Operations by Collection

All Operations by Service Collection

Total Service Collections Total Operations Documentation Version Page Updated


Alerts	API Integrations	Cloud Connect AWS	Cloud Snapshots
Configuration Assessment	Configuration Assessment Evaluation Logic	Container Alerts	Container Detections
Container Images	Container Packages	Container Vulnerabilities	CSPM Registration
Custom IOA	Custom Storage	D4C Registration	Detects
Device Control Policies	Discover	Drift Indicators	Event Streams
Exposure Management	Falcon Complete Dashboard	Falcon Container	Falcon Intelligence Sandbox
FDR	FileVantage	Firewall Management	Firewall Policies
Foundry LogScale	Host Group	Hosts	Identity Protection
Image Assessment Policies	Incidents	Installation Tokens	Intel
IOA Exclusions	IOC	IOCs	Kubernetes Protection
Malquery	Message Center	ML Exclusions	Mobile Enrollment
MSSP (Flight Control)	OAuth2	ODS	Overwatch Dashboard
Prevention Policies	Quarantine	Quick Scan	Real Time Response
Real Time Response Admin	Real Time Response Audit	Recon	Report Executions
Response Policies	Sample Uploads	Scheduled Reports	Sensor Download
Sensor Update Policies	Sensor Visibility Exclusions	Spotlight Evaluation Logic	Spotlight Vulnerabilities
Tailored Intelligence	ThreatGraph	Unidentified Containers	User Management
Workflows	Zero Trust Assessment

Alerts

Operation ID	Description
PostAggregatesAlertsV1	retrieves aggregate values for Alerts across all CIDs
PostAggregatesAlertsV2	retrieves aggregate values for Alerts across all CIDs
PostEntitiesAlertsV1	retrieves all Alerts given their ids
PostEntitiesAlertsV2	retrieves all Alerts given their composite ids
PatchEntitiesAlertsV2	Perform actions on detections identified by detection ID(s) in request. Each action has a name and a description which describes what the action does. If a request adds and removes tag in a single request, the order of processing would be to remove tags before adding new ones in.
PatchEntitiesAlertsV3	Perform actions on detections identified by detection ID(s) in request. Each action has a name and a description which describes what the action does. If a request adds and removes tag in a single request, the order of processing would be to remove tags before adding new ones in.
GetQueriesAlertsV1	retrieves all Alerts ids that match a given query
GetQueriesAlertsV2	retrieves all Alerts ids that match a given query

API Integrations

Operation ID	Description
GetCombinedPluginConfigs	Queries for config resources and returns details
ExecuteCommand	Execute a command.

Cloud Connect AWS

Operation ID	Description
QueryAWSAccounts	Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria
GetAWSSettings	Retrieve a set of Global Settings which are applicable to all provisioned AWS accounts
GetAWSAccounts	Retrieve a set of AWS Accounts by specifying their IDs
ProvisionAWSAccounts	Provision AWS Accounts by specifying details about the accounts to provision
DeleteAWSAccounts	Delete a set of AWS Accounts by specifying their IDs
UpdateAWSAccounts	Update AWS Accounts by specifying the ID of the account and details to update
CreateOrUpdateAWSSettings	Create or update Global Settings which are applicable to all provisioned AWS accounts
VerifyAWSAccountAccess	Performs an Access Verification check on the specified AWS Account IDs
QueryAWSAccountsForIDs	Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria

Cloud Snapshots

Operation ID	Description
GetCredentialsMixin0	Retrieve the registry credentials.
CreateDeploymentEntity	Launch a snapshot scan for a given cloud asset.
ReadDeploymentsCombined	Search for snapshot jobs identified by the provided filter.
ReadDeploymentsEntities	Retrieve snapshot jobs identified by the provided IDs.
RegisterCspmSnapshotAccount	Register an account for snapshot scanning.
GetScanReport	Retrieve the scan report for an instance.

Configuration Assessment

Operation ID	Description
getCombinedAssessmentsQuery	Search for assessments in your environment by providing an FQL filter and paging details. Returns a set of HostFinding entities which match the filter criteria
getRuleDetails	Get rules details for provided one or more rule IDs

Configuration Assessment Evaluation Logic

Operation ID	Description
getEvaluationLogicMixin0	Get details on evaluation logic items by providing one or more finding IDs.

Container Alerts

Operation ID	Description
ReadContainerAlertsCountBySeverity	Get Container Alerts by severity
ReadContainerAlertsCount	Search Container Alerts by the provided search criteria
SearchAndReadContainerAlerts	Search Container Alerts by the provided search criteria

Container Detections

Operation ID	Description
GetRuntimeDetectionsCombinedV2	Retrieve image assessment detections identified by the provided filter criteria.
ReadDetectionsCountBySeverity	Aggregate counts of detections by severity
ReadDetectionsCountByType	Aggregate counts of detections by detection type
ReadDetectionsCount	Aggregate count of detections
ReadCombinedDetections	Retrieve image assessment detections identified by the provided filter criteria
ReadDetections	Retrieve image assessment detection entities identified by the provided filter criteria
SearchDetections	Retrieve image assessment detection entities identified by the provided filter criteria

Container Images

Operation ID	Description
AggregateImageAssessmentHistory	Image assessment history
AggregateImageCountByBaseOS	Aggregate count of images grouped by Base OS distribution
AggregateImageCountByState	Aggregate count of images grouped by state
AggregateImageCount	Aggregate count of images
GetCombinedImages	Get image assessment results by providing an FQL filter and paging details
CombinedImageByVulnerabilityCount	Retrieve top x images with the most vulnerabilities
CombinedImageDetail	Retrieve image entities identified by the provided filter criteria
ReadCombinedImagesExport	Retrieve images with an option to expand aggregated vulnerabilities/detections
CombinedImageIssuesSummary	Retrieve image issues summary such as Image detections, Runtime detections, Policies, vulnerabilities
CombinedImageVulnerabilitySummary	aggregates information about vulnerabilities for an image

Container Packages

Operation ID	Description
ReadPackagesCountByZeroDay	Retrieve packages count affected by zero day vulnerabilities
ReadPackagesByFixableVulnCount	Retrieve top x app packages with the most fixable vulnerabilities
ReadPackagesByVulnCount	Retrieve top x packages with the most vulnerabilities
ReadPackagesCombinedExport	Retrieve packages identified by the provided filter criteria for the purpose of export
ReadPackagesCombined	Retrieve packages identified by the provided filter criteria

Container Vulnerabilities

Operation ID	Description
ReadVulnerabilityCountByActivelyExploited	Aggregate count of vulnerabilities grouped by actively exploited
ReadVulnerabilityCountByCPSRating	Aggregate count of vulnerabilities grouped by csp_rating
ReadVulnerabilityCountByCVSSScore	Aggregate count of vulnerabilities grouped by cvss score
ReadVulnerabilityCountBySeverity	Aggregate count of vulnerabilities grouped by severity
ReadVulnerabilityCount	Aggregate count of vulnerabilities
ReadVulnerabilitiesByImageCount	Retrieve top x vulnerabilities with the most impacted images
ReadVulnerabilitiesPublicationDate	Retrieve top x vulnerabilities with the most recent publication date
ReadCombinedVulnerabilitiesDetails	Retrieve vulnerability details related to an image
ReadCombinedVulnerabilitiesInfo	Retrieve vulnerability and package related info for this customer
ReadCombinedVulnerabilities	Retrieve vulnerability and aggregate data filtered by the provided FQL

CSPM Registration

Operation ID	Description
GetCSPMAwsAccount	Returns information about the current status of an AWS account.
CreateCSPMAwsAccount	Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access.
DeleteCSPMAwsAccount	Deletes an existing AWS account or organization in our system.
PatchCSPMAwsAccount	Patches a existing account in our system for a customer.
GetCSPMAwsConsoleSetupURLs	Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment.
GetCSPMAwsAccountScriptsAttachment	Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment.
GetCSPMAzureAccount	Return information about Azure account registration
CreateCSPMAzureAccount	Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.
DeleteCSPMAzureAccount	Deletes an Azure subscription from the system.
UpdateCSPMAzureAccountClientID	Update an Azure service account in our system by with the user-created client_id created with the public key we've provided
UpdateCSPMAzureTenantDefaultSubscriptionID	Update an Azure default subscription_id in our system for given `tenant_id`.
AzureDownloadCertificate	Returns JSON object(s) that contain the base64 encoded certificate for a service principal.
GetCSPMAzureUserScriptsAttachment	Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment
GetBehaviorDetections	Get list of detected behaviors
GetConfigurationDetections	Get list of active misconfigurations
GetConfigurationDetectionEntities	Get misconfigurations based on the ID - including custom policy detections in addition to default policy detections.
GetConfigurationDetectionIDsV2	Get list of active misconfiguration ids - including custom policy detections in addition to default policy detections.
GetIOAEvents	For CSPM IOA events, gets list of IOA events.
GetIOAUsers	For CSPM IOA users, gets list of IOA users.
GetCSPMPolicy	Given a policy ID, returns detailed policy information.
GetCSPMPoliciesDetails	Given an array of policy IDs, returns detailed policies information.
GetCSPMPolicySettings	Returns information about current policy settings.
UpdateCSPMPolicySettings	Updates a policy setting - can be used to override policy severity or to disable a policy entirely.
GetCSPMScanSchedule	Returns scan schedule configuration for one or more cloud platforms.
UpdateCSPMScanSchedule	Updates scan schedule configuration for one or more cloud platforms.
GetCSPMAzureManagementGroup	Return information about Azure management group registration
DeleteCSPMAzureManagementGroup	Deletes Azure management groups from the system.
CreateCSPMAzureManagementGroup	Creates a new management group in our system for a customer.
GetCSPMCGPAccount	Returns information about the current status of an GCP account.
CreateCSPMGCPAccount	Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access.
DeleteCSPMGCPAccount	Deletes a GCP account from the system.
UpdateCSPMGCPAccount	Patches a existing account in our system for a customer.
ConnectCSPMGCPAccount	Creates a new GCP account with newly-uploaded service account or connects with existing service account with only the following fields: parent_id, parent_type and service_account_id
GetCSPMGCPServiceAccountsExt	Returns the service account id and client email for external clients.
UpdateCSPMGCPServiceAccountsExt	Updates an existing GCP service account.
GetCSPMGCPUserScriptsAttachment	Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment
GetCSPMGCPValidateAccountsExt	Run a synchronous health check.
ValidateCSPMGCPServiceAccountExt	Validates credentials for a service account

Custom IOA

Operation ID	Description
get_patterns	Get pattern severities by ID.
get_platformsMixin0	Get platforms by ID.
get_rule_groupsMixin0	Get rule groups by ID.
create_rule_groupMixin0	Create a rule group for a platform with a name and an optional description. Returns the rule group.
delete_rule_groupsMixin0	Delete rule groups by ID.
update_rule_groupMixin0	Update a rule group. The following properties can be modified: name, description, enabled.
get_rule_types	Get rule types by ID.
get_rules_get	Get rules by ID and optionally with cid and/or version in the following format: `[cid:]ID[:version]`.
get_rulesMixin0	Get rules by ID and optionally with cid and/or version in the following format: `[cid:]ID[:version]`. The max number of IDs is constrained by URL size.
create_rule	Create a rule within a rule group. Returns the rule.
delete_rules	Delete rules from a rule group by ID.
update_rules	Update rules within a rule group. Return the updated rules.
update_rules_v2	Update name, description, enabled or field_values for individual rules within a rule group. The v1 flavor of this call requires the caller to specify the complete state for all the rules in the rule group, instead the v2 flavor will accept the subset of rules in the rule group and apply the attribute updates to the subset of rules in the rule group. Returns the updated rules.
validate	Validates field values and checks for matches if a test string is provided.
query_patterns	Get all pattern severity IDs.
query_platformsMixin0	Get all platform IDs.
query_rule_groups_full	Find all rule groups matching the query with optional filter.
query_rule_groupsMixin0	Finds all rule group IDs matching the query with optional filter.
query_rule_types	Get all rule type IDs.
query_rulesMixin0	Finds all rule IDs matching the query with optional filter.

Custom Storage

Operation ID	Description
ListObjects	List the object keys in the specified collection in alphabetical order.
SearchObjects	Search for objects that match the specified filter criteria (returns metadata, not actual objects).
GetObject	Get the bytes for the specified object.
PutObject	Put the specified new object at the given key or overwrite an existing object at the given key.
DeleteObject	Delete the specified object.
GetObjectMetadata	Get the metadata for the specified object.

D4C Registration

Operation ID	Description
GetD4CAwsAccount	Returns information about the current status of an AWS account.
CreateD4CAwsAccount	Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access.
DeleteD4CAwsAccount	Deletes an existing AWS account or organization in our system.
GetD4CAwsConsoleSetupURLs	Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment.
GetD4CAWSAccountScriptsAttachment	Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment.
GetDiscoverCloudAzureAccount	Return information about Azure account registration
GetDiscoverCloudAzureTenantIDs	Return available tenant IDs for Discover for Cloud.
CreateDiscoverCloudAzureAccount	Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.
UpdateDiscoverCloudAzureAccountClientID	Update an Azure service account in our system by with the user-created client_id created with the public key we've provided
GetDiscoverCloudAzureUserScriptsAttachment	Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment
GetDiscoverCloudAzureUserScripts	Return a script for customer to run in their cloud environment to grant us access to their Azure environment
GetDiscoverCloudCGPAccount	Returns information about the current status of an GCP account.
CreateDiscoverCloudGCPAccount	Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access.
DiscoverCloudAzureDownloadCertificate	Returns JSON object(s) that contain the base64 encoded certificate for a service principal.
GetDiscoverCloudGCPUserScriptsAttachment	Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment
GetDiscoverCloudGCPUserScripts	Return a script for customer to run in their cloud environment to grant us access to their GCP environment
DeleteD4CGCPAccount	Deletes a GCP account from the system.
ConnectD4CGCPAccount	Creates a new GCP account with newly-uploaded service account or connects with existing service account with only the following fields: parent_id, parent_type and service_account_id
GetD4CGCPServiceAccountsExt	Returns the service account id and client email for external clients.
UpdateD4CCPServiceAccountsExt	Updates an existing GCP service account.
GetD4CGCPUserScriptsAttachment	Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment

Detects

Operation ID	Description
GetAggregateDetects	Get detect aggregates as specified via json in request body.
UpdateDetectsByIdsV2	Modify the state, assignee, and visibility of detections
GetDetectSummaries	View information about detections
QueryDetects	Search for detection IDs that match a given query

Device Control Policies

Operation ID	Description
queryCombinedDeviceControlPolicyMembers	Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedDeviceControlPolicies	Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policies which match the filter criteria
getDefaultDeviceControlPolicies	Retrieve the configuration for the Default Device Control Policy.
updateDefaultDeviceControlPolicies	Update the configuration for the Default Device Control Policy.
performDeviceControlPoliciesAction	Perform the specified action on the Device Control Policies specified in the request
setDeviceControlPoliciesPrecedence	Sets the precedence of Device Control Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
getDeviceControlPolicies	Retrieve a set of Device Control Policies by specifying their IDs
createDeviceControlPolicies	Create Device Control Policies by specifying details about the policy to create
deleteDeviceControlPolicies	Delete a set of Device Control Policies by specifying their IDs
updateDeviceControlPolicies	Update Device Control Policies by specifying the ID of the policy and details to update
queryDeviceControlPolicyMembers	Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryDeviceControlPolicies	Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policy IDs which match the filter criteria

Discover

Operation ID	Description
get_accounts	Get details on accounts by providing one or more IDs.
get_applications	Get details on applications by providing one or more IDs.
get_hosts	Get details on assets by providing one or more IDs.
get_iot_hosts	Get details on IoT assets by providing one or more IDs.
get_logins	Get details on logins by providing one or more IDs.
query_accounts	Search for accounts in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_applications	Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of applications IDs which match the filter criteria.
query_hosts	Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_iot_hosts	Search for IoT assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_iot_hosts_v2	Search for IoT assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_logins	Search for logins in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

Drift Indicators

| GetDriftIndicatorsValuesByDate | Returns the count of Drift Indicators by the date. by default it's for 7 days. | | ReadDriftIndicatorsCount | Returns the total count of Drift indicators over a time period | | SearchAndReadDriftIndicatorEntities | Retrieve Drift Indicators by the provided search criteria | | SearchDriftIndicators | Retrieve all drift indicators that match the given query |

Event Streams

Operation ID	Description
refreshActiveStreamSession	Refresh an active event stream. Use the URL shown in a GET /sensors/entities/datafeed/v2 response.
listAvailableStreamsOAuth2	Discover all event streams in your environment

Exposure Management

Operation ID	Description
aggregate_external_assets	Returns external assets aggregates.
blob_download_external_assets	Download the entire contents of the blob. The relative link to this endpoint is returned in the get_external_assets request.
blob_preview_external_assets	Download a preview of the blob. The relative link to this endpoint is returned in the get_external_assets request.
get_external_assets	Get details on external assets by providing one or more IDs.
patch_external_assets	Update the details of external assets.
query_external_assets	Get a list of external asset IDs that match the provided filter conditions. Use these IDs with the blob_download_external_assets, blob_preview_external_assets and get_external_assets endpoints

Falcon Container

Operation ID	Description
GetCombinedImages	Gets image assessment results by providing a FQL filter and paging details.
GetCredentials	Gets the registry credentials.
ReadImageVulnerabilities	Retrieve vulnerabilities for a specified image.
GetImageAssessmentReport	Retrieve an assessment report for an image by specifying repository and tag.
DeleteImageDetails	Delete image details from the CrowdStrike registry.
ImageMatchesPolicy	Check if an image matches a policy by specifying repository and tag.
ReadRegistryEntities	Retrieve registry entities associated with the client ID.
ReadRegistryEntitiesByUUID	Retrieve registry entities associated with a specific registry entity UUID.
DeleteRegistryEntities	Delete registry entities by UUID.
CreateRegistryEntities	Create registry entities using the provided detail.
UpdateRegistryEntities	Update the registry entity, as identified by the entity UUID, using the provided details.

Falcon Complete Dashboard

Operation ID	Description
AggregateAlerts	Retrieve aggregate alerts values based on the matched filter
AggregateAllowList	Retrieve aggregate allowlist ticket values based on the matched filter
AggregateBlockList	Retrieve aggregate blocklist ticket values based on the matched filter
AggregateDetections	Retrieve aggregate detection values based on the matched filter
AggregateDeviceCountCollection	Retrieve aggregate host/devices count based on the matched filter
AggregateEscalations	Retrieve aggregate escalation ticket values based on the matched filter
AggregateFCIncidents	Retrieve aggregate incident values based on the matched filter
AggregateRemediations	Retrieve aggregate remediation ticket values based on the matched filter
AggregatePreventionPolicy	Retrieve aggregate prevention policy values based on the matched filter
AggregateSensorUpdatePolicy	Retrieve aggregate sensor update policy values based on the matched filter
AggregateSupport Issues	Retrieve aggregate support issue values based on the matched filter
QueryAlertIdsByFilter	Retrieve alert IDs that match the provided filter criteria with scrolling enabled
QueryAllowListFilter	Retrieve allowlist tickets that match the provided filter criteria with scrolling enabled
QueryBlockListFilter	Retrieve block listtickets that match the provided filter criteria with scrolling enabled
QueryDetectionIdsByFilter	Retrieve DetectionsIds that match the provided FQL filter, criteria with scrolling enabled
GetDeviceCountCollectionQueriesByFilter	Retrieve device count collection Ids that match the provided FQL filter, criteria with scrolling enabled
QueryEscalationsFilter	Retrieve escalation tickets that match the provided filter criteria with scrolling enabled
QueryIncidentIdsByFilter	Retrieve incidents that match the provided filter criteria with scrolling enabled
QueryRemediationsFilter	Retrieve remediation tickets that match the provided filter criteria with scrolling enabled

Falcon Intelligence Sandbox

Operation ID	Description
GetArtifacts	Download IOC packs, PCAP files, and other analysis artifacts.
GetMemoryDumpExtractedStrings	Get extracted strings from a memory dump.
GetMemoryDumpHexDump	Get the hex view of a memory dump.
GetMemoryDump	Get memory dump content, as a binary.
GetSummaryReports	Get a short summary version of a sandbox report.
GetReports	Get a full sandbox report.
DeleteReport	Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint.
GetSubmissions	Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
Submit	Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
QueryReports	Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria.
QuerySubmissions	Find submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria.
GetSampleV2	Retrieves the file associated with the given ID (SHA256)
UploadSampleV2	Upload a file for sandbox analysis. After uploading, use `/falconx/entities/submissions/v1` to start analyzing the file.
DeleteSampleV2	Removes a sample, including file, meta and submissions from the collection
QuerySampleV1	Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200

FDR

Operation ID	Description
fdrschema_combined_event_get	Fetches the combined schema.
fdrschema_entities_event_get	Fetch event schema by ID.
fdrschema_queries_event_get	Get list of event IDs given a particular query.
fdrschema_entities_field_get	Fetch field schema by ID.
fdrschema_queries_field_get	Get list of field IDs given a particular query.

FileVantage

Operation ID	Description
getActionsMixin0	Retrieve the processing results for one or more actions.
startActions	Initiates the specified action on the provided change IDs.
getContents	Retrieves the content captured for the provided change ID.
getChanges	Retrieve information on changes.
queryChanges	Returns one or more change IDs.
updatePolicyHostGroups	Manage host groups assigned to a policy.
updatePolicyRuleGroups	Manage the rule groups assigned to the policy or set the rule group precedence for all rule groups within the policy.
updatePolicyPrecedence	Updates the policy precedence for all policies of a specific type.
getPolicies	Retrieves the configuration for one or more policies.
createPolicies	Creates a new policy of the specified type. New policies are always added at the end of the precedence list for the provided policy type.
deletePolicies	Deletes one or more policies.
updatePolicies	Updates the general information of the provided policy.
getScheduledExclusions	Retrieves the configuration for one or more scheduled exclusions from the provided policy ID.
createScheduledExclusions	Creates a new scheduled exclusion configuration for the provided policy ID.
deleteScheduledExclusions	Deletes one or more scheduled exclusions from the provided policy ID.
updateScheduledExclusions	Updates the provided scheduled exclusion configuration within the provided polciy.
updateRuleGroupPrecedence	Updates the rule precedence for all ruels in the identified rule group.
getRules	Retrieves the configuration for one or more rules.
createRules	Creates a new rule configuration within the specified rule group.
deleteRules	Deletes one or more rules from the specified rule group.
updateRules	Updates the provided rule configuration within the specified rule group.
getRuleGroups	Retrieves the rule group details for one or more rule groups.
createRuleGroups	Creates a new rule group of the specified type.
deleteRuleGroups	Deletes one or more rule groups
updateRuleGroups	Updates the provided rule group.
signalChangesExternal	Initiates workflows for the provided change IDs.
highVolumeQueryChanges	Returns a list of Falcon FileVantage change IDs filtered, sorted and limited by the query parameters provided. It can retrieve an unlimited number of results using multiple requests.
queryActionsMixin0	Returns one or more action IDs.
queryRulesGroups	Retrieve the IDs of all rule groups that are of the provided rule group type.
queryScheduledExclusions	Retrieve the IDs of all scheduled exclusions contained within the provided policy ID.
queryPolicies	Retrieve the ids of all policies that are assigned the provided policy type.

Firewall Management

Operation ID	Description
aggregate_events	Aggregate events for customer
aggregate_policy_rules	Aggregate rules within a policy for customer
aggregate_rule_groups	Aggregate rule groups for customer
aggregate_rules	Aggregate rules for customer
get_events	Get events entities by ID and optionally version
get_firewall_fields	Get the firewall field specifications by ID
get_network_locations_details	Get network locations entities by ID
update_network_locations_metadata	Updates the network locations metadata such as polling_intervals for the cid
update_network_locations_precedence	Updates the network locations precedence according to the list of ids provided.
get_network_locations	Get a summary of network locations entities by ID
upsert_network_locations	Updates the network locations provided, and return the ID.
create_network_locations	Create new network locations provided, and return the ID.
delete_network_locations	Delete network location entities by ID.
update_network_locations	Updates the network locations provided, and return the ID.
get_platforms	Get platforms by ID, e.g., windows or mac or droid
get_policy_containers	Get policy container entities by policy ID
update_policy_container_v1	Update an identified policy container. WARNING: This endpoint is deprecated in favor of v2, using this endpoint could disable your local logging setting.
update_policy_container	Update an identified policy container, including local logging functionality.
get_rule_groups	Get rule group entities by ID. These groups do not contain their rule entites, just the rule IDs in precedence order.
create_rule_group	Create new rule group on a platform for a customer with a name and description, and return the ID
delete_rule_groups	Delete rule group entities by ID
update_rule_group	Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
create_rule_group_validation	Validates the request of creating a new rule group on a platform for a customer with a name and description
update_rule_group_validation	Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
get_rules	Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string)
validate_filepath_pattern	Validates that the test pattern matches the executable filepath glob pattern.
query_events	Find all event IDs matching the query with filter
query_firewall_fields	Get the firewall field specification IDs for the provided platform
query_network_locations	Get a list of network location IDs
query_platforms	Get the list of platform names
query_policy_rules	Find all firewall rule IDs matching the query with filter, and return them in precedence order
query_rule_groups	Find all rule group IDs matching the query with filter
query_rules	Find all rule IDs matching the query with filter

Firewall Policies

Operation ID	Description
queryCombinedFirewallPolicyMembers	Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedFirewallPolicies	Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policies which match the filter criteria
performFirewallPoliciesAction	Perform the specified action on the Firewall Policies specified in the request
setFirewallPoliciesPrecedence	Sets the precedence of Firewall Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
getFirewallPolicies	Retrieve a set of Firewall Policies by specifying their IDs
createFirewallPolicies	Create Firewall Policies by specifying details about the policy to create
deleteFirewallPolicies	Delete a set of Firewall Policies by specifying their IDs
updateFirewallPolicies	Update Firewall Policies by specifying the ID of the policy and details to update
queryFirewallPolicyMembers	Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryFirewallPolicies	Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policy IDs which match the filter criteria

Foundry LogScale

Operation ID	Description
ListReposV1	Lists available repositories and views.
IngestDataV1	Ingest data into the application repository.
IngestDataAsyncV1	Ingest data into the application repository asynchronously.
CreateSavedSearchesDynamicExecuteV1	Execute a dynamic saved search.
GetSavedSearchesExecuteV1	Get the results of a saved search.
CreateSavedSearchesExecuteV1	Execute a saved search.
CreateSavedSearchesIngestV1	Populate a saved search.
GetSavedSearchesJobResultsDownloadV1	Get the results of a saved search as a file.
ListViewV1	List views.

Host Group

Operation ID	Description
queryCombinedGroupMembers	Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedHostGroups	Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Groups which match the filter criteria
performGroupAction	Perform the specified action on the Host Groups specified in the request
getHostGroups	Retrieve a set of Host Groups by specifying their IDs
createHostGroups	Create Host Groups by specifying details about the group to create
deleteHostGroups	Delete a set of Host Groups by specifying their IDs
updateHostGroups	Update Host Groups by specifying the ID of the group and details to update
queryGroupMembers	Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryHostGroups	Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Group IDs which match the filter criteria

Hosts

Operation ID	Description
QueryDeviceLoginHistory	Retrieve details about recent login sessions for a set of devices.
QueryDeviceLoginHistoryV2	Retrieve details about recent interactive login sessions for a set of devices powered by the Host Timeline. A max of 10 device ids can be specified
QueryGetNetworkAddressHistoryV1	Retrieve history of IP and MAC addresses of devices.
PerformActionV2	Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host.
UpdateDeviceTags	Append or remove one or more Falcon Grouping Tags on one or more hosts.
GetDeviceDetails	Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API
GetDeviceDetailsV1	Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 500)
GetDeviceDetailsV2	Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 100)
PostDeviceDetailsV2	Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API. (Max: 5000)
entities_perform_action	Performs the specified action on the provided prevention policy IDs.
GetOnlineState_V1	Get the online status for one or more hosts by specifying each host’s unique ID.
QueryHiddenDevices	Retrieve hidden hosts that match the provided filter criteria.
QueryDevicesByFilterScroll	Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)
QueryDevicesByFilter	Search for hosts in your environment by platform, hostname, IP, and other criteria.

Identity Protection

Operation ID	Description
GetSensorAggregates	Get sensor aggregates as specified via json in request body.
GetSensorDetails	Get details on one or more sensors by provdiing device IDs in a POST body. Supports up to a maximum of 5000 IDs.
QuerySensorsByFilter	Search for sensors in your environment by hostname, IP, or other criteria.
api_preempt_proxy_post_graphql	Identity Protection GraphQL API. Allows to retrieve entities, timeline activities, identity-based incidents and security assessment. Allows to perform actions on entities and identity-based incidents.

Image Assessment Policies

Operation ID	Description
ReadPolicies	Get all Image Assessment policies
CreatePolicies	Create Image Assessment policies
DeletePolicy	Delete Image Assessment Policy by policy UUID
UpdatePolicies	Update Image Assessment Policy entities
ReadPolicyExclusions	Retrieve Image Assessment Policy Exclusion entities
UpdatePolicyExclusions	Update Image Assessment Policy Exclusion entities
ReadPolicyGroups	Retrieve Image Assessment Policy Group entities
CreatePolicyGroups	Create Image Assessment Policy Group entities
DeletePolicyGroup	Delete Image Assessment Policy Group entities
UpdatePolicyGroups	Update Image Assessment Policy Group entities
UpdatePolicyPrecedence	Update Image Assessment Policy precedence

Incidents

Operation ID	Description
CrowdScore	Query environment wide CrowdScore and return the entity data
GetBehaviors	Get details on behaviors by providing behavior IDs
PerformIncidentAction	Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
GetIncidents	Get details on incidents by providing incident IDs
QueryBehaviors	Search for behaviors by providing a FQL filter, sorting, and paging details
QueryIncidents	Search for incidents by providing a FQL filter, sorting, and paging details

Installation Tokens

Operation ID	Description
audit_events_read	Gets the details of one or more audit events by id.
customer_settings_read	Check current installation token settings.
customer_settings_update	Update installation token settings.
tokens_read	Gets the details of one or more tokens by id.
tokens_create	Creates a token.
tokens_delete	Deletes a token immediately. To revoke a token, use PATCH /installation-tokens/entities/tokens/v1 instead.
tokens_update	Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore.
audit_events_query	Search for audit events by providing a FQL filter and paging details.
tokens_query	Search for tokens by providing a FQL filter and paging details.

Intel

Operation ID	Description
QueryIntelActorEntities	Get info about actors that match provided FQL filters.
QueryIntelIndicatorEntities	Get info about indicators that match provided FQL filters.
QueryIntelReportEntities	Get info about reports that match provided FQL filters.
GetIntelActorEntities	Retrieve specific actors using their actor IDs.
GetIntelIndicatorEntities	Retrieve specific indicators using their indicator IDs.
GetMalwareEntities	Get malware entities for specified IDs.
GetMitreReport	Export Mitre ATT&CK information for a given actor.
PostMitreAttacks	Retrieves report and observable IDs associated with the given actor and attacks.
GetIntelReportPDF	Return a Report PDF attachment
GetIntelReportEntities	Retrieve specific reports using their report IDs.
GetIntelRuleFile	Download earlier rule sets.
GetLatestIntelRuleFile	Download the latest rule set.
GetIntelRuleEntities	Retrieve details for rule sets for the specified ids.
GetVulnerabilities	Get vulnerabilities
QueryIntelActorIds	Get actor IDs that match provided FQL filters.
QueryMalware	Get malware family names that match provided FQL filters.
QueryMitreAttacksForMalware	Gets MITRE tactics and techniques for the given malware.
QueryMitreAttacks	Gets MITRE tactics and techniques for the given actor.
QueryIntelIndicatorIds	Get indicators IDs that match provided FQL filters.
QueryIntelReportIds	Get report IDs that match provided FQL filters.
QueryIntelRuleIds	Search for rule IDs that match provided filter criteria.
QueryVulnerabilities	Get vulnerabilities IDs

IOA Exclusions

Operation ID	Description
getIOAExclusionsV1	Get a set of IOA Exclusions by specifying their IDs
createIOAExclusionsV1	Create the IOA exclusions
deleteIOAExclusionsV1	Delete the IOA exclusions by id
updateIOAExclusionsV1	Update the IOA exclusions
queryIOAExclusionsV1	Search for IOA exclusions.

IOC

Operation ID	Description
indicator_get_device_count_v1	Get the number of devices the indicator has run on
indicator_aggregate_v1	Get Indicators aggregates as specified via json in the request body.
indicator_combined_v1	Get Combined for Indicators.
action_get_v1	Get Actions by ids.
GetIndicatorsReport	Launch an indicators report creation job
indicator_get_v1	Get Indicators by ids.
indicator_create_v1	Create Indicators.
indicator_delete_v1	Delete Indicators by ids.
indicator_update_v1	Update Indicators.
action_query_v1	Query Actions.
indicator_get_devices_ran_on_v1	Get the IDs of devices the indicator has run on
indicator_get_processes_ran_on_v1	Get the number of processes the indicator has run on
indicator_search_v1	Search for Indicators.
DevicesCount	Number of hosts in your customer account that have observed a given custom IOC
DevicesRanOn	Find hosts that have observed a given custom IOC. For details about those hosts, use GetDeviceDetails
ProcessesRanOn	Search for processes associated with a custom IOC
entities_processes	For the provided ProcessID retrieve the process details
ioc_type_query_v1	Query IOC Types.
platform_query_v1	Query Platforms.
severity_query_v1	Query Severities.

IOCs

Operation ID	Description
DevicesCount	Number of hosts in your customer account that have observed a given custom IOC
GetIOC	This operation has been superseded by the IOC.indicator_get_v1 operation and is no longer used.
CreateIOC	This operation has been superseded by the IOC.indicator_create_v1 operation and is no longer used.
DeleteIOC	This operation has been superseded by the IOC.indicator_delete_v1 operation and is no longer used.
UpdateIOC	This operation has been superseded by the IOC.indicator_update_v1 operation and is no longer used.
DevicesRanOn	Find hosts that have observed a given custom IOC. For details about those hosts, use GetDeviceDetails
QueryIOCs	This operation has been superseded by the IOC.indicator_search_v1 operation and is no longer used.
ProcessesRanOn	Search for processes associated with a custom IOC
entities_processes	For the provided ProcessID retrieve the process details

Kubernetes Protection

Operation ID	Description
ReadClustersByDateRangeCount	Retrieve clusters by date range counts
ReadClustersByKubernetesVersionCount	Bucket clusters by kubernetes version
ReadClustersByStatusCount	Bucket clusters by status
ReadClusterCount	Retrieve cluster counts
ReadContainersByDateRangeCount	Retrieve containers by date range counts
ReadContainerCountByRegistry	Retrieve top container image registries
FindContainersCountAffectedByZeroDayVulnerabilities	Retrieve containers count affected by zero day vulnerabilities
ReadVulnerableContainerImageCount	Retrieve count of vulnerable images running on containers
ReadContainerCount	Retrieve container counts
FindContainersByContainerRunTimeVersion	Retrieve containers by container_runtime_version
GroupContainersByManaged	Group the containers by Managed
ReadContainerImageDetectionsCountByDate	Retrieve count of image assessment detections on running containers over a period of time
ReadContainerImagesByState	Retrieve count of image states running on containers
ReadContainersSensorCoverage	Bucket containers by agent type and calculate sensor coverage
ReadContainerVulnerabilitiesBySeverityCount	Retrieve container vulnerabilities by severity counts
ReadDeploymentsByDateRangeCount	Retrieve deployments by date range counts
ReadDeploymentCount	Retrieve deployment counts
ReadClusterEnrichment	Retrieve cluster enrichment data
ReadNodeEnrichment	Retrieve node enrichment data
ReadDistinctContainerImageCount	Retrieve count of distinct images running on containers
ReadContainerImagesByMostUsed	Bucket container by image-digest
ReadKubernetesIomByDateRange	Returns the count of Kubernetes IOMs by the date. by default it's for 7 days.
ReadKubernetesIomCount	Returns the total count of Kubernetes IOMs over the past seven days
ReadNodesByCloudCount	Bucket nodes by cloud providers
ReadNodesByContainerEngineVersionCount	Bucket nodes by their container engine version
ReadNodesByDateRangeCount	Retrieve nodes by date range counts
ReadNodeCount	Retrieve node counts
ReadPodsByDateRangeCount	Retrieve pods by date range counts
ReadPodCount	Retrieve pod counts
ReadClusterCombined	Retrieve kubernetes clusters identified by the provided filter criteria
ReadRunningContainerImages	Retrieve images on running containers
ReadContainerCombined	Retrieve containers identified by the provided filter criteria
ReadDeploymentCombined	Retrieve kubernetes deployments identified by the provided filter criteria
SearchAndReadKubernetesIomEntities	Search Kubernetes IOM by the provided search criteria
ReadNodeCombined	Retrieve kubernetes nodes identified by the provided filter criteria
ReadPodCombined	Retrieve kubernetes pods identified by the provided filter criteria
ReadKubernetesIomEntities	Retrieve Kubernetes IOM entities identified by the provided IDs
SearchKubernetesIoms	Search Kubernetes IOMs by the provided search criteria. this endpoint returns a list of Kubernetes IOM UUIDs matching the query
GetAWSAccountsMixin0	Provides a list of AWS accounts.
CreateAWSAccount	Creates a new AWS account in our system for a customer and generates the installation script
DeleteAWSAccountsMixin0	Delete AWS accounts.
UpdateAWSAccount	Updates the AWS account per the query parameters provided
ListAzureAccounts	Provides the azure subscriptions registered to Kubernetes Protection
CreateAzureSubscription	Creates a new Azure Subscription in our system
DeleteAzureSubscription	Deletes a new Azure Subscription in our system
GetLocations	Provides the cloud locations acknowledged by the Kubernetes Protection service
GetCombinedCloudClusters	Return a combined list of provisioned cloud accounts and known kubernetes clusters.
GetAzureTenantConfig	Return the azure tenant config.
GetStaticScripts	Gets static bash scripts that are used during registration.
GetAzureTenantIDs	Provides all the azure subscriptions and tenants.
GetAzureInstallScript	Provides the script to run for a given tenant id and subscription IDs.
GetHelmValuesYaml	Provides a sample Helm values.yaml file for a customer to install alongside the agent Helm chart
RegenerateAPIKey	Regenerate API key for docker registry integrations
GetClusters	Provides the clusters acknowledged by the Kubernetes Protection service
TriggerScan	Triggers a dry run or a full scan of a customer's kubernetes footprint
PatchAzureServicePrincipal	Adds the client ID for the given tenant ID to our system

MalQuery

Operation ID	Description
GetMalQueryQuotasV1	Get information about search and download quotas in your environment
PostMalQueryFuzzySearchV1	Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity.
GetMalQueryDownloadV1	Download a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time
GetMalQueryMetadataV1	Retrieve indexed files metadata by their hash
GetMalQueryRequestV1	Check the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time.
GetMalQueryEntitiesSamplesFetchV1	Fetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing
PostMalQueryEntitiesSamplesMultidownloadV1	Schedule samples for download. Use the result id with the /request endpoint to check if the download is ready after which you can call the /entities/samples-fetch to get the zip
PostMalQueryExactSearchV1	Search Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. You can filter results on criteria such as file type, file size and first seen date. Returns a request id which can be used with the /request endpoint
PostMalQueryHuntV1	Schedule a YARA-based search for execution. Returns a request id which can be used with the /request endpoint

Message Center

Operation ID	Description
AggregateCases	Retrieve aggregate case values based on the matched filter
GetCaseActivityByIds	Retrieve activities for given id's
CaseAddActivity	Add an activity to case. Only activities of type comment are allowed via API
CaseDownloadAttachment	retrieves an attachment for the case, given the attachment id
CaseAddAttachment	Upload an attachment for the case.
CreateCase	create a new case
CreateCaseV2	create a new case
UpdateCase	update an existing case
GetCaseEntitiesByIDs	Retrieve message center cases
QueryActivityByCaseID	Retrieve activities id's for a case
QueryCasesIdsByFilter	Retrieve case id's that match the provided filter criteria

ML Exclusions

Operation ID	Description
getMLExclusionsV1	Get a set of ML Exclusions by specifying their IDs
createMLExclusionsV1	Create the ML exclusions
deleteMLExclusionsV1	Delete the ML exclusions by id
updateMLExclusionsV1	Update the ML exclusions
queryMLExclusionsV1	Search for ML exclusions.

Mobile Enrollment

Operation ID	Description
RequestDeviceEnrollmentV3	Trigger on-boarding process for a mobile device.
RequestDeviceEnrollmentV4	Trigger on-boarding process for a mobile device.

MSSP (Flight Control)

Operation ID	Description
getChildrenV2	Get link to child customer by child CID(s)
getChildren	Get link to child customer by child CID(s)
getCIDGroupMembersBy	Get CID group members by CID group ID.
getCIDGroupMembersByV2	Get CID group members by CID Group ID.
addCIDGroupMembers	Add new CID Group member.
deleteCIDGroupMembers	Delete CID Group members entry.
getCIDGroupById	Get CID groups by ID.
getCIDGroupMembersByV2	Get CID group members by CID Group ID.
createCIDGroups	Create new CID Group(s). Maximum 500 CID Group(s) allowed.
deleteCIDGroups	Delete CID groups by ID.
updateCIDGroups	Update existing CID Group(s). CID Group ID is expected for each CID Group definition provided in request body. CID Group member(s) remain unaffected.
getCIDGroupByIdV2	Get CID Groups by ID.
getRolesByID	Get MSSP Role assignment(s). MSSP Role assignment is of the format :.
addRole	Assign new MSSP Role(s) between User Group and CID Group. It does not revoke existing role(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request.
deletedRoles	Delete MSSP Role assignment(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request. Only specified roles are removed if specified in request payload, else association between User Group and CID Group is dissolved completely (if no roles specified).
getUserGroupMembersByID	Get user group members by user group ID.
addUserGroupMembers	Add new User Group member. Maximum 500 members allowed per User Group.
deleteUserGroupMembers	Delete User Group members entry.
getUserGroupMembersByIDV2	Get user group members by user group ID.
getUserGroupsByID	Get user groups by ID.
getUserGroupsByIDV2	Get user groups by ID.
createUserGroups	Create new User Group(s). Maximum 500 User Group(s) allowed per customer.
deleteUserGroups	Delete user groups by ID.
updateUserGroups	Update existing User Group(s). User Group ID is expected for each User Group definition provided in request body. User Group member(s) remain unaffected.
queryChildren	Query for customers linked as children
queryCIDGroupMembers	Query a CID groups members by associated CID.
queryCIDGroups	Query CID Groups.
queryRoles	Query links between user groups and CID groups. At least one of CID group ID or user group ID should also be provided. Role ID is optional.
queryUserGroupMembers	Query User Group member by User UUID.
queryUserGroups	Query User Groups.

OAuth2

Operation ID	Description
oauth2RevokeToken	Revoke a previously issued OAuth2 access token before the end of its standard 30-minute lifespan.
oauth2AccessToken	Generate an OAuth2 access token

ODS (On Demand Scan)

Operation ID	Description
aggregate_query_scan_host_metadata	Get aggregates on ODS scan-hosts data.
aggregate_scans	Get aggregates on ODS scan data.
aggregate_scheduled_scans	Get aggregates on ODS scheduled-scan data.
get_malicious_files_by_ids	Get malicious files by ids.
cancel_scans	Cancel ODS scans for the given scan ids.
get_scan_host_metadata_by_ids	Get scan hosts by ids.
get_scans_by_scan_ids	Get Scans by IDs.
create_scan	Create ODS scan and start or schedule scan for the given scan request.
get_scans_by_scan_ids_v2	Get Scans by IDs.
get_scheduled_scans_by_scan_ids	Get ScheduledScans by IDs.
schedule_scan	Create ODS scan and start or schedule scan for the given scan request.
delete_scheduled_scans	Delete ODS scheduled-scans for the given scheduled-scan ids.
query_malicious_files	Query malicious files.
query_scan_host_metadata	Query scan hosts.
query_scans	Query Scans.
query_scheduled_scans	Query ScheduledScans.

Overwatch Dashboard

Operation ID	Description
AggregatesDetectionsGlobalCounts	Get the total number of detections pushed across all customers
AggregatesEventsCollections	Get OverWatch detection event collection info by providing an aggregate query
AggregatesEvents	Get aggregate OverWatch detection event info by providing an aggregate query
AggregatesIncidentsGlobalCounts	Get the total number of incidents pushed across all customers
AggregatesOWEventsGlobalCounts	Get the total number of OverWatch events across all customers

Prevention Policies

Operation ID	Description
queryCombinedPreventionPolicyMembers	Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedPreventionPolicies	Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria
performPreventionPoliciesAction	Perform the specified action on the Prevention Policies specified in the request
setPreventionPoliciesPrecedence	Sets the precedence of Prevention Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
getPreventionPolicies	Retrieve a set of Prevention Policies by specifying their IDs
createPreventionPolicies	Create Prevention Policies by specifying details about the policy to create
deletePreventionPolicies	Delete a set of Prevention Policies by specifying their IDs
updatePreventionPolicies	Update Prevention Policies by specifying the ID of the policy and details to update
queryPreventionPolicyMembers	Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryPreventionPolicies	Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policy IDs which match the filter criteria

Quarantine

Operation ID	Description
ActionUpdateCount	Returns count of potentially affected quarantined files for each action.
GetAggregateFiles	Get quarantine file aggregates as specified via json in request body.
GetQuarantineFiles	Get quarantine file metadata for specified ids.
UpdateQuarantinedDetectsByIds	Apply action by quarantine file ids
QueryQuarantineFiles	Get quarantine file ids that match the provided filter criteria.
UpdateQfByQuery	Apply quarantine file actions by query.

Quick Scan

Operation ID	Description
GetScansAggregates	Get scans aggregations as specified via json in request body.
GetScans	Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute
ScanSamples	Submit a volume of files for ml scanning. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute
QuerySubmissionsMixin0	Find IDs for submitted scans by providing a FQL filter and paging details. Returns a set of volume IDs that match your criteria.

Real Time Response

Operation ID	Description
RTR_AggregateSessions	Get aggregates on session data.
BatchActiveResponderCmd	Batch executes a RTR active-responder command across the hosts mapped to the given batch ID.
BatchCmd	Batch executes a RTR read-only command across the hosts mapped to the given batch ID.
BatchGetCmdStatus	Retrieves the status of the specified batch get command. Will return successful files when they are finished processing.
BatchGetCmd	Batch executes `get` command across hosts to retrieve files. After this call is made `GET /real-time-response/combined/batch-get-command/v1` is used to query for the results.
BatchInitSessions	Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host.
BatchRefreshSessions	Batch refresh a RTR session on multiple hosts. RTR sessions will expire after 10 minutes unless refreshed.
RTR_CheckActiveResponderCommandStatus	Get status of an executed active-responder command on a single host.
RTR_ExecuteActiveResponderCommand	Execute an active responder command on a single host.
RTR_CheckCommandStatus	Get status of an executed command on a single host.
RTR_ExecuteCommand	Execute a command on a single host.
RTR_GetExtractedFileContents	Get RTR extracted file contents for specified session and sha256.
RTR_ListFiles	Get a list of files for the specified RTR session.
RTR_ListFilesV2	Get a list of files for the specified RTR session. (Expanded output detail)
RTR_DeleteFile	Delete a RTR session file.
RTR_DeleteFileV2	Delete a RTR session file. (Expanded output detail. Use with RTR_ListFilesV2.)
RTR_ListQueuedSessions	Get queued session metadata by session ID.
RTR_DeleteQueuedSession	Delete a queued session command
RTR_PulseSession	Refresh a session timeout on a single host.
RTR_ListSessions	Get session metadata by session id.
RTR_InitSession	Initialize a new session with the RTR cloud.
RTR_DeleteSession	Delete a session.
RTR_ListAllSessions	Get a list of session_ids.

Real Time Response Admin

Operation ID	Description
BatchAdminCmd	Batch executes a RTR administrator command across the hosts mapped to the given batch ID.
RTR_CheckAdminCommandStatus	Get status of an executed RTR administrator command on a single host.
RTR_ExecuteAdminCommand	Execute a RTR administrator command on a single host.
RTR_GetFalconScripts	Get Falcon scripts with metadata and content of script
RTR_GetPut_Files	Get put-files based on the ID's given. These are used for the RTR `put` command.
RTR_GetPut_FilesV2	Get put-files based on the ID's given. These are used for the RTR `put` command.
RTR_CreatePut_Files	Upload a new put-file to use for the RTR `put` command.
RTR_DeletePut_Files	Delete a put-file based on the ID given. Can only delete one file at a time.
RTR_GetScripts	Get custom-scripts based on the ID's given. These are used for the RTR `runscript` command.
RTR_GetScriptsV2	Get custom-scripts based on the ID's given. These are used for the RTR `runscript` command.
RTR_CreateScripts	Upload a new custom-script to use for the RTR `runscript` command.
RTR_DeleteScripts	Delete a custom-script based on the ID given. Can only delete one script at a time.
RTR_UpdateScripts	Upload a new scripts to replace an existing one.
RTR_ListFalconScripts	Get a list of Falcon script IDs available to the user to run
RTR_ListPut_Files	Get a list of put-file ID's that are available to the user for the `put` command.
RTR_ListScripts	Get a list of custom-script ID's that are available to the user for the `runscript` command.

Real Time Response Audit

Operation ID	Description
RTRAuditSessions	Get all RTR sessions created for a customer during a specified time period.

Recon

Operation ID	Description
AggregateNotificationsExposedDataRecordsV1	Get notification exposed data record aggregates as specified via JSON in request body. The valid aggregation fields are: [notification_id created_date rule.id rule.name rule.topic source_category site author]
AggregateNotificationsV1	Get notification aggregates as specified via JSON in request body.
PreviewRuleV1	Preview rules notification count and distribution. This will return aggregations on: channel, count, site.
GetActionsV1	Get actions based on their IDs. IDs can be retrieved using the GET /queries/actions/v1 endpoint.
CreateActionsV1	Create actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule.
DeleteActionV1	Delete an action from a monitoring rule based on the action ID.
UpdateActionV1	Update an action for a monitoring rule.
GetFileContentForExportJobsV1	Download the file associated with a job ID.
GetExportJobsV1	Get the status of export jobs based on their IDs. Export jobs can be launched by calling POST /entities/exports/v1. When a job is complete, use the job ID to download the file(s) associated with it using GET entities/export-files/v1.
CreateExportJobsV1	Launch asynchronous export job. Use the job ID to poll the status of the job using GET /entities/exports/v1.
DeleteExportJobsV1	Delete export jobs (and their associated file(s)) based on their IDs.
GetNotificationsDetailedTranslatedV1	Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.This endpoint will return translated notification content. The only target language available is English. A single notification can be translated per request
GetNotificationsDetailedV1	Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.
GetNotificationsExposedDataRecordsV1	Get notifications exposed data records based on their IDs. IDs can be retrieved using the GET /queries/notifications-exposed-data-records/v1 endpoint. The associate notification can be fetched using the /entities/notifications/v* endpoints
GetNotificationsTranslatedV1	Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. This endpoint will return translated notification content. The only target language available is English.
GetNotificationsV1	Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint.
DeleteNotificationsV1	Delete notifications based on IDs. Notifications cannot be recovered after they are deleted.
UpdateNotificationsV1	Update notification status or assignee. Accepts bulk requests
GetRulesV1	Get monitoring rules rules by provided IDs.
CreateRulesV1	Create monitoring rules.
DeleteRulesV1	Delete monitoring rules.
UpdateRulesV1	Update monitoring rules.
QueryActionsV1	Query actions based on provided criteria. Use the IDs from this response to get the action entities on GET /entities/actions/v1.
QueryNotificationsExposedDataRecordsV1	Query notifications exposed data records based on provided criteria. Use the IDs from this response to get the notification +entities on GET /entities/notifications-exposed-data-records/v1
QueryNotificationsV1	Query notifications based on provided criteria. Use the IDs from this response to get the notification entities on GET /entities/notifications/v1 or GET /entities/notifications-detailed/v1.
QueryRulesV1	Query monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on /entities/rules/v1.

Report Executions

Operation ID	Description
report_executions_download_get	Get report entity download
report_executions_retry	This endpoint will be used to retry report executions
report_executions_get	Retrieve report details for the provided report IDs.
report_executions_query	Find all report execution IDs matching the query with filter

Response Policies

Operation ID	Description
queryCombinedRTResponsePolicyMembers	Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedRTResponsePolicies	Search for Response Policies in your environment by providing a FQL filter and paging details. Returns a set of Response Policies which match the filter criteria
performRTResponsePoliciesAction	Perform the specified action on the Response Policies specified in the request
setRTResponsePoliciesPrecedence	Sets the precedence of Response Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
getRTResponsePolicies	Retrieve a set of Response Policies by specifying their IDs
createRTResponsePolicies	Create Response Policies by specifying details about the policy to create
deleteRTResponsePolicies	Delete a set of Response Policies by specifying their IDs
updateRTResponsePolicies	Update Response Policies by specifying the ID of the policy and details to update
queryRTResponsePolicyMembers	Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryRTResponsePolicies	Search for Response Policies in your environment by providing a FQL filter with sort and/or paging details. This returns a set of Response Policy IDs that match the given criteria.

Sample Uploads

Operation ID	Description
ArchiveListV1	Retrieves the archives files in chunks.
ArchiveGetV1	Retrieves the archives upload operation statuses. Status `done` means that archive was processed successfully. Status `error` means that archive was not processed successfully.
ArchiveUploadV1	Uploads an archive and extracts files list from it. Operation is asynchronous use `/archives/entities/archives/v1` to check the status. After uploading, use `/archives/entities/extractions/v1` to copy the file to internal storage making it available for content analysis.
This method is deprecated in favor of `/archives/entities/archives/v2`
ArchiveDeleteV1	Delete an archive that was uploaded previously
ArchiveUploadV2	Uploads an archive and extracts files list from it. Operation is asynchronous use `/archives/entities/archives/v1` to check the status. After uploading, use `/archives/entities/extractions/v1` to copy the file to internal storage making it available for content analysis.
ExtractionListV1	Retrieves the files extractions in chunks. Status `done` means that all files were processed successfully. Status `error` means that at least one of the file could not be processed.
ExtractionGetV1	Retrieves the files extraction operation statuses. Status `done` means that all files were processed successfully. Status `error` means that at least one of the file could not be processed.
ExtractionCreateV1	Extracts files from an uploaded archive and copies them to internal storage making it available for content analysis.
GetSampleV3	Retrieves the file associated with the given ID (SHA256)
UploadSampleV3	Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint.
DeleteSampleV3	Removes a sample, including file, meta and submissions from the collection

Scheduled Reports

Operation ID	Description
scheduled_reports_launch	Launch scheduled reports executions for the provided report IDs.
scheduled_reports_get	Retrieve scheduled reports for the provided report IDs.
scheduled_reports_query	Find all report IDs matching the query with filter

Sensor Download

Operation ID	Description
GetCombinedSensorInstallersByQuery	Get sensor installer details by provided query
GetCombinedSensorInstallersByQueryV2	Get sensor installer details by provided query
DownloadSensorInstallerById	Download sensor installer by SHA256 ID
DownloadSensorInstallerByIdV2	Download sensor installer by SHA256 ID
GetSensorInstallersEntities	Get sensor installer details by provided SHA256 IDs
GetSensorInstallersEntitiesV2	Get sensor installer details by provided SHA256 IDs
GetSensorInstallersCCIDByQuery	Get CCID to use with sensor installers
GetSensorInstallersByQuery	Get sensor installer IDs by provided query
GetSensorInstallersByQueryV2	Get sensor installer IDs by provided query

Sensor Update Policies

Operation ID	Description
revealUninstallToken	Reveals an uninstall token for a specific device. To retrieve the bulk maintenance token pass the value 'MAINTENANCE' as the value for 'device_id'
queryCombinedSensorUpdateBuilds	Retrieve available builds for use with Sensor Update Policies
queryCombinedSensorUpdateKernels	Retrieve kernel compatibility info for Sensor Update Builds
queryCombinedSensorUpdatePolicyMembers	Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedSensorUpdatePolicies	Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria
queryCombinedSensorUpdatePoliciesV2	Search for Sensor Update Policies with additional support for uninstall protection in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria
performSensorUpdatePoliciesAction	Perform the specified action on the Sensor Update Policies specified in the request
setSensorUpdatePoliciesPrecedence	Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
getSensorUpdatePolicies	Retrieve a set of Sensor Update Policies by specifying their IDs
createSensorUpdatePolicies	Create Sensor Update Policies by specifying details about the policy to create
deleteSensorUpdatePolicies	Delete a set of Sensor Update Policies by specifying their IDs
updateSensorUpdatePolicies	Update Sensor Update Policies by specifying the ID of the policy and details to update
getSensorUpdatePoliciesV2	Retrieve a set of Sensor Update Policies with additional support for uninstall protection by specifying their IDs
createSensorUpdatePoliciesV2	Create Sensor Update Policies by specifying details about the policy to create with additional support for uninstall protection
updateSensorUpdatePoliciesV2	Update Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection
querySensorUpdateKernelsDistinct	Retrieve kernel compatibility info for Sensor Update Builds
querySensorUpdatePolicyMembers	Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
querySensorUpdatePolicies	Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policy IDs which match the filter criteria

Sensor Visibility Exclusions

Operation ID	Description
getSensorVisibilityExclusionsV1	Get a set of Sensor Visibility Exclusions by specifying their IDs
createSVExclusionsV1	Create the sensor visibility exclusions
deleteSensorVisibilityExclusionsV1	Delete the sensor visibility exclusions by id
updateSensorVisibilityExclusionsV1	Update the sensor visibility exclusions
querySensorVisibilityExclusionsV1	Search for sensor visibility exclusions.

Spotlight Evaluation Logic

Operation ID	Description
combinedQueryEvaluationLogic	Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic entities which match the filter criteria.
getEvaluationLogic	Get details on evaluation logic items by providing one or more IDs.
queryEvaluationLogic	Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic IDs which match the filter criteria.

Spotlight Vulnerabilities

Operation ID	Description
combinedQueryVulnerabilities	Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria
getRemediationsV2	Get details on remediation by providing one or more IDs
getVulnerabilities	Get details on vulnerabilities by providing one or more IDs
queryVulnerabilities	Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria

Tailored Intelligence

Operation ID	Description
GetEventsBody	Get event body for the provided event ID
GetEventsEntities	Get events entities for specified ids.
QueryEvents	Get events ids that match the provided filter criteria.
GetRulesEntities	Get rules entities for specified ids.
QueryRules	Get rules ids that match the provided filter criteria.

ThreatGraph

Operation ID	Description
combined_edges_get	Retrieve edges for a given vertex id. One edge type must be specified
combined_ran_on_get	Look up instances of indicators such as hashes, domain names, and ip addresses that have been seen on devices in your environment.
combined_summary_get	Retrieve summary for a given vertex ID
entities_vertices_get	Retrieve metadata for a given vertex ID
entities_vertices_getv2	Retrieve metadata for a given vertex ID
queries_edgetypes_get	Show all available edge types

Unidentified Containers

Operation ID	Description
ReadUnidentifiedContainersByDateRangeCount	Returns the count of Unidentified Containers over the last 7 days
ReadUnidentifiedContainersCount	Returns the total count of Unidentified Containers over a time period
SearchAndReadUnidentifiedContainers	Search Unidentified Containers by the provided search criteria

User Management

Operation ID	Description
combinedUserRolesV1	Get User Grant(s). This endpoint lists both direct as well as flight control grants between a User and a Customer.
entitiesRolesV1	Get info about a role
userActionV1	Apply actions to one or more User. Available action names: reset_2fa, reset_password. User UUIDs can be provided in `ids` param as part of request payload.
userRolesActionV1	Grant or Revoke one or more role(s) to a user against a CID. User UUID, CID and Role ID(s) can be provided in request payload. Available Action(s) : grant, revoke
retrieveUsersGETV1	Get info about users including their name, UID and CID by providing user UUIDs
createUserV1	Create a new user. After creating a user, assign one or more roles with POST '/user-management/entities/user-role-actions/v1'
deleteUserV1	Delete a user permanently.
updateUserV1	Modify an existing user's first or last name.
queriesRolesV1	Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to `/user-management/entities/roles/v1`.
queryUserV1	List user IDs for all users in your customer account. For more information on each user, provide the user ID to `/user-management/entities/users/GET/v1`.
GetRoles	Deprecated : Please use GET /user-management/entities/roles/v1. Get info about a role
GrantUserRoleIds	Deprecated : Please use POST /user-management/entities/user-role-actions/v1. Assign one or more roles to a user
RevokeUserRoleIds	Deprecated : Please use POST /user-management/entities/user-role-actions/v1. Revoke one or more roles from a user
GetAvailableRoleIds	Deprecated : Please use GET /user-management/queries/roles/v1. Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to `/customer/entities/roles/v1`.
GetUserRoleIds	Deprecated : Please use GET /user-management/combined/user-roles/v1. Show role IDs of roles assigned to a user. For more information on each role, provide the role ID to `/customer/entities/roles/v1`.
retrieveUser	Deprecated : Please use POST /user-management/entities/users/GET/v1. Get info about a user
CreateUser	Deprecated : Please use POST /user-management/entities/users/v1. Create a new user. After creating a user, assign one or more roles with POST /user-roles/entities/user-roles/v1
DeleteUser	Deprecated : Please use DELETE /user-management/entities/users/v1. Delete a user permanently
UpdateUser	Deprecated : Please use PATCH /user-management/entities/users/v1. Modify an existing user's first or last name
RetrieveEmailsByCID	Deprecated : Please use POST /user-management/entities/users/GET/v1. List the usernames (usually an email address) for all users in your customer account
RetrieveUserUUIDsByCID	Deprecated : Please use GET /user-management/queries/users/v1. List user IDs for all users in your customer account. For more information on each user, provide the user ID to `/users/entities/user/v1`.
RetrieveUserUUID	Deprecated : Please use GET /user-management/queries/users/v1. Get a user's ID by providing a username (usually an email address)

Workflows

Operation ID	Description
WorkflowExecute	Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response the execution ID(s).
WorkflowExecuteInternal	Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response the execution ID(s).
WorkflowMockExecute	Executes an on-demand Workflow with mocks.
WorkflowExecutionsAction	Allows a user to resume/retry a failed workflow execution.
WorkflowExecutionResults	Get execution result of a given execution.
WorkflowSystemDefinitionsDeProvision	Deprovisions a system definition that was previously provisioned on the target CID.
WorkflowSystemDefinitionsPromote	Promote a version of a system definition.
WorkflowSystemDefinitionsProvision	Provisions a system definition onto the target CID by using the template and provided parameters.
WorkflowActivitiesCombined	Search workflow activities based on the provided filter
WorkflowDefinitionsCombined	Search workflow definitions based on the provided filter
WorkflowExecutionsCombined	Search workflow executions based on the provided filter
WorkflowTriggersCombined	Search workflow triggers based on the provided filter
WorkflowDefinitionsExport	Exports a workflow definition for the given definition ID
WorkflowDefinitionsImport	Imports a workflow definition based on the provided model
WorkflowDefinitionsUpdate	Updates a workflow definition based on the provided model.
WorkflowGetHumanInputV1	Gets one or more specific human inputs by their IDs.
WorkflowUpdateHumanInputV1	Provides an input in response to a human input action. Depending on action configuration, one or more of Approve, Decline, and/or Escalate are permitted.

Zero Trust Assessment

Operation ID	Description
getAssessmentV1	Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID) and a customer ID (CID).
getAuditV1	Get the Zero Trust Assessment audit report for one customer ID (CID).
getAssessmentsByScoreV1	Get Zero Trust Assessment data for one or more hosts by providing a customer ID (CID) and a range of scores.

Home
Discussions Board
Glossary of Terms
Installation, Upgrades and Removal
Samples Collection
Using FalconPy
API Operations
Service Collections
Documentation Support
- Report broken link
- Report documentation error
CrowdStrike SDKs
- Crimson Falcon - Ruby
- FalconPy - Python 3
- FalconJS - Javascript
- goFalcon - Go
- PSFalcon - Powershell
- Rusty Falcon - Rust

CrowdStrike Falcon