Skip to content
CrowdStrike Developer Center

API Reference

The CrowdStrike Falcon API puts the full power of the Falcon platform in your hands. Automate threat response across thousands of endpoints. Build custom detection pipelines. Integrate real-time security telemetry into your SIEM, SOAR, or data lake. Hunt adversaries programmatically with the same intelligence CrowdStrike analysts use every day.

Explore by Domain

Section titled “Explore by Domain”

Endpoint Security

Section titled “Endpoint Security”

Manage hosts, investigate detections, respond to incidents, and track sensors across your fleet.

Alerts 9 operations
Hosts 10 operations
Detects 4 operations
Sensor Download 13 operations
Host Group 9 operations
Host Migration 10 operations
Discover 13 operations
Device Content 2 operations
Mobile Enrollment 2 operations
Quarantine 6 operations
Sensor Usage 2 operations

Real-Time Response

Section titled “Real-Time Response”

Execute commands on live endpoints, run scripts, contain compromised hosts, and manage RTR sessions at scale.

Real Time Response 23 operations
Real Time Response Admin 20 operations
Real Time Response Audit 1 operation

Threat Intelligence

Section titled “Threat Intelligence”

Research adversaries, track indicators of compromise, query intelligence reports, and analyze malware.

Intel 24 operations
Intelligence Feeds 3 operations
Intelligence Indicator Graph 2 operations
IOC 20 operations
IOCs 9 operations
Recon 26 operations
MalQuery 9 operations
Tailored Intelligence 5 operations
Falcon Intelligence Sandbox 15 operations
ThreatGraph 6 operations
CAO Hunting 7 operations

Cloud & Container Security

Section titled “Cloud & Container Security”

Register cloud accounts, monitor containers and Kubernetes workloads, assess cloud posture, and track image vulnerabilities.

Cloud Security 7 operations
CSPM Registration 39 operations
Cloud Security Assets 4 operations
Cloud Security Compliance 2 operations
Cloud Security Detections 3 operations
Cloud Security Risks 1 operation
Cloud Policies 29 operations
Cloud AWS Registration 7 operations
Cloud Azure Registration 9 operations
Cloud GCP Registration 7 operations
Cloud Google Cloud Registration 7 operations
Cloud OCI Registration 7 operations
Cloud Connect AWS 9 operations
D4C Registration 22 operations
Cloud Snapshots 8 operations
Container Images 13 operations
Container Vulnerabilities 10 operations
Container Alerts 3 operations
Container Detections 7 operations
Container Image Compliance 11 operations
Container Packages 7 operations
Drift Indicators 5 operations
Unidentified Containers 3 operations
Kubernetes Protection 63 operations
Kubernetes Container Compliance 10 operations
Falcon Container 20 operations
Image Assessment Policies 11 operations

Vulnerability Management

Section titled “Vulnerability Management”

Pull CVE data, prioritize remediation with ExPRT ratings, and track exposure risk across your environment.

Spotlight Vulnerabilities 5 operations
Spotlight Evaluation Logic 4 operations
Spotlight Vulnerability Metadata 1 operation
Exposure Management 12 operations
Serverless Vulnerabilities 1 operation

Identity & Access

Section titled “Identity & Access”

Investigate entities, assess identity risk, manage users, and operate across multi-tenant MSSP environments.

Identity Protection 8 operations
User Management 25 operations
MSSP (Flight Control) 31 operations
OAuth2 2 operations
Installation Tokens 9 operations
Certificate Based Exclusions 6 operations
Zero Trust Assessment 4 operations
Federated Connections 3 operations

Data Pipelines & SIEM

Section titled “Data Pipelines & SIEM”

Stream events in real time, execute CQL queries against Next-Gen SIEM, and build data ingestion pipelines.

NGSIEM 48 operations
Event Streams 2 operations
FDR 5 operations
Foundry LogScale 11 operations
Correlation Rules 18 operations
Correlation Rules Admin 1 operation
Custom Storage 18 operations

Policy & Configuration

Section titled “Policy & Configuration”

Manage firewall rules, configure IOA exclusions, control sensor visibility, and customize detection behavior.

Prevention Policy 10 operations
Device Control Policies 18 operations
Response Policies 10 operations
Sensor Update Policy 19 operations
Firewall Management 33 operations
Firewall Policies 10 operations
Custom IOA 20 operations
IOA Exclusions 14 operations
ML Exclusions 14 operations
Sensor Visibility Exclusions 5 operations
Content Update Policies 11 operations
Admission Control Policies 15 operations
Configuration Assessment 2 operations
Configuration Assessment Evaluation Logic 1 operation
Delivery Settings 2 operations

Workflows & Automation

Section titled “Workflows & Automation”

Orchestrate security operations with scheduled reports, on-demand scans, and automated workflows.

Scheduled Reports 3 operations
Report Executions 4 operations
Workflows 20 operations
On Demand Scan (ODS) 16 operations
Quick Scan 4 operations
Quick Scan Pro 6 operations
IT Automation 42 operations
FaaS Execution 1 operation

Application Security

Section titled “Application Security”

Manage application security posture, monitor SaaS integrations, and assess API risks.

ASPM 52 operations
SaaS Security 21 operations
API Integrations 3 operations

Data Protection

Section titled “Data Protection”

Configure data loss prevention policies and scan data at rest.

Data Protection Configuration 47 operations

File Integrity & Change Monitoring

Section titled “File Integrity & Change Monitoring”

Monitor file changes, manage policies, and track deviations across your environment.

FileVantage 31 operations
Sample Uploads 11 operations
Downloads 4 operations

Network Security

Section titled “Network Security”

Scan networks, manage zones, discover assets, and report on scan results.

Network Scan Scans 6 operations
Network Scan Networks 6 operations
Network Scan Templates 6 operations
Network Scan Zones 7 operations
Network Scan Scanners 4 operations
Network Scan Scan Runs 5 operations
Network Scan Scan Run Reports 1 operation
Network Scan Global Configs 2 operations

Case & Incident Management

Section titled “Case & Incident Management”

Manage cases, track escalations, and coordinate response across your SOC.

Case Management 53 operations
Message Center 9 operations
Falcon Complete Dashboard 19 operations
Overwatch Dashboard 5 operations

Knowledge & AI

Section titled “Knowledge & AI”

Manage knowledge bases, files, and audit events for AI-powered workflows.

Knowledge Bases 5 operations
Knowledge Base Files 6 operations
Knowledge Base Audit Events 4 operations

Deployment & Updates

Section titled “Deployment & Updates”

Manage deployments, releases, and serverless export jobs.

Deployments 6 operations
Serverless Exports 4 operations

Integrate with Artificial Intelligence

Section titled “Integrate with Artificial Intelligence”

The Falcon MCP Server gives AI assistants direct access to the CrowdStrike Falcon platform through the Model Context Protocol. Investigate threats, triage detections, query hosts, research adversaries, and automate security operations - all through natural language conversations with your AI tools.

Learn more about Falcon MCP →

Integrate with Code

Section titled “Integrate with Code”

Python

FalconPy
Scripting, automation, data pipelines, serverless functions, and SOC tooling.

PowerShell

PSFalcon
Windows administration, Active Directory, and endpoint management.

Go

goFalcon
Microservices, CLI tools, and high-throughput cloud-native systems.

TypeScript

FalconJS
Web dashboards, Node.js services, and serverless functions.

Rust

Rusty Falcon
Performance-critical agents, secure systems, and low-latency processing.

Ruby

Crimson Falcon
Rails applications, web services, and compliance workflows.
© 2026 CrowdStrike, Inc. All rights reserved. Privacy Notice Cookie Notice Terms of Use