according to the list of ids provided. |
update_policy_container | Firewall Management | Update an identified policy container, including local logging functionality. |
update_policy_container_v1 | Firewall Management | Update an identified policy container. WARNING: This endpoint is deprecated in favor of v2, using this endpoint could disable your local logging setting. |
update_rule_group | Firewall Management | Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules |
update_rule_group_validation | Firewall Management | Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules |
update_rule_groupMixin0 | Custom IOA | Update a rule group. The following properties can be modified: name, description, enabled. |
update_rules | Custom IOA | Update rules within a rule group. Return the updated rules. |
UpdateActionV1 | Recon | Update an action for a monitoring rule. |
UpdateAWSAccount | Kubernetes Protection | Updates the AWS account per the query parameters provided |
UpdateAWSAccounts | Cloud Connect AWS | Update AWS Accounts by specifying the ID of the account and details to update |
UpdateCase | Message Center | update an existing case |
updateCIDGroups | MSSP (Flight Control) | Update existing CID Group(s). CID Group ID is expected for each CID Group definition provided in request body. CID Group member(s) remain unaffected. |
UpdateCSPMAzureAccountClientID | D4C Registration | Update an Azure service account in our system by with the user-created client_id created with the public key we've provided |
UpdateCSPMAzureAccountClientID | CSPM Registration | Update an Azure service account in our system by with the user-created client_id created with the public key we've provided |
UpdateCSPMAzureTenantDefaultSubscriptionID | CSPM Registration | Update an Azure default subscription_id in our system for given tenant_id |
UpdateCSPMPolicySettings | CSPM Registration | Updates a policy setting - can be used to override policy severity or to disable a policy entirely. |
UpdateCSPMScanSchedule | CSPM Registration | Updates scan schedule configuration for one or more cloud platforms. |
updateDefaultDeviceControlPolicies | Device Control Policies | Update the configuration for the Default Device Control Policy. |
UpdateDetectsByIdsV2 | Detects | Modify the state, assignee, and visibility of detections |
updateDeviceControlPolicies | Device Control Policies | Update Device Control Policies by specifying the ID of the policy and details to update |
UpdateDeviceTags | Hosts | Append or remove one or more Falcon Grouping Tags on one or more hosts. |
updateFirewallPolicies | Firewall Policies | Update Firewall Policies by specifying the ID of the policy and details to update |
updateHostGroups | Host Group | Update Host Groups by specifying the ID of the group and details to update |
updateIOAExclusionsV1 | IOA Exclusions | Update the IOA exclusions |
UpdateIOC | IOCs | This operation has been superseded by the IOC.indicator_update_v1 operation and is no longer used. |
updateMLExclusionsV1 | ML Exclusions | Update the ML exclusions |
UpdateNotificationsV1 | Recon | Update notification status or assignee. Accepts bulk requests |
updatePreventionPolicies | Prevention Policy | Update Prevention Policies by specifying the ID of the policy and details to update |
UpdateQfByQuery | Quarantine | Apply quarantine file actions by query. |
UpdateQuarantinedDetectsByIds | Quarantine | Apply action by quarantine file ids |
UpdateRegistryEntities | Falcon Container | Update the registry entity, as identified by the entity UUID, using the provided details. |
updateRTResponsePolicies | Response Policies | Update Response Policies by specifying the ID of the policy and details to update |
UpdateRulesV1 | Recon | Update monitoring rules. |
updateSensorUpdatePolicies | Sensor Update Policy | Update Sensor Update Policies by specifying the ID of the policy and details to update |
updateSensorUpdatePoliciesV2 | Sensor Update Policy | Update Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection |
updateSensorVisibilityExclusionsV1 | Sensor Visibility Exclusions | Update the sensor visibility exclusions |
UpdateUser | User Management | Modify an existing user's first or last name |
updateUserV1 | User Management | Modify an existing user's first or last name. Supports Flight Control. |
updateUserGroups | MSSP (Flight Control) | Update existing User Group(s). User Group ID is expected for each User Group definition provided in request body. User Group member(s) remain unaffected. |
UploadSampleV2 | Falcon X Sandbox | Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file. |
UploadSampleV3 | Sample Uploads | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint. |
upsert_network_locations | Firewall Management | Updates the network locations provided, and return the ID. |
userActionV1 | User Management | Apply actions to one or more User. Available action names: reset_2fa, reset_password. |
userRolesActionV1 | User Management | Grant or Revoke one or more role(s) to a user against a CID. |
validate | Custom IOA | Validates field values and checks for matches if a test string is provided. |
validate_filepath_pattern | Firewall Management | Validates that the test pattern matches the executable filepath glob pattern. |
VerifyAWSAccountAccess | Cloud Connect AWS | Performs an Access Verification check on the specified AWS Account IDs |