Operations by Collection
Operation ID | Description |
---|---|
PostAggregatesAlertsV1 | retrieves aggregate values for Alerts across all CIDs |
PostAggregatesAlertsV2 | retrieves aggregate values for Alerts across all CIDs |
PostEntitiesAlertsV1 | retrieves all Alerts given their ids |
PostEntitiesAlertsV2 | retrieves all Alerts given their composite ids |
PatchEntitiesAlertsV2 | Perform actions on detections identified by detection ID(s) in request. Each action has a name and a description which describes what the action does. If a request adds and removes tags in a single request, tags are removed before new ones are added. |
PatchEntitiesAlertsV3 | Perform actions on detections identified by detection ID(s) in request. Each action has a name and a description which describes what the action does. If a request adds and removes tags in a single request, tags are removed before new ones are added. |
GetQueriesAlertsV1 | retrieves all Alerts ids that match a given query |
GetQueriesAlertsV2 | retrieves all Alerts ids that match a given query |
Back to Table of Contents
This service collection has been deprecated.
Operation ID | Description |
---|---|
QueryAWSAccounts | Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria |
GetAWSSettings | Retrieve a set of Global Settings which are applicable to all provisioned AWS accounts |
GetAWSAccounts | Retrieve a set of AWS Accounts by specifying their IDs |
ProvisionAWSAccounts | Provision AWS Accounts by specifying details about the accounts to provision |
DeleteAWSAccounts | Delete a set of AWS Accounts by specifying their IDs |
UpdateAWSAccounts | Update AWS Accounts by specifying the ID of the account and details to update |
CreateOrUpdateAWSSettings | Create or update Global Settings which are applicable to all provisioned AWS accounts |
VerifyAWSAccountAccess | Performs an Access Verification check on the specified AWS Account IDs |
QueryAWSAccountsForIDs | Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria |
Back to Table of Contents
Operation ID | Description |
---|---|
GetCredentialsMixin0 | Retrieve the registry credentials. |
CreateInventory | Create inventory from data received from a snapshot. |
RegisterCspmSnapshotAccount | Register an account for snapshot scanning. |
Back to Table of Contents
Operation ID | Description |
---|---|
getCombinedAssessmentsQuery | Search for assessments in your environment by providing an FQL filter and paging details. Returns a set of HostFinding entities which match the filter criteria |
getRuleDetails | Get rules details for provided one or more rule IDs |
Back to Table of Contents
Operation ID | Description |
---|---|
getEvaluationLogicMixin0 | Get details on evaluation logic items by providing one or more finding IDs. |
Back to Table of Contents
Operation ID | Description |
---|---|
ReadContainerAlertsCount | Search Container Alerts by the provided search criteria |
SearchAndReadContainerAlerts | Search Container Alerts by the provided search criteria |
Back to Table of Contents
Operation ID | Description |
---|---|
ReadDetectionsCountBySeverity | Aggregate counts of detections by severity |
ReadDetectionsCountByType | Aggregate counts of detections by detection type |
ReadDetectionsCount | Aggregate count of detections |
ReadCombinedDetections | Retrieve image assessment detections identified by the provided filter criteria |
ReadDetections | Retrieve image assessment detection entities identified by the provided filter criteria |
SearchDetections | Retrieve image assessment detection entities identified by the provided filter criteria |
Back to Table of Contents
Operation ID | Description |
---|---|
AggregateImageAssessmentHistory | Image assessment history |
AggregateImageCountByBaseOS | Aggregate count of images grouped by Base OS distribution |
AggregateImageCountByState | Aggregate count of images grouped by state |
AggregateImageCount | Aggregate count of images |
GetCombinedImages | Get image assessment results by providing an FQL filter and paging details |
CombinedImageByVulnerabilityCount | Retrieve top x images with the most vulnerabilities |
CombinedImageDetail | Retrieve image entities identified by the provided filter criteria |
ReadCombinedImagesExport | Retrieve images with an option to expand aggregated vulnerabilities/detections |
CombinedImageIssuesSummary | Retrieve image issues summary such as Image detections, Runtime detections, Policies, vulnerabilities |
CombinedImageVulnerabilitySummary | aggregates information about vulnerabilities for an image |
Back to Table of Contents
Operation ID | Description |
---|---|
ReadPackagesCountByZeroDay | Retrieve packages count affected by zero day vulnerabilities |
ReadPackagesByFixableVulnCount | Retrieve top x app packages with the most fixable vulnerabilities |
ReadPackagesByVulnCount | Retrieve top x packages with the most vulnerabilities |
ReadPackagesCombinedExport | Retrieve packages identified by the provided filter criteria for the purpose of export |
ReadPackagesCombined | Retrieve packages identified by the provided filter criteria |
Back to Table of Contents
Operation ID | Description |
---|---|
ReadVulnerabilityCountByActivelyExploited | Aggregate count of vulnerabilities grouped by actively exploited |
ReadVulnerabilityCountByCPSRating | Aggregate count of vulnerabilities grouped by csp_rating |
ReadVulnerabilityCountByCVSSScore | Aggregate count of vulnerabilities grouped by cvss score |
ReadVulnerabilityCountBySeverity | Aggregate count of vulnerabilities grouped by severity |
ReadVulnerabilityCount | Aggregate count of vulnerabilities |
ReadVulnerabilitiesByImageCount | Retrieve top x vulnerabilities with the most impacted images |
ReadVulnerabilitiesPublicationDate | Retrieve top x vulnerabilities with the most recent publication date |
ReadCombinedVulnerabilitiesDetails | Retrieve vulnerability details related to an image |
ReadCombinedVulnerabilitiesInfo | Retrieve vulnerability and package related info for this customer |
ReadCombinedVulnerabilities | Retrieve vulnerability and aggregate data filtered by the provided FQL |
Back to Table of Contents
Operation ID | Description |
---|---|
GetCSPMAwsAccount | Returns information about the current status of an AWS account. |
CreateCSPMAwsAccount | Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access. |
DeleteCSPMAwsAccount | Deletes an existing AWS account or organization in our system. |
PatchCSPMAwsAccount | Patches an existing account in our system for a customer. |
GetCSPMAwsConsoleSetupURLs | Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment. |
GetCSPMAwsAccountScriptsAttachment | Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment. |
GetCSPMAzureAccount | Return information about Azure account registration |
CreateCSPMAzureAccount | Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access. |
DeleteCSPMAzureAccount | Deletes an Azure subscription from the system. |
UpdateCSPMAzureAccountClientID | Update an Azure service account in our system with the user-created client_id created with the public key we've provided |
UpdateCSPMAzureTenantDefaultSubscriptionID | Update an Azure default subscription_id in our system for given tenant_id. |
AzureDownloadCertificate | Returns JSON object(s) that contain the base64 encoded certificate for a service principal. |
GetCSPMAzureUserScriptsAttachment | Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment |
GetBehaviorDetections | Get list of detected behaviors |
GetConfigurationDetections | Get list of active misconfigurations |
GetConfigurationDetectionEntities | Get misconfigurations based on the ID - including custom policy detections in addition to default policy detections. |
GetConfigurationDetectionIDsV2 | Get list of active misconfiguration ids - including custom policy detections in addition to default policy detections. |
GetIOAEvents | For CSPM IOA events, gets list of IOA events. |
GetIOAUsers | For CSPM IOA users, gets list of IOA users. |
GetCSPMPolicy | Given a policy ID, returns detailed policy information. |
GetCSPMPoliciesDetails | Given an array of policy IDs, returns detailed policies information. |
GetCSPMPolicySettings | Returns information about current policy settings. |
UpdateCSPMPolicySettings | Updates a policy setting - can be used to override policy severity or to disable a policy entirely. |
GetCSPMScanSchedule | Returns scan schedule configuration for one or more cloud platforms. |
UpdateCSPMScanSchedule | Updates scan schedule configuration for one or more cloud platforms. |
Back to Table of Contents
Operation ID | Description |
---|---|
get_patterns | Get pattern severities by ID. |
get_platformsMixin0 | Get platforms by ID. |
get_rule_groupsMixin0 | Get rule groups by ID. |
create_rule_groupMixin0 | Create a rule group for a platform with a name and an optional description. Returns the rule group. |
delete_rule_groupsMixin0 | Delete rule groups by ID. |
update_rule_groupMixin0 | Update a rule group. The following properties can be modified: name, description, enabled. |
get_rule_types | Get rule types by ID. |
get_rules_get | Get rules by ID and optionally with cid and/or version in the following format: [cid:]ID[:version]. |
get_rulesMixin0 | Get rules by ID and optionally with cid and/or version in the following format: [cid:]ID[:version]. The max number of IDs is constrained by URL size. |
create_rule | Create a rule within a rule group. Returns the rule. |
delete_rules | Delete rules from a rule group by ID. |
update_rules | Update rules within a rule group. Return the updated rules. |
validate | Validates field values and checks for matches if a test string is provided. |
query_patterns | Get all pattern severity IDs. |
query_platformsMixin0 | Get all platform IDs. |
query_rule_groups_full | Find all rule groups matching the query with optional filter. |
query_rule_groupsMixin0 | Finds all rule group IDs matching the query with optional filter. |
query_rule_types | Get all rule type IDs. |
query_rulesMixin0 | Finds all rule IDs matching the query with optional filter. |
Back to Table of Contents
Operation ID | Description |
---|---|
ListObjects | List the object keys in the specified collection in alphabetical order. |
SearchObjects | Search for objects that match the specified filter criteria (returns metadata, not actual objects). |
GetObject | Get the bytes for the specified object. |
PutObject | Put the specified new object at the given key or overwrite an existing object at the given key. |
DeleteObject | Delete the specified object. |
GetObjectMetadata | Get the metadata for the specified object. |
Back to Table of Contents
This service collection has been deprecated.
Operation ID | Description |
---|---|
GetD4CAwsAccount | Returns information about the current status of an AWS account. |
CreateD4CAwsAccount | Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access. |
DeleteD4CAwsAccount | Deletes an existing AWS account or organization in our system. |
GetD4CAwsConsoleSetupURLs | Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment. |
GetD4CAWSAccountScriptsAttachment | Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment. |
GetDiscoverCloudAzureAccount | Return information about Azure account registration |
GetDiscoverCloudAzureTenantIDs | Return available tenant IDs for Discover for Cloud. |
CreateDiscoverCloudAzureAccount | Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access. |
UpdateDiscoverCloudAzureAccountClientID | Update an Azure service account in our system with the user-created client_id created with the public key we've provided |
GetDiscoverCloudAzureUserScriptsAttachment | Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment |
GetDiscoverCloudAzureUserScripts | Return a script for customer to run in their cloud environment to grant us access to their Azure environment |
GetDiscoverCloudCGPAccount | Returns information about the current status of a GCP account. |
CreateDiscoverCloudGCPAccount | Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access. |
DiscoverCloudAzureDownloadCertificate | Returns JSON object(s) that contain the base64 encoded certificate for a service principal. |
GetDiscoverCloudGCPUserScriptsAttachment | Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment |
GetDiscoverCloudGCPUserScripts | Return a script for customer to run in their cloud environment to grant us access to their GCP environment |
Back to Table of Contents
Operation ID | Description |
---|---|
GetAggregateDetects | Get detect aggregates as specified via json in request body. |
UpdateDetectsByIdsV2 | Modify the state, assignee, and visibility of detections |
GetDetectSummaries | View information about detections |
QueryDetects | Search for detection IDs that match a given query |
Back to Table of Contents
Operation ID | Description |
---|---|
queryCombinedDeviceControlPolicyMembers | Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
queryCombinedDeviceControlPolicies | Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policies which match the filter criteria |
getDefaultDeviceControlPolicies | Retrieve the configuration for the Default Device Control Policy. |
updateDefaultDeviceControlPolicies | Update the configuration for the Default Device Control Policy. |
performDeviceControlPoliciesAction | Perform the specified action on the Device Control Policies specified in the request |
setDeviceControlPoliciesPrecedence | Sets the precedence of Device Control Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
getDeviceControlPolicies | Retrieve a set of Device Control Policies by specifying their IDs |
createDeviceControlPolicies | Create Device Control Policies by specifying details about the policy to create |
deleteDeviceControlPolicies | Delete a set of Device Control Policies by specifying their IDs |
updateDeviceControlPolicies | Update Device Control Policies by specifying the ID of the policy and details to update |
queryDeviceControlPolicyMembers | Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
queryDeviceControlPolicies | Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policy IDs which match the filter criteria |
Back to Table of Contents
Operation ID | Description |
---|---|
get_accounts | Get details on accounts by providing one or more IDs. |
get_applications | Get details on applications by providing one or more IDs. |
get_hosts | Get details on assets by providing one or more IDs. |
get_iot_hosts | Get details on IoT assets by providing one or more IDs. |
get_logins | Get details on logins by providing one or more IDs. |
query_accounts | Search for accounts in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
query_applications | Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of applications IDs which match the filter criteria. |
query_hosts | Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
query_iot_hosts | Search for IoT assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
query_logins | Search for logins in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
Back to Table of Contents
Operation ID | Description |
---|---|
refreshActiveStreamSession | Refresh an active event stream. Use the URL shown in a GET /sensors/entities/datafeed/v2 response. |
listAvailableStreamsOAuth2 | Discover all event streams in your environment |
Back to Table of Contents
Operation ID | Description |
---|---|
GetCombinedImages | Gets image assessment results by providing a FQL filter and paging details. |
GetCredentials | Gets the registry credentials. |
ReadImageVulnerabilities | Retrieve vulnerabilities for a specified image. |
GetImageAssessmentReport | Retrieve an assessment report for an image by specifying repository and tag. |
DeleteImageDetails | Delete image details from the CrowdStrike registry. |
ImageMatchesPolicy | Check if an image matches a policy by specifying repository and tag. |
ReadRegistryEntities | Retrieve registry entities associated with the client ID. |
ReadRegistryEntitiesByUUID | Retrieve registry entities associated with a specific registry entity UUID. |
DeleteRegistryEntities | Delete registry entities by UUID. |
CreateRegistryEntities | Create registry entities using the provided detail. |
UpdateRegistryEntities | Update the registry entity, as identified by the entity UUID, using the provided details. |
Back to Table of Contents
Operation ID | Description |
---|---|
AggregateAlerts | Retrieve aggregate alerts values based on the matched filter |
AggregateAllowList | Retrieve aggregate allowlist ticket values based on the matched filter |
AggregateBlockList | Retrieve aggregate blocklist ticket values based on the matched filter |
AggregateDetections | Retrieve aggregate detection values based on the matched filter |
AggregateDeviceCountCollection | Retrieve aggregate host/devices count based on the matched filter |
AggregateEscalations | Retrieve aggregate escalation ticket values based on the matched filter |
AggregateFCIncidents | Retrieve aggregate incident values based on the matched filter |
AggregateRemediations | Retrieve aggregate remediation ticket values based on the matched filter |
QueryAlertIdsByFilter | Retrieve alert IDs that match the provided filter criteria with scrolling enabled |
QueryAllowListFilter | Retrieve allowlist tickets that match the provided filter criteria with scrolling enabled |
QueryBlockListFilter | Retrieve blocklist tickets that match the provided filter criteria with scrolling enabled |
QueryDetectionIdsByFilter | Retrieve detection IDs that match the provided FQL filter criteria with scrolling enabled |
GetDeviceCountCollectionQueriesByFilter | Retrieve device count collection IDs that match the provided FQL filter criteria with scrolling enabled |
QueryEscalationsFilter | Retrieve escalation tickets that match the provided filter criteria with scrolling enabled |
QueryIncidentIdsByFilter | Retrieve incidents that match the provided filter criteria with scrolling enabled |
QueryRemediationsFilter | Retrieve remediation tickets that match the provided filter criteria with scrolling enabled |
Back to Table of Contents
Operation ID | Description |
---|---|
GetArtifacts | Download IOC packs, PCAP files, and other analysis artifacts. |
GetMemoryDumpExtractedStrings | Get extracted strings from a memory dump. |
GetMemoryDumpHexDump | Get the hex view of a memory dump. |
GetMemoryDump | Get memory dump content, as a binary. |
GetSummaryReports | Get a short summary version of a sandbox report. |
GetReports | Get a full sandbox report. |
DeleteReport | Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint. |
GetSubmissions | Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. |
Submit | Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. |
QueryReports | Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria. |
QuerySubmissions | Find submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria. |
GetSampleV2 | Retrieves the file associated with the given ID (SHA256) |
UploadSampleV2 | Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file. |
DeleteSampleV2 | Removes a sample, including file, meta and submissions from the collection |
QuerySampleV1 | Retrieves a list of SHA256 hashes of samples that exist and that the customer has rights to access. The maximum number of accepted items is 200. |
Back to Table of Contents
Operation ID | Description |
---|---|
fdrschema_combined_event_get | Fetches the combined schema. |
fdrschema_entities_event_get | Fetch event schema by ID. |
fdrschema_queries_event_get | Get list of event IDs given a particular query. |
fdrschema_entities_field_get | Fetch field schema by ID. |
fdrschema_queries_field_get | Get list of field IDs given a particular query. |
Back to Table of Contents
Operation ID | Description |
---|---|
getChanges | Retrieve information on changes. |
queryChanges | Returns one or more change IDs. |
updatePolicyHostGroups | Manage host groups assigned to a policy. |
updatePolicyRuleGroups | Manage the rule groups assigned to the policy or set the rule group precedence for all rule groups within the policy. |
updatePolicyPrecedence | Updates the policy precedence for all policies of a specific type. |
getPolicies | Retrieves the configuration for one or more policies. |
createPolicies | Creates a new policy of the specified type. New policies are always added at the end of the precedence list for the provided policy type. |
deletePolicies | Deletes one or more policies. |
updatePolicies | Updates the general information of the provided policy. |
getScheduledExclusions | Retrieves the configuration for one or more scheduled exclusions from the provided policy ID. |
createScheduledExclusions | Creates a new scheduled exclusion configuration for the provided policy ID. |
deleteScheduledExclusions | Deletes one or more scheduled exclusions from the provided policy ID. |
updateScheduledExclusions | Updates the provided scheduled exclusion configuration within the provided policy. |
updateRuleGroupPrecedence | Updates the rule precedence for all rules in the identified rule group. |
getRules | Retrieves the configuration for one or more rules. |
createRules | Creates a new rule configuration within the specified rule group. |
deleteRules | Deletes one or more rules from the specified rule group. |
updateRules | Updates the provided rule configuration within the specified rule group. |
getRuleGroups | Retrieves the rule group details for one or more rule groups. |
createRuleGroups | Creates a new rule group of the specified type. |
deleteRuleGroups | Deletes one or more rule groups |
updateRuleGroups | Updates the provided rule group. |
highVolumeQueryChanges | Returns a list of Falcon FileVantage change IDs filtered, sorted and limited by the query parameters provided. It can retrieve an unlimited number of results using multiple requests. |
queryRulesGroups | Retrieve the IDs of all rule groups that are of the provided rule group type. |
queryScheduledExclusions | Retrieve the IDs of all scheduled exclusions contained within the provided policy ID. |
queryPolicies | Retrieve the ids of all policies that are assigned the provided policy type. |
Back to Table of Contents
Operation ID | Description |
---|---|
aggregate_events | Aggregate events for customer |
aggregate_policy_rules | Aggregate rules within a policy for customer |
aggregate_rule_groups | Aggregate rule groups for customer |
aggregate_rules | Aggregate rules for customer |
get_events | Get events entities by ID and optionally version |
get_firewall_fields | Get the firewall field specifications by ID |
get_network_locations_details | Get network locations entities by ID |
update_network_locations_metadata | Updates the network locations metadata such as polling_intervals for the cid |
update_network_locations_precedence | Updates the network locations precedence according to the list of ids provided. |
get_network_locations | Get a summary of network locations entities by ID |
upsert_network_locations | Updates the network locations provided, and return the ID. |
create_network_locations | Create new network locations provided, and return the ID. |
delete_network_locations | Delete network location entities by ID. |
update_network_locations | Updates the network locations provided, and return the ID. |
get_platforms | Get platforms by ID, e.g., windows or mac or droid |
get_policy_containers | Get policy container entities by policy ID |
update_policy_container_v1 | Update an identified policy container. WARNING: This endpoint is deprecated in favor of v2; using this endpoint could disable your local logging setting. |
update_policy_container | Update an identified policy container, including local logging functionality. |
get_rule_groups | Get rule group entities by ID. These groups do not contain their rule entities, just the rule IDs in precedence order. |
create_rule_group | Create new rule group on a platform for a customer with a name and description, and return the ID |
delete_rule_groups | Delete rule group entities by ID |
update_rule_group | Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules |
create_rule_group_validation | Validates the request of creating a new rule group on a platform for a customer with a name and description |
update_rule_group_validation | Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules |
get_rules | Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string) |
validate_filepath_pattern | Validates that the test pattern matches the executable filepath glob pattern. |
query_events | Find all event IDs matching the query with filter |
query_firewall_fields | Get the firewall field specification IDs for the provided platform |
query_network_locations | Get a list of network location IDs |
query_platforms | Get the list of platform names |
query_policy_rules | Find all firewall rule IDs matching the query with filter, and return them in precedence order |
query_rule_groups | Find all rule group IDs matching the query with filter |
query_rules | Find all rule IDs matching the query with filter |
Back to Table of Contents
Operation ID | Description |
---|---|
queryCombinedFirewallPolicyMembers | Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
queryCombinedFirewallPolicies | Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policies which match the filter criteria |
performFirewallPoliciesAction | Perform the specified action on the Firewall Policies specified in the request |
setFirewallPoliciesPrecedence | Sets the precedence of Firewall Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
getFirewallPolicies | Retrieve a set of Firewall Policies by specifying their IDs |
createFirewallPolicies | Create Firewall Policies by specifying details about the policy to create |
deleteFirewallPolicies | Delete a set of Firewall Policies by specifying their IDs |
updateFirewallPolicies | Update Firewall Policies by specifying the ID of the policy and details to update |
queryFirewallPolicyMembers | Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
queryFirewallPolicies | Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policy IDs which match the filter criteria |
Back to Table of Contents
Operation ID | Description |
---|---|
ListReposV1 | Lists available repositories and views. |
IngestDataV1 | Ingest data into the application repository. |
CreateSavedSearchesDynamicExecuteV1 | Execute a dynamic saved search. |
GetSavedSearchesExecuteV1 | Get the results of a saved search. |
CreateSavedSearchesExecuteV1 | Execute a saved search. |
CreateSavedSearchesIngestV1 | Populate a saved search. |
GetSavedSearchesJobResultsDownloadV1 | Get the results of a saved search as a file. |
ListViewV1 | List views. |
Back to Table of Contents
Operation ID | Description |
---|---|
queryCombinedGroupMembers | Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
queryCombinedHostGroups | Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Groups which match the filter criteria |
performGroupAction | Perform the specified action on the Host Groups specified in the request |
getHostGroups | Retrieve a set of Host Groups by specifying their IDs |
createHostGroups | Create Host Groups by specifying details about the group to create |
deleteHostGroups | Delete a set of Host Groups by specifying their IDs |
updateHostGroups | Update Host Groups by specifying the ID of the group and details to update |
queryGroupMembers | Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
queryHostGroups | Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Group IDs which match the filter criteria |
Back to Table of Contents
Operation ID | Description |
---|---|
QueryDeviceLoginHistory | Retrieve details about recent login sessions for a set of devices. |
QueryDeviceLoginHistoryV2 | Retrieve details about recent interactive login sessions for a set of devices powered by the Host Timeline. A max of 10 device ids can be specified |
QueryGetNetworkAddressHistoryV1 | Retrieve history of IP and MAC addresses of devices. |
PerformActionV2 | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. |
UpdateDeviceTags | Append or remove one or more Falcon Grouping Tags on one or more hosts. |
GetDeviceDetails | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API |
GetDeviceDetailsV1 | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 500) |
GetDeviceDetailsV2 | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 100) |
PostDeviceDetailsV2 | Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 5000) |
entities_perform_action | Performs the specified action on the provided prevention policy IDs. |
GetOnlineState_V1 | Get the online status for one or more hosts by specifying each host’s unique ID. |
QueryHiddenDevices | Retrieve hidden hosts that match the provided filter criteria. |
QueryDevicesByFilterScroll | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit) |
QueryDevicesByFilter | Search for hosts in your environment by platform, hostname, IP, and other criteria. |
Back to Table of Contents
Operation ID | Description |
---|---|
GetSensorAggregates | Get sensor aggregates as specified via json in request body. |
GetSensorDetails | Get details on one or more sensors by providing device IDs in a POST body. Supports up to a maximum of 5000 IDs. |
QuerySensorsByFilter | Search for sensors in your environment by hostname, IP, or other criteria. |
api_preempt_proxy_post_graphql | Identity Protection GraphQL API. Allows retrieval of entities, timeline activities, identity-based incidents and security assessment. Allows performing actions on entities and identity-based incidents. |
Back to Table of Contents
Operation ID | Description |
---|---|
CrowdScore | Query environment wide CrowdScore and return the entity data |
GetBehaviors | Get details on behaviors by providing behavior IDs |
PerformIncidentAction | Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description |
GetIncidents | Get details on incidents by providing incident IDs |
QueryBehaviors | Search for behaviors by providing a FQL filter, sorting, and paging details |
QueryIncidents | Search for incidents by providing a FQL filter, sorting, and paging details |
Back to Table of Contents
Operation ID | Description |
---|---|
audit_events_read | Gets the details of one or more audit events by id. |
customer_settings_read | Check current installation token settings. |
customer_settings_update | Update installation token settings. |
tokens_read | Gets the details of one or more tokens by id. |
tokens_create | Creates a token. |
tokens_delete | Deletes a token immediately. To revoke a token, use PATCH /installation-tokens/entities/tokens/v1 instead. |
tokens_update | Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore. |
audit_events_query | Search for audit events by providing a FQL filter and paging details. |
tokens_query | Search for tokens by providing a FQL filter and paging details. |
Back to Table of Contents
Operation ID | Description |
---|---|
QueryIntelActorEntities | Get info about actors that match provided FQL filters. |
QueryIntelIndicatorEntities | Get info about indicators that match provided FQL filters. |
QueryIntelReportEntities | Get info about reports that match provided FQL filters. |
GetIntelActorEntities | Retrieve specific actors using their actor IDs. |
GetIntelIndicatorEntities | Retrieve specific indicators using their indicator IDs. |
GetMitreReport | Export Mitre ATT&CK information for a given actor. |
PostMitreAttacks | Retrieves report and observable IDs associated with the given actor and attacks. |
GetIntelReportPDF | Return a Report PDF attachment |
GetIntelReportEntities | Retrieve specific reports using their report IDs. |
GetIntelRuleFile | Download earlier rule sets. |
GetLatestIntelRuleFile | Download the latest rule set. |
GetIntelRuleEntities | Retrieve details for rule sets for the specified ids. |
GetVulnerabilities | Get vulnerabilities |
QueryIntelActorIds | Get actor IDs that match provided FQL filters. |
QueryMitreAttacks | Gets MITRE tactics and techniques for the given actor. |
QueryIntelIndicatorIds | Get indicators IDs that match provided FQL filters. |
QueryIntelReportIds | Get report IDs that match provided FQL filters. |
QueryIntelRuleIds | Search for rule IDs that match provided filter criteria. |
QueryVulnerabilities | Get vulnerabilities IDs |
Back to Table of Contents
Operation ID | Description |
---|---|
getIOAExclusionsV1 | Get a set of IOA Exclusions by specifying their IDs |
createIOAExclusionsV1 | Create the IOA exclusions |
deleteIOAExclusionsV1 | Delete the IOA exclusions by id |
updateIOAExclusionsV1 | Update the IOA exclusions |
queryIOAExclusionsV1 | Search for IOA exclusions. |
Back to Table of Contents
Operation ID | Description |
---|---|
indicator_get_device_count_v1 | Get the number of devices the indicator has run on |
indicator_aggregate_v1 | Get Indicators aggregates as specified via json in the request body. |
indicator_combined_v1 | Get Combined for Indicators. |
action_get_v1 | Get Actions by ids. |
GetIndicatorsReport | Launch an indicators report creation job |
indicator_get_v1 | Get Indicators by ids. |
indicator_create_v1 | Create Indicators. |
indicator_delete_v1 | Delete Indicators by ids. |
indicator_update_v1 | Update Indicators. |
action_query_v1 | Query Actions. |
indicator_get_devices_ran_on_v1 | Get the IDs of devices the indicator has run on |
indicator_get_processes_ran_on_v1 | Get the number of processes the indicator has run on |
indicator_search_v1 | Search for Indicators. |
DevicesCount | Number of hosts in your customer account that have observed a given custom IOC |
DevicesRanOn | Find hosts that have observed a given custom IOC. For details about those hosts, use GetDeviceDetails |
ProcessesRanOn | Search for processes associated with a custom IOC |
entities_processes | For the provided ProcessID retrieve the process details |
ioc_type_query_v1 | Query IOC Types. |
platform_query_v1 | Query Platforms. |
severity_query_v1 | Query Severities. |
Back to Table of Contents
This service collection has been deprecated.
Operation ID | Description |
---|---|
DevicesCount | Number of hosts in your customer account that have observed a given custom IOC |
GetIOC | This operation has been superseded by the IOC.indicator_get_v1 operation and is no longer used. |
CreateIOC | This operation has been superseded by the IOC.indicator_create_v1 operation and is no longer used. |
DeleteIOC | This operation has been superseded by the IOC.indicator_delete_v1 operation and is no longer used. |
UpdateIOC | This operation has been superseded by the IOC.indicator_update_v1 operation and is no longer used. |
DevicesRanOn | Find hosts that have observed a given custom IOC. For details about those hosts, use GetDeviceDetails |
QueryIOCs | This operation has been superseded by the IOC.indicator_search_v1 operation and is no longer used. |
ProcessesRanOn | Search for processes associated with a custom IOC |
entities_processes | For the provided ProcessID retrieve the process details |
Back to Table of Contents
Operation ID | Description |
---|---|
ReadClustersByDateRangeCount | Retrieve clusters by date range counts |
ReadClustersByKubernetesVersionCount | Bucket clusters by kubernetes version |
ReadClustersByStatusCount | Bucket clusters by status |
ReadClusterCount | Retrieve cluster counts |
ReadContainersByDateRangeCount | Retrieve containers by date range counts |
ReadContainerCountByRegistry | Retrieve top container image registries |
FindContainersCountAffectedByZeroDayVulnerabilities | Retrieve containers count affected by zero day vulnerabilities |
ReadVulnerableContainerImageCount | Retrieve count of vulnerable images running on containers |
ReadContainerCount | Retrieve container counts |
FindContainersByContainerRunTimeVersion | Retrieve containers by container_runtime_version |
GroupContainersByManaged | Group the containers by Managed |
ReadContainerImageDetectionsCountByDate | Retrieve count of image assessment detections on running containers over a period of time |
ReadContainerImagesByState | Retrieve count of image states running on containers |
ReadContainersSensorCoverage | Bucket containers by agent type and calculate sensor coverage |
ReadContainerVulnerabilitiesBySeverityCount | Retrieve container vulnerabilities by severity counts |
ReadDeploymentsByDateRangeCount | Retrieve deployments by date range counts |
ReadDeploymentCount | Retrieve deployment counts |
ReadClusterEnrichment | Retrieve cluster enrichment data |
ReadContainerEnrichment | Retrieve container enrichment data |
ReadDeploymentEnrichment | Retrieve deployment enrichment data |
ReadNodeEnrichment | Retrieve node enrichment data |
ReadPodEnrichment | Retrieve pod enrichment data |
ReadDistinctContainerImageCount | Retrieve count of distinct images running on containers |
ReadContainerImagesByMostUsed | Bucket container by image-digest |
ReadKubernetesIomByDateRange | Returns the count of Kubernetes IOMs by date. By default it's for 7 days. |
ReadKubernetesIomCount | Returns the total count of Kubernetes IOMs over the past seven days |
ReadNodesByCloudCount | Bucket nodes by cloud providers |
ReadNodesByContainerEngineVersionCount | Bucket nodes by their container engine version |
ReadNodesByDateRangeCount | Retrieve nodes by date range counts |
ReadNodeCount | Retrieve node counts |
ReadPodsByDateRangeCount | Retrieve pods by date range counts |
ReadPodCount | Retrieve pod counts |
ReadClusterCombined | Retrieve kubernetes clusters identified by the provided filter criteria |
ReadRunningContainerImages | Retrieve images on running containers |
ReadContainerCombined | Retrieve containers identified by the provided filter criteria |
ReadDeploymentCombined | Retrieve kubernetes deployments identified by the provided filter criteria |
SearchAndReadKubernetesIomEntities | Search Kubernetes IOM by the provided search criteria |
ReadNodeCombined | Retrieve kubernetes nodes identified by the provided filter criteria |
ReadPodCombined | Retrieve kubernetes pods identified by the provided filter criteria |
ReadKubernetesIomEntities | Retrieve Kubernetes IOM entities identified by the provided IDs |
SearchKubernetesIoms | Search Kubernetes IOMs by the provided search criteria. This endpoint returns a list of Kubernetes IOM UUIDs matching the query |
GetAWSAccountsMixin0 | Provides a list of AWS accounts. |
CreateAWSAccount | Creates a new AWS account in our system for a customer and generates the installation script |
DeleteAWSAccountsMixin0 | Delete AWS accounts. |
UpdateAWSAccount | Updates the AWS account per the query parameters provided |
ListAzureAccounts | Provides the azure subscriptions registered to Kubernetes Protection |
CreateAzureSubscription | Creates a new Azure Subscription in our system |
DeleteAzureSubscription | Deletes a new Azure Subscription in our system |
GetLocations | Provides the cloud locations acknowledged by the Kubernetes Protection service |
GetCombinedCloudClusters | Return a combined list of provisioned cloud accounts and known kubernetes clusters. |
GetAzureTenantConfig | Return the azure tenant config. |
GetStaticScripts | Gets static bash scripts that are used during registration. |
GetAzureTenantIDs | Provides all the azure subscriptions and tenants. |
GetAzureInstallScript | Provides the script to run for a given tenant id and subscription IDs. |
GetHelmValuesYaml | Provides a sample Helm values.yaml file for a customer to install alongside the agent Helm chart |
RegenerateAPIKey | Regenerate API key for docker registry integrations |
GetClusters | Provides the clusters acknowledged by the Kubernetes Protection service |
TriggerScan | Triggers a dry run or a full scan of a customer's kubernetes footprint |
PatchAzureServicePrincipal | Adds the client ID for the given tenant ID to our system |
Back to Table of Contents
Operation ID | Description |
---|---|
GetMalQueryQuotasV1 | Get information about search and download quotas in your environment |
PostMalQueryFuzzySearchV1 | Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. |
GetMalQueryDownloadV1 | Download a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time |
GetMalQueryMetadataV1 | Retrieve indexed files metadata by their hash |
GetMalQueryRequestV1 | Check the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time. |
GetMalQueryEntitiesSamplesFetchV1 | Fetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing |
PostMalQueryEntitiesSamplesMultidownloadV1 | Schedule samples for download. Use the result id with the /request endpoint to check if the download is ready after which you can call the /entities/samples-fetch to get the zip |
PostMalQueryExactSearchV1 | Search Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. You can filter results on criteria such as file type, file size and first seen date. Returns a request id which can be used with the /request endpoint |
PostMalQueryHuntV1 | Schedule a YARA-based search for execution. Returns a request id which can be used with the /request endpoint |
Back to Table of Contents
Operation ID | Description |
---|---|
AggregateCases | Retrieve aggregate case values based on the matched filter |
GetCaseActivityByIds | Retrieve activities for given id's |
CaseAddActivity | Add an activity to case. Only activities of type comment are allowed via API |
CaseDownloadAttachment | retrieves an attachment for the case, given the attachment id |
CaseAddAttachment | Upload an attachment for the case. |
CreateCase | create a new case |
CreateCaseV2 | create a new case |
UpdateCase | update an existing case |
GetCaseEntitiesByIDs | Retrieve message center cases |
QueryActivityByCaseID | Retrieve activities id's for a case |
QueryCasesIdsByFilter | Retrieve case id's that match the provided filter criteria |
Back to Table of Contents
Operation ID | Description |
---|---|
getMLExclusionsV1 | Get a set of ML Exclusions by specifying their IDs |
createMLExclusionsV1 | Create the ML exclusions |
deleteMLExclusionsV1 | Delete the ML exclusions by id |
updateMLExclusionsV1 | Update the ML exclusions |
queryMLExclusionsV1 | Search for ML exclusions. |
Back to Table of Contents
Operation ID | Description |
---|---|
RequestDeviceEnrollmentV3 | Trigger on-boarding process for a mobile device. |
Back to Table of Contents
Operation ID | Description |
---|---|
getChildrenV2 | Get link to child customer by child CID(s) |
getChildren | Get link to child customer by child CID(s) |
getCIDGroupMembersBy | Get CID group members by CID group ID. |
getCIDGroupMembersByV2 | Get CID group members by CID Group ID. |
addCIDGroupMembers | Add new CID Group member. |
deleteCIDGroupMembers | Delete CID Group members entry. |
getCIDGroupById | Get CID groups by ID. |
getCIDGroupMembersByV2 | Get CID group members by CID Group ID. |
createCIDGroups | Create new CID Group(s). Maximum 500 CID Group(s) allowed. |
deleteCIDGroups | Delete CID groups by ID. |
updateCIDGroups | Update existing CID Group(s). CID Group ID is expected for each CID Group definition provided in request body. CID Group member(s) remain unaffected. |
getCIDGroupByIdV2 | Get CID Groups by ID. |
getRolesByID | Get MSSP Role assignment(s). MSSP Role assignment is of the format :. |
addRole | Assign new MSSP Role(s) between User Group and CID Group. It does not revoke existing role(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request. |
deletedRoles | Delete MSSP Role assignment(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request. Only specified roles are removed if specified in request payload, else association between User Group and CID Group is dissolved completely (if no roles specified). |
getUserGroupMembersByID | Get user group members by user group ID. |
addUserGroupMembers | Add new User Group member. Maximum 500 members allowed per User Group. |
deleteUserGroupMembers | Delete User Group members entry. |
getUserGroupMembersByIDV2 | Get user group members by user group ID. |
getUserGroupsByID | Get user groups by ID. |
getUserGroupsByIDV2 | Get user groups by ID. |
createUserGroups | Create new User Group(s). Maximum 500 User Group(s) allowed per customer. |
deleteUserGroups | Delete user groups by ID. |
updateUserGroups | Update existing User Group(s). User Group ID is expected for each User Group definition provided in request body. User Group member(s) remain unaffected. |
queryChildren | Query for customers linked as children |
queryCIDGroupMembers | Query a CID groups members by associated CID. |
queryCIDGroups | Query CID Groups. |
queryRoles | Query links between user groups and CID groups. At least one of CID group ID or user group ID should also be provided. Role ID is optional. |
queryUserGroupMembers | Query User Group member by User UUID. |
queryUserGroups | Query User Groups. |
Back to Table of Contents
Operation ID | Description |
---|---|
oauth2RevokeToken | Revoke a previously issued OAuth2 access token before the end of its standard 30-minute lifespan. |
oauth2AccessToken | Generate an OAuth2 access token |
Back to Table of Contents
Operation ID | Description |
---|---|
aggregate_query_scan_host_metadata | Get aggregates on ODS scan-hosts data. |
aggregate_scans | Get aggregates on ODS scan data. |
aggregate_scheduled_scans | Get aggregates on ODS scheduled-scan data. |
get_malicious_files_by_ids | Get malicious files by ids. |
cancel_scans | Cancel ODS scans for the given scan ids. |
get_scan_host_metadata_by_ids | Get scan hosts by ids. |
get_scans_by_scan_ids | Get Scans by IDs. |
create_scan | Create ODS scan and start or schedule scan for the given scan request. |
get_scans_by_scan_ids_v2 | Get Scans by IDs. |
get_scheduled_scans_by_scan_ids | Get ScheduledScans by IDs. |
schedule_scan | Create ODS scan and start or schedule scan for the given scan request. |
delete_scheduled_scans | Delete ODS scheduled-scans for the given scheduled-scan ids. |
query_malicious_files | Query malicious files. |
query_scan_host_metadata | Query scan hosts. |
query_scans | Query Scans. |
query_scheduled_scans | Query ScheduledScans. |
Back to Table of Contents
Operation ID | Description |
---|---|
AggregatesDetectionsGlobalCounts | Get the total number of detections pushed across all customers |
AggregatesEventsCollections | Get OverWatch detection event collection info by providing an aggregate query |
AggregatesEvents | Get aggregate OverWatch detection event info by providing an aggregate query |
AggregatesIncidentsGlobalCounts | Get the total number of incidents pushed across all customers |
AggregatesOWEventsGlobalCounts | Get the total number of OverWatch events across all customers |
Back to Table of Contents
Operation ID | Description |
---|---|
queryCombinedPreventionPolicyMembers | Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
queryCombinedPreventionPolicies | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria |
performPreventionPoliciesAction | Perform the specified action on the Prevention Policies specified in the request |
setPreventionPoliciesPrecedence | Sets the precedence of Prevention Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
getPreventionPolicies | Retrieve a set of Prevention Policies by specifying their IDs |
createPreventionPolicies | Create Prevention Policies by specifying details about the policy to create |
deletePreventionPolicies | Delete a set of Prevention Policies by specifying their IDs |
updatePreventionPolicies | Update Prevention Policies by specifying the ID of the policy and details to update |
queryPreventionPolicyMembers | Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
queryPreventionPolicies | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policy IDs which match the filter criteria |
Back to Table of Contents
Operation ID | Description |
---|---|
ActionUpdateCount | Returns count of potentially affected quarantined files for each action. |
GetAggregateFiles | Get quarantine file aggregates as specified via json in request body. |
GetQuarantineFiles | Get quarantine file metadata for specified ids. |
UpdateQuarantinedDetectsByIds | Apply action by quarantine file ids |
QueryQuarantineFiles | Get quarantine file ids that match the provided filter criteria. |
UpdateQfByQuery | Apply quarantine file actions by query. |
Back to Table of Contents
Operation ID | Description |
---|---|
GetScansAggregates | Get scans aggregations as specified via json in request body. |
GetScans | Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute |
ScanSamples | Submit a volume of files for ml scanning. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute |
QuerySubmissionsMixin0 | Find IDs for submitted scans by providing a FQL filter and paging details. Returns a set of volume IDs that match your criteria. |
Back to Table of Contents
Operation ID | Description |
---|---|
RTR_AggregateSessions | Get aggregates on session data. |
BatchActiveResponderCmd | Batch executes a RTR active-responder command across the hosts mapped to the given batch ID. |
BatchCmd | Batch executes a RTR read-only command across the hosts mapped to the given batch ID. |
BatchGetCmdStatus | Retrieves the status of the specified batch get command. Will return successful files when they are finished processing. |
BatchGetCmd | Batch executes get command across hosts to retrieve files. After this call is made GET /real-time-response/combined/batch-get-command/v1 is used to query for the results. |
BatchInitSessions | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. |
BatchRefreshSessions | Batch refresh a RTR session on multiple hosts. RTR sessions will expire after 10 minutes unless refreshed. |
RTR_CheckActiveResponderCommandStatus | Get status of an executed active-responder command on a single host. |
RTR_ExecuteActiveResponderCommand | Execute an active responder command on a single host. |
RTR_CheckCommandStatus | Get status of an executed command on a single host. |
RTR_ExecuteCommand | Execute a command on a single host. |
RTR_GetExtractedFileContents | Get RTR extracted file contents for specified session and sha256. |
RTR_ListFiles | Get a list of files for the specified RTR session. |
RTR_ListFilesV2 | Get a list of files for the specified RTR session. (Expanded output detail) |
RTR_DeleteFile | Delete a RTR session file. |
RTR_DeleteFileV2 | Delete a RTR session file. (Expanded output detail. Use with RTR_ListFilesV2.) |
RTR_ListQueuedSessions | Get queued session metadata by session ID. |
RTR_DeleteQueuedSession | Delete a queued session command |
RTR_PulseSession | Refresh a session timeout on a single host. |
RTR_ListSessions | Get session metadata by session id. |
RTR_InitSession | Initialize a new session with the RTR cloud. |
RTR_DeleteSession | Delete a session. |
RTR_ListAllSessions | Get a list of session_ids. |
Back to Table of Contents
Operation ID | Description |
---|---|
BatchAdminCmd | Batch executes a RTR administrator command across the hosts mapped to the given batch ID. |
RTR_CheckAdminCommandStatus | Get status of an executed RTR administrator command on a single host. |
RTR_ExecuteAdminCommand | Execute a RTR administrator command on a single host. |
RTR_GetFalconScripts | Get Falcon scripts with metadata and content of script |
RTR_GetPut_Files | Get put-files based on the ID's given. These are used for the RTR put command. |
RTR_GetPut_FilesV2 | Get put-files based on the ID's given. These are used for the RTR put command. |
RTR_CreatePut_Files | Upload a new put-file to use for the RTR put command. |
RTR_DeletePut_Files | Delete a put-file based on the ID given. Can only delete one file at a time. |
RTR_GetScripts | Get custom-scripts based on the ID's given. These are used for the RTR runscript command. |
RTR_GetScriptsV2 | Get custom-scripts based on the ID's given. These are used for the RTR runscript command. |
RTR_CreateScripts | Upload a new custom-script to use for the RTR runscript command. |
RTR_DeleteScripts | Delete a custom-script based on the ID given. Can only delete one script at a time. |
RTR_UpdateScripts | Upload a new script to replace an existing one. |
RTR_ListFalconScripts | Get a list of Falcon script IDs available to the user to run |
RTR_ListPut_Files | Get a list of put-file ID's that are available to the user for the put command. |
RTR_ListScripts | Get a list of custom-script ID's that are available to the user for the runscript command. |
Back to Table of Contents
Operation ID | Description |
---|---|
RTRAuditSessions | Get all RTR sessions created for a customer during a specified time period. |
Back to Table of Contents
Operation ID | Description |
---|---|
AggregateNotificationsExposedDataRecordsV1 | Get notification exposed data record aggregates as specified via JSON in request body. The valid aggregation fields are: [notification_id created_date rule.id rule.name rule.topic source_category site author] |
AggregateNotificationsV1 | Get notification aggregates as specified via JSON in request body. |
PreviewRuleV1 | Preview rules notification count and distribution. This will return aggregations on: channel, count, site. |
GetActionsV1 | Get actions based on their IDs. IDs can be retrieved using the GET /queries/actions/v1 endpoint. |
CreateActionsV1 | Create actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule. |
DeleteActionV1 | Delete an action from a monitoring rule based on the action ID. |
UpdateActionV1 | Update an action for a monitoring rule. |
GetFileContentForExportJobsV1 | Download the file associated with a job ID. |
GetExportJobsV1 | Get the status of export jobs based on their IDs. Export jobs can be launched by calling POST /entities/exports/v1. When a job is complete, use the job ID to download the file(s) associated with it using GET entities/export-files/v1. |
CreateExportJobsV1 | Launch asynchronous export job. Use the job ID to poll the status of the job using GET /entities/exports/v1. |
DeleteExportJobsV1 | Delete export jobs (and their associated file(s)) based on their IDs. |
GetNotificationsDetailedTranslatedV1 | Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match. This endpoint will return translated notification content. The only target language available is English. A single notification can be translated per request |
GetNotificationsDetailedV1 | Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match. |
GetNotificationsExposedDataRecordsV1 | Get notifications exposed data records based on their IDs. IDs can be retrieved using the GET /queries/notifications-exposed-data-records/v1 endpoint. The associate notification can be fetched using the /entities/notifications/v* endpoints |
GetNotificationsTranslatedV1 | Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. This endpoint will return translated notification content. The only target language available is English. |
GetNotificationsV1 | Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. |
DeleteNotificationsV1 | Delete notifications based on IDs. Notifications cannot be recovered after they are deleted. |
UpdateNotificationsV1 | Update notification status or assignee. Accepts bulk requests |
GetRulesV1 | Get monitoring rules by provided IDs. |
CreateRulesV1 | Create monitoring rules. |
DeleteRulesV1 | Delete monitoring rules. |
UpdateRulesV1 | Update monitoring rules. |
QueryActionsV1 | Query actions based on provided criteria. Use the IDs from this response to get the action entities on GET /entities/actions/v1. |
QueryNotificationsExposedDataRecordsV1 | Query notifications exposed data records based on provided criteria. Use the IDs from this response to get the notification entities on GET /entities/notifications-exposed-data-records/v1 |
QueryNotificationsV1 | Query notifications based on provided criteria. Use the IDs from this response to get the notification entities on GET /entities/notifications/v1 or GET /entities/notifications-detailed/v1. |
QueryRulesV1 | Query monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on /entities/rules/v1. |
Back to Table of Contents
Operation ID | Description |
---|---|
report_executions_download_get | Get report entity download |
report_executions_retry | This endpoint will be used to retry report executions |
report_executions_get | Retrieve report details for the provided report IDs. |
report_executions_query | Find all report execution IDs matching the query with filter |
Back to Table of Contents
Operation ID | Description |
---|---|
queryCombinedRTResponsePolicyMembers | Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
queryCombinedRTResponsePolicies | Search for Response Policies in your environment by providing a FQL filter and paging details. Returns a set of Response Policies which match the filter criteria |
performRTResponsePoliciesAction | Perform the specified action on the Response Policies specified in the request |
setRTResponsePoliciesPrecedence | Sets the precedence of Response Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
getRTResponsePolicies | Retrieve a set of Response Policies by specifying their IDs |
createRTResponsePolicies | Create Response Policies by specifying details about the policy to create |
deleteRTResponsePolicies | Delete a set of Response Policies by specifying their IDs |
updateRTResponsePolicies | Update Response Policies by specifying the ID of the policy and details to update |
queryRTResponsePolicyMembers | Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
queryRTResponsePolicies | Search for Response Policies in your environment by providing a FQL filter with sort and/or paging details. This returns a set of Response Policy IDs that match the given criteria. |
Back to Table of Contents
Operation ID | Description |
---|---|
ArchiveListV1 | Retrieves the archives files in chunks. |
ArchiveGetV1 | Retrieves the archives upload operation statuses. Status done means that archive was processed successfully. Status error means that archive was not processed successfully. |
ArchiveUploadV1 | Uploads an archive and extracts files list from it. Operation is asynchronous; use /archives/entities/archives/v1 to check the status. After uploading, use /archives/entities/extractions/v1 to copy the file to internal storage making it available for content analysis. This method is deprecated in favor of /archives/entities/archives/v2 |
ArchiveDeleteV1 | Delete an archive that was uploaded previously |
ArchiveUploadV2 | Uploads an archive and extracts files list from it. Operation is asynchronous; use /archives/entities/archives/v1 to check the status. After uploading, use /archives/entities/extractions/v1 to copy the file to internal storage making it available for content analysis. |
ExtractionListV1 | Retrieves the files extractions in chunks. Status done means that all files were processed successfully. Status error means that at least one of the files could not be processed. |
ExtractionGetV1 | Retrieves the files extraction operation statuses. Status done means that all files were processed successfully. Status error means that at least one of the files could not be processed. |
ExtractionCreateV1 | Extracts files from an uploaded archive and copies them to internal storage making it available for content analysis. |
GetSampleV3 | Retrieves the file associated with the given ID (SHA256) |
UploadSampleV3 | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint. |
DeleteSampleV3 | Removes a sample, including file, meta and submissions from the collection |
Back to Table of Contents
Operation ID | Description |
---|---|
scheduled_reports_launch | Launch scheduled reports executions for the provided report IDs. |
scheduled_reports_get | Retrieve scheduled reports for the provided report IDs. |
scheduled_reports_query | Find all report IDs matching the query with filter |
Back to Table of Contents
Operation ID | Description |
---|---|
GetCombinedSensorInstallersByQuery | Get sensor installer details by provided query |
DownloadSensorInstallerById | Download sensor installer by SHA256 ID |
GetSensorInstallersEntities | Get sensor installer details by provided SHA256 IDs |
GetSensorInstallersCCIDByQuery | Get CCID to use with sensor installers |
GetSensorInstallersByQuery | Get sensor installer IDs by provided query |
Back to Table of Contents
Operation ID | Description |
---|---|
revealUninstallToken | Reveals an uninstall token for a specific device. To retrieve the bulk maintenance token pass the value 'MAINTENANCE' as the value for 'device_id' |
queryCombinedSensorUpdateBuilds | Retrieve available builds for use with Sensor Update Policies |
queryCombinedSensorUpdateKernels | Retrieve kernel compatibility info for Sensor Update Builds |
queryCombinedSensorUpdatePolicyMembers | Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
queryCombinedSensorUpdatePolicies | Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria |
queryCombinedSensorUpdatePoliciesV2 | Search for Sensor Update Policies with additional support for uninstall protection in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria |
performSensorUpdatePoliciesAction | Perform the specified action on the Sensor Update Policies specified in the request |
setSensorUpdatePoliciesPrecedence | Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
getSensorUpdatePolicies | Retrieve a set of Sensor Update Policies by specifying their IDs |
createSensorUpdatePolicies | Create Sensor Update Policies by specifying details about the policy to create |
deleteSensorUpdatePolicies | Delete a set of Sensor Update Policies by specifying their IDs |
updateSensorUpdatePolicies | Update Sensor Update Policies by specifying the ID of the policy and details to update |
getSensorUpdatePoliciesV2 | Retrieve a set of Sensor Update Policies with additional support for uninstall protection by specifying their IDs |
createSensorUpdatePoliciesV2 | Create Sensor Update Policies by specifying details about the policy to create with additional support for uninstall protection |
updateSensorUpdatePoliciesV2 | Update Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection |
querySensorUpdateKernelsDistinct | Retrieve kernel compatibility info for Sensor Update Builds |
querySensorUpdatePolicyMembers | Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
querySensorUpdatePolicies | Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policy IDs which match the filter criteria |
Back to Table of Contents
Operation ID | Description |
---|---|
getSensorVisibilityExclusionsV1 | Get a set of Sensor Visibility Exclusions by specifying their IDs |
createSVExclusionsV1 | Create the sensor visibility exclusions |
deleteSensorVisibilityExclusionsV1 | Delete the sensor visibility exclusions by id |
updateSensorVisibilityExclusionsV1 | Update the sensor visibility exclusions |
querySensorVisibilityExclusionsV1 | Search for sensor visibility exclusions. |
Back to Table of Contents
Operation ID | Description |
---|---|
combinedQueryEvaluationLogic | Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic entities which match the filter criteria. |
getEvaluationLogic | Get details on evaluation logic items by providing one or more IDs. |
queryEvaluationLogic | Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic IDs which match the filter criteria. |
Back to Table of Contents
Operation ID | Description |
---|---|
combinedQueryVulnerabilities | Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria |
getRemediationsV2 | Get details on remediation by providing one or more IDs |
getVulnerabilities | Get details on vulnerabilities by providing one or more IDs |
queryVulnerabilities | Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria |
Back to Table of Contents
Operation ID | Description |
---|---|
GetEventsBody | Get event body for the provided event ID |
GetEventsEntities | Get events entities for specified ids. |
QueryEvents | Get events ids that match the provided filter criteria. |
GetRulesEntities | Get rules entities for specified ids. |
QueryRules | Get rules ids that match the provided filter criteria. |
Back to Table of Contents
Operation ID | Description |
---|---|
ReadUnidentifiedContainersByDateRangeCount | Returns the count of Unidentified Containers over the last 7 days |
ReadUnidentifiedContainersCount | Returns the total count of Unidentified Containers over a time period |
SearchAndReadUnidentifiedContainers | Search Unidentified Containers by the provided search criteria |
Back to Table of Contents
Operation ID | Description |
---|---|
combinedUserRolesV1 | Get User Grant(s). This endpoint lists both direct as well as flight control grants between a User and a Customer. |
entitiesRolesV1 | Get info about a role |
userActionV1 | Apply actions to one or more users. Available action names: reset_2fa, reset_password. User UUIDs can be provided in ids param as part of request payload. |
userRolesActionV1 | Grant or Revoke one or more role(s) to a user against a CID. User UUID, CID and Role ID(s) can be provided in request payload. Available Action(s) : grant, revoke |
retrieveUsersGETV1 | Get info about users including their name, UID and CID by providing user UUIDs |
createUserV1 | Create a new user. After creating a user, assign one or more roles with POST '/user-management/entities/user-role-actions/v1' |
deleteUserV1 | Delete a user permanently. |
updateUserV1 | Modify an existing user's first or last name. |
queriesRolesV1 | Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /user-management/entities/roles/v1 . |
queryUserV1 | List user IDs for all users in your customer account. For more information on each user, provide the user ID to /user-management/entities/users/GET/v1 . |
GetRoles | Deprecated : Please use GET /user-management/entities/roles/v1. Get info about a role |
GrantUserRoleIds | Deprecated : Please use POST /user-management/entities/user-role-actions/v1. Assign one or more roles to a user |
RevokeUserRoleIds | Deprecated : Please use POST /user-management/entities/user-role-actions/v1. Revoke one or more roles from a user |
GetAvailableRoleIds | Deprecated : Please use GET /user-management/queries/roles/v1. Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /customer/entities/roles/v1 . |
GetUserRoleIds | Deprecated : Please use GET /user-management/combined/user-roles/v1. Show role IDs of roles assigned to a user. For more information on each role, provide the role ID to /customer/entities/roles/v1 . |
retrieveUser | Deprecated : Please use POST /user-management/entities/users/GET/v1. Get info about a user |
CreateUser | Deprecated : Please use POST /user-management/entities/users/v1. Create a new user. After creating a user, assign one or more roles with POST /user-roles/entities/user-roles/v1 |
DeleteUser | Deprecated : Please use DELETE /user-management/entities/users/v1. Delete a user permanently |
UpdateUser | Deprecated : Please use PATCH /user-management/entities/users/v1. Modify an existing user's first or last name |
RetrieveEmailsByCID | Deprecated : Please use POST /user-management/entities/users/GET/v1. List the usernames (usually an email address) for all users in your customer account |
RetrieveUserUUIDsByCID | Deprecated : Please use GET /user-management/queries/users/v1. List user IDs for all users in your customer account. For more information on each user, provide the user ID to /users/entities/user/v1 . |
RetrieveUserUUID | Deprecated : Please use GET /user-management/queries/users/v1. Get a user's ID by providing a username (usually an email address) |
Back to Table of Contents
Operation ID | Description |
---|---|
WorkflowExecute | Executes an on-demand Workflow. The body is JSON used to trigger the execution; the response is the execution ID(s). |
WorkflowExecutionsAction | Allows a user to resume/retry a failed workflow execution. |
WorkflowExecutionResults | Get execution result of a given execution. |
WorkflowSystemDefinitionsDeProvision | Deprovisions a system definition that was previously provisioned on the target CID. |
WorkflowSystemDefinitionsPromote | Promote a version of a system definition. |
WorkflowSystemDefinitionsProvision | Provisions a system definition onto the target CID by using the template and provided parameters. |
Back to Table of Contents
Operation ID | Description |
---|---|
getAssessmentV1 | Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID) and a customer ID (CID). |
getAuditV1 | Get the Zero Trust Assessment audit report for one customer ID (CID). |
getAssessmentsByScoreV1 | Get Zero Trust Assessment data for one or more hosts by providing a customer ID (CID) and a range of scores. |
Back to Table of Contents