Alphabetical list of all CrowdStrike OAuth2 API operations

Operation IDService CollectionDescription
ActionUpdateCountQuarantineReturns count of potentially affected quarantined files for each action.
addCIDGroupMembersMSSP (Flight Control)Add new CID Group member.
addRoleMSSP (Flight Control)Assign new MSSP Role(s) between User Group and CID Group. It does not revoke existing role(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request.
addUserGroupMembersMSSP (Flight Control)Add new User Group member. Maximum 500 members allowed per User Group.
aggregate_eventsFirewall ManagementAggregate events for customer
aggregate_policy_rulesFirewall ManagementAggregate rules within a policy for customer
aggregate_rule_groupsFirewall ManagementAggregate rule groups for customer
aggregate_rulesFirewall ManagementAggregate rules for customer
AggregateAllowListFalcon Complete DashboardRetrieve aggregate allowlist ticket values based on the matched filter
AggregateBlockListFalcon Complete DashboardRetrieve aggregate blocklist ticket values based on the matched filter
AggregateCasesMessage CenterRetrieve aggregate case values based on the matched filter
AggregateDetectionsFalcon Complete DashboardRetrieve aggregate detection values based on the matched filter
AggregateDeviceCountCollectionFalcon Complete DashboardRetrieve aggregate host/devices count based on the matched filter
AggregateEscalationsFalcon Complete DashboardRetrieve aggregate escalation ticket values based on the matched filter
AggregateFCIncidentsFalcon Complete DashboardRetrieve aggregate incident values based on the matched filter
AggregateNotificationsV1ReconGet notification aggregates as specified via JSON in request body.
AggregateRemediationsFalcon Complete DashboardRetrieve aggregate remediation ticket values based on the matched filter
AggregatesDetectionsGlobalCountsOverwatch DashboardGet the total number of detections pushed across all customers
AggregatesEventsOverwatch DashboardGet aggregate OverWatch detection event info by providing an aggregate query
AggregatesEventsCollectionsOverwatch DashboardGet OverWatch detection event collection info by providing an aggregate query
AggregatesIncidentsGlobalCountsOverwatch DashboardGet the total number of incidents pushed across all customers
AggregatesOWEventsGlobalCountsOverwatch DashboardGet the total number of OverWatch events across all customers
api_preempt_proxy_post_graphqlIdentity ProtectionIdentity Protection GraphQL API. Allows to retrieve entities, timeline activities, identity-based incidents and security assessment. Allows to perform actions on entities and identity-based incidents.
audit_events_queryInstallation TokensSearch for audit events by providing a FQL filter and paging details.
audit_events_readInstallation TokensGets the details of one or more audit events by id.
AzureDownloadCertificateCSPM RegistrationReturns JSON object(s) that contain the base64 encoded certificate for a service principal.
BatchActiveResponderCmdReal Time ResponseBatch executes a RTR active-responder command across the hosts mapped to the given batch ID.
BatchAdminCmdReal Time Response AdminBatch executes a RTR administrator command across the hosts mapped to the given batch ID.
BatchCmdReal Time ResponseBatch executes a RTR read-only command across the hosts mapped to the given batch ID.
BatchGetCmdReal Time ResponseBatch executes get command across hosts to retrieve files. After this call is made GET /real-time-response/combined/batch-get-command/v1 is used to query for the results.
BatchGetCmdStatusReal Time ResponseRetrieves the status of the specified batch get command. Will return successful files when they are finished processing.
BatchInitSessionsReal Time ResponseBatch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host.
BatchRefreshSessionsReal Time ResponseBatch refresh a RTR session on multiple hosts. RTR sessions will expire after 10 minutes unless refreshed.
CaseAddActivityMessage CenterAdd an activity to case. Only activities of type comment are allowed via API
CaseAddAttachmentMessage CenterUpload an attachment for the case.
CaseDownloadAttachmentMessage Centerretrieves an attachment for the case, given the attachment id
combinedUserRolesV1User ManagementGet User Grant(s). This operation lists both direct as well as flight control grants between a User and a Customer.
combinedQueryEvaluationLogicSpotlight Evaluation LogicSearch for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic entities which match the filter criteria.
combinedQueryVulnerabilitiesSpotlight VulnerabilitiesSearch for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria
create_ruleCustom IOACreate a rule within a rule group. Returns the rule.
create_rule_groupFirewall ManagementCreate new rule group on a platform for a customer with a name and description, and return the ID
create_rule_groupMixin0Custom IOACreate a rule group for a platform with a name and an optional description. Returns the rule group.
CreateActionsV1ReconCreate actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule.
CreateAWSAccountKubernetes ProtectionCreates a new AWS account in our system for a customer and generates the installation script
CreateCaseMessage Centercreate a new case
createCIDGroupsMSSP (Flight Control)Create new CID Group(s). Maximum 500 CID Group(s) allowed.
CreateCSPMAwsAccountCSPM RegistrationCreates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access.
CreateCSPMAzureAccountD4C RegistrationCreates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.
CreateCSPMAzureAccountCSPM RegistrationCreates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.
CreateCSPMGCPAccountD4C RegistrationCreates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access.
createDeviceControlPoliciesDevice Control PoliciesCreate Device Control Policies by specifying details about the policy to create
createFirewallPoliciesFirewall PoliciesCreate Firewall Policies by specifying details about the policy to create
createHostGroupsHost GroupCreate Host Groups by specifying details about the group to create
createIOAExclusionsV1IOA ExclusionsCreate the IOA exclusions
CreateIOC
Deprecated
IOCsThis operation has been superseded by the IOC.indicator_create_v1 operation and is no longer used.
createMLExclusionsV1ML ExclusionsCreate the ML exclusions
CreateOrUpdateAWSSettingsCloud Connect AWSCreate or update Global Settings which are applicable to all provisioned AWS accounts
createPreventionPoliciesPrevention PolicyCreate Prevention Policies by specifying details about the policy to create
createRTResponsePoliciesResponse PoliciesCreate Response Policies by specifying details about the policy to create
CreateRulesV1ReconCreate monitoring rules.
createSensorUpdatePoliciesSensor Update PolicyCreate Sensor Update Policies by specifying details about the policy to create
createSensorUpdatePoliciesV2Sensor Update PolicyCreate Sensor Update Policies by specifying details about the policy to create with additional support for uninstall protection
createSVExclusionsV1Sensor Visibility ExclusionsCreate the sensor visibility exclusions
CreateUserUser ManagementCreate a new user. After creating a user, assign one or more roles with POST /user-roles/entities/user-roles/v1
createUserV1User ManagementCreate a new user. Supports Flight Control.
createUserGroupsMSSP (Flight Control)Create new User Group(s). Maximum 500 User Group(s) allowed per customer.
CrowdScoreIncidentsQuery environment wide CrowdScore and return the entity data
customer_settings_readInstallation TokensCheck current installation token settings.
delete_rule_groupsFirewall ManagementDelete rule group entities by ID
delete_rule_groupsMixin0Custom IOADelete rule groups by ID.
delete_rulesCustom IOADelete rules from a rule group by ID.
DeleteActionV1ReconDelete an action from a monitoring rule based on the action ID.
DeleteAWSAccountsCloud Connect AWSDelete a set of AWS Accounts by specifying their IDs
DeleteAWSAccountsMixin0Kubernetes ProtectionDelete AWS accounts.
deleteCIDGroupMembersMSSP (Flight Control)Delete CID Group members entry.
deleteCIDGroupsMSSP (Flight Control)Delete CID groups by ID.
DeleteCSPMAwsAccountCSPM RegistrationDeletes an existing AWS account or organization in our system.
DeleteCSPMAzureAccountCSPM RegistrationDeletes an Azure subscription from the system.
deleteDeviceControlPoliciesDevice Control PoliciesDelete a set of Device Control Policies by specifying their IDs
deletedRolesMSSP (Flight Control)Delete MSSP Role assignment(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request. Only specified roles are removed if specified in request payload, else association between User Group and CID Group is dissolved completely (if no roles specified).
deleteFirewallPoliciesFirewall PoliciesDelete a set of Firewall Policies by specifying their IDs
deleteHostGroupsHost GroupDelete a set of Host Groups by specifying their IDs
deleteIOAExclusionsV1IOA ExclusionsDelete the IOA exclusions by id
DeleteIOC
Deprecated
IOCsThis operation has been superseded by the IOC.indicator_delete_v1 operation and is no longer used.
DeleteImageDetailsFalcon ContainerDelete image details from the CrowdStrike registry.
deleteMLExclusionsV1ML ExclusionsDelete the ML exclusions by id
DeleteNotificationsV1ReconDelete notifications based on IDs. Notifications cannot be recovered after they are deleted.
deletePreventionPoliciesPrevention PolicyDelete a set of Prevention Policies by specifying their IDs
DeleteReportFalcon X SandboxDelete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint.
deleteRTResponsePoliciesResponse PoliciesDelete a set of Response Policies by specifying their IDs
DeleteRulesV1ReconDelete monitoring rules.
DeleteSampleV2Falcon X SandboxRemoves a sample, including file, meta and submissions from the collection
DeleteSampleV3Sample UploadsRemoves a sample, including file, meta and submissions from the collection
deleteSensorUpdatePoliciesSensor Update PolicyDelete a set of Sensor Update Policies by specifying their IDs
deleteSensorVisibilityExclusionsV1Sensor Visibility ExclusionsDelete the sensor visibility exclusions by id
DeleteUserUser ManagementDelete a user permanently
deleteUserV1User ManagementDelete a user permanently. Supports Flight Control.
deleteUserGroupMembersMSSP (Flight Control)Delete User Group members entry.
deleteUserGroupsMSSP (Flight Control)Delete user groups by ID.
DevicesCountIOCNumber of hosts in your customer account that have observed a given custom IOC
DevicesRanOnIOCFind hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1
DiscoverCloudAzureDownloadCertificateD4C RegistrationReturns JSON object(s) that contain the base64 encoded certificate for a service principal.
DownloadSensorInstallerByIdSensor DownloadDownload sensor installer by SHA256 ID
entities_processesIOCFor the provided ProcessID retrieve the process details
entitiesRolesV1User ManagementGet information about a role, supports Flight Control.
get_accountsDiscoverGet details on accounts by providing one or more IDs.
GetImageAssessmentReportFalcon ContainerRetrieve an assessment report for an image by specifying repository and tag.
get_eventsFirewall ManagementGet events entities by ID and optionally version
get_firewall_fieldsFirewall ManagementGet the firewall field specifications by ID
get_hostsDiscoverGet details on assets by providing one or more IDs.
get_loginsDiscoverGet details on logins by providing one or more IDs.
get_patternsCustom IOAGet pattern severities by ID.
get_platformsFirewall ManagementGet platforms by ID, e.g., windows or mac or droid
get_platformsMixin0Custom IOAGet platforms by ID.
get_policy_containersFirewall ManagementGet policy container entities by policy ID
get_rule_groupsFirewall ManagementGet rule group entities by ID. These groups do not contain their rule entites, just the rule IDs in precedence order.
get_rule_groupsMixin0Custom IOAGet rule groups by ID.
get_rule_typesCustom IOAGet rule types by ID.
get_rulesFirewall ManagementGet rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string)
get_rules_getCustom IOAGet rules by ID and optionally version in the following format: ID[:version].
get_rulesMixin0Custom IOAGet rules by ID and optionally version in the following format: ID[:version]. The max number of IDs is constrained by URL size.
GetActionsV1ReconGet actions based on their IDs. IDs can be retrieved using the GET /queries/actions/v1 endpoint.
GetAggregateDetectsDetectsGet detect aggregates as specified via json in request body.
GetAggregateFilesQuarantineGet quarantine file aggregates as specified via json in request body.
GetArtifactsFalcon X SandboxDownload IOC packs, PCAP files, and other analysis artifacts.
getAssessmentV1Zero Trust AssessmentGet Zero Trust Assessment data for one or more hosts by providing agent IDs (AID) and a customer ID (CID).
GetAvailableRoleIdsUser ManagementShow role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /customer/entities/roles/v1.
GetAWSAccountsCloud Connect AWSRetrieve a set of AWS Accounts by specifying their IDs
GetAWSAccountsMixin0Kubernetes ProtectionProvides a list of AWS accounts.
GetAWSSettingsCloud Connect AWSRetrieve a set of Global Settings which are applicable to all provisioned AWS accounts
GetBehaviorDetectionsCSPM RegistrationGet list of detected behaviors
GetBehaviorsIncidentsGet details on behaviors by providing behavior IDs
GetCaseActivityByIdsMessage CenterRetrieve activities for given id's
GetCaseEntitiesByIDsMessage CenterRetrieve message center cases
getChangesFileVantageRetrieve information on changes
getChildrenMSSP (Flight Control)Get link to child customer by child CID(s)
getCIDGroupByIdMSSP (Flight Control)Get CID groups by ID.
getCIDGroupMembersByMSSP (Flight Control)Get CID group members by CID group ID.
GetClustersKubernetes ProtectionProvides the clusters acknowledged by the Kubernetes Protection service
GetCombinedSensorInstallersByQuerySensor DownloadGet sensor installer details by provided query
getComplianceV1Zero Trust AssessmentGet the Zero Trust Assessment compliance report for one customer ID (CID).
GetConfigurationDetectionsCSPM RegistrationGet list of active misconfigurations
GetCredentialsFalcon ContainerGets the registry credentials
GetCSPMAwsAccountCSPM RegistrationReturns information about the current status of an AWS account.
GetCSPMAwsAccountScriptsAttachmentCSPM RegistrationReturn a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment.
GetCSPMAwsConsoleSetupURLsCSPM RegistrationReturn a URL for customer to visit in their cloud environment to grant us access to their AWS environment.
GetCSPMAzureAccountD4C RegistrationReturn information about Azure account registration
GetCSPMAzureAccountCSPM RegistrationReturn information about Azure account registration
GetCSPMAzureUserScriptsD4C RegistrationReturn a script for customer to run in their cloud environment to grant us access to their Azure environment
GetCSPMAzureUserScriptsAttachmentD4C RegistrationReturn a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment
GetCSPMAzureUserScriptsAttachmentCSPM RegistrationReturn a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment
GetCSPMCGPAccountD4C RegistrationReturns information about the current status of an GCP account.
GetCSPMGCPUserScriptsD4C RegistrationReturn a script for customer to run in their cloud environment to grant us access to their GCP environment
GetCSPMGCPUserScriptsAttachmentD4C RegistrationReturn a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment
GetCSPMPolicyCSPM RegistrationGiven a policy ID, returns detailed policy information.
GetCSPMPolicySettingsCSPM RegistrationReturns information about current policy settings.
GetCSPMScanScheduleCSPM RegistrationReturns scan schedule configuration for one or more cloud platforms.
GetDetectSummariesDetectsView information about detections
getDeviceControlPoliciesDevice Control PoliciesRetrieve a set of Device Control Policies by specifying their IDs
GetDeviceCountCollectionQueriesByFilterFalcon Complete DashboardRetrieve device count collection Ids that match the provided FQL filter, criteria with scrolling enabled
GetDeviceDetailsHostsGet details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API.
GetDeviceDetailsV1
Deprecated
HostsGet details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 500)
GetDeviceDetailsV2HostsGet details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 100)
getEvaluationLogicSpotlight Evaluation LogicGet details on evaluation logic items by providing one or more IDs.
getFirewallPoliciesFirewall PoliciesRetrieve a set of Firewall Policies by specifying their IDs
GetHelmValuesYamlKubernetes ProtectionProvides a sample Helm values.yaml file for a customer to install alongside the agent Helm chart
getHostGroupsHost GroupRetrieve a set of Host Groups by specifying their IDs
GetIncidentsIncidentsGet details on incidents by providing incident IDs
GetIntelActorEntitiesIntelRetrieve specific actors using their actor IDs.
GetIntelIndicatorEntitiesIntelRetrieve specific indicators using their indicator IDs.
GetIntelReportEntitiesIntelRetrieve specific reports using their report IDs.
GetIntelReportPDFIntelReturn a Report PDF attachment
GetIntelRuleEntitiesIntelRetrieve details for rule sets for the specified ids.
GetIntelRuleFileIntelDownload earlier rule sets.
GetIOAEventsCSPM RegistrationFor CSPM IOA events, gets list of IOA events.
getIOAExclusionsV1IOA ExclusionsGet a set of IOA Exclusions by specifying their IDs
GetIOAUsersCSPM RegistrationFor CSPM IOA users, gets list of IOA users.
GetIOC
Deprecated
IOCsThis operation has been superseded by the IOC.indicator_get_v1 operation and is no longer used.
GetLatestIntelRuleFileIntelDownload the latest rule set.
GetLocationsKubernetes ProtectionProvides the cloud locations acknowledged by the Kubernetes Protection service
GetMalQueryDownloadV1MalQueryDownload a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time
GetMalQueryEntitiesSamplesFetchV1MalQueryFetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing
GetMalQueryMetadataV1MalQueryRetrieve indexed files metadata by their hash
GetMalQueryQuotasV1MalQueryGet information about search and download quotas in your environment
GetMalQueryRequestV1MalQueryCheck the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time.
getMLExclusionsV1ML ExclusionsGet a set of ML Exclusions by specifying their IDs
GetNotificationsDetailedTranslatedV1ReconGet detailed notifications based on their IDs. These include the raw intelligence content that generated the match.This endpoint will return translated notification content. The only target language available is English. A single notification can be translated per request
GetNotificationsDetailedV1ReconGet detailed notifications based on their IDs. These include the raw intelligence content that generated the match.
GetNotificationsTranslatedV1ReconGet notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. This endpoint will return translated notification content. The only target language available is English.
GetNotificationsV1ReconGet notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint.
GetOnlineState_V1HostsGet the online status for one or more hosts by specifying each host’s unique ID.
getPreventionPoliciesPrevention PolicyRetrieve a set of Prevention Policies by specifying their IDs
GetQuarantineFilesQuarantineGet quarantine file metadata for specified ids.
GetQueriesAlertsV1AlertsSearch for alert IDs that match a given query.
getRemediationsV2Spotlight VulnerabilitiesGet details on remediation by providing one or more IDs
GetReportsFalcon X SandboxGet a full sandbox report.
GetRolesUser ManagementGet info about a role
getRolesByIDMSSP (Flight Control)Get MSSP Role assignment(s). MSSP Role assignment is of the format :.
getRTResponsePoliciesResponse PoliciesRetrieve a set of Response Policies by specifying their IDs
GetRulesV1ReconGet monitoring rules rules by provided IDs.
GetSampleV2Falcon X SandboxRetrieves the file associated with the given ID (SHA256)
GetSampleV3Sample UploadsRetrieves the file associated with the given ID (SHA256)
GetScansQuick ScanCheck the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute
GetScansAggregatesQuick ScanGet scans aggregations as specified via json in request body.
GetSensorInstallersByQuerySensor DownloadGet sensor installer IDs by provided query
GetSensorInstallersCCIDByQuerySensor DownloadGet CCID to use with sensor installers
GetSensorInstallersEntitiesSensor DownloadGet sensor installer details by provided SHA256 IDs
getSensorUpdatePoliciesSensor Update PolicyRetrieve a set of Sensor Update Policies by specifying their IDs
getSensorUpdatePoliciesV2Sensor Update PolicyRetrieve a set of Sensor Update Policies with additional support for uninstall protection by specifying their IDs
getSensorVisibilityExclusionsV1Sensor Visibility ExclusionsGet a set of Sensor Visibility Exclusions by specifying their IDs
GetSubmissionsFalcon X SandboxCheck the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
GetSummaryReportsFalcon X SandboxGet a short summary version of a sandbox report.
getUserGroupMembersByIDMSSP (Flight Control)Get user group members by user group ID.
getUserGroupsByIDMSSP (Flight Control)Get user groups by ID.
GetUserRoleIdsUser ManagementShow role IDs of roles assigned to a user. For more information on each role, provide the role ID to /customer/entities/roles/v1.
getVulnerabilitiesSpotlight VulnerabilitiesGet details on vulnerabilities by providing one or more IDs
GrantUserRoleIdsUser ManagementAssign one or more roles to a user
ImageMatchesPolicyFalcon ContainerCheck if an image matches a policy by specifying repository and tag.
indicator_combined_v1IOCGet Combined for Indicators.
indicator_create_v1IOCCreate Indicators.
indicator_delete_v1IOCDelete Indicators by ids.
indicator_get_v1IOCGet Indicators by ids.
indicator_search_v1IOCSearch for Indicators.
indicator_update_v1IOCUpdate Indicators.
listAvailableStreamsOAuth2Event StreamsDiscover all event streams in your environment
oauth2AccessTokenOAuth2Generate an OAuth2 access token
oauth2RevokeTokenOAuth2Revoke a previously issued OAuth2 access token before the end of its standard 30-minute lifespan.
PatchCSPMAwsAccountCSPM RegistrationPatches a existing account in our system for a customer.
PatchEntitiesAlertsV1AlertsPerform actions on alerts identified by alert ID(s) in request.
PerformActionV2HostsTake various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host.
performDeviceControlPoliciesActionDevice Control PoliciesPerform the specified action on the Device Control Policies specified in the request
performFirewallPoliciesActionFirewall PoliciesPerform the specified action on the Firewall Policies specified in the request
performGroupActionHost GroupPerform the specified action on the Host Groups specified in the request
PerformIncidentActionIncidentsPerform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
performPreventionPoliciesActionPrevention PolicyPerform the specified action on the Prevention Policies specified in the request
performRTResponsePoliciesActionResponse PoliciesPerform the specified action on the Response Policies specified in the request
performSensorUpdatePoliciesActionSensor Update PolicyPerform the specified action on the Sensor Update Policies specified in the request
PostAggregateAlertsV1AlertsRetrieve aggregates for Alerts across all CIDs.
PostDeviceDetailsV2HostsGet details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 5000)
PostEntitiesAlertsV1AlertsRetrieve all Alerts given their IDs.
PostMalQueryEntitiesSamplesMultidownloadV1MalQuerySchedule samples for download. Use the result id with the /request endpoint to check if the download is ready after which you can call the /entities/samples-fetch to get the zip
PostMalQueryExactSearchV1MalQuerySearch Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. You can filter results on criteria such as file type, file size and first seen date. Returns a request id which can be used with the /request endpoint
PostMalQueryFuzzySearchV1MalQuerySearch Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity.
PostMalQueryHuntV1MalQuerySchedule a YARA-based search for execution. Returns a request id which can be used with the /request endpoint
PreviewRuleV1ReconPreview rules notification count and distribution. This will return aggregations on: channel, count, site.
ProcessesRanOnIOCSearch for processes associated with a custom IOC
ProvisionAWSAccountsCloud Connect AWSProvision AWS Accounts by specifying details about the accounts to provision
query_accountsDiscoverSearch for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_eventsFirewall ManagementFind all event IDs matching the query with filter
query_firewall_fieldsFirewall ManagementGet the firewall field specification IDs for the provided platform
query_hostsDiscoverSearch for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_loginsDiscoverSearch for logins in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_patternsCustom IOAGet all pattern severity IDs.
query_platformsFirewall ManagementGet the list of platform names
query_platformsMixin0Custom IOAGet all platform IDs.
query_policy_rulesFirewall ManagementFind all firewall rule IDs matching the query with filter, and return them in precedence order
query_rule_groupsFirewall ManagementFind all rule group IDs matching the query with filter
query_rule_groups_fullCustom IOAFind all rule groups matching the query with optional filter.
query_rule_groupsMixin0Custom IOAFinds all rule group IDs matching the query with optional filter.
query_rule_typesCustom IOAGet all rule type IDs.
query_rulesFirewall ManagementFind all rule IDs matching the query with filter
query_rulesMixin0Custom IOAFinds all rule IDs matching the query with optional filter.
QueryActionsV1ReconQuery actions based on provided criteria. Use the IDs from this response to get the action entities on GET /entities/actions/v1.
QueryActivityByCaseIDMessage CenterRetrieve activities id's for a case
QueryAllowListFilterFalcon Complete DashboardRetrieve allowlist tickets that match the provided filter criteria with scrolling enabled
QueryAWSAccountsCloud Connect AWSSearch for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria
QueryAWSAccountsForIDsCloud Connect AWSSearch for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria
QueryBehaviorsIncidentsSearch for behaviors by providing a FQL filter, sorting, and paging details
QueryBlockListFilterFalcon Complete DashboardRetrieve block listtickets that match the provided filter criteria with scrolling enabled
QueryCasesIdsByFilterMessage CenterRetrieve case id's that match the provided filter criteria
queryChangesFileVantageReturns one or more change IDs
queryChildrenMSSP (Flight Control)Query for customers linked as children
queryCIDGroupMembersMSSP (Flight Control)Query a CID groups members by associated CID.
queryCIDGroupsMSSP (Flight Control)Query CID Groups.
queryCombinedDeviceControlPoliciesDevice Control PoliciesSearch for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policies which match the filter criteria
queryCombinedDeviceControlPolicyMembersDevice Control PoliciesSearch for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedFirewallPoliciesFirewall PoliciesSearch for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policies which match the filter criteria
queryCombinedFirewallPolicyMembersFirewall PoliciesSearch for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedGroupMembersHost GroupSearch for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedHostGroupsHost GroupSearch for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Groups which match the filter criteria
queryCombinedPreventionPoliciesPrevention PolicySearch for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria
queryCombinedPreventionPolicyMembersPrevention PolicySearch for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedRTResponsePoliciesResponse PoliciesSearch for Response Policies in your environment by providing a FQL filter and paging details. Returns a set of Response Policies which match the filter criteria
queryCombinedRTResponsePolicyMembersResponse PoliciesSearch for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedSensorUpdateBuildsSensor Update PolicyRetrieve available builds for use with Sensor Update Policies
queryCombinedSensorUpdateKernelsSensor Update PolicyRetrieve kernel compatibility info for Sensor Update Builds
queryCombinedSensorUpdatePoliciesSensor Update PolicySearch for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria
queryCombinedSensorUpdatePoliciesV2Sensor Update PolicySearch for Sensor Update Policies with additional support for uninstall protection in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria
queryCombinedSensorUpdatePolicyMembersSensor Update PolicySearch for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
QueryDetectionIdsByFilterFalcon Complete DashboardRetrieve detection IDs that match the provided FQL filter criteria with scrolling enabled
QueryDetectsDetectsSearch for detection IDs that match a given query
queryDeviceControlPoliciesDevice Control PoliciesSearch for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policy IDs which match the filter criteria
queryDeviceControlPolicyMembersDevice Control PoliciesSearch for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
QueryDeviceLoginHistoryHostsRetrieve details about recent login sessions for a set of devices.
QueryDevicesByFilterHostsSearch for hosts in your environment by platform, hostname, IP, and other criteria.
QueryDevicesByFilterScrollHostsSearch for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)
QueryEscalationsFilterFalcon Complete DashboardRetrieve escalation tickets that match the provided filter criteria with scrolling enabled
queryEvaluationLogicSpotlight Evaluation LogicSearch for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic IDs which match the filter criteria.
queryFirewallPoliciesFirewall PoliciesSearch for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policy IDs which match the filter criteria
queryFirewallPolicyMembersFirewall PoliciesSearch for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
QueryGetNetworkAddressHistoryV1HostsRetrieve history of IP and MAC addresses of devices.
queryGroupMembersHost GroupSearch for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
QueryHiddenDevicesHostsRetrieve hidden hosts that match the provided filter criteria.
queryHostGroupsHost GroupSearch for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Group IDs which match the filter criteria
QueryIncidentIdsByFilterFalcon Complete DashboardRetrieve incidents that match the provided filter criteria with scrolling enabled
QueryIncidentsIncidentsSearch for incidents by providing a FQL filter, sorting, and paging details
QueryIntelActorEntitiesIntelGet info about actors that match provided FQL filters.
QueryIntelActorIdsIntelGet actor IDs that match provided FQL filters.
QueryIntelIndicatorEntitiesIntelGet info about indicators that match provided FQL filters.
QueryIntelIndicatorIdsIntelGet indicator IDs that match provided FQL filters.
QueryIntelReportEntitiesIntelGet info about reports that match provided FQL filters.
QueryIntelReportIdsIntelGet report IDs that match provided FQL filters.
QueryIntelRuleIdsIntelSearch for rule IDs that match provided filter criteria.
queryIOAExclusionsV1IOA ExclusionsSearch for IOA exclusions.
QueryIOCs (Deprecated)IOCsThis operation has been superseded by the IOC.indicator_search_v1 operation and is no longer used.
queryMLExclusionsV1ML ExclusionsSearch for ML exclusions.
QueryNotificationsV1ReconQuery notifications based on provided criteria. Use the IDs from this response to get the notification entities on GET /entities/notifications/v1 or GET /entities/notifications-detailed/v1.
queryPreventionPoliciesPrevention PolicySearch for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policy IDs which match the filter criteria
queryPreventionPolicyMembersPrevention PolicySearch for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
QueryQuarantineFilesQuarantineGet quarantine file ids that match the provided filter criteria.
QueryRemediationsFilterFalcon Complete DashboardRetrieve remediation tickets that match the provided filter criteria with scrolling enabled
QueryReportsFalcon X SandboxFind sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria.
queryRolesMSSP (Flight Control)Query links between user groups and CID groups. At least one of CID group ID or user group ID should also be provided. Role ID is optional.
queriesRolesV1User ManagementShow role IDs for all roles available in your customer account. Supports Flight Control.
queryRTResponsePoliciesResponse PoliciesSearch for Response Policies in your environment by providing a FQL filter with sort and/or paging details. This returns a set of Response Policy IDs that match the given criteria.
queryRTResponsePolicyMembersResponse PoliciesSearch for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
QueryRulesV1ReconQuery monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on /entities/rules/v1.
QuerySampleV1Falcon X SandboxRetrieves a list of the sha256 values of samples that exist and that the customer has rights to access. The maximum number of accepted items is 200.
querySensorUpdateKernelsDistinctSensor Update PolicyRetrieve kernel compatibility info for Sensor Update Builds
querySensorUpdatePoliciesSensor Update PolicySearch for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policy IDs which match the filter criteria
querySensorUpdatePolicyMembersSensor Update PolicySearch for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
querySensorVisibilityExclusionsV1Sensor Visibility ExclusionsSearch for sensor visibility exclusions.
QuerySubmissionsFalcon X SandboxFind submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria.
QuerySubmissionsMixin0Quick ScanFind IDs for submitted scans by providing a FQL filter and paging details. Returns a set of volume IDs that match your criteria.
queryUserGroupMembersMSSP (Flight Control)Query User Group member by User UUID.
queryUserGroupsMSSP (Flight Control)Query User Groups.
queryUserV1User ManagementList user IDs for all users in your customer account.
queryVulnerabilitiesSpotlight VulnerabilitiesSearch for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria
refreshActiveStreamSessionEvent StreamsRefresh an active event stream. Use the URL shown in a GET /sensors/entities/datafeed/v2 response.
RegenerateAPIKeyKubernetes ProtectionRegenerate API key for docker registry integrations
report_executions_download_getReport ExecutionsGet report entity download
report_executions_getReport ExecutionsRetrieve report details for the provided report IDs.
report_executions_queryReport ExecutionsFind all report execution IDs matching the query with filter
report_executions_retryReport ExecutionsThis endpoint will be used to retry report executions
RequestDeviceEnrollmentV3Mobile EnrollmentTrigger on-boarding process for a mobile device.
RetrieveEmailsByCIDUser ManagementList the usernames (usually an email address) for all users in your customer account
RetrieveUserUser ManagementGet info about a user
retrieveUsersGETV1User ManagementGet info about users including their name, UID and CID by providing user UUIDs.
RetrieveUserUUIDUser ManagementGet a user's ID by providing a username (usually an email address)
RetrieveUserUUIDsByCIDUser ManagementList user IDs for all users in your customer account. For more information on each user, provide the user ID to /users/entities/user/v1.
revealUninstallTokenSensor Update PolicyReveals an uninstall token for a specific device. To retrieve the bulk maintenance token, pass the value 'MAINTENANCE' as the value for 'device_id'.
RevokeUserRoleIdsUser ManagementRevoke one or more roles from a user
RTR_AggregateSessionsReal Time ResponseGet aggregates on session data.
RTR_CheckActiveResponderCommandStatusReal Time ResponseGet status of an executed active-responder command on a single host.
RTR_CheckAdminCommandStatusReal Time Response AdminGet status of an executed RTR administrator command on a single host.
RTR_CheckCommandStatusReal Time ResponseGet status of an executed command on a single host.
RTR_CreatePut_FilesReal Time Response AdminUpload a new put-file to use for the RTR put command.
RTR_CreateScriptsReal Time Response AdminUpload a new custom-script to use for the RTR runscript command.
RTR_DeleteFileReal Time ResponseDelete a RTR session file.
RTR_DeleteFileV2Real Time ResponseDelete a RTR session file. (Expanded output, use with RTR_ListFilesV2)
RTR_DeletePut_FilesReal Time Response AdminDelete a put-file based on the ID given. Can only delete one file at a time.
RTR_DeleteQueuedSessionReal Time ResponseDelete a queued session command
RTR_DeleteScriptsReal Time Response AdminDelete a custom-script based on the ID given. Can only delete one script at a time.
RTR_DeleteSessionReal Time ResponseDelete a session.
RTR_ExecuteActiveResponderCommandReal Time ResponseExecute an active responder command on a single host.
RTR_ExecuteAdminCommandReal Time Response AdminExecute a RTR administrator command on a single host.
RTR_ExecuteCommandReal Time ResponseExecute a command on a single host.
RTR_GetExtractedFileContentsReal Time ResponseGet RTR extracted file contents for specified session and sha256.
RTR_GetPut_FilesReal Time Response AdminGet put-files based on the IDs given. These are used for the RTR put command.
RTR_GetPut_FilesV2Real Time Response AdminGet put-files based on the IDs given. These are used for the RTR put command.
RTR_GetScriptsReal Time Response AdminGet custom-scripts based on the IDs given. These are used for the RTR runscript command.
RTR_GetScriptsV2Real Time Response AdminGet custom-scripts based on the IDs given. These are used for the RTR runscript command.
RTR_InitSessionReal Time ResponseInitialize a new session with the RTR cloud.
RTR_ListAllSessionsReal Time ResponseGet a list of session_ids.
RTR_ListFilesReal Time ResponseGet a list of files for the specified RTR session.
RTR_ListFilesV2Real Time ResponseGet a list of files for the specified RTR session. (Expanded output detail)
RTR_ListPut_FilesReal Time Response AdminGet a list of put-file IDs that are available to the user for the put command.
RTR_ListQueuedSessionsReal Time ResponseGet queued session metadata by session ID.
RTR_ListScriptsReal Time Response AdminGet a list of custom-script IDs that are available to the user for the runscript command.
RTR_ListSessionsReal Time ResponseGet session metadata by session id.
RTR_PulseSessionReal Time ResponseRefresh a session timeout on a single host.
RTR_UpdateScriptsReal Time Response AdminUpload a new script to replace an existing one.
ScanSamplesQuick ScanSubmit a volume of files for ML scanning. Time required for analysis increases with the number of samples in a volume, but it should usually take less than 1 minute.
scheduled_reports_getScheduled ReportsRetrieve scheduled reports for the provided report IDs.
scheduled_reports_launchScheduled ReportsLaunch scheduled reports executions for the provided report IDs.
scheduled_reports_queryScheduled ReportsFind all report IDs matching the query with filter
setDeviceControlPoliciesPrecedenceDevice Control PoliciesSets the precedence of Device Control Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
setFirewallPoliciesPrecedenceFirewall PoliciesSets the precedence of Firewall Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
setPreventionPoliciesPrecedencePrevention PolicySets the precedence of Prevention Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
setRTResponsePoliciesPrecedenceResponse PoliciesSets the precedence of Response Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
setSensorUpdatePoliciesPrecedenceSensor Update PolicySets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
SubmitFalcon X SandboxSubmit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
tokens_createInstallation TokensCreates a token.
tokens_deleteInstallation TokensDeletes a token immediately. To revoke a token, use PATCH /installation-tokens/entities/tokens/v1 instead.
tokens_queryInstallation TokensSearch for tokens by providing a FQL filter and paging details.
tokens_readInstallation TokensGets the details of one or more tokens by id.
tokens_updateInstallation TokensUpdates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore.
TriggerScanKubernetes ProtectionTriggers a dry run or a full scan of a customer's kubernetes footprint
update_policy_containerFirewall ManagementUpdate an identified policy container
update_rule_groupFirewall ManagementUpdate name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
update_rule_groupMixin0Custom IOAUpdate a rule group. The following properties can be modified: name, description, enabled.
update_rulesCustom IOAUpdate rules within a rule group. Return the updated rules.
UpdateActionV1ReconUpdate an action for a monitoring rule.
UpdateAWSAccountKubernetes ProtectionUpdates the AWS account per the query parameters provided
UpdateAWSAccountsCloud Connect AWSUpdate AWS Accounts by specifying the ID of the account and details to update
UpdateCaseMessage CenterUpdate an existing case
updateCIDGroupsMSSP (Flight Control)Update existing CID Group(s). CID Group ID is expected for each CID Group definition provided in request body. CID Group member(s) remain unaffected.
UpdateCSPMAzureAccountClientIDD4C RegistrationUpdate an Azure service account in our system with the user-created client_id created with the public key we've provided
UpdateCSPMAzureAccountClientIDCSPM RegistrationUpdate an Azure service account in our system with the user-created client_id created with the public key we've provided
UpdateCSPMAzureTenantDefaultSubscriptionIDCSPM RegistrationUpdate an Azure default subscription_id in our system for given tenant_id
UpdateCSPMPolicySettingsCSPM RegistrationUpdates a policy setting - can be used to override policy severity or to disable a policy entirely.
UpdateCSPMScanScheduleCSPM RegistrationUpdates scan schedule configuration for one or more cloud platforms.
UpdateDetectsByIdsV2DetectsModify the state, assignee, and visibility of detections
updateDeviceControlPoliciesDevice Control PoliciesUpdate Device Control Policies by specifying the ID of the policy and details to update
UpdateDeviceTagsHostsAppend or remove one or more Falcon Grouping Tags on one or more hosts.
updateFirewallPoliciesFirewall PoliciesUpdate Firewall Policies by specifying the ID of the policy and details to update
updateHostGroupsHost GroupUpdate Host Groups by specifying the ID of the group and details to update
updateIOAExclusionsV1IOA ExclusionsUpdate the IOA exclusions
UpdateIOC (Deprecated)IOCsThis operation has been superseded by the IOC.indicator_update_v1 operation and is no longer used.
updateMLExclusionsV1ML ExclusionsUpdate the ML exclusions
UpdateNotificationsV1ReconUpdate notification status or assignee. Accepts bulk requests
updatePreventionPoliciesPrevention PolicyUpdate Prevention Policies by specifying the ID of the policy and details to update
UpdateQfByQueryQuarantineApply quarantine file actions by query.
UpdateQuarantinedDetectsByIdsQuarantineApply action by quarantine file ids
updateRTResponsePoliciesResponse PoliciesUpdate Response Policies by specifying the ID of the policy and details to update
UpdateRulesV1ReconUpdate monitoring rules.
updateSensorUpdatePoliciesSensor Update PolicyUpdate Sensor Update Policies by specifying the ID of the policy and details to update
updateSensorUpdatePoliciesV2Sensor Update PolicyUpdate Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection
updateSensorVisibilityExclusionsV1Sensor Visibility ExclusionsUpdate the sensor visibility exclusions
UpdateUserUser ManagementModify an existing user's first or last name
updateUserV1User ManagementModify an existing user's first or last name. Supports Flight Control.
updateUserGroupsMSSP (Flight Control)Update existing User Group(s). User Group ID is expected for each User Group definition provided in request body. User Group member(s) remain unaffected.
UploadSampleV2Falcon X SandboxUpload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file.
UploadSampleV3Sample UploadsUpload a file for further cloud analysis. After uploading, call the specific analysis API endpoint.
userActionV1User ManagementApply actions to one or more users.
userRolesActionV1User ManagementGrant or Revoke one or more role(s) to a user against a CID.
validateCustom IOAValidates field values and checks for matches if a test string is provided.
VerifyAWSAccountAccessCloud Connect AWSPerforms an Access Verification check on the specified AWS Account IDs