All Operations
| Operation ID | Service Collection | Description |
|---|---|---|
| action_get_v1 | IOC | Get Actions by ids. |
| action_query_v1 | IOC | Query Actions. |
| ActionUpdateCount | Quarantine | Returns count of potentially affected quarantined files for each action. |
| addCIDGroupMembers | MSSP (Flight Control) | Add new CID group member. |
| addRole | MSSP (Flight Control) | Create a link between user group and CID group, with zero or more additional roles. The call does not replace any existing link between them. User group ID and CID group ID have to be specified in request. |
| addUserGroupMembers | MSSP (Flight Control) | Add new user group member. Maximum 500 members allowed per user group. |
| aggregate_events | Firewall Management | Aggregate events for customer |
| aggregate_external_assets | Exposure Management | Returns external assets aggregates. |
| aggregate_policy_rules | Firewall Management | Aggregate rules within a policy for customer |
| aggregate_query_scan_host_metadata | ODS | Get aggregates on ODS scan-hosts data. |
| aggregate_rule_groups | Firewall Management | Aggregate rule groups for customer |
| aggregate_rules | Firewall Management | Aggregate rules for customer |
| aggregate_scans | ODS | Get aggregates on ODS scan data. |
| aggregate_scheduled_scans | ODS | Get aggregates on ODS scheduled-scan data. |
| AggregateAlerts | Falcon Complete Dashboard | Retrieve aggregate alerts values based on the matched filter |
| AggregateAllowList | Falcon Complete Dashboard | Retrieve aggregate allowlist ticket values based on the matched filter |
| AggregateBlockList | Falcon Complete Dashboard | Retrieve aggregate blocklist ticket values based on the matched filter |
| AggregateCases | Message Center | Retrieve aggregate case values based on the matched filter |
| AggregateDetections | Falcon Complete Dashboard | Retrieve aggregate detection values based on the matched filter |
| AggregateDeviceCountCollection | Falcon Complete Dashboard | Retrieve aggregate host/devices count based on the matched filter |
| AggregateEscalations | Falcon Complete Dashboard | Retrieve aggregate escalation ticket values based on the matched filter |
| AggregateFCIncidents | Falcon Complete Dashboard | Retrieve aggregate incident values based on the matched filter |
| AggregateImageAssessmentHistory | Container Images | Image assessment history |
| AggregateImageCount | Container Images | Aggregate count of images |
| AggregateImageCountByBaseOS | Container Images | Aggregate count of images grouped by Base OS distribution |
| AggregateImageCountByState | Container Images | Aggregate count of images grouped by state |
| AggregateNotificationsExposedDataRecordsV1 | Recon | Get notification exposed data record aggregates as specified via JSON in request body. The valid aggregation fields are: [cid notification_id created_date rule.id rule.name rule.topic source_category site author file.name credential_status bot.operating_system.hardware_id bot.bot_id] |
| AggregateNotificationsV1 | Recon | Get notification aggregates as specified via JSON in request body. |
| AggregatePreventionPolicy | Falcon Complete Dashboard | Retrieve prevention policies aggregate values based on the matched filter |
| AggregateRemediations | Falcon Complete Dashboard | Retrieve aggregate remediation ticket values based on the matched filter |
| AggregatesDetectionsGlobalCounts | Overwatch Dashboard | Get the total number of detections pushed across all customers |
| AggregateSensorUpdatePolicy | Falcon Complete Dashboard | Retrieve sensor update policies aggregate values |
| AggregateSupportIssues | Falcon Complete Dashboard | Retrieve support issue aggregate values |
| AggregatesEvents | Overwatch Dashboard | Get aggregate OverWatch detection event info by providing an aggregate query |
| AggregatesEventsCollections | Overwatch Dashboard | Get OverWatch detection event collection info by providing an aggregate query |
| AggregatesIncidentsGlobalCounts | Overwatch Dashboard | Get the total number of incidents pushed across all customers |
| AggregatesOWEventsGlobalCounts | Overwatch Dashboard | Get the total number of OverWatch events across all customers |
| AggregateTotalDeviceCounts | Falcon Complete Dashboard | Retrieve aggregate total host/devices based on the matched filter |
| api_preempt_proxy_post_graphql | Identity Protection | Identity Protection GraphQL API. Allows to retrieve entities, timeline activities, identity-based incidents and security assessment. Allows to perform actions on entities and identity-based incidents. |
| ArchiveDeleteV1 | Sample Uploads | Delete an archive that was uploaded previously |
| ArchiveGetV1 | Sample Uploads | Retrieves the archives upload operation statuses. Status done means that archive was processed successfully. Status error means that archive was not processed successfully. |
| ArchiveListV1 | Sample Uploads | Retrieves the archives files in chunks. |
| ArchiveUploadV1 | Sample Uploads | Uploads an archive and extracts files list from it. Operation is asynchronous use /archives/entities/archives/v1 to check the status. After uploading, use /archives/entities/extractions/v1 to copy the file to internal storage making it available for content analysis. This method is deprecated in favor of /archives/entities/archives/v2
|
| ArchiveUploadV2 | Sample Uploads | Uploads an archive and extracts files list from it. Operation is asynchronous use /archives/entities/archives/v1 to check the status. After uploading, use /archives/entities/extractions/v1 to copy the file to internal storage making it available for content analysis. |
| audit_events_query | Installation Tokens | Search for audit events by providing a FQL filter and paging details. |
| audit_events_read | Installation Tokens | Gets the details of one or more audit events by id. |
| AzureDownloadCertificate | CSPM Registration | Returns JSON object(s) that contain the base64 encoded certificate for a service principal. |
| BatchActiveResponderCmd | Real Time Response | Batch executes a RTR active-responder command across the hosts mapped to the given batch ID. |
| BatchAdminCmd | Real Time Response Admin | Batch executes a RTR administrator command across the hosts mapped to the given batch ID. |
| BatchCmd | Real Time Response | Batch executes a RTR read-only command across the hosts mapped to the given batch ID. |
| BatchGetCmd | Real Time Response | Batch executes get command across hosts to retrieve files. After this call is made GET /real-time-response/combined/batch-get-command/v1 is used to query for the results. |
| BatchGetCmdStatus | Real Time Response | Retrieves the status of the specified batch get command. Will return successful files when they are finished processing. |
| BatchInitSessions | Real Time Response | Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host. |
| BatchRefreshSessions | Real Time Response | Batch refresh a RTR session on multiple hosts. RTR sessions will expire after 10 minutes unless refreshed. |
| blob_download_external_assets | Exposure Management | Download the entire contents of the blob. The relative link to this endpoint is returned in the get_external_assets request. |
| blob_preview_external_assets | Exposure Management | Download a preview of the blob. The relative link to this endpoint is returned in the get_external_assets request. |
| cancel_scans | ODS | Cancel ODS scans for the given scan ids. |
| CaseAddActivity | Message Center | Add an activity to case. Only activities of type comment are allowed via API |
| CaseAddAttachment | Message Center | Upload an attachment for the case. |
| CaseDownloadAttachment | Message Center | retrieves an attachment for the case, given the attachment id |
| combined_edges_get | ThreatGraph | Retrieve edges for a given vertex id. One edge type must be specified |
| CombinedImageByVulnerabilityCount | Container Images | Retrieve top x images with the most vulnerabilities |
| CombinedImageDetail | Container Images | Retrieve image entities identified by the provided filter criteria |
| CombinedImageIssuesSummary | Container Images | Retrieve image issues summary such as Image detections, Runtime detections, Policies, vulnerabilities |
| CombinedImageVulnerabilitySummary | Container Images | aggregates information about vulnerabilities for an image |
| combinedQueryEvaluationLogic | Spotlight Evaluation Logic | Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic entities which match the filter criteria. |
| combinedQueryVulnerabilities | Spotlight Vulnerabilities | Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria |
| combined_ran_on_get | ThreatGraph | Look up instances of indicators such as hashes, domain names, and ip addresses that have been seen on devices in your environment. |
| combined_summary_get | ThreatGraph | Retrieve summary for a given vertex ID |
| combinedUserRolesV1 | User Management | Get User Grant(s). This endpoint lists both direct as well as flight control grants between a User and a Customer. |
| ConnectCSPMGCPAccount | CSPM Registration | Creates a new GCP account with newly-uploaded service account or connects with existing service account with only the following fields: parent_id, parent_type and service_account_id |
| ConnectD4CGCPAccount | D4C Registration | Creates a new GCP account with newly-uploaded service account or connects with existing service account with only the following fields: parent_id, parent_type and service_account_id |
| create_network_locations | Firewall Management | Create new network locations provided, and return the ID. |
| create_rule | Custom IOA | Create a rule within a rule group. Returns the rule. |
| create_rule_group | Firewall Management | Create new rule group on a platform for a customer with a name and description, and return the ID |
| create_rule_group_validation | Firewall Management | Validates the request of creating a new rule group on a platform for a customer with a name and description |
| create_rule_groupMixin0 | Custom IOA | Create a rule group for a platform with a name and an optional description. Returns the rule group. |
| create_scan | ODS | Create ODS scan and start or schedule scan for the given scan request. |
| CreateActionsV1 | Recon | Create actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule. |
| CreateAWSAccount | Kubernetes Protection | Creates a new AWS account in our system for a customer and generates the installation script |
| CreateAzureSubscription | Kubernetes Protection | Creates a new Azure Subscription in our system |
| CreateCase | Message Center | create a new case |
| CreateCaseV2 | Message Center | create a new case |
| createCIDGroups | MSSP (Flight Control) | Create new CID groups. Name is a required field but description is an optional field. Maximum 500 CID groups allowed. |
| CreateCSPMAwsAccount | CSPM Registration | Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access. |
| CreateCSPMAzureAccount | CSPM Registration | Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access. |
| CreateCSPMGCPAccount | CSPM Registration | Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access. |
| CreateD4CAwsAccount | D4C Registration | Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access. |
| CreateD4CGCPAccount | D4C Registration | Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access. |
| CreateDeploymentEntity | Cloud Snapshots | Launch a snapshot scan for a given cloud asset. |
| createDeviceControlPolicies | Device Control Policies | Create Device Control Policies by specifying details about the policy to create |
| CreateDiscoverCloudAzureAccount | D4C Registration | Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access. |
| CreateExportJobsV1 | Recon | Launch asynchronous export job. Use the job ID to poll the status of the job using GET /entities/exports/v1. |
| createFirewallPolicies | Firewall Policies | Create Firewall Policies by specifying details about the policy to create |
| createHostGroups | Host Group | Create Host Groups by specifying details about the group to create |
| createIOAExclusionsV1 | IOA Exclusions | Create the IOA exclusions |
| createMLExclusionsV1 | ML Exclusions | Create the ML exclusions |
| CreateOrUpdateAWSSettings | Cloud Connect AWS | Create or update Global Settings which are applicable to all provisioned AWS accounts |
| createPolicies | Filevantage | Creates a new policy of the specified type. New policies are always added at the end of the precedence list for the provided policy type. |
| CreatePolicies | Image Assessment Policies | Create Image Assessment policies |
| CreatePolicyGroups | Image Assessment Policies | Create Image Assessment Policy Group entities |
| createPreventionPolicies | Prevention Policy | Create Prevention Policies by specifying details about the policy to create |
| CreateRegistryEntities | Falcon Container Image | Create a registry entity using the provided details |
| createRTResponsePolicies | Response Policies | Create Response Policies by specifying details about the policy to create |
| createRuleGroups | Filevantage | Creates a new rule group of the specified type. |
| createRules | Filevantage | Creates a new rule configuration within the specified rule group. |
| CreateRulesV1 | Recon | Create monitoring rules. |
| CreateSavedSearchesDynamicExecuteAltV1 | Foundry Logscale | Execute a dynamic saved search |
| CreateSavedSearchesDynamicExecuteV1 | Foundry Logscale | Execute a dynamic saved search |
| CreateSavedSearchesExecuteAltV1 | Foundry Logscale | Execute a saved search |
| CreateSavedSearchesExecuteV1 | Foundry Logscale | Execute a saved search |
| CreateSavedSearchesIngestAltV1 | Foundry Logscale | Populate a saved search |
| CreateSavedSearchesIngestV1 | Foundry Logscale | Populate a saved search |
| createScheduledExclusions | Filevantage | Creates a new scheduled exclusion configuration for the provided policy id. |
| createSensorUpdatePolicies | Sensor Update Policy | Create Sensor Update Policies by specifying details about the policy to create |
| createSensorUpdatePoliciesV2 | Sensor Update Policy | Create Sensor Update Policies by specifying details about the policy to create with additional support for uninstall protection |
| createSVExclusionsV1 | Sensor Visibility Exclusions | Create the sensor visibility exclusions |
| CreateUser | User Management | Deprecated : Please use POST /user-management/entities/users/v1. Create a new user. After creating a user, assign one or more roles with POST /user-roles/entities/user-roles/v1 |
| createUserGroups | MSSP (Flight Control) | Create new user groups. Name is a required field but description is an optional field. Maximum 500 user groups allowed per customer. |
| createUserV1 | User Management | Create a new user. After creating a user, assign one or more roles with POST '/user-management/entities/user-role-actions/v1' |
| CrowdScore | Incidents | Query environment wide CrowdScore and return the entity data |
| customer_settings_read | Installation Tokens | Check current installation token settings. |
| customer_settings_update | Installation Tokens Settings | Update installation token settings. |
| delete_network_locations | Firewall Management | Delete network location entities by ID. |
| delete_rule_groups | Firewall Management | Delete rule group entities by ID |
| delete_rule_groupsMixin0 | Custom IOA | Delete rule groups by ID. |
| delete_rules | Custom IOA | Delete rules from a rule group by ID. |
| delete_scheduled_scans | ODS | Delete ODS scheduled-scans for the given scheduled-scan ids. |
| DeleteActionV1 | Recon | Delete an action from a monitoring rule based on the action ID. |
| DeleteAWSAccounts | Cloud Connect AWS | Delete a set of AWS Accounts by specifying their IDs |
| DeleteAWSAccountsMixin0 | Kubernetes Protection | Delete AWS accounts. |
| DeleteAzureSubscription | Kubernetes Protection | Deletes a new Azure Subscription in our system |
| deleteCIDGroupMembers | MSSP (Flight Control) | Deprecated : Please use DELETE /entities/cid-group-members/v2. Delete CID group members. |
| deleteCIDGroupMembersV2 | MSSP (Flight Control) | Delete CID group members. Prevents removal of a cid group a cid group if it is only part of one cid group. |
| deleteCIDGroups | MSSP (Flight Control) | Delete CID groups by ID. |
| DeleteCSPMAwsAccount | CSPM Registration | Deletes an existing AWS account or organization in our system. |
| DeleteCSPMAzureAccount | CSPM Registration | Deletes an Azure subscription from the system. |
| DeleteD4CAwsAccount | D4C Registration | Deletes an existing AWS account or organization in our system. |
| DeleteCSPMAzureManagementGroup | CSPM Registration | Deletes Azure management groups from the system. |
| DeleteCSPMGCPAccount | CSPM Registration | Deletes a GCP account from the system. |
| DeleteD4CGCPAccount | D4C Registration | Deletes a GCP account from the system. |
| deleteDeviceControlPolicies | Device Control Policies | Delete a set of Device Control Policies by specifying their IDs |
| deletedRoles | MSSP (Flight Control) | Delete links or additional roles between user groups and CID groups. User group ID and CID group ID have to be specified in request. Only specified roles are removed if specified in request payload, else association between User Group and CID group is dissolved completely (if no roles specified). |
| DeleteExportJobsV1 | Recon | Delete export jobs (and their associated file(s)) based on their IDs. |
| deleteFirewallPolicies | Firewall Policies | Delete a set of Firewall Policies by specifying their IDs |
| deleteHostGroups | Host Group | Delete a set of Host Groups by specifying their IDs |
| deleteIOAExclusionsV1 | IOA Exclusions | Delete the IOA exclusions by id |
| deleteMLExclusionsV1 | ML Exclusions | Delete the ML exclusions by id |
| DeleteNotificationsV1 | Recon | Delete notifications based on IDs. Notifications cannot be recovered after they are deleted. |
| DeleteObject | Custom Storage | Delete the specified object |
| deletePolicies | Filevantage | Deletes 1 or more policies. |
| DeletePolicy | Image Assessment Policies | Delete Image Assessment Policy by policy UUID |
| DeletePolicyGroup | Image Assessment Policies | Delete Image Assessment Policy Group entities |
| deletePreventionPolicies | Prevention Policy | Delete a set of Prevention Policies by specifying their IDs |
| DeleteRegistryEntities | Falcon Container Image | Delete the registry entity identified by the entity UUID |
| DeleteReport | Falcon Intelligence Sandbox | Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint. |
| deleteRTResponsePolicies | Response Policies | Delete a set of Response Policies by specifying their IDs |
| deleteRuleGroups | Filevantage | Deletes 1 or more rule groups |
| deleteRules | Filevantage | Deletes 1 or more rules from the specified rule group. |
| DeleteRulesV1 | Recon | Delete monitoring rules. |
| DeleteSampleV2 | Falcon Intelligence Sandbox | Removes a sample, including file, meta and submissions from the collection |
| DeleteSampleV3 | Sample Uploads | Removes a sample, including file, meta and submissions from the collection |
| deleteScheduledExclusions | Filevantage | Deletes 1 or more scheduled exclusions from the provided policy id. |
| deleteSensorUpdatePolicies | Sensor Update Policy | Delete a set of Sensor Update Policies by specifying their IDs |
| deleteSensorVisibilityExclusionsV1 | Sensor Visibility Exclusions | Delete the sensor visibility exclusions by id |
| DeleteUser | User Management | Deprecated : Please use DELETE /user-management/entities/users/v1. Delete a user permanently |
| deleteUserGroupMembers | MSSP (Flight Control) | Delete user group members entry. |
| deleteUserGroups | MSSP (Flight Control) | Delete user groups by ID. |
| deleteUserV1 | User Management | Delete a user permanently. |
| DevicesCount | IOCs | Number of hosts in your customer account that have observed a given custom IOC |
| DevicesRanOn | IOCs | Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1 |
| DiscoverCloudAzureDownloadCertificate | D4C Registration | Returns JSON object(s) that contain the base64 encoded certificate for a service principal. |
| DownloadSensorInstallerById | Sensor Download | Download sensor installer by SHA256 ID |
| DownloadSensorInstallerByIdV2 | Sensor Download | Download sensor installer by SHA256 ID |
| entities_perform_action | Hosts | Performs the specified action on the provided group IDs. |
| entities_processes | IOCs | For the provided ProcessID retrieve the process details |
| entities_vertices_get | ThreatGraph | Retrieve metadata for a given vertex ID |
| entities_vertices_getv2 | ThreatGraph | Retrieve metadata for a given vertex ID |
| entitiesRolesV1 | User Management | Get info about a role |
| ExecuteCommand | API Integrations | Execute a command. |
| ExtractionCreateV1 | Sample Uploads | Extracts files from an uploaded archive and copies them to internal storage making it available for content analysis. |
| ExtractionGetV1 | Sample Uploads | Retrieves the files extraction operation statuses. Status done means that all files were processed successfully. Status error means that at least one of the file could not be processed. |
| ExtractionListV1 | Sample Uploads | Retrieves the files extractions in chunks. Status done means that all files were processed successfully. Status error means that at least one of the file could not be processed. |
| fdrschema_combined_event_get | Event Schema | Fetch combined schema |
| fdrschema_entities_event_get | Event Schema | Fetch event schema by ID |
| fdrschema_entities_field_get | Field Schema | Fetch field schema by ID |
| fdrschema_queries_event_get | Event Schema | Get list of event IDs given a particular query. |
| fdrschema_queries_field_get | Field Schema | Get list of field IDs given a particular query. |
| FindContainersByContainerRunTimeVersion | Kubernetes Protection | Retrieve containers by container_runtime_version |
| FindContainersCountAffectedByZeroDayVulnerabilities | Kubernetes Protection | Retrieve containers count affected by zero day vulnerabilities |
| get_accounts | Discover | Get details on accounts by providing one or more IDs. |
| get_applications | Discover | Get details on applications by providing one or more IDs. |
| get_events | Firewall Management | Get events entities by ID and optionally version |
| get_firewall_fields | Firewall Management | Get the firewall field specifications by ID |
| get_hosts | Discover | Get details on assets by providing one or more IDs. |
| get_iot_hosts | Discover | Get details on IoT assets by providing one or more IDs. |
| get_logins | Discover | Get details on logins by providing one or more IDs. |
| get_malicious_files_by_ids | ODS | Get malicious files by ids. |
| get_network_locations | Firewall Management | Get a summary of network locations entities by ID |
| get_network_locations_details | Firewall Management | Get network locations entities by ID |
| get_patterns | Custom IOA | Get pattern severities by ID. |
| get_platforms | Firewall Management | Get platforms by ID, e.g., windows or mac or droid |
| get_platformsMixin0 | Custom IOA | Get platforms by ID. |
| get_policy_containers | Firewall Management | Get policy container entities by policy ID |
| get_rule_groups | Firewall Management | Get rule group entities by ID. These groups do not contain their rule entites, just the rule IDs in precedence order. |
| get_rule_groupsMixin0 | Custom IOA | Get rule groups by ID. |
| get_rule_types | Custom IOA | Get rule types by ID. |
| get_rules | Firewall Management | Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string) |
| get_rules_get | Custom IOA | Get rules by ID and optionally with cid and/or version in the following format: [cid:]ID[:version]. |
| get_rulesMixin0 | Custom IOA | Get rules by ID and optionally with cid and/or version in the following format: [cid:]ID[:version]. The max number of IDs is constrained by URL size. |
| get_scan_host_metadata_by_ids | ODS | Get scan hosts by ids. |
| get_scans_by_scan_ids | ODS | Get Scans by IDs. |
| get_scans_by_scan_ids_v2 | ODS | Get Scans by IDs. |
| get_scheduled_scans_by_scan_ids | ODS | Get ScheduledScans by IDs. |
| GetActionsV1 | Recon | Get actions based on their IDs. IDs can be retrieved using the GET /queries/actions/v1 endpoint. |
| getActionsMixin0 | FileVantage | Retrieve the processing results for one or more actions. |
| GetAggregateDetects | Detects | Get detect aggregates as specified via json in request body. |
| GetAggregateFiles | Quarantine | Get quarantine file aggregates as specified via json in request body. |
| GetArtifacts | Falcon Intelligence Sandbox | Download IOC packs, PCAP files, memory dumps, and other analysis artifacts. |
| getAssessmentsByScoreV1 | Zero Trust Assessment | Get Zero Trust Assessment data for one or more hosts by providing a customer ID (CID) and a range of scores. |
| getAssessmentV1 | Zero Trust Assessment | Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID) and a customer ID (CID). |
| getAuditV1 | Zero Trust Assessment | Get the Zero Trust Assessment audit report for one customer ID (CID). |
| GetAvailableRoleIds | User Management | Deprecated : Please use GET /user-management/queries/roles/v1. Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /customer/entities/roles/v1. |
| GetAWSAccounts | Cloud Connect AWS | Retrieve a set of AWS Accounts by specifying their IDs |
| GetAWSAccountsMixin0 | Kubernetes Protection | Provides a list of AWS accounts. |
| GetAWSSettings | Cloud Connect AWS | Retrieve a set of Global Settings which are applicable to all provisioned AWS accounts |
| GetAzureInstallScript | Kubernetes Protection | Provides the script to run for a given tenant id and subscription IDs |
| GetAzureTenantConfig | Kubernetes Protection | Gets the Azure tenant Config |
| GetAzureTenantIDs | Kubernetes Protection | Provides all the azure subscriptions and tenants |
| GetBehaviorDetections | CSPM Registration | Get list of detected behaviors |
| GetBehaviors | Incidents | Get details on behaviors by providing behavior IDs |
| GetCaseActivityByIds | Message Center | Retrieve activities for given id's |
| GetCaseEntitiesByIDs | Message Center | Retrieve message center cases |
| getChanges | Filevantage | Retrieve information on changes |
| getChildren | MSSP (Flight Control) | Get link to child customer by child CID(s) |
| getChildrenV2 | MSSP (Flight Control) | Get link to child customer by child CID(s) |
| getCIDGroupById | MSSP (Flight Control) | Deprecated : Please use GET /mssp/entities/cid-groups/v2. Get CID groups by ID. |
| getCIDGroupByIdV2 | MSSP (Flight Control) | Get CID Groups by ID. |
| getCIDGroupMembersBy | MSSP (Flight Control) | Deprecated : Please use GET /mssp/entities/cid-group-members/v2. Get CID group members by CID group ID. |
| getCIDGroupMembersByV2 | MSSP (Flight Control) | Get CID group members by CID Group ID. |
| GetClusters | Kubernetes Protection | Provides the clusters acknowledged by the Kubernetes Protection service |
| getCombinedAssessmentsQuery | Configuration Assessment | Search for assessments in your environment by providing a FQL filter and paging details. Returns a set of HostFinding entities which match the filter criteria |
| GetCombinedCloudClusters | Kubernetes Protection | Returns a combined list of provisioned cloud accounts and known kubernetes clusters |
| GetCombinedImages | Container Images | Get image assessment results by providing a FQL filter and paging details |
| GetCombinedPluginConfigs | API Integrations | Queries for config resources and returns details |
| GetCombinedSensorInstallersByQuery | Sensor Download | Get sensor installer details by provided query |
| GetCombinedSensorInstallersByQueryV2 | Sensor Download | Get sensor installer details by provided query |
| GetConfigurationDetectionEntities | CSPM Registration | Get misconfigurations based on the ID - including custom policy detections in addition to default policy detections. |
| GetConfigurationDetectionIDsV2 | CSPM Registration | Get list of active misconfiguration ids - including custom policy detections in addition to default policy detections. |
| GetConfigurationDetections | CSPM Registration | Get list of active misconfigurations |
| getContents | FileVantage | Retrieves the content captured for the provided change ID. |
| GetCredentials | Falcon Container | Gets the registry credentials |
| GetCredentialsMixin0 | Provision | Gets the registry credentials |
| GetCSPMAwsAccount | CSPM Registration | Returns information about the current status of an AWS account. |
| GetCSPMAwsAccountScriptsAttachment | CSPM Registration | Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment. |
| GetCSPMAwsConsoleSetupURLs | CSPM Registration | Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment. |
| GetCSPMAzureAccount | CSPM Registration | Return information about Azure account registration |
| GetCSPMAzureManagementGroup | CSPM Registration | Return information about Azure management group registration |
| CreateCSPMAzureManagementGroup | CSPM Registration | Creates a new management group in our system for a customer. |
| GetCSPMAzureUserScriptsAttachment | CSPM Registration | Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment |
| GetCSPMCGPAccount | CSPM Registration | Returns information about the current status of an GCP account. |
| GetCSPMGCPServiceAccountsExt | CSPM Registration | Returns the service account id and client email for external clients. |
| GetCSPMGCPValidateAccountsExt | CSPM Registration | Run a synchronous health check. |
| GetCSPMGCPUserScriptsAttachment | CSPM Registration | Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment |
| GetCSPMPoliciesDetails | CSPM Registration | Given an array of policy IDs, returns detailed policies information. |
| GetCSPMPolicy | CSPM Registration | Given a policy ID, returns detailed policy information. |
| GetCSPMPolicySettings | CSPM Registration | Returns information about current policy settings. |
| GetCSPMScanSchedule | CSPM Registration | Returns scan schedule configuration for one or more cloud platforms. |
| GetD4CAwsAccount | D4C Registration | Returns information about the current status of an AWS account. |
| GetD4CAWSAccountScriptsAttachment | D4C Registration | Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment. |
| GetD4CAwsConsoleSetupURLs | D4C Registration | Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment. |
| GetD4CCGPAccount | D4C Registration | Returns information about the current status of an GCP account. |
| GetD4CGCPUserScripts | D4C Registration | Return a script for customer to run in their cloud environment to grant us access to their GCP environment |
| GetD4CGCPServiceAccountsExt | D4C Registration | Returns the service account id and client email for external clients. |
| GetD4CGCPUserScriptsAttachment | D4C Registration | Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment |
| getDefaultDeviceControlPolicies | Device Control Policies | Retrieve the configuration for a Default Device Control Policy |
| GetDetectSummaries | Detects | View information about detections |
| getDeviceControlPolicies | Device Control Policies | Retrieve a set of Device Control Policies by specifying their IDs |
| GetDeviceCountCollectionQueriesByFilter | Falcon Complete Dashboard | Retrieve device count collection Ids that match the provided FQL filter, criteria with scrolling enabled |
| GetDeviceDetailsV2 | Hosts | Get details on one or more hosts by providing host IDs as a query parameter. Supports up to a maximum 100 IDs. |
| GetDiscoverCloudAzureAccount | D4C Registration | Return information about Azure account registration |
| GetDiscoverCloudAzureTenantIDs | D4C Registration | Return available tenant ids for discover for cloud |
| GetDiscoverCloudAzureUserScripts | D4C Registration | Return a script for customer to run in their cloud environment to grant us access to their Azure environment |
| GetDiscoverCloudAzureUserScriptsAttachment | D4C Registration | Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment |
| GetDriftIndicatorsValuesByDate | Drift Indicators | Returns the count of Drift Indicators by the date. by default it's for 7 days. |
| getEvaluationLogic | Spotlight Evaluation Logic | Get details on evaluation logic items by providing one or more IDs. |
| getEvaluationLogicMixin0 | Configuration Assessment Evaluation Logic | Get details on evaluation logic items by providing one or more finding IDs. |
| GetEventsBody | Tailored Intelligence | Get event body for the provided event ID |
| GetEventsEntities | Tailored Intelligence | Get events entities for specified ids. |
| GetExportJobsV1 | Recon | Get the status of export jobs based on their IDs. Export jobs can be launched by calling POST /entities/exports/v1. When a job is complete, use the job ID to download the file(s) associated with it using GET entities/export-files/v1. |
| get_external_assets | Exposure Management | Get details on external assets by providing one or more IDs. |
| GetFileContentForExportJobsV1 | Recon | Download the file associated with a job ID. |
| getFirewallPolicies | Firewall Policies | Retrieve a set of Firewall Policies by specifying their IDs |
| GetHelmValuesYaml | Kubernetes Protection | Provides a sample Helm values.yaml file for a customer to install alongside the agent Helm chart |
| GetHorizonD4CScripts | D4C Registration | Returns static install scripts for Horizon. |
| getHostGroups | Host Group | Retrieve a set of Host Groups by specifying their IDs |
| GetIncidents | Incidents | Get details on incidents by providing incident IDs |
| GetIndicatorsReport | IOC | Launch an indicators report creation job |
| GetIntelActorEntities | Intel | Retrieve specific actors using their actor IDs. |
| GetIntelIndicatorEntities | Intel | Retrieve specific indicators using their indicator IDs. |
| GetIntelReportEntities | Intel | Retrieve specific reports using their report IDs. |
| GetIntelReportPDF | Intel | Return a Report PDF attachment |
| GetIntelRuleEntities | Intel | Retrieve details for rule sets for the specified ids. |
| GetIntelRuleFile | Intel | Download earlier rule sets. |
| getIOAExclusionsV1 | IOA Exclusions | Get a set of IOA Exclusions by specifying their IDs |
| GetLatestIntelRuleFile | Intel | Download the latest rule set. |
| GetLocations | Kubernetes Protection | Provides the cloud locations acknowledged by the Kubernetes Protection service |
| GetMalQueryDownloadV1 | MalQuery | Download a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time |
| GetMalQueryEntitiesSamplesFetchV1 | MalQuery | Fetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing |
| GetMalQueryMetadataV1 | MalQuery | Retrieve indexed files metadata by their hash |
| GetMalQueryQuotasV1 | MalQuery | Get information about search and download quotas in your environment |
| GetMalQueryRequestV1 | MalQuery | Check the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time. |
| GetMalwareEntities | Intel | Get malware entities for specified IDs. |
| GetMemoryDump | Falcon Intelligence Sandbox | Get memory dump content, as binary |
| GetMemoryDumpExtractedStrings | Falcon Intelligence Sandbox | Get extracted strings from a memory dump |
| GetMemoryDumpHexDump | Falcon Intelligence Sandbox | Get hex view of a memory dump |
| GetMitreReport | Intel | Export Mitre ATT&CK information for a given actor. |
| getMLExclusionsV1 | ML Exclusions | Get a set of ML Exclusions by specifying their IDs |
| GetNotificationsDetailedTranslatedV1 | Recon | Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.This endpoint will return translated notification content. The only target language available is English. A single notification can be translated per request |
| GetNotificationsDetailedV1 | Recon | Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match. |
| GetNotificationsExposedDataRecordsV1 | Recon | Get notifications exposed data records based on their IDs. IDs can be retrieved using the GET /queries/notifications-exposed-data-records/v1 endpoint. The associate notification can be fetched using the /entities/notifications/v* endpoints |
| GetNotificationsTranslatedV1 | Recon | Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. This endpoint will return translated notification content. The only target language available is English. |
| GetNotificationsV1 | Recon | Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. |
| GetObject | Custom Storage | Get the bytes for the specified object |
| GetObjectMetadata | Custom Storage | Get the metadata for the specified object |
| GetOnlineState_V1 | Hosts | Get the online status for one or more hosts by specifying each host’s unique ID. Successful requests return an HTTP 200 response and the status for each host identified by a state of online, offline, or unknown for each host, identified by host id.Make a GET request to /devices/queries/devices/v1 to get a list of host IDs. |
| getPolicies | Filevantage | Retrieves the configuration for 1 or more policies. |
| getPreventionPolicies | Prevention Policy | Retrieve a set of Prevention Policies by specifying their IDs |
| GetQuarantineFiles | Quarantine | Get quarantine file metadata for specified ids. |
| GetQueriesAlertsV1 | Alerts | retrieves all Alerts ids that match a given query |
| GetQueriesAlertsV2 | Alerts | retrieves all Alerts ids that match a given query |
| getRemediationsV2 | Spotlight Vulnerabilities | Get details on remediation by providing one or more IDs |
| GetReports | Falcon Intelligence Sandbox | Get a full sandbox report. |
| GetRoles | User Management | Deprecated : Please use GET /user-management/entities/roles/v1. Get info about a role |
| getRolesByID | MSSP (Flight Control) | Get link between user group and CID group by ID. Link ID is a string consisting of multiple components, but should be treated as opaque. |
| GetRuntimeDetectionsCombinedV2 | Container Detections | Retrieve image assessment detections identified by the provided filter criteria. |
| getRTResponsePolicies | Response Policies | Retrieve a set of Response Policies by specifying their IDs |
| getRuleDetails | Configuration Assessment | Get rules details for provided one or more rule IDs |
| getRuleGroups | Filevantage | Retrieves the rule group details for 1 or more rule groups. |
| getRules | Filevantage | Retrieves the configuration for 1 or more rules. |
| GetRulesEntities | Tailored Intelligence | Get rules entities for specified ids. |
| GetRulesV1 | Recon | Get monitoring rules based on their IDs. IDs can be retrieved using the GET /queries/rules/v1 endpoint. |
| GetSampleV2 | Falcon Intelligence Sandbox | Retrieves the file associated with the given ID (SHA256) |
| GetSampleV3 | Sample Uploads | Retrieves the file associated with the given ID (SHA256) |
| GetSavedSearchesExecuteAltV1 | Foundry Logscale | Get the results of a saved search |
| GetSavedSearchesExecuteV1 | Foundry Logscale | Get the results of a saved search |
| GetSavedSearchesJobResultsDownloadAltV1 | Foundry Logscale | Get the results of a saved search as a file |
| GetSavedSearchesJobResultsDownloadV1 | Foundry Logscale | Get the results of a saved search as a file |
| GetScans | Quick Scan | Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute |
| GetScansAggregates | Quick Scan | Get scans aggregations as specified via json in request body. |
| GetScanReport | Cloud Snapshots | Retrieve the scan report for an instance. |
| getScheduledExclusions | Filevantage | Retrieves the configuration of 1 or more scheduled exclusions from the provided policy id. |
| GetSensorAggregates | Identity Entities | Get sensor aggregates as specified via json in request body. |
| GetSensorDetails | Identity Entities | Get details on one or more sensors by providing device IDs in a POST body. Supports up to a maximum of 5000 IDs. |
| GetSensorInstallersByQuery | Sensor Download | Get sensor installer IDs by provided query |
| GetSensorInstallersByQueryV2 | Sensor Download | Get sensor installer IDs by provided query |
| GetSensorInstallersCCIDByQuery | Sensor Download | Get CCID to use with sensor installers |
| GetSensorInstallersEntities | Sensor Download | Get sensor installer details by provided SHA256 IDs |
| GetSensorInstallersEntitiesV2 | Sensor Download | Get sensor installer details by provided SHA256 IDs |
| getSensorUpdatePolicies | Sensor Update Policy | Retrieve a set of Sensor Update Policies by specifying their IDs |
| getSensorUpdatePoliciesV2 | Sensor Update Policy | Retrieve a set of Sensor Update Policies with additional support for uninstall protection by specifying their IDs |
| getSensorVisibilityExclusionsV1 | Sensor Visibility Exclusions | Get a set of Sensor Visibility Exclusions by specifying their IDs |
| GetStaticScripts | Kubernetes Protection | Gets static bash scripts that are used during registration |
| GetSubmissions | Falcon Intelligence Sandbox | Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. |
| GetSummaryReports | Falcon Intelligence Sandbox | Get a short summary version of a sandbox report. |
| getUserGroupMembersByID | MSSP (Flight Control) | Deprecated : Please use GET /mssp/entities/user-group-members/v2. Get user group members by user group ID. |
| getUserGroupMembersByIDV2 | MSSP (Flight Control) | Get user group members by user group ID. |
| getUserGroupsByID | MSSP (Flight Control) | Deprecated : Please use GET /entities/user-groups/v2. Get user groups by ID. |
| getUserGroupsByIDV2 | MSSP (Flight Control) | Get user groups by ID. |
| GetUserRoleIds | User Management | Deprecated : Please use GET /user-management/combined/user-roles/v1. Show role IDs of roles assigned to a user. For more information on each role, provide the role ID to /customer/entities/roles/v1. |
| GetVulnerabilities | Intel | Get vulnerabilities |
| getVulnerabilities | Spotlight Vulnerabilities | Get details on vulnerabilities by providing one or more IDs |
| GrantUserRoleIds | User Management | Deprecated : Please use POST /user-management/entities/user-role-actions/v1. Assign one or more roles to a user |
| GroupContainersByManaged | Kubernetes Protection | Group the containers by Managed |
| highVolumeQueryChanges | Filevantage | Returns 1 or more change ids |
| indicator_aggregate_v1 | IOC | Get Indicators aggregates as specified via json in the request body. |
| indicator_combined_v1 | IOC | Get Combined for Indicators. |
| indicator_create_v1 | IOC | Create Indicators. |
| indicator_delete_v1 | IOC | Delete Indicators by ids. |
| indicator_get_device_count_v1 | IOC | Get the number of devices the indicator has run on |
| indicator_get_devices_ran_on_v1 | IOC | Get the IDs of devices the indicator has run on |
| indicator_get_processes_ran_on_v1 | IOC | Get the number of processes the indicator has run on |
| indicator_get_v1 | IOC | Get Indicators by ids. |
| indicator_search_v1 | IOC | Search for Indicators. |
| indicator_update_v1 | IOC | Update Indicators. |
| IngestDataV1 | Foundry Logscale | Ingest data into the application repository |
| IngestDataAsyncV1 | Foundry Logscale | Ingest data into the application repository asynchronously |
| ioc_type_query_v1 | IOC | Query IOC Types. |
| listAvailableStreamsOAuth2 | Event Streams | Discover all event streams in your environment |
| ListAzureAccounts | Kubernetes Protection | Provides the azure subscriptions registered to Kubernetes Protection |
| ListObjects | Custom Storage | List the object keys in the specified collection in alphabetical order |
| ListReposV1 | Foundry Logscale | Lists available repositories and views |
| ListViewV1 | Foundry Logscale | List views |
| oauth2AccessToken | OAuth2 | Generate an OAuth2 access token |
| oauth2RevokeToken | OAuth2 | Revoke a previously issued OAuth2 access token before the end of its standard 30-minute lifespan. |
| PatchAzureServicePrincipal | Kubernetes Protection | Adds the client ID for the given tenant ID to our system |
| PatchCSPMAwsAccount | CSPM Registration | Patches a existing account in our system for a customer. |
| PatchEntitiesAlertsV2 | Alerts | Perform actions on detections identified by detection ID(s) in request. Each action has a name and a description which describes what the action does. If a request adds and removes tag in a single request, the order of processing would be to remove tags before adding new ones in. |
| PatchEntitiesAlertsV3 | Alerts | Perform actions on detections identified by detection ID(s) in request. Each action has a name and a description which describes what the action does. If a request adds and removes tag in a single request, the order of processing would be to remove tags before adding new ones in. |
| patch_external_assets | Exposure Management | Update the details of external assets. |
| PerformActionV2 | Hosts | Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host. |
| performDeviceControlPoliciesAction | Device Control Policies | Perform the specified action on the Device Control Policies specified in the request |
| performFirewallPoliciesAction | Firewall Policies | Perform the specified action on the Firewall Policies specified in the request |
| performGroupAction | Host Group | Perform the specified action on the Host Groups specified in the request |
| PerformIncidentAction | Incidents | Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description |
| performPreventionPoliciesAction | Prevention Policy | Perform the specified action on the Prevention Policies specified in the request |
| performRTResponsePoliciesAction | Response Policies | Perform the specified action on the Response Policies specified in the request |
| performSensorUpdatePoliciesAction | Sensor Update Policy | Perform the specified action on the Sensor Update Policies specified in the request |
| platform_query_v1 | IOC | Query Platforms. |
| PostAggregatesAlertsV1 | Alerts | retrieves aggregate values for Alerts across all CIDs |
| PostAggregatesAlertsV2 | Alerts | retrieves aggregate values for Alerts across all CIDs |
| PostDeviceDetailsV2 | Hosts | Get details on one or more hosts by providing host IDs in a POST body. Supports up to a maximum 5000 IDs. |
| PostEntitiesAlertsV1 | Alerts | retrieves all Alerts given their ids |
| PostEntitiesAlertsV2 | Alerts | retrieves all Alerts given their composite ids |
| PostMalQueryEntitiesSamplesMultidownloadV1 | MalQuery | Schedule samples for download. Use the result id with the /request endpoint to check if the download is ready after which you can call the /entities/samples-fetch to get the zip |
| PostMalQueryExactSearchV1 | MalQuery | Search Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. You can filter results on criteria such as file type, file size and first seen date. Returns a request id which can be used with the /request endpoint |
| PostMalQueryFuzzySearchV1 | MalQuery | Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. |
| PostMalQueryHuntV1 | MalQuery | Schedule a YARA-based search for execution. Returns a request id which can be used with the /request endpoint |
| PostMitreAttacks | Intel | Retrieves report and observable IDs associated with the given actor and attacks |
| PreviewRuleV1 | Recon | Preview rules notification count and distribution. This will return aggregations on: channel, count, site. |
| ProcessesRanOn | IOCs | Search for processes associated with a custom IOC |
| ProvisionAWSAccounts | Cloud Connect AWS | Provision AWS Accounts by specifying details about the accounts to provision |
| PutObject | Custom Storage | Put the specified new object at the given key or overwrite an existing object at the given key |
| queries_edgetypes_get | ThreatGraph | Show all available edge types |
| queriesRolesV1 | User Management | Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /user-management/entities/roles/v1. |
| query_accounts | Discover | Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of account IDs which match the filter criteria. |
| query_applications | Discover | Search for applications in your environment by providing a FQL filter and paging details. returns a set of application IDs which match the filter criteria. |
| query_events | Firewall Management | Find all event IDs matching the query with filter |
| query_firewall_fields | Firewall Management | Get the firewall field specification IDs for the provided platform |
| query_hosts | Discover | Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
| query_iot_hosts | Discover | Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
| query_iot_hosts_v2 | Discover | Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria. |
| query_logins | Discover | Search for logins in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of login IDs which match the filter criteria. |
| query_malicious_files | ODS | Query malicious files. |
| query_network_locations | Firewall Management | Get a list of network location IDs |
| query_patterns | Custom IOA | Get all pattern severity IDs. |
| query_platforms | Firewall Management | Get the list of platform names |
| query_platformsMixin0 | Custom IOA | Get all platform IDs. |
| query_policy_rules | Firewall Management | Find all firewall rule IDs matching the query with filter, and return them in precedence order |
| query_rule_groups | Firewall Management | Find all rule group IDs matching the query with filter |
| query_rule_groups_full | Custom IOA | Find all rule groups matching the query with optional filter. |
| query_rule_groupsMixin0 | Custom IOA | Finds all rule group IDs matching the query with optional filter. |
| query_rule_types | Custom IOA | Get all rule type IDs. |
| query_rules | Firewall Management | Find all rule IDs matching the query with filter |
| query_rulesMixin0 | Custom IOA | Finds all rule IDs matching the query with optional filter. |
| query_scan_host_metadata | ODS | Query scan hosts. |
| query_scans | ODS | Query Scans. |
| query_scheduled_scans | ODS | Query ScheduledScans. |
| QueryActionsV1 | Recon | Query actions based on provided criteria. Use the IDs from this response to get the action entities on GET /entities/actions/v1. |
| queryActionsMixin0 | FileVantage | Returns one or more action IDs. |
| QueryActivityByCaseID | Message Center | Retrieve activities id's for a case |
| QueryAlertIdsByFilter | Falcon Complete Dashboard | Retrieve Alerts Ids that match the provided FQL filter criteria with scrolling enabled |
| QueryAllowListFilter | Falcon Complete Dashboard | Retrieve allowlist tickets that match the provided filter criteria with scrolling enabled |
| QueryAWSAccounts | Cloud Connect AWS | Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria |
| QueryAWSAccountsForIDs | Cloud Connect AWS | Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria |
| QueryBehaviors | Incidents | Search for behaviors by providing a FQL filter, sorting, and paging details |
| QueryBlockListFilter | Falcon Complete Dashboard | Retrieve block listtickets that match the provided filter criteria with scrolling enabled |
| QueryCasesIdsByFilter | Message Center | Retrieve case id's that match the provided filter criteria |
| queryChanges | Filevantage | Returns 1 or more change ids |
| queryChildren | MSSP (Flight Control) | Query for customers linked as children |
| queryCIDGroupMembers | MSSP (Flight Control) | Query a CID groups members by associated CID. |
| queryCIDGroups | MSSP (Flight Control) | Query CID groups. |
| queryCombinedDeviceControlPolicies | Device Control Policies | Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policies which match the filter criteria |
| queryCombinedDeviceControlPolicyMembers | Device Control Policies | Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
| queryCombinedFirewallPolicies | Firewall Policies | Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policies which match the filter criteria |
| queryCombinedFirewallPolicyMembers | Firewall Policies | Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
| queryCombinedGroupMembers | Host Group | Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
| queryCombinedHostGroups | Host Group | Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Groups which match the filter criteria |
| queryCombinedPreventionPolicies | Prevention Policy | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria |
| queryCombinedPreventionPolicyMembers | Prevention Policy | Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
| queryCombinedRTResponsePolicies | Response Policies | Search for Response Policies in your environment by providing a FQL filter and paging details. Returns a set of Response Policies which match the filter criteria |
| queryCombinedRTResponsePolicyMembers | Response Policies | Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
| queryCombinedSensorUpdateBuilds | Sensor Update Policy | Retrieve available builds for use with Sensor Update Policies |
| queryCombinedSensorUpdateKernels | Sensor Update Policy | Retrieve kernel compatibility info for Sensor Update Builds |
| queryCombinedSensorUpdatePolicies | Sensor Update Policy | Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria |
| queryCombinedSensorUpdatePoliciesV2 | Sensor Update Policy | Search for Sensor Update Policies with additional support for uninstall protection in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria |
| queryCombinedSensorUpdatePolicyMembers | Sensor Update Policy | Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria |
| QueryDetectionIdsByFilter | Falcon Complete Dashboard | Retrieve DetectionsIds that match the provided FQL filter, criteria with scrolling enabled |
| QueryDetects | Detects | Search for detection IDs that match a given query |
| queryDeviceControlPolicies | Device Control Policies | Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policy IDs which match the filter criteria |
| queryDeviceControlPolicyMembers | Device Control Policies | Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
| QueryDeviceLoginHistory | Hosts | Retrieve details about recent login sessions for a set of devices. |
| QueryDeviceLoginHistoryV2 | Hosts | Retrieve details about recent interactive login sessions for a set of devices powered by the Host Timeline. A max of 10 device ids can be specified |
| QueryDevicesByFilter | Hosts | Search for hosts in your environment by platform, hostname, IP, and other criteria. |
| QueryDevicesByFilterScroll | Hosts | Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit) |
| QueryEscalationsFilter | Falcon Complete Dashboard | Retrieve escalation tickets that match the provided filter criteria with scrolling enabled |
| queryEvaluationLogic | Spotlight Evaluation Logic | Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic IDs which match the filter criteria. |
| QueryEvents | Tailored Intelligence | Get events ids that match the provided filter criteria. |
| query_external_assets | Exposure Management | Get a list of external asset IDs that match the provided filter conditions. Use these IDs with the blob_download_external_assets, blob_preview_external_assets and get_external_assets endpoints |
| queryFirewallPolicies | Firewall Policies | Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policy IDs which match the filter criteria |
| queryFirewallPolicyMembers | Firewall Policies | Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
| QueryGetNetworkAddressHistoryV1 | Hosts | Retrieve history of IP and MAC addresses of devices. |
| queryGroupMembers | Host Group | Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
| QueryHiddenDevices | Hosts | Retrieve hidden hosts that match the provided filter criteria. |
| queryHostGroups | Host Group | Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Group IDs which match the filter criteria |
| QueryIncidentIdsByFilter | Falcon Complete Dashboard | Retrieve incidents that match the provided filter criteria with scrolling enabled |
| QueryIncidents | Incidents | Search for incidents by providing a FQL filter, sorting, and paging details |
| QueryIntelActorEntities | Intel | Get info about actors that match provided FQL filters. |
| QueryIntelActorIds | Intel | Get actor IDs that match provided FQL filters. |
| QueryIntelIndicatorEntities | Intel | Get info about indicators that match provided FQL filters. |
| QueryIntelIndicatorIds | Intel | Get indicators IDs that match provided FQL filters. |
| QueryIntelReportEntities | Intel | Get info about reports that match provided FQL filters. |
| QueryIntelReportIds | Intel | Get report IDs that match provided FQL filters. |
| QueryIntelRuleIds | Intel | Search for rule IDs that match provided filter criteria. |
| queryIOAExclusionsV1 | IOA Exclusions | Search for IOA exclusions. |
| QueryMalware | Intel | Get malware family names that match provided FQL filters. |
| QueryMitreAttacksForMalware | Intel | Gets MITRE tactics and techniques for the given malware. |
| QueryMitreAttacks | Intel | Gets MITRE tactics and techniques for the given actor, returning concatenation of id and tactic and technique ids, example: fancy-bear_TA0011_T1071 |
| queryMLExclusionsV1 | ML Exclusions | Search for ML exclusions. |
| QueryNotificationsExposedDataRecordsV1 | Recon | Query notifications exposed data records based on provided criteria. Use the IDs from this response to get the notification +entities on GET /entities/notifications-exposed-data-records/v1 |
| QueryNotificationsV1 | Recon | Query notifications based on provided criteria. Use the IDs from this response to get the notification +entities on GET /entities/notifications/v1, GET /entities/notifications-detailed/v1, +GET /entities/notifications-translated/v1 or GET /entities/notifications-detailed-translated/v1. |
| queryPolicies | Filevantage | Retrieve the ids of all policies that are assigned the provided policy type. |
| queryPreventionPolicies | Prevention Policy | Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policy IDs which match the filter criteria |
| queryPreventionPolicyMembers | Prevention Policy | Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
| QueryQuarantineFiles | Quarantine | Get quarantine file ids that match the provided filter criteria. |
| QueryRemediationsFilter | Falcon Complete Dashboard | Retrieve remediation tickets that match the provided filter criteria with scrolling enabled |
| QueryReports | Falcon Intelligence Sandbox | Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria. |
| queryRoles | MSSP (Flight Control) | Query links between user groups and CID groups. At least one of CID group ID or user group ID should also be provided. Role ID is optional. |
| queryRTResponsePolicies | Response Policies | Search for Response Policies in your environment by providing a FQL filter with sort and/or paging details. This returns a set of Response Policy IDs that match the given criteria. |
| queryRTResponsePolicyMembers | Response Policies | Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
| queryRuleGroups | Filevantage | Retrieve the ids of all rule groups that are of the provided rule group type. |
| QueryRules | Tailored Intelligence | Get rules ids that match the provided filter criteria. |
| QueryRulesV1 | Recon | Query monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on /entities/rules/v1. |
| QuerySampleV1 | Falcon Intelligence Sandbox | Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200 |
| queryScheduledExclusions | Filevantage | Retrieve the ids of all scheduled exclusions contained within the provided policy id. |
| QuerySensorsByFilter | Identity Entities | Search for sensors in your environment by hostname, IP, and other criteria. |
| querySensorUpdateKernelsDistinct | Sensor Update Policy | Retrieve kernel compatibility info for Sensor Update Builds |
| querySensorUpdatePolicies | Sensor Update Policy | Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policy IDs which match the filter criteria |
| querySensorUpdatePolicyMembers | Sensor Update Policy | Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria |
| querySensorVisibilityExclusionsV1 | Sensor Visibility Exclusions | Search for sensor visibility exclusions. |
| QuerySubmissions | Falcon Intelligence Sandbox | Find submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria. |
| QuerySubmissionsMixin0 | Quick Scan | Find IDs for submitted scans by providing a FQL filter and paging details. Returns a set of volume IDs that match your criteria. |
| queryUserGroupMembers | MSSP (Flight Control) | Query user group member by user UUID. |
| queryUserGroups | MSSP (Flight Control) | Query user groups. |
| queryUserV1 | User Management | List user IDs for all users in your customer account. For more information on each user, provide the user ID to /user-management/entities/users/GET/v1. |
| QueryVulnerabilities | Intel | Get vulnerabilities IDs |
| queryVulnerabilities | Spotlight Vulnerabilities | Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria |
| ReadClusterCombined | Kubernetes Protection | Retrieve kubernetes clusters identified by the provided filter criteria |
| ReadClusterCount | Kubernetes Protection | Retrieve cluster counts |
| ReadClusterEnrichment | Kubernetes Protection | Retrieve cluster enrichment data |
| ReadClustersByDateRangeCount | Kubernetes Protection | Retrieve clusters by date range counts |
| ReadClustersByKubernetesVersionCount | Kubernetes Protection | Bucket clusters by kubernetes version |
| ReadClustersByStatusCount | Kubernetes Protection | Bucket clusters by status |
| ReadCombinedDetections | Container Detections | Retrieve image assessment detections identified by the provided filter criteria |
| ReadCombinedImagesExport | Container Images | Retrieve images with an option to expand aggregated vulnerabilities/detections |
| ReadCombinedVulnerabilities | Container Vulnerabilities | Retrieve vulnerability and aggregate data filtered by the provided FQL |
| ReadCombinedVulnerabilitiesDetails | Container Vulnerabilities | Retrieve vulnerability details related to an image |
| ReadCombinedVulnerabilitiesInfo | Container Vulnerabilities | Retrieve vulnerability and package related info for this customer |
| ReadContainerAlertsCount | Container Alerts | Search Container Alerts by the provided search criteria |
| ReadContainerAlertsCountBySeverity | Container Alerts | Get Container Alert counts by severity |
| ReadContainerCombined | Kubernetes Protection | Retrieve containers identified by the provided filter criteria |
| ReadContainerCount | Kubernetes Protection | Retrieve container counts |
| ReadContainerCountByRegistry | Kubernetes Protection | Retrieve top container image registries |
| ReadContainerImageDetectionsCountByDate | Kubernetes Protection | Retrieve count of image assessment detections on running containers over a period of time |
| ReadContainerImagesByMostUsed | Kubernetes Protection | Bucket container by image-digest |
| ReadContainerImagesByState | Kubernetes Protection | Retrieve count of image states running on containers |
| ReadContainersByDateRangeCount | Kubernetes Protection | Retrieve containers by date range counts |
| ReadContainersSensorCoverage | Kubernetes Protection | Bucket containers by agent type and calculate sensor coverage |
| ReadContainerVulnerabilitiesBySeverityCount | Kubernetes Protection | Retrieve container vulnerabilities by severity counts |
| ReadDeploymentCombined | Kubernetes Protection | Retrieve kubernetes deployments identified by the provided filter criteria |
| ReadDeploymentsCombined | Cloud Snapshots | Search for snapshot jobs identified by the provided filter. |
| ReadDeploymentCount | Kubernetes Protection | Retrieve deployment counts |
| ReadDeploymentsEntities | Cloud Snapshots | Retrieve snapshot jobs identified by the provided IDs. |
| ReadDeploymentsByDateRangeCount | Kubernetes Protection | Retrieve deployments by date range counts |
| ReadDetections | Container Detections | Retrieve image assessment detection entities identified by the provided filter criteria |
| ReadDetectionsCount | Container Detections | Aggregate count of detections |
| ReadDetectionsCountBySeverity | Container Detections | Aggregate counts of detections by severity |
| ReadDetectionsCountByType | Container Detections | Aggregate counts of detections by detection type |
| ReadDistinctContainerImageCount | Kubernetes Protection | Retrieve count of distinct images running on containers |
| ReadDriftIndicatorsCount | Drift Indicators | Returns the total count of Drift indicators over a time period |
| ReadImageVulnerabilities | Falcon Container Cli | Retrieve known vulnerabilities for the provided image |
| ReadKubernetesIomByDateRange | Kubernetes Protection | Returns the count of Kubernetes IOMs by the date. by default it's for 7 days. |
| ReadKubernetesIomCount | Kubernetes Protection | Returns the total count of Kubernetes IOMs over the past seven days |
| ReadKubernetesIomEntities | Kubernetes Protection | Retrieve Kubernetes IOM entities identified by the provided IDs |
| ReadNodeCombined | Kubernetes Protection | Retrieve kubernetes nodes identified by the provided filter criteria |
| ReadNodeCount | Kubernetes Protection | Retrieve node counts |
| ReadNodeEnrichment | Kubernetes Protection | Retrieve node enrichment data |
| ReadNodesByCloudCount | Kubernetes Protection | Bucket nodes by cloud providers |
| ReadNodesByContainerEngineVersionCount | Kubernetes Protection | Bucket nodes by their container engine version |
| ReadNodesByDateRangeCount | Kubernetes Protection | Retrieve nodes by date range counts |
| ReadPackagesByFixableVulnCount | Container Packages | Retrieve top x app packages with the most fixable vulnerabilities |
| ReadPackagesByVulnCount | Container Packages | Retrieve top x packages with the most vulnerabilities |
| ReadPackagesCombined | Container Packages | Retrieve packages identified by the provided filter criteria |
| ReadPackagesCombinedExport | Container Packages | Retrieve packages identified by the provided filter criteria for the purpose of export |
| ReadPackagesCountByZeroDay | Container Packages | Retrieve packages count affected by zero day vulnerabilities |
| ReadPolicies | Image Assessment Policies | Get all Image Assessment policies |
| ReadPolicyExclusions | Image Assessment Policies | Retrieve Image Assessment Policy Exclusion entities |
| ReadPolicyGroups | Image Assessment Policies | Retrieve Image Assessment Policy Group entities |
| ReadPodCombined | Kubernetes Protection | Retrieve kubernetes pods identified by the provided filter criteria |
| ReadPodCount | Kubernetes Protection | Retrieve pod counts |
| ReadPodsByDateRangeCount | Kubernetes Protection | Retrieve pods by date range counts |
| ReadRegistryEntities | Falcon Container Image | Retrieve registry entities identified by the customer id |
| ReadRegistryEntitiesByUUID | Falcon Container Image | Retrieve the registry entity identified by the entity UUID |
| ReadRunningContainerImages | Kubernetes Protection | Retrieve images on running containers |
| ReadUnidentifiedContainersByDateRangeCount | Unidentified Containers | Returns the count of Unidentified Containers over the last 7 days |
| ReadUnidentifiedContainersCount | Unidentified Containers | Returns the total count of Unidentified Containers over a time period |
| ReadVulnerabilitiesByImageCount | Container Vulnerabilities | Retrieve top x vulnerabilities with the most impacted images |
| ReadVulnerabilitiesPublicationDate | Container Vulnerabilities | Retrieve top x vulnerabilities with the most recent publication date |
| ReadVulnerabilityCount | Container Vulnerabilities | Aggregate count of vulnerabilities |
| ReadVulnerabilityCountByActivelyExploited | Container Vulnerabilities | Aggregate count of vulnerabilities grouped by actively exploited |
| ReadVulnerabilityCountByCPSRating | Container Vulnerabilities | Aggregate count of vulnerabilities grouped by csp_rating |
| ReadVulnerabilityCountByCVSSScore | Container Vulnerabilities | Aggregate count of vulnerabilities grouped by cvss score |
| ReadVulnerabilityCountBySeverity | Container Vulnerabilities | Aggregate count of vulnerabilities grouped by severity |
| ReadVulnerableContainerImageCount | Kubernetes Protection | Retrieve count of vulnerable images running on containers |
| refreshActiveStreamSession | Event Streams | Refresh an active event stream. Use the URL shown in a GET /sensors/entities/datafeed/v2 response. |
| RegenerateAPIKey | Kubernetes Protection | Regenerate API key for docker registry integrations |
| RegisterCspmSnapshotAccount | Cloud Snapshots | Register an account for snapshot scanning. |
| report_executions_download_get | Report Executions | Get report entity download |
| report_executions_get | Report Executions | Retrieve report details for the provided report IDs. |
| report_executions_query | Report Executions | Find all report execution IDs matching the query with filter |
| report_executions_retry | Report Executions | This endpoint will be used to retry report executions |
| RequestDeviceEnrollmentV3 | Mobile Enrollment | Trigger on-boarding process for a mobile device |
| RequestDeviceEnrollmentV4 | Mobile Enrollment | Trigger on-boarding process for a mobile device. |
| RetrieveEmailsByCID | User Management | Deprecated : Please use POST /user-management/entities/users/GET/v1. List the usernames (usually an email address) for all users in your customer account |
| retrieveUser | User Management | Deprecated : Please use POST /user-management/entities/users/GET/v1. Get info about a user |
| retrieveUsersGETV1 | User Management | Get info about users including their name, UID and CID by providing user UUIDs |
| RetrieveUserUUID | User Management | Deprecated : Please use GET /user-management/queries/users/v1. Get a user's ID by providing a username (usually an email address) |
| RetrieveUserUUIDsByCID | User Management | Deprecated : Please use GET /user-management/queries/users/v1. List user IDs for all users in your customer account. For more information on each user, provide the user ID to /users/entities/user/v1. |
| revealUninstallToken | Sensor Update Policy | Reveals an uninstall token for a specific device. To retrieve the bulk maintenance token pass the value 'MAINTENANCE' as the value for 'device_id' |
| RevokeUserRoleIds | User Management | Deprecated : Please use POST /user-management/entities/user-role-actions/v1. Revoke one or more roles from a user |
| RTR_AggregateSessions | Real Time Response | Get aggregates on session data. |
| RTR_CheckActiveResponderCommandStatus | Real Time Response | Get status of an executed active-responder command on a single host. |
| RTR_CheckAdminCommandStatus | Real Time Response Admin | Get status of an executed RTR administrator command on a single host. |
| RTR_CheckCommandStatus | Real Time Response | Get status of an executed command on a single host. |
| RTR_CreatePut_Files | Real Time Response Admin | Upload a new put-file to use for the RTR put command. |
| RTR_CreateScripts | Real Time Response Admin | Upload a new custom-script to use for the RTR runscript command. |
| RTR_DeleteFile | Real Time Response | Delete a RTR session file. |
| RTR_DeleteFileV2 | Real Time Response | Delete a RTR session file. |
| RTR_DeletePut_Files | Real Time Response Admin | Delete a put-file based on the ID given. Can only delete one file at a time. |
| RTR_DeleteQueuedSession | Real Time Response | Delete a queued session command |
| RTR_DeleteScripts | Real Time Response Admin | Delete a custom-script based on the ID given. Can only delete one script at a time. |
| RTR_DeleteSession | Real Time Response | Delete a session. |
| RTR_ExecuteActiveResponderCommand | Real Time Response | Execute an active responder command on a single host. |
| RTR_ExecuteAdminCommand | Real Time Response Admin | Execute a RTR administrator command on a single host. |
| RTR_ExecuteCommand | Real Time Response | Execute a command on a single host. |
| RTR_GetExtractedFileContents | Real Time Response | Get RTR extracted file contents for specified session and sha256. |
| RTR_GetFalconScripts | Real Time Response Admin | Get Falcon scripts with metadata and content of script |
| RTR_GetPut_Files | Real Time Response Admin | Get put-files based on the ID's given. These are used for the RTR put command. |
| RTR_GetPut_FilesV2 | Real Time Response Admin | Get put-files based on the ID's given. These are used for the RTR put command. |
| RTR_GetScripts | Real Time Response Admin | Get custom-scripts based on the ID's given. These are used for the RTR runscript command. |
| RTR_GetScriptsV2 | Real Time Response Admin | Get custom-scripts based on the ID's given. These are used for the RTR runscript command. |
| RTR_InitSession | Real Time Response | Initialize a new session with the RTR cloud. |
| RTR_ListAllSessions | Real Time Response | Get a list of session_ids. |
| RTR_ListFalconScripts | Real Time Response Admin | Get a list of Falcon script IDs available to the user to run |
| RTR_ListFiles | Real Time Response | Get a list of files for the specified RTR session. |
| RTR_ListFilesV2 | Real Time Response | Get a list of files for the specified RTR session. |
| RTR_ListPut_Files | Real Time Response Admin | Get a list of put-file ID's that are available to the user for the put command. |
| RTR_ListQueuedSessions | Real Time Response | Get queued session metadata by session ID. |
| RTR_ListScripts | Real Time Response Admin | Get a list of custom-script ID's that are available to the user for the runscript command. |
| RTR_ListSessions | Real Time Response | Get session metadata by session id. |
| RTR_PulseSession | Real Time Response | Refresh a session timeout on a single host. |
| RTR_UpdateScripts | Real Time Response Admin | Upload a new scripts to replace an existing one. |
| RTRAuditSessions | Real Time Response Audit | Get all the RTR sessions created for a customer in a specified duration |
| ScanSamples | Quick Scan | Submit a volume of files for ml scanning. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute |
| schedule_scan | ODS | Create ODS scan and start or schedule scan for the given scan request. |
| scheduled_reports_get | Scheduled Reports | Retrieve scheduled reports for the provided report IDs. |
| scheduled_reports_launch | Scheduled Reports | Launch scheduled reports executions for the provided report IDs. |
| scheduled_reports_query | Scheduled Reports | Find all report IDs matching the query with filter |
| SearchAndReadContainerAlerts | Container Alerts | Search Container Alerts by the provided search criteria |
| SearchAndReadDriftIndicatorEntities | Drift Indicators | Retrieve Drift Indicators by the provided search criteria |
| SearchAndReadKubernetesIomEntities | Kubernetes Protection | Search Kubernetes IOM by the provided search criteria |
| SearchAndReadUnidentifiedContainers | Unidentified Containers | Search Unidentified Containers by the provided search criteria |
| SearchDetections | Container Detections | Retrieve image assessment detection entities identified by the provided filter criteria |
| SearchDriftIndicators | Drift Indicators | Retrieve all drift indicators that match the given query |
| SearchKubernetesIoms | Kubernetes Protection | Search Kubernetes IOMs by the provided search criteria. this endpoint returns a list of Kubernetes IOM UUIDs matching the query |
| SearchObjects | Custom Storage | Search for objects that match the specified filter criteria (returns metadata, not actual objects) |
| setDeviceControlPoliciesPrecedence | Device Control Policies | Sets the precedence of Device Control Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
| setFirewallPoliciesPrecedence | Firewall Policies | Sets the precedence of Firewall Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
| setPreventionPoliciesPrecedence | Prevention Policy | Sets the precedence of Prevention Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
| setRTResponsePoliciesPrecedence | Response Policies | Sets the precedence of Response Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
| setSensorUpdatePoliciesPrecedence | Sensor Update Policy | Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence |
| severity_query_v1 | IOC | Query Severities. |
| signalChangesExternal | FileVantage | Initiates workflows for the provided change IDs. |
| startActions | FileVantage | Initiates the specified action on the provided change IDs. |
| Submit | Falcon Intelligence Sandbox | Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. |
| tokens_create | Installation Tokens | Creates a token. |
| tokens_delete | Installation Tokens | Deletes a token immediately. To revoke a token, use PATCH /installation-tokens/entities/tokens/v1 instead. |
| tokens_query | Installation Tokens | Search for tokens by providing a FQL filter and paging details. |
| tokens_read | Installation Tokens | Gets the details of one or more tokens by id. |
| tokens_update | Installation Tokens | Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore. |
| TriggerScan | Kubernetes Protection | Triggers a dry run or a full scan of a customer's kubernetes footprint |
| update_network_locations | Firewall Management | Updates the network locations provided, and return the ID. |
| update_network_locations_metadata | Firewall Management | Updates the network locations metadata such as polling_intervals for the cid |
| update_network_locations_precedence | Firewall Management | Updates the network locations precedence according to the list of ids provided. |
| update_policy_container | Firewall Management | Update an identified policy container, including local logging functionality. |
| update_policy_container_v1 | Firewall Management | Update an identified policy container. WARNING: This endpoint is deprecated in favor of v2, using this endpoint could disable your local logging setting. |
| update_rule_group | Firewall Management | Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules |
| update_rule_group_validation | Firewall Management | Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules |
| update_rule_groupMixin0 | Custom IOA | Update a rule group. The following properties can be modified: name, description, enabled. |
| update_rules | Custom IOA | Update rules within a rule group. Return the updated rules. |
| update_rules_v2 | Custom IOA | Update name, description, enabled or field_values for individual rules within a rule group. The v1 flavor of this call requires the caller to specify the complete state for all the rules in the rule group, instead the v2 flavor will accept the subset of rules in the rule group and apply the attribute updates to the subset of rules in the rule group. Returns the updated rules. |
| UpdateActionV1 | Recon | Update an action for a monitoring rule. |
| UpdateAWSAccount | Kubernetes Protection | Updates the AWS account per the query parameters provided |
| UpdateAWSAccounts | Cloud Connect AWS | Update AWS Accounts by specifying the ID of the account and details to update |
| updateCIDGroups | MSSP (Flight Control) | Update existing CID groups. CID group ID is expected for each CID group definition provided in request body. Name is a required field but description is an optional field. Empty description will override existing value. CID group member(s) remain unaffected. |
| UpdateCSPMAzureAccountClientID | CSPM Registration | Update an Azure service account in our system by with the user-created client_id created with the public key we've provided |
| UpdateCSPMAzureTenantDefaultSubscriptionID | CSPM Registration | Update an Azure default subscription_id in our system for given tenant_id |
| UpdateCSPMGCPAccount | CSPM Registration | Patches a existing account in our system for a customer. |
| UpdateCSPMGCPServiceAccountsExt | CSPM Registration | Updates an existing GCP service account. |
| UpdateCSPMPolicySettings | CSPM Registration | Updates a policy setting - can be used to override policy severity or to disable a policy entirely. |
| UpdateCSPMScanSchedule | CSPM Registration | Updates scan schedule configuration for one or more cloud platforms. |
| UpdateD4CCPServiceAccountsExt | D4C Registration | Updates an existing GCP service account. |
| updateDefaultDeviceControlPolicies | Device Control Policies | Update the configuration for a Default Device Control Policy |
| UpdateDetectsByIdsV2 | Detects | Modify the state, assignee, and visibility of detections |
| updateDeviceControlPolicies | Device Control Policies | Update Device Control Policies by specifying the ID of the policy and details to update |
| UpdateDeviceTags | Hosts | Append or remove one or more Falcon Grouping Tags on one or more hosts. Tags must be of the form FalconGroupingTags/ |
| UpdateDiscoverCloudAzureAccountClientID | D4C Registration | Update an Azure service account in our system by with the user-created client_id created with the public key we've provided |
| updateFirewallPolicies | Firewall Policies | Update Firewall Policies by specifying the ID of the policy and details to update |
| updateHostGroups | Host Group | Update Host Groups by specifying the ID of the group and details to update |
| updateIOAExclusionsV1 | IOA Exclusions | Update the IOA exclusions |
| updateMLExclusionsV1 | ML Exclusions | Update the ML exclusions |
| UpdateNotificationsV1 | Recon | Update notification status or assignee. Accepts bulk requests |
| updatePolicies | Filevantage | Updates the general information of the provided policy. |
| UpdatePolicies | Image Assessment Policies | Update Image Assessment Policy entities |
| UpdatePolicyExclusions | Image Assessment Policies | Update Image Assessment Policy Exclusion entities |
| UpdatePolicyGroups | Image Assessment Policies | Update Image Assessment Policy Group entities |
| updatePolicyHostGroups | Filevantage | Manage host groups assigned to a policy. |
| updatePolicyPrecedence | Filevantage | Updates the policy precedence for all policies of a specific type. |
| UpdatePolicyPrecedence | Image Assessment Policies | Update Image Assessment Policy precedence |
| updatePolicyRuleGroups | Filevantage | Manage the rule groups assigned to the policy or set the rule group precedence for all rule groups within the policy. |
| updatePreventionPolicies | Prevention Policy | Update Prevention Policies by specifying the ID of the policy and details to update |
| UpdateQfByQuery | Quarantine | Apply quarantine file actions by query. |
| UpdateQuarantinedDetectsByIds | Quarantine | Apply action by quarantine file ids |
| UpdateRegistryEntities | Falcon Container Image | Update the registry entity, as identified by the entity UUID, using the provided details |
| updateRTResponsePolicies | Response Policies | Update Response Policies by specifying the ID of the policy and details to update |
| updateRuleGroupPrecedence | Filevantage | Updates the rule precedence for all rules in the identified rule group. |
| updateRuleGroups | Filevantage | Updates the provided rule group. |
| updateRules | Filevantage | Updates the provided rule configuration within the specified rule group. |
| UpdateRulesV1 | Recon | Update monitoring rules. |
| updateScheduledExclusions | Filevantage | Updates the provided scheduled exclusion configuration within the provided policy. |
| updateSensorUpdatePolicies | Sensor Update Policy | Update Sensor Update Policies by specifying the ID of the policy and details to update |
| updateSensorUpdatePoliciesV2 | Sensor Update Policy | Update Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection |
| updateSensorVisibilityExclusionsV1 | Sensor Visibility Exclusions | Update the sensor visibility exclusions |
| UpdateUser | User Management | Deprecated : Please use PATCH /user-management/entities/users/v1. Modify an existing user's first or last name |
| updateUserGroups | MSSP (Flight Control) | Update existing user group(s). User group ID is expected for each user group definition provided in request body. Name is a required field but description is an optional field. Empty description will override existing value. User group member(s) remain unaffected. |
| updateUserV1 | User Management | Modify an existing user's first or last name. |
| UploadSampleV2 | Falcon Intelligence Sandbox | Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file. |
| UploadSampleV3 | Sample Uploads | Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint. |
| upsert_network_locations | Firewall Management | Updates the network locations provided, and return the ID. |
| userActionV1 | User Management | Apply actions to one or more User. Available action names: reset_2fa, reset_password. User UUIDs can be provided in ids param as part of request payload. |
| userRolesActionV1 | User Management | Grant or Revoke one or more role(s) to a user against a CID. User UUID, CID and Role ID(s) can be provided in request payload. Available Action(s) : grant, revoke |
| ValidateCSPMGCPServiceAccountExt | CSPM Registration | Validates credentials for a service account |
| validate | Custom IOA | Validates field values and checks for matches if a test string is provided. |
| validate_filepath_pattern | Firewall Management | Validates that the test pattern matches the executable filepath glob pattern. |
| VerifyAWSAccountAccess | Cloud Connect AWS | Performs an Access Verification check on the specified AWS Account IDs |
| WorkflowActivitiesCombined | Workflows | Search workflow activities based on the provided filter |
| WorkflowDefinitionsCombined | Workflows | Search workflow definitions based on the provided filter |
| WorkflowDefinitionsExport | Workflows | Exports a workflow definition for the given definition ID |
| WorkflowDefinitionsImport | Workflows | Imports a workflow definition based on the provided model |
| WorkflowDefinitionsUpdate | Workflows | Updates a workflow definition based on the provided model. |
| WorkflowExecute | Workflows | Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response the execution ID(s) |
| WorkflowExecuteInternal | Workflows | Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response the execution ID(s). |
| WorkflowMockExecute | Workflows | Executes an on-demand Workflow with mocks. |
| WorkflowExecutionResults | Workflows | Get execution result of a given execution |
| WorkflowExecutionsAction | Workflows | Allows a user to resume/retry a failed workflow execution. |
| WorkflowExecutionsCombined | Workflows | Search workflow executions based on the provided filter |
| WorkflowGetHumanInputV1 | Workflows | Gets one or more specific human inputs by their IDs. |
| WorkflowTriggersCombined | Workflows | Search workflow triggers based on the provided filter |
| WorkflowUpdateHumanInputV1 | Workflows | Provides an input in response to a human input action. Depending on action configuration, one or more of Approve, Decline, and/or Escalate are permitted. |
| WorkflowSystemDefinitionsDeProvision | Workflows | Deprovisions a system definition that was previously provisioned on the target CID |
| WorkflowSystemDefinitionsPromote | Workflows | Promotes a version of a system definition for a customer. The customer must already have been provisioned. This allows the caller to apply an updated template version to a specific cid and expects all parameters to be supplied. If the template supports multi-instance the customer scope definition ID must be supplied to determine which customer workflow should be updated. |
| WorkflowSystemDefinitionsProvision | Workflows | Provisions a system definition onto the target CID by using the template and provided parameters |
- Home
- Discussions Board
- Glossary of Terms
- Installation, Upgrades and Removal
- Samples Collection
- Using FalconPy
- API Operations
-
Service Collections
- Alerts
- API Integrations
- Cloud Connect AWS (deprecated)
- Cloud Snapshots
- Configuration Assessment
- Configuration Assessment Evaluation Logic
- Container Alerts
- Container Detections
- Container Images
- Container Packages
- Container Vulnerabilities
- CSPM Registration
- Custom IOAs
- Custom Storage
- D4C Registration (deprecated)
- Detects
- Device Control Policies
- Discover
- Drift Indicators
- Event Streams
- Exposure Management
- Falcon Complete Dashboard
- Falcon Container
- Falcon Intelligence Sandbox
- FDR
- FileVantage
- Firewall Management
- Firewall Policies
- Foundry LogScale
- Host Group
- Hosts
- Identity Protection
- Image Assessment Policies
- Incidents
- Installation Tokens
- Intel
- IOA Exclusions
- IOC
- IOCs (deprecated)
- Kubernetes Protection
- MalQuery
- Message Center
- ML Exclusions
- Mobile Enrollment
- MSSP (Flight Control)
- OAuth2
- ODS (On Demand Scan)
- Overwatch Dashboard
- Prevention Policy
- Quarantine
- Quick Scan
- Real Time Response
- Real Time Response Admin
- Real Time Response Audit
- Recon
- Report Executions
- Response Policies
- Sample Uploads
- Scheduled Reports
- Sensor Download
- Sensor Update Policy
- Sensor Visibility Exclusions
- Spotlight Evaluation Logic
- Spotlight Vulnerabilities
- Tailored Intelligence
- ThreatGraph
- Unidentified Containers
- User Management
- Workflows
- Zero Trust Assessment
- Documentation Support
-
CrowdStrike SDKs
- Crimson Falcon - Ruby
- FalconPy - Python 3
- FalconJS - Javascript
- goFalcon - Go
- PSFalcon - Powershell
- Rusty Falcon - Rust
