Skip to content
CrowdStrike Developer Center

Workflows

The Workflows service collection provides operations for managing and executing CrowdStrike Falcon workflows. Search for workflow activities, triggers, definitions, and executions. Execute workflows on demand, import and export definitions, manage human input actions, and configure system definitions for multi-tenant deployments.

LanguageLast Update
Pythonv1.6.1
PowerShellv2.2.9
Gov0.20.0
TypeScriptv0.6.0
Rustv0.7.0
Rubyv1.2.0

Table of Contents

Section titled “Table of Contents”
OperationDescription
WorkflowActivitiesCombined
search_activities		Search for activities by name. Returns all supported activities if no filter is specified.
WorkflowActivitiesContentCombined
search_activities_content		Search for activities by name. Returns all supported activities if no filter specified.
WorkflowExecute
execute		Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response the execution ID(s)
WorkflowExecuteInternal
execute_internal		Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response the execution ID(s)
WorkflowMockExecute
mock_execute		Executes an on-demand Workflow with mocks
WorkflowExecutionsAction
execution_action		Allows a user to resume/retry a failed workflow execution.
WorkflowExecutionResults
execution_results		Get execution result of a given execution
WorkflowSystemDefinitionsDeProvision
deprovision		Deprovisions a system definition that was previously provisioned on the target CID
WorkflowSystemDefinitionsPromote
promote		Promote a version of a system definition
WorkflowSystemDefinitionsProvision
provision		Provisions a system definition onto the target CID by using the template and provided parameters
WorkflowDefinitionsCombined
search_definitions		Search workflow definitions based on the provided filter
WorkflowTriggersCombined
search_triggers		Search for triggers by namespaced identifier, i.e. FalconAudit, Detection, or FalconAudit/Detection/Status. Returns all triggers if no filter is specified.
WorkflowExecutionsCombined
search_executions		Search workflow executions based on the provided filter
WorkflowDefinitionsExport
export_definition		Exports a workflow definition for the given definition ID
WorkflowDefinitionsImport
import_definition		Imports a workflow definition based on the provided model
WorkflowDefinitionsAction
workflow_definition_action		Enable or disable a workflow definition, or stop all executions for a definition.
WorkflowDefinitionsUpdate
update_definition		Updates a workflow definition based on the provided model.
WorkflowGetHumanInputV1
get_human_input		Gets one or more specific human inputs by their IDs.
WorkflowUpdateHumanInputV1
update_human_input		Provides an input in response to a human input action. Depending on action configuration, one or more of Approve, Decline, and/or Escalate are permitted.
v1_child_executions_query
query_child_executions		Search for child executions by providing a FQL filter and paging details.

WorkflowActivitiesCombined

Section titled “WorkflowActivitiesCombined”

Search for activities by name. Returns all supported activities if no filter is specified.

GET /workflows/combined/activities/v1
Scope Workflow: READ Consumes · Produces application/json
PEP 8 search_activities

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringFQL query specifying filter parameters.
offsetquerystringStarting pagination offset of records to return.
limitqueryintegerMaximum number of records to return.
sortquerystringSort items by providing a comma separated list of property and direction (eg name.desc, time.asc). If direction is omitted, defaults to descending.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


response = falcon.search_activities(filter="string",
                                    offset="string",
                                    limit=integer,
                                    sort="string")
print(response)

WorkflowActivitiesContentCombined

Section titled “WorkflowActivitiesContentCombined”

Search for activities by name. Returns all supported activities if no filter specified.

GET /workflows/combined/activity-content/v1
Scope Workflow: READ Consumes · Produces application/json
PEP 8 search_activities_content

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringFQL query specifying filter parameters.
limitqueryintegerMaximum number of records to return.
offsetquerystringStarting pagination offset of records to return.
sortquerystringSort items by providing a comma separated list of property and direction (eg name.desc,time.asc). If direction is omitted, defaults to descending.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


response = falcon.search_activities_content(filter="string",
                                            offset="string",
                                            limit=integer,
                                            sort="string")
print(response)

WorkflowExecute

Section titled “WorkflowExecute”

Execute an on-demand workflow. Response will contain the execution ID.

POST /workflows/entities/execute/v1
Scope Workflow: WRITE Consumes · Produces application/json
PEP 8 execute

Parameters

Section titled “Parameters”
NameTypeData typeDescription
definition_idquerystring or list of stringsDefinition ID to execute, either a name or an ID can be specified.
execution_cidquerystring or list of stringsCID(s) to execute on.
namequerystringWorkflow name to execute, either a name or an ID can be specified.
keyquerystringKey used to help deduplicate executions, if unset a new UUID is used
depthqueryintegerUsed to record the execution depth to help limit execution loops when a workflow triggers another. The maximum depth is 4.
source_event_urlquerystringUsed to record a URL to the source that led to triggering this workflow
parametersquerydictionaryFull query string parameters payload in JSON format.
bodybodydictionaryFull body payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


response = falcon.execute(definition_id="string",
                          execution_cid="string",
                          name="string",
                          key="string",
                          depth="string",
                          source_event_url="string")
print(response)

WorkflowExecuteInternal

Section titled “WorkflowExecuteInternal”

Execute an on-demand workflow. Response will contain the execution ID.

POST /workflows/entities/execute/internal/v1
Scope Workflow: WRITE Consumes · Produces application/json
PEP 8 execute_internal

Parameters

Section titled “Parameters”
NameTypeData typeDescription
batch_sizequeryintegerUsed to set the size of the batch.
definition_idquerystring or list of stringsDefinition ID to execute, either a name or an ID can be specified.
execution_cidquerystring or list of stringsCID(s) to execute on.
namequerystringWorkflow name to execute, either a name or an ID can be specified.
keyquerystringKey used to help deduplicate executions, if unset a new UUID is used
depthqueryintegerUsed to record the execution depth to help limit execution loops when a workflow triggers another. The maximum depth is 4.
source_event_urlquerystringUsed to record a URL to the source that led to triggering this workflow
parametersquerydictionaryFull query string parameters payload in JSON format.
bodybodydictionaryFull body payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


response = falcon.execute_internal(batch_size=integer,
                                   definition_id="string",
                                   execution_cid="string",
                                   name="string",
                                   key="string",
                                   depth="string",
                                   source_event_url="string")
print(response)

WorkflowMockExecute

Section titled “WorkflowMockExecute”

Execute an on-demand workflow with mocks.

POST /workflows/entities/mock-executions/v1
Scope Workflow: WRITE Consumes · Produces application/json
PEP 8 mock_execute

Parameters

Section titled “Parameters”
NameTypeData typeDescription
definition_idquerystring or list of stringsDefinition ID to execute, either a name or an ID can be specified.
execution_cidquerystring or list of stringsCID(s) to execute on.
namequerystringWorkflow name to execute, either a name or an ID can be specified.
keyquerystringKey used to help deduplicate executions, if unset a new UUID is used
depthqueryintegerUsed to record the execution depth to help limit execution loops when a workflow triggers another. The maximum depth is 4.
source_event_urlquerystringUsed to record a URL to the source that led to triggering this workflow
skip_validationquerybooleanSkip validation of the workflow definition.
ignore_activity_mock_referencesquerybooleanIgnore activity mock references during execution.
validate_onlyquerybooleanPrevent execution after validating mocks against definition.
parametersquerydictionaryFull query string parameters payload in JSON format.
bodybodydictionaryFull body payload in JSON format containing the schema definition, mocks, and the on demand trigger.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


response = falcon.mock_execute(definition_id="string",
                               execution_cid="string",
                               ignore_activity_mock_references="string",
                               name="string",
                               key="string",
                               depth="string",
                               skip_validation="string",
                               source_event_url="string",
                               validate_only=boolean)
print(response)

WorkflowExecutionsAction

Section titled “WorkflowExecutionsAction”

Allows a user to resume/retry a failed workflow execution.

POST /workflows/entities/execution-actions/v1
Scope Workflow: WRITE Consumes · Produces application/json
PEP 8 execution_action

Parameters

Section titled “Parameters”
NameTypeData typeDescription
action_namequerystringSpecify one of these actions: resume - resume/retry the workflow execution(s) specified in ids. cancel - cancel the workflow execution(s) specified in ids.
action_parametersbodylist of dictionariesList of actions to perform.
idsbodystring or list of stringsExecution IDs.
bodybodydictionaryFull body payload in JSON format. Not required when using other keywords.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


action_parameters = [
    {
        "name": "string",
        "value": "string"
    }
]


response = falcon.execution_action(action_name="string",
                                   action_parameters=action_parameters,
                                   ids=id_list,
                                   name="string",
                                   value="string")
print(response)

WorkflowExecutionResults

Section titled “WorkflowExecutionResults”

Get execution result of a given execution

GET /workflows/entities/execution-results/v1
Scope Workflow: READ Consumes · Produces application/json
PEP 8 execution_results

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsWorkflow execution ID to return results for.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.execution_results(ids=id_list)
print(response)

WorkflowSystemDefinitionsDeProvision

Section titled “WorkflowSystemDefinitionsDeProvision”

Deprovisions a system definition that was previously provisioned on the target CID.

POST /workflows/system-definitions/deprovision/v1
Scope Workflow: WRITE Consumes · Produces application/json
PEP 8 deprovision

Parameters

Section titled “Parameters”
NameTypeData typeDescription
definition_idbodystringWorkflow definition ID.
deprovision_allbodybooleanFlag indicating if all workflows should be deprovisioned.
template_idbodystringTemplate ID.
template_namebodystringTemplate name.
bodybodydictionaryFull body payload in JSON format. Not required when using other keywords.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


response = falcon.deprovision(definition_id="string",
                              deprovision_all=boolean,
                              template_id="string",
                              template_name="string")
print(response)

WorkflowSystemDefinitionsPromote

Section titled “WorkflowSystemDefinitionsPromote”

Promote a version of a system definition.

Tenant must be already provisioned. This allows the caller to apply an updated template version on a CID and expects all parameters to be supplied. If the template supports multi-instance, the customer scope definition ID must be supplied to determine which customer workflow should be update.

POST /workflows/system-definitions/promote/v1
Scope Workflow: WRITE Consumes · Produces application/json
PEP 8 promote

Parameters

Section titled “Parameters”
NameTypeData typeDescription
activitiesbodydictionaryDictionary of workflow activities.
conditionsbodylist of dictionariesList of workflow conditions.
customer_definition_idbodystringCustomer definition ID.
namebodystringName of the workflow.
parametersbodydictionaryOverrides specified activities, conditions and trigger keywords.
template_idbodystringTemplate ID.
template_namebodystringTemplate name.
template_versionbodystringTemplate version.
triggerbodydictionaryWorkflow trigger definition.
bodybodydictionaryFull body payload in JSON format. Not required when using other keywords.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


response = falcon.promote(activities={},
                          conditions=[{"key": "value"}],
                          customer_definition_id="string",
                          name="string",
                          template_id="string",
                          template_name="string",
                          template_version="string",
                          trigger={})
print(response)

WorkflowSystemDefinitionsProvision

Section titled “WorkflowSystemDefinitionsProvision”

Provisions a system definition onto the target CID by using the template and provided parameters.

POST /workflows/system-definitions/provision/v1
Scope Workflow: WRITE Consumes · Produces application/json
PEP 8 provision

Parameters

Section titled “Parameters”
NameTypeData typeDescription
activitiesbodydictionaryDictionary of workflow activities.
conditionsbodylist of dictionariesList of workflow conditions.
customer_definition_idbodystringCustomer definition ID.
namebodystringWorkflow name.
parametersbodydictionaryOverrides specified activities, conditions and trigger keywords.
template_idbodystringTemplate ID.
template_namebodystringTemplate name.
template_versionbodystringTemplate version.
triggerbodydictionaryWorkflow trigger definition.
bodybodydictionaryFull body payload in JSON format. Not required when using other keywords.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


response = falcon.provision(activities={},
                            conditions=[{"key": "value"}],
                            name="string",
                            template_id="string",
                            template_name="string",
                            template_version="string",
                            trigger={})
print(response)

WorkflowDefinitionsCombined

Section titled “WorkflowDefinitionsCombined”

Search workflow definitions based on the provided filter.

GET /workflows/combined/definitions/v1
Scope Workflow: READ Consumes · Produces application/json
PEP 8 search_definitions

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringFQL query specifying filter parameters.
offsetquerystringStarting pagination offset of records to return.
limitqueryintegerMaximum number of records to return.
sortquerystringSort items by providing a comma separated list of property and direction (eg name.desc, time.asc). If direction is omitted, defaults to descending.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


response = falcon.search_definitions(filter="string",
                                     offset="string",
                                     limit=integer,
                                     sort="string")
print(response)

WorkflowTriggersCombined

Section titled “WorkflowTriggersCombined”

Search for triggers by namespaced identifier, i.e. FalconAudit, Detection, or FalconAudit/Detection/Status. Returns all triggers if no filter is specified.

GET /workflows/combined/triggers/v1
Scope Workflow: READ Consumes · Produces application/json
PEP 8 search_triggers

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringFQL query specifying filter parameters.
offsetquerystringStarting pagination offset of records to return.
limitqueryintegerMaximum number of records to return.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


response = falcon.search_triggers(filter="string",
                                  offset="string",
                                  limit=integer)
print(response)

WorkflowExecutionsCombined

Section titled “WorkflowExecutionsCombined”

Search workflow executions based on the provided filter.

GET /workflows/combined/executions/v1
Scope Workflow: READ Consumes · Produces application/json
PEP 8 search_executions

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringFQL query specifying filter parameters.
offsetquerystringStarting pagination offset of records to return.
limitqueryintegerMaximum number of records to return.
sortquerystringSort items by providing a comma separated list of property and direction (eg name.desc, time.asc). If direction is omitted, defaults to descending.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


response = falcon.search_executions(filter="string",
                                    offset="string",
                                    limit=integer,
                                    sort="string")
print(response)

WorkflowDefinitionsExport

Section titled “WorkflowDefinitionsExport”

Exports a workflow definition for the given definition ID.

GET /workflows/entities/definitions/export/v1
Scope Workflow: READ Consumes · Produces application/json · application/yaml
PEP 8 export_definition

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idquerystringID of workflow definitions to return details for.
sanitizequerybooleanSanitize PII from workflow before it is exported.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


response = falcon.export_definition(id="string", sanitize=boolean)
print(response)

WorkflowDefinitionsImport

Section titled “WorkflowDefinitionsImport”

Imports a workflow definition based on the provided model

POST /workflows/entities/definitions/import/v1
Scope Workflow: WRITE Consumes · Produces multipart/form-data
PEP 8 import_definition

Parameters

Section titled “Parameters”
NameTypeData typeDescription
data_fileformDatafileA workflow definition in YAML format to import. Can be the file location or the file contents.
namequerystringWorkflow name to override.
validate_onlyquerybooleanWhen enabled, prevents saving workflow after validating.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


response = falcon.import_definition(data_file="string",
                                    name="string",
                                    validate_only=boolean)
print(response)

WorkflowDefinitionsAction

Section titled “WorkflowDefinitionsAction”

Enable or disable a workflow definition, or stop all executions for a definition.

When a definition is disabled it will not execute against any new trigger events.

POST /workflows/entities/definition-actions/v1
Scope Workflow: WRITE Consumes · Produces application/json
PEP 8 workflow_definition_action

Parameters

Section titled “Parameters”
NameTypeData typeDescription
action_namequerystringSpecify one of these actions: enable - enable the workflow(s) specified in ids, disable - disable the workflow(s) specified in ids, cancel - cancel all in-flight executions for the workflow specified in ids. Required parameter.
idsbodystring or list of stringsID(s) of workflow definitions to perform the action against.
bodybodydictionaryFull body payload in JSON format. Required parameter.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.workflow_definition_action(action_name="string", ids=id_list)
print(response)

WorkflowDefinitionsUpdate

Section titled “WorkflowDefinitionsUpdate”

Updates a workflow definition based on the provided model.

PUT /workflows/entities/definitions/v1
Scope Workflow: WRITE Consumes · Produces application/json
PEP 8 update_definition

Parameters

Section titled “Parameters”
NameTypeData typeDescription
change_logbodystringWorkflow revision change log comment.
definitionbodydictionaryWorkflow definition parameters.
flight_controlbodydictionaryWorkflow flight control functionality definitions.
idbodystringWorkflow ID to update.
validate_onlyquerybooleanWhen enabled, prevents saving workflow after validating.
bodybodydictionaryFull workflow definition with all parameters in JSON format.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


response = falcon.update_definition(validate_only=boolean,
                                    definition={},
                                    change_log="string",
                                    enabled="string",
                                    flight_control={},
                                    id="string")
print(response)

WorkflowGetHumanInputV1

Section titled “WorkflowGetHumanInputV1”

Gets one or more specific human inputs by their IDs.

GET /workflows/entities/human-inputs/v1
Scope Workflow: READ Consumes · Produces application/json
PEP 8 get_human_input

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsID(s) of human inputs to retrieve.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_human_input(ids=id_list)
print(response)

WorkflowUpdateHumanInputV1

Section titled “WorkflowUpdateHumanInputV1”

Provides an input in response to a human input action. Depending on action configuration, one or more of Approve, Decline, and/or Escalate are permitted.

PATCH /workflows/entities/human-inputs/v1
Scope Workflow: WRITE Consumes · Produces application/json
PEP 8 update_human_input

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idquerystringID of human input to provide an input to.
inputbodystringInput value.
notebodystringInput note.
bodybodydictionaryFull body payload in JSON format.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


response = falcon.update_human_input(id="string", input="string", note="string")
print(response)

v1_child_executions_query

Section titled “v1_child_executions_query”

Search for child executions by providing a FQL filter and paging details. Returns the set of child workflow execution IDs which match the filter criteria.

GET /workflows/queries/child-executions/v1
Scope Workflow: READ Consumes · Produces application/json
PEP 8 query_child_executions

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringFQL query specifying filter parameters.
offsetquerystringStarting pagination offset of records to return.
limitqueryintegerMaximum number of records to return.
sortquerystringSort items by providing a comma separated list of property and direction (eg name.desc, time.asc). If direction is omitted, defaults to descending.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import Workflows


falcon = Workflows(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )


response = falcon.query_child_executions(filter="string",
                                         offset="string",
                                         limit=integer,
                                         sort=["string"])
print(response)
© 2026 CrowdStrike, Inc. All rights reserved. Privacy Notice Cookie Notice Terms of Use