All Operations by Service Collection

Table of Contents

Alerts
Cloud Connect AWS (Deprecated)
Cloud Snapshots
Configuration Assessment
Configuration Assessment Evaluation Logic
Container Alerts
Container Detections
Container Images
Container Packages
Container Vulnerabilities
CSPM Registration
Custom IOA
Custom Storage
D4C Registration (Deprecated)
Detects
Device Control Policies
Discover
Drift Indicators
Event Streams
Falcon Complete Dashboard
Falcon Container
Falcon Intelligence Sandbox
FDR
FileVantage
Firewall Management
Firewall Policies
Foundry LogScale
Host Group
Hosts
Identity Protection
Image Assessment Policies
Incidents
Installation Tokens
Intel
IOA Exclusions
IOC
IOCs (Deprecated)
Kubernetes Protection
Malquery
Message Center
ML Exclusions
Mobile Enrollment
MSSP (Flight Control)
OAuth2
ODS
Overwatch Dashboard
Prevention Policies
Quarantine
Quick Scan
Real Time Response
Real Time Response Admin
Real Time Response Audit
Recon
Report Executions
Response Policies
Sample Uploads
Scheduled Reports
Sensor Download
Sensor Update Policies
Sensor Visibility Exclusions
Spotlight Evaluation Logic
Spotlight Vulnerabilities
Tailored Intelligence
Unidentified Containers
User Management
Workflows
Zero Trust Assessment

Alerts

Operation ID | Description
PostAggregatesAlertsV1 | Retrieves aggregate values for Alerts across all CIDs
PostAggregatesAlertsV2 | Retrieves aggregate values for Alerts across all CIDs
PostEntitiesAlertsV1 | Retrieves all Alerts given their IDs
PostEntitiesAlertsV2 | Retrieves all Alerts given their composite IDs
PatchEntitiesAlertsV2 | Perform actions on detections identified by detection ID(s) in the request. Each action has a name and a description which describes what the action does. If a request adds and removes tags in a single request, the order of processing is to remove tags before adding new ones.
PatchEntitiesAlertsV3 | Perform actions on detections identified by detection ID(s) in the request. Each action has a name and a description which describes what the action does. If a request adds and removes tags in a single request, the order of processing is to remove tags before adding new ones.
GetQueriesAlertsV1 | Retrieves all Alert IDs that match a given query
GetQueriesAlertsV2 | Retrieves all Alert IDs that match a given query

Cloud Connect AWS

Deprecated: This service collection has been deprecated.

Operation ID | Description
QueryAWSAccounts | Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria
GetAWSSettings | Retrieve a set of Global Settings which are applicable to all provisioned AWS accounts
GetAWSAccounts | Retrieve a set of AWS Accounts by specifying their IDs
ProvisionAWSAccounts | Provision AWS Accounts by specifying details about the accounts to provision
DeleteAWSAccounts | Delete a set of AWS Accounts by specifying their IDs
UpdateAWSAccounts | Update AWS Accounts by specifying the ID of the account and details to update
CreateOrUpdateAWSSettings | Create or update Global Settings which are applicable to all provisioned AWS accounts
VerifyAWSAccountAccess | Performs an Access Verification check on the specified AWS Account IDs
QueryAWSAccountsForIDs | Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria

Cloud Snapshots

Operation ID | Description
GetCredentialsMixin0 | Retrieve the registry credentials.
CreateInventory | Create inventory from data received from a snapshot.
RegisterCspmSnapshotAccount | Register an account for snapshot scanning.

Configuration Assessment

Operation ID | Description
getCombinedAssessmentsQuery | Search for assessments in your environment by providing an FQL filter and paging details. Returns a set of HostFinding entities which match the filter criteria
getRuleDetails | Get rule details for one or more provided rule IDs

Configuration Assessment Evaluation Logic

Operation ID | Description
getEvaluationLogicMixin0 | Get details on evaluation logic items by providing one or more finding IDs.

Container Alerts

Operation ID | Description
ReadContainerAlertsCountBySeverity | Get Container Alerts by severity
ReadContainerAlertsCount | Search Container Alerts by the provided search criteria
SearchAndReadContainerAlerts | Search Container Alerts by the provided search criteria

Container Detections

Operation ID | Description
ReadDetectionsCountBySeverity | Aggregate counts of detections by severity
ReadDetectionsCountByType | Aggregate counts of detections by detection type
ReadDetectionsCount | Aggregate count of detections
ReadCombinedDetections | Retrieve image assessment detections identified by the provided filter criteria
ReadDetections | Retrieve image assessment detection entities identified by the provided filter criteria
SearchDetections | Retrieve image assessment detection entities identified by the provided filter criteria

Container Images

Operation ID | Description
AggregateImageAssessmentHistory | Image assessment history
AggregateImageCountByBaseOS | Aggregate count of images grouped by Base OS distribution
AggregateImageCountByState | Aggregate count of images grouped by state
AggregateImageCount | Aggregate count of images
GetCombinedImages | Get image assessment results by providing an FQL filter and paging details
CombinedImageByVulnerabilityCount | Retrieve top x images with the most vulnerabilities
CombinedImageDetail | Retrieve image entities identified by the provided filter criteria
ReadCombinedImagesExport | Retrieve images with an option to expand aggregated vulnerabilities/detections
CombinedImageIssuesSummary | Retrieve image issues summary such as Image detections, Runtime detections, Policies, vulnerabilities
CombinedImageVulnerabilitySummary | Aggregates information about vulnerabilities for an image

Container Packages

Operation ID | Description
ReadPackagesCountByZeroDay | Retrieve packages count affected by zero day vulnerabilities
ReadPackagesByFixableVulnCount | Retrieve top x app packages with the most fixable vulnerabilities
ReadPackagesByVulnCount | Retrieve top x packages with the most vulnerabilities
ReadPackagesCombinedExport | Retrieve packages identified by the provided filter criteria for the purpose of export
ReadPackagesCombined | Retrieve packages identified by the provided filter criteria

Container Vulnerabilities

Operation ID | Description
ReadVulnerabilityCountByActivelyExploited | Aggregate count of vulnerabilities grouped by actively exploited
ReadVulnerabilityCountByCPSRating | Aggregate count of vulnerabilities grouped by csp_rating
ReadVulnerabilityCountByCVSSScore | Aggregate count of vulnerabilities grouped by cvss score
ReadVulnerabilityCountBySeverity | Aggregate count of vulnerabilities grouped by severity
ReadVulnerabilityCount | Aggregate count of vulnerabilities
ReadVulnerabilitiesByImageCount | Retrieve top x vulnerabilities with the most impacted images
ReadVulnerabilitiesPublicationDate | Retrieve top x vulnerabilities with the most recent publication date
ReadCombinedVulnerabilitiesDetails | Retrieve vulnerability details related to an image
ReadCombinedVulnerabilitiesInfo | Retrieve vulnerability and package related info for this customer
ReadCombinedVulnerabilities | Retrieve vulnerability and aggregate data filtered by the provided FQL

CSPM Registration

Operation ID | Description
GetCSPMAwsAccount | Returns information about the current status of an AWS account.
CreateCSPMAwsAccount | Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access.
DeleteCSPMAwsAccount | Deletes an existing AWS account or organization in our system.
PatchCSPMAwsAccount | Patches an existing account in our system for a customer.
GetCSPMAwsConsoleSetupURLs | Return a URL for the customer to visit in their cloud environment to grant us access to their AWS environment.
GetCSPMAwsAccountScriptsAttachment | Return a script for the customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment.
GetCSPMAzureAccount | Return information about Azure account registration
CreateCSPMAzureAccount | Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.
DeleteCSPMAzureAccount | Deletes an Azure subscription from the system.
UpdateCSPMAzureAccountClientID | Update an Azure service account in our system with the user-created client_id created with the public key we've provided
UpdateCSPMAzureTenantDefaultSubscriptionID | Update an Azure default subscription_id in our system for a given tenant_id.
AzureDownloadCertificate | Returns JSON object(s) that contain the base64 encoded certificate for a service principal.
GetCSPMAzureUserScriptsAttachment | Return a script for the customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment
GetBehaviorDetections | Get list of detected behaviors
GetConfigurationDetections | Get list of active misconfigurations
GetConfigurationDetectionEntities | Get misconfigurations based on the ID, including custom policy detections in addition to default policy detections.
GetConfigurationDetectionIDsV2 | Get list of active misconfiguration IDs, including custom policy detections in addition to default policy detections.
GetIOAEvents | For CSPM IOA events, gets list of IOA events.
GetIOAUsers | For CSPM IOA users, gets list of IOA users.
GetCSPMPolicy | Given a policy ID, returns detailed policy information.
GetCSPMPoliciesDetails | Given an array of policy IDs, returns detailed policies information.
GetCSPMPolicySettings | Returns information about current policy settings.
UpdateCSPMPolicySettings | Updates a policy setting; can be used to override policy severity or to disable a policy entirely.
GetCSPMScanSchedule | Returns scan schedule configuration for one or more cloud platforms.
UpdateCSPMScanSchedule | Updates scan schedule configuration for one or more cloud platforms.
GetCSPMAzureManagementGroup | Return information about Azure management group registration
CreateCSPMAzureManagementGroup | Creates a new management group in our system for a customer.
GetCSPMCGPAccount | Returns information about the current status of a GCP account.
CreateCSPMGCPAccount | Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access.
DeleteCSPMGCPAccount | Deletes a GCP account from the system.
UpdateCSPMGCPAccount | Patches an existing account in our system for a customer.
ConnectCSPMGCPAccount | Creates a new GCP account with a newly-uploaded service account, or connects with an existing service account using only the following fields: parent_id, parent_type and service_account_id
GetCSPMGCPServiceAccountsExt | Returns the service account ID and client email for external clients.
GetCSPMGCPUserScriptsAttachment | Return a script for the customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment

Custom IOA

Operation ID | Description
get_patterns | Get pattern severities by ID.
get_platformsMixin0 | Get platforms by ID.
get_rule_groupsMixin0 | Get rule groups by ID.
create_rule_groupMixin0 | Create a rule group for a platform with a name and an optional description. Returns the rule group.
delete_rule_groupsMixin0 | Delete rule groups by ID.
update_rule_groupMixin0 | Update a rule group. The following properties can be modified: name, description, enabled.
get_rule_types | Get rule types by ID.
get_rules_get | Get rules by ID and optionally with cid and/or version in the following format: [cid:]ID[:version].
get_rulesMixin0 | Get rules by ID and optionally with cid and/or version in the following format: [cid:]ID[:version]. The max number of IDs is constrained by URL size.
create_rule | Create a rule within a rule group. Returns the rule.
delete_rules | Delete rules from a rule group by ID.
update_rules | Update rules within a rule group. Return the updated rules.
validate | Validates field values and checks for matches if a test string is provided.
query_patterns | Get all pattern severity IDs.
query_platformsMixin0 | Get all platform IDs.
query_rule_groups_full | Find all rule groups matching the query with optional filter.
query_rule_groupsMixin0 | Finds all rule group IDs matching the query with optional filter.
query_rule_types | Get all rule type IDs.
query_rulesMixin0 | Finds all rule IDs matching the query with optional filter.

Custom Storage

Operation ID | Description
ListObjects | List the object keys in the specified collection in alphabetical order.
SearchObjects | Search for objects that match the specified filter criteria (returns metadata, not actual objects).
GetObject | Get the bytes for the specified object.
PutObject | Put the specified new object at the given key or overwrite an existing object at the given key.
DeleteObject | Delete the specified object.
GetObjectMetadata | Get the metadata for the specified object.

D4C Registration

Deprecated: This service collection has been deprecated.

Operation ID | Description
GetD4CAwsAccount | Returns information about the current status of an AWS account.
CreateD4CAwsAccount | Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access.
DeleteD4CAwsAccount | Deletes an existing AWS account or organization in our system.
GetD4CAwsConsoleSetupURLs | Return a URL for the customer to visit in their cloud environment to grant us access to their AWS environment.
GetD4CAWSAccountScriptsAttachment | Return a script for the customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment.
GetDiscoverCloudAzureAccount | Return information about Azure account registration
GetDiscoverCloudAzureTenantIDs | Return available tenant IDs for Discover for Cloud.
CreateDiscoverCloudAzureAccount | Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.
UpdateDiscoverCloudAzureAccountClientID | Update an Azure service account in our system with the user-created client_id created with the public key we've provided
GetDiscoverCloudAzureUserScriptsAttachment | Return a script for the customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment
GetDiscoverCloudAzureUserScripts | Return a script for the customer to run in their cloud environment to grant us access to their Azure environment
GetDiscoverCloudCGPAccount | Returns information about the current status of a GCP account.
CreateDiscoverCloudGCPAccount | Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access.
DiscoverCloudAzureDownloadCertificate | Returns JSON object(s) that contain the base64 encoded certificate for a service principal.
GetDiscoverCloudGCPUserScriptsAttachment | Return a script for the customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment
GetDiscoverCloudGCPUserScripts | Return a script for the customer to run in their cloud environment to grant us access to their GCP environment
DeleteD4CGCPAccount | Deletes a GCP account from the system.
ConnectD4CGCPAccount | Creates a new GCP account with a newly-uploaded service account, or connects with an existing service account using only the following fields: parent_id, parent_type and service_account_id
GetD4CGCPServiceAccountsExt | Returns the service account ID and client email for external clients.
GetD4CGCPUserScriptsAttachment | Return a script for the customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment

Detects

Operation ID | Description
GetAggregateDetects | Get detect aggregates as specified via JSON in the request body.
UpdateDetectsByIdsV2 | Modify the state, assignee, and visibility of detections
GetDetectSummaries | View information about detections
QueryDetects | Search for detection IDs that match a given query

Device Control Policies

Operation ID | Description
queryCombinedDeviceControlPolicyMembers | Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedDeviceControlPolicies | Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policies which match the filter criteria
getDefaultDeviceControlPolicies | Retrieve the configuration for the Default Device Control Policy.
updateDefaultDeviceControlPolicies | Update the configuration for the Default Device Control Policy.
performDeviceControlPoliciesAction | Perform the specified action on the Device Control Policies specified in the request
setDeviceControlPoliciesPrecedence | Sets the precedence of Device Control Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
getDeviceControlPolicies | Retrieve a set of Device Control Policies by specifying their IDs
createDeviceControlPolicies | Create Device Control Policies by specifying details about the policy to create
deleteDeviceControlPolicies | Delete a set of Device Control Policies by specifying their IDs
updateDeviceControlPolicies | Update Device Control Policies by specifying the ID of the policy and details to update
queryDeviceControlPolicyMembers | Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryDeviceControlPolicies | Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policy IDs which match the filter criteria

Discover

Operation ID | Description
get_accounts | Get details on accounts by providing one or more IDs.
get_applications | Get details on applications by providing one or more IDs.
get_hosts | Get details on assets by providing one or more IDs.
get_iot_hosts | Get details on IoT assets by providing one or more IDs.
get_logins | Get details on logins by providing one or more IDs.
query_accounts | Search for accounts in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_applications | Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria.
query_hosts | Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_iot_hosts | Search for IoT assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_logins | Search for logins in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

Event Streams

Operation ID | Description
refreshActiveStreamSession | Refresh an active event stream. Use the URL shown in a GET /sensors/entities/datafeed/v2 response.
listAvailableStreamsOAuth2 | Discover all event streams in your environment

Falcon Container

Operation ID | Description
GetCombinedImages | Gets image assessment results by providing a FQL filter and paging details.
GetCredentials | Gets the registry credentials.
ReadImageVulnerabilities | Retrieve vulnerabilities for a specified image.
GetImageAssessmentReport | Retrieve an assessment report for an image by specifying repository and tag.
DeleteImageDetails | Delete image details from the CrowdStrike registry.
ImageMatchesPolicy | Check if an image matches a policy by specifying repository and tag.
ReadRegistryEntities | Retrieve registry entities associated with the client ID.
ReadRegistryEntitiesByUUID | Retrieve registry entities associated with a specific registry entity UUID.
DeleteRegistryEntities | Delete registry entities by UUID.
CreateRegistryEntities | Create registry entities using the provided detail.
UpdateRegistryEntities | Update the registry entity, as identified by the entity UUID, using the provided details.

Falcon Complete Dashboard

Operation ID | Description
AggregateAlerts | Retrieve aggregate alert values based on the matched filter
AggregateAllowList | Retrieve aggregate allowlist ticket values based on the matched filter
AggregateBlockList | Retrieve aggregate blocklist ticket values based on the matched filter
AggregateDetections | Retrieve aggregate detection values based on the matched filter
AggregateDeviceCountCollection | Retrieve aggregate host/device count based on the matched filter
AggregateEscalations | Retrieve aggregate escalation ticket values based on the matched filter
AggregateFCIncidents | Retrieve aggregate incident values based on the matched filter
AggregateRemediations | Retrieve aggregate remediation ticket values based on the matched filter
QueryAlertIdsByFilter | Retrieve alert IDs that match the provided filter criteria with scrolling enabled
QueryAllowListFilter | Retrieve allowlist tickets that match the provided filter criteria with scrolling enabled
QueryBlockListFilter | Retrieve blocklist tickets that match the provided filter criteria with scrolling enabled
QueryDetectionIdsByFilter | Retrieve detection IDs that match the provided FQL filter criteria with scrolling enabled
GetDeviceCountCollectionQueriesByFilter | Retrieve device count collection IDs that match the provided FQL filter criteria with scrolling enabled
QueryEscalationsFilter | Retrieve escalation tickets that match the provided filter criteria with scrolling enabled
QueryIncidentIdsByFilter | Retrieve incidents that match the provided filter criteria with scrolling enabled
QueryRemediationsFilter | Retrieve remediation tickets that match the provided filter criteria with scrolling enabled

Falcon Intelligence Sandbox

Operation ID | Description
GetArtifacts | Download IOC packs, PCAP files, and other analysis artifacts.
GetMemoryDumpExtractedStrings | Get extracted strings from a memory dump.
GetMemoryDumpHexDump | Get the hex view of a memory dump.
GetMemoryDump | Get memory dump content, as a binary.
GetSummaryReports | Get a short summary version of a sandbox report.
GetReports | Get a full sandbox report.
DeleteReport | Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint.
GetSubmissions | Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
Submit | Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
QueryReports | Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria.
QuerySubmissions | Find submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria.
GetSampleV2 | Retrieves the file associated with the given ID (SHA256)
UploadSampleV2 | Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file.
DeleteSampleV2 | Removes a sample, including the file, metadata and submissions, from the collection
QuerySampleV1 | Retrieves a list of SHA256 hashes for samples that exist and that the customer has rights to access; the maximum number of accepted items is 200

FDR

Operation ID | Description
fdrschema_combined_event_get | Fetches the combined schema.
fdrschema_entities_event_get | Fetch event schema by ID.
fdrschema_queries_event_get | Get list of event IDs given a particular query.
fdrschema_entities_field_get | Fetch field schema by ID.
fdrschema_queries_field_get | Get list of field IDs given a particular query.

FileVantage

Operation ID | Description
getChanges | Retrieve information on changes.
queryChanges | Returns one or more change IDs.
updatePolicyHostGroups | Manage host groups assigned to a policy.
updatePolicyRuleGroups | Manage the rule groups assigned to the policy or set the rule group precedence for all rule groups within the policy.
updatePolicyPrecedence | Updates the policy precedence for all policies of a specific type.
getPolicies | Retrieves the configuration for one or more policies.
createPolicies | Creates a new policy of the specified type. New policies are always added at the end of the precedence list for the provided policy type.
deletePolicies | Deletes one or more policies.
updatePolicies | Updates the general information of the provided policy.
getScheduledExclusions | Retrieves the configuration for one or more scheduled exclusions from the provided policy ID.
createScheduledExclusions | Creates a new scheduled exclusion configuration for the provided policy ID.
deleteScheduledExclusions | Deletes one or more scheduled exclusions from the provided policy ID.
updateScheduledExclusions | Updates the provided scheduled exclusion configuration within the provided policy.
updateRuleGroupPrecedence | Updates the rule precedence for all rules in the identified rule group.
getRules | Retrieves the configuration for one or more rules.
createRules | Creates a new rule configuration within the specified rule group.
deleteRules | Deletes one or more rules from the specified rule group.
updateRules | Updates the provided rule configuration within the specified rule group.
getRuleGroups | Retrieves the rule group details for one or more rule groups.
createRuleGroups | Creates a new rule group of the specified type.
deleteRuleGroups | Deletes one or more rule groups.
updateRuleGroups | Updates the provided rule group.
highVolumeQueryChanges | Returns a list of Falcon FileVantage change IDs filtered, sorted and limited by the query parameters provided. It can retrieve an unlimited number of results using multiple requests.
queryRulesGroups | Retrieve the IDs of all rule groups that are of the provided rule group type.
queryScheduledExclusions | Retrieve the IDs of all scheduled exclusions contained within the provided policy ID.
queryPolicies | Retrieve the IDs of all policies that are assigned the provided policy type.

Firewall Management

Operation ID | Description
aggregate_events | Aggregate events for customer
aggregate_policy_rules | Aggregate rules within a policy for customer
aggregate_rule_groups | Aggregate rule groups for customer
aggregate_rules | Aggregate rules for customer
get_events | Get events entities by ID and optionally version
get_firewall_fields | Get the firewall field specifications by ID
get_network_locations_details | Get network locations entities by ID
update_network_locations_metadata | Updates the network locations metadata such as polling_intervals for the cid
update_network_locations_precedence | Updates the network locations precedence according to the list of ids provided.
get_network_locations | Get a summary of network locations entities by ID
upsert_network_locations | Updates the network locations provided, and return the ID.
create_network_locations | Create new network locations provided, and return the ID.
delete_network_locations | Delete network location entities by ID.
update_network_locations | Updates the network locations provided, and return the ID.
get_platforms | Get platforms by ID, e.g., windows or mac or droid
get_policy_containers | Get policy container entities by policy ID
update_policy_container_v1 | Update an identified policy container. WARNING: This endpoint is deprecated in favor of v2; using this endpoint could disable your local logging setting.
update_policy_container | Update an identified policy container, including local logging functionality.
get_rule_groups | Get rule group entities by ID. These groups do not contain their rule entities, just the rule IDs in precedence order.
create_rule_group | Create new rule group on a platform for a customer with a name and description, and return the ID
delete_rule_groups | Delete rule group entities by ID
update_rule_group | Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
create_rule_group_validation | Validates the request of creating a new rule group on a platform for a customer with a name and description
update_rule_group_validation | Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
get_rules | Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string)
validate_filepath_pattern | Validates that the test pattern matches the executable filepath glob pattern.
query_events | Find all event IDs matching the query with filter
query_firewall_fields | Get the firewall field specification IDs for the provided platform
query_network_locations | Get a list of network location IDs
query_platforms | Get the list of platform names
query_policy_rules | Find all firewall rule IDs matching the query with filter, and return them in precedence order
query_rule_groups | Find all rule group IDs matching the query with filter
query_rules | Find all rule IDs matching the query with filter

Firewall Policies

Operation ID | Description
queryCombinedFirewallPolicyMembers | Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedFirewallPolicies | Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policies which match the filter criteria
performFirewallPoliciesAction | Perform the specified action on the Firewall Policies specified in the request
setFirewallPoliciesPrecedence | Sets the precedence of Firewall Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
getFirewallPolicies | Retrieve a set of Firewall Policies by specifying their IDs
createFirewallPolicies | Create Firewall Policies by specifying details about the policy to create
deleteFirewallPolicies | Delete a set of Firewall Policies by specifying their IDs
updateFirewallPolicies | Update Firewall Policies by specifying the ID of the policy and details to update
queryFirewallPolicyMembers | Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryFirewallPolicies | Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policy IDs which match the filter criteria

Foundry LogScale

Operation ID | Description
ListReposV1 | Lists available repositories and views.
IngestDataV1 | Ingest data into the application repository.
CreateSavedSearchesDynamicExecuteV1 | Execute a dynamic saved search.
GetSavedSearchesExecuteV1 | Get the results of a saved search.
CreateSavedSearchesExecuteV1 | Execute a saved search.
CreateSavedSearchesIngestV1 | Populate a saved search.
GetSavedSearchesJobResultsDownloadV1 | Get the results of a saved search as a file.
ListViewV1 | List views.

Host Group

Operation ID | Description
queryCombinedGroupMembers | Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedHostGroups | Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Groups which match the filter criteria
performGroupAction | Perform the specified action on the Host Groups specified in the request
getHostGroups | Retrieve a set of Host Groups by specifying their IDs
createHostGroups | Create Host Groups by specifying details about the group to create
deleteHostGroups | Delete a set of Host Groups by specifying their IDs
updateHostGroups | Update Host Groups by specifying the ID of the group and details to update
queryGroupMembers | Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryHostGroups | Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Group IDs which match the filter criteria

Back to Table of Contents

Hosts

| Operation ID | Description |
|---|---|
| QueryDeviceLoginHistory | Retrieve details about recent login sessions for a set of devices. |
| QueryDeviceLoginHistoryV2 | Retrieve details about recent interactive login sessions for a set of devices, powered by the Host Timeline. A maximum of 10 device IDs can be specified. |
| QueryGetNetworkAddressHistoryV1 | Retrieve the history of IP and MAC addresses of devices. |
| PerformActionV2 | Take various actions on the hosts in your environment: contain or lift containment on a host, delete or restore a host. |
| UpdateDeviceTags | Append or remove one or more Falcon Grouping Tags on one or more hosts. |
| GetDeviceDetails | Get details on one or more hosts by providing agent IDs (AIDs). You can get a host's AIDs from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. |
| GetDeviceDetailsV1 (Deprecated) | Get details on one or more hosts by providing agent IDs (AIDs). You can get a host's AIDs from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 500) |
| GetDeviceDetailsV2 | Get details on one or more hosts by providing agent IDs (AIDs). You can get a host's AIDs from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 100) |
| PostDeviceDetailsV2 | Get details on one or more hosts by providing agent IDs (AIDs). You can get a host's AIDs from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 5000) |
| entities_perform_action | Performs the specified action on the provided prevention policy IDs. |
| GetOnlineState_V1 | Get the online status for one or more hosts by specifying each host's unique ID. |
| QueryHiddenDevices | Retrieve hidden hosts that match the provided filter criteria. |
| QueryDevicesByFilterScroll | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination: results are walked with an offset pointer that expires after 2 minutes, and there is no maximum result limit. |
| QueryDevicesByFilter | Search for hosts in your environment by platform, hostname, IP, and other criteria. |
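The two constraints in the Hosts table that bite in practice are the 2-minute lifetime of the QueryDevicesByFilterScroll offset pointer and the per-call ID caps on the details endpoints (5000 for PostDeviceDetailsV2). The following is an added example, not code from this page or from the FalconPy project: it walks the scroll cursor without pausing between pages and only then resolves AIDs in batches that respect the documented maximum. The transport callable, the request paths and the `meta.pagination.offset` / `resources` envelope are assumptions about the REST API; the `FakeHostsApi` class is a constructed stand-in so the code runs offline.

```python
from typing import Callable, Iterator, List, Optional, Sequence

# Transport assumed for this example: call(method, path, params, json_body) -> response dict
Transport = Callable[[str, str, Optional[dict], Optional[dict]], dict]

SCROLL_PAGE = 5000     # page size requested from QueryDevicesByFilterScroll
DETAIL_BATCH = 5000    # PostDeviceDetailsV2 documented maximum number of IDs per call


def scroll_device_ids(call: Transport, fql: str, page: int = SCROLL_PAGE) -> Iterator[str]:
    """Yield every AID matching `fql` using the scroll cursor.

    The offset returned in meta.pagination is a server-side cursor that expires
    after 2 minutes, so the next page is requested immediately; any per-host work
    happens after the ID walk, never between pages.
    """
    offset: Optional[str] = None
    while True:
        params = {"filter": fql, "limit": page}
        if offset:
            params["offset"] = offset
        resp = call("GET", "/devices/queries/devices-scroll/v1", params, None)  # assumed path
        ids = resp.get("resources") or []
        if not ids:
            return
        yield from ids
        offset = (resp.get("meta") or {}).get("pagination", {}).get("offset")
        if not offset:
            return


def chunked(items: Sequence[str], size: int) -> Iterator[Sequence[str]]:
    """Split a sequence into consecutive slices of at most `size` elements."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def device_details(call: Transport, fql: str) -> List[dict]:
    """Resolve all matching AIDs to host records, never exceeding the 5000-ID limit per call."""
    aids = list(scroll_device_ids(call, fql))
    details: List[dict] = []
    for batch in chunked(aids, DETAIL_BATCH):
        resp = call("POST", "/devices/entities/devices/v2", None, {"ids": list(batch)})  # assumed path
        details.extend(resp.get("resources") or [])
    return details


class FakeHostsApi:
    """Constructed offline stand-in holding `count` hosts; records the batch sizes it saw."""

    def __init__(self, count: int) -> None:
        self.aids = [f"aid{i:05d}" for i in range(count)]
        self.scroll_calls = 0
        self.detail_batches: List[int] = []

    def call(self, method: str, path: str, params: Optional[dict], body: Optional[dict]) -> dict:
        if path.endswith("/devices-scroll/v1"):
            self.scroll_calls += 1
            start = int(params.get("offset") or 0)
            end = min(start + params["limit"], len(self.aids))
            nxt = str(end) if end < len(self.aids) else None   # no cursor on the last page
            return {"meta": {"pagination": {"offset": nxt, "total": len(self.aids)}},
                    "resources": self.aids[start:end]}
        if path.endswith("/entities/devices/v2") and method == "POST":
            ids = body["ids"]
            if len(ids) > DETAIL_BATCH:   # mirror the documented cap so oversize batches fail loudly
                return {"errors": [{"code": 400, "message": "too many ids"}], "resources": []}
            self.detail_batches.append(len(ids))
            return {"resources": [{"device_id": a, "hostname": f"host-{a}"} for a in ids]}
        return {"errors": [{"code": 404, "message": "unexpected route"}], "resources": []}


def demo(count: int = 12001):
    """Enumerate `count` constructed hosts: 3 scroll pages and detail batches of 5000/5000/2001."""
    api = FakeHostsApi(count)
    hosts = device_details(api.call, "platform_name:'Windows'")
    return hosts, api


if __name__ == "__main__":
    hosts, api = demo()
    print(len(hosts), api.scroll_calls, api.detail_batches)
```

Because the cursor dies after two minutes of inactivity, anything slow (enrichment, containment decisions, writes to a ticketing system) belongs after `scroll_device_ids` has finished, which is why `device_details` collects the full ID list first.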

Identity Protection

| Operation ID | Description |
|---|---|
| GetSensorAggregates | Get sensor aggregates as specified via JSON in the request body. |
| GetSensorDetails | Get details on one or more sensors by providing device IDs in a POST body. Supports up to a maximum of 5000 IDs. |
| QuerySensorsByFilter | Search for sensors in your environment by hostname, IP, or other criteria. |
| api_preempt_proxy_post_graphql | Identity Protection GraphQL API. Allows retrieval of entities, timeline activities, identity-based incidents and security assessments, and allows actions to be performed on entities and identity-based incidents. |

Image Assessment Policies

| Operation ID | Description |
|---|---|
| ReadPolicies | Get all Image Assessment policies |
| CreatePolicies | Create Image Assessment policies |
| DeletePolicy | Delete an Image Assessment Policy by policy UUID |
| UpdatePolicies | Update Image Assessment Policy entities |
| ReadPolicyExclusions | Retrieve Image Assessment Policy Exclusion entities |
| UpdatePolicyExclusions | Update Image Assessment Policy Exclusion entities |
| ReadPolicyGroups | Retrieve Image Assessment Policy Group entities |
| CreatePolicyGroups | Create Image Assessment Policy Group entities |
| DeletePolicyGroup | Delete Image Assessment Policy Group entities |
| UpdatePolicyGroups | Update Image Assessment Policy Group entities |
| UpdatePolicyPrecedence | Update Image Assessment Policy precedence |

Incidents

| Operation ID | Description |
|---|---|
| CrowdScore | Query the environment-wide CrowdScore and return the entity data |
| GetBehaviors | Get details on behaviors by providing behavior IDs |
| PerformIncidentAction | Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description |
| GetIncidents | Get details on incidents by providing incident IDs |
| QueryBehaviors | Search for behaviors by providing a FQL filter, sorting, and paging details |
| QueryIncidents | Search for incidents by providing a FQL filter, sorting, and paging details |

Installation Tokens

| Operation ID | Description |
|---|---|
| audit_events_read | Gets the details of one or more audit events by ID. |
| customer_settings_read | Check current installation token settings. |
| customer_settings_update | Update installation token settings. |
| tokens_read | Gets the details of one or more tokens by ID. |
| tokens_create | Creates a token. |
| tokens_delete | Deletes a token immediately. To revoke a token, use PATCH /installation-tokens/entities/tokens/v1 instead. |
| tokens_update | Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore. |
| audit_events_query | Search for audit events by providing a FQL filter and paging details. |
| tokens_query | Search for tokens by providing a FQL filter and paging details. |

Intel

| Operation ID | Description |
|---|---|
| QueryIntelActorEntities | Get info about actors that match the provided FQL filters. |
| QueryIntelIndicatorEntities | Get info about indicators that match the provided FQL filters. |
| QueryIntelReportEntities | Get info about reports that match the provided FQL filters. |
| GetIntelActorEntities | Retrieve specific actors using their actor IDs. |
| GetIntelIndicatorEntities | Retrieve specific indicators using their indicator IDs. |
| GetMitreReport | Export MITRE ATT&CK information for a given actor. |
| PostMitreAttacks | Retrieves report and observable IDs associated with the given actor and attacks. |
| GetIntelReportPDF | Return a report PDF attachment |
| GetIntelReportEntities | Retrieve specific reports using their report IDs. |
| GetIntelRuleFile | Download earlier rule sets. |
| GetLatestIntelRuleFile | Download the latest rule set. |
| GetIntelRuleEntities | Retrieve details for rule sets for the specified IDs. |
| GetVulnerabilities | Get vulnerabilities |
| QueryIntelActorIds | Get actor IDs that match the provided FQL filters. |
| QueryMitreAttacks | Gets MITRE tactics and techniques for the given actor. |
| QueryIntelIndicatorIds | Get indicator IDs that match the provided FQL filters. |
| QueryIntelReportIds | Get report IDs that match the provided FQL filters. |
| QueryIntelRuleIds | Search for rule IDs that match the provided filter criteria. |
| QueryVulnerabilities | Get vulnerability IDs |

IOA Exclusions

| Operation ID | Description |
|---|---|
| getIOAExclusionsV1 | Get a set of IOA Exclusions by specifying their IDs |
| createIOAExclusionsV1 | Create the IOA exclusions |
| deleteIOAExclusionsV1 | Delete the IOA exclusions by ID |
| updateIOAExclusionsV1 | Update the IOA exclusions |
| queryIOAExclusionsV1 | Search for IOA exclusions. |

IOC

| Operation ID | Description |
|---|---|
| indicator_get_device_count_v1 | Get the number of devices the indicator has run on |
| indicator_aggregate_v1 | Get indicator aggregates as specified via JSON in the request body. |
| indicator_combined_v1 | Get combined results for indicators. |
| action_get_v1 | Get actions by IDs. |
| GetIndicatorsReport | Launch an indicators report creation job |
| indicator_get_v1 | Get indicators by IDs. |
| indicator_create_v1 | Create indicators. |
| indicator_delete_v1 | Delete indicators by IDs. |
| indicator_update_v1 | Update indicators. |
| action_query_v1 | Query actions. |
| indicator_get_devices_ran_on_v1 | Get the IDs of devices the indicator has run on |
| indicator_get_processes_ran_on_v1 | Get the number of processes the indicator has run on |
| indicator_search_v1 | Search for indicators. |
| DevicesCount | Number of hosts in your customer account that have observed a given custom IOC |
| DevicesRanOn | Find hosts that have observed a given custom IOC. For details about those hosts, use GetDeviceDetails |
| ProcessesRanOn | Search for processes associated with a custom IOC |
| entities_processes | For the provided ProcessID retrieve the process details |
| ioc_type_query_v1 | Query IOC types. |
| platform_query_v1 | Query platforms. |
| severity_query_v1 | Query severities. |

IOCs

Deprecated: this service collection has been deprecated.

| Operation ID | Description |
|---|---|
| DevicesCount | Number of hosts in your customer account that have observed a given custom IOC |
| GetIOC (Deprecated) | Superseded by the IOC.indicator_get_v1 operation and no longer used. |
| CreateIOC (Deprecated) | Superseded by the IOC.indicator_create_v1 operation and no longer used. |
| DeleteIOC (Deprecated) | Superseded by the IOC.indicator_delete_v1 operation and no longer used. |
| UpdateIOC (Deprecated) | Superseded by the IOC.indicator_update_v1 operation and no longer used. |
| DevicesRanOn | Find hosts that have observed a given custom IOC. For details about those hosts, use GetDeviceDetails |
| QueryIOCs (Deprecated) | Superseded by the IOC.indicator_search_v1 operation and no longer used. |
| ProcessesRanOn | Search for processes associated with a custom IOC |
| entities_processes | For the provided ProcessID retrieve the process details |

Kubernetes Protection

| Operation ID | Description |
|---|---|
| ReadClustersByDateRangeCount | Retrieve cluster counts by date range |
| ReadClustersByKubernetesVersionCount | Bucket clusters by Kubernetes version |
| ReadClustersByStatusCount | Bucket clusters by status |
| ReadClusterCount | Retrieve cluster counts |
| ReadContainersByDateRangeCount | Retrieve container counts by date range |
| ReadContainerCountByRegistry | Retrieve top container image registries |
| FindContainersCountAffectedByZeroDayVulnerabilities | Retrieve the count of containers affected by zero-day vulnerabilities |
| ReadVulnerableContainerImageCount | Retrieve the count of vulnerable images running on containers |
| ReadContainerCount | Retrieve container counts |
| FindContainersByContainerRunTimeVersion | Retrieve containers by container_runtime_version |
| GroupContainersByManaged | Group the containers by Managed |
| ReadContainerImageDetectionsCountByDate | Retrieve the count of image assessment detections on running containers over a period of time |
| ReadContainerImagesByState | Retrieve the count of image states running on containers |
| ReadContainersSensorCoverage | Bucket containers by agent type and calculate sensor coverage |
| ReadContainerVulnerabilitiesBySeverityCount | Retrieve container vulnerability counts by severity |
| ReadDeploymentsByDateRangeCount | Retrieve deployment counts by date range |
| ReadDeploymentCount | Retrieve deployment counts |
| ReadClusterEnrichment | Retrieve cluster enrichment data |
| ReadContainerEnrichment | Retrieve container enrichment data |
| ReadDeploymentEnrichment | Retrieve deployment enrichment data |
| ReadNodeEnrichment | Retrieve node enrichment data |
| ReadPodEnrichment | Retrieve pod enrichment data |
| ReadDistinctContainerImageCount | Retrieve the count of distinct images running on containers |
| ReadContainerImagesByMostUsed | Bucket containers by image digest |
| ReadKubernetesIomByDateRange | Returns the count of Kubernetes IOMs by date; by default the range is 7 days. |
| ReadKubernetesIomCount | Returns the total count of Kubernetes IOMs over the past seven days |
| ReadNodesByCloudCount | Bucket nodes by cloud provider |
| ReadNodesByContainerEngineVersionCount | Bucket nodes by their container engine version |
| ReadNodesByDateRangeCount | Retrieve node counts by date range |
| ReadNodeCount | Retrieve node counts |
| ReadPodsByDateRangeCount | Retrieve pod counts by date range |
| ReadPodCount | Retrieve pod counts |
| ReadClusterCombined | Retrieve Kubernetes clusters identified by the provided filter criteria |
| ReadRunningContainerImages | Retrieve images on running containers |
| ReadContainerCombined | Retrieve containers identified by the provided filter criteria |
| ReadDeploymentCombined | Retrieve Kubernetes deployments identified by the provided filter criteria |
| SearchAndReadKubernetesIomEntities | Search Kubernetes IOMs by the provided search criteria |
| ReadNodeCombined | Retrieve Kubernetes nodes identified by the provided filter criteria |
| ReadPodCombined | Retrieve Kubernetes pods identified by the provided filter criteria |
| ReadKubernetesIomEntities | Retrieve Kubernetes IOM entities identified by the provided IDs |
| SearchKubernetesIoms | Search Kubernetes IOMs by the provided search criteria. This endpoint returns a list of Kubernetes IOM UUIDs matching the query |
| GetAWSAccountsMixin0 | Provides a list of AWS accounts. |
| CreateAWSAccount | Creates a new AWS account in our system for a customer and generates the installation script |
| DeleteAWSAccountsMixin0 | Delete AWS accounts. |
| UpdateAWSAccount | Updates the AWS account per the query parameters provided |
| ListAzureAccounts | Provides the Azure subscriptions registered to Kubernetes Protection |
| CreateAzureSubscription | Creates a new Azure subscription in our system |
| DeleteAzureSubscription | Deletes an Azure subscription from our system |
| GetLocations | Provides the cloud locations acknowledged by the Kubernetes Protection service |
| GetCombinedCloudClusters | Return a combined list of provisioned cloud accounts and known Kubernetes clusters. |
| GetAzureTenantConfig | Return the Azure tenant config. |
| GetStaticScripts | Gets static bash scripts that are used during registration. |
| GetAzureTenantIDs | Provides all the Azure subscriptions and tenants. |
| GetAzureInstallScript | Provides the script to run for a given tenant ID and subscription IDs. |
| GetHelmValuesYaml | Provides a sample Helm values.yaml file for a customer to install alongside the agent Helm chart |
| RegenerateAPIKey | Regenerate the API key for Docker registry integrations |
| GetClusters | Provides the clusters acknowledged by the Kubernetes Protection service |
| TriggerScan | Triggers a dry run or a full scan of a customer's Kubernetes footprint |
| PatchAzureServicePrincipal | Adds the client ID for the given tenant ID to our system |

MalQuery

| Operation ID | Description |
|---|---|
| GetMalQueryQuotasV1 | Get information about search and download quotas in your environment |
| PostMalQueryFuzzySearchV1 | Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte-level granularity. |
| GetMalQueryDownloadV1 | Download a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time |
| GetMalQueryMetadataV1 | Retrieve indexed file metadata by hash |
| GetMalQueryRequestV1 | Check the status and results of an asynchronous request, such as a hunt or exact search. Supports a single request ID at this time. |
| GetMalQueryEntitiesSamplesFetchV1 | Fetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing |
| PostMalQueryEntitiesSamplesMultidownloadV1 | Schedule samples for download. Use the result ID with the /request endpoint to check if the download is ready, after which you can call /entities/samples-fetch to get the zip |
| PostMalQueryExactSearchV1 | Search Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte-level granularity. You can filter results on criteria such as file type, file size and first-seen date. Returns a request ID which can be used with the /request endpoint |
| PostMalQueryHuntV1 | Schedule a YARA-based search for execution. Returns a request ID which can be used with the /request endpoint |

Message Center

| Operation ID | Description |
|---|---|
| AggregateCases | Retrieve aggregate case values based on the matched filter |
| GetCaseActivityByIds | Retrieve activities for the given IDs |
| CaseAddActivity | Add an activity to a case. Only activities of type comment are allowed via the API |
| CaseDownloadAttachment | Retrieves an attachment for the case, given the attachment ID |
| CaseAddAttachment | Upload an attachment for the case. |
| CreateCase | Create a new case |
| CreateCaseV2 | Create a new case |
| UpdateCase | Update an existing case |
| GetCaseEntitiesByIDs | Retrieve Message Center cases |
| QueryActivityByCaseID | Retrieve activity IDs for a case |
| QueryCasesIdsByFilter | Retrieve case IDs that match the provided filter criteria |

ML Exclusions

| Operation ID | Description |
|---|---|
| getMLExclusionsV1 | Get a set of ML Exclusions by specifying their IDs |
| createMLExclusionsV1 | Create the ML exclusions |
| deleteMLExclusionsV1 | Delete the ML exclusions by ID |
| updateMLExclusionsV1 | Update the ML exclusions |
| queryMLExclusionsV1 | Search for ML exclusions. |

Mobile Enrollment

| Operation ID | Description |
|---|---|
| RequestDeviceEnrollmentV3 | Trigger the on-boarding process for a mobile device. |

MSSP (Flight Control)

| Operation ID | Description |
|---|---|
| getChildrenV2 | Get link to child customer by child CID(s) |
| getChildren | Get link to child customer by child CID(s) |
| getCIDGroupMembersBy | Get CID group members by CID group ID. |
| getCIDGroupMembersByV2 | Get CID group members by CID group ID. |
| addCIDGroupMembers | Add a new CID Group member. |
| deleteCIDGroupMembers | Delete a CID Group members entry. |
| getCIDGroupById | Get CID groups by ID. |
| createCIDGroups | Create new CID Group(s). Maximum 500 CID Group(s) allowed. |
| deleteCIDGroups | Delete CID groups by ID. |
| updateCIDGroups | Update existing CID Group(s). A CID Group ID is expected for each CID Group definition provided in the request body. CID Group member(s) remain unaffected. |
| getCIDGroupByIdV2 | Get CID Groups by ID. |
| getRolesByID | Get MSSP Role assignment(s). An MSSP Role assignment ID is of the format `user_group_id:cid_group_id`. |
| addRole | Assign new MSSP Role(s) between a User Group and a CID Group. It does not revoke existing role(s) between the User Group and CID Group. User Group ID and CID Group ID have to be specified in the request. |
| deletedRoles | Delete MSSP Role assignment(s) between a User Group and a CID Group. User Group ID and CID Group ID have to be specified in the request. If roles are specified in the request payload, only those roles are removed; if no roles are specified, the association between the User Group and CID Group is dissolved completely. |
| getUserGroupMembersByID | Get user group members by user group ID. |
| addUserGroupMembers | Add a new User Group member. Maximum 500 members allowed per User Group. |
| deleteUserGroupMembers | Delete a User Group members entry. |
| getUserGroupMembersByIDV2 | Get user group members by user group ID. |
| getUserGroupsByID | Get user groups by ID. |
| getUserGroupsByIDV2 | Get user groups by ID. |
| createUserGroups | Create new User Group(s). Maximum 500 User Group(s) allowed per customer. |
| deleteUserGroups | Delete user groups by ID. |
| updateUserGroups | Update existing User Group(s). A User Group ID is expected for each User Group definition provided in the request body. User Group member(s) remain unaffected. |
| queryChildren | Query for customers linked as children |
| queryCIDGroupMembers | Query a CID group's members by associated CID. |
| queryCIDGroups | Query CID Groups. |
| queryRoles | Query links between user groups and CID groups. At least one of CID group ID or user group ID should also be provided. Role ID is optional. |
| queryUserGroupMembers | Query User Group members by User UUID. |
| queryUserGroups | Query User Groups. |

OAuth2

| Operation ID | Description |
|---|---|
| oauth2RevokeToken | Revoke a previously issued OAuth2 access token before the end of its standard 30-minute lifespan. |
| oauth2AccessToken | Generate an OAuth2 access token |
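Every other operation on this page is called with a bearer token from oauth2AccessToken, and the 30-minute lifespan plus oauth2RevokeToken are the two facts a client has to build around: cache the token, refresh it shortly before it expires instead of on the first 401, and revoke it when the job ends so a copy left in a log or a crashed process is useless. The following is an added example, not code from this page or from the FalconPy project. The HTTP transport is injected so it runs offline; the request paths (`/oauth2/token`, `/oauth2/revoke`), the form-field names, the `access_token` / `expires_in` response fields and the use of HTTP Basic client credentials on revocation are assumptions about the REST API, and `FakeFalconAuth` is a constructed stand-in.

```python
import base64
import time
from typing import Callable, Dict, List, Optional, Tuple

# Transport assumed for this example: post(path, form_fields, headers) -> (http_status, json_body)
Transport = Callable[[str, Dict[str, str], Dict[str, str]], Tuple[int, dict]]


class TokenManager:
    """Caches one bearer token and refreshes it before the server-side expiry."""

    SAFETY_MARGIN = 60  # seconds; refresh early so no request is sent with a dying token

    def __init__(self, client_id: str, client_secret: str, post: Transport,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._id = client_id
        self._secret = client_secret
        self._post = post
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0

    def token(self) -> str:
        """Return a usable token, fetching a new one if none is cached or it is near expiry."""
        if self._token is None or self._clock() >= self._expires_at - self.SAFETY_MARGIN:
            self._fetch()
        return self._token  # type: ignore[return-value]

    def _fetch(self) -> None:
        # Assumed wire format: POST /oauth2/token with the client credentials as form fields.
        status, body = self._post(
            "/oauth2/token", {"client_id": self._id, "client_secret": self._secret}, {})
        if status not in (200, 201) or "access_token" not in body:
            raise RuntimeError(f"token request failed: HTTP {status} {body.get('errors')}")
        # Tokens normally live 30 minutes; honour expires_in rather than hard-coding 1800.
        ttl = int(body.get("expires_in", 1799))
        self._token = body["access_token"]
        self._expires_at = self._clock() + ttl
        self.fetch_count += 1

    def revoke(self) -> bool:
        """Revoke the cached token (oauth2RevokeToken) so a leaked copy stops working at once."""
        if self._token is None:
            return False
        # Assumed: /oauth2/revoke authenticates the caller with HTTP Basic client credentials.
        basic = base64.b64encode(f"{self._id}:{self._secret}".encode()).decode()
        status, _ = self._post("/oauth2/revoke", {"token": self._token},
                               {"Authorization": f"Basic {basic}"})
        self._token, self._expires_at = None, 0.0
        return status == 200


class FakeFalconAuth:
    """Constructed stand-in for the auth endpoints so the example runs offline."""

    def __init__(self) -> None:
        self.issued = 0
        self.revoked: List[str] = []

    def post(self, path: str, data: Dict[str, str], headers: Dict[str, str]) -> Tuple[int, dict]:
        if path == "/oauth2/token" and data.get("client_secret") == "secret":
            self.issued += 1
            return 201, {"access_token": f"tok{self.issued}", "expires_in": 1799,
                         "token_type": "bearer"}
        if path == "/oauth2/revoke" and headers.get("Authorization", "").startswith("Basic "):
            self.revoked.append(data["token"])
            return 200, {}
        return 403, {"errors": [{"code": 403, "message": "access denied"}]}


def demo() -> Tuple[str, str, str, bool, FakeFalconAuth]:
    """Walk one token through cache reuse, refresh near the 30-minute mark, and revocation."""
    now = [0.0]
    api = FakeFalconAuth()
    tm = TokenManager("client-id", "secret", api.post, clock=lambda: now[0])
    first = tm.token()        # fetched
    now[0] += 600
    reused = tm.token()       # 10 min later: still fresh, served from cache
    now[0] += 1200
    refreshed = tm.token()    # 30 min later: inside the safety margin, fetched again
    revoked = tm.revoke()     # explicit early revocation at shutdown
    return first, reused, refreshed, revoked, api


if __name__ == "__main__":
    print(demo()[:4])
```

Wrong credentials surface as a `RuntimeError` at the first `token()` call rather than as a confusing 401 from some later operation, and `revoke()` returns `False` when there is nothing to revoke, so it is safe to call unconditionally from a `finally:` block.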

ODS (On Demand Scan)

| Operation ID | Description |
|---|---|
| aggregate_query_scan_host_metadata | Get aggregates on ODS scan-host data. |
| aggregate_scans | Get aggregates on ODS scan data. |
| aggregate_scheduled_scans | Get aggregates on ODS scheduled-scan data. |
| get_malicious_files_by_ids | Get malicious files by IDs. |
| cancel_scans | Cancel ODS scans for the given scan IDs. |
| get_scan_host_metadata_by_ids | Get scan hosts by IDs. |
| get_scans_by_scan_ids | Get scans by IDs. |
| create_scan | Create an ODS scan and start or schedule it for the given scan request. |
| get_scans_by_scan_ids_v2 | Get scans by IDs. |
| get_scheduled_scans_by_scan_ids | Get scheduled scans by IDs. |
| schedule_scan | Create an ODS scan and start or schedule it for the given scan request. |
| delete_scheduled_scans | Delete ODS scheduled scans for the given scheduled-scan IDs. |
| query_malicious_files | Query malicious files. |
| query_scan_host_metadata | Query scan hosts. |
| query_scans | Query scans. |
| query_scheduled_scans | Query scheduled scans. |

Overwatch Dashboard

| Operation ID | Description |
|---|---|
| AggregatesDetectionsGlobalCounts | Get the total number of detections pushed across all customers |
| AggregatesEventsCollections | Get OverWatch detection event collection info by providing an aggregate query |
| AggregatesEvents | Get aggregate OverWatch detection event info by providing an aggregate query |
| AggregatesIncidentsGlobalCounts | Get the total number of incidents pushed across all customers |
| AggregatesOWEventsGlobalCounts | Get the total number of OverWatch events across all customers |

Prevention Policies

| Operation ID | Description |
|---|---|
| queryCombinedPreventionPolicyMembers | Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
| queryCombinedPreventionPolicies | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria |
| performPreventionPoliciesAction | Perform the specified action on the Prevention Policies specified in the request |
| setPreventionPoliciesPrecedence | Sets the precedence of Prevention Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
| getPreventionPolicies | Retrieve a set of Prevention Policies by specifying their IDs |
| createPreventionPolicies | Create Prevention Policies by specifying details about the policy to create |
| deletePreventionPolicies | Delete a set of Prevention Policies by specifying their IDs |
| updatePreventionPolicies | Update Prevention Policies by specifying the ID of the policy and details to update |
| queryPreventionPolicyMembers | Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
| queryPreventionPolicies | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policy IDs which match the filter criteria |

Quarantine

| Operation ID | Description |
|---|---|
| ActionUpdateCount | Returns the count of potentially affected quarantined files for each action. |
| GetAggregateFiles | Get quarantine file aggregates as specified via JSON in the request body. |
| GetQuarantineFiles | Get quarantine file metadata for the specified IDs. |
| UpdateQuarantinedDetectsByIds | Apply an action by quarantine file IDs |
| QueryQuarantineFiles | Get quarantine file IDs that match the provided filter criteria. |
| UpdateQfByQuery | Apply quarantine file actions by query. |

Quick Scan

| Operation ID | Description |
|---|---|
| GetScansAggregates | Get scan aggregations as specified via JSON in the request body. |
| GetScans | Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume, but it should usually take less than 1 minute |
| ScanSamples | Submit a volume of files for ML scanning. Time required for analysis increases with the number of samples in a volume, but it should usually take less than 1 minute |
| QuerySubmissionsMixin0 | Find IDs for submitted scans by providing a FQL filter and paging details. Returns a set of volume IDs that match your criteria. |

Real Time Response

| Operation ID | Description |
|---|---|
| RTR_AggregateSessions | Get aggregates on session data. |
| BatchActiveResponderCmd | Batch executes an RTR active-responder command across the hosts mapped to the given batch ID. |
| BatchCmd | Batch executes an RTR read-only command across the hosts mapped to the given batch ID. |
| BatchGetCmdStatus | Retrieves the status of the specified batch get command. Will return successful files when they are finished processing. |
| BatchGetCmd | Batch executes a get command across hosts to retrieve files. After this call is made, GET /real-time-response/combined/batch-get-command/v1 is used to query for the results. |
| BatchInitSessions | Batch initialize an RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. |
| BatchRefreshSessions | Batch refresh an RTR session on multiple hosts. RTR sessions will expire after 10 minutes unless refreshed. |
| RTR_CheckActiveResponderCommandStatus | Get the status of an executed active-responder command on a single host. |
| RTR_ExecuteActiveResponderCommand | Execute an active-responder command on a single host. |
| RTR_CheckCommandStatus | Get the status of an executed command on a single host. |
| RTR_ExecuteCommand | Execute a command on a single host. |
| RTR_GetExtractedFileContents | Get RTR extracted file contents for the specified session and SHA256. |
| RTR_ListFiles | Get a list of files for the specified RTR session. |
| RTR_ListFilesV2 | Get a list of files for the specified RTR session (expanded output detail). |
| RTR_DeleteFile | Delete an RTR session file. |
| RTR_DeleteFileV2 | Delete an RTR session file (expanded output detail; use with RTR_ListFilesV2). |
| RTR_ListQueuedSessions | Get queued session metadata by session ID. |
| RTR_DeleteQueuedSession | Delete a queued session command |
| RTR_PulseSession | Refresh a session timeout on a single host. |
| RTR_ListSessions | Get session metadata by session ID. |
| RTR_InitSession | Initialize a new session with the RTR cloud. |
| RTR_DeleteSession | Delete a session. |
| RTR_ListAllSessions | Get a list of session IDs. |
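The batch operations above form a small state machine: BatchInitSessions, then commands against the batch ID, with BatchRefreshSessions before the 10-minute expiry, and BatchGetCmd followed by polling BatchGetCmdStatus until the files appear. The following is an added example, not code from this page or from the FalconPy project, that wraps that lifecycle: it refreshes proactively, refuses to use a session it knows has expired, and routes commands through the read-only BatchCmd tier so the token only needs the lowest RTR scope. The transport callable, the `/real-time-response/combined/...` paths, and the response shapes (`batch_id`, `combined.resources`, `batch_get_cmd_req_id`) are assumptions about the REST API; `FakeRtrApi` is a constructed stand-in so it runs offline.

```python
import time
from typing import Callable, Dict, List

# Transport assumed for this example: call(method, path, body_or_params) -> response dict
Transport = Callable[[str, str, dict], dict]

SESSION_TTL = 600       # RTR sessions expire 10 minutes after the last init/refresh
REFRESH_AFTER = 480     # refresh once the session is 8 minutes old (2 minutes of headroom)
BASE = "/real-time-response/combined"   # assumed path prefix for the batch endpoints


class BatchSession:
    """One RTR batch session across many hosts, kept alive with BatchRefreshSessions."""

    def __init__(self, call: Transport, host_ids: List[str],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._call = call
        self._clock = clock
        resp = call("POST", f"{BASE}/batch-init-sessions/v1", {"host_ids": host_ids})
        self.batch_id: str = resp["batch_id"]
        self.hosts: Dict[str, dict] = resp["resources"]   # per-AID session info, incl. errors
        self._last_refresh = clock()
        self.refreshes = 0

    def _keepalive(self) -> None:
        age = self._clock() - self._last_refresh
        if age >= SESSION_TTL:
            raise RuntimeError("batch session expired; initialise a new one")
        if age >= REFRESH_AFTER:
            self._call("POST", f"{BASE}/batch-refresh-sessions/v1", {"batch_id": self.batch_id})
            self._last_refresh = self._clock()
            self.refreshes += 1

    def run(self, command_string: str) -> Dict[str, dict]:
        """Run a read-only command via BatchCmd. Active-responder and admin commands have
        their own endpoints (BatchActiveResponderCmd, BatchAdminCmd) and API scopes."""
        self._keepalive()
        resp = self._call("POST", f"{BASE}/batch-command/v1",
                          {"batch_id": self.batch_id,
                           "base_command": command_string.split()[0],
                           "command_string": command_string})
        return resp["combined"]["resources"]

    def get_file(self, path: str, max_polls: int = 30,
                 wait: Callable[[], None] = lambda: None) -> Dict[str, dict]:
        """BatchGetCmd followed by BatchGetCmdStatus polling until the files are ready."""
        self._keepalive()
        resp = self._call("POST", f"{BASE}/batch-get-command/v1",
                          {"batch_id": self.batch_id, "file_path": path})
        req_id = resp["batch_get_cmd_req_id"]
        for _ in range(max_polls):
            status = self._call("GET", f"{BASE}/batch-get-command/v1",
                                {"batch_get_cmd_req_id": req_id})
            if status.get("resources"):        # files are listed only once processing finishes
                return status["resources"]
            wait()                             # caller-supplied sleep; no-op in the demo
        raise TimeoutError(f"batch get {req_id} not complete after {max_polls} polls")


class FakeRtrApi:
    """Constructed stand-in for the RTR cloud; files become ready on the third status poll."""

    def __init__(self) -> None:
        self.refresh_calls = 0
        self.status_polls = 0

    def call(self, method: str, path: str, body: dict) -> dict:
        if path.endswith("/batch-init-sessions/v1"):
            return {"batch_id": "batch-1",
                    "resources": {aid: {"session_id": f"s-{aid}", "complete": True}
                                  for aid in body["host_ids"]}}
        if path.endswith("/batch-refresh-sessions/v1"):
            self.refresh_calls += 1
            return {"resources": {}}
        if path.endswith("/batch-command/v1"):
            return {"combined": {"resources": {"aid1": {"stdout": "ok", "stderr": ""}}}}
        if path.endswith("/batch-get-command/v1") and method == "POST":
            return {"batch_get_cmd_req_id": "req-1"}
        if path.endswith("/batch-get-command/v1"):
            self.status_polls += 1
            ready = self.status_polls >= 3
            # SHA-256 of empty input, consistent with a constructed zero-byte file
            sha = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
            return {"resources": {"aid1": {"name": "hosts", "sha256": sha, "size": 0}} if ready else {}}
        raise AssertionError(f"unexpected call {method} {path}")


def demo():
    """Fresh session, a refresh at 8+ minutes, a polled file fetch, then an expired session."""
    now = [0.0]
    api = FakeRtrApi()
    s = BatchSession(api.call, ["aid1"], clock=lambda: now[0])
    first = s.run("ls /etc")                 # fresh session, no refresh needed
    now[0] += 500
    second = s.run("ps")                     # 8+ minutes old: refreshed first
    files = s.get_file("/etc/hosts")         # ready on the third status poll
    now[0] += 700
    try:
        s.run("ls")                          # > 10 minutes since refresh: refused
        expired = False
    except RuntimeError:
        expired = True
    return first, second, files, expired, api
```

Only a successful BatchRefreshSessions moves `_last_refresh`; issuing commands is not treated as keeping the session alive, since the page documents the refresh call as the mechanism for extending the 10-minute window.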

Real Time Response Admin

| Operation ID | Description |
|---|---|
| BatchAdminCmd | Batch executes an RTR administrator command across the hosts mapped to the given batch ID. |
| RTR_CheckAdminCommandStatus | Get the status of an executed RTR administrator command on a single host. |
| RTR_ExecuteAdminCommand | Execute an RTR administrator command on a single host. |
| RTR_GetFalconScripts | Get Falcon scripts with metadata and script content |
| RTR_GetPut_Files | Get put-files based on the IDs given. These are used for the RTR put command. |
| RTR_GetPut_FilesV2 | Get put-files based on the IDs given. These are used for the RTR put command. |
| RTR_CreatePut_Files | Upload a new put-file to use for the RTR put command. |
| RTR_DeletePut_Files | Delete a put-file based on the ID given. Can only delete one file at a time. |
| RTR_GetScripts | Get custom scripts based on the IDs given. These are used for the RTR runscript command. |
| RTR_GetScriptsV2 | Get custom scripts based on the IDs given. These are used for the RTR runscript command. |
| RTR_CreateScripts | Upload a new custom script to use for the RTR runscript command. |
| RTR_DeleteScripts | Delete a custom script based on the ID given. Can only delete one script at a time. |
| RTR_UpdateScripts | Upload a new script to replace an existing one. |
| RTR_ListFalconScripts | Get a list of Falcon script IDs available to the user to run |
| RTR_ListPut_Files | Get a list of put-file IDs that are available to the user for the put command. |
| RTR_ListScripts | Get a list of custom-script IDs that are available to the user for the runscript command. |

Real Time Response Audit

| Operation ID | Description |
|---|---|
| RTRAuditSessions | Get all RTR sessions created for a customer during a specified time period. |

Recon

| Operation ID | Description |
|---|---|
| AggregateNotificationsExposedDataRecordsV1 | Get notification exposed data record aggregates as specified via JSON in the request body. The valid aggregation fields are: notification_id, created_date, rule.id, rule.name, rule.topic, source_category, site, author |
| AggregateNotificationsV1 | Get notification aggregates as specified via JSON in the request body. |
| PreviewRuleV1 | Preview a rule's notification count and distribution. Returns aggregations on channel, count and site. |
| GetActionsV1 | Get actions based on their IDs. IDs can be retrieved using the GET /queries/actions/v1 endpoint. |
| CreateActionsV1 | Create actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule. |
| DeleteActionV1 | Delete an action from a monitoring rule based on the action ID. |
| UpdateActionV1 | Update an action for a monitoring rule. |
| GetFileContentForExportJobsV1 | Download the file associated with a job ID. |
| GetExportJobsV1 | Get the status of export jobs based on their IDs. Export jobs can be launched by calling POST /entities/exports/v1. When a job is complete, use the job ID to download the file(s) associated with it using GET /entities/export-files/v1. |
| CreateExportJobsV1 | Launch an asynchronous export job. Use the job ID to poll the status of the job using GET /entities/exports/v1. |
| DeleteExportJobsV1 | Delete export jobs (and their associated file(s)) based on their IDs. |
| GetNotificationsDetailedTranslatedV1 | Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match. This endpoint returns translated notification content; the only target language available is English. A single notification can be translated per request. |
| GetNotificationsDetailedV1 | Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match. |
| GetNotificationsExposedDataRecordsV1 | Get notification exposed data records based on their IDs. IDs can be retrieved using the GET /queries/notifications-exposed-data-records/v1 endpoint. The associated notification can be fetched using the /entities/notifications/v* endpoints. |
| GetNotificationsTranslatedV1 | Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. This endpoint returns translated notification content; the only target language available is English. |
| GetNotificationsV1 | Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. |
| DeleteNotificationsV1 | Delete notifications based on IDs. Notifications cannot be recovered after they are deleted. |
| UpdateNotificationsV1 | Update notification status or assignee. Accepts bulk requests. |
| GetRulesV1 | Get monitoring rules by the provided IDs. |
| CreateRulesV1 | Create monitoring rules. |
| DeleteRulesV1 | Delete monitoring rules. |
| UpdateRulesV1 | Update monitoring rules. |
| QueryActionsV1 | Query actions based on the provided criteria. Use the IDs from this response to get the action entities on GET /entities/actions/v1. |
| QueryNotificationsExposedDataRecordsV1 | Query notification exposed data records based on the provided criteria. Use the IDs from this response to get the entities on GET /entities/notifications-exposed-data-records/v1. |
| QueryNotificationsV1 | Query notifications based on the provided criteria. Use the IDs from this response to get the notification entities on GET /entities/notifications/v1 or GET /entities/notifications-detailed/v1. |
| QueryRulesV1 | Query monitoring rules based on the provided criteria. Use the IDs from this response to fetch the rules on /entities/rules/v1. |

Report Executions

| Operation ID | Description |
|---|---|
| report_executions_download_get | Download a report entity |
| report_executions_retry | Retry report executions |
| report_executions_get | Retrieve report details for the provided report IDs. |
| report_executions_query | Find all report execution IDs matching the query with filter |

Response Policies

Operation ID | Description
queryCombinedRTResponsePolicyMembers | Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria.
queryCombinedRTResponsePolicies | Search for Response Policies in your environment by providing a FQL filter and paging details. Returns a set of Response Policies which match the filter criteria.
performRTResponsePoliciesAction | Perform the specified action on the Response Policies specified in the request.
setRTResponsePoliciesPrecedence | Sets the precedence of Response Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.
getRTResponsePolicies | Retrieve a set of Response Policies by specifying their IDs.
createRTResponsePolicies | Create Response Policies by specifying details about the policy to create.
deleteRTResponsePolicies | Delete a set of Response Policies by specifying their IDs.
updateRTResponsePolicies | Update Response Policies by specifying the ID of the policy and details to update.
queryRTResponsePolicyMembers | Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.
queryRTResponsePolicies | Search for Response Policies in your environment by providing a FQL filter with sort and/or paging details. This returns a set of Response Policy IDs that match the given criteria.

Sample Uploads

Operation ID | Description
ArchiveListV1 | Retrieves the archive files in chunks.
ArchiveGetV1 | Retrieves the archive upload operation statuses. Status done means that the archive was processed successfully. Status error means that the archive was not processed successfully.
ArchiveUploadV1 | Uploads an archive and extracts the file list from it. The operation is asynchronous; use /archives/entities/archives/v1 to check the status. After uploading, use /archives/entities/extractions/v1 to copy the file to internal storage, making it available for content analysis. This method is deprecated in favor of /archives/entities/archives/v2.
ArchiveDeleteV1 | Delete an archive that was uploaded previously.
ArchiveUploadV2 | Uploads an archive and extracts the file list from it. The operation is asynchronous; use /archives/entities/archives/v1 to check the status. After uploading, use /archives/entities/extractions/v1 to copy the file to internal storage, making it available for content analysis.
ExtractionListV1 | Retrieves the file extractions in chunks. Status done means that all files were processed successfully. Status error means that at least one of the files could not be processed.
ExtractionGetV1 | Retrieves the file extraction operation statuses. Status done means that all files were processed successfully. Status error means that at least one of the files could not be processed.
ExtractionCreateV1 | Extracts files from an uploaded archive and copies them to internal storage, making them available for content analysis.
GetSampleV3 | Retrieves the file associated with the given ID (SHA256).
UploadSampleV3 | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint.
DeleteSampleV3 | Removes a sample, including file, metadata and submissions, from the collection.

Scheduled Reports

Operation ID | Description
scheduled_reports_launch | Launch scheduled reports executions for the provided report IDs.
scheduled_reports_get | Retrieve scheduled reports for the provided report IDs.
scheduled_reports_query | Find all report IDs matching the query with filter.

Sensor Download

Operation ID | Description
GetCombinedSensorInstallersByQuery | Get sensor installer details by provided query.
DownloadSensorInstallerById | Download sensor installer by SHA256 ID.
GetSensorInstallersEntities | Get sensor installer details by provided SHA256 IDs.
GetSensorInstallersCCIDByQuery | Get CCID to use with sensor installers.
GetSensorInstallersByQuery | Get sensor installer IDs by provided query.

Sensor Update Policies

Operation ID | Description
revealUninstallToken | Reveals an uninstall token for a specific device. To retrieve the bulk maintenance token, pass the value 'MAINTENANCE' as the value for 'device_id'.
queryCombinedSensorUpdateBuilds | Retrieve available builds for use with Sensor Update Policies.
queryCombinedSensorUpdateKernels | Retrieve kernel compatibility info for Sensor Update Builds.
queryCombinedSensorUpdatePolicyMembers | Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria.
queryCombinedSensorUpdatePolicies | Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria.
queryCombinedSensorUpdatePoliciesV2 | Search for Sensor Update Policies, with additional support for uninstall protection, in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria.
performSensorUpdatePoliciesAction | Perform the specified action on the Sensor Update Policies specified in the request.
setSensorUpdatePoliciesPrecedence | Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.
getSensorUpdatePolicies | Retrieve a set of Sensor Update Policies by specifying their IDs.
createSensorUpdatePolicies | Create Sensor Update Policies by specifying details about the policy to create.
deleteSensorUpdatePolicies | Delete a set of Sensor Update Policies by specifying their IDs.
updateSensorUpdatePolicies | Update Sensor Update Policies by specifying the ID of the policy and details to update.
getSensorUpdatePoliciesV2 | Retrieve a set of Sensor Update Policies, with additional support for uninstall protection, by specifying their IDs.
createSensorUpdatePoliciesV2 | Create Sensor Update Policies by specifying details about the policy to create, with additional support for uninstall protection.
updateSensorUpdatePoliciesV2 | Update Sensor Update Policies by specifying the ID of the policy and details to update, with additional support for uninstall protection.
querySensorUpdateKernelsDistinct | Retrieve kernel compatibility info for Sensor Update Builds.
querySensorUpdatePolicyMembers | Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.
querySensorUpdatePolicies | Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policy IDs which match the filter criteria.

Sensor Visibility Exclusions

Operation ID | Description
getSensorVisibilityExclusionsV1 | Get a set of Sensor Visibility Exclusions by specifying their IDs.
createSVExclusionsV1 | Create the sensor visibility exclusions.
deleteSensorVisibilityExclusionsV1 | Delete the sensor visibility exclusions by ID.
updateSensorVisibilityExclusionsV1 | Update the sensor visibility exclusions.
querySensorVisibilityExclusionsV1 | Search for sensor visibility exclusions.

Spotlight Evaluation Logic

Operation ID | Description
combinedQueryEvaluationLogic | Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic entities which match the filter criteria.
getEvaluationLogic | Get details on evaluation logic items by providing one or more IDs.
queryEvaluationLogic | Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic IDs which match the filter criteria.

Spotlight Vulnerabilities

Operation ID | Description
combinedQueryVulnerabilities | Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria.
getRemediationsV2 | Get details on remediations by providing one or more IDs.
getVulnerabilities | Get details on vulnerabilities by providing one or more IDs.
queryVulnerabilities | Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria.

Tailored Intelligence

Operation ID | Description
GetEventsBody | Get event body for the provided event ID.
GetEventsEntities | Get event entities for specified IDs.
QueryEvents | Get event IDs that match the provided filter criteria.
GetRulesEntities | Get rule entities for specified IDs.
QueryRules | Get rule IDs that match the provided filter criteria.

Unidentified Containers

Operation ID | Description
ReadUnidentifiedContainersByDateRangeCount | Returns the count of Unidentified Containers over the last 7 days.
ReadUnidentifiedContainersCount | Returns the total count of Unidentified Containers over a time period.
SearchAndReadUnidentifiedContainers | Search Unidentified Containers by the provided search criteria.

User Management

Operation ID | Description
combinedUserRolesV1 | Get User Grant(s). This endpoint lists both direct as well as flight control grants between a User and a Customer.
entitiesRolesV1 | Get info about a role.
userActionV1 | Apply actions to one or more users. Available action names: reset_2fa, reset_password. User UUIDs can be provided in the ids param as part of the request payload.
userRolesActionV1 | Grant or revoke one or more role(s) to a user against a CID. User UUID, CID and Role ID(s) can be provided in the request payload. Available action(s): grant, revoke.
retrieveUsersGETV1 | Get info about users, including their name, UID and CID, by providing user UUIDs.
createUserV1 | Create a new user. After creating a user, assign one or more roles with POST '/user-management/entities/user-role-actions/v1'.
deleteUserV1 | Delete a user permanently.
updateUserV1 | Modify an existing user's first or last name.
queriesRolesV1 | Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /user-management/entities/roles/v1.
queryUserV1 | List user IDs for all users in your customer account. For more information on each user, provide the user ID to /user-management/entities/users/GET/v1.
GetRoles | Deprecated: please use GET /user-management/entities/roles/v1. Get info about a role.
GrantUserRoleIds | Deprecated: please use POST /user-management/entities/user-role-actions/v1. Assign one or more roles to a user.
RevokeUserRoleIds | Deprecated: please use POST /user-management/entities/user-role-actions/v1. Revoke one or more roles from a user.
GetAvailableRoleIds | Deprecated: please use GET /user-management/queries/roles/v1. Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /customer/entities/roles/v1.
GetUserRoleIds | Deprecated: please use GET /user-management/combined/user-roles/v1. Show role IDs of roles assigned to a user. For more information on each role, provide the role ID to /customer/entities/roles/v1.
retrieveUser | Deprecated: please use POST /user-management/entities/users/GET/v1. Get info about a user.
CreateUser | Deprecated: please use POST /user-management/entities/users/v1. Create a new user. After creating a user, assign one or more roles with POST /user-roles/entities/user-roles/v1.
DeleteUser | Deprecated: please use DELETE /user-management/entities/users/v1. Delete a user permanently.
UpdateUser | Deprecated: please use PATCH /user-management/entities/users/v1. Modify an existing user's first or last name.
RetrieveEmailsByCID | Deprecated: please use POST /user-management/entities/users/GET/v1. List the usernames (usually an email address) for all users in your customer account.
RetrieveUserUUIDsByCID | Deprecated: please use GET /user-management/queries/users/v1. List user IDs for all users in your customer account. For more information on each user, provide the user ID to /users/entities/user/v1.
RetrieveUserUUID | Deprecated: please use GET /user-management/queries/users/v1. Get a user's ID by providing a username (usually an email address).

Workflows

Operation ID | Description
WorkflowExecute | Executes an on-demand Workflow. The request body is the JSON used to trigger the execution, and the response contains the execution ID(s).
WorkflowExecutionsAction | Allows a user to resume or retry a failed workflow execution.
WorkflowExecutionResults | Get the execution result of a given execution.
WorkflowSystemDefinitionsDeProvision | Deprovisions a system definition that was previously provisioned on the target CID.
WorkflowSystemDefinitionsPromote | Promote a version of a system definition.
WorkflowSystemDefinitionsProvision | Provisions a system definition onto the target CID by using the template and provided parameters.
WorkflowDefinitionsCombined | Search workflow definitions based on the provided filter.
WorkflowExecutionsCombined | Search workflow executions based on the provided filter.
WorkflowDefinitionsExport | Exports a workflow definition for the given definition ID.
WorkflowDefinitionsImport | Imports a workflow definition based on the provided model.
WorkflowDefinitionsUpdate | Updates a workflow definition based on the provided model.
WorkflowGetHumanInputV1 | Gets one or more specific human inputs by their IDs.
WorkflowUpdateHumanInputV1 | Provides an input in response to a human input action. Depending on the action configuration, one or more of Approve, Decline, and/or Escalate are permitted.

Zero Trust Assessment

Operation ID | Description
getAssessmentV1 | Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID) and a customer ID (CID).
getAuditV1 | Get the Zero Trust Assessment audit report for one customer ID (CID).
getAssessmentsByScoreV1 | Get Zero Trust Assessment data for one or more hosts by providing a customer ID (CID) and a range of scores.
