Skip to content

Operations by Collection

Joshua Hiller edited this page Jul 15, 2024 · 58 revisions

CrowdStrike Falcon CrowdStrike Subreddit

All Operations by Service Collection

Total Service Collections Total Operations Documentation Version Page Updated

Table of Contents

Alerts API Integrations Cloud Connect AWS
Deprecated
Cloud Snapshots
Configuration Assessment Configuration Assessment Evaluation Logic Container Alerts Container Detections
Container Images Container Packages Container Vulnerabilities CSPM Registration
Custom IOA Custom Storage D4C Registration
Deprecated
Detects
Device Control Policies Discover Drift Indicators Event Streams
Exposure Management Falcon Complete Dashboard Falcon Container Falcon Intelligence Sandbox
FDR FileVantage Firewall Management Firewall Policies
Foundry LogScale Host Group Hosts Identity Protection
Image Assessment Policies Incidents Installation Tokens Intel
IOA Exclusions IOC IOCs
Deprecated
Kubernetes Protection
Malquery Message Center ML Exclusions Mobile Enrollment
MSSP (Flight Control) OAuth2 ODS Overwatch Dashboard
Prevention Policies Quarantine Quick Scan Real Time Response
Real Time Response Admin Real Time Response Audit Recon Report Executions
Response Policies Sample Uploads Scheduled Reports Sensor Download
Sensor Update Policies Sensor Visibility Exclusions Spotlight Evaluation Logic Spotlight Vulnerabilities
Tailored Intelligence ThreatGraph Unidentified Containers User Management
Workflows Zero Trust Assessment    

Alerts

Operation ID Description
PostAggregatesAlertsV1 retrieves aggregate values for Alerts across all CIDs
PostAggregatesAlertsV2 retrieves aggregate values for Alerts across all CIDs
PostEntitiesAlertsV1 retrieves all Alerts given their ids
PostEntitiesAlertsV2 retrieves all Alerts given their composite ids
PatchEntitiesAlertsV2 Perform actions on detections identified by detection ID(s) in request. Each action has a name and a description which describes what the action does. If a request adds and removes tag in a single request, the order of processing would be to remove tags before adding new ones in.
PatchEntitiesAlertsV3 Perform actions on detections identified by detection ID(s) in request. Each action has a name and a description which describes what the action does. If a request adds and removes tag in a single request, the order of processing would be to remove tags before adding new ones in.
GetQueriesAlertsV1 retrieves all Alerts ids that match a given query
GetQueriesAlertsV2 retrieves all Alerts ids that match a given query

Back to Table of Contents

API Integrations

Operation ID Description
GetCombinedPluginConfigs Queries for config resources and returns details
ExecuteCommand Execute a command.

Back to Table of Contents

Cloud Connect AWS

Deprecated This service collection has been deprecated.

Operation ID Description
QueryAWSAccounts Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria
GetAWSSettings Retrieve a set of Global Settings which are applicable to all provisioned AWS accounts
GetAWSAccounts Retrieve a set of AWS Accounts by specifying their IDs
ProvisionAWSAccounts Provision AWS Accounts by specifying details about the accounts to provision
DeleteAWSAccounts Delete a set of AWS Accounts by specifying their IDs
UpdateAWSAccounts Update AWS Accounts by specifying the ID of the account and details to update
CreateOrUpdateAWSSettings Create or update Global Settings which are applicable to all provisioned AWS accounts
VerifyAWSAccountAccess Performs an Access Verification check on the specified AWS Account IDs
QueryAWSAccountsForIDs Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria

Back to Table of Contents

Cloud Snapshots

Operation ID Description
GetCredentialsMixin0 Retrieve the registry credentials.
CreateDeploymentEntity Launch a snapshot scan for a given cloud asset.
ReadDeploymentsCombined Search for snapshot jobs identified by the provided filter.
ReadDeploymentsEntities Retrieve snapshot jobs identified by the provided IDs.
RegisterCspmSnapshotAccount Register an account for snapshot scanning.
GetScanReport Retrieve the scan report for an instance.

Back to Table of Contents

Configuration Assessment

Operation ID Description
getCombinedAssessmentsQuery Search for assessments in your environment by providing an FQL filter and paging details. Returns a set of HostFinding entities which match the filter criteria
getRuleDetails Get rules details for provided one or more rule IDs

Back to Table of Contents

Configuration Assessment Evaluation Logic

Operation ID Description
getEvaluationLogicMixin0 Get details on evaluation logic items by providing one or more finding IDs.

Back to Table of Contents

Container Alerts

Operation ID Description
ReadContainerAlertsCountBySeverity Get Container Alerts by severity
ReadContainerAlertsCount Search Container Alerts by the provided search criteria
SearchAndReadContainerAlerts Search Container Alerts by the provided search criteria

Back to Table of Contents

Container Detections

Operation ID Description
GetRuntimeDetectionsCombinedV2 Retrieve image assessment detections identified by the provided filter criteria.
ReadDetectionsCountBySeverity Aggregate counts of detections by severity
ReadDetectionsCountByType Aggregate counts of detections by detection type
ReadDetectionsCount Aggregate count of detections
ReadCombinedDetections Retrieve image assessment detections identified by the provided filter criteria
ReadDetections Retrieve image assessment detection entities identified by the provided filter criteria
SearchDetections Retrieve image assessment detection entities identified by the provided filter criteria

Back to Table of Contents

Container Images

Operation ID Description
AggregateImageAssessmentHistory Image assessment history
AggregateImageCountByBaseOS Aggregate count of images grouped by Base OS distribution
AggregateImageCountByState Aggregate count of images grouped by state
AggregateImageCount Aggregate count of images
GetCombinedImages Get image assessment results by providing an FQL filter and paging details
CombinedImageByVulnerabilityCount Retrieve top x images with the most vulnerabilities
CombinedImageDetail Retrieve image entities identified by the provided filter criteria
ReadCombinedImagesExport Retrieve images with an option to expand aggregated vulnerabilities/detections
CombinedImageIssuesSummary Retrieve image issues summary such as Image detections, Runtime detections, Policies, vulnerabilities
CombinedImageVulnerabilitySummary aggregates information about vulnerabilities for an image

Back to Table of Contents

Container Packages

Operation ID Description
ReadPackagesCountByZeroDay Retrieve packages count affected by zero day vulnerabilities
ReadPackagesByFixableVulnCount Retrieve top x app packages with the most fixable vulnerabilities
ReadPackagesByVulnCount Retrieve top x packages with the most vulnerabilities
ReadPackagesCombinedExport Retrieve packages identified by the provided filter criteria for the purpose of export
ReadPackagesCombined Retrieve packages identified by the provided filter criteria

Back to Table of Contents

Container Vulnerabilities

Operation ID Description
ReadVulnerabilityCountByActivelyExploited Aggregate count of vulnerabilities grouped by actively exploited
ReadVulnerabilityCountByCPSRating Aggregate count of vulnerabilities grouped by csp_rating
ReadVulnerabilityCountByCVSSScore Aggregate count of vulnerabilities grouped by cvss score
ReadVulnerabilityCountBySeverity Aggregate count of vulnerabilities grouped by severity
ReadVulnerabilityCount Aggregate count of vulnerabilities
ReadVulnerabilitiesByImageCount Retrieve top x vulnerabilities with the most impacted images
ReadVulnerabilitiesPublicationDate Retrieve top x vulnerabilities with the most recent publication date
ReadCombinedVulnerabilitiesDetails Retrieve vulnerability details related to an image
ReadCombinedVulnerabilitiesInfo Retrieve vulnerability and package related info for this customer
ReadCombinedVulnerabilities Retrieve vulnerability and aggregate data filtered by the provided FQL

Back to Table of Contents

CSPM Registration

Operation ID Description
GetCSPMAwsAccount Returns information about the current status of an AWS account.
CreateCSPMAwsAccount Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access.
DeleteCSPMAwsAccount Deletes an existing AWS account or organization in our system.
PatchCSPMAwsAccount Patches a existing account in our system for a customer.
GetCSPMAwsConsoleSetupURLs Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment.
GetCSPMAwsAccountScriptsAttachment Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment.
GetCSPMAzureAccount Return information about Azure account registration
CreateCSPMAzureAccount Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.
DeleteCSPMAzureAccount Deletes an Azure subscription from the system.
UpdateCSPMAzureAccountClientID Update an Azure service account in our system by with the user-created client_id created with the public key we've provided
UpdateCSPMAzureTenantDefaultSubscriptionID Update an Azure default subscription_id in our system for given tenant_id.
AzureDownloadCertificate Returns JSON object(s) that contain the base64 encoded certificate for a service principal.
GetCSPMAzureUserScriptsAttachment Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment
GetBehaviorDetections Get list of detected behaviors
GetConfigurationDetections Get list of active misconfigurations
GetConfigurationDetectionEntities Get misconfigurations based on the ID - including custom policy detections in addition to default policy detections.
GetConfigurationDetectionIDsV2 Get list of active misconfiguration ids - including custom policy detections in addition to default policy detections.
GetIOAEvents For CSPM IOA events, gets list of IOA events.
GetIOAUsers For CSPM IOA users, gets list of IOA users.
GetCSPMPolicy Given a policy ID, returns detailed policy information.
GetCSPMPoliciesDetails Given an array of policy IDs, returns detailed policies information.
GetCSPMPolicySettings Returns information about current policy settings.
UpdateCSPMPolicySettings Updates a policy setting - can be used to override policy severity or to disable a policy entirely.
GetCSPMScanSchedule Returns scan schedule configuration for one or more cloud platforms.
UpdateCSPMScanSchedule Updates scan schedule configuration for one or more cloud platforms.
GetCSPMAzureManagementGroup Return information about Azure management group registration
DeleteCSPMAzureManagementGroup Deletes Azure management groups from the system.
CreateCSPMAzureManagementGroup Creates a new management group in our system for a customer.
GetCSPMCGPAccount Returns information about the current status of an GCP account.
CreateCSPMGCPAccount Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access.
DeleteCSPMGCPAccount Deletes a GCP account from the system.
UpdateCSPMGCPAccount Patches a existing account in our system for a customer.
ConnectCSPMGCPAccount Creates a new GCP account with newly-uploaded service account or connects with existing service account with only the following fields: parent_id, parent_type and service_account_id
GetCSPMGCPServiceAccountsExt Returns the service account id and client email for external clients.
UpdateCSPMGCPServiceAccountsExt Updates an existing GCP service account.
GetCSPMGCPUserScriptsAttachment Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment
GetCSPMGCPValidateAccountsExt Run a synchronous health check.
ValidateCSPMGCPServiceAccountExt Validates credentials for a service account

Back to Table of Contents

Custom IOA

Operation ID Description
get_patterns Get pattern severities by ID.
get_platformsMixin0 Get platforms by ID.
get_rule_groupsMixin0 Get rule groups by ID.
create_rule_groupMixin0 Create a rule group for a platform with a name and an optional description. Returns the rule group.
delete_rule_groupsMixin0 Delete rule groups by ID.
update_rule_groupMixin0 Update a rule group. The following properties can be modified: name, description, enabled.
get_rule_types Get rule types by ID.
get_rules_get Get rules by ID and optionally with cid and/or version in the following format: [cid:]ID[:version].
get_rulesMixin0 Get rules by ID and optionally with cid and/or version in the following format: [cid:]ID[:version]. The max number of IDs is constrained by URL size.
create_rule Create a rule within a rule group. Returns the rule.
delete_rules Delete rules from a rule group by ID.
update_rules Update rules within a rule group. Return the updated rules.
update_rules_v2 Update name, description, enabled or field_values for individual rules within a rule group. The v1 flavor of this call requires the caller to specify the complete state for all the rules in the rule group, instead the v2 flavor will accept the subset of rules in the rule group and apply the attribute updates to the subset of rules in the rule group. Returns the updated rules.
validate Validates field values and checks for matches if a test string is provided.
query_patterns Get all pattern severity IDs.
query_platformsMixin0 Get all platform IDs.
query_rule_groups_full Find all rule groups matching the query with optional filter.
query_rule_groupsMixin0 Finds all rule group IDs matching the query with optional filter.
query_rule_types Get all rule type IDs.
query_rulesMixin0 Finds all rule IDs matching the query with optional filter.

Back to Table of Contents

Custom Storage

Operation ID Description
ListObjects List the object keys in the specified collection in alphabetical order.
SearchObjects Search for objects that match the specified filter criteria (returns metadata, not actual objects).
GetObject Get the bytes for the specified object.
PutObject Put the specified new object at the given key or overwrite an existing object at the given key.
DeleteObject Delete the specified object.
GetObjectMetadata Get the metadata for the specified object.

Back to Table of Contents

D4C Registration

Deprecated This service collection has been deprecated.

Operation ID Description
GetD4CAwsAccount Returns information about the current status of an AWS account.
CreateD4CAwsAccount Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access.
DeleteD4CAwsAccount Deletes an existing AWS account or organization in our system.
GetD4CAwsConsoleSetupURLs Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment.
GetD4CAWSAccountScriptsAttachment Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment.
GetDiscoverCloudAzureAccount Return information about Azure account registration
GetDiscoverCloudAzureTenantIDs Return available tenant IDs for Discover for Cloud.
CreateDiscoverCloudAzureAccount Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.
UpdateDiscoverCloudAzureAccountClientID Update an Azure service account in our system by with the user-created client_id created with the public key we've provided
GetDiscoverCloudAzureUserScriptsAttachment Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment
GetDiscoverCloudAzureUserScripts Return a script for customer to run in their cloud environment to grant us access to their Azure environment
GetDiscoverCloudCGPAccount Returns information about the current status of an GCP account.
CreateDiscoverCloudGCPAccount Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access.
DiscoverCloudAzureDownloadCertificate Returns JSON object(s) that contain the base64 encoded certificate for a service principal.
GetDiscoverCloudGCPUserScriptsAttachment Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment
GetDiscoverCloudGCPUserScripts Return a script for customer to run in their cloud environment to grant us access to their GCP environment
DeleteD4CGCPAccount Deletes a GCP account from the system.
ConnectD4CGCPAccount Creates a new GCP account with newly-uploaded service account or connects with existing service account with only the following fields: parent_id, parent_type and service_account_id
GetD4CGCPServiceAccountsExt Returns the service account id and client email for external clients.
UpdateD4CCPServiceAccountsExt Updates an existing GCP service account.
GetD4CGCPUserScriptsAttachment Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment

Back to Table of Contents

Detects

Operation ID Description
GetAggregateDetects Get detect aggregates as specified via json in request body.
UpdateDetectsByIdsV2 Modify the state, assignee, and visibility of detections
GetDetectSummaries View information about detections
QueryDetects Search for detection IDs that match a given query

Back to Table of Contents

Device Control Policies

Operation ID Description
queryCombinedDeviceControlPolicyMembers Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedDeviceControlPolicies Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policies which match the filter criteria
getDefaultDeviceControlPolicies Retrieve the configuration for the Default Device Control Policy.
updateDefaultDeviceControlPolicies Update the configuration for the Default Device Control Policy.
performDeviceControlPoliciesAction Perform the specified action on the Device Control Policies specified in the request
setDeviceControlPoliciesPrecedence Sets the precedence of Device Control Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
getDeviceControlPolicies Retrieve a set of Device Control Policies by specifying their IDs
createDeviceControlPolicies Create Device Control Policies by specifying details about the policy to create
deleteDeviceControlPolicies Delete a set of Device Control Policies by specifying their IDs
updateDeviceControlPolicies Update Device Control Policies by specifying the ID of the policy and details to update
queryDeviceControlPolicyMembers Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryDeviceControlPolicies Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policy IDs which match the filter criteria

Back to Table of Contents

Discover

Operation ID Description
get_accounts Get details on accounts by providing one or more IDs.
get_applications Get details on applications by providing one or more IDs.
get_hosts Get details on assets by providing one or more IDs.
get_iot_hosts Get details on IoT assets by providing one or more IDs.
get_logins Get details on logins by providing one or more IDs.
query_accounts Search for accounts in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_applications Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of applications IDs which match the filter criteria.
query_hosts Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_iot_hosts Search for IoT assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_iot_hosts_v2 Search for IoT assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_logins Search for logins in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

Back to Table of Contents

Drift Indicators

| GetDriftIndicatorsValuesByDate | Returns the count of Drift Indicators by the date. by default it's for 7 days. | | ReadDriftIndicatorsCount | Returns the total count of Drift indicators over a time period | | SearchAndReadDriftIndicatorEntities | Retrieve Drift Indicators by the provided search criteria | | SearchDriftIndicators | Retrieve all drift indicators that match the given query |

Back to Table of Contents

Event Streams

Operation ID Description
refreshActiveStreamSession Refresh an active event stream. Use the URL shown in a GET /sensors/entities/datafeed/v2 response.
listAvailableStreamsOAuth2 Discover all event streams in your environment

Back to Table of Contents

Exposure Management

Operation ID Description
aggregate_external_assets Returns external assets aggregates.
blob_download_external_assets Download the entire contents of the blob. The relative link to this endpoint is returned in the get_external_assets request.
blob_preview_external_assets Download a preview of the blob. The relative link to this endpoint is returned in the get_external_assets request.
get_external_assets Get details on external assets by providing one or more IDs.
patch_external_assets Update the details of external assets.
query_external_assets Get a list of external asset IDs that match the provided filter conditions. Use these IDs with the blob_download_external_assets, blob_preview_external_assets and get_external_assets endpoints

Back to Table of Contents

Falcon Container

Operation ID Description
GetCombinedImages Gets image assessment results by providing a FQL filter and paging details.
GetCredentials Gets the registry credentials.
ReadImageVulnerabilities Retrieve vulnerabilities for a specified image.
GetImageAssessmentReport Retrieve an assessment report for an image by specifying repository and tag.
DeleteImageDetails Delete image details from the CrowdStrike registry.
ImageMatchesPolicy Check if an image matches a policy by specifying repository and tag.
ReadRegistryEntities Retrieve registry entities associated with the client ID.
ReadRegistryEntitiesByUUID Retrieve registry entities associated with a specific registry entity UUID.
DeleteRegistryEntities Delete registry entities by UUID.
CreateRegistryEntities Create registry entities using the provided detail.
UpdateRegistryEntities Update the registry entity, as identified by the entity UUID, using the provided details.

Back to Table of Contents

Falcon Complete Dashboard

Operation ID Description
AggregateAlerts Retrieve aggregate alerts values based on the matched filter
AggregateAllowList Retrieve aggregate allowlist ticket values based on the matched filter
AggregateBlockList Retrieve aggregate blocklist ticket values based on the matched filter
AggregateDetections Retrieve aggregate detection values based on the matched filter
AggregateDeviceCountCollection Retrieve aggregate host/devices count based on the matched filter
AggregateEscalations Retrieve aggregate escalation ticket values based on the matched filter
AggregateFCIncidents Retrieve aggregate incident values based on the matched filter
AggregateRemediations Retrieve aggregate remediation ticket values based on the matched filter
AggregatePreventionPolicy Retrieve aggregate prevention policy values based on the matched filter
AggregateSensorUpdatePolicy Retrieve aggregate sensor update policy values based on the matched filter
AggregateSupport Issues Retrieve aggregate support issue values based on the matched filter
QueryAlertIdsByFilter Retrieve alert IDs that match the provided filter criteria with scrolling enabled
QueryAllowListFilter Retrieve allowlist tickets that match the provided filter criteria with scrolling enabled
QueryBlockListFilter Retrieve block listtickets that match the provided filter criteria with scrolling enabled
QueryDetectionIdsByFilter Retrieve DetectionsIds that match the provided FQL filter, criteria with scrolling enabled
GetDeviceCountCollectionQueriesByFilter Retrieve device count collection Ids that match the provided FQL filter, criteria with scrolling enabled
QueryEscalationsFilter Retrieve escalation tickets that match the provided filter criteria with scrolling enabled
QueryIncidentIdsByFilter Retrieve incidents that match the provided filter criteria with scrolling enabled
QueryRemediationsFilter Retrieve remediation tickets that match the provided filter criteria with scrolling enabled

Back to Table of Contents

Falcon Intelligence Sandbox

Operation ID Description
GetArtifacts Download IOC packs, PCAP files, and other analysis artifacts.
GetMemoryDumpExtractedStrings Get extracted strings from a memory dump.
GetMemoryDumpHexDump Get the hex view of a memory dump.
GetMemoryDump Get memory dump content, as a binary.
GetSummaryReports Get a short summary version of a sandbox report.
GetReports Get a full sandbox report.
DeleteReport Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint.
GetSubmissions Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
Submit Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
QueryReports Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria.
QuerySubmissions Find submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria.
GetSampleV2 Retrieves the file associated with the given ID (SHA256)
UploadSampleV2 Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file.
DeleteSampleV2 Removes a sample, including file, meta and submissions from the collection
QuerySampleV1 Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200

Back to Table of Contents

FDR

Operation ID Description
fdrschema_combined_event_get Fetches the combined schema.
fdrschema_entities_event_get Fetch event schema by ID.
fdrschema_queries_event_get Get list of event IDs given a particular query.
fdrschema_entities_field_get Fetch field schema by ID.
fdrschema_queries_field_get Get list of field IDs given a particular query.

Back to Table of Contents

FileVantage

Operation ID Description
getActionsMixin0 Retrieve the processing results for one or more actions.
startActions Initiates the specified action on the provided change IDs.
getContents Retrieves the content captured for the provided change ID.
getChanges Retrieve information on changes.
queryChanges Returns one or more change IDs.
updatePolicyHostGroups Manage host groups assigned to a policy.
updatePolicyRuleGroups Manage the rule groups assigned to the policy or set the rule group precedence for all rule groups within the policy.
updatePolicyPrecedence Updates the policy precedence for all policies of a specific type.
getPolicies Retrieves the configuration for one or more policies.
createPolicies Creates a new policy of the specified type. New policies are always added at the end of the precedence list for the provided policy type.
deletePolicies Deletes one or more policies.
updatePolicies Updates the general information of the provided policy.
getScheduledExclusions Retrieves the configuration for one or more scheduled exclusions from the provided policy ID.
createScheduledExclusions Creates a new scheduled exclusion configuration for the provided policy ID.
deleteScheduledExclusions Deletes one or more scheduled exclusions from the provided policy ID.
updateScheduledExclusions Updates the provided scheduled exclusion configuration within the provided polciy.
updateRuleGroupPrecedence Updates the rule precedence for all ruels in the identified rule group.
getRules Retrieves the configuration for one or more rules.
createRules Creates a new rule configuration within the specified rule group.
deleteRules Deletes one or more rules from the specified rule group.
updateRules Updates the provided rule configuration within the specified rule group.
getRuleGroups Retrieves the rule group details for one or more rule groups.
createRuleGroups Creates a new rule group of the specified type.
deleteRuleGroups Deletes one or more rule groups
updateRuleGroups Updates the provided rule group.
signalChangesExternal Initiates workflows for the provided change IDs.
highVolumeQueryChanges Returns a list of Falcon FileVantage change IDs filtered, sorted and limited by the query parameters provided. It can retrieve an unlimited number of results using multiple requests.
queryActionsMixin0 Returns one or more action IDs.
queryRulesGroups Retrieve the IDs of all rule groups that are of the provided rule group type.
queryScheduledExclusions Retrieve the IDs of all scheduled exclusions contained within the provided policy ID.
queryPolicies Retrieve the ids of all policies that are assigned the provided policy type.

Back to Table of Contents

Firewall Management

Operation ID Description
aggregate_events Aggregate events for customer
aggregate_policy_rules Aggregate rules within a policy for customer
aggregate_rule_groups Aggregate rule groups for customer
aggregate_rules Aggregate rules for customer
get_events Get events entities by ID and optionally version
get_firewall_fields Get the firewall field specifications by ID
get_network_locations_details Get network locations entities by ID
update_network_locations_metadata Updates the network locations metadata such as polling_intervals for the cid
update_network_locations_precedence Updates the network locations precedence according to the list of ids provided.
get_network_locations Get a summary of network locations entities by ID
upsert_network_locations Updates the network locations provided, and return the ID.
create_network_locations Create new network locations provided, and return the ID.
delete_network_locations Delete network location entities by ID.
update_network_locations Updates the network locations provided, and return the ID.
get_platforms Get platforms by ID, e.g., windows or mac or droid
get_policy_containers Get policy container entities by policy ID
update_policy_container_v1 Update an identified policy container. WARNING: This endpoint is deprecated in favor of v2, using this endpoint could disable your local logging setting.
update_policy_container Update an identified policy container, including local logging functionality.
get_rule_groups Get rule group entities by ID. These groups do not contain their rule entites, just the rule IDs in precedence order.
create_rule_group Create new rule group on a platform for a customer with a name and description, and return the ID
delete_rule_groups Delete rule group entities by ID
update_rule_group Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
create_rule_group_validation Validates the request of creating a new rule group on a platform for a customer with a name and description
update_rule_group_validation Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
get_rules Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string)
validate_filepath_pattern Validates that the test pattern matches the executable filepath glob pattern.
query_events Find all event IDs matching the query with filter
query_firewall_fields Get the firewall field specification IDs for the provided platform
query_network_locations Get a list of network location IDs
query_platforms Get the list of platform names
query_policy_rules Find all firewall rule IDs matching the query with filter, and return them in precedence order
query_rule_groups Find all rule group IDs matching the query with filter
query_rules Find all rule IDs matching the query with filter

Back to Table of Contents

Firewall Policies

Operation ID Description
queryCombinedFirewallPolicyMembers Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedFirewallPolicies Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policies which match the filter criteria
performFirewallPoliciesAction Perform the specified action on the Firewall Policies specified in the request
setFirewallPoliciesPrecedence Sets the precedence of Firewall Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
getFirewallPolicies Retrieve a set of Firewall Policies by specifying their IDs
createFirewallPolicies Create Firewall Policies by specifying details about the policy to create
deleteFirewallPolicies Delete a set of Firewall Policies by specifying their IDs
updateFirewallPolicies Update Firewall Policies by specifying the ID of the policy and details to update
queryFirewallPolicyMembers Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryFirewallPolicies Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policy IDs which match the filter criteria

Back to Table of Contents

Foundry LogScale

Operation ID Description
ListReposV1 Lists available repositories and views.
IngestDataV1 Ingest data into the application repository.
IngestDataAsyncV1 Ingest data into the application repository asynchronously.
CreateSavedSearchesDynamicExecuteV1 Execute a dynamic saved search.
GetSavedSearchesExecuteV1 Get the results of a saved search.
CreateSavedSearchesExecuteV1 Execute a saved search.
CreateSavedSearchesIngestV1 Populate a saved search.
GetSavedSearchesJobResultsDownloadV1 Get the results of a saved search as a file.
ListViewV1 List views.

Back to Table of Contents

Host Group

Operation ID Description
queryCombinedGroupMembers Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedHostGroups Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Groups which match the filter criteria
performGroupAction Perform the specified action on the Host Groups specified in the request
getHostGroups Retrieve a set of Host Groups by specifying their IDs
createHostGroups Create Host Groups by specifying details about the group to create
deleteHostGroups Delete a set of Host Groups by specifying their IDs
updateHostGroups Update Host Groups by specifying the ID of the group and details to update
queryGroupMembers Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryHostGroups Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Group IDs which match the filter criteria

Back to Table of Contents

Hosts

Operation ID Description
QueryDeviceLoginHistory Retrieve details about recent login sessions for a set of devices.
QueryDeviceLoginHistoryV2 Retrieve details about recent interactive login sessions for a set of devices powered by the Host Timeline. A max of 10 device ids can be specified
QueryGetNetworkAddressHistoryV1 Retrieve history of IP and MAC addresses of devices.
PerformActionV2 Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host.
UpdateDeviceTags Append or remove one or more Falcon Grouping Tags on one or more hosts.
GetDeviceDetails Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API
GetDeviceDetailsV1
Deprecated
Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 500)
GetDeviceDetailsV2 Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 100)
PostDeviceDetailsV2 Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 5000)
entities_perform_action Performs the specified action on the provided prevention policy IDs.
GetOnlineState_V1 Get the online status for one or more hosts by specifying each host’s unique ID.
QueryHiddenDevices Retrieve hidden hosts that match the provided filter criteria.
QueryDevicesByFilterScroll Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)
QueryDevicesByFilter Search for hosts in your environment by platform, hostname, IP, and other criteria.

Back to Table of Contents

Identity Protection

Operation ID Description
GetSensorAggregates Get sensor aggregates as specified via json in request body.
GetSensorDetails Get details on one or more sensors by provdiing device IDs in a POST body. Supports up to a maximum of 5000 IDs.
QuerySensorsByFilter Search for sensors in your environment by hostname, IP, or other criteria.
api_preempt_proxy_post_graphql Identity Protection GraphQL API. Allows to retrieve entities, timeline activities, identity-based incidents and security assessment. Allows to perform actions on entities and identity-based incidents.

Back to Table of Contents

Image Assessment Policies

Operation ID Description
ReadPolicies Get all Image Assessment policies
CreatePolicies Create Image Assessment policies
DeletePolicy Delete Image Assessment Policy by policy UUID
UpdatePolicies Update Image Assessment Policy entities
ReadPolicyExclusions Retrieve Image Assessment Policy Exclusion entities
UpdatePolicyExclusions Update Image Assessment Policy Exclusion entities
ReadPolicyGroups Retrieve Image Assessment Policy Group entities
CreatePolicyGroups Create Image Assessment Policy Group entities
DeletePolicyGroup Delete Image Assessment Policy Group entities
UpdatePolicyGroups Update Image Assessment Policy Group entities
UpdatePolicyPrecedence Update Image Assessment Policy precedence

Back to Table of Contents

Incidents

Operation ID Description
CrowdScore Query environment wide CrowdScore and return the entity data
GetBehaviors Get details on behaviors by providing behavior IDs
PerformIncidentAction Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
GetIncidents Get details on incidents by providing incident IDs
QueryBehaviors Search for behaviors by providing a FQL filter, sorting, and paging details
QueryIncidents Search for incidents by providing a FQL filter, sorting, and paging details

Back to Table of Contents

Installation Tokens

Operation ID Description
audit_events_read Gets the details of one or more audit events by id.
customer_settings_read Check current installation token settings.
customer_settings_update Update installation token settings.
tokens_read Gets the details of one or more tokens by id.
tokens_create Creates a token.
tokens_delete Deletes a token immediately. To revoke a token, use PATCH /installation-tokens/entities/tokens/v1 instead.
tokens_update Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore.
audit_events_query Search for audit events by providing a FQL filter and paging details.
tokens_query Search for tokens by providing a FQL filter and paging details.

Back to Table of Contents

Intel

Operation ID Description
QueryIntelActorEntities Get info about actors that match provided FQL filters.
QueryIntelIndicatorEntities Get info about indicators that match provided FQL filters.
QueryIntelReportEntities Get info about reports that match provided FQL filters.
GetIntelActorEntities Retrieve specific actors using their actor IDs.
GetIntelIndicatorEntities Retrieve specific indicators using their indicator IDs.
GetMalwareEntities Get malware entities for specified IDs.
GetMitreReport Export Mitre ATT&CK information for a given actor.
PostMitreAttacks Retrieves report and observable IDs associated with the given actor and attacks.
GetIntelReportPDF Return a Report PDF attachment
GetIntelReportEntities Retrieve specific reports using their report IDs.
GetIntelRuleFile Download earlier rule sets.
GetLatestIntelRuleFile Download the latest rule set.
GetIntelRuleEntities Retrieve details for rule sets for the specified ids.
GetVulnerabilities Get vulnerabilities
QueryIntelActorIds Get actor IDs that match provided FQL filters.
QueryMalware Get malware family names that match provided FQL filters.
QueryMitreAttacksForMalware Gets MITRE tactics and techniques for the given malware.
QueryMitreAttacks Gets MITRE tactics and techniques for the given actor.
QueryIntelIndicatorIds Get indicators IDs that match provided FQL filters.
QueryIntelReportIds Get report IDs that match provided FQL filters.
QueryIntelRuleIds Search for rule IDs that match provided filter criteria.
QueryVulnerabilities Get vulnerabilities IDs

Back to Table of Contents

IOA Exclusions

Operation ID Description
getIOAExclusionsV1 Get a set of IOA Exclusions by specifying their IDs
createIOAExclusionsV1 Create the IOA exclusions
deleteIOAExclusionsV1 Delete the IOA exclusions by id
updateIOAExclusionsV1 Update the IOA exclusions
queryIOAExclusionsV1 Search for IOA exclusions.

Back to Table of Contents

IOC

Operation ID Description
indicator_get_device_count_v1 Get the number of devices the indicator has run on
indicator_aggregate_v1 Get Indicators aggregates as specified via json in the request body.
indicator_combined_v1 Get Combined for Indicators.
action_get_v1 Get Actions by ids.
GetIndicatorsReport Launch an indicators report creation job
indicator_get_v1 Get Indicators by ids.
indicator_create_v1 Create Indicators.
indicator_delete_v1 Delete Indicators by ids.
indicator_update_v1 Update Indicators.
action_query_v1 Query Actions.
indicator_get_devices_ran_on_v1 Get the IDs of devices the indicator has run on
indicator_get_processes_ran_on_v1 Get the number of processes the indicator has run on
indicator_search_v1 Search for Indicators.
DevicesCount Number of hosts in your customer account that have observed a given custom IOC
DevicesRanOn Find hosts that have observed a given custom IOC. For details about those hosts, use GetDeviceDetails
ProcessesRanOn Search for processes associated with a custom IOC
entities_processes For the provided ProcessID retrieve the process details
ioc_type_query_v1 Query IOC Types.
platform_query_v1 Query Platforms.
severity_query_v1 Query Severities.

Back to Table of Contents

IOCs

Deprecated This service collection has been deprecated.

Operation ID Description
DevicesCount Number of hosts in your customer account that have observed a given custom IOC
GetIOC
Deprecated
This operation has been superseded by the IOC.indicator_get_v1 operation and is no longer used.
CreateIOC
Deprecated
This operation has been superseded by the IOC.indicator_create_v1 operation and is no longer used.
DeleteIOC
Deprecated
This operation has been superseded by the IOC.indicator_delete_v1 operation and is no longer used.
UpdateIOC
Deprecated
This operation has been superseded by the IOC.indicator_update_v1 operation and is no longer used.
DevicesRanOn Find hosts that have observed a given custom IOC. For details about those hosts, use GetDeviceDetails
QueryIOCs
Deprecated
This operation has been superseded by the IOC.indicator_search_v1 operation and is no longer used.
ProcessesRanOn Search for processes associated with a custom IOC
entities_processes For the provided ProcessID retrieve the process details

Back to Table of Contents

Kubernetes Protection

Operation ID Description
ReadClustersByDateRangeCount Retrieve clusters by date range counts
ReadClustersByKubernetesVersionCount Bucket clusters by kubernetes version
ReadClustersByStatusCount Bucket clusters by status
ReadClusterCount Retrieve cluster counts
ReadContainersByDateRangeCount Retrieve containers by date range counts
ReadContainerCountByRegistry Retrieve top container image registries
FindContainersCountAffectedByZeroDayVulnerabilities Retrieve containers count affected by zero day vulnerabilities
ReadVulnerableContainerImageCount Retrieve count of vulnerable images running on containers
ReadContainerCount Retrieve container counts
FindContainersByContainerRunTimeVersion Retrieve containers by container_runtime_version
GroupContainersByManaged Group the containers by Managed
ReadContainerImageDetectionsCountByDate Retrieve count of image assessment detections on running containers over a period of time
ReadContainerImagesByState Retrieve count of image states running on containers
ReadContainersSensorCoverage Bucket containers by agent type and calculate sensor coverage
ReadContainerVulnerabilitiesBySeverityCount Retrieve container vulnerabilities by severity counts
ReadDeploymentsByDateRangeCount Retrieve deployments by date range counts
ReadDeploymentCount Retrieve deployment counts
ReadClusterEnrichment Retrieve cluster enrichment data
ReadNodeEnrichment Retrieve node enrichment data
ReadDistinctContainerImageCount Retrieve count of distinct images running on containers
ReadContainerImagesByMostUsed Bucket container by image-digest
ReadKubernetesIomByDateRange Returns the count of Kubernetes IOMs by the date. by default it's for 7 days.
ReadKubernetesIomCount Returns the total count of Kubernetes IOMs over the past seven days
ReadNodesByCloudCount Bucket nodes by cloud providers
ReadNodesByContainerEngineVersionCount Bucket nodes by their container engine version
ReadNodesByDateRangeCount Retrieve nodes by date range counts
ReadNodeCount Retrieve node counts
ReadPodsByDateRangeCount Retrieve pods by date range counts
ReadPodCount Retrieve pod counts
ReadClusterCombined Retrieve kubernetes clusters identified by the provided filter criteria
ReadRunningContainerImages Retrieve images on running containers
ReadContainerCombined Retrieve containers identified by the provided filter criteria
ReadDeploymentCombined Retrieve kubernetes deployments identified by the provided filter criteria
SearchAndReadKubernetesIomEntities Search Kubernetes IOM by the provided search criteria
ReadNodeCombined Retrieve kubernetes nodes identified by the provided filter criteria
ReadPodCombined Retrieve kubernetes pods identified by the provided filter criteria
ReadKubernetesIomEntities Retrieve Kubernetes IOM entities identified by the provided IDs
SearchKubernetesIoms Search Kubernetes IOMs by the provided search criteria. this endpoint returns a list of Kubernetes IOM UUIDs matching the query
GetAWSAccountsMixin0 Provides a list of AWS accounts.
CreateAWSAccount Creates a new AWS account in our system for a customer and generates the installation script
DeleteAWSAccountsMixin0 Delete AWS accounts.
UpdateAWSAccount Updates the AWS account per the query parameters provided
ListAzureAccounts Provides the azure subscriptions registered to Kubernetes Protection
CreateAzureSubscription Creates a new Azure Subscription in our system
DeleteAzureSubscription Deletes a new Azure Subscription in our system
GetLocations Provides the cloud locations acknowledged by the Kubernetes Protection service
GetCombinedCloudClusters Return a combined list of provisioned cloud accounts and known kubernetes clusters.
GetAzureTenantConfig Return the azure tenant config.
GetStaticScripts Gets static bash scripts that are used during registration.
GetAzureTenantIDs Provides all the azure subscriptions and tenants.
GetAzureInstallScript Provides the script to run for a given tenant id and subscription IDs.
GetHelmValuesYaml Provides a sample Helm values.yaml file for a customer to install alongside the agent Helm chart
RegenerateAPIKey Regenerate API key for docker registry integrations
GetClusters Provides the clusters acknowledged by the Kubernetes Protection service
TriggerScan Triggers a dry run or a full scan of a customer's kubernetes footprint
PatchAzureServicePrincipal Adds the client ID for the given tenant ID to our system

Back to Table of Contents

MalQuery

Operation ID Description
GetMalQueryQuotasV1 Get information about search and download quotas in your environment
PostMalQueryFuzzySearchV1 Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity.
GetMalQueryDownloadV1 Download a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time
GetMalQueryMetadataV1 Retrieve indexed files metadata by their hash
GetMalQueryRequestV1 Check the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time.
GetMalQueryEntitiesSamplesFetchV1 Fetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing
PostMalQueryEntitiesSamplesMultidownloadV1 Schedule samples for download. Use the result id with the /request endpoint to check if the download is ready after which you can call the /entities/samples-fetch to get the zip
PostMalQueryExactSearchV1 Search Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. You can filter results on criteria such as file type, file size and first seen date. Returns a request id which can be used with the /request endpoint
PostMalQueryHuntV1 Schedule a YARA-based search for execution. Returns a request id which can be used with the /request endpoint

Back to Table of Contents

Message Center

Operation ID Description
AggregateCases Retrieve aggregate case values based on the matched filter
GetCaseActivityByIds Retrieve activities for given id's
CaseAddActivity Add an activity to case. Only activities of type comment are allowed via API
CaseDownloadAttachment retrieves an attachment for the case, given the attachment id
CaseAddAttachment Upload an attachment for the case.
CreateCase create a new case
CreateCaseV2 create a new case
UpdateCase update an existing case
GetCaseEntitiesByIDs Retrieve message center cases
QueryActivityByCaseID Retrieve activities id's for a case
QueryCasesIdsByFilter Retrieve case id's that match the provided filter criteria

Back to Table of Contents

ML Exclusions

Operation ID Description
getMLExclusionsV1 Get a set of ML Exclusions by specifying their IDs
createMLExclusionsV1 Create the ML exclusions
deleteMLExclusionsV1 Delete the ML exclusions by id
updateMLExclusionsV1 Update the ML exclusions
queryMLExclusionsV1 Search for ML exclusions.

Back to Table of Contents

Mobile Enrollment

Operation ID Description
RequestDeviceEnrollmentV3 Trigger on-boarding process for a mobile device.
RequestDeviceEnrollmentV4 Trigger on-boarding process for a mobile device.

Back to Table of Contents

MSSP (Flight Control)

Operation ID Description
getChildrenV2 Get link to child customer by child CID(s)
getChildren Get link to child customer by child CID(s)
getCIDGroupMembersBy Get CID group members by CID group ID.
getCIDGroupMembersByV2 Get CID group members by CID Group ID.
addCIDGroupMembers Add new CID Group member.
deleteCIDGroupMembers Delete CID Group members entry.
getCIDGroupById Get CID groups by ID.
getCIDGroupMembersByV2 Get CID group members by CID Group ID.
createCIDGroups Create new CID Group(s). Maximum 500 CID Group(s) allowed.
deleteCIDGroups Delete CID groups by ID.
updateCIDGroups Update existing CID Group(s). CID Group ID is expected for each CID Group definition provided in request body. CID Group member(s) remain unaffected.
getCIDGroupByIdV2 Get CID Groups by ID.
getRolesByID Get MSSP Role assignment(s). MSSP Role assignment is of the format :.
addRole Assign new MSSP Role(s) between User Group and CID Group. It does not revoke existing role(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request.
deletedRoles Delete MSSP Role assignment(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request. Only specified roles are removed if specified in request payload, else association between User Group and CID Group is dissolved completely (if no roles specified).
getUserGroupMembersByID Get user group members by user group ID.
addUserGroupMembers Add new User Group member. Maximum 500 members allowed per User Group.
deleteUserGroupMembers Delete User Group members entry.
getUserGroupMembersByIDV2 Get user group members by user group ID.
getUserGroupsByID Get user groups by ID.
getUserGroupsByIDV2 Get user groups by ID.
createUserGroups Create new User Group(s). Maximum 500 User Group(s) allowed per customer.
deleteUserGroups Delete user groups by ID.
updateUserGroups Update existing User Group(s). User Group ID is expected for each User Group definition provided in request body. User Group member(s) remain unaffected.
queryChildren Query for customers linked as children
queryCIDGroupMembers Query a CID groups members by associated CID.
queryCIDGroups Query CID Groups.
queryRoles Query links between user groups and CID groups. At least one of CID group ID or user group ID should also be provided. Role ID is optional.
queryUserGroupMembers Query User Group member by User UUID.
queryUserGroups Query User Groups.

Back to Table of Contents

OAuth2

Operation ID Description
oauth2RevokeToken Revoke a previously issued OAuth2 access token before the end of its standard 30-minute lifespan.
oauth2AccessToken Generate an OAuth2 access token

Back to Table of Contents

ODS (On Demand Scan)

Operation ID Description
aggregate_query_scan_host_metadata Get aggregates on ODS scan-hosts data.
aggregate_scans Get aggregates on ODS scan data.
aggregate_scheduled_scans Get aggregates on ODS scheduled-scan data.
get_malicious_files_by_ids Get malicious files by ids.
cancel_scans Cancel ODS scans for the given scan ids.
get_scan_host_metadata_by_ids Get scan hosts by ids.
get_scans_by_scan_ids Get Scans by IDs.
create_scan Create ODS scan and start or schedule scan for the given scan request.
get_scans_by_scan_ids_v2 Get Scans by IDs.
get_scheduled_scans_by_scan_ids Get ScheduledScans by IDs.
schedule_scan Create ODS scan and start or schedule scan for the given scan request.
delete_scheduled_scans Delete ODS scheduled-scans for the given scheduled-scan ids.
query_malicious_files Query malicious files.
query_scan_host_metadata Query scan hosts.
query_scans Query Scans.
query_scheduled_scans Query ScheduledScans.

Back to Table of Contents

Overwatch Dashboard

Operation ID Description
AggregatesDetectionsGlobalCounts Get the total number of detections pushed across all customers
AggregatesEventsCollections Get OverWatch detection event collection info by providing an aggregate query
AggregatesEvents Get aggregate OverWatch detection event info by providing an aggregate query
AggregatesIncidentsGlobalCounts Get the total number of incidents pushed across all customers
AggregatesOWEventsGlobalCounts Get the total number of OverWatch events across all customers

Back to Table of Contents

Prevention Policies

Operation ID Description
queryCombinedPreventionPolicyMembers Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedPreventionPolicies Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria
performPreventionPoliciesAction Perform the specified action on the Prevention Policies specified in the request
setPreventionPoliciesPrecedence Sets the precedence of Prevention Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
getPreventionPolicies Retrieve a set of Prevention Policies by specifying their IDs
createPreventionPolicies Create Prevention Policies by specifying details about the policy to create
deletePreventionPolicies Delete a set of Prevention Policies by specifying their IDs
updatePreventionPolicies Update Prevention Policies by specifying the ID of the policy and details to update
queryPreventionPolicyMembers Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryPreventionPolicies Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policy IDs which match the filter criteria

Back to Table of Contents

Quarantine

Operation ID Description
ActionUpdateCount Returns count of potentially affected quarantined files for each action.
GetAggregateFiles Get quarantine file aggregates as specified via json in request body.
GetQuarantineFiles Get quarantine file metadata for specified ids.
UpdateQuarantinedDetectsByIds Apply action by quarantine file ids
QueryQuarantineFiles Get quarantine file ids that match the provided filter criteria.
UpdateQfByQuery Apply quarantine file actions by query.

Back to Table of Contents

Quick Scan

Operation ID Description
GetScansAggregates Get scans aggregations as specified via json in request body.
GetScans Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute
ScanSamples Submit a volume of files for ml scanning. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute
QuerySubmissionsMixin0 Find IDs for submitted scans by providing a FQL filter and paging details. Returns a set of volume IDs that match your criteria.

Back to Table of Contents

Real Time Response

Operation ID Description
RTR_AggregateSessions Get aggregates on session data.
BatchActiveResponderCmd Batch executes a RTR active-responder command across the hosts mapped to the given batch ID.
BatchCmd Batch executes a RTR read-only command across the hosts mapped to the given batch ID.
BatchGetCmdStatus Retrieves the status of the specified batch get command. Will return successful files when they are finished processing.
BatchGetCmd Batch executes get command across hosts to retrieve files. After this call is made GET /real-time-response/combined/batch-get-command/v1 is used to query for the results.
BatchInitSessions Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host.
BatchRefreshSessions Batch refresh a RTR session on multiple hosts. RTR sessions will expire after 10 minutes unless refreshed.
RTR_CheckActiveResponderCommandStatus Get status of an executed active-responder command on a single host.
RTR_ExecuteActiveResponderCommand Execute an active responder command on a single host.
RTR_CheckCommandStatus Get status of an executed command on a single host.
RTR_ExecuteCommand Execute a command on a single host.
RTR_GetExtractedFileContents Get RTR extracted file contents for specified session and sha256.
RTR_ListFiles Get a list of files for the specified RTR session.
RTR_ListFilesV2 Get a list of files for the specified RTR session.
(Expanded output detail)
RTR_DeleteFile Delete a RTR session file.
RTR_DeleteFileV2 Delete a RTR session file.
(Expanded output detail. Use with RTR_ListFilesV2.)
RTR_ListQueuedSessions Get queued session metadata by session ID.
RTR_DeleteQueuedSession Delete a queued session command
RTR_PulseSession Refresh a session timeout on a single host.
RTR_ListSessions Get session metadata by session id.
RTR_InitSession Initialize a new session with the RTR cloud.
RTR_DeleteSession Delete a session.
RTR_ListAllSessions Get a list of session_ids.

Back to Table of Contents

Real Time Response Admin

Operation ID Description
BatchAdminCmd Batch executes a RTR administrator command across the hosts mapped to the given batch ID.
RTR_CheckAdminCommandStatus Get status of an executed RTR administrator command on a single host.
RTR_ExecuteAdminCommand Execute a RTR administrator command on a single host.
RTR_GetFalconScripts Get Falcon scripts with metadata and content of script
RTR_GetPut_Files Get put-files based on the ID's given. These are used for the RTR put command.
RTR_GetPut_FilesV2 Get put-files based on the ID's given. These are used for the RTR put command.
RTR_CreatePut_Files Upload a new put-file to use for the RTR put command.
RTR_DeletePut_Files Delete a put-file based on the ID given. Can only delete one file at a time.
RTR_GetScripts Get custom-scripts based on the ID's given. These are used for the RTR runscript command.
RTR_GetScriptsV2 Get custom-scripts based on the ID's given. These are used for the RTR runscript command.
RTR_CreateScripts Upload a new custom-script to use for the RTR runscript command.
RTR_DeleteScripts Delete a custom-script based on the ID given. Can only delete one script at a time.
RTR_UpdateScripts Upload a new scripts to replace an existing one.
RTR_ListFalconScripts Get a list of Falcon script IDs available to the user to run
RTR_ListPut_Files Get a list of put-file ID's that are available to the user for the put command.
RTR_ListScripts Get a list of custom-script ID's that are available to the user for the runscript command.

Back to Table of Contents

Real Time Response Audit

Operation ID Description
RTRAuditSessions Get all RTR sessions created for a customer during a specified time period.

Back to Table of Contents

Recon

Operation ID Description
AggregateNotificationsExposedDataRecordsV1 Get notification exposed data record aggregates as specified via JSON in request body. The valid aggregation fields are: [notification_id created_date rule.id rule.name rule.topic source_category site author]
AggregateNotificationsV1 Get notification aggregates as specified via JSON in request body.
PreviewRuleV1 Preview rules notification count and distribution. This will return aggregations on: channel, count, site.
GetActionsV1 Get actions based on their IDs. IDs can be retrieved using the GET /queries/actions/v1 endpoint.
CreateActionsV1 Create actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule.
DeleteActionV1 Delete an action from a monitoring rule based on the action ID.
UpdateActionV1 Update an action for a monitoring rule.
GetFileContentForExportJobsV1 Download the file associated with a job ID.
GetExportJobsV1 Get the status of export jobs based on their IDs. Export jobs can be launched by calling POST /entities/exports/v1. When a job is complete, use the job ID to download the file(s) associated with it using GET entities/export-files/v1.
CreateExportJobsV1 Launch asynchronous export job. Use the job ID to poll the status of the job using GET /entities/exports/v1.
DeleteExportJobsV1 Delete export jobs (and their associated file(s)) based on their IDs.
GetNotificationsDetailedTranslatedV1 Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.This endpoint will return translated notification content. The only target language available is English. A single notification can be translated per request
GetNotificationsDetailedV1 Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.
GetNotificationsExposedDataRecordsV1 Get notifications exposed data records based on their IDs. IDs can be retrieved using the GET /queries/notifications-exposed-data-records/v1 endpoint. The associate notification can be fetched using the /entities/notifications/v* endpoints
GetNotificationsTranslatedV1 Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. This endpoint will return translated notification content. The only target language available is English.
GetNotificationsV1 Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint.
DeleteNotificationsV1 Delete notifications based on IDs. Notifications cannot be recovered after they are deleted.
UpdateNotificationsV1 Update notification status or assignee. Accepts bulk requests
GetRulesV1 Get monitoring rules rules by provided IDs.
CreateRulesV1 Create monitoring rules.
DeleteRulesV1 Delete monitoring rules.
UpdateRulesV1 Update monitoring rules.
QueryActionsV1 Query actions based on provided criteria. Use the IDs from this response to get the action entities on GET /entities/actions/v1.
QueryNotificationsExposedDataRecordsV1 Query notifications exposed data records based on provided criteria. Use the IDs from this response to get the notification +entities on GET /entities/notifications-exposed-data-records/v1
QueryNotificationsV1 Query notifications based on provided criteria. Use the IDs from this response to get the notification entities on GET /entities/notifications/v1 or GET /entities/notifications-detailed/v1.
QueryRulesV1 Query monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on /entities/rules/v1.

Back to Table of Contents

Report Executions

Operation ID Description
report_executions_download_get Get report entity download
report_executions_retry This endpoint will be used to retry report executions
report_executions_get Retrieve report details for the provided report IDs.
report_executions_query Find all report execution IDs matching the query with filter

Back to Table of Contents

Response Policies

Operation ID Description
queryCombinedRTResponsePolicyMembers Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedRTResponsePolicies Search for Response Policies in your environment by providing a FQL filter and paging details. Returns a set of Response Policies which match the filter criteria
performRTResponsePoliciesAction Perform the specified action on the Response Policies specified in the request
setRTResponsePoliciesPrecedence Sets the precedence of Response Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
getRTResponsePolicies Retrieve a set of Response Policies by specifying their IDs
createRTResponsePolicies Create Response Policies by specifying details about the policy to create
deleteRTResponsePolicies Delete a set of Response Policies by specifying their IDs
updateRTResponsePolicies Update Response Policies by specifying the ID of the policy and details to update
queryRTResponsePolicyMembers Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryRTResponsePolicies Search for Response Policies in your environment by providing a FQL filter with sort and/or paging details. This returns a set of Response Policy IDs that match the given criteria.

Back to Table of Contents

Sample Uploads

Operation ID Description
ArchiveListV1 Retrieves the archives files in chunks.
ArchiveGetV1 Retrieves the archives upload operation statuses. Status done means that archive was processed successfully. Status error means that archive was not processed successfully.
ArchiveUploadV1 Uploads an archive and extracts files list from it. Operation is asynchronous use /archives/entities/archives/v1 to check the status. After uploading, use /archives/entities/extractions/v1 to copy the file to internal storage making it available for content analysis.
This method is deprecated in favor of /archives/entities/archives/v2
ArchiveDeleteV1 Delete an archive that was uploaded previously
ArchiveUploadV2 Uploads an archive and extracts files list from it. Operation is asynchronous use /archives/entities/archives/v1 to check the status. After uploading, use /archives/entities/extractions/v1 to copy the file to internal storage making it available for content analysis.
ExtractionListV1 Retrieves the files extractions in chunks. Status done means that all files were processed successfully. Status error means that at least one of the file could not be processed.
ExtractionGetV1 Retrieves the files extraction operation statuses. Status done means that all files were processed successfully. Status error means that at least one of the file could not be processed.
ExtractionCreateV1 Extracts files from an uploaded archive and copies them to internal storage making it available for content analysis.
GetSampleV3 Retrieves the file associated with the given ID (SHA256)
UploadSampleV3 Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint.
DeleteSampleV3 Removes a sample, including file, meta and submissions from the collection

Back to Table of Contents

Scheduled Reports

Operation ID Description
scheduled_reports_launch Launch scheduled reports executions for the provided report IDs.
scheduled_reports_get Retrieve scheduled reports for the provided report IDs.
scheduled_reports_query Find all report IDs matching the query with filter

Back to Table of Contents

Sensor Download

Operation ID Description
GetCombinedSensorInstallersByQuery Get sensor installer details by provided query
GetCombinedSensorInstallersByQueryV2 Get sensor installer details by provided query
DownloadSensorInstallerById Download sensor installer by SHA256 ID
DownloadSensorInstallerByIdV2 Download sensor installer by SHA256 ID
GetSensorInstallersEntities Get sensor installer details by provided SHA256 IDs
GetSensorInstallersEntitiesV2 Get sensor installer details by provided SHA256 IDs
GetSensorInstallersCCIDByQuery Get CCID to use with sensor installers
GetSensorInstallersByQuery Get sensor installer IDs by provided query
GetSensorInstallersByQueryV2 Get sensor installer IDs by provided query

Back to Table of Contents

Sensor Update Policies

Operation ID Description
revealUninstallToken Reveals an uninstall token for a specific device. To retrieve the bulk maintenance token pass the value 'MAINTENANCE' as the value for 'device_id'
queryCombinedSensorUpdateBuilds Retrieve available builds for use with Sensor Update Policies
queryCombinedSensorUpdateKernels Retrieve kernel compatibility info for Sensor Update Builds
queryCombinedSensorUpdatePolicyMembers Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedSensorUpdatePolicies Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria
queryCombinedSensorUpdatePoliciesV2 Search for Sensor Update Policies with additional support for uninstall protection in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria
performSensorUpdatePoliciesAction Perform the specified action on the Sensor Update Policies specified in the request
setSensorUpdatePoliciesPrecedence Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
getSensorUpdatePolicies Retrieve a set of Sensor Update Policies by specifying their IDs
createSensorUpdatePolicies Create Sensor Update Policies by specifying details about the policy to create
deleteSensorUpdatePolicies Delete a set of Sensor Update Policies by specifying their IDs
updateSensorUpdatePolicies Update Sensor Update Policies by specifying the ID of the policy and details to update
getSensorUpdatePoliciesV2 Retrieve a set of Sensor Update Policies with additional support for uninstall protection by specifying their IDs
createSensorUpdatePoliciesV2 Create Sensor Update Policies by specifying details about the policy to create with additional support for uninstall protection
updateSensorUpdatePoliciesV2 Update Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection
querySensorUpdateKernelsDistinct Retrieve kernel compatibility info for Sensor Update Builds
querySensorUpdatePolicyMembers Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
querySensorUpdatePolicies Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policy IDs which match the filter criteria

Back to Table of Contents

Sensor Visibility Exclusions

Operation ID Description
getSensorVisibilityExclusionsV1 Get a set of Sensor Visibility Exclusions by specifying their IDs
createSVExclusionsV1 Create the sensor visibility exclusions
deleteSensorVisibilityExclusionsV1 Delete the sensor visibility exclusions by id
updateSensorVisibilityExclusionsV1 Update the sensor visibility exclusions
querySensorVisibilityExclusionsV1 Search for sensor visibility exclusions.

Back to Table of Contents

Spotlight Evaluation Logic

Operation ID Description
combinedQueryEvaluationLogic Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic entities which match the filter criteria.
getEvaluationLogic Get details on evaluation logic items by providing one or more IDs.
queryEvaluationLogic Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic IDs which match the filter criteria.

Back to Table of Contents

Spotlight Vulnerabilities

Operation ID Description
combinedQueryVulnerabilities Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria
getRemediationsV2 Get details on remediation by providing one or more IDs
getVulnerabilities Get details on vulnerabilities by providing one or more IDs
queryVulnerabilities Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria

Back to Table of Contents

Tailored Intelligence

Operation ID Description
GetEventsBody Get event body for the provided event ID
GetEventsEntities Get events entities for specified ids.
QueryEvents Get events ids that match the provided filter criteria.
GetRulesEntities Get rules entities for specified ids.
QueryRules Get rules ids that match the provided filter criteria.

Back to Table of Contents

ThreatGraph

Operation ID Description
combined_edges_get Retrieve edges for a given vertex id. One edge type must be specified
combined_ran_on_get Look up instances of indicators such as hashes, domain names, and ip addresses that have been seen on devices in your environment.
combined_summary_get Retrieve summary for a given vertex ID
entities_vertices_get Retrieve metadata for a given vertex ID
entities_vertices_getv2 Retrieve metadata for a given vertex ID
queries_edgetypes_get Show all available edge types

Back to Table of Contents

Unidentified Containers

Operation ID Description
ReadUnidentifiedContainersByDateRangeCount Returns the count of Unidentified Containers over the last 7 days
ReadUnidentifiedContainersCount Returns the total count of Unidentified Containers over a time period
SearchAndReadUnidentifiedContainers Search Unidentified Containers by the provided search criteria

Back to Table of Contents

User Management

Operation ID Description
combinedUserRolesV1 Get User Grant(s). This endpoint lists both direct as well as flight control grants between a User and a Customer.
entitiesRolesV1 Get info about a role
userActionV1 Apply actions to one or more User. Available action names: reset_2fa, reset_password. User UUIDs can be provided in ids param as part of request payload.
userRolesActionV1 Grant or Revoke one or more role(s) to a user against a CID. User UUID, CID and Role ID(s) can be provided in request payload. Available Action(s) : grant, revoke
retrieveUsersGETV1 Get info about users including their name, UID and CID by providing user UUIDs
createUserV1 Create a new user. After creating a user, assign one or more roles with POST '/user-management/entities/user-role-actions/v1'
deleteUserV1 Delete a user permanently.
updateUserV1 Modify an existing user's first or last name.
queriesRolesV1 Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /user-management/entities/roles/v1.
queryUserV1 List user IDs for all users in your customer account. For more information on each user, provide the user ID to /user-management/entities/users/GET/v1.
GetRoles Deprecated : Please use GET /user-management/entities/roles/v1. Get info about a role
GrantUserRoleIds Deprecated : Please use POST /user-management/entities/user-role-actions/v1. Assign one or more roles to a user
RevokeUserRoleIds Deprecated : Please use POST /user-management/entities/user-role-actions/v1. Revoke one or more roles from a user
GetAvailableRoleIds Deprecated : Please use GET /user-management/queries/roles/v1. Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /customer/entities/roles/v1.
GetUserRoleIds Deprecated : Please use GET /user-management/combined/user-roles/v1. Show role IDs of roles assigned to a user. For more information on each role, provide the role ID to /customer/entities/roles/v1.
retrieveUser Deprecated : Please use POST /user-management/entities/users/GET/v1. Get info about a user
CreateUser Deprecated : Please use POST /user-management/entities/users/v1. Create a new user. After creating a user, assign one or more roles with POST /user-roles/entities/user-roles/v1
DeleteUser Deprecated : Please use DELETE /user-management/entities/users/v1. Delete a user permanently
UpdateUser Deprecated : Please use PATCH /user-management/entities/users/v1. Modify an existing user's first or last name
RetrieveEmailsByCID Deprecated : Please use POST /user-management/entities/users/GET/v1. List the usernames (usually an email address) for all users in your customer account
RetrieveUserUUIDsByCID Deprecated : Please use GET /user-management/queries/users/v1. List user IDs for all users in your customer account. For more information on each user, provide the user ID to /users/entities/user/v1.
RetrieveUserUUID Deprecated : Please use GET /user-management/queries/users/v1. Get a user's ID by providing a username (usually an email address)

Back to Table of Contents

Workflows

Operation ID Description
WorkflowExecute Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response the execution ID(s).
WorkflowExecuteInternal Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response the execution ID(s).
WorkflowMockExecute Executes an on-demand Workflow with mocks.
WorkflowExecutionsAction Allows a user to resume/retry a failed workflow execution.
WorkflowExecutionResults Get execution result of a given execution.
WorkflowSystemDefinitionsDeProvision Deprovisions a system definition that was previously provisioned on the target CID.
WorkflowSystemDefinitionsPromote Promote a version of a system definition.
WorkflowSystemDefinitionsProvision Provisions a system definition onto the target CID by using the template and provided parameters.
WorkflowActivitiesCombined Search workflow activities based on the provided filter
WorkflowDefinitionsCombined Search workflow definitions based on the provided filter
WorkflowExecutionsCombined Search workflow executions based on the provided filter
WorkflowTriggersCombined Search workflow triggers based on the provided filter
WorkflowDefinitionsExport Exports a workflow definition for the given definition ID
WorkflowDefinitionsImport Imports a workflow definition based on the provided model
WorkflowDefinitionsUpdate Updates a workflow definition based on the provided model.
WorkflowGetHumanInputV1 Gets one or more specific human inputs by their IDs.
WorkflowUpdateHumanInputV1 Provides an input in response to a human input action. Depending on action configuration, one or more of Approve, Decline, and/or Escalate are permitted.

Back to Table of Contents

Zero Trust Assessment

Operation ID Description
getAssessmentV1 Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID) and a customer ID (CID).
getAuditV1 Get the Zero Trust Assessment audit report for one customer ID (CID).
getAssessmentsByScoreV1 Get Zero Trust Assessment data for one or more hosts by providing a customer ID (CID) and a range of scores.

Back to Table of Contents

CrowdStrike Falcon

Clone this wiki locally