All Operations - CrowdStrike/falconpy GitHub Wiki

CrowdStrike Falcon CrowdStrike Subreddit

Total Service Collections Total Operations Documentation Version Page Updated

Alphabetical list of all CrowdStrike OAuth2 API operations

Operation ID Service Collection Description
action_get_v1 IOC Get Actions by ids.
action_query_v1 IOC Query Actions.
ActionUpdateCount Quarantine Returns count of potentially affected quarantined files for each action.
addCIDGroupMembers MSSP (Flight Control) Add new CID group member.
addRole MSSP (Flight Control) Create a link between user group and CID group, with zero or more additional roles. The call does not replace any existing link between them. User group ID and CID group ID have to be specified in request.
addUserGroupMembers MSSP (Flight Control) Add new user group member. Maximum 500 members allowed per user group.
aggregate_events Firewall Management Aggregate events for customer
aggregate_external_assets Exposure Management Returns external assets aggregates.
aggregate_policy_rules Firewall Management Aggregate rules within a policy for customer
aggregate_query_scan_host_metadata ODS Get aggregates on ODS scan-hosts data.
aggregate_rule_groups Firewall Management Aggregate rule groups for customer
aggregate_rules Firewall Management Aggregate rules for customer
aggregate_scans ODS Get aggregates on ODS scan data.
aggregate_scheduled_scans ODS Get aggregates on ODS scheduled-scan data.
AggregateAlerts Falcon Complete Dashboard Retrieve aggregate alerts values based on the matched filter
AggregateAllowList Falcon Complete Dashboard Retrieve aggregate allowlist ticket values based on the matched filter
AggregateBlockList Falcon Complete Dashboard Retrieve aggregate blocklist ticket values based on the matched filter
AggregateCases Message Center Retrieve aggregate case values based on the matched filter
AggregateDetections Falcon Complete Dashboard Retrieve aggregate detection values based on the matched filter
AggregateDeviceCountCollection Falcon Complete Dashboard Retrieve aggregate host/devices count based on the matched filter
AggregateEscalations Falcon Complete Dashboard Retrieve aggregate escalation ticket values based on the matched filter
AggregateFCIncidents Falcon Complete Dashboard Retrieve aggregate incident values based on the matched filter
AggregateImageAssessmentHistory Container Images Image assessment history
AggregateImageCount Container Images Aggregate count of images
AggregateImageCountByBaseOS Container Images Aggregate count of images grouped by Base OS distribution
AggregateImageCountByState Container Images Aggregate count of images grouped by state
AggregateNotificationsExposedDataRecordsV1 Recon Get notification exposed data record aggregates as specified via JSON in request body. The valid aggregation fields are: [cid notification_id created_date rule.id rule.name rule.topic source_category site author file.name credential_status bot.operating_system.hardware_id bot.bot_id]
AggregateNotificationsV1 Recon Get notification aggregates as specified via JSON in request body.
AggregatePreventionPolicy Falcon Complete Dashboard Retrieve prevention policies aggregate values based on the matched filter
AggregateRemediations Falcon Complete Dashboard Retrieve aggregate remediation ticket values based on the matched filter
AggregatesDetectionsGlobalCounts Overwatch Dashboard Get the total number of detections pushed across all customers
AggregateSensorUpdatePolicy Falcon Complete Dashboard Retrieve sensor update policies aggregate values
AggregateSupportIssues Falcon Complete Dashboard Retrieve support issue aggregate values
AggregatesEvents Overwatch Dashboard Get aggregate OverWatch detection event info by providing an aggregate query
AggregatesEventsCollections Overwatch Dashboard Get OverWatch detection event collection info by providing an aggregate query
AggregatesIncidentsGlobalCounts Overwatch Dashboard Get the total number of incidents pushed across all customers
AggregatesOWEventsGlobalCounts Overwatch Dashboard Get the total number of OverWatch events across all customers
AggregateTotalDeviceCounts Falcon Complete Dashboard Retrieve aggregate total host/devices based on the matched filter
api_preempt_proxy_post_graphql Identity Protection Identity Protection GraphQL API. Allows to retrieve entities, timeline activities, identity-based incidents and security assessment. Allows to perform actions on entities and identity-based incidents.
ArchiveDeleteV1 Sample Uploads Delete an archive that was uploaded previously
ArchiveGetV1 Sample Uploads Retrieves the archives upload operation statuses. Status done means that archive was processed successfully. Status error means that archive was not processed successfully.
ArchiveListV1 Sample Uploads Retrieves the archives files in chunks.
ArchiveUploadV1 Sample Uploads Uploads an archive and extracts files list from it. Operation is asynchronous use /archives/entities/archives/v1 to check the status. After uploading, use /archives/entities/extractions/v1 to copy the file to internal storage making it available for content analysis. This method is deprecated in favor of /archives/entities/archives/v2
ArchiveUploadV2 Sample Uploads Uploads an archive and extracts files list from it. Operation is asynchronous use /archives/entities/archives/v1 to check the status. After uploading, use /archives/entities/extractions/v1 to copy the file to internal storage making it available for content analysis.
audit_events_query Installation Tokens Search for audit events by providing a FQL filter and paging details.
audit_events_read Installation Tokens Gets the details of one or more audit events by id.
AzureDownloadCertificate CSPM Registration Returns JSON object(s) that contain the base64 encoded certificate for a service principal.
BatchActiveResponderCmd Real Time Response Batch executes a RTR active-responder command across the hosts mapped to the given batch ID.
BatchAdminCmd Real Time Response Admin Batch executes a RTR administrator command across the hosts mapped to the given batch ID.
BatchCmd Real Time Response Batch executes a RTR read-only command across the hosts mapped to the given batch ID.
BatchGetCmd Real Time Response Batch executes get command across hosts to retrieve files. After this call is made GET /real-time-response/combined/batch-get-command/v1 is used to query for the results.
BatchGetCmdStatus Real Time Response Retrieves the status of the specified batch get command. Will return successful files when they are finished processing.
BatchInitSessions Real Time Response Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host.
BatchRefreshSessions Real Time Response Batch refresh a RTR session on multiple hosts. RTR sessions will expire after 10 minutes unless refreshed.
blob_download_external_assets Exposure Management Download the entire contents of the blob. The relative link to this endpoint is returned in the get_external_assets request.
blob_preview_external_assets Exposure Management Download a preview of the blob. The relative link to this endpoint is returned in the get_external_assets request.
cancel_scans ODS Cancel ODS scans for the given scan ids.
CaseAddActivity Message Center Add an activity to case. Only activities of type comment are allowed via API
CaseAddAttachment Message Center Upload an attachment for the case.
CaseDownloadAttachment Message Center retrieves an attachment for the case, given the attachment id
cb_exclusions_create_v1 Certificate Based Exclusions Create new Certificate Based Exclusions.
cb_exclusions_delete_v1 Certificate Based Exclusions Delete the exclusions by id
cb_exclusions_get_v1) Certificate Based Exclusions Find all exclusion IDs matching the query with filter
cb_exclusions_update_v1 Certificate Based Exclusions Updates existing Certificate Based Exclusions
cb_exclusions_query_v1 Certificate Based Exclusions Search for cert-based exclusions.
certificates_get_v1 Certificate Based Exclusions Retrieves certificate signing information for a file
combined_applications Discover Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns details on applications which match the filter criteria.
CombinedBaseImages Container Images Retrieve base images identified by the provided filter criteria
combined_edges_get ThreatGraph Retrieve edges for a given vertex id. One edge type must be specified
combined_hosts Discover Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns details on assets which match the filter criteria.
CombinedImageByVulnerabilityCount Container Images Retrieve top x images with the most vulnerabilities
CombinedImageDetail Container Images Retrieve image entities identified by the provided filter criteria
CombinedImageIssuesSummary Container Images Retrieve image issues summary such as Image detections, Runtime detections, Policies, vulnerabilities
CombinedImageVulnerabilitySummary Container Images aggregates information about vulnerabilities for an image
combinedQueryEvaluationLogic Spotlight Evaluation Logic Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic entities which match the filter criteria.
combinedQueryVulnerabilities Spotlight Vulnerabilities Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria
combined_ran_on_get ThreatGraph Look up instances of indicators such as hashes, domain names, and ip addresses that have been seen on devices in your environment.
combined_summary_get ThreatGraph Retrieve summary for a given vertex ID
combinedUserRolesV1 User Management Get User Grant(s). This endpoint lists both direct as well as flight control grants between a User and a Customer.
ConnectCSPMGCPAccount CSPM Registration Creates a new GCP account with newly-uploaded service account or connects with existing service account with only the following fields: parent_id, parent_type and service_account_id
ConnectD4CGCPAccount D4C Registration Creates a new GCP account with newly-uploaded service account or connects with existing service account with only the following fields: parent_id, parent_type and service_account_id
create_network_locations Firewall Management Create new network locations provided, and return the ID.
create_rule Custom IOA Create a rule within a rule group. Returns the rule.
create_rule_group Firewall Management Create new rule group on a platform for a customer with a name and description, and return the ID
create_rule_group_validation Firewall Management Validates the request of creating a new rule group on a platform for a customer with a name and description
create_rule_groupMixin0 Custom IOA Create a rule group for a platform with a name and an optional description. Returns the rule group.
create_scan ODS Create ODS scan and start or schedule scan for the given scan request.
CreateActionsV1 Recon Create actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule.
CreateAWSAccount Kubernetes Protection Creates a new AWS account in our system for a customer and generates the installation script
CreateAzureSubscription Kubernetes Protection Creates a new Azure Subscription in our system
CreateBaseImagesEntities Container Images Creates base images using the provided details
CreateCase Message Center create a new case
CreateCaseV2 Message Center create a new case
createCIDGroups MSSP (Flight Control) Create new CID groups. Name is a required field but description is an optional field. Maximum 500 CID groups allowed.
CreateCSPMAwsAccount CSPM Registration Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access.
CreateCSPMAzureAccount CSPM Registration Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.
CreateCSPMGCPAccount CSPM Registration Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access.
CreateD4CAwsAccount D4C Registration Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access.
CreateD4CGCPAccount D4C Registration Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access.
CreateDeploymentEntity Cloud Snapshots Launch a snapshot scan for a given cloud asset.
createDeviceControlPolicies Device Control Policies Create Device Control Policies by specifying details about the policy to create
CreateDiscoverCloudAzureAccount D4C Registration Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.
CreateExecutorNode ASPM Create a new relay node
CreateExportJobsV1 Recon Launch asynchronous export job. Use the job ID to poll the status of the job using GET /entities/exports/v1.
createFirewallPolicies Firewall Policies Create Firewall Policies by specifying details about the policy to create
createHostGroups Host Group Create Host Groups by specifying details about the group to create
CreateIntegration ASPM Create a new integration
CreateIntegrationTask ASPM Create new integration task.
createIOAExclusionsV1 IOA Exclusions Create the IOA exclusions
CreateMigrationV1 Host Migration Create a device migration job.
createMLExclusionsV1 ML Exclusions Create the ML exclusions
CreateOrUpdateAWSSettings Cloud Connect AWS Create or update Global Settings which are applicable to all provisioned AWS accounts
createPolicies Filevantage Creates a new policy of the specified type. New policies are always added at the end of the precedence list for the provided policy type.
CreatePolicies Image Assessment Policies Create Image Assessment policies
CreatePolicyGroups Image Assessment Policies Create Image Assessment Policy Group entities
createPreventionPolicies Prevention Policy Create Prevention Policies by specifying details about the policy to create
CreateRegistryEntities Falcon Container Image Create a registry entity using the provided details
createRTResponsePolicies Response Policies Create Response Policies by specifying details about the policy to create
createRuleGroups Filevantage Creates a new rule group of the specified type.
createRules Filevantage Creates a new rule configuration within the specified rule group.
CreateRulesV1 Recon Create monitoring rules.
CreateSavedSearchesDynamicExecuteAltV1 Foundry Logscale Execute a dynamic saved search
CreateSavedSearchesDynamicExecuteV1 Foundry Logscale Execute a dynamic saved search
CreateSavedSearchesExecuteAltV1 Foundry Logscale Execute a saved search
CreateSavedSearchesExecuteV1 Foundry Logscale Execute a saved search
CreateSavedSearchesIngestAltV1 Foundry Logscale Populate a saved search
CreateSavedSearchesIngestV1 Foundry Logscale Populate a saved search
createScheduledExclusions Filevantage Creates a new scheduled exclusion configuration for the provided policy id.
createSensorUpdatePolicies Sensor Update Policy Create Sensor Update Policies by specifying details about the policy to create
createSensorUpdatePoliciesV2 Sensor Update Policy Create Sensor Update Policies by specifying details about the policy to create with additional support for uninstall protection
createSVExclusionsV1 Sensor Visibility Exclusions Create the sensor visibility exclusions
CreateUser User Management Deprecated : Please use POST /user-management/entities/users/v1. Create a new user. After creating a user, assign one or more roles with POST /user-roles/entities/user-roles/v1
createUserGroups MSSP (Flight Control) Create new user groups. Name is a required field but description is an optional field. Maximum 500 user groups allowed per customer.
createUserV1 User Management Create a new user. After creating a user, assign one or more roles with POST '/user-management/entities/user-role-actions/v1'
CrowdScore Incidents Query environment wide CrowdScore and return the entity data
customer_settings_read Installation Tokens Check current installation token settings.
customer_settings_update Installation Tokens Settings Update installation token settings.
delete_external_assets Exposure Management Delete multiple external assets.
delete_network_locations Firewall Management Delete network location entities by ID.
delete_policy_rules Identity Protection Delete policy rules.
delete_rule_groups Firewall Management Delete rule group entities by ID
delete_rule_groupsMixin0 Custom IOA Delete rule groups by ID.
delete_rules Custom IOA Delete rules from a rule group by ID.
delete_scheduled_scans ODS Delete ODS scheduled-scans for the given scheduled-scan ids.
DeleteActionV1 Recon Delete an action from a monitoring rule based on the action ID.
DeleteAWSAccounts Cloud Connect AWS Delete a set of AWS Accounts by specifying their IDs
DeleteAWSAccountsMixin0 Kubernetes Protection Delete AWS accounts.
DeleteAzureSubscription Kubernetes Protection Deletes a new Azure Subscription in our system
DeleteBaseImages Container Images Deletes base images by base image UUID
deleteCIDGroupMembers MSSP (Flight Control) Deprecated : Please use DELETE /entities/cid-group-members/v2. Delete CID group members.
deleteCIDGroupMembersV2 MSSP (Flight Control) Delete CID group members. Prevents removal of a cid group a cid group if it is only part of one cid group.
deleteCIDGroups MSSP (Flight Control) Delete CID groups by ID.
DeleteCSPMAwsAccount CSPM Registration Deletes an existing AWS account or organization in our system.
DeleteCSPMAzureAccount CSPM Registration Deletes an Azure subscription from the system.
DeleteD4CAwsAccount D4C Registration Deletes an existing AWS account or organization in our system.
DeleteCSPMAzureManagementGroup CSPM Registration Deletes Azure management groups from the system.
DeleteCSPMGCPAccount CSPM Registration Deletes a GCP account from the system.
DeleteD4CGCPAccount D4C Registration Deletes a GCP account from the system.
deleteDeviceControlPolicies Device Control Policies Delete a set of Device Control Policies by specifying their IDs
deletedRoles MSSP (Flight Control) Delete links or additional roles between user groups and CID groups. User group ID and CID group ID have to be specified in request. Only specified roles are removed if specified in request payload, else association between User Group and CID group is dissolved completely (if no roles specified).
DeleteExportJobsV1 Recon Delete export jobs (and their associated file(s)) based on their IDs.
DeleteExecutorNode ASPM Delete a relay node
DeleteFile Quick Scan Pro Deletes file by its sha256 identifier.
deleteFirewallPolicies Firewall Policies Delete a set of Firewall Policies by specifying their IDs
deleteHostGroups Host Group Delete a set of Host Groups by specifying their IDs
DeleteIntegration ASPM Delete an existing integration by its ID
DeleteIntegrationTask ASPM Delete an existing integration task by its ID
deleteIOAExclusionsV1 IOA Exclusions Delete the IOA exclusions by id
deleteMLExclusionsV1 ML Exclusions Delete the ML exclusions by id
DeleteNotificationsV1 Recon Delete notifications based on IDs. Notifications cannot be recovered after they are deleted.
DeleteObject Custom Storage Delete the specified object
DeleteVersionedObject Custom Storage Delete the specified versioned object.
deletePolicies Filevantage Deletes 1 or more policies.
DeletePolicy Image Assessment Policies Delete Image Assessment Policy by policy UUID
DeletePolicyGroup Image Assessment Policies Delete Image Assessment Policy Group entities
deletePreventionPolicies Prevention Policy Delete a set of Prevention Policies by specifying their IDs
DeleteRegistryEntities Falcon Container Image Delete the registry entity identified by the entity UUID
DeleteReport Falcon Intelligence Sandbox Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint.
deleteRTResponsePolicies Response Policies Delete a set of Response Policies by specifying their IDs
deleteRuleGroups Filevantage Deletes 1 or more rule groups
deleteRules Filevantage Deletes 1 or more rules from the specified rule group.
DeleteRulesV1 Recon Delete monitoring rules.
DeleteSampleV2 Falcon Intelligence Sandbox Removes a sample, including file, meta and submissions from the collection
DeleteSampleV3 Sample Uploads Removes a sample, including file, meta and submissions from the collection
DeleteScanResult Quick Scan Pro Deletes the result of an QuickScan Pro scan.
deleteScheduledExclusions Filevantage Deletes 1 or more scheduled exclusions from the provided policy id.
deleteSensorUpdatePolicies Sensor Update Policy Delete a set of Sensor Update Policies by specifying their IDs
deleteSensorVisibilityExclusionsV1 Sensor Visibility Exclusions Delete the sensor visibility exclusions by id
DeleteTags ASPM Remove existing tags
DeleteUser User Management Deprecated : Please use DELETE /user-management/entities/users/v1. Delete a user permanently
deleteUserGroupMembers MSSP (Flight Control) Delete user group members entry.
deleteUserGroups MSSP (Flight Control) Delete user groups by ID.
deleteUserV1 User Management Delete a user permanently.
DevicesCount IOCs Number of hosts in your customer account that have observed a given custom IOC
DevicesRanOn IOCs Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1
DiscoverCloudAzureDownloadCertificate D4C Registration Returns JSON object(s) that contain the base64 encoded certificate for a service principal.
DownloadFile Downloads Retrieve a pre-signed URL for the requested file.
DownloadSensorInstallerById Sensor Download Download sensor installer by SHA256 ID
DownloadSensorInstallerByIdV2 Sensor Download Download sensor installer by SHA256 ID
entities_perform_action Hosts Performs the specified action on the provided group IDs.
entities_processes IOCs For the provided ProcessID retrieve the process details
entities_vertices_get ThreatGraph Retrieve metadata for a given vertex ID
entities_vertices_getv2 ThreatGraph Retrieve metadata for a given vertex ID
entitiesRolesV1 User Management Get info about a role
EnumerateFile Downloads Enumerate a list of files available for CID.
ExecuteCommand API Integrations Execute a command.
ExecuteCommandProxy API Integrations Execute a command and proxy the response directly.
ExecuteQuery ASPM Execute a query. The syntax used is identical to that of the query page.
extAggregateClusterAssessments Compliance Assessments Get the assessments for each cluster.
extAggregateFailedContainersByRulesPath Compliance Assessments Get the containers grouped into rules on which they failed.
extAggregateFailedContainersCountBySeverity Compliance Assessments Get the failed containers count grouped into severity levels.
extAggregateFailedImagesByRulesPath Compliance Assessments Get the images grouped into rules on which they failed.
extAggregateFailedImagesCountBySeverity Compliance Assessments Get the failed images count grouped into severity levels.
extAggregateFailedRulesByClusters Compliance Assessments Get the failed rules for each cluster grouped into severity levels.
extAggregateFailedRulesByImages Compliance Assessments Get images with failed rules, rule count grouped by severity for each image.
extAggregateFailedRulesCountBySeverity Compliance Assessments Get the failed rules count grouped into severity levels.
extAggregateRulesByStatus Compliance Assessments Get the rules grouped by their statuses.
extAggregateImageAssessments Compliance Assessments Get the assessments for each image.
extAggregateRulesAssessments Compliance Assessments Get the assessments for each rule.
ExtractionCreateV1 Sample Uploads Extracts files from an uploaded archive and copies them to internal storage making it available for content analysis.
ExtractionGetV1 Sample Uploads Retrieves the files extraction operation statuses. Status done means that all files were processed successfully. Status error means that at least one of the file could not be processed.
ExtractionListV1 Sample Uploads Retrieves the files extractions in chunks. Status done means that all files were processed successfully. Status error means that at least one of the file could not be processed.
fdrschema_combined_event_get Event Schema Fetch combined schema
fdrschema_entities_event_get Event Schema Fetch event schema by ID
fdrschema_entities_field_get Field Schema Fetch field schema by ID
fdrschema_queries_event_get Event Schema Get list of event IDs given a particular query.
fdrschema_queries_field_get Field Schema Get list of field IDs given a particular query.
FindContainersByContainerRunTimeVersion Kubernetes Protection Retrieve containers by container_runtime_version
FindContainersCountAffectedByZeroDayVulnerabilities Kubernetes Protection Retrieve containers count affected by zero day vulnerabilities
get_accounts Discover Get details on accounts by providing one or more IDs.
get_applications Discover Get details on applications by providing one or more IDs.
get_data_scanner_tasks DataScanner Retrieve pending tasks.
get_events Firewall Management Get events entities by ID and optionally version
get_firewall_fields Firewall Management Get the firewall field specifications by ID
get_hosts Discover Get details on assets by providing one or more IDs.
get_image_registry_credentials DataScanner Retrieves image registry credentials.
get_iot_hosts Discover Get details on IoT assets by providing one or more IDs.
get_logins Discover Get details on logins by providing one or more IDs.
get_malicious_files_by_ids ODS Get malicious files by ids.
get_network_locations Firewall Management Get a summary of network locations entities by ID
get_network_locations_details Firewall Management Get network locations entities by ID
get_patterns Custom IOA Get pattern severities by ID.
get_platforms Firewall Management Get platforms by ID, e.g., windows or mac or droid
get_platformsMixin0 Custom IOA Get platforms by ID.
get_policy_containers Firewall Management Get policy container entities by policy ID
get_policy_rules Identity Protection Get policy rules.
get_policy_rules_query Identity Protection Query policy rule IDs.
get_rule_groups Firewall Management Get rule group entities by ID. These groups do not contain their rule entites, just the rule IDs in precedence order.
get_rule_groupsMixin0 Custom IOA Get rule groups by ID.
get_rule_types Custom IOA Get rule types by ID.
get_rules Firewall Management Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string)
get_rules_get Custom IOA Get rules by ID and optionally with cid and/or version in the following format: [cid:]ID[:version].
get_rulesMixin0 Custom IOA Get rules by ID and optionally with cid and/or version in the following format: [cid:]ID[:version]. The max number of IDs is constrained by URL size.
get_scan_host_metadata_by_ids ODS Get scan hosts by ids.
get_scans_by_scan_ids ODS Get Scans by IDs.
get_scans_by_scan_ids_v2 ODS Get Scans by IDs.
get_scheduled_scans_by_scan_ids ODS Get ScheduledScans by IDs.
GetActionsV1 Recon Get actions based on their IDs. IDs can be retrieved using the GET /queries/actions/v1 endpoint.
getActionsMixin0 FileVantage Retrieve the processing results for one or more actions.
GetAggregateDetects Detects Get detect aggregates as specified via json in request body.
GetAggregateFiles Quarantine Get quarantine file aggregates as specified via json in request body.
GetArtifacts Falcon Intelligence Sandbox Download IOC packs, PCAP files, memory dumps, and other analysis artifacts.
getAssessmentsByScoreV1 Zero Trust Assessment Get Zero Trust Assessment data for one or more hosts by providing a customer ID (CID) and a range of scores.
getAssessmentV1 Zero Trust Assessment Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID) and a customer ID (CID).
getAuditV1 Zero Trust Assessment Get the Zero Trust Assessment audit report for one customer ID (CID).
GetAvailableRoleIds User Management Deprecated : Please use GET /user-management/queries/roles/v1. Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /customer/entities/roles/v1.
GetAWSAccounts Cloud Connect AWS Retrieve a set of AWS Accounts by specifying their IDs
GetAWSAccountsMixin0 Kubernetes Protection Provides a list of AWS accounts.
GetAWSSettings Cloud Connect AWS Retrieve a set of Global Settings which are applicable to all provisioned AWS accounts
GetAzureInstallScript Kubernetes Protection Provides the script to run for a given tenant id and subscription IDs
GetAzureTenantConfig Kubernetes Protection Gets the Azure tenant Config
GetAzureTenantIDs Kubernetes Protection Provides all the azure subscriptions and tenants
GetBehaviorDetections CSPM Registration Get list of detected behaviors
GetBehaviors Incidents Get details on behaviors by providing behavior IDs
GetCaseActivityByIds Message Center Retrieve activities for given id's
GetCaseEntitiesByIDs Message Center Retrieve message center cases
getChanges Filevantage Retrieve information on changes
getChildren MSSP (Flight Control) Get link to child customer by child CID(s)
getChildrenV2 MSSP (Flight Control) Get link to child customer by child CID(s)
getCIDGroupById MSSP (Flight Control) Deprecated : Please use GET /mssp/entities/cid-groups/v2. Get CID groups by ID.
getCIDGroupByIdV2 MSSP (Flight Control) Get CID Groups by ID.
getCIDGroupMembersBy MSSP (Flight Control) Deprecated : Please use GET /mssp/entities/cid-group-members/v2. Get CID group members by CID group ID.
getCIDGroupMembersByV2 MSSP (Flight Control) Get CID group members by CID Group ID.
GetClusters Kubernetes Protection Provides the clusters acknowledged by the Kubernetes Protection service
getCombinedAssessmentsQuery Configuration Assessment Search for assessments in your environment by providing a FQL filter and paging details. Returns a set of HostFinding entities which match the filter criteria
GetCombinedCloudClusters Kubernetes Protection Returns a combined list of provisioned cloud accounts and known kubernetes clusters
GetCombinedImages Container Images Get image assessment results by providing a FQL filter and paging details
GetCombinedPluginConfigs API Integrations Queries for config resources and returns details
GetCombinedSensorInstallersByQuery Sensor Download Get sensor installer details by provided query
GetCombinedSensorInstallersByQueryV2 Sensor Download Get sensor installer details by provided query
GetConfigurationDetectionEntities CSPM Registration Get misconfigurations based on the ID - including custom policy detections in addition to default policy detections.
GetConfigurationDetectionIDsV2 CSPM Registration Get list of active misconfiguration ids - including custom policy detections in addition to default policy detections.
GetConfigurationDetections CSPM Registration Get list of active misconfigurations
getContents FileVantage Retrieves the content captured for the provided change ID.
GetCredentials Falcon Container Gets the registry credentials
GetCredentialsIAC Cloud Snapshots Retrieve the registry credentials (external endpoint).
GetCredentialsMixin0 Provision Gets the registry credentials
GetCSPMAwsAccount CSPM Registration Returns information about the current status of an AWS account.
GetCSPMAwsAccountScriptsAttachment CSPM Registration Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment.
GetCSPMAwsConsoleSetupURLs CSPM Registration Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment.
GetCSPMAzureAccount CSPM Registration Return information about Azure account registration
GetCSPMAzureManagementGroup CSPM Registration Return information about Azure management group registration
CreateCSPMAzureManagementGroup CSPM Registration Creates a new management group in our system for a customer.
GetCSPMAzureUserScriptsAttachment CSPM Registration Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment
GetCSPMCGPAccount CSPM Registration Returns information about the current status of an GCP account.
GetCSPMGCPServiceAccountsExt CSPM Registration Returns the service account id and client email for external clients.
GetCSPMGCPValidateAccountsExt CSPM Registration Run a synchronous health check.
GetCSPMGCPUserScriptsAttachment CSPM Registration Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment
GetCSPMPoliciesDetails CSPM Registration Given an array of policy IDs, returns detailed policies information.
GetCSPMPolicy CSPM Registration Given a policy ID, returns detailed policy information.
GetCSPMPolicySettings CSPM Registration Returns information about current policy settings.
GetCSPMScanSchedule CSPM Registration Returns scan schedule configuration for one or more cloud platforms.
GetD4CAwsAccount D4C Registration Returns information about the current status of an AWS account.
GetD4CAWSAccountScriptsAttachment D4C Registration Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment.
GetD4CAwsConsoleSetupURLs D4C Registration Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment.
GetD4CCGPAccount D4C Registration Returns information about the current status of an GCP account.
GetD4CGCPUserScripts D4C Registration Return a script for customer to run in their cloud environment to grant us access to their GCP environment
GetD4CGCPServiceAccountsExt D4C Registration Returns the service account id and client email for external clients.
GetD4CGCPUserScriptsAttachment D4C Registration Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment
getDefaultDeviceControlPolicies Device Control Policies Retrieve the configuration for a Default Device Control Policy
GetDeliverySettings Delivery Settings Get Delivery Settings.
GetDetectSummaries Detects View information about detections
getDeviceControlPolicies Device Control Policies Retrieve a set of Device Control Policies by specifying their IDs
GetDeviceCountCollectionQueriesByFilter Falcon Complete Dashboard Retrieve device count collection Ids that match the provided FQL filter, criteria with scrolling enabled
GetDeviceDetailsV2 Hosts Get details on one or more hosts by providing host IDs as a query parameter. Supports up to a maximum 100 IDs.
GetDiscoverCloudAzureAccount D4C Registration Return information about Azure account registration
GetDiscoverCloudAzureTenantIDs D4C Registration Return available tenant ids for discover for cloud
GetDiscoverCloudAzureUserScripts D4C Registration Return a script for customer to run in their cloud environment to grant us access to their Azure environment
GetDiscoverCloudAzureUserScriptsAttachment D4C Registration Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment
GetDriftIndicatorsValuesByDate Drift Indicators Returns the count of Drift Indicators by the date. by default it's for 7 days.
GetExecutorNodes ASPM Get all the relay nodes
getEvaluationLogic Spotlight Evaluation Logic Get details on evaluation logic items by providing one or more IDs.
getEvaluationLogicMixin0 Configuration Assessment Evaluation Logic Get details on evaluation logic items by providing one or more finding IDs.
GetEventsBody Tailored Intelligence Get event body for the provided event ID
GetEventsEntities Tailored Intelligence Get events entities for specified ids.
GetExportJobsV1 Recon Get the status of export jobs based on their IDs. Export jobs can be launched by calling POST /entities/exports/v1. When a job is complete, use the job ID to download the file(s) associated with it using GET entities/export-files/v1.
get_external_assets Exposure Management Get details on external assets by providing one or more IDs.
GetFileContentForExportJobsV1 Recon Download the file associated with a job ID.
getFirewallPolicies Firewall Policies Retrieve a set of Firewall Policies by specifying their IDs
GetHelmValuesYaml Kubernetes Protection Provides a sample Helm values.yaml file for a customer to install alongside the agent Helm chart
GetHorizonD4CScripts D4C Registration Returns static install scripts for Horizon.
getHostGroups Host Group Retrieve a set of Host Groups by specifying their IDs
GetHostMigrationIDsV1 Host Migration Query host migration IDs.
GetHostMigrationsV1 Host Migration Get host migration details.
GetIncidents Incidents Get details on incidents by providing incident IDs
GetIndicatorsReport IOC Launch an indicators report creation job
GetIntegrations ASPM Get a list of all the integrations
GetIntegrationTasks ASPM Get all the integration tasks
GetIntegrationTypes ASPM Get all the integration types
GetIntelActorEntities Intel Retrieve specific actors using their actor IDs.
GetIntelIndicatorEntities Intel Retrieve specific indicators using their indicator IDs.
GetIntelReportEntities Intel Retrieve specific reports using their report IDs.
GetIntelReportPDF Intel Return a Report PDF attachment
GetIntelRuleEntities Intel Retrieve details for rule sets for the specified ids.
GetIntelRuleFile Intel Download earlier rule sets.
getIOAExclusionsV1 IOA Exclusions Get a set of IOA Exclusions by specifying their IDs
GetLatestIntelRuleFile Intel Download the latest rule set.
GetLocations Kubernetes Protection Provides the cloud locations acknowledged by the Kubernetes Protection service
GetMalQueryDownloadV1 MalQuery Download a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time
GetMalQueryEntitiesSamplesFetchV1 MalQuery Fetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing
GetMalQueryMetadataV1 MalQuery Retrieve indexed files metadata by their hash
GetMalQueryQuotasV1 MalQuery Get information about search and download quotas in your environment
GetMalQueryRequestV1 MalQuery Check the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time.
GetMalwareEntities Intel Get malware entities for specified IDs.
GetMemoryDump Falcon Intelligence Sandbox Get memory dump content, as binary
GetMemoryDumpExtractedStrings Falcon Intelligence Sandbox Get extracted strings from a memory dump
GetMemoryDumpHexDump Falcon Intelligence Sandbox Get hex view of a memory dump
GetMigrationDestinationsV1 Host Migration Get destinations for a migration.
GetMigrationIDsV1 Host Migration Query migration jobs.
GetMigrationsV1 Host Migration Get migration job details.
GetMitreReport Intel Export Mitre ATT&CK information for a given actor.
getMLExclusionsV1 ML Exclusions Get a set of ML Exclusions by specifying their IDs
GetNotificationsDetailedTranslatedV1 Recon Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.This endpoint will return translated notification content. The only target language available is English. A single notification can be translated per request
GetNotificationsDetailedV1 Recon Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.
GetNotificationsExposedDataRecordsV1 Recon Get notifications exposed data records based on their IDs. IDs can be retrieved using the GET /queries/notifications-exposed-data-records/v1 endpoint. The associate notification can be fetched using the /entities/notifications/v* endpoints
GetNotificationsTranslatedV1 Recon Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. This endpoint will return translated notification content. The only target language available is English.
GetNotificationsV1 Recon Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint.
GetObject Custom Storage Get the bytes for the specified object
GetVersionedObject Custom Storage Get the bytes for the specified object.
GetObjectMetadata Custom Storage Get the metadata for the specified object
GetVersionedObjectMetadata Custom Storage Get the metadata for the specified object.
GetOnlineState_V1 Hosts Get the online status for one or more hosts by specifying each host’s unique ID.

Successful requests return an HTTP 200 response and the status for each host identified by a state of online, offline, or unknown for each host, identified by host id.

Make a GET request to /devices/queries/devices/v1 to get a list of host IDs.
getPolicies Filevantage Retrieves the configuration for 1 or more policies.
getPreventionPolicies Prevention Policy Retrieve a set of Prevention Policies by specifying their IDs
GetQuarantineFiles Quarantine Get quarantine file metadata for specified ids.
GetQueriesAlertsV1 Alerts retrieves all Alerts ids that match a given query
GetQueriesAlertsV2 Alerts retrieves all Alerts ids that match a given query
getRemediationsV2 Spotlight Vulnerabilities Get details on remediation by providing one or more IDs
GetReports Falcon Intelligence Sandbox Get a full sandbox report.
GetRoles User Management Deprecated : Please use GET /user-management/entities/roles/v1. Get info about a role
getRolesByID MSSP (Flight Control) Get link between user group and CID group by ID. Link ID is a string consisting of multiple components, but should be treated as opaque.
GetRuntimeDetectionsCombinedV2 Container Detections Retrieve image assessment detections identified by the provided filter criteria.
getRTResponsePolicies Response Policies Retrieve a set of Response Policies by specifying their IDs
getRuleDetails Configuration Assessment Get rules details for provided one or more rule IDs
getRuleGroups Filevantage Retrieves the rule group details for 1 or more rule groups.
getRules Filevantage Retrieves the configuration for 1 or more rules.
GetRulesEntities Tailored Intelligence Get rules entities for specified ids.
GetRulesV1 Recon Get monitoring rules based on their IDs. IDs can be retrieved using the GET /queries/rules/v1 endpoint.
GetSampleV2 Falcon Intelligence Sandbox Retrieves the file associated with the given ID (SHA256)
GetSampleV3 Sample Uploads Retrieves the file associated with the given ID (SHA256)
GetSavedSearchesExecuteAltV1 Foundry Logscale Get the results of a saved search
GetSavedSearchesExecuteV1 Foundry Logscale Get the results of a saved search
GetSavedSearchesJobResultsDownloadAltV1 Foundry Logscale Get the results of a saved search as a file
GetSavedSearchesJobResultsDownloadV1 Foundry Logscale Get the results of a saved search as a file
GetScanResult Quick Scan Pro Gets the result of an QuickScan Pro scan.
GetScans Quick Scan Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute
GetScansAggregates Quick Scan Get scans aggregations as specified via json in request body.
GetScanReport Cloud Snapshots Retrieve the scan report for an instance.
getScheduledExclusions Filevantage Retrieves the configuration of 1 or more scheduled exclusions from the provided policy id.
GetSensorAggregates Identity Entities Get sensor aggregates as specified via json in request body.
GetSensorDetails Identity Entities Get details on one or more sensors by providing device IDs in a POST body. Supports up to a maximum of 5000 IDs.
GetSensorInstallersByQuery Sensor Download Get sensor installer IDs by provided query
GetSensorInstallersByQueryV2 Sensor Download Get sensor installer IDs by provided query
GetSensorInstallersCCIDByQuery Sensor Download Get CCID to use with sensor installers
GetSensorInstallersEntities Sensor Download Get sensor installer details by provided SHA256 IDs
GetSensorInstallersEntitiesV2 Sensor Download Get sensor installer details by provided SHA256 IDs
getSensorUpdatePolicies Sensor Update Policy Retrieve a set of Sensor Update Policies by specifying their IDs
getSensorUpdatePoliciesV2 Sensor Update Policy Retrieve a set of Sensor Update Policies with additional support for uninstall protection by specifying their IDs
GetSensorUsageWeekly Sensor Usage Fetches weekly average. Each data point represents the average of how many unique AIDs were seen per week for the previous 28 days.
getSensorVisibilityExclusionsV1 Sensor Visibility Exclusions Get a set of Sensor Visibility Exclusions by specifying their IDs
GetServicesCount ASPM Get the total amount of existing services
GetServiceViolationTypes ASPM Get the different types of violation
GetStaticScripts Kubernetes Protection Gets static bash scripts that are used during registration
GetSubmissions Falcon Intelligence Sandbox Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
GetSummaryReports Falcon Intelligence Sandbox Get a short summary version of a sandbox report.
GetTags ASPM Get all tags
getUserGroupMembersByID MSSP (Flight Control) Deprecated : Please use GET /mssp/entities/user-group-members/v2. Get user group members by user group ID.
getUserGroupMembersByIDV2 MSSP (Flight Control) Get user group members by user group ID.
getUserGroupsByID MSSP (Flight Control) Deprecated : Please use GET /entities/user-groups/v2. Get user groups by ID.
getUserGroupsByIDV2 MSSP (Flight Control) Get user groups by ID.
GetUserRoleIds User Management Deprecated : Please use GET /user-management/combined/user-roles/v1. Show role IDs of roles assigned to a user. For more information on each role, provide the role ID to /customer/entities/roles/v1.
GetVulnerabilities Intel Get vulnerabilities
getVulnerabilities Spotlight Vulnerabilities Get details on vulnerabilities by providing one or more IDs
GrantUserRoleIds User Management Deprecated : Please use POST /user-management/entities/user-role-actions/v1. Assign one or more roles to a user
GroupContainersByManaged Kubernetes Protection Group the containers by Managed
handle DataScanner Produces the input message into the corresponding Kafka topic.
highVolumeQueryChanges Filevantage Returns 1 or more change ids
HostMigrationsActionsV1 Host Migration Perform an action on host migrations.
HostMigrationAggregatesV1 Host Migration Get host migration aggregates as specified via json in request body.
indicator_aggregate_v1 IOC Get Indicators aggregates as specified via json in the request body.
indicator_combined_v1 IOC Get Combined for Indicators.
indicator_create_v1 IOC Create Indicators.
indicator_delete_v1 IOC Delete Indicators by ids.
indicator_get_device_count_v1 IOC Get the number of devices the indicator has run on
indicator_get_devices_ran_on_v1 IOC Get the IDs of devices the indicator has run on
indicator_get_processes_ran_on_v1 IOC Get the number of processes the indicator has run on
indicator_get_v1 IOC Get Indicators by ids.
indicator_search_v1 IOC Search for Indicators.
indicator_update_v1 IOC Update Indicators.
IngestDataV1 Foundry Logscale Ingest data into the application repository
IngestDataAsyncV1 Foundry Logscale Ingest data into the application repository asynchronously
ioc_type_query_v1 IOC Query IOC Types.
LaunchScan Quick Scan Pro Starts scanning a file uploaded through UploadFileMixin0Mixin93.
listAvailableStreamsOAuth2 Event Streams Discover all event streams in your environment
ListAzureAccounts Kubernetes Protection Provides the azure subscriptions registered to Kubernetes Protection
ListObjects Custom Storage List the object keys in the specified collection in alphabetical order
ListObjectsByVersion Custom Storage List the object keys in the specified collection in alphabetical order.
ListReposV1 Foundry Logscale Lists available repositories and views
ListViewV1 Foundry Logscale List views
MigrationsActionsV1 Host Migration Perform an action on a migration job.
MigrationAggregatesV1 Host Migration Get migration aggregates as specified via json in request body.
oauth2AccessToken OAuth2 Generate an OAuth2 access token
oauth2RevokeToken OAuth2 Revoke a previously issued OAuth2 access token before the end of its standard 30-minute lifespan.
PatchAzureServicePrincipal Kubernetes Protection Adds the client ID for the given tenant ID to our system
PatchCSPMAwsAccount CSPM Registration Patches a existing account in our system for a customer.
PatchEntitiesAlertsV2 Alerts Perform actions on detections identified by detection ID(s) in request. Each action has a name and a description which describes what the action does. If a request adds and removes tag in a single request, the order of processing would be to remove tags before adding new ones in.
PatchEntitiesAlertsV3 Alerts Perform actions on detections identified by detection ID(s) in request. Each action has a name and a description which describes what the action does. If a request adds and removes tag in a single request, the order of processing would be to remove tags before adding new ones in.
patch_external_assets Exposure Management Update the details of external assets.
PerformActionV2 Hosts Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host.
performDeviceControlPoliciesAction Device Control Policies Perform the specified action on the Device Control Policies specified in the request
performFirewallPoliciesAction Firewall Policies Perform the specified action on the Firewall Policies specified in the request
performGroupAction Host Group Perform the specified action on the Host Groups specified in the request
PerformIncidentAction Incidents Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
performPreventionPoliciesAction Prevention Policy Perform the specified action on the Prevention Policies specified in the request
performRTResponsePoliciesAction Response Policies Perform the specified action on the Response Policies specified in the request
performSensorUpdatePoliciesAction Sensor Update Policy Perform the specified action on the Sensor Update Policies specified in the request
platform_query_v1 IOC Query Platforms.
post_policy_rules Identity Protection Create policy rules.
PostAggregatesAlertsV1 Alerts retrieves aggregate values for Alerts across all CIDs
PostAggregatesAlertsV2 Alerts retrieves aggregate values for Alerts across all CIDs
PostDeliverySettings Delivery Settings Create Delivery Settings.
PostDeviceDetailsV2 Hosts Get details on one or more hosts by providing host IDs in a POST body. Supports up to a maximum 5000 IDs.
PostEntitiesAlertsV1 Alerts retrieves all Alerts given their ids
PostEntitiesAlertsV2 Alerts retrieves all Alerts given their composite ids
PostMalQueryEntitiesSamplesMultidownloadV1 MalQuery Schedule samples for download. Use the result id with the /request endpoint to check if the download is ready after which you can call the /entities/samples-fetch to get the zip
PostMalQueryExactSearchV1 MalQuery Search Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. You can filter results on criteria such as file type, file size and first seen date. Returns a request id which can be used with the /request endpoint
PostMalQueryFuzzySearchV1 MalQuery Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity.
PostMalQueryHuntV1 MalQuery Schedule a YARA-based search for execution. Returns a request id which can be used with the /request endpoint
PostMitreAttacks Intel Retrieves report and observable IDs associated with the given actor and attacks
PreviewRuleV1 Recon Preview rules notification count and distribution. This will return aggregations on: channel, count, site.
ProcessesRanOn IOCs Search for processes associated with a custom IOC
ProvisionAWSAccounts Cloud Connect AWS Provision AWS Accounts by specifying details about the accounts to provision
PutObject Custom Storage Put the specified new object at the given key or overwrite an existing object at the given key
PutObjectByVersion Custom Storage Put the specified new object at the given key or overwrite an existing object at the given key.
queries_edgetypes_get ThreatGraph Show all available edge types
queriesRolesV1 User Management Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /user-management/entities/roles/v1.
query_accounts Discover Search for accounts in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of account IDs which match the filter criteria.
query_applications Discover Search for applications in your environment by providing a FQL filter and paging details. returns a set of application IDs which match the filter criteria.
query_events Firewall Management Find all event IDs matching the query with filter
query_firewall_fields Firewall Management Get the firewall field specification IDs for the provided platform
query_hosts Discover Search for assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_iot_hosts Discover Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_iot_hosts_v2 Discover Search for IoT assets in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_logins Discover Search for logins in your environment by providing an FQL (Falcon Query Language) filter and paging details. Returns a set of login IDs which match the filter criteria.
query_malicious_files ODS Query malicious files.
query_network_locations Firewall Management Get a list of network location IDs
query_patterns Custom IOA Get all pattern severity IDs.
query_platforms Firewall Management Get the list of platform names
query_platformsMixin0 Custom IOA Get all platform IDs.
query_policy_rules Firewall Management Find all firewall rule IDs matching the query with filter, and return them in precedence order
query_rule_groups Firewall Management Find all rule group IDs matching the query with filter
query_rule_groups_full Custom IOA Find all rule groups matching the query with optional filter.
query_rule_groupsMixin0 Custom IOA Finds all rule group IDs matching the query with optional filter.
query_rule_types Custom IOA Get all rule type IDs.
query_rules Firewall Management Find all rule IDs matching the query with filter
query_rulesMixin0 Custom IOA Finds all rule IDs matching the query with optional filter.
query_scan_host_metadata ODS Query scan hosts.
query_scans ODS Query Scans.
query_scheduled_scans ODS Query ScheduledScans.
QueryActionsV1 Recon Query actions based on provided criteria. Use the IDs from this response to get the action entities on GET /entities/actions/v1.
queryActionsMixin0 FileVantage Returns one or more action IDs.
QueryActivityByCaseID Message Center Retrieve activities id's for a case
QueryAlertIdsByFilter Falcon Complete Dashboard Retrieve Alerts Ids that match the provided FQL filter criteria with scrolling enabled
QueryAllowListFilter Falcon Complete Dashboard Retrieve allowlist tickets that match the provided filter criteria with scrolling enabled
QueryAWSAccounts Cloud Connect AWS Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria
QueryAWSAccountsForIDs Cloud Connect AWS Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria
QueryBehaviors Incidents Search for behaviors by providing a FQL filter, sorting, and paging details
QueryBlockListFilter Falcon Complete Dashboard Retrieve block listtickets that match the provided filter criteria with scrolling enabled
QueryCasesIdsByFilter Message Center Retrieve case id's that match the provided filter criteria
queryChanges Filevantage Returns 1 or more change ids
queryChildren MSSP (Flight Control) Query for customers linked as children
queryCIDGroupMembers MSSP (Flight Control) Query a CID groups members by associated CID.
queryCIDGroups MSSP (Flight Control) Query CID groups.
queryCombinedDeviceControlPolicies Device Control Policies Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policies which match the filter criteria
queryCombinedDeviceControlPolicyMembers Device Control Policies Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedFirewallPolicies Firewall Policies Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policies which match the filter criteria
queryCombinedFirewallPolicyMembers Firewall Policies Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedGroupMembers Host Group Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedHostGroups Host Group Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Groups which match the filter criteria
queryCombinedPreventionPolicies Prevention Policy Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria
queryCombinedPreventionPolicyMembers Prevention Policy Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedRTResponsePolicies Response Policies Search for Response Policies in your environment by providing a FQL filter and paging details. Returns a set of Response Policies which match the filter criteria
queryCombinedRTResponsePolicyMembers Response Policies Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedSensorUpdateBuilds Sensor Update Policy Retrieve available builds for use with Sensor Update Policies
queryCombinedSensorUpdateKernels Sensor Update Policy Retrieve kernel compatibility info for Sensor Update Builds
queryCombinedSensorUpdatePolicies Sensor Update Policy Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria
queryCombinedSensorUpdatePoliciesV2 Sensor Update Policy Search for Sensor Update Policies with additional support for uninstall protection in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria
queryCombinedSensorUpdatePolicyMembers Sensor Update Policy Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
QueryDetectionIdsByFilter Falcon Complete Dashboard Retrieve DetectionsIds that match the provided FQL filter, criteria with scrolling enabled
QueryDetects Detects Search for detection IDs that match a given query
queryDeviceControlPolicies Device Control Policies Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policy IDs which match the filter criteria
queryDeviceControlPolicyMembers Device Control Policies Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
QueryDeviceLoginHistory Hosts Retrieve details about recent login sessions for a set of devices.
QueryDeviceLoginHistoryV2 Hosts Retrieve details about recent interactive login sessions for a set of devices powered by the Host Timeline. A max of 10 device ids can be specified
QueryDevicesByFilter Hosts Search for hosts in your environment by platform, hostname, IP, and other criteria.
QueryDevicesByFilterScroll Hosts Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)
QueryEscalationsFilter Falcon Complete Dashboard Retrieve escalation tickets that match the provided filter criteria with scrolling enabled
queryEvaluationLogic Spotlight Evaluation Logic Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic IDs which match the filter criteria.
QueryEvents Tailored Intelligence Get events ids that match the provided filter criteria.
query_external_assets Exposure Management Get a list of external asset IDs that match the provided filter conditions. Use these IDs with the blob_download_external_assets, blob_preview_external_assets and get_external_assets endpoints
queryFirewallPolicies Firewall Policies Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policy IDs which match the filter criteria
queryFirewallPolicyMembers Firewall Policies Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
QueryGetNetworkAddressHistoryV1 Hosts Retrieve history of IP and MAC addresses of devices.
queryGroupMembers Host Group Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
QueryHiddenDevices Hosts Retrieve hidden hosts that match the provided filter criteria.
queryHostGroups Host Group Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Group IDs which match the filter criteria
QueryIncidentIdsByFilter Falcon Complete Dashboard Retrieve incidents that match the provided filter criteria with scrolling enabled
QueryIncidents Incidents Search for incidents by providing a FQL filter, sorting, and paging details
QueryIntelActorEntities Intel Get info about actors that match provided FQL filters.
QueryIntelActorIds Intel Get actor IDs that match provided FQL filters.
QueryIntelIndicatorEntities Intel Get info about indicators that match provided FQL filters.
QueryIntelIndicatorIds Intel Get indicators IDs that match provided FQL filters.
QueryIntelReportEntities Intel Get info about reports that match provided FQL filters.
QueryIntelReportIds Intel Get report IDs that match provided FQL filters.
QueryIntelRuleIds Intel Search for rule IDs that match provided filter criteria.
queryIOAExclusionsV1 IOA Exclusions Search for IOA exclusions.
QueryMalware Intel Get malware family names that match provided FQL filters.
QueryMitreAttacksForMalware Intel Gets MITRE tactics and techniques for the given malware.
QueryMitreAttacks Intel Gets MITRE tactics and techniques for the given actor, returning concatenation of id and tactic and technique ids, example: fancy-bear_TA0011_T1071
queryMLExclusionsV1 ML Exclusions Search for ML exclusions.
QueryNotificationsExposedDataRecordsV1 Recon Query notifications exposed data records based on provided criteria. Use the IDs from this response to get the notification +entities on GET /entities/notifications-exposed-data-records/v1
QueryNotificationsV1 Recon Query notifications based on provided criteria. Use the IDs from this response to get the notification +entities on GET /entities/notifications/v1, GET /entities/notifications-detailed/v1, +GET /entities/notifications-translated/v1 or GET /entities/notifications-detailed-translated/v1.
queryPolicies Filevantage Retrieve the ids of all policies that are assigned the provided policy type.
queryPreventionPolicies Prevention Policy Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policy IDs which match the filter criteria
queryPreventionPolicyMembers Prevention Policy Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
QueryQuarantineFiles Quarantine Get quarantine file ids that match the provided filter criteria.
QueryRemediationsFilter Falcon Complete Dashboard Retrieve remediation tickets that match the provided filter criteria with scrolling enabled
QueryReports Falcon Intelligence Sandbox Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria.
queryRoles MSSP (Flight Control) Query links between user groups and CID groups. At least one of CID group ID or user group ID should also be provided. Role ID is optional.
queryRTResponsePolicies Response Policies Search for Response Policies in your environment by providing a FQL filter with sort and/or paging details. This returns a set of Response Policy IDs that match the given criteria.
queryRTResponsePolicyMembers Response Policies Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryRuleGroups Filevantage Retrieve the ids of all rule groups that are of the provided rule group type.
QueryRules Tailored Intelligence Get rules ids that match the provided filter criteria.
QueryRulesV1 Recon Query monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on /entities/rules/v1.
QuerySampleV1 Falcon Intelligence Sandbox Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200
QueryScanResults Quick Scan Pro Gets QuickScan Pro scan jobs for a given FQL filter.
queryScheduledExclusions Filevantage Retrieve the ids of all scheduled exclusions contained within the provided policy id.
QuerySensorsByFilter Identity Entities Search for sensors in your environment by hostname, IP, and other criteria.
querySensorUpdateKernelsDistinct Sensor Update Policy Retrieve kernel compatibility info for Sensor Update Builds
querySensorUpdatePolicies Sensor Update Policy Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policy IDs which match the filter criteria
querySensorUpdatePolicyMembers Sensor Update Policy Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
querySensorVisibilityExclusionsV1 Sensor Visibility Exclusions Search for sensor visibility exclusions.
QuerySubmissions Falcon Intelligence Sandbox Find submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria.
QuerySubmissionsMixin0 Quick Scan Find IDs for submitted scans by providing a FQL filter and paging details. Returns a set of volume IDs that match your criteria.
queryUserGroupMembers MSSP (Flight Control) Query user group member by user UUID.
queryUserGroups MSSP (Flight Control) Query user groups.
queryUserV1 User Management List user IDs for all users in your customer account. For more information on each user, provide the user ID to /user-management/entities/users/GET/v1.
QueryVulnerabilities Intel Get vulnerabilities IDs
queryVulnerabilities Spotlight Vulnerabilities Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria
ReadClusterCombined Kubernetes Protection Retrieve kubernetes clusters identified by the provided filter criteria
ReadClusterCount Kubernetes Protection Retrieve cluster counts
ReadClusterEnrichment Kubernetes Protection Retrieve cluster enrichment data
ReadClustersByDateRangeCount Kubernetes Protection Retrieve clusters by date range counts
ReadClustersByKubernetesVersionCount Kubernetes Protection Bucket clusters by kubernetes version
ReadClustersByStatusCount Kubernetes Protection Bucket clusters by status
ReadCombinedDetections Container Detections Retrieve image assessment detections identified by the provided filter criteria
ReadCombinedImagesExport Container Images Retrieve images with an option to expand aggregated vulnerabilities/detections
ReadCombinedVulnerabilities Container Vulnerabilities Retrieve vulnerability and aggregate data filtered by the provided FQL
ReadCombinedVulnerabilitiesDetails Container Vulnerabilities Retrieve vulnerability details related to an image
ReadCombinedVulnerabilitiesInfo Container Vulnerabilities Retrieve vulnerability and package related info for this customer
ReadContainerAlertsCount Container Alerts Search Container Alerts by the provided search criteria
ReadContainerAlertsCountBySeverity Container Alerts Get Container Alert counts by severity
ReadContainerCombined Kubernetes Protection Retrieve containers identified by the provided filter criteria
ReadContainerCount Kubernetes Protection Retrieve container counts
ReadContainerCountByRegistry Kubernetes Protection Retrieve top container image registries
ReadContainerImageDetectionsCountByDate Kubernetes Protection Retrieve count of image assessment detections on running containers over a period of time
ReadContainerEnrichment Kubernetes Protection Retrieve container enrichment data
ReadContainerImagesByMostUsed Kubernetes Protection Bucket container by image-digest
ReadContainerImagesByState Kubernetes Protection Retrieve count of image states running on containers
ReadContainersByDateRangeCount Kubernetes Protection Retrieve containers by date range counts
ReadContainersSensorCoverage Kubernetes Protection Bucket containers by agent type and calculate sensor coverage
ReadContainerVulnerabilitiesBySeverityCount Kubernetes Protection Retrieve container vulnerabilities by severity counts
ReadDeploymentCombined Kubernetes Protection Retrieve kubernetes deployments identified by the provided filter criteria
ReadDeploymentsCombined Cloud Snapshots Search for snapshot jobs identified by the provided filter.
ReadDeploymentCount Kubernetes Protection Retrieve deployment counts
ReadDeploymentEnrichment Kubernetes Protection Retrieve deployment enrichment data
ReadDeploymentsEntities Cloud Snapshots Retrieve snapshot jobs identified by the provided IDs.
ReadDeploymentsByDateRangeCount Kubernetes Protection Retrieve deployments by date range counts
ReadDetections Container Detections Retrieve image assessment detection entities identified by the provided filter criteria
ReadDetectionsCount Container Detections Aggregate count of detections
ReadDetectionsCountBySeverity Container Detections Aggregate counts of detections by severity
ReadDetectionsCountByType Container Detections Aggregate counts of detections by detection type
ReadDistinctContainerImageCount Kubernetes Protection Retrieve count of distinct images running on containers
ReadDriftIndicatorsCount Drift Indicators Returns the total count of Drift indicators over a time period
ReadDriftIndicatorEntities Drift Indicators Retrieve Drift Indicator entities identified by the provided IDs
ReadImageVulnerabilities Falcon Container Cli Retrieve known vulnerabilities for the provided image
ReadKubernetesIomByDateRange Kubernetes Protection Returns the count of Kubernetes IOMs by the date. by default it's for 7 days.
ReadKubernetesIomCount Kubernetes Protection Returns the total count of Kubernetes IOMs over the past seven days
ReadKubernetesIomEntities Kubernetes Protection Retrieve Kubernetes IOM entities identified by the provided IDs
ReadNamespaceCount Kubernetes Protection Retrieve namespace counts
ReadNamespacesByDateRangeCount Kubernetes Protection Retrieve namespaces by date range counts
ReadNodeCombined Kubernetes Protection Retrieve kubernetes nodes identified by the provided filter criteria
ReadNodeCount Kubernetes Protection Retrieve node counts
ReadNodeEnrichment Kubernetes Protection Retrieve node enrichment data
ReadNodesByCloudCount Kubernetes Protection Bucket nodes by cloud providers
ReadNodesByContainerEngineVersionCount Kubernetes Protection Bucket nodes by their container engine version
ReadNodesByDateRangeCount Kubernetes Protection Retrieve nodes by date range counts
ReadPackagesByFixableVulnCount Container Packages Retrieve top x app packages with the most fixable vulnerabilities
ReadPackagesByVulnCount Container Packages Retrieve top x packages with the most vulnerabilities
ReadPackagesCombined Container Packages Retrieve packages identified by the provided filter criteria
ReadPackagesCombinedExport Container Packages Retrieve packages identified by the provided filter criteria for the purpose of export
ReadPackagesCountByZeroDay Container Packages Retrieve packages count affected by zero day vulnerabilities
ReadPodEnrichment Kubernetes Protection Retrieve pod enrichment data
ReadPolicies Image Assessment Policies Get all Image Assessment policies
ReadPolicyExclusions Image Assessment Policies Retrieve Image Assessment Policy Exclusion entities
ReadPolicyGroups Image Assessment Policies Retrieve Image Assessment Policy Group entities
ReadPodCombined Kubernetes Protection Retrieve kubernetes pods identified by the provided filter criteria
ReadPodCount Kubernetes Protection Retrieve pod counts
ReadPodsByDateRangeCount Kubernetes Protection Retrieve pods by date range counts
ReadRegistryEntities Falcon Container Image Retrieve registry entities identified by the customer id
ReadRegistryEntitiesByUUID Falcon Container Image Retrieve the registry entity identified by the entity UUID
ReadRunningContainerImages Kubernetes Protection Retrieve images on running containers
ReadUnidentifiedContainersByDateRangeCount Unidentified Containers Returns the count of Unidentified Containers over the last 7 days
ReadUnidentifiedContainersCount Unidentified Containers Returns the total count of Unidentified Containers over a time period
ReadVulnerabilitiesByImageCount Container Vulnerabilities Retrieve top x vulnerabilities with the most impacted images
ReadVulnerabilitiesPublicationDate Container Vulnerabilities Retrieve top x vulnerabilities with the most recent publication date
ReadVulnerabilityCount Container Vulnerabilities Aggregate count of vulnerabilities
ReadVulnerabilityCountByActivelyExploited Container Vulnerabilities Aggregate count of vulnerabilities grouped by actively exploited
ReadVulnerabilityCountByCPSRating Container Vulnerabilities Aggregate count of vulnerabilities grouped by csp_rating
ReadVulnerabilityCountByCVSSScore Container Vulnerabilities Aggregate count of vulnerabilities grouped by cvss score
ReadVulnerabilityCountBySeverity Container Vulnerabilities Aggregate count of vulnerabilities grouped by severity
ReadVulnerableContainerImageCount Kubernetes Protection Retrieve count of vulnerable images running on containers
refreshActiveStreamSession Event Streams Refresh an active event stream. Use the URL shown in a GET /sensors/entities/datafeed/v2 response.
RegenerateAPIKey Kubernetes Protection Regenerate API key for docker registry integrations
RegisterCspmSnapshotAccount Cloud Snapshots Register an account for snapshot scanning.
report_executions_download_get Report Executions Get report entity download
report_executions_get Report Executions Retrieve report details for the provided report IDs.
report_executions_query Report Executions Find all report execution IDs matching the query with filter
report_executions_retry Report Executions This endpoint will be used to retry report executions
RequestDeviceEnrollmentV3 Mobile Enrollment Trigger on-boarding process for a mobile device
RequestDeviceEnrollmentV4 Mobile Enrollment Trigger on-boarding process for a mobile device.
RetrieveEmailsByCID User Management Deprecated : Please use POST /user-management/entities/users/GET/v1. List the usernames (usually an email address) for all users in your customer account
retrieveUser User Management Deprecated : Please use POST /user-management/entities/users/GET/v1. Get info about a user
retrieveUsersGETV1 User Management Get info about users including their name, UID and CID by providing user UUIDs
RetrieveUserUUID User Management Deprecated : Please use GET /user-management/queries/users/v1. Get a user's ID by providing a username (usually an email address)
RetrieveUserUUIDsByCID User Management Deprecated : Please use GET /user-management/queries/users/v1. List user IDs for all users in your customer account. For more information on each user, provide the user ID to /users/entities/user/v1.
revealUninstallToken Sensor Update Policy Reveals an uninstall token for a specific device. To retrieve the bulk maintenance token pass the value 'MAINTENANCE' as the value for 'device_id'
RevokeUserRoleIds User Management Deprecated : Please use POST /user-management/entities/user-role-actions/v1. Revoke one or more roles from a user
RTR_AggregateSessions Real Time Response Get aggregates on session data.
RTR_CheckActiveResponderCommandStatus Real Time Response Get status of an executed active-responder command on a single host.
RTR_CheckAdminCommandStatus Real Time Response Admin Get status of an executed RTR administrator command on a single host.
RTR_CheckCommandStatus Real Time Response Get status of an executed command on a single host.
RTR_CreatePut_Files Real Time Response Admin Upload a new put-file to use for the RTR put command.
RTR_CreateScripts Real Time Response Admin Upload a new custom-script to use for the RTR runscript command.
RTR_DeleteFile Real Time Response Delete a RTR session file.
RTR_DeleteFileV2 Real Time Response Delete a RTR session file.
RTR_DeletePut_Files Real Time Response Admin Delete a put-file based on the ID given. Can only delete one file at a time.
RTR_DeleteQueuedSession Real Time Response Delete a queued session command
RTR_DeleteScripts Real Time Response Admin Delete a custom-script based on the ID given. Can only delete one script at a time.
RTR_DeleteSession Real Time Response Delete a session.
RTR_ExecuteActiveResponderCommand Real Time Response Execute an active responder command on a single host.
RTR_ExecuteAdminCommand Real Time Response Admin Execute a RTR administrator command on a single host.
RTR_ExecuteCommand Real Time Response Execute a command on a single host.
RTR_GetExtractedFileContents Real Time Response Get RTR extracted file contents for specified session and sha256.
RTR_GetFalconScripts Real Time Response Admin Get Falcon scripts with metadata and content of script
RTR_GetPut_Files Real Time Response Admin Get put-files based on the ID's given. These are used for the RTR put command.
RTR_GetPut_FilesV2 Real Time Response Admin Get put-files based on the ID's given. These are used for the RTR put command.
RTR_GetScripts Real Time Response Admin Get custom-scripts based on the ID's given. These are used for the RTR runscript command.
RTR_GetScriptsV2 Real Time Response Admin Get custom-scripts based on the ID's given. These are used for the RTR runscript command.
RTR_InitSession Real Time Response Initialize a new session with the RTR cloud.
RTR_ListAllSessions Real Time Response Get a list of session_ids.
RTR_ListFalconScripts Real Time Response Admin Get a list of Falcon script IDs available to the user to run
RTR_ListFiles Real Time Response Get a list of files for the specified RTR session.
RTR_ListFilesV2 Real Time Response Get a list of files for the specified RTR session.
RTR_ListPut_Files Real Time Response Admin Get a list of put-file ID's that are available to the user for the put command.
RTR_ListQueuedSessions Real Time Response Get queued session metadata by session ID.
RTR_ListScripts Real Time Response Admin Get a list of custom-script ID's that are available to the user for the runscript command.
RTR_ListSessions Real Time Response Get session metadata by session id.
RTR_PulseSession Real Time Response Refresh a session timeout on a single host.
RTR_UpdateScripts Real Time Response Admin Upload a new scripts to replace an existing one.
RTRAuditSessions Real Time Response Audit Get all the RTR sessions created for a customer in a specified duration
RunIntegrationTask ASPM Run an integration task by its ID
ScanSamples Quick Scan Submit a volume of files for ml scanning. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute
schedule_scan ODS Create ODS scan and start or schedule scan for the given scan request.
scheduled_reports_get Scheduled Reports Retrieve scheduled reports for the provided report IDs.
scheduled_reports_launch Scheduled Reports Launch scheduled reports executions for the provided report IDs.
scheduled_reports_query Scheduled Reports Find all report IDs matching the query with filter
SearchAndReadContainerAlerts Container Alerts Search Container Alerts by the provided search criteria
SearchAndReadDriftIndicatorEntities Drift Indicators Retrieve Drift Indicators by the provided search criteria
SearchAndReadKubernetesIomEntities Kubernetes Protection Search Kubernetes IOM by the provided search criteria
SearchAndReadUnidentifiedContainers Unidentified Containers Search Unidentified Containers by the provided search criteria
SearchDetections Container Detections Retrieve image assessment detection entities identified by the provided filter criteria
SearchDriftIndicators Drift Indicators Retrieve all drift indicators that match the given query
SearchKubernetesIoms Kubernetes Protection Search Kubernetes IOMs by the provided search criteria. this endpoint returns a list of Kubernetes IOM UUIDs matching the query
SearchObjects Custom Storage Search for objects that match the specified filter criteria (returns metadata, not actual objects)
SearchObjectsByVersion Custom Storage Search for objects that match the specified filter criteria (returns metadata, not actual objects).
ServiceNowGetDeployments ASPM Get ServiceNow deployments.
ServiceNowGetServices ASPM Get ServiceNow services.
setDeviceControlPoliciesPrecedence Device Control Policies Sets the precedence of Device Control Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
setFirewallPoliciesPrecedence Firewall Policies Sets the precedence of Firewall Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
setPreventionPoliciesPrecedence Prevention Policy Sets the precedence of Prevention Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
setRTResponsePoliciesPrecedence Response Policies Sets the precedence of Response Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
setSensorUpdatePoliciesPrecedence Sensor Update Policy Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
severity_query_v1 IOC Query Severities.
signalChangesExternal FileVantage Initiates workflows for the provided change IDs.
startActions FileVantage Initiates the specified action on the provided change IDs.
Submit Falcon Intelligence Sandbox Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
tokens_create Installation Tokens Creates a token.
tokens_delete Installation Tokens Deletes a token immediately. To revoke a token, use PATCH /installation-tokens/entities/tokens/v1 instead.
tokens_query Installation Tokens Search for tokens by providing a FQL filter and paging details.
tokens_read Installation Tokens Gets the details of one or more tokens by id.
tokens_update Installation Tokens Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore.
TriggerScan Kubernetes Protection Triggers a dry run or a full scan of a customer's kubernetes footprint
update_network_locations Firewall Management Updates the network locations provided, and return the ID.
update_network_locations_metadata Firewall Management Updates the network locations metadata such as polling_intervals for the cid
update_network_locations_precedence Firewall Management Updates the network locations precedence according to the list of ids provided.
update_policy_container Firewall Management Update an identified policy container, including local logging functionality.
update_policy_container_v1 Firewall Management Update an identified policy container. WARNING: This endpoint is deprecated in favor of v2, using this endpoint could disable your local logging setting.
update_data_scanner_tasks DataScanner Reports back on task status.
update_rule_group Firewall Management Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
update_rule_group_validation Firewall Management Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
update_rule_groupMixin0 Custom IOA Update a rule group. The following properties can be modified: name, description, enabled.
update_rules Custom IOA Update rules within a rule group. Return the updated rules.
update_rules_v2 Custom IOA Update name, description, enabled or field_values for individual rules within a rule group. The v1 flavor of this call requires the caller to specify the complete state for all the rules in the rule group, instead the v2 flavor will accept the subset of rules in the rule group and apply the attribute updates to the subset of rules in the rule group. Returns the updated rules.
UpdateActionV1 Recon Update an action for a monitoring rule.
UpdateAWSAccount Kubernetes Protection Updates the AWS account per the query parameters provided
UpdateAWSAccounts Cloud Connect AWS Update AWS Accounts by specifying the ID of the account and details to update
updateCIDGroups MSSP (Flight Control) Update existing CID groups. CID group ID is expected for each CID group definition provided in request body. Name is a required field but description is an optional field. Empty description will override existing value. CID group member(s) remain unaffected.
UpdateCSPMAzureAccountClientID CSPM Registration Update an Azure service account in our system by with the user-created client_id created with the public key we've provided
UpdateCSPMAzureTenantDefaultSubscriptionID CSPM Registration Update an Azure default subscription_id in our system for given tenant_id
UpdateCSPMGCPAccount CSPM Registration Patches a existing account in our system for a customer.
UpdateCSPMGCPServiceAccountsExt CSPM Registration Updates an existing GCP service account.
UpdateCSPMPolicySettings CSPM Registration Updates a policy setting - can be used to override policy severity or to disable a policy entirely.
UpdateCSPMScanSchedule CSPM Registration Updates scan schedule configuration for one or more cloud platforms.
UpdateD4CCPServiceAccountsExt D4C Registration Updates an existing GCP service account.
updateDefaultDeviceControlPolicies Device Control Policies Update the configuration for a Default Device Control Policy
UpdateDetectsByIdsV2 Detects Modify the state, assignee, and visibility of detections
updateDeviceControlPolicies Device Control Policies Update Device Control Policies by specifying the ID of the policy and details to update
UpdateDeviceTags Hosts Append or remove one or more Falcon Grouping Tags on one or more hosts. Tags must be of the form FalconGroupingTags/
UpdateDiscoverCloudAzureAccountClientID D4C Registration Update an Azure service account in our system by with the user-created client_id created with the public key we've provided
UpdateExecutorNode ASPM Update an existing relay node
updateFirewallPolicies Firewall Policies Update Firewall Policies by specifying the ID of the policy and details to update
updateHostGroups Host Group Update Host Groups by specifying the ID of the group and details to update
updateIOAExclusionsV1 IOA Exclusions Update the IOA exclusions
UpdateIntegration ASPM Update an existing integration by its ID
UpdateIntegrationTask ASPM Update an existing integration task by its ID
updateMLExclusionsV1 ML Exclusions Update the ML exclusions
UpdateNotificationsV1 Recon Update notification status or assignee. Accepts bulk requests
updatePolicies Filevantage Updates the general information of the provided policy.
UpdatePolicies Image Assessment Policies Update Image Assessment Policy entities
UpdatePolicyExclusions Image Assessment Policies Update Image Assessment Policy Exclusion entities
UpdatePolicyGroups Image Assessment Policies Update Image Assessment Policy Group entities
updatePolicyHostGroups Filevantage Manage host groups assigned to a policy.
updatePolicyPrecedence Filevantage Updates the policy precedence for all policies of a specific type.
UpdatePolicyPrecedence Image Assessment Policies Update Image Assessment Policy precedence
updatePolicyRuleGroups Filevantage Manage the rule groups assigned to the policy or set the rule group precedence for all rule groups within the policy.
updatePreventionPolicies Prevention Policy Update Prevention Policies by specifying the ID of the policy and details to update
UpdateQfByQuery Quarantine Apply quarantine file actions by query.
UpdateQuarantinedDetectsByIds Quarantine Apply action by quarantine file ids
UpdateRegistryEntities Falcon Container Image Update the registry entity, as identified by the entity UUID, using the provided details
updateRTResponsePolicies Response Policies Update Response Policies by specifying the ID of the policy and details to update
updateRuleGroupPrecedence Filevantage Updates the rule precedence for all rules in the identified rule group.
updateRuleGroups Filevantage Updates the provided rule group.
updateRules Filevantage Updates the provided rule configuration within the specified rule group.
UpdateRulesV1 Recon Update monitoring rules.
updateScheduledExclusions Filevantage Updates the provided scheduled exclusion configuration within the provided policy.
updateSensorUpdatePolicies Sensor Update Policy Update Sensor Update Policies by specifying the ID of the policy and details to update
updateSensorUpdatePoliciesV2 Sensor Update Policy Update Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection
updateSensorVisibilityExclusionsV1 Sensor Visibility Exclusions Update the sensor visibility exclusions
UpdateUser User Management Deprecated : Please use PATCH /user-management/entities/users/v1. Modify an existing user's first or last name
updateUserGroups MSSP (Flight Control) Update existing user group(s). User group ID is expected for each user group definition provided in request body. Name is a required field but description is an optional field. Empty description will override existing value. User group member(s) remain unaffected.
updateUserV1 User Management Modify an existing user's first or last name.
UploadFileMixin0Mixin93 Quick Scan Pro Uploads a file to be further analyzed with QuickScan Pro. The samples expire after 90 days.
UploadSampleV2 Falcon Intelligence Sandbox Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file.
UploadSampleV3 Sample Uploads Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint.
upsert_network_locations Firewall Management Updates the network locations provided, and return the ID.
UpsertBusinessApplications ASPM Create or Update Business Applications
UpsertTags ASPM Create new or update existing tag. You can update unique tags table or regular tags table.
userActionV1 User Management Apply actions to one or more User. Available action names: reset_2fa, reset_password. User UUIDs can be provided in ids param as part of request payload.
userRolesActionV1 User Management Grant or Revoke one or more role(s) to a user against a CID. User UUID, CID and Role ID(s) can be provided in request payload. Available Action(s) : grant, revoke
ValidateCSPMGCPServiceAccountExt CSPM Registration Validates credentials for a service account
validate Custom IOA Validates field values and checks for matches if a test string is provided.
validate_filepath_pattern Firewall Management Validates that the test pattern matches the executable filepath glob pattern.
VerifyAWSAccountAccess Cloud Connect AWS Performs an Access Verification check on the specified AWS Account IDs
WorkflowActivitiesCombined Workflows Search workflow activities based on the provided filter
WorkflowDefinitionsCombined Workflows Search workflow definitions based on the provided filter
WorkflowDefinitionsExport Workflows Exports a workflow definition for the given definition ID
WorkflowDefinitionsImport Workflows Imports a workflow definition based on the provided model
WorkflowDefinitionsUpdate Workflows Updates a workflow definition based on the provided model.
WorkflowExecute Workflows Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response the execution ID(s)
WorkflowExecuteInternal Workflows Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response the execution ID(s).
WorkflowMockExecute Workflows Executes an on-demand Workflow with mocks.
WorkflowExecutionResults Workflows Get execution result of a given execution
WorkflowExecutionsAction Workflows Allows a user to resume/retry a failed workflow execution.
WorkflowExecutionsCombined Workflows Search workflow executions based on the provided filter
WorkflowGetHumanInputV1 Workflows Gets one or more specific human inputs by their IDs.
WorkflowTriggersCombined Workflows Search workflow triggers based on the provided filter
WorkflowUpdateHumanInputV1 Workflows Provides an input in response to a human input action. Depending on action configuration, one or more of Approve, Decline, and/or Escalate are permitted.
WorkflowSystemDefinitionsDeProvision Workflows Deprovisions a system definition that was previously provisioned on the target CID
WorkflowSystemDefinitionsPromote Workflows Promotes a version of a system definition for a customer. The customer must already have been provisioned. This allows the caller to apply an updated template version to a specific cid and expects all parameters to be supplied. If the template supports multi-instance the customer scope definition ID must be supplied to determine which customer workflow should be updated.
WorkflowSystemDefinitionsProvision Workflows Provisions a system definition onto the target CID by using the template and provided parameters
⚠️ **GitHub.com Fallback** ⚠️