Skip to content
CrowdStrike Developer Center

Drift Indicators

The Drift Indicators service collection provides operations for monitoring and investigating container drift activity. Retrieve drift indicator counts by date, query total counts over time, search and read drift indicator entities by criteria, fetch entities by ID, and query for matching indicator IDs.

LanguageLast Update
Pythonv1.4.2
PowerShellv2.2.9
Gov0.20.0
TypeScriptv0.6.0
Rustv0.7.0
Rubyv1.2.0

Table of Contents

Section titled “Table of Contents”
OperationDescription
GetDriftIndicatorsValuesByDate
get_drift_indicators_by_date		Returns the count of Drift Indicators by the date. by default it’s for 7 days.
ReadDriftIndicatorsCount
read_drift_indicator_counts		Returns the total count of Drift indicators over a time period
SearchAndReadDriftIndicatorEntities
search_and_read_drift_indicators		Retrieve Drift Indicators by the provided search criteria
ReadDriftIndicatorEntities
read_drift_indicator_entities		Retrieve Drift Indicator entities identified by the provided IDs
SearchDriftIndicators
search_drift_indicators		Retrieve all drift indicators that match the given query

GetDriftIndicatorsValuesByDate

Section titled “GetDriftIndicatorsValuesByDate”

Returns the count of Drift Indicators by the date. by default it’s for 7 days.

GET /container-security/aggregates/drift-indicators/count-by-date/v1
Scope Drift Indicators: READ Consumes · Produces application/json
PEP 8 get_drift_indicators_by_date

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringFilter drift indicators using a query in Falcon Query Language (FQL). Supported filters: cid,cloud_name,command_line,container_id,file_name,file_sha256,host_id,indicator_process_id,namespace,occurred_at,parent_process_id,pod_name,prevented,scheduler_name,severity,worker_node_name
limitqueryintegerThe upper-bound on the number of records to retrieve.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import DriftIndicators


falcon = DriftIndicators(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )


response = falcon.get_drift_indicators_by_date(filter="string", limit=integer)
print(response)

ReadDriftIndicatorsCount

Section titled “ReadDriftIndicatorsCount”

Returns the total count of Drift indicators over a time period

GET /container-security/aggregates/drift-indicators/count/v1
Scope Drift Indicators: READ Consumes · Produces application/json
PEP 8 read_drift_indicator_counts

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringFilter images using a query in Falcon Query Language (FQL). Supported filters: cid,cloud_name,command_line,container_id,file_name,file_sha256,host_id,indicator_process_id,namespace,occurred_at,parent_process_id,pod_name,prevented,scheduler_name,severity,worker_node_name
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import DriftIndicators


falcon = DriftIndicators(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )


response = falcon.read_drift_indicator_counts(filter="string")
print(response)

SearchAndReadDriftIndicatorEntities

Section titled “SearchAndReadDriftIndicatorEntities”

Retrieve Drift Indicators by the provided search criteria

GET /container-security/combined/drift-indicators/v1
Scope Drift Indicators: READ Consumes · Produces application/json
PEP 8 search_and_read_drift_indicators

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringFilter Drift Indicators using a query in Falcon Query Language (FQL). Supported filters: cid, cloud_name, command_line, container_id, file_name, file_sha256, host_id, indicator_process_id, namespace, occurred_at, parent_process_id, pod_name, prevented, scheduler_name, severity, worker_node_name
limitqueryintegerThe upper-bound on the number of records to retrieve.
offsetqueryintegerThe offset from where to begin.
parametersquerydictionaryFull query string parameters payload in JSON format.
sortquerystringThe fields to sort the records on.

Code Examples

Section titled “Code Examples”
from falconpy import DriftIndicators


falcon = DriftIndicators(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )


response = falcon.search_and_read_drift_indicators(filter="string",
                                                   limit=integer,
                                                   offset=integer,
                                                   sort="string")
print(response)

ReadDriftIndicatorEntities

Section titled “ReadDriftIndicatorEntities”

Retrieve Drift Indicator entities identified by the provided IDs

GET /container-security/entities/drift-indicators/v1
Consumes · Produces application/json
PEP 8 read_drift_indicator_entities

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsqueryarray (string)Search Drift Indicators by ids - The maximum amount is 100 IDs
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import DriftIndicators


falcon = DriftIndicators(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.read_drift_indicator_entities(ids=id_list)
print(response)

SearchDriftIndicators

Section titled “SearchDriftIndicators”

Retrieve all drift indicators that match the given query

GET /container-security/queries/drift-indicators/v1
Scope Drift Indicators: READ Consumes · Produces application/json
PEP 8 search_drift_indicators

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringFilter Drift Indicators using a query in Falcon Query Language (FQL). Supported filters: cid, cloud_name, command_line, container_id, file_name, file_sha256, host_id, indicator_process_id, namespace, occurred_at, parent_process_id, pod_name, prevented, scheduler_name, severity, worker_node_name
limitqueryintegerThe upper-bound on the number of records to retrieve.
offsetqueryintegerThe offset from where to begin.
parametersquerydictionaryFull query string parameters payload in JSON format.
sortquerystringThe fields to sort the records on.

Code Examples

Section titled “Code Examples”
from falconpy import DriftIndicators


falcon = DriftIndicators(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )


response = falcon.search_drift_indicators(filter="string",
                                          limit=integer,
                                          offset=integer,
                                          sort="string")
print(response)
© 2026 CrowdStrike, Inc. All rights reserved. Privacy Notice Cookie Notice Terms of Use