Operations by Collection

An operation is a request against a specific endpoint within the CrowdStrike API. Each operation combines an HTTP method with an API endpoint and has a unique Operation ID. No two operations share the same method/endpoint combination.

Every operation within every service collection has a unique, case-sensitive string identifier. Operation IDs are used throughout the CrowdStrike SDKs to reference specific API calls — as method names, function parameters, and endpoint identifiers across all supported languages. They also serve as the primary way to locate operation details within this documentation.

The tables below list all available operations grouped by their service collection. Each Operation ID links to the full operation details including parameters, request body schema, and code examples.

Admission Control Policies

Operation ID	Description
admission_control_get_policies	Get admission control policies.
admission_control_create_policy	Create an admission control policy.
admission_control_update_policy	Update an admission control policy.
admission_control_delete_policies	Delete an admission control policy.
admission_control_add_host_groups	Add one or more host groups to an admission control policy.
admission_control_remove_host_groups	Remove one or more host groups from an admission control policy.
admission_control_update_policy_precedence	Update admission control policy precedence.
admission_control_add_rule_group_custom_rule	Add one or more custom Rego rules to a rule group in an admission control policy.
admission_control_remove_rule_group_custom_rule	Delete one or more custom Rego rules from all rule groups in an admission control policy.
admission_control_set_rule_group_precedence	Change precedence of rule groups within an admission control policy.
admission_control_replace_rule_group_selectors	Replace labels and/or namespaces of a rule group within an admission control policy.
admission_control_create_rule_groups	Create one or more rule groups and add them to an existing admission control policy.
admission_control_update_rule_groups	Update a rule group.
admission_control_delete_rule_groups	Delete rule groups.
admission_control_query_policies	Search admission control policies.

Alerts

Operation ID	Description
PostAggregatesAlertsV1	Retrieve aggregates for alerts across all CIDs.
PostAggregatesAlertsV2	Retrieve aggregates for alerts across all CIDs.
PostCombinedAlertsV1	Retrieves all Alerts that match a particular FQL filter. This API is intended for retrieval of large amounts of Alerts(>10k) using a pagination based on a after token.
PatchEntitiesAlertsV2	Perform actions on alerts identified by alert ID(s) in request.
PatchEntitiesAlertsV3	Perform actions on alerts identified by alert ID(s) in request.
PostEntitiesAlertsV1	Retrieve all alerts given their IDs.
PostEntitiesAlertsV2	Retrieve all alerts given their IDs.
GetQueriesAlertsV1	Search for alert IDs that match a given query.
GetQueriesAlertsV2	Search for alert IDs that match a given query.

API Integrations

Operation ID	Description
GetCombinedPluginConfigs	Queries for config resources and returns details
ExecuteCommandProxy	Execute a command and proxy the response directly.
ExecuteCommand	Execute a command.

ASPM

Operation ID	Description
ExecuteFunctionDataCount	A selected list of queryLanguage count queries.
ExecuteFunctionsCount	A selected list of queryLanguage count queries.
ExecuteFunctionDataQueryCount	A selected list of queryLanguage count queries.
ExecuteFunctionsQueryCount	A selected list of queryLanguage count queries.
ExecuteFunctionData	A selected list of queryLanguage queries.
ExecuteFunctionsOvertime	A selected list of queryLanguage overtime queries.
ExecuteFunctions	A selected list of queryLanguage services queries.
ExecuteFunctionDataQuery	A selected list of queryLanguage queries.
ExecuteFunctionsQueryOvertime	A selected list of queryLanguage overtime queries.
ExecuteFunctionsQuery	A selected list of queryLanguage services queries.
getServiceArtifacts	Retrieve service artifacts.
UpsertBusinessApplications	Create or Update Business Applications
GetCloudSecurityIntegrationState	Get Cloud Security integration state.
SetCloudSecurityIntegrationState	Set Cloud Security integration state.
GetExecutorNodes	Get all the relay nodes
UpdateExecutorNode	Update an existing relay node
CreateExecutorNode	Create a new relay node
GetExecutorNodesMetadata	Get metadata about all executor nodes.
DeleteExecutorNode	Delete a relay node
RetrieveRelayInstances	Retrieve the relay instances in CSV format.
GetIntegrationTasks	Get all the integration tasks
CreateIntegrationTask	Create new integration task.
GetIntegrationTasksMetadata	Get metadata about all integration tasks.
GetIntegrationTasksV2	Get all the integration tasks.
UpdateIntegrationTask	Update an existing integration task by its ID
DeleteIntegrationTask	Delete an existing integration task by its ID
RunIntegrationTask	Run an integration task by its ID
RunIntegrationTaskAdmin	Run an integration task by its ID with admin scope.
RunIntegrationTaskV2	Run an integration task by its ID
GetIntegrationTypes	Get all the integration types
GetIntegrations	Get a list of all the integrations
CreateIntegration	Create a new integration
GetIntegrationsV2	Get a list of all the integrations.
UpdateIntegration	Update an existing integration by its ID
DeleteIntegration	Delete an existing integration by its ID
ExecuteQuery	Execute a query. The syntax used is identical to that of the query page.
ServiceNowGetDeployments	Retrieve ServiceNow deployments
ServiceNowGetServices	Retrieve ServiceNow services.
GetServicesCount	Get the total amount of existing services
GetServiceViolationTypes	Get the different types of violation
GetTags	Get all the tags
UpsertTags	Create new or update existing tag. You can update unique tags table or regular tags table
DeleteTags	Remove existing tags
DeleteGroup
GetGroupHierarchy	Get group hierarchy
GetGroupV2	Get group details
GetGroupsV2
GetIntegrationTasksAdmin	Get all the integration tasks, requires admin scope
GetUsersV2	List users
PostGroupV2	Create group
UpdateDefaultGroup	Update default group
UpdateGroup	Update group

CAO Hunting

Operation ID	Description
AggregateHuntingGuides	Aggregate Hunting Guides
AggregateIntelligenceQueries	Aggregate intelligence queries.
GetArchiveExport	Creates an Archive Export.
GetHuntingGuides	Retrieves a list of Hunting Guides
GetIntelligenceQueries	Retrieves a list of Intelligence queries.
SearchHuntingGuides	Search for Hunting Guides that match the provided conditions
SearchIntelligenceQueries	Search intelligence queries that match the provided conditions.

Case Management

Operation ID	Description
aggregates_file_details_post_v1	Get file details aggregates as specified via json in the request body.
combined_file_details_get_v1	Query file details
entities_files_upload_post_v1	Upload file for case
entities_file_details_patch_v1	Update file details
entities_file_details_get_v1	Get file details by id
entities_files_bulk_download_post_v1	Download multiple existing file from case as a ZIP
entities_files_download_get_v1	Download existing file from case
entities_files_delete_v1	Delete file details by id
queries_file_details_get_v1	Query for ids of file details
entities_get_rtr_file_metadata_post_v1	Get metadata for a file via RTR without retrieving it.
entities_retrieve_rtr_file_post_v1	Retrieve a file from host using RTR and add it to a case.
entities_retrieve_rtr_recent_file_post_v1	Retrieve a recently fetched RTR file and add it to a case.
aggregates_notification_groups_post_v1	Get notification groups aggregations
aggregates_notification_groups_post_v2	Get notification groups aggregations
aggregates_slas_post_v1	Get SLA aggregations
aggregates_templates_post_v1	Get templates aggregations
aggregates_access_tags_post_v1	Get access tag aggregates.
entities_access_tags_get_v1	Get access tags.
entities_notification_groups_get_v1	Get notification groups by ID
entities_notification_groups_post_v1	Create notification group
entities_notification_groups_patch_v1	Update notification group
entities_notification_groups_delete_v1	Delete notification groups by ID
entities_notification_groups_get_v2	Get notification groups by ID
entities_notification_groups_post_v2	Create notification group
entities_notification_groups_patch_v2	Update notification group
entities_notification_groups_delete_v2	Delete notification groups by ID
entities_fields_get_v1	Get fields by ID
entities_slas_get_v1	Get SLAs by ID
entities_slas_post_v1	Create SLA
entities_slas_patch_v1	Update SLA
entities_slas_delete_v1	Delete SLAs
entities_template_snapshots_get_v1	Get template snapshots
entities_templates_export_get_v1	Export templates to files in a zip archive
entities_templates_import_post_v1	Import a template from a file
entities_templates_get_v1	Get templates by ID
entities_templates_post_v1	Create template
entities_templates_patch_v1	Update template
entities_templates_delete_v1	Delete templates
queries_access_tags_get_v1	Query access tags.
queries_fields_get_v1	Query fields
queries_notification_groups_get_v1	Query notification groups
queries_notification_groups_get_v2	Query notification groups
queries_slas_get_v1	Query SLAs
queries_template_snapshots_get_v1	Query template snapshots
queries_templates_get_v1	Query templates
entities_alert_evidence_post_v1	Adds the given list of alert evidence to the specified case.
entities_case_tags_post_v1	Adds the given list of tags to the specified case.
entities_case_tags_delete_v1	Removes the specified tags from the specified case.
entities_cases_put_v2	Creates the given Case
entities_cases_post_v2	Retrieves all Cases given their IDs.
entities_cases_patch_v2	Updates given fields on the specified case.
entities_event_evidence_post_v1	Adds the given list of event evidence to the specified case.
queries_cases_get_v1	Retrieves all Cases IDs that match a given query.

Certificate Based Exclusions

Operation ID	Description
cb_exclusions_get_v1	Find all exclusion IDs matching the query with filter.
cb_exclusions_create_v1	Create new Certificate Based Exclusions.
cb_exclusions_delete_v1	Delete the exclusions by id.
cb_exclusions_update_v1	Updates existing Certificate Based Exclusions.
certificates_get_v1	Retrieves certificate signing information for a file.
cb_exclusions_query_v1	Search for cert-based exclusions.

Cloud AWS Registration

Operation ID	Description
cloud_registration_aws_create_account	Creates a new account in our system for a customer.
cloud_registration_aws_delete_account	Deletes an existing AWS account or organization in our system.
cloud_registration_aws_get_accounts	Retrieve existing AWS accounts by account IDs.
cloud_registration_aws_query_accounts	Retrieve existing AWS accounts by account IDs.
cloud_registration_aws_trigger_health_check	Trigger health check scan for AWS accounts.
cloud_registration_aws_update_account	Patches a existing account in our system for a customer.
cloud_registration_aws_validate_accounts	Validates the AWS account registration status, and discover organization child accounts if organization is specified.

Cloud Azure Registration

Operation ID	Description
cloud_registration_azure_create_registration	Create an Azure registration for a tenant.
cloud_registration_azure_delete_legacy_subscription	Delete existing legacy Azure subscriptions.
cloud_registration_azure_delete_registration	Deletes existing Azure registrations.
cloud_registration_azure_download_script	Retrieve script to create resources.
cloud_registration_azure_get_registration	Retrieve existing Azure registration for a tenant.
cloud_registration_azure_trigger_health_check	Trigger health check scan for Azure registrations.
cloud_registration_azure_update_registration	Update an existing Azure registration for a tenant.
cloud_registration_azure_validate_registration	Validate an Azure registration by checking service principal, role assignments and deployment stack (if the deployment method is Bicep)
download_azure_script	Download Azure deployment script (Terraform or Bicep).

Cloud Connect AWS

Operation ID	Description
QueryAWSAccounts	Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria
GetAWSSettings	Retrieve a set of Global Settings which are applicable to all provisioned AWS accounts
GetAWSAccounts	Retrieve a set of AWS Accounts by specifying their IDs
ProvisionAWSAccounts	Provision AWS Accounts by specifying details about the accounts to provision
DeleteAWSAccounts	Delete a set of AWS Accounts by specifying their IDs
UpdateAWSAccounts	Update AWS Accounts by specifying the ID of the account and details to update
CreateOrUpdateAWSSettings	Create or update Global Settings which are applicable to all provisioned AWS accounts
VerifyAWSAccountAccess	Performs an Access Verification check on the specified AWS Account IDs
QueryAWSAccountsForIDs	Search for provisioned AWS Accounts by providing a FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria

Cloud GCP Registration

Operation ID	Description
cloud_registration_gcp_get_entities	Retrieve all GCP entities (organizations, folders, projects) grouped by type with support for FQL filtering, sorting, and pagination.
cloud_registration_gcp_trigger_health_check	Trigger health check scan for GCP registrations
cloud_registration_gcp_get_registration	Retrieve a Google Cloud Registration.
cloud_registration_gcp_put_registration	Creates/Updates a Google Cloud Registration.
cloud_registration_gcp_create_registration	Create a Google Cloud Registration.
cloud_registration_gcp_update_registration	Update a Google Cloud Registration.
cloud_registration_gcp_delete_registration	Deletes a Google Cloud Registration and returns the deleted registration in the response body.

Cloud Google Cloud Registration

Operation ID	Description
cloud_registration_gcp_get_entities	Retrieve all GCP entities (organizations, folders, projects) grouped by type with support for FQL filtering, sorting, and pagination.
cloud_registration_gcp_trigger_health_check	Trigger health check scan for GCP registrations
cloud_registration_gcp_get_registration	Retrieve a Google Cloud Registration.
cloud_registration_gcp_put_registration	Creates/Updates a Google Cloud Registration.
cloud_registration_gcp_create_registration	Create a Google Cloud Registration.
cloud_registration_gcp_delete_registration	Deletes a Google Cloud Registration and returns the deleted registration in the response body.
cloud_registration_gcp_update_registration	Update a Google Cloud Registration.

Cloud OCI Registration

Operation ID	Description
cloud_security_registration_oci_get_account	Retrieve a list of OCI tenancies with support for FQL filtering, sorting, and pagination
cloud_security_registration_oci_rotate_key	Refresh key for the OCI Tenancy
cloud_security_registration_oci_validate_tenancy	Validate the OCI account in CSPM for a provided CID. For internal clients only.
cloud_security_registration_oci_create_account	Create OCI tenancy account in CSPM
cloud_security_registration_oci_delete_account	Delete an existing OCI tenancy in CSPM.
cloud_security_registration_oci_update_account	Update an existing OCI account.
cloud_security_registration_oci_download_script	Retrieve script to create resources in tenancy OCID

Cloud Policies

Operation ID	Description
GetRuleInputSchema	Get rule input schema for given resource type.
ReplaceControlRules	Assign rules to a compliance control (full replace).
GetComplianceControls	Get compliance controls by ID.
CreateComplianceControl	Create a new custom compliance control.
UpdateComplianceControl	Update a custom compliance control.
DeleteComplianceControl	Delete custom compliance controls.
QueryComplianceControls	Query for compliance controls by various parameters.
GetRule	Get a rule by id.
RenameSectionComplianceFramework	Rename a section in a custom compliance framework.
GetComplianceFrameworks	Get compliance frameworks by ID.
CreateComplianceFramework	Create a new custom compliance framework.
UpdateComplianceFramework	Update a custom compliance framework.
DeleteComplianceFramework	Delete a custom compliance framework and all associated controls and rule assignments.
GetEnrichedAsset	Get enriched assets that combine a primary resource with all its related resources.
GetEvaluationResult	Get evaluation results based on the provided rule.
GetRuleOverride	Get a rule override by ID.
CreateRuleOverride	Create a new rule override.
UpdateRuleOverride	Update a rule override.
DeleteRuleOverride	Delete a rule override.
CreateRuleMixin0	Create a new rule.
UpdateRule	Update a rule.
DeleteRuleMixin0	Delete a rule.
QueryComplianceFrameworks	Query for compliance frameworks by various parameters.
QueryRule	Query for rules by various parameters.
GetSuppressionRules	Get Suppression Rules by ID.
CreateSuppressionRule	Create a new suppression rule.
UpdateSuppressionRule	Update a suppression rule.
DeleteSuppressionRules	Delete Suppression Rules by ID.
QuerySuppressionRules	Query suppression rules with filtering, sorting and pagination.

Cloud Security

Operation ID	Description
combined_cloud_risks	Get cloud risks with full details based on filters and sort criteria.
ListCloudGroupsExternal	Query Cloud Groups and return entities with full details.
ListCloudGroupsByIDExternal	Retrieve Cloud Groups by their UUIDs.
CreateCloudGroupExternal	Create a new Cloud Group with specified properties and selectors.
UpdateCloudGroupExternal	Update an existing Cloud Group’s properties.
DeleteCloudGroupsExternal	Delete Cloud Groups in batch by their UUIDs.
ListCloudGroupIDsExternal	Query Cloud Groups and return only their IDs.

Cloud Security Assets

Operation ID	Description
cloud_security_assets_combined_application_findings	Get findings for an application resource with pagination.
cloud_security_assets_combined_compliance_by_account	Get combined compliance by account.
cloud_security_assets_entities_get	Gets raw resources based on the provided IDs param. Maximum of 100 resources can be requested with this method. Use POST method with same path if more are required.
cloud_security_assets_queries	Query cloud security assets.

Cloud Security Compliance

Operation ID	Description
cloud_compliance_framework_posture_summaries	Get sections and requirements with scores for benchmarks.
cloud_compliance_rule_posture_summaries	Get compliance score and counts for rules.

Cloud Security Detections

Operation ID	Description
cspm_evaluations_combined_iom_by_rule	Return IOMs grouped by rule.
cspm_evaluations_iom_entities	Gets IOMs based on the provided IDs
cspm_evaluations_iom_queries	Gets a list of IOM IDs for the given parameters, filters and sort criteria.

Cloud Security Risks

Operation ID	Description
cloud_security_timeline_risks_enriched	Returns the enriched asset timeline. Rate limited to 500 requests per minute per CID. Exceeding this limit returns HTTP 429 (Too Many Requests).

Cloud Snapshots

Operation ID	Description
CombinedDetections	Search IaC Detections using a query in Falcon Query Language.
ReadDeploymentsCombined	Search for snapshot jobs identified by the provided filter.
RegisterCspmSnapshotAccount	Register customer cloud account for snapshot scanning.
ReadDeploymentsEntities	Retrieve snapshot jobs identified by the provided IDs.
CreateDeploymentEntity	Launch a snapshot scan for a given cloud asset.
GetCredentialsIAC	Gets the registry credentials (external endpoint).
GetScanReport	Retrieve the scan report for an instance.
GetCredentialsMixin0	Gets the registry credentials.

Configuration Assessment

Operation ID	Description
getCombinedAssessmentsQuery	Search for assessments in your environment by providing an FQL filter and paging details. Returns a set of HostFinding entities which match the filter criteria
getRuleDetails	Get rules details for provided one or more rule IDs

Configuration Assessment Evaluation Logic

Operation ID	Description
getEvaluationLogicMixin0	Get details on evaluation logic items by providing one or more finding IDs.

Container Alerts

Operation ID	Description
ReadContainerAlertsCountBySeverity	Get Container Alert counts by severity.
ReadContainerAlertsCount	Search Container Alerts by the provided search criteria.
SearchAndReadContainerAlerts	Search Container Alerts by the provided search criteria.

Container Detections

Operation ID	Description
GetRuntimeDetectionsCombinedV2	Retrieve image assessment detections identified by the provided filter criteria.
ReadDetectionsCountBySeverity	Aggregate counts of detections by severity.
ReadDetectionsCountByType	Aggregate counts of detections by detection type.
ReadDetectionsCount	Aggregate count of detections.
ReadCombinedDetections	Retrieve image assessment detections identified by the provided filter criteria.
ReadDetections	Retrieve image assessment detection entities identified by the provided filter criteria.
SearchDetections	Retrieve image assessment detection entities identified by the provided filter criteria.

Container Image Compliance

Operation ID	Description
extAggregateClusterAssessments	Get the assessments for each cluster.
extAggregateImageAssessments	Get the assessments for each image.
extAggregateRulesAssessments	Get the assessments for each rule.
extAggregateFailedContainersByRulesPath	Get the containers grouped into rules on which they failed.
extAggregateFailedContainersCountBySeverity	Get the failed containers count grouped into severity levels.
extAggregateFailedImagesByRulesPath	Get the images grouped into rules on which they failed.
extAggregateFailedImagesCountBySeverity	Get the failed images count grouped into severity levels.
extAggregateFailedRulesByClusters	Get the failed rules for each cluster grouped into severity levels.
extAggregateFailedRulesByImages	Get images with failed rules, rule count grouped by severity for each image.
extAggregateFailedRulesCountBySeverity	Get the failed rules count grouped into severity levels.
extAggregateRulesByStatus	Get the rules grouped by their statuses.

Container Images

Operation ID	Description
AggregateImageAssessmentHistory	Image assessment history
AggregateImageCountByBaseOS	Aggregate count of images grouped by Base OS distribution
AggregateImageCountByState	Aggregate count of images grouped by state
AggregateImageCount	Aggregate count of images
CombinedBaseImages	Retrieve base images identified by the provided filter criteria
GetCombinedImages	Get image assessment results by providing an FQL filter and paging details
CombinedImageByVulnerabilityCount	Retrieve top x images with the most vulnerabilities
CombinedImageDetail	Retrieve image entities identified by the provided filter criteria
ReadCombinedImagesExport	Retrieve images with an option to expand aggregated vulnerabilities/detections
CombinedImageIssuesSummary	Retrieve image issues summary such as Image detections, Runtime detections, Policies, vulnerabilities
CombinedImageVulnerabilitySummary	aggregates information about vulnerabilities for an image
CreateBaseImagesEntities	Creates base images using the provided details
DeleteBaseImages	Delete base images by base image UUID

Container Packages

Operation ID	Description
ReadPackagesByImageCount	Retrieves the N most frequently used packages across images.
ReadPackagesCountByZeroDay	Retrieve packages count affected by zero day vulnerabilities.
ReadPackagesByFixableVulnCount	Retrieve top x app packages with the most fixable vulnerabilities.
ReadPackagesByVulnCount	Retrieve top x packages with the most vulnerabilities.
ReadPackagesCombinedExport	Retrieve packages identified by the provided filter criteria for the purpose of export.
ReadPackagesCombined	Retrieve packages identified by the provided filter criteria.
ReadPackagesCombinedV2	Retrieve packages identified by the provided filter criteria.

Container Vulnerabilities

Operation ID	Description
ReadVulnerabilityCountByActivelyExploited	Aggregate count of vulnerabilities grouped by actively exploited
ReadVulnerabilityCountByCPSRating	Aggregate count of vulnerabilities grouped by csp_rating
ReadVulnerabilityCountByCVSSScore	Aggregate count of vulnerabilities grouped by cvss score
ReadVulnerabilityCountBySeverity	Aggregate count of vulnerabilities grouped by severity
ReadVulnerabilityCount	Aggregate count of vulnerabilities
ReadVulnerabilitiesByImageCount	Retrieve top x vulnerabilities with the most impacted images
ReadVulnerabilitiesPublicationDate	Retrieve top x vulnerabilities with the most recent publication date
ReadCombinedVulnerabilitiesDetails	Retrieve vulnerability details related to an image
ReadCombinedVulnerabilitiesInfo	Retrieve vulnerability and package related info for this customer
ReadCombinedVulnerabilities	Retrieve vulnerability and aggregate data filtered by the provided FQL

Content Update Policies

Operation ID	Description
queryCombinedContentUpdatePolicyMembers	Search for members of a Content Update Policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.
queryCombinedContentUpdatePolicies	Search for Content Update Policies in your environment by providing an FQL filter and paging details. Returns a set of Content Update Policies which match the filter criteria.
performContentUpdatePoliciesAction	Perform the specified action on the Content Update Policies specified in the request.
setContentUpdatePoliciesPrecedence	Sets the precedence of Content Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies when updating precedence.
getContentUpdatePolicies	Retrieve a set of Content Update Policies by specifying their IDs.
createContentUpdatePolicies	Create Content Update Policies by specifying details about the policy to create.
deleteContentUpdatePolicies	Delete a set of Content Update Policies by specifying their IDs.
updateContentUpdatePolicies	Update Content Update Policies by specifying the ID of the policy and details to update.
queryContentUpdatePolicyMembers	Search for members of a Content Update Policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.
queryPinnableContentVersions	Search for content versions available for pinning given the category.
queryContentUpdatePolicies	Search for Content Update Policies in your environment by providing an FQL filter and paging details. Returns a set of Content Update Policy IDs which match the filter criteria.

Correlation Rules

Operation ID	Description
aggregates_rule_versions_post_v1	Get rules aggregates as specified via json in the request body.
combined_rules_get_v1	Find all rules matching the query and filter.
combined_rules_get_v2	Find all rules matching the query and filter.
entities_latest_rules_get_v1	Retrieve latest rule versions by rule IDs.
entities_rule_versions_export_post_v1	Export rule versions.
entities_rule_versions_import_post_v1	Import rule versions.
entities_rule_versions_publish_patch_v1	Publish existing rule version.
entities_rule_versions_delete_v1	Delete versions by IDs.
entities_rules_get_v1	Retrieve rules by IDs.
entities_rules_post_v1	Create a correlation rule.
entities_rules_delete_v1	Delete rules by IDs.
entities_rules_patch_v1	Update a correlation rule.
entities_rules_get_v2	Retrieve rule versions by IDs.
queries_rules_get_v1	Find all rule IDs matching the query and filter.
queries_rules_get_v2	Find all rule version IDs matching the query and filter.
queries_templates_get_v1Mixin0	Search rule template IDs matching the filter.
entities_templates_rules_post_v1	Create rule from template.
entities_templates_get_v1Mixin0	Retrieve rule templates by IDs.

Correlation Rules Admin

Operation ID	Description
entities_rules_ownership_put_v1	Change the owner of an existing Correlation Rule

CSPM Registration

Operation ID	Description
GetCSPMAwsAccount	Returns information about the current status of an AWS account.
CreateCSPMAwsAccount	Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access.
DeleteCSPMAwsAccount	Deletes an existing AWS account or organization in our system.
PatchCSPMAwsAccount	Patches a existing account in our system for a customer.
GetCSPMAwsConsoleSetupURLs	Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment.
GetCSPMAwsAccountScriptsAttachment	Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment.
GetCSPMAzureAccount	Return information about Azure account registration
CreateCSPMAzureAccount	Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.
DeleteCSPMAzureAccount	Deletes an Azure subscription from the system.
UpdateCSPMAzureAccountClientID	Update an Azure service account in our system by with the user-created client_id created with the public key we’ve provided
UpdateCSPMAzureTenantDefaultSubscriptionID	Update an Azure default subscription_id in our system for given tenant_id
AzureDownloadCertificate	Returns JSON object(s) that contain the base64 encoded certificate for a service principal.
AzureRefreshCertificate	Refresh certificate and returns JSON object(s) that contain the base64 encoded certificate for a service principal.
GetCSPMAzureUserScriptsAttachment	Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment
GetBehaviorDetections	Retrieve a list of detected behaviors.
GetConfigurationDetections	Retrieve a list of active misconfigurations.
GetConfigurationDetectionEntities	Get misconfigurations based on the ID - including custom policy detections in addition to default policy detections.
GetConfigurationDetectionIDsV2	Get a list of active misconfiguration ids - including custom policy detections in addition to default policy detections.
GetCSPMPolicy	Given a policy ID, returns detailed policy information.
GetCSPMPoliciesDetails	Given an array of policy IDs, returns detailed policies information.
GetCSPMPolicySettings	Returns information about current policy settings.
UpdateCSPMPolicySettings	Updates a policy setting - can be used to override policy severity or to disable a policy entirely.
GetCSPMScanSchedule	Returns scan schedule configuration for one or more cloud platforms.
UpdateCSPMScanSchedule	Updates scan schedule configuration for one or more cloud platforms.
GetCSPMAzureManagementGroup	Return information about Azure management group registration
DeleteCSPMAzureManagementGroup	Deletes Azure management groups from the system.
CreateCSPMAzureManagementGroup	Creates a new management group in our system for a customer.
CreateCSPMGCPAccount	Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access.
DeleteCSPMGCPAccount	Deletes a GCP account from the system.
UpdateCSPMGCPAccount	Patches a existing account in our system for a customer.
ConnectCSPMGCPAccount	Creates a new GCP account with newly-uploaded service account or connects with existing service account with only the following fields: parent_id, parent_type and service_account_id
GetCSPMGCPServiceAccountsExt	Returns the service account id and client email for external clients.
UpdateCSPMGCPServiceAccountsExt	Updates an existing GCP service account.
GetCSPMGCPUserScriptsAttachment	Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment
GetCSPMGCPValidateAccountsExt	Run a synchronous health check.
ValidateCSPMGCPServiceAccountExt	Validates credentials for a service account
GetCSPMCGPAccount	Returns information about the current status of an GCP account.
UpdateCSPMAzureAccount	Patches a existing account in our system for a customer.
getCloudEventIDs	Get list of related cloud event LogScale IDs for a given IOA

Custom IOA

Operation ID	Description
get_patterns	Get pattern severities by ID.
get_platformsMixin0	Get platforms by ID.
get_rule_groupsMixin0	Get rule groups by ID.
create_rule_groupMixin0	Create a rule group for a platform with a name and an optional description. Returns the rule group.
delete_rule_groupsMixin0	Delete rule groups by ID.
update_rule_groupMixin0	Update a rule group. The following properties can be modified: name, description, enabled.
get_rule_types	Get rule types by ID.
get_rules_get	Get rules by ID and optionally version in the following format: ID[:version].
get_rulesMixin0	Get rules by ID and optionally version in the following format: ID[:version]. The max number of IDs is constrained by URL size.
create_rule	Create a rule within a rule group. Returns the rule.
delete_rules	Delete rules from a rule group by ID.
update_rules	Update rules within a rule group. Return the updated rules.
update_rules_v2	Update name, description, enabled or field_values for individual rules within a rule group.
validate	Validates field values and checks for matches if a test string is provided.
query_patterns	Get all pattern severity IDs.
query_platformsMixin0	Get all platform IDs.
query_rule_groups_full	Find all rule groups matching the query with optional filter.
query_rule_groupsMixin0	Finds all rule group IDs matching the query with optional filter.
query_rule_types	Get all rule type IDs.
query_rulesMixin0	Finds all rule IDs matching the query with optional filter.

Custom Storage

Operation ID	Description
ListCollections	List available collection names in alphabetical order.
DescribeCollections	Fetch metadata about one or more existing collections.
DescribeCollection	Fetch metadata about an existing collection.
ListObjects	List the object keys in the specified collection in alphabetical order.
SearchObjects	Search for objects that match the specified filter criteria (returns metadata, not actual objects).
GetObject	Get the bytes for the specified object.
PutObject	Put the specified new object at the given key or overwrite an existing object at the given key.
DeleteObject	Delete the specified object.
GetObjectMetadata	Get the metadata for the specified object.
ListSchemas	Get the list of schemas for the requested collection in reverse version order (latest first).
GetSchema	Get the bytes of the specified schema of the requested collection.
GetSchemaMetadata	Get the metadata for the specified schema of the requested collection.
ListObjectsByVersion	List the object keys in the specified collection in alphabetical order.
SearchObjectsByVersion	Search for objects that match the specified filter criteria (returns metadata, not actual objects).
GetVersionedObject	Get the bytes for the specified object.
PutObjectByVersion	Put the specified new object at the given key or overwrite an existing object at the given key.
DeleteVersionedObject	Delete the specified versioned object.
GetVersionedObjectMetadata	Get the metadata for the specified object.

D4C Registration

Operation ID	Description
GetD4CAwsAccount	Returns information about the current status of an AWS account.
CreateD4CAwsAccount	Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access.
DeleteD4CAwsAccount	Deletes an existing AWS account or organization in our system.
GetD4CAwsConsoleSetupURLs	Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment.
GetD4CAWSAccountScriptsAttachment	Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment.
GetDiscoverCloudAzureAccount	Return information about Azure account registration.
CreateDiscoverCloudAzureAccount	Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.
UpdateDiscoverCloudAzureAccountClientID	Update an Azure service account in our system by with the user-created client_id created with the public key we’ve provided.
GetDiscoverCloudAzureUserScriptsAttachment	Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment.
GetDiscoverCloudAzureUserScripts	Return a script for customer to run in their cloud environment to grant us access to their Azure environment.
DiscoverCloudAzureDownloadCertificate	Returns JSON object(s) that contain the base64 encoded certificate for a service principal.
GetDiscoverCloudAzureTenantIDs	Return all available Azure tenant IDs.
GetHorizonD4CScripts	Returns static install scripts for Horizon.
DeleteD4CGCPAccount	Deletes a GCP account from the system.
ConnectD4CGCPAccount	Creates a new GCP account with newly-uploaded service account or connects with existing service account.
GetD4CGCPServiceAccountsExt	Returns the service account id and client email for external clients.
UpdateD4CGCPServiceAccountsExt	Updates an existing GCP service account.
GetD4CGCPUserScriptsAttachment	Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment.
CreateD4CGCPAccount	Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access.
GetCSPMGCPUserScriptsAttachment	Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment.
GetD4CCGPAccount	Returns information about the current status of an GCP account.
GetD4CGCPUserScripts	Return a script for customer to run in their cloud environment to grant us access to their GCP environment.

Data Protection Configuration

Operation ID	Description
entities_classification_get_v2	Gets the classifications that match the provided ids
entities_classification_post_v2	Create classifications
entities_classification_patch_v2	Update classifications
entities_classification_delete_v2	Deletes classifications that match the provided ids
entities_cloud_application_get	Get a particular cloud-application
entities_cloud_application_create	Persist the given cloud application for the provided entity instance
entities_cloud_application_patch	Update a cloud application.
entities_cloud_application_delete	Delete cloud application.
entities_content_pattern_get	Get a particular content-pattern(s).
entities_content_pattern_create	Persist the given content pattern for the provided entity instance.
entities_content_pattern_patch	Update a content pattern.
entities_content_pattern_delete	Delete content pattern.
entities_policy_precedence_post_v1	Update Policy Precedence.
entities_enterprise_account_get	Get a particular enterprise-account(s).
entities_enterprise_account_create	Persist the given enterprise account for the provided entity instance.
entities_enterprise_account_patch	Update a enterprise account.
entities_enterprise_account_delete	Delete enterprise account.
entities_file_type_get	Get a particular file-type.
entities_sensitivity_label_get_v2	Get sensitivity label matching the IDs (V2).
entities_sensitivity_label_create_v2	Create new sensitivity label (V2).
entities_sensitivity_label_delete_v2	Delete sensitivity labels matching the IDs (V2).
entities_local_application_group_get	Get particular local application groups.
entities_local_application_group_create	Persist the given local application group for the provided entity instance.
entities_local_application_group_patch	Update a local application group.
entities_local_application_group_delete	Soft Delete local application. The application won’t be visible anymore, but will still be in the database.
entities_local_application_get	Get a particular local application.
entities_local_application_create	Persist the given local application for the provided entity instance.
entities_local_application_patch	Update a local application.
entities_local_application_delete	Soft Delete local application. The application wont be visible anymore, but will still be in the database.
entities_policy_get_v2	Get policies that match the provided ids.
entities_policy_post_v2	Create policies.
entities_policy_patch_v2	Update policies.
entities_policy_delete_v2	Delete policies that match the provided ids.
entities_web_location_get_v2	Get web-location entities matching the provided ID(s).
entities_web_location_create_v2	Persist the given web-locations.
entities_web_location_patch_v2	Update a web-location.
entities_web_location_delete_v2	Delete web-location.
queries_classification_get_v2	Search for classifications that match the provided criteria.
queries_cloud_application_get_v2	Get all cloud-application IDs matching the query with filter.
queries_content_pattern_get_v2	Get all content-pattern IDs matching the query with filter.
queries_enterprise_account_get_v2	Get all enterprise-account IDs matching the query with filter.
queries_file_type_get_v2	Get all file-type IDs matching the query with filter.
queries_sensitivity_label_get_v2	Get all sensitivity label IDs matching the query with filter.
queries_local_application_group_get	Get all local application group IDs matching the query with filter.
queries_local_application_get	Get all local-application IDs matching the query with filter.
queries_policy_get_v2	Search for policies that match the provided criteria.
queries_web_location_get_v2	Get web-location IDs matching the query with filter.

Delivery Settings

Operation ID	Description
GetDeliverySettings	Get Delivery Settings.
PostDeliverySettings	Create Delivery Settings.

Deployments

Operation ID	Description
CombinedReleaseNotesV1	Queries for releases resources and returns details.
CombinedReleasesV1Mixin0	Queries for releases resources and returns details.
GetDeploymentsExternalV1	Get deployment resources by IDs.
GetEntityIDsByQueryPOST	Returns the release notes for the IDs in the request.
GetEntityIDsByQueryPOSTV2	Get entity IDs by query (v2).
QueryReleaseNotesV1	Queries for release-notes resources and returns IDs.

Detects

Operation ID	Description
GetAggregateDetects	Get detect aggregates as specified via json in request body.
UpdateDetectsByIdsV2	Modify the state, assignee, and visibility of detections.
GetDetectSummaries	View information about detections.
QueryDetects	Search for detection IDs that match a given query.

Device Content

Operation ID	Description
entities_states_v1	Retrieve the host content state for a number of ids between 1 and 100.
queries_states_v1	Query for the content state of the host.

Device Control Policies

Operation ID	Description
queryCombinedDeviceControlPolicyMembers	Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria.
queryCombinedDeviceControlPolicies	Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policies which match the filter criteria.
getDefaultDeviceControlPolicies	Retrieve the configuration for the Default Device Control Policy.
updateDefaultDeviceControlPolicies	Update the configuration for the Default Device Control Policy.
performDeviceControlPoliciesAction	Perform the specified action on the Device Control Policies specified in the request.
getDefaultDeviceControlSettings	Get default device control settings (USB and Bluetooth).
updateDefaultDeviceControlSettings	Update the configuration for Default Device Control Settings.
setDeviceControlPoliciesPrecedence	Sets the precedence of Device Control Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.
getDeviceControlPolicies	Retrieve a set of Device Control Policies by specifying their IDs.
getDeviceControlPoliciesV2	Get device control policies for the given filter criteria. Supports USB and Bluetooth.
createDeviceControlPolicies	Create Device Control Policies by specifying details about the policy to create.
postDeviceControlPoliciesV2	Create Device Control Policies by specifying details about the policy to create.
deleteDeviceControlPolicies	Delete a set of Device Control Policies by specifying their IDs.
patchDeviceControlPoliciesClassesV1	Update device control policy’s classes (USB and Bluetooth).
updateDeviceControlPolicies	Update Device Control Policies by specifying the ID of the policy and details to update.
patchDeviceControlPoliciesV2	Update Device Control Policies by specifying the ID of the policy and details to update.
queryDeviceControlPolicyMembers	Search for members of a Device Control Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.
queryDeviceControlPolicies	Search for Device Control Policies in your environment by providing a FQL filter and paging details. Returns a set of Device Control Policy IDs which match the filter criteria.

Discover

Operation ID	Description
combined_applications	Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns details on applications which match the filter criteria.
combined_hosts	Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns details on assets which match the filter criteria.
get_accounts	Get details on accounts by providing one or more IDs.
get_applications	Get details on applications by providing one or more IDs.
get_hosts	Get details on assets by providing one or more IDs.
get_iot_hosts	Get details on IoT assets by providing one or more IDs.
get_logins	Get details on logins by providing one or more IDs.
query_accounts	Search for accounts in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_applications	Search for applications in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of application IDs which match the filter criteria.
query_hosts	Search for assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_iot_hosts	Search for IoT assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_iot_hostsV2	Search for IoT assets in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.
query_logins	Search for logins in your environment by providing a FQL (Falcon Query Language) filter and paging details. Returns a set of asset IDs which match the filter criteria.

Downloads

Operation ID	Description
DownloadFile	Gets pre-signed URL for the file.
EnumerateFile	Enumerates a list of files available for CID.
FetchFilesDownloadInfo	Get files info and pre-signed download URLs
FetchFilesDownloadInfoV2	Get cloud security tools info and pre-signed download URLs

Drift Indicators

Operation ID	Description
GetDriftIndicatorsValuesByDate	Returns the count of Drift Indicators by the date. by default it’s for 7 days.
ReadDriftIndicatorsCount	Returns the total count of Drift indicators over a time period
SearchAndReadDriftIndicatorEntities	Retrieve Drift Indicators by the provided search criteria
ReadDriftIndicatorEntities	Retrieve Drift Indicator entities identified by the provided IDs
SearchDriftIndicators	Retrieve all drift indicators that match the given query

Event Streams

Operation ID	Description
refreshActiveStreamSession	Refresh an active event stream. Use the URL shown in a listAvailableStreamsOAuth2 response.
listAvailableStreamsOAuth2	Discover all event streams in your environment

Exposure Management

Operation ID	Description
aggregate_external_assets	Returns external assets aggregates.
combined_ecosystem_subsidiaries	Retrieves a list of ecosystem subsidiaries with their detailed information.
blob_download_external_assets	Download the entire contents of the blob. The relative link to this endpoint is returned in the GET /entities/external-assets/v1 request.
blob_preview_external_assets	Download a preview of the blob. The relative link to this endpoint is returned in the GET /entities/external-assets/v1 request.
get_ecosystem_subsidiaries	Retrieves detailed information about ecosystem subsidiaries by ID.
post_external_assets_inventory_v1	Add external assets for external asset scanning.
get_external_assets	Get details on external assets by providing one or more IDs.
delete_external_assets	Delete multiple external assets.
patch_external_assets	Update the details of external assets.
query_ecosystem_subsidiaries	Retrieves a list of IDs for ecosystem subsidiaries.
query_external_assets	Get a list of external asset IDs that match the provided filter conditions. Use these IDs with the /entities/external-assets/v1 endpoints
query_external_assets_v2	Query external assets (v2).

FaaS Execution

Operation ID	Description
ReadRequestBody	Retrieve a large request body, such as a file, that has spilled into object storage.

Falcon Complete Dashboard

Operation ID	Description
AggregateAlerts	Retrieve aggregate alerts values based on the matched filter
AggregateAllowList	Retrieve aggregate allowlist ticket values based on the matched filter
AggregateBlockList	Retrieve aggregate blocklist ticket values based on the matched filter
AggregateDeviceCountCollection	Retrieve aggregate host/devices count based on the matched filter
AggregateEscalations	Retrieve aggregate escalation ticket values based on the matched filter
AggregateFCIncidents	Retrieve aggregate incident values based on the matched filter
AggregateRemediations	Retrieve aggregate remediation ticket values based on the matched filter
AggregatePreventionPolicy	Retrieve aggregate prevention policy values based on the matched filter
AggregateSensorUpdatePolicy	Retrieve aggregate sensor update policy values based on the matched filter
AggregateSupportIssues	Retrieve aggregate support issue values based on the matched filter
AggregateTotalDeviceCounts	Retrieve aggregate total host/devices based on the matched filter
QueryAlertIdsByFilter	Retrieve Alert IDs that match the provided FQL filter criteria with scrolling enabled
QueryAlertIdsByFilterV2	Retrieve Alert IDs that match the provided FQL filter criteria with scrolling enabled
QueryAllowListFilter	Retrieve allowlist tickets that match the provided filter criteria with scrolling enabled
QueryBlockListFilter	Retrieve block listtickets that match the provided filter criteria with scrolling enabled
GetDeviceCountCollectionQueriesByFilter	Retrieve device count collection Ids that match the provided FQL filter, criteria with scrolling enabled
QueryEscalationsFilter	Retrieve escalation tickets that match the provided filter criteria with scrolling enabled
QueryIncidentIdsByFilter	Retrieve incidents that match the provided filter criteria with scrolling enabled
QueryRemediationsFilter	Retrieve remediation tickets that match the provided filter criteria with scrolling enabled

Falcon Container

Operation ID	Description
DownloadExportFile	Download an export file.
ReadExportJobs	Read export jobs entities.
LaunchExportJob	Launch an export job of a Container Security resource. Maximum of 1 job in progress per resource.
QueryExportJobs	Query export jobs entities.
PolicyChecks	Perform policy checks against container configurations.
GetReportByReference	Retrieve a report by its reference.
GetReportByScanID	Retrieve a report by scan ID.
GetCombinedImages	Retrieve registry entities identified by the customer ID.
GetCredentials	Gets the registry credentials.
GetImageAssessmentReport	Retrieve an assessment report for an image by specifying repository and tag.
HeadImageScanInventory	Get headers for POST request for image scan inventory.
DeleteImageDetails	Delete image details from the CrowdStrike registry.
ImageMatchesPolicy	Check if an image matches a policy by specifying repository and tag.
PostImageScanInventory	Post image scan inventory.
ReadImageVulnerabilities	Retrieve an assessment report for an image by specifying repository and tag.
ReadRegistryEntities	Retrieve registry entities associated with the client ID.
ReadRegistryEntitiesByUUID	Retrieve registry entities associated with a specific UUID.
DeleteRegistryEntities	Delete registry entities by UUID.
CreateRegistryEntities	Create registry entities using the provided detail.
UpdateRegistryEntities	Update the registry entity, as identified by the entity UUID, using the provided details.

Falconx Sandbox

Operation ID	Description
GetArtifacts	Download IOC packs, PCAP files, and other analysis artifacts.
GetMemoryDumpExtractedStrings	Get extracted strings from a memory dump.
GetMemoryDumpHexDump	Get the hex view of a memory dump.
GetMemoryDump	Get memory dump content, as a binary.
GetSummaryReports	Get a short summary version of a sandbox report.
GetReports	Get a full sandbox report.
DeleteReport	Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint.
GetSubmissions	Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
Submit	Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
QueryReports	Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria.
QuerySubmissions	Find submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria.
GetSampleV2	Retrieves the file associated with the given ID (SHA256)
UploadSampleV2	Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file.
DeleteSampleV2	Removes a sample, including file, meta and submissions from the collection
QuerySampleV1	Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200

FDR

Operation ID	Description
fdrschema_combined_event_get	Fetches the combined schema.
fdrschema_entities_event_get	Fetch event schema by ID.
fdrschema_queries_event_get	Get list of event IDs given a particular query.
fdrschema_entities_field_get	Fetch field schema by ID.
fdrschema_queries_field_get	Get list of field IDs given a particular query.

Federated Connections

Operation ID	Description
post_federated_connections_config	Create configuration for a federated connection
delete_federated_connections_config	Delete configuration for a federated connection
patch_federated_connections_config	Update configuration for a federated connection

FileVantage

Operation ID	Description
getActionsMixin0	Retrieves the processing results for one or more actions.
startActions	Initiates the specified action on the provided change IDs.
getContents	Retrieves the content captured for the provided change ID.
getChanges	Retrieve information on changes.
updatePolicyHostGroups	Manage host groups assigned to a policy.
updatePolicyPrecedence	Updates the policy precedence for all policies of a specific type.
updatePolicyRuleGroups	Manage the rule groups assigned to the policy or set the rule group precedence for all rule groups within the policy.
getPolicies	Retrieves the configuration for 1 or more policies.
createPolicies	Creates a new policy of the specified type. New policies are always added at the end of the precedence list for the provided policy type.
deletePolicies	Deletes 1 or more policies.
updatePolicies	Updates the general information of the provided policy.
getScheduledExclusions	Retrieves the configuration of 1 or more scheduled exclusions from the provided policy id.
createScheduledExclusions	Creates a new scheduled exclusion configuration for the provided policy id.
deleteScheduledExclusions	Deletes 1 or more scheduled exclusions from the provided policy id.
updateScheduledExclusions	Updates the provided scheduled exclusion configuration within the provided policy.
updateRuleGroupPrecedence	Updates the rule precedence for all rules in the identified rule group.
getRules	Retrieves the configuration for 1 or more rules.
createRules	Creates a new rule configuration within the specified rule group.
deleteRules	Deletes 1 or more rules from the specified rule group.
updateRules	Updates the provided rule configuration within the specified rule group.
getRuleGroups	Retrieves the rule group details for 1 or more rule groups.
createRuleGroups	Creates a new rule group of the specified type.
deleteRuleGroups	Deletes 1 or more rule groups.
updateRuleGroups	Updates the provided rule group.
signalChangesExternal	Initiates workflows for the provided change IDs.
queryActionsMixin0	Returns one or more action IDs.
queryChanges	Returns 1 or more change ids.
highVolumeQueryChanges	Returns 1 or more change ids.
queryPolicies	Retrieve the ids of all policies that are assigned the provided policy type.
queryScheduledExclusions	Retrieve the ids of all scheduled exclusions contained within the provided policy id.
queryRuleGroups	Retrieve the ids of all rule groups that are of the provided rule group type.

Firewall Management

Operation ID	Description
aggregate_events	Aggregate events for customer
aggregate_policy_rules	Aggregate rules within a policy for customer
aggregate_rule_groups	Aggregate rule groups for customer
aggregate_rules	Aggregate rules for customer
get_events	Get events entities by ID and optionally version
get_firewall_fields	Get the firewall field specifications by ID
get_network_locations_details	Get network locations entities by ID
update_network_locations_metadata	Updates the network locations metadata such as polling_intervals for the cid
update_network_locations_precedence	Updates the network locations precedence according to the list of ids provided.
get_network_locations	Get a summary of network locations entities by ID
upsert_network_locations	Updates the network locations provided, and return the ID.
create_network_locations	Create new network locations provided, and return the ID.
delete_network_locations	Delete network location entities by ID.
update_network_locations	Updates the network locations provided, and return the ID.
get_platforms	Get platforms by ID, e.g., windows or mac or droid
get_policy_containers	Get policy container entities by policy ID
update_policy_container_v1	Update an identified policy container
update_policy_container	Update an identified policy container
get_rule_groups	Get rule group entities by ID. These groups do not contain their rule entites, just the rule IDs in precedence order.
create_rule_group	Create new rule group on a platform for a customer with a name and description, and return the ID
delete_rule_groups	Delete rule group entities by ID
update_rule_group	Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
create_rule_group_validation	Validates the request of creating a new rule group on a platform for a customer with a name and description
update_rule_group_validation	Validates the request of updating name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules
get_rules	Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string)
validate_filepath_pattern	Validates that the test pattern matches the executable filepath glob pattern.
query_events	Find all event IDs matching the query with filter
query_firewall_fields	Get the firewall field specification IDs for the provided platform
query_network_locations	Get a list of network location IDs
query_platforms	Get the list of platform names
query_policy_rules	Find all firewall rule IDs matching the query with filter, and return them in precedence order
query_rule_groups	Find all rule group IDs matching the query with filter
query_rules	Find all rule IDs matching the query with filter

Firewall Policies

Operation ID	Description
queryCombinedFirewallPolicyMembers	Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedFirewallPolicies	Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policies which match the filter criteria
performFirewallPoliciesAction	Perform the specified action on the Firewall Policies specified in the request
setFirewallPoliciesPrecedence	Sets the precedence of Firewall Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
getFirewallPolicies	Retrieve a set of Firewall Policies by specifying their IDs
createFirewallPolicies	Create Firewall Policies by specifying details about the policy to create
deleteFirewallPolicies	Delete a set of Firewall Policies by specifying their IDs
updateFirewallPolicies	Update Firewall Policies by specifying the ID of the policy and details to update
queryFirewallPolicyMembers	Search for members of a Firewall Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryFirewallPolicies	Search for Firewall Policies in your environment by providing a FQL filter and paging details. Returns a set of Firewall Policy IDs which match the filter criteria

Foundry LogScale

Operation ID	Description
ListReposV1	Lists available repositories and views
IngestDataAsyncV1	Ingest data into the application repository asynchronously
IngestDataV1	Ingest data into the application repository
CreateFileV1	Creates a lookup file.
UpdateFileV1	Updates a lookup file.
CreateSavedSearchesDynamicExecuteV1	Execute a dynamic saved search
GetSavedSearchesExecuteV1	Get the results of a saved search
CreateSavedSearchesExecuteV1	Execute a saved search
CreateSavedSearchesIngestV1	Populate a saved search
GetSavedSearchesJobResultsDownloadV1	Get the results of a saved search as a file
ListViewV1	List views

Host Group

Operation ID	Description
queryCombinedGroupMembers	Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedHostGroups	Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Groups which match the filter criteria
performGroupAction	Perform the specified action on the Host Groups specified in the request
getHostGroups	Retrieve a set of Host Groups by specifying their IDs
createHostGroups	Create Host Groups by specifying details about the group to create
deleteHostGroups	Delete a set of Host Groups by specifying their IDs
updateHostGroups	Update Host Groups by specifying the ID of the group and details to update
queryGroupMembers	Search for members of a Host Group in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryHostGroups	Search for Host Groups in your environment by providing a FQL filter and paging details. Returns a set of Host Group IDs which match the filter criteria

Host Migration

Operation ID	Description
HostMigrationAggregatesV1	Get host migration aggregates as specified via json in request body.
MigrationAggregatesV1	Get migration aggregates as specified via json in request body.
HostMigrationsActionsV1	Perform an action on host migrations.
GetHostMigrationsV1	Get host migration details.
GetMigrationDestinationsV1	Get destinations for a migration.
MigrationsActionsV1	Perform an action on a migration job.
GetMigrationsV1	Get migration job details.
CreateMigrationV1	Create a device migration job.
GetHostMigrationIDsV1	Query host migration IDs.
GetMigrationIDsV1	Query migration jobs.

Hosts

Operation ID	Description
CombinedDevicesByFilter	Search for hosts. Returns full device records.
CombinedHiddenDevicesByFilter	Search for hidden hosts. Returns full device records.
GetOnlineState_V1	Get online status for one or more hosts.
PerformActionV2	Contain, lift containment, delete, or restore a host.
PostDeviceDetailsV2	Get details on one or more hosts by AID.
QueryDeviceLoginHistoryV2	Retrieve recent login sessions for devices.
QueryDevicesByFilterScroll	Search for hosts with continuous pagination.
QueryGetNetworkAddressHistoryV1	Retrieve IP and MAC address history.
QueryHiddenDevices	Retrieve hidden hosts matching filter criteria.
UpdateDeviceTags	Append or remove Falcon Grouping Tags.

Identity Protection

Operation ID	Description
GetSensorAggregates	Get sensor aggregates as specified via json in request body.
GetSensorDetails	Get details on one or more sensors by providing device IDs in a POST body. Supports up to a maximum of 5000 IDs.
QuerySensorsByFilter	Search for sensors in your environment by hostname, IP, and other criteria.
api_preempt_proxy_post_graphql	Identity Protection GraphQL API. Allows to retrieve entities, timeline activities, identity-based incidents and security assessment. Allows to perform actions on entities and identity-based incidents.
get_policy_rules	Get policy rules.
post_policy_rules	Create policy rules.
delete_policy_rules	Delete policy rules.
get_policy_rules_query	Query policy rule IDs.

Image Assessment Policies

Operation ID	Description
ReadPolicies	Get all Image Assessment policies
CreatePolicies	Create Image Assessment policies
DeletePolicy	Delete Image Assessment Policy by policy UUID
UpdatePolicies	Update Image Assessment Policy entities
ReadPolicyExclusions	Retrieve Image Assessment Policy Exclusion entities
UpdatePolicyExclusions	Update Image Assessment Policy Exclusion entities
ReadPolicyGroups	Retrieve Image Assessment Policy Group entities
CreatePolicyGroups	Create Image Assessment Policy Group entities
DeletePolicyGroup	Delete Image Assessment Policy Group entities
UpdatePolicyGroups	Update Image Assessment Policy Group entities
UpdatePolicyPrecedence	Update Image Assessment Policy precedence

Installation Tokens

Operation ID	Description
audit_events_read	Gets the details of one or more audit events by id.
customer_settings_read	Check current installation token settings.
customer_settings_update	Update installation token settings.
tokens_read	Gets the details of one or more tokens by id.
tokens_create	Creates a token.
tokens_delete	Deletes a token immediately. To revoke a token, use tokens_update instead.
tokens_update	Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore.
audit_events_query	Search for audit events by providing a FQL filter and paging details.
tokens_query	Search for tokens by providing a FQL filter and paging details.

Intel

Operation ID	Description
QueryIntelActorEntities	Get info about actors that match provided FQL filters.
QueryIntelIndicatorEntities	Get info about indicators that match provided FQL filters.
QueryMalwareEntities	Get malware entities that match provided FQL filters.
QueryIntelReportEntities	Get info about reports that match provided FQL filters.
GetMalwareMitreReport	Export Mitre ATT&CK information for a given malware family.
GetIntelActorEntities	Retrieve specific actors using their actor IDs.
GetIntelIndicatorEntities	Retrieve specific indicators using their indicator IDs.
GetMalwareEntities	Get malware entities for specified IDs.
GetMitreReport	Export Mitre ATT&CK information for a given actor.
PostMitreAttacks	Retrieves report and observable IDs associated with the given actor and attacks.
GetIntelReportPDF	Return a Report PDF attachment
GetIntelReportEntities	Retrieve specific reports using their report IDs.
GetIntelRuleFile	Download earlier rule sets.
GetLatestIntelRuleFile	Download the latest rule set.
GetIntelRuleEntities	Retrieve details for rule sets for the specified ids.
GetVulnerabilities	Get vulnerabilities
QueryIntelActorIds	Get actor IDs that match provided FQL filters.
QueryIntelIndicatorIds	Get indicators IDs that match provided FQL filters.
QueryMalware	Get malware family names that match provided FQL filters.
QueryMitreAttacksForMalware	Gets MITRE tactics and techniques for the given malware.
QueryMitreAttacks	Gets MITRE tactics and techniques for the given actor.
QueryIntelReportIds	Get report IDs that match provided FQL filters.
QueryIntelRuleIds	Search for rule IDs that match provided filter criteria.
QueryVulnerabilities	Get vulnerabilities IDs

Intelligence Feeds

Operation ID	Description
DownloadFeedArchive	Download feed file contents as a zip archive.
ListFeedTypes	List the accessible feeds for a given customer.
QueryFeedArchives	Query the accessible feeds for a customer.

Intelligence Indicator Graph

Operation ID	Description
LookupIndicators	Get indicators based on their value.
SearchIndicators	Search indicators based on FQL filter.

IOA Exclusions

Operation ID	Description
getIOAExclusionsV1	Get a set of IOA Exclusions by specifying their IDs.
createIOAExclusionsV1	Create the IOA exclusions.
deleteIOAExclusionsV1	Delete the IOA exclusions by ID.
updateIOAExclusionsV1	Update the IOA exclusions.
queryIOAExclusionsV1	Search for IOA exclusions.
ss_ioa_exclusions_aggregates_v2	Get Self Service IOA Exclusion aggregates as specified via json in the request body.
ss_ioa_exclusions_get_reports_v2	Create a report of Self Service IOA Exclusions scoped by the given filters.
ss_ioa_exclusions_get_v2	Get the Self Service IOA Exclusions rules by id.
ss_ioa_exclusions_create_v2	Create new Self Service IOA Exclusions.
ss_ioa_exclusions_update_v2	Update the Self Service IOA Exclusions rule by id.
ss_ioa_exclusions_delete_v2	Delete the Self Service IOA Exclusions rule by id.
ss_ioa_exclusions_matched_rule_v2	Get Self Service IOA Exclusions rules for matched IFN/CLI for child, parent and grandparent.
ss_ioa_exclusions_new_rules_v2	Get defaults for Self Service IOA Exclusions based on provided IFN/CLI for child, parent and grandparent.
ss_ioa_exclusions_search_v2	Search for Self Service IOA Exclusions.

IOC

Operation ID	Description
indicator_aggregate_v1	Get Indicators aggregates as specified via json in the request body.
indicator_combined_v1	Get Combined for Indicators.
action_get_v1	Get Actions by ids.
GetIndicatorsReport	Launch an indicators report creation job
indicator_get_v1	Get Indicators by ids.
indicator_create_v1	Create Indicators.
indicator_delete_v1	Delete Indicators by ids.
indicator_update_v1	Update Indicators.
action_query_v1	Query Actions.
indicator_search_v1	Search for Indicators.
ioc_type_query_v1	Query IOC Types.
platform_query_v1	Query Platforms.
severity_query_v1	Query Severities.
DevicesCount	Number of hosts in your customer account that have observed a given custom IOC
indicator_get_device_count_v1	Number of hosts in your customer account that have observed a given custom IOC
DevicesRanOn	Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1
indicator_get_devices_ran_on_v1	Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1
ProcessesRanOn	Search for processes associated with a custom IOC (Deprecated)
indicator_get_processes_ran_on_v1	Search for processes associated with a custom IOC
entities_processes	For the provided ProcessID retrieve the process details

IOCs

Operation ID	Description
DevicesCount	Number of hosts in your customer account that have observed a given custom IOC.
GetIOC	This operation has been superseded by the IOC.indicator_get_v1 operation and is no longer used.
CreateIOC	This operation has been superseded by the IOC.indicator_create_v1 operation and is no longer used.
DeleteIOC	This operation has been superseded by the IOC.indicator_delete_v1 operation and is no longer used.
UpdateIOC	This operation has been superseded by the IOC.indicator_update_v1 operation and is no longer used.
DevicesRanOn	Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v1.
QueryIOCs	This operation has been superseded by the IOC.indicator_search_v1 operation and is no longer used.
ProcessesRanOn	Search for processes associated with a custom IOC.
entities_processes	For the provided ProcessID retrieve the process details.

IT Automation

Operation ID	Description
ITAutomationGetAssociatedTasks	Retrieve tasks associated with the provided file ID
ITAutomationCombinedScheduledTasks	Returns full details of scheduled tasks matching the filter query parameter
ITAutomationRunLiveQuery	Start a new task execution from the provided query data in the request and return the initiated task executions
ITAutomationGetTaskExecutionsByQuery	Retrieve task executions by query
ITAutomationGetTaskGroupsByQuery	Retrieve task groups by query
ITAutomationGetTasksByQuery	Retrieve tasks by query
ITAutomationGetPolicies	Retrieve policies
ITAutomationCreatePolicy	Create a new policy of the specified type
ITAutomationUpdatePolicies	Update a new policy of the specified type
ITAutomationDeletePolicy	Delete a policy
ITAutomationUpdatePolicyHostGroups	Update policy host groups
ITAutomationUpdatePoliciesPrecedence	Update policies precedence
ITAutomationGetScheduledTasks	Retrieve scheduled tasks
ITAutomationCreateScheduledTask	Create a scheduled task from the given request
ITAutomationUpdateScheduledTask	Update an existing scheduled task with the supplied info
ITAutomationDeleteScheduledTasks	Delete scheduled tasks
ITAutomationCancelTaskExecution	Cancel a task execution
ITAutomationGetTaskExecutionHostStatus	Retrieve task execution host status
ITAutomationRerunTaskExecution	Rerun the task execution specified in the request
ITAutomationGetExecutionResultsSearchStatus	Retrieve execution results search status
ITAutomationStartExecutionResultsSearch	Start an asynchronous task execution results search
ITAutomationGetExecutionResults	Retrieve execution results
ITAutomationGetTaskExecution	Retrieve a task execution
ITAutomationStartTaskExecution	Start a new task execution from an existing task provided in the request and returns the initiated task executions
ITAutomationGetTaskGroups	Retrieve task groups
ITAutomationCreateTaskGroup	Create a task group
ITAutomationUpdateTaskGroup	Update a task group for a given ID
ITAutomationDeleteTaskGroups	Delete task groups
ITAutomationGetTasks	Retrieve tasks
ITAutomationCreateTask	Create a task with details from the given request
ITAutomationUpdateTask	Update a task with details from the given request
ITAutomationDeleteTask	Delete a task
ITAutomationQueryPolicies	Query policies
ITAutomationSearchScheduledTasks	Search scheduled tasks
ITAutomationSearchTaskExecutions	Search task executions
ITAutomationSearchTaskGroups	Search task groups
ITAutomationSearchTasks	Search tasks
ITAutomationGetUserGroup	Returns user groups for each provided id
ITAutomationCreateUserGroup	Creates a user group from the given request
ITAutomationUpdateUserGroup	Update a user group for a given id
ITAutomationDeleteUserGroup	Deletes user groups for each provided ids
ITAutomationSearchUserGroup	Returns the list of user group ids matching the filter query parameter. It can be used together with the entities endpoint to retrieve full information on user groups

Knowledge Base Audit Events

Operation ID	Description
aggregates_knowledge_base_audit_events_v1	Aggregate knowledge base audit events based on the provided msa criteria.
combined_knowledge_base_audit_events_v1	Get knowledge base audit events with full event details and pagination.
entities_knowledge_base_audit_events_v1	Retrieve knowledge base audit event entities by their IDs.
queries_knowledge_base_audit_events_v1	Query knowledge base audit event IDs with pagination and filtering.

Knowledge Base Files

Operation ID	Description
entities_knowledge_base_files_download_v1	Download knowledge base file entities for the provided id.
entities_knowledge_base_files_v1	Retrieve knowledge base file entities for the provided id.
entities_knowledge_base_files_update_v1	Update an existing file in a knowledge base. Supports updating file content and optionally its description.
entities_knowledge_base_files_create_v1	Upload a file to a knowledge base.
entities_knowledge_base_files_delete_v1	Delete document from knowledge base.
queries_knowledge_base_files_v1	Query knowledge base files based on the provided filters.

Knowledge Bases

Operation ID	Description
aggregates_knowledge_bases_v1	Aggregate knowledge bases based on the provided msa criteria.
entities_knowledge_bases_v1	Retrieve knowledge base entities for the provided id.
entities_knowledge_bases_create_v1	Create or update a knowledge base. For deletion, provide knowledge base with IsDeleted=true.
entities_knowledge_bases_update_v1	Update an existing knowledge base.
queries_knowledge_bases_v1	Query knowledge bases based on the provided filters.

Kubernetes Container Compliance

Operation ID	Description
AggregateAssessmentsGroupedByClustersV2	Returns cluster details along with aggregated assessment results organized by cluster, including pass/fail assessment counts for various asset types.
AggregateComplianceByAssetType	Provides aggregated compliance assessment metrics and rule status information, organized by asset type.
AggregateComplianceByClusterType	Provides aggregated compliance assessment metrics and rule status information, organized by Kubernetes cluster type.
AggregateComplianceByFramework	Provides aggregated compliance assessment metrics and rule status information, organized by compliance framework.
AggregateFailedRulesByClustersV3	Retrieves the most non-compliant clusters, ranked in descending order based on the number of failed compliance rules across severity levels (critical, high, medium, and low).
AggregateAssessmentsGroupedByRulesV2	Returns rule details along with aggregated assessment results organized by compliance rule, including pass/fail assessment counts.
AggregateTopFailedImages	Retrieves the most non-compliant container images, ranked in descending order based on the number of failed assessments across severity levels (critical, high, medium, and low).
CombinedImagesFindings	Returns detailed compliance assessment results for container images, providing the information needed to identify compliance violations.
CombinedNodesFindings	Returns detailed compliance assessment results for kubernetes nodes, providing the information needed to identify compliance violations.
getRulesMetadataByID	Retrieve detailed compliance rule information by ID. Includes descriptions, remediation steps, and audit procedures by specifying rule identifiers.

Kubernetes Protection

Operation ID	Description
ReadClustersByDateRangeCount	Retrieve clusters by date range counts
ReadClustersByKubernetesVersionCount	Bucket clusters by kubernetes version
ReadClustersByStatusCount	Bucket clusters by status
ReadClusterCount	Retrieve cluster counts
ReadContainersByDateRangeCount	Retrieve containers by date range counts
ReadContainerCountByRegistry	Retrieve top container image registries
FindContainersCountAffectedByZeroDayVulnerabilities	Retrieve containers count affected by zero day vulnerabilities
ReadVulnerableContainerImageCount	Retrieve count of vulnerable images running on containers
ReadContainerCount	Retrieve container counts
FindContainersByContainerRunTimeVersion	Retrieve containers by container_runtime_version
GroupContainersByManaged	Group the containers by Managed
ReadContainerImageDetectionsCountByDate	Retrieve count of image assessment detections on running containers over a period of time
ReadContainerImagesByState	Retrieve count of image states running on containers
ReadContainersSensorCoverage	Bucket containers by agent type and calculate sensor coverage
ReadContainerVulnerabilitiesBySeverityCount	Retrieve container vulnerabilities by severity counts
ReadDeploymentsByDateRangeCount	Retrieve deployments by date range counts
ReadDeploymentCount	Retrieve deployment counts
ReadClusterEnrichment	Retrieve cluster enrichment data
ReadContainerEnrichment	Retrieve container enrichment data
ReadDeploymentEnrichment	Retrieve deployment enrichment data
ReadNodeEnrichment	Retrieve node enrichment data
ReadPodEnrichment	Retrieve pod enrichment data
ReadDistinctContainerImageCount	Retrieve count of distinct images running on containers
ReadContainerImagesByMostUsed	Bucket container by image-digest
ReadKubernetesIomByDateRange	Returns the count of Kubernetes IOMs by the date. by default it’s for 7 days.
ReadNamespacesByDateRangeCount	Retrieve namespaces by date range counts
ReadNamespaceCount	Retrieve namespace counts
ReadKubernetesIomCount	Returns the total count of Kubernetes IOMs over the past seven days
ReadNodesByCloudCount	Bucket nodes by cloud providers
ReadNodesByContainerEngineVersionCount	Bucket nodes by their container engine version
ReadNodesByDateRangeCount	Retrieve nodes by date range counts
ReadNodeCount	Retrieve node counts
ReadPodsByDateRangeCount	Retrieve pods by date range counts
ReadPodCount	Retrieve pod counts
ReadClusterCombined	Retrieve kubernetes clusters identified by the provided filter criteria
ReadClusterCombinedV2	Retrieve kubernetes clusters identified by the provided filter criteria
ReadRunningContainerImages	Retrieve images on running containers
ReadContainerCombined	Retrieve containers identified by the provided filter criteria
ReadDeploymentCombined	Retrieve kubernetes deployments identified by the provided filter criteria
SearchAndReadKubernetesIomEntities	Search Kubernetes IOM by the provided search criteria
ReadNodeCombined	Retrieve kubernetes nodes identified by the provided filter criteria
ReadPodCombined	Retrieve kubernetes pods identified by the provided filter criteria
ReadKubernetesIomEntities	Retrieve Kubernetes IOM entities identified by the provided IDs
SearchKubernetesIoms	Search Kubernetes IOMs by the provided search criteria. this endpoint returns a list of Kubernetes IOM UUIDs matching the query
GetAWSAccounts	Provides a list of AWS accounts.
CreateAWSAccount	Creates a new AWS account in our system for a customer and generates the installation script
DeleteAWSAccountsMixin0	Delete AWS accounts.
UpdateAWSAccount	Updates the AWS account per the query parameters provided
ListAzureAccounts	Provides the azure subscriptions registered to Kubernetes Protection.
CreateAzureSubscription	Creates a new Azure Subscription in our system
DeleteAzureSubscription	Delete an Azure Subscription from the system.
GetLocations	Provides the cloud locations acknowledged by the Kubernetes Protection service
GetCombinedCloudClusters	Returns a combined list of provisioned cloud accounts and known kubernetes clusters.
GetAzureTenantConfig	Returns the Azure tenant config.
GetStaticScripts	Get static bash scripts that are used during registration.
GetAzureTenantIDs	Provides all the azure subscriptions and tenants IDs.
GetAzureInstallScript	Provide the script to run for a given tenant id and subscription IDs.
GetHelmValuesYaml	Provides a sample Helm values.yaml file for a customer to install alongside the agent Helm chart
RegenerateAPIKey	Regenerate API key for docker registry integrations.
GetClusters	Provides the clusters acknowledged by the Kubernetes Protection service
TriggerScan	Triggers a dry run or a full scan of a customer’s kubernetes footprint.
PostSearchKubernetesIOMEntities	Search Kubernetes IOM entities by filter criteria
PatchAzureServicePrincipal	Adds the client ID for the given tenant ID to our system.

MalQuery

Operation ID	Description
GetMalQueryQuotasV1	Get information about search and download quotas in your environment
PostMalQueryFuzzySearchV1	Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity.
GetMalQueryDownloadV1	Download a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time
GetMalQueryMetadataV1	Retrieve indexed files metadata by their hash
GetMalQueryRequestV1	Check the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time.
GetMalQueryEntitiesSamplesFetchV1	Fetch a zip archive with password ‘infected’ containing the samples. Call this once the /entities/samples-multidownload request has finished processing
PostMalQueryEntitiesSamplesMultidownloadV1	Schedule samples for download. Use the result id with the /request endpoint to check if the download is ready after which you can call the /entities/samples-fetch to get the zip
PostMalQueryExactSearchV1	Search Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. You can filter results on criteria such as file type, file size and first seen date. Returns a request id which can be used with the /request endpoint
PostMalQueryHuntV1	Schedule a YARA-based search for execution. Returns a request id which can be used with the /request endpoint

Message Center

Operation ID	Description
AggregateCases	Retrieve aggregate case values based on the matched filter
GetCaseActivityByIds	Retrieve activities for given id’s
CaseAddActivity	Add an activity to case. Only activities of type comment are allowed via API
CaseDownloadAttachment	retrieves an attachment for the case, given the attachment id
CaseAddAttachment	Upload an attachment for the case.
CreateCaseV2	create a new case
GetCaseEntitiesByIDs	Retrieve message center cases
QueryActivityByCaseID	Retrieve activities id’s for a case
QueryCasesIdsByFilter	Retrieve case id’s that match the provided filter criteria

ML Exclusions

Operation ID	Description
getMLExclusionsV1	Get a set of ML Exclusions by specifying their IDs.
createMLExclusionsV1	Create the ML exclusions.
deleteMLExclusionsV1	Delete the ML exclusions by ID.
updateMLExclusionsV1	Update the ML exclusions.
queryMLExclusionsV1	Search for ML exclusions.
exclusions_aggregates_v2	Get exclusion aggregates as specified via json in request body.
exclusions_get_all_v2	Get all exclusions.
exclusions_perform_action_v2	Actions used to manipulate the content of exclusions, with ancestor fields.
exclusions_get_reports_v2	Create a report of ML exclusions scoped by the given filters.
exclusions_get_v2	Get the exclusions by id, with ancestor fields.
exclusions_create_v2	Create the exclusions, with ancestor fields.
exclusions_update_v2	Update the exclusions by id, with ancestor fields.
exclusions_delete_v2	Delete the exclusions by id, with ancestor fields.
exclusions_search_v2	Search for exclusions, with ancestor fields.

Mobile Enrollment

Operation ID	Description
RequestDeviceEnrollmentV3	Trigger on-boarding process for a mobile device
RequestDeviceEnrollmentV4	Trigger on-boarding process for a mobile device

MSSP (Flight Control)

Operation ID	Description
getChildrenV2	Get link to child customer by child CID(s)
getChildren	Get link to child customer by child CID(s)
getCIDGroupMembersBy	Get CID group members by CID Group ID.
getCIDGroupMembersByV1	Get CID Group members by CID Group IDs.
addCIDGroupMembers	Add new CID Group member.
deleteCIDGroupMembers	Delete CID Group members entry.
getCIDGroupById	Get CID Groups by ID.
getCIDGroupByIdV1	Get CID Group(s) by ID(s).
createCIDGroups	Create new CID Group(s). Maximum 500 CID Group(s) allowed.
deleteCIDGroups	Delete CID Group(s) by ID(s).
updateCIDGroups	Update existing CID Group(s). CID Group ID is expected for each CID Group definition provided in request body. CID Group member(s) remain unaffected.
getRolesByID	Get MSSP Role assignment(s). MSSP Role assignment is of the format: <user_group_id>.<cid_group_id>.
addRole	Assign new MSSP Role(s) between User Group and CID Group. It does not revoke existing role(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request.
deletedRoles	Delete MSSP Role assignment(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request. Only specified roles are removed if specified in request payload, else association between User Group and CID Group is dissolved completely (if no roles specified).
getUserGroupMembersByID	Get User Group members by User Group ID(s).
getUserGroupMembersByIDV1	Get User Group members by User Group ID(s).
addUserGroupMembers	Add new User Group member. Maximum 500 members allowed per User Group.
deleteUserGroupMembers	Delete User Group members entry.
getUserGroupsByID	Get User Group by ID(s).
getUserGroupsByIDV1	Get user groups by ID.
createUserGroups	Create new User Group(s). Maximum 500 User Group(s) allowed per customer.
deleteUserGroups	Delete User Group(s) by ID(s).
updateUserGroups	Update existing User Group(s). User Group ID is expected for each User Group definition provided in request body. User Group member(s) remain unaffected.
getUserGroupsByIDV2	Get user groups by ID.
queryChildren	Query for customers linked as children
queryCIDGroupMembers	Query a CID Groups members by associated CID.
queryCIDGroups	Query CID Groups.
queryRoles	Query links between user groups and CID groups. At least one of CID Group ID or User Group ID should also be provided. Role ID is optional.
queryUserGroupMembers	Query User Group member by User UUID.
queryUserGroups	Query User Groups.
deleteCIDGroupMembersV1	Deprecated: Please use deleteCIDGroupMembersV2.

Network Scan Global Configs

Operation ID	Description
get_global_configs	Get “global-configs” for the CID
update_global_configs	Update “global-configs” using provided specifications

Network Scan Networks

Operation ID	Description
aggregate_networks	Returns “networks” aggregations
get_networks	Get “networks” by their IDs
create_networks	Create “networks” using provided specifications
delete_networks	Delete “networks” by their IDs
update_networks	Update “networks” using provided specifications
query_networks	Get “networks IDs” by filter

Network Scan Scan Run Reports

Operation ID	Description
get_scan_run_reports	Downloads scan run report in CSV format

Network Scan Scan Runs

Operation ID	Description
aggregate_scan_runs	Returns “scan-runs” aggregations
get_scan_runs	Get “scan-runs” by their IDs
create_scan_runs	Create “scan-runs” using provided specifications
update_scan_runs	Update “scan-runs” using provided specifications
query_scan_runs	Get “scan-runs IDs” by filter

Network Scan Scanners

Operation ID	Description
aggregate_scanners	Returns “scanners” aggregations
get_scanners	Get “scanners” by their IDs
update_scanners	Update “scanners” using provided specifications
query_scanners	Get “scanners IDs” by filter

Network Scan Scans

Operation ID	Description
aggregate_scansMixin0	Returns “scans” aggregations
get_scans	Get “scans” by their IDs
create_scans	Create “scans” using provided specifications
delete_scans	Delete “scans” by their IDs
update_scans	Update “scans” using provided specifications
query_scansMixin0	Get “scans IDs” by filter

Network Scan Templates

Operation ID	Description
get_template_configs	Get details on the network scan template configurations
get_templates	Get “templates” by their IDs
create_templates	Create “templates” using provided specifications
delete_templates	Delete “templates” by their IDs
update_templates	Update “templates” using provided specifications
query_templates	Get “templates IDs” by filter

Network Scan Zones

Operation ID	Description
aggregate_zones	Returns “zones” aggregations
combined_zones	Get “zones” by filter
get_zones	Get “zones” by their IDs
create_zones	Create “zones” using provided specifications
delete_zones	Delete “zones” by their IDs
update_zones	Update “zones” using provided specifications
query_zones	Get “zones IDs” by filter

NGSIEM

Operation ID	Description
UploadLookupV1	Upload a lookup file to NGSIEM.
GetLookupV1	Download lookup file from NGSIEM.
GetLookupFromPackageWithNamespaceV1	Download lookup file in namespaced package from NGSIEM.
GetLookupFromPackageV1	Download lookup file in package from NGSIEM.
StartSearchV1	Initiate a NGSIEM search.
GetSearchStatusV1	Get status of a NGSIEM search.
StopSearchV1	Stop a NGSIEM search.
GetDashboardTemplate	Get dashboard template by ID.
CreateDashboardFromTemplate	Create dashboard from template.
UpdateDashboardFromTemplate	Update dashboard from template.
DeleteDashboard	Delete dashboard.
GetLookupFile	Get lookup file by ID.
CreateLookupFile	Create lookup file.
UpdateLookupFile	Update lookup file.
DeleteLookupFile	Delete lookup file.
GetParserTemplate	Get parser template by ID.
CreateParserFromTemplate	Create Parser in NGSIEM from template.
GetParser	Get parser by ID.
CreateParser	Create Parser in NGSIEM.
UpdateParser	Update parser.
DeleteParser	Delete Parser in NGSIEM.
UpdateParserAutoUpdatePolicy	Update a parser auto update policy.
InstallParser	Install a CrowdStrike-managed out-of-the-box (OOTB) parser.
BulkInstallParsers	Install multiple CrowdStrike-managed out-of-the-box (OOTB) parsers.
GetSavedQueryTemplate	Retrieve Saved Query in NGSIEM as LogScale YAML Template by ID.
CreateSavedQuery	Create Saved Query from LogScale YAML Template in NGSIEM.
UpdateSavedQueryFromTemplate	Update Saved Query from LogScale YAML Template in NGSIEM.
DeleteSavedQuery	Delete Saved Query in NGSIEM.
ListDashboards	List dashboards.
ListLookupFiles	List lookup files.
ListParsers	List parsers.
ListSavedQueries	List saved queries.
UpdateLookupFileEntries	Update entries in an existing Lookup File in NGSIEM.
ExternalListDataConnections	List and search data connections.
ExternalListDataConnectors	List available data connectors.
ExternalGetDataConnectionStatus	Get data connection provisioning status.
ExternalUpdateDataConnectionStatus	Update data connection status.
ExternalGetDataConnectionToken	Get Ingest token for data connection.
ExternalRegenerateDataConnectionToken	Regenerate Ingest token for data connection.
ExternalGetDataConnectionByID	Get data connection by ID.
ExternalCreateDataConnection	Create a new data connection.
ExternalUpdateDataConnection	Update a data connection.
ExternalDeleteDataConnection	Delete a data connection.
ExternalListConnectorConfigs	List configurations for a data connector.
ExternalCreateConnectorConfig	Create a new configuration for a data connector.
ExternalPatchConnectorConfig	Patch configurations for a data connector.
ExternalDeleteConnectorConfigs	Delete data connection config.
UpdateParserFromTemplate	Update Parser in NGSIEM from YAML Template. Please note that name changes are not supported, but rather should be created as a new parser.

OAuth2

Operation ID	Description
oauth2RevokeToken	Revoke a previously issued OAuth2 access token before the end of its standard 30-minute lifespan.
oauth2AccessToken	Generate an OAuth2 access token

ODS (On Demand Scan)

Operation ID	Description
aggregate_query_scan_host_metadata	Get aggregates on ODS scan-hosts data.
aggregate_scans	Get aggregates on ODS scan data.
aggregate_scheduled_scans	Get aggregates on ODS scheduled-scan data.
get_malicious_files_by_ids	Get malicious files by ids.
cancel_scans	Cancel ODS scans for the given scan ids.
get_scan_host_metadata_by_ids	Get scan hosts by ids.
get_scans_by_scan_ids_v1	Get Scans by IDs.
get_scans_by_scan_ids_v2	Get Scans by IDs.
create_scan	Create ODS scan and start or schedule scan for the given scan request.
get_scheduled_scans_by_scan_ids	Get ScheduledScans by IDs.
schedule_scan	Create ODS scan and start or schedule scan for the given scan request.
delete_scheduled_scans	Delete ODS scheduled-scans for the given scheduled-scan ids.
query_malicious_files	Query malicious files.
query_scan_host_metadata	Query scan hosts.
query_scans	Query Scans.
query_scheduled_scans	Query ScheduledScans.

Overwatch Dashboard

Operation ID	Description
AggregatesDetectionsGlobalCounts	Get the total number of detections pushed across all customers.
AggregatesEventsCollections	Get OverWatch detection event collection info by providing an aggregate query.
AggregatesEvents	Get aggregate OverWatch detection event info by providing an aggregate query.
AggregatesIncidentsGlobalCounts	Get the total number of incidents pushed across all customers.
AggregatesOWEventsGlobalCounts	Get the total number of OverWatch events across all customers.

Prevention Policy

Operation ID	Description
queryCombinedPreventionPolicyMembers	Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedPreventionPolicies	Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria
performPreventionPoliciesAction	Perform the specified action on the Prevention Policies specified in the request
setPreventionPoliciesPrecedence	Sets the precedence of Prevention Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
getPreventionPolicies	Retrieve a set of Prevention Policies by specifying their IDs
createPreventionPolicies	Create Prevention Policies by specifying details about the policy to create
deletePreventionPolicies	Delete a set of Prevention Policies by specifying their IDs
updatePreventionPolicies	Update Prevention Policies by specifying the ID of the policy and details to update
queryPreventionPolicyMembers	Search for members of a Prevention Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryPreventionPolicies	Search for Prevention Policies in your environment by providing a FQL filter and paging details. Returns a set of Prevention Policy IDs which match the filter criteria

Quarantine

Operation ID	Description
ActionUpdateCount	Returns count of potentially affected quarantined files for each action.
GetAggregateFiles	Get quarantine file aggregates as specified via json in request body.
GetQuarantineFiles	Get quarantine file metadata for specified ids.
UpdateQuarantinedDetectsByIds	Apply action by quarantine file ids.
QueryQuarantineFiles	Get quarantine file ids that match the provided filter criteria.
UpdateQfByQuery	Apply quarantine file actions by query.

Quick Scan

Operation ID	Description
GetScansAggregates	Get scans aggregations as specified via json in request body.
GetScans	Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute
ScanSamples	Submit a volume of files for ml scanning. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute
QuerySubmissionsMixin0	Find IDs for submitted scans by providing a FQL filter and paging details. Returns a set of volume IDs that match your criteria.

Quick Scan Pro

Operation ID	Description
UploadFileQuickScanPro	Uploads a file to be further analyzed with QuickScan Pro. The samples expire after 90 days.
DeleteFile	Deletes file by its sha256 identifier.
GetScanResult	Gets the result of an QuickScan Pro scan.
LaunchScan	Starts scanning a file uploaded through UploadFileQuickScanPro.
DeleteScanResult	Deletes the result of an QuickScan Pro scan.
QueryScanResults	Gets QuickScan Pro scan jobs for a given FQL filter.

Real Time Response

Operation ID	Description
RTR_AggregateSessions	Get aggregates on session data.
BatchActiveResponderCmd	Batch executes a RTR active-responder command across the hosts mapped to the given batch ID.
BatchCmd	Batch executes a RTR read-only command across the hosts mapped to the given batch ID.
BatchGetCmdStatus	Retrieves the status of the specified batch get command. Will return successful files when they are finished processing.
BatchGetCmd	Batch executes get command across hosts to retrieve files. After this call is made BatchGetCmdStatus is used to query for the results.
BatchInitSessions	Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host.
BatchRefreshSessions	Batch refresh a RTR session on multiple hosts. RTR sessions will expire after 5 minutes unless refreshed.
RTR_CheckActiveResponderCommandStatus	Get status of an executed active-responder command on a single host.
RTR_ExecuteActiveResponderCommand	Execute an active responder command on a single host.
RTR_CheckCommandStatus	Get status of an executed command on a single host.
RTR_ExecuteCommand	Execute a command on a single host.
RTR_GetExtractedFileContents	Get RTR extracted file contents for specified session and sha256.
RTR_ListFiles	Get a list of files for the specified RTR session.
RTR_ListFilesV2	Get a list of files for the specified RTR session. (Expanded output detail.)
RTR_DeleteFile	Delete a RTR session file.
RTR_DeleteFileV2	Delete a RTR session file. (Expanded output detail, use with RTR_ListFilesV2.)
RTR_ListQueuedSessions	Get queued session metadata by session ID.
RTR_DeleteQueuedSession	Delete a queued session command.
RTR_PulseSession	Refresh a session timeout on a single host.
RTR_ListSessions	Get session metadata by session id.
RTR_InitSession	Initialize a new session with the RTR cloud.
RTR_DeleteSession	Delete a session.
RTR_ListAllSessions	Get a list of session_ids.

Real Time Response Admin

Operation ID	Description
BatchAdminCmd	Batch executes a RTR administrator command across the hosts mapped to the given batch ID.
RTR_CheckAdminCommandStatus	Get status of an executed RTR administrator command on a single host.
RTR_ExecuteAdminCommand	Execute a RTR administrator command on a single host.
RTR_GetFalconScripts	Get Falcon scripts with metadata and content of script
RTR_GetPut_Files	Get put-files based on the ID’s given. These are used for the RTR put command.
RTR_GetPut_FilesV2	Get put-files based on the ID’s given. These are used for the RTR put command.
RTR_GetPutFileContents	Get the contents of a put-file based on the ID given.
RTR_CreatePut_Files	Upload a new put-file to use for the RTR put command.
RTR_CreatePut_FilesV2	Upload a new put-file to use for the RTR put command.
RTR_DeletePut_Files	Delete a put-file based on the ID given. Can only delete one file at a time.
RTR_GetScripts	Get custom-scripts based on the ID’s given. These are used for the RTR runscript command.
RTR_GetScriptsV2	Get custom-scripts based on the ID’s given. These are used for the RTR runscript command.
RTR_ListFalconScripts	Get a list of Falcon script IDs available to the user to run
RTR_CreateScripts	Upload a new custom-script to use for the RTR runscript command.
RTR_CreateScriptsV2	Upload a new custom-script to use for the RTR runscript command.
RTR_DeleteScripts	Delete a custom-script based on the ID given. Can only delete one script at a time.
RTR_UpdateScripts	Upload a new scripts to replace an existing one.
RTR_UpdateScriptsV2	Upload a new scripts to replace an existing one.
RTR_ListPut_Files	Get a list of put-file ID’s that are available to the user for the put command.
RTR_ListScripts	Get a list of custom-script ID’s that are available to the user for the runscript command.

Real Time Response Audit

Operation ID	Description
RTRAuditSessions	Get all the RTR sessions created for a customer in a specified duration

Recon

Operation ID	Description
AggregateNotificationsExposedDataRecordsV1	Get notification exposed data record aggregates as specified via JSON in request body.
AggregateNotificationsV1	Get notification aggregates as specified via JSON in request body.
PreviewRuleV1	Preview rules notification count and distribution. This will return aggregations on: channel, count, site.
GetActionsV1	Get actions based on their IDs. IDs can be retrieved using the QueryActionsV1 operation.
CreateActionsV1	Create actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule.
DeleteActionV1	Delete an action from a monitoring rule based on the action ID.
UpdateActionV1	Update an action for a monitoring rule.
GetFileContentForExportJobsV1	Download the file associated with a job ID.
GetExportJobsV1	Get the status of export jobs based on their IDs. Export jobs can be launched by calling CreateExportJobsV1. When a job is complete, use the job ID to download the file(s) associated with it using GetFileContentForExportJobsV1.
CreateExportJobsV1	Launch asynchronous export job. Use the job ID to poll the status of the job using GetExportJobsV1.
DeleteExportJobsV1	Delete export jobs (and their associated file(s)) based on their IDs.
GetNotificationsDetailedTranslatedV1	Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match. This endpoint will return translated notification content. The only target language available is English. A single notification can be translated per request.
GetNotificationsDetailedV1	Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.
GetNotificationsExposedDataRecordsV1	Get notifications exposed data records based on their IDs. IDs can be retrieved using the QueryNotificationsExposedDataRecordsV1 operation. The associated notification can be fetched using the notifications operations.
GetNotificationsTranslatedV1	Get notifications based on their IDs. IDs can be retrieved using the QueryNotificationsV1 operation. This endpoint will return translated notification content. The only target language available is English.
GetNotificationsV1	Get notifications based on their IDs. IDs can be retrieved using the QueryNotificationsV1 operation.
DeleteNotificationsV1	Delete notifications based on IDs. Notifications cannot be recovered after they are deleted.
UpdateNotificationsV1	Update notification status or assignee. Accepts bulk requests.
GetRulesV1	Get monitoring rules rules by provided IDs.
CreateRulesV1	Create monitoring rules.
DeleteRulesV1	Delete monitoring rules.
UpdateRulesV1	Update monitoring rules.
QueryActionsV1	Query actions based on provided criteria. Use the IDs from this response to get the action entities on GetActionsV1.
QueryNotificationsExposedDataRecordsV1	Query notifications exposed data records based on provided criteria. Use the IDs from this response to get the notification entities on GetNotificationsExposedDataRecordsV1.
QueryNotificationsV1	Query notifications based on provided criteria. Use the IDs from this response to get the notification entities on GetNotificationsV1 or GetNotificationsDetailedV1.
QueryRulesV1	Query monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on GetRulesV1.

Report Executions

Operation ID	Description
report_executions_download_get	Get report entity download
report_executions_retry	Retry the execution of a report by ID.
report_executions_get	Retrieve report details for the provided report IDs.
report_executions_query	Find all report execution IDs matching the query with filter

Response Policies

Operation ID	Description
queryCombinedRTResponsePolicyMembers	Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria
queryCombinedRTResponsePolicies	Search for Response Policies in your environment by providing a FQL filter and paging details. Returns a set of Response Policies which match the filter criteria
performRTResponsePoliciesAction	Perform the specified action on the Response Policies specified in the request
setRTResponsePoliciesPrecedence	Sets the precedence of Response Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence
getRTResponsePolicies	Retrieve a set of Response Policies by specifying their IDs
createRTResponsePolicies	Create Response Policies by specifying details about the policy to create
deleteRTResponsePolicies	Delete a set of Response Policies by specifying their IDs
updateRTResponsePolicies	Update Response Policies by specifying the ID of the policy and details to update
queryRTResponsePolicyMembers	Search for members of a Response policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria
queryRTResponsePolicies	Search for Response Policies in your environment by providing a FQL filter with sort and/or paging details. This returns a set of Response Policy IDs that match the given criteria.

SaaS Security

Operation ID	Description
DismissAffectedEntityV3	Dismiss affected entity.
DismissSecurityCheckV3	Dismiss security check.
GetActivityMonitorV3	Get activity monitor.
GetAlertsV3	Get alerts.
GetAppInventory	Get application inventory.
GetAppInventoryUsers	Get application inventory users.
GetAssetInventoryV3	Get asset inventory.
GetDeviceInventoryV3	Get device inventory.
GetIntegrationsV3	Get integrations.
GetMetricsV3	Get metrics.
GetSecurityCheckAffectedV3	Get affected resources for security checks.
GetSecurityCheckComplianceV3	Get security check compliance.
GetSecurityChecksV3	Get security checks.
GetSupportedSaasV3	Get supported SaaS applications.
GetSystemLogsV3	Get system logs.
GetSystemUsersV3	Get system users.
GetUserInventoryV3	Get user inventory.
IntegrationBuilderEndTransactionV3	End integration builder transaction.
IntegrationBuilderGetStatusV3	Get integration builder status.
IntegrationBuilderResetV3	Reset integration builder.
IntegrationBuilderUploadV3	Upload integration builder.

Sample Uploads

Operation ID	Description
ArchiveListV1	Retrieves the archives files in chunks.
ArchiveGetV1	Retrieves the archives upload operation statuses. Status done means that archive was processed successfully. Status error means that archive was not processed successfully.
ArchiveUploadV1	Uploads an archive and extracts files list from it. Operation is asynchronous.
ArchiveDeleteV1	Delete an archive that was uploaded previously.
ArchiveUploadV2	Uploads an archive and extracts files list from it. Operation is asynchronous.
ExtractionListV1	Retrieves the files extractions in chunks.
ExtractionGetV1	Retrieves the files extraction operation statuses.
ExtractionCreateV1	Extracts files from an uploaded archive and copies them to internal storage making it available for content analysis.
GetSampleV3	Retrieves the file associated with the given ID (SHA256).
UploadSampleV3	Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint.
DeleteSampleV3	Removes a sample, including file, meta and submissions from the collection.

Scheduled Reports

Operation ID	Description
scheduled_reports_launch	Launch scheduled report executions for the provided ID(s).
scheduled_reports_get	Retrieve scheduled reports for the provided report IDs.
scheduled_reports_query	Find all report IDs matching the query with filter

Sensor Download

Operation ID	Description
GetCombinedSensorInstallersByQuery	Get sensor installer details by provided query
GetCombinedSensorInstallersByQueryV2	Get sensor installer details by provided query
GetCombinedSensorInstallersByQueryV3	Get sensor installer details by provided query
DownloadSensorInstallerById	Download sensor installer by SHA256 ID
DownloadSensorInstallerByIdV2	Download sensor installer by SHA256 ID
DownloadSensorInstallerByIdV3	Download sensor installer by SHA256 ID
GetSensorInstallersEntities	Get sensor installer details by provided SHA256 IDs
GetSensorInstallersEntitiesV2	Get sensor installer details by provided SHA256 IDs
GetSensorInstallersEntitiesV3	Get sensor installer details by provided SHA256 IDs
GetSensorInstallersCCIDByQuery	Get CCID to use with sensor installers
GetSensorInstallersByQuery	Get sensor installer IDs by provided query
GetSensorInstallersByQueryV2	Get sensor installer IDs by provided query
GetSensorInstallersByQueryV3	Get sensor installer IDs by provided query

Sensor Update Policy

Operation ID	Description
revealUninstallToken	Reveals an uninstall token for a specific device. To retrieve the bulk maintenance token pass the value ‘MAINTENANCE’ as the value for ‘device_id’.
incrementUninstallToken	Increment a bulk maintenance token.
queryCombinedSensorUpdateBuilds	Retrieve available builds for use with Sensor Update Policies.
queryCombinedSensorUpdateKernels	Retrieve kernel compatibility info for Sensor Update Builds.
queryCombinedSensorUpdatePolicyMembers	Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria.
queryCombinedSensorUpdatePolicies	Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria.
queryCombinedSensorUpdatePoliciesV2	Search for Sensor Update Policies with additional support for uninstall protection in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria.
performSensorUpdatePoliciesAction	Perform the specified action on the Sensor Update Policies specified in the request.
setSensorUpdatePoliciesPrecedence	Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.
getSensorUpdatePolicies	Retrieve a set of Sensor Update Policies by specifying their IDs.
createSensorUpdatePolicies	Create Sensor Update Policies by specifying details about the policy to create.
deleteSensorUpdatePolicies	Delete a set of Sensor Update Policies by specifying their IDs.
updateSensorUpdatePolicies	Update Sensor Update Policies by specifying the ID of the policy and details to update.
getSensorUpdatePoliciesV2	Retrieve a set of Sensor Update Policies with additional support for uninstall protection by specifying their IDs.
createSensorUpdatePoliciesV2	Create Sensor Update Policies by specifying details about the policy to create with additional support for uninstall protection.
updateSensorUpdatePoliciesV2	Update Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection.
querySensorUpdateKernelsDistinct	Retrieve kernel compatibility info for Sensor Update Builds.
querySensorUpdatePolicyMembers	Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.
querySensorUpdatePolicies	Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policy IDs which match the filter criteria.

Sensor Usage

Operation ID	Description
GetSensorUsageHourly	Fetches hourly average. Each data point represents the average of how many unique AIDs were seen per hour for the previous 28 days.
GetSensorUsageWeekly	Fetches weekly average. Each data point represents the average of how many unique AIDs were seen per week for the previous 28 days.

Sensor Visibility Exclusions

Operation ID	Description
getSensorVisibilityExclusionsV1	Get a set of Sensor Visibility Exclusions by specifying their IDs.
createSVExclusionsV1	Create a sensor visibility exclusion.
deleteSensorVisibilityExclusionsV1	Delete the sensor visibility exclusions by ID.
updateSensorVisibilityExclusionsV1	Update a sensor visibility exclusion.
querySensorVisibilityExclusionsV1	Search for sensor visibility exclusions.

Serverless Exports

Operation ID	Description
ReadExportJobsMixin0	Read export jobs entities.
QueryExportJobsMixin0	Query export jobs entities.
DownloadExportFileMixin0	Download an export file.
LaunchExportJobMixin0	Launch an export job of a Lambda Security resource.

Serverless Vulnerabilities

Operation ID	Description
GetCombinedVulnerabilitiesSARIF	Retrieve all lambda vulnerabilities that match the given query and return in the SARIF format.

Spotlight Evaluation Logic

Operation ID	Description
combinedQueryEvaluationLogic	Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic entities which match the filter criteria.
combinedSupportedEvaluationExt	Perform a combined query and get for RiskSupportedEvaluation entities.
getEvaluationLogic	Get details on evaluation logic items by providing one or more IDs.
queryEvaluationLogic	Search for evaluation logic in your environment by providing a FQL filter and paging details. Returns a set of evaluation logic IDs which match the filter criteria.

Spotlight Vulnerabilities

Operation ID	Description
combinedQueryVulnerabilities	Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability entities which match the filter criteria.
getRemediationsV2	Get details on remediation by providing one or more IDs.
getVulnerabilities	Get details on vulnerabilities by providing one or more IDs.
queryVulnerabilities	Search for Vulnerabilities in your environment by providing a FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria.
getRemediations	Get details on remediations by providing one or more IDs.

Spotlight Vulnerability Metadata

Operation ID	Description
combineVulnMetadataExt	Perform a combined query and get operation for retrieving Risk (vulnerability metadata) entities.

Tailored Intelligence

Operation ID	Description
GetEventsBody	Get event body for the provided event ID
GetEventsEntities	Get events entities for specified ids.
QueryEvents	Get events ids that match the provided filter criteria.
GetRulesEntities	Get rules entities for specified ids.
QueryRules	Get rules ids that match the provided filter criteria.

ThreatGraph

Operation ID	Description
combined_edges_get	Retrieve edges for a given vertex id. One edge type must be specified.
combined_ran_on_get	Look up instances of indicators such as hashes, domain names, and ip addresses that have been seen on devices in your environment.
combined_summary_get	Retrieve summary for a given vertex ID.
entities_vertices_get	Retrieve metadata for a given vertex ID.
entities_vertices_getv2	Retrieve metadata for a given vertex ID.
queries_edgetypes_get	Show all available edge types.

Unidentified Containers

Operation ID	Description
ReadUnidentifiedContainersByDateRangeCount	Returns the count of Unidentified Containers over the last 7 days
ReadUnidentifiedContainersCount	Returns the total count of Unidentified Containers over a time period
SearchAndReadUnidentifiedContainers	Search Unidentified Containers by the provided search criteria

User Management

Operation ID	Description
aggregateUsersV1	Get user aggregates as specified via json in request body.
GetRoles	Get info about a role.
combinedUserRolesV1	Get user grant(s). This operation lists both direct as well as flight control grants between a User and a Customer.
CombinedUserRolesV2	Get user grant(s). This operation lists both direct as well as flight control grants between a User and a Customer.
entitiesRolesV1	Get info about a role, supports Flight Control.
entitiesRolesGETV2	Get info about a role.
userActionV1	Apply actions to one or more users.
userRolesActionV1	Grant or Revoke one or more role(s) to a user against a CID.
GrantUserRoleIds	Assign one or more roles to a user.
RevokeUserRoleIds	Revoke one or more roles from a user
GetAvailableRoleIds	Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to GetRoles.
queriesRolesV1	Show role IDs for all roles available in your customer account. Supports Flight Control.
queryUserV1	List user IDs for all users in your customer account.
GetUserRoleIds	Show role IDs of roles assigned to a user. For more information on each role, provide the role ID to GetRoles.
RetrieveUser	Get info about a user.
retrieveUsersGETV1	Get info about users including their name, UID and CID by providing user UUIDs.
CreateUser	Create a new user. After creating a user, assign one or more roles with GrantUserRoleIds.
createUserV1	Create a new user. After creating a user, assign one or more roles with userRolesActionV1. Supports Flight Control.
DeleteUser	Delete a user permanently.
deleteUserV1	Delete a user permanently. Supports Flight Control.
UpdateUser	Modify an existing user’s first or last name
updateUserV1	Modify an existing user’s first or last name. Supports Flight Control.
RetrieveEmailsByCID	List the usernames (usually an email address) for all users in your customer account
RetrieveUserUUIDsByCID	List user IDs for all users in your customer account. For more information on each user, provide the user ID to RetrieveUser.
RetrieveUserUUID	Get a user’s ID by providing a username (usually an email address)

Workflows

Operation ID	Description
WorkflowActivitiesCombined	Search for activities by name. Returns all supported activities if no filter is specified.
WorkflowActivitiesContentCombined	Search for activities by name. Returns all supported activities if no filter specified.
WorkflowExecute	Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response the execution ID(s)
WorkflowExecuteInternal	Executes an on-demand Workflow, the body is JSON used to trigger the execution, the response the execution ID(s)
WorkflowMockExecute	Executes an on-demand Workflow with mocks
WorkflowExecutionsAction	Allows a user to resume/retry a failed workflow execution.
WorkflowExecutionResults	Get execution result of a given execution
WorkflowSystemDefinitionsDeProvision	Deprovisions a system definition that was previously provisioned on the target CID
WorkflowSystemDefinitionsPromote	Promote a version of a system definition
WorkflowSystemDefinitionsProvision	Provisions a system definition onto the target CID by using the template and provided parameters
WorkflowDefinitionsCombined	Search workflow definitions based on the provided filter
WorkflowTriggersCombined	Search for triggers by namespaced identifier, i.e. FalconAudit, Detection, or FalconAudit/Detection/Status. Returns all triggers if no filter is specified.
WorkflowExecutionsCombined	Search workflow executions based on the provided filter
WorkflowDefinitionsExport	Exports a workflow definition for the given definition ID
WorkflowDefinitionsImport	Imports a workflow definition based on the provided model
WorkflowDefinitionsAction	Enable or disable a workflow definition, or stop all executions for a definition.
WorkflowDefinitionsUpdate	Updates a workflow definition based on the provided model.
WorkflowGetHumanInputV1	Gets one or more specific human inputs by their IDs.
WorkflowUpdateHumanInputV1	Provides an input in response to a human input action. Depending on action configuration, one or more of Approve, Decline, and/or Escalate are permitted.
v1_child_executions_query	Search for child executions by providing a FQL filter and paging details.

Zero Trust Assessment

Operation ID	Description
getAssessmentV1	Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID) and a customer ID (CID).
getAuditV1	Get the Zero Trust Assessment audit report for one customer ID (CID).
getAssessmentsByScoreV1	Get Zero Trust Assessment data for one or more hosts by providing a customer ID (CID) and a range of scores.
getCombinedAssessmentsQuery	Search for assessments in your environment by providing an FQL filter and paging details. Returns a set of HostFinding entities which match the filter criteria