CrowdStrike OpenAPI

Use the CrowdStrike OpenAPI integration to interact with CrowdStrike APIs that do not have dedicated integrations in Cortex XSOAR, for example, CrowdStrike FalconX, etc.

Endpoint · CrowdStrike OpenAPI

Configuration parameters

  • server_url — Cloud Base URL (required)
  • credentials — Client ID (required)
  • timeout — The amount of time (in seconds) that a request will wait for a client to establish a connection to a remote machine before a timeout occurs.
  • proxy — Use system proxy settings
  • insecure — Trust any certificate (not secure)

Commands (365)

  • cs-add-role

    Assign new MSSP Role(s) between User Group and CID Group. It does not revoke existing role(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request.

  • cs-add-user-group-members

    Add new User Group member. Maximum 500 members allowed per User Group.

  • cs-addcid-group-members

    Add new CID Group member.

  • cs-aggregate-allow-list

    Retrieve aggregate allowlist ticket values based on the matched filter.

  • cs-aggregate-block-list

    Retrieve aggregate block list ticket values based on the matched filter.

  • cs-aggregate-detections

    Retrieve aggregate detection values based on the matched filter.

  • cs-aggregate-device-count-collection

    Retrieve aggregate host/devices count based on the matched filter.

  • cs-aggregate-escalations

    Retrieve aggregate escalation ticket values based on the matched filter.

  • cs-aggregate-notificationsv1

    Get notification aggregates as specified via JSON in request body.

  • cs-aggregate-remediations

    Retrieve aggregate remediation ticket values based on the matched filter.

  • cs-aggregateevents

    Aggregate events for customer.

  • cs-aggregatefc-incidents

    Retrieve aggregate incident values based on the matched filter.

  • cs-aggregatepolicyrules

    Aggregate rules within a policy for customer.

  • cs-aggregaterulegroups

    Aggregate rule groups for customer.

  • cs-aggregaterules

    Aggregate rules for customer.

  • cs-aggregates-detections-global-counts

    Get the total number of detections pushed across all customers.

  • cs-aggregates-events

    Get aggregate OverWatch detection event info by providing an aggregate query.

  • cs-aggregates-events-collections

    Get OverWatch detection event collection info by providing an aggregate query.

  • cs-aggregates-incidents-global-counts

    Get the total number of incidents pushed across all customers.

  • cs-aggregatesow-events-global-counts

    Get the total number of OverWatch events across all customers.

  • cs-apipreemptproxypostgraphql

    Identity Protection GraphQL API. Allows to retrieve entities, timeline activities, identity-based incidents and security assessment. Allows to perform actions on entities and identity-based incidents.

  • cs-auditeventsquery

    Search for audit events by providing an FQL filter and paging details.

  • cs-auditeventsread

    Gets the details of one or more audit events by id.

  • cs-batch-active-responder-cmd

    Batch executes a RTR active-responder command across the hosts mapped to the given batch ID.

  • cs-batch-admin-cmd

    Batch executes a RTR administrator command across the hosts mapped to the given batch ID.

  • cs-batch-cmd

    Batch executes a RTR read-only command across the hosts mapped to the given batch ID.

  • cs-batch-get-cmd

    Batch executes `get` command across hosts to retrieve files. After this call is made `GET /real-time-response/combined/batch-get-command/v1` is used to query for the results.

  • cs-batch-get-cmd-status

    Retrieves the status of the specified batch get command. Will return successful files when they are finished processing.

  • cs-batch-init-sessions

    Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host.

  • cs-batch-refresh-sessions

    Batch refresh a RTR session on multiple hosts. RTR sessions will expire after 10 minutes unless refreshed.

  • cs-create-actionsv1

    Create actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule.

  • cs-create-device-control-policies

    Create Device Control Policies by specifying details about the policy to create.

  • cs-create-firewall-policies

    Create Firewall Policies by specifying details about the policy to create.

  • cs-create-host-groups

    Create Host Groups by specifying details about the group to create.

  • cs-create-or-updateaws-settings

    Create or update Global Settings which are applicable to all provisioned AWS accounts.

  • cs-create-prevention-policies

    Create Prevention Policies by specifying details about the policy to create.

  • cs-create-rulesv1

    Create monitoring rules.

  • cs-create-sensor-update-policies

    Create Sensor Update Policies by specifying details about the policy to create.

  • cs-create-sensor-update-policiesv2

    Create Sensor Update Policies by specifying details about the policy to create with additional support for uninstall protection.

  • cs-create-user

    Create a new user. After creating a user, assign one or more roles with POST /user-roles/entities/user-roles/v1.

  • cs-create-user-groups

    Create new User Group(s). Maximum 500 User Group(s) allowed per customer.

  • cs-createaws-account

    Creates a new AWS account in our system for a customer and generates the installation script.

  • cs-createcid-groups

    Create new CID Group(s). Maximum 500 CID Group(s) allowed.

  • cs-createcspm-aws-account

    Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access.

  • cs-createcspmgcp-account

    Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access.

  • cs-createml-exclusionsv1

    Create the ML exclusions.

  • cs-creatert-response-policies

    Create Response Policies by specifying details about the policy to create.

  • cs-createrule

    Create a rule within a rule group. Returns the rule.

  • cs-createrulegroup

    Create new rule group on a platform for a customer with a name and description, and return the ID.

  • cs-createrulegroup-mixin0

    Create a rule group for a platform with a name and an optional description. Returns the rule group.

  • cs-createsv-exclusionsv1

    Create the sensor visibility exclusions.

  • cs-crowd-score

    Query environment wide CrowdScore and return the entity data.

  • cs-customersettingsread

    Check current installation token settings.

  • cs-delete-actionv1

    Delete an action from a monitoring rule based on the action ID.

  • cs-delete-device-control-policies

    Delete a set of Device Control Policies by specifying their IDs.

  • cs-delete-firewall-policies

    Delete a set of Firewall Policies by specifying their IDs.

  • cs-delete-host-groups

    Delete a set of Host Groups by specifying their IDs.

  • cs-delete-notificationsv1

    Delete notifications based on IDs. Notifications cannot be recovered after they are deleted.

  • cs-delete-prevention-policies

    Delete a set of Prevention Policies by specifying their IDs.

  • cs-delete-report

    Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint.

  • cs-delete-rulesv1

    Delete monitoring rules.

  • cs-delete-samplev2

    Removes a sample, including file, meta and submissions from the collection.

  • cs-delete-samplev3

    Removes a sample, including file, meta and submissions from the collection.

  • cs-delete-sensor-update-policies

    Delete a set of Sensor Update Policies by specifying their IDs.

  • cs-delete-sensor-visibility-exclusionsv1

    Delete the sensor visibility exclusions by id.

  • cs-delete-user

    Delete a user permanently.

  • cs-delete-user-group-members

    Delete User Group members entry.

  • cs-delete-user-groups

    Delete User Group(s) by ID(s).

  • cs-deleteaws-accounts

    Delete a set of AWS Accounts by specifying their IDs.

  • cs-deleteaws-accounts-mixin0

    Delete AWS accounts.

  • cs-deletecid-group-members

    Delete CID Group members entry.

  • cs-deletecid-groups

    Delete CID Group(s) by ID(s).

  • cs-deletecspm-aws-account

    Deletes an existing AWS account or organization in our system.

  • cs-deletecspm-azure-account

    Deletes an Azure subscription from the system.

  • cs-deleted-roles

    Delete MSSP Role assignment(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request. Only specified roles are removed if specified in request payload, else association between User Group and CID Group is dissolved completely (if no roles specified).

  • cs-deleteioa-exclusionsv1

    Delete the IOA exclusions by id.

  • cs-deleteml-exclusionsv1

    Delete the ML exclusions by id.

  • cs-deletert-response-policies

    Delete a set of Response Policies by specifying their IDs.

  • cs-deleterulegroups

    Delete rule group entities by ID.

  • cs-deleterulegroups-mixin0

    Delete rule groups by ID.

  • cs-deleterules

    Delete rules from a rule group by ID.

  • cs-devices-count

    Number of hosts in your customer account that have observed a given custom IOC.

  • cs-devices-ran-on

    Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v2.

  • cs-download-sensor-installer-by-id

    Download sensor installer by SHA256 ID.

  • cs-entitiesprocesses

    For the provided ProcessID retrieve the process details.

  • cs-get-actionsv1

    Get actions based on their IDs. IDs can be retrieved using the GET /queries/actions/v1 endpoint.

  • cs-get-aggregate-detects

    Get detect aggregates as specified via json in request body.

  • cs-get-artifacts

    Download IOC packs, PCAP files, and other analysis artifacts.

  • cs-get-assessmentv1

    Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID) and a customer ID (CID).

  • cs-get-available-role-ids

    Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to `/customer/entities/roles/v1`.

  • cs-get-behaviors

    Get details on behaviors by providing behavior IDs.

  • cs-get-children

    Get link to child customer by child CID(s).

  • cs-get-cloudconnectazure-entities-account-v1

    Return information about Azure account registration.

  • cs-get-cloudconnectazure-entities-userscriptsdownload-v1

    Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment.

  • cs-get-cloudconnectcspmazure-entities-account-v1

    Return information about Azure account registration.

  • cs-get-cloudconnectcspmazure-entities-userscriptsdownload-v1

    Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment.

  • cs-get-clusters

    Provides the clusters acknowledged by the Kubernetes Protection service.

  • cs-get-combined-sensor-installers-by-query

    Get sensor installer details by provided query.

  • cs-get-detect-summaries

    View information about detections.

  • cs-get-device-control-policies

    Retrieve a set of Device Control Policies by specifying their IDs.

  • cs-get-device-count-collection-queries-by-filter

    Retrieve device count collection Ids that match the provided FQL filter, criteria with scrolling enabled.

  • cs-get-device-details

    Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API.

  • cs-get-device-login-history

    Retrieve details about recent login sessions for a set of devices.

  • cs-get-device-network-history

    Retrieve history of IP and MAC addresses of devices.

  • cs-get-firewall-policies

    Retrieve a set of Firewall Policies by specifying their IDs.

  • cs-get-helm-values-yaml

    Provides a sample Helm values.yaml file for a customer to install alongside the agent Helm chart.

  • cs-get-host-groups

    Retrieve a set of Host Groups by specifying their IDs.

  • cs-get-incidents

    Get details on incidents by providing incident IDs.

  • cs-get-intel-actor-entities

    Retrieve specific actors using their actor IDs.

  • cs-get-intel-indicator-entities

    Retrieve specific indicators using their indicator IDs.

  • cs-get-intel-report-entities

    Retrieve specific reports using their report IDs.

  • cs-get-intel-reportpdf

    Return a Report PDF attachment.

  • cs-get-intel-rule-entities

    Retrieve details for rule sets for the specified ids.

  • cs-get-intel-rule-file

    Download earlier rule sets.

  • cs-get-latest-intel-rule-file

    Download the latest rule set.

  • cs-get-locations

    Provides the cloud locations acknowledged by the Kubernetes Protection service.

  • cs-get-mal-query-downloadv1

    Download a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time.

  • cs-get-mal-query-entities-samples-fetchv1

    Fetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing.

  • cs-get-mal-query-metadatav1

    Retrieve indexed files metadata by their hash.

  • cs-get-mal-query-quotasv1

    Get information about search and download quotas in your environment.

  • cs-get-mal-query-requestv1

    Check the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time.

  • cs-get-notifications-detailed-translatedv1

    Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.This endpoint will return translated notification content. The only target language available is English. A single notification can be translated per request.

  • cs-get-notifications-detailedv1

    Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.

  • cs-get-notifications-translatedv1

    Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. This endpoint will return translated notification content. The only target language available is English.

  • cs-get-notificationsv1

    Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint.

  • cs-get-prevention-policies

    Retrieve a set of Prevention Policies by specifying their IDs.

  • cs-get-reports

    Get a full sandbox report.

  • cs-get-roles

    Get info about a role.

  • cs-get-roles-byid

    Get MSSP Role assignment(s). MSSP Role assignment is of the format :.

  • cs-get-rulesv1

    Get monitoring rules rules by provided IDs.

  • cs-get-samplev2

    Retrieves the file associated with the given ID (SHA256).

  • cs-get-samplev3

    Retrieves the file associated with the given ID (SHA256).

  • cs-get-scans

    Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute.

  • cs-get-scans-aggregates

    Get scans aggregations as specified via json in request body.

  • cs-get-sensor-installers-by-query

    Get sensor installer IDs by provided query.

  • cs-get-sensor-installers-entities

    Get sensor installer details by provided SHA256 IDs.

  • cs-get-sensor-installersccid-by-query

    Get CCID to use with sensor installers.

  • cs-get-sensor-update-policies

    Retrieve a set of Sensor Update Policies by specifying their IDs.

  • cs-get-sensor-update-policiesv2

    Retrieve a set of Sensor Update Policies with additional support for uninstall protection by specifying their IDs.

  • cs-get-sensor-visibility-exclusionsv1

    Get a set of Sensor Visibility Exclusions by specifying their IDs.

  • cs-get-submissions

    Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.

  • cs-get-summary-reports

    Get a short summary version of a sandbox report.

  • cs-get-user-group-members-byid

    Get User Group members by User Group ID(s).

  • cs-get-user-groups-byid

    Get User Group by ID(s).

  • cs-get-user-role-ids

    Show role IDs of roles assigned to a user. For more information on each role, provide the role ID to `/customer/entities/roles/v1`.

  • cs-get-vulnerabilities

    Get details on vulnerabilities by providing one or more IDs.

  • cs-getaws-accounts

    Retrieve a set of AWS Accounts by specifying their IDs.

  • cs-getaws-accounts-mixin0

    Provides a list of AWS accounts.

  • cs-getaws-settings

    Retrieve a set of Global Settings which are applicable to all provisioned AWS accounts.

  • cs-getcid-group-by-id

    Get CID Group(s) by ID(s).

  • cs-getcid-group-members-by

    Get CID Group members by CID Group IDs.

  • cs-getcspm-aws-account

    Returns information about the current status of an AWS account.

  • cs-getcspm-aws-account-scripts-attachment

    Return a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment.

  • cs-getcspm-aws-console-setupur-ls

    Return a URL for customer to visit in their cloud environment to grant us access to their AWS environment.

  • cs-getcspm-azure-user-scripts

    Return a script for customer to run in their cloud environment to grant us access to their Azure environment.

  • cs-getcspm-policy

    Given a policy ID, returns detailed policy information.

  • cs-getcspm-policy-settings

    Returns information about current policy settings.

  • cs-getcspm-scan-schedule

    Returns scan schedule configuration for one or more cloud platforms.

  • cs-getcspmcgp-account

    Returns information about the current status of an GCP account.

  • cs-getcspmgcp-user-scripts

    Return a script for customer to run in their cloud environment to grant us access to their GCP environment.

  • cs-getcspmgcp-user-scripts-attachment

    Return a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment.

  • cs-getevents

    Get events entities by ID and optionally version.

  • cs-getfirewallfields

    Get the firewall field specifications by ID.

  • cs-getioa-events

    For CSPM IOA events, gets list of IOA events.

  • cs-getioa-exclusionsv1

    Get a set of IOA Exclusions by specifying their IDs.

  • cs-getioa-users

    For CSPM IOA users, gets list of IOA users.

  • cs-getioc

    DEPRECATED Use the new IOC Management endpoint (GET /iocs/entities/indicators/v1). Get an IOC by providing a type and value.

  • cs-getml-exclusionsv1

    Get a set of ML Exclusions by specifying their IDs.

  • cs-getpatterns

    Get pattern severities by ID.

  • cs-getplatforms

    Get platforms by ID, e.g., windows or mac or droid.

  • cs-getplatforms-mixin0

    Get platforms by ID.

  • cs-getpolicycontainers

    Get policy container entities by policy ID.

  • cs-getrt-response-policies

    Retrieve a set of Response Policies by specifying their IDs.

  • cs-getrulegroups

    Get rule group entities by ID. These groups do not contain their rule entites, just the rule IDs in precedence order.

  • cs-getrulegroups-mixin0

    Get rule groups by ID.

  • cs-getrules

    Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string).

  • cs-getrules-mixin0

    Get rules by ID and optionally version in the following format: `ID[:version]`. The max number of IDs is constrained by URL size.

  • cs-getrulesget

    Get rules by ID and optionally version in the following format: `ID[:version]`.

  • cs-getruletypes

    Get rule types by ID.

  • cs-grant-user-role-ids

    Assign one or more roles to a user.

  • cs-indicatorcombinedv1

    Get Combined for Indicators.

  • cs-indicatorcreatev1

    Create Indicators.

  • cs-indicatordeletev1

    Delete Indicators by ids.

  • cs-indicatorgetv1

    Get Indicators by ids.

  • cs-indicatorsearchv1

    Search for Indicators.

  • cs-indicatorupdatev1

    Update Indicators.

  • cs-list-available-streamso-auth2

    Discover all event streams in your environment.

  • cs-oauth2-access-token

    Generate an OAuth2 access token.

  • cs-oauth2-revoke-token

    Revoke a previously issued OAuth2 access token before the end of its standard 30-minute life .

  • cs-patch-cloudconnectazure-entities-clientid-v1

    Update an Azure service account in our system by with the user-created client_id created with the public key we've provided.

  • cs-patch-cloudconnectcspmazure-entities-clientid-v1

    Update an Azure service account in our system by with the user-created client_id created with the public key we've provided.

  • cs-patchcspm-aws-account

    Patches a existing account in our system for a customer.

  • cs-perform-actionv2

    Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host.

  • cs-perform-device-control-policies-action

    Perform the specified action on the Device Control Policies specified in the request.

  • cs-perform-firewall-policies-action

    Perform the specified action on the Firewall Policies specified in the request.

  • cs-perform-group-action

    Perform the specified action on the Host Groups specified in the request.

  • cs-perform-incident-action

    Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description.

  • cs-perform-prevention-policies-action

    Perform the specified action on the Prevention Policies specified in the request.

  • cs-perform-sensor-update-policies-action

    Perform the specified action on the Sensor Update Policies specified in the request.

  • cs-performrt-response-policies-action

    Perform the specified action on the Response Policies specified in the request.

  • cs-post-cloudconnectazure-entities-account-v1

    Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.

  • cs-post-cloudconnectcspmazure-entities-account-v1

    Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.

  • cs-post-mal-query-entities-samples-multidownloadv1

    Schedule samples for download. Use the result id with the /request endpoint to check if the download is ready after which you can call the /entities/samples-fetch to get the zip.

  • cs-post-mal-query-exact-searchv1

    Search Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. You can filter results on criteria such as file type, file size and first seen date. Returns a request id which can be used with the /request endpoint.

  • cs-post-mal-query-fuzzy-searchv1

    Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity.

  • cs-post-mal-query-huntv1

    Schedule a YARA-based search for execution. Returns a request id which can be used with the /request endpoint.

  • cs-preview-rulev1

    Preview rules notification count and distribution. This will return aggregations on: channel, count, site.

  • cs-processes-ran-on

    Search for processes associated with a custom IOC.

  • cs-provisionaws-accounts

    Provision AWS Accounts by specifying details about the accounts to provision.

  • cs-query-actionsv1

    Query actions based on provided criteria. Use the IDs from this response to get the action entities on GET /entities/actions/v1.

  • cs-query-allow-list-filter

    Retrieve allowlist tickets that match the provided filter criteria with scrolling enabled.

  • cs-query-behaviors

    Search for behaviors by providing an FQL filter, sorting, and paging details.

  • cs-query-block-list-filter

    Retrieve block listtickets that match the provided filter criteria with scrolling enabled.

  • cs-query-children

    Query for customers linked as children.

  • cs-query-combined-device-control-policies

    Search for Device Control Policies in your environment by providing an FQL filter and paging details. Returns a set of Device Control Policies which match the filter criteria.

  • cs-query-combined-device-control-policy-members

    Search for members of a Device Control Policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.

  • cs-query-combined-firewall-policies

    Search for Firewall Policies in your environment by providing an FQL filter and paging details. Returns a set of Firewall Policies which match the filter criteria.

  • cs-query-combined-firewall-policy-members

    Search for members of a Firewall Policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.

  • cs-query-combined-group-members

    Search for members of a Host Group in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.

  • cs-query-combined-host-groups

    Search for Host Groups in your environment by providing an FQL filter and paging details. Returns a set of Host Groups which match the filter criteria.

  • cs-query-combined-prevention-policies

    Search for Prevention Policies in your environment by providing an FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria.

  • cs-query-combined-prevention-policy-members

    Search for members of a Prevention Policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.

  • cs-query-combined-sensor-update-builds

    Retrieve available builds for use with Sensor Update Policies.

  • cs-query-combined-sensor-update-policies

    Search for Sensor Update Policies in your environment by providing an FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria.

  • cs-query-combined-sensor-update-policiesv2

    Search for Sensor Update Policies with additional support for uninstall protection in your environment by providing an FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria.

  • cs-query-combined-sensor-update-policy-members

    Search for members of a Sensor Update Policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.

  • cs-query-combinedrt-response-policies

    Search for Response Policies in your environment by providing an FQL filter and paging details. Returns a set of Response Policies which match the filter criteria.

  • cs-query-combinedrt-response-policy-members

    Search for members of a Response policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.

  • cs-query-detection-ids-by-filter

    Retrieve DetectionsIds that match the provided FQL filter, criteria with scrolling enabled.

  • cs-query-detects

    Search for detection IDs that match a given query.

  • cs-query-device-control-policies

    Search for Device Control Policies in your environment by providing an FQL filter and paging details. Returns a set of Device Control Policy IDs which match the filter criteria.

  • cs-query-device-control-policy-members

    Search for members of a Device Control Policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.

  • cs-query-devices-by-filter

    Search for hosts in your environment by platform, hostname, IP, and other criteria.

  • cs-query-devices-by-filter-scroll

    Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit).

  • cs-query-escalations-filter

    Retrieve escalation tickets that match the provided filter criteria with scrolling enabled.

  • cs-query-firewall-policies

    Search for Firewall Policies in your environment by providing an FQL filter and paging details. Returns a set of Firewall Policy IDs which match the filter criteria.

  • cs-query-firewall-policy-members

    Search for members of a Firewall Policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.

  • cs-query-group-members

    Search for members of a Host Group in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.

  • cs-query-hidden-devices

    Retrieve hidden hosts that match the provided filter criteria.

  • cs-query-host-groups

    Search for Host Groups in your environment by providing an FQL filter and paging details. Returns a set of Host Group IDs which match the filter criteria.

  • cs-query-incident-ids-by-filter

    Retrieve incidents that match the provided filter criteria with scrolling enabled.

  • cs-query-incidents

    Search for incidents by providing an FQL filter, sorting, and paging details.

  • cs-query-intel-actor-entities

    Get info about actors that match provided FQL filters.

  • cs-query-intel-actor-ids

    Get actor IDs that match provided FQL filters.

  • cs-query-intel-indicator-entities

    Get info about indicators that match provided FQL filters.

  • cs-query-intel-indicator-ids

    Get indicators IDs that match provided FQL filters.

  • cs-query-intel-report-entities

    Get info about reports that match provided FQL filters.

  • cs-query-intel-report-ids

    Get report IDs that match provided FQL filters.

  • cs-query-intel-rule-ids

    Search for rule IDs that match provided filter criteria.

  • cs-query-notificationsv1

    Query notifications based on provided criteria. Use the IDs from this response to get the notification entities on GET /entities/notifications/v1 or GET /entities/notifications-detailed/v1.

  • cs-query-prevention-policies

    Search for Prevention Policies in your environment by providing an FQL filter and paging details. Returns a set of Prevention Policy IDs which match the filter criteria.

  • cs-query-prevention-policy-members

    Search for members of a Prevention Policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.

  • cs-query-remediations-filter

    Retrieve remediation tickets that match the provided filter criteria with scrolling enabled.

  • cs-query-reports

    Find sandbox reports by providing an FQL filter and paging details. Returns a set of report IDs that match your criteria.

  • cs-query-roles

    Query MSSP Role assignment. At least one of CID Group ID or User Group ID should also be provided. Role ID is optional.

  • cs-query-rulesv1

    Query monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on /entities/rules/v1.

  • cs-query-samplev1

    Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200.

  • cs-query-sensor-update-policies

    Search for Sensor Update Policies in your environment by providing an FQL filter and paging details. Returns a set of Sensor Update Policy IDs which match the filter criteria.

  • cs-query-sensor-update-policy-members

    Search for members of a Sensor Update Policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.

  • cs-query-sensor-visibility-exclusionsv1

    Search for sensor visibility exclusions.

  • cs-query-submissions

    Find submission IDs for uploaded files by providing an FQL filter and paging details. Returns a set of submission IDs that match your criteria.

  • cs-query-submissions-mixin0

    Find IDs for submitted scans by providing an FQL filter and paging details. Returns a set of volume IDs that match your criteria.

  • cs-query-user-group-members

    Query User Group member by User UUID.

  • cs-query-user-groups

    Query User Groups.

  • cs-query-vulnerabilities

    Search for Vulnerabilities in your environment by providing an FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria.

  • cs-queryaws-accounts

    Search for provisioned AWS Accounts by providing an FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria.

  • cs-queryaws-accounts-fori-ds

    Search for provisioned AWS Accounts by providing an FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria.

  • cs-querycid-group-members

    Query a CID Groups members by associated CID.

  • cs-querycid-groups

    Query CID Groups.

  • cs-queryevents

    Find all event IDs matching the query with filter.

  • cs-queryfirewallfields

    Get the firewall field specification IDs for the provided platform.

  • cs-queryio-cs

    DEPRECATED Use the new IOC Management endpoint (GET /iocs/queries/indicators/v1). Search the custom IOCs in your customer account.

  • cs-queryioa-exclusionsv1

    Search for IOA exclusions.

  • cs-queryml-exclusionsv1

    Search for ML exclusions.

  • cs-querypatterns

    Get all pattern severity IDs.

  • cs-queryplatforms

    Get the list of platform names.

  • cs-queryplatforms-mixin0

    Get all platform IDs.

  • cs-querypolicyrules

    Find all firewall rule IDs matching the query with filter, and return them in precedence order.

  • cs-queryrt-response-policies

    Search for Response Policies in your environment by providing an FQL filter with sort and/or paging details. This returns a set of Response Policy IDs that match the given criteria.

  • cs-queryrt-response-policy-members

    Search for members of a Response policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.

  • cs-queryrulegroups

    Find all rule group IDs matching the query with filter.

  • cs-queryrulegroups-mixin0

    Finds all rule group IDs matching the query with optional filter.

  • cs-queryrulegroupsfull

    Find all rule groups matching the query with optional filter.

  • cs-queryrules

    Find all rule IDs matching the query with filter.

  • cs-queryrules-mixin0

    Finds all rule IDs matching the query with optional filter.

  • cs-queryruletypes

    Get all rule type IDs.

  • cs-refresh-active-stream-session

    Refresh an active event stream. Use the URL shown in a GET /sensors/entities/datafeed/v2 response.

  • cs-regenerateapi-key

    Regenerate API key for docker registry integrations.

  • cs-retrieve-emails-bycid

    List the usernames (usually an email address) for all users in your customer account.

  • cs-retrieve-user

    Get info about a user.

  • cs-retrieve-useruui-ds-bycid

    List user IDs for all users in your customer account. For more information on each user, provide the user ID to `/users/entities/user/v1`.

  • cs-retrieve-useruuid

    Get a user's ID by providing a username (usually an email address).

  • cs-reveal-uninstall-token

    Reveals an uninstall token for a specific device. To retrieve the bulk maintenance token pass the value 'MAINTENANCE' as the value for 'device_id'.

  • cs-revoke-user-role-ids

    Revoke one or more roles from a user.

  • cs-rtr-aggregate-sessions

    Get aggregates on session data.

  • cs-rtr-check-active-responder-command-status

    Get status of an executed active-responder command on a single host.

  • cs-rtr-check-admin-command-status

    Get status of an executed RTR administrator command on a single host.

  • cs-rtr-check-command-status

    Get status of an executed command on a single host.

  • cs-rtr-create-put-files

    Upload a new put-file to use for the RTR `put` command.

  • cs-rtr-create-scripts

    Upload a new custom-script to use for the RTR `runscript` command.

  • cs-rtr-delete-file

    Delete a RTR session file.

  • cs-rtr-delete-put-files

    Delete a put-file based on the ID given. Can only delete one file at a time.

  • cs-rtr-delete-queued-session

    Delete a queued session command.

  • cs-rtr-delete-scripts

    Delete a custom-script based on the ID given. Can only delete one script at a time.

  • cs-rtr-delete-session

    Delete a session.

  • cs-rtr-execute-active-responder-command

    Execute an active responder command on a single host.

  • cs-rtr-execute-admin-command

    Execute a RTR administrator command on a single host.

  • cs-rtr-execute-command

    Execute a command on a single host.

  • cs-rtr-get-extracted-file-contents

    Get RTR extracted file contents for specified session and sha256.

  • cs-rtr-get-put-files

    Get put-files based on the ID's given. These are used for the RTR `put` command.

  • cs-rtr-get-scripts

    Get custom-scripts based on the ID's given. These are used for the RTR `runscript` command.

  • cs-rtr-init-session

    Initialize a new session with the RTR cloud.

  • cs-rtr-list-all-sessions

    Get a list of session_ids.

  • cs-rtr-list-files

    Get a list of files for the specified RTR session.

  • cs-rtr-list-put-files

    Get a list of put-file ID's that are available to the user for the `put` command.

  • cs-rtr-list-queued-sessions

    Get queued session metadata by session ID.

  • cs-rtr-list-scripts

    Get a list of custom-script ID's that are available to the user for the `runscript` command.

  • cs-rtr-list-sessions

    Get session metadata by session id.

  • cs-rtr-pulse-session

    Refresh a session timeout on a single host.

  • cs-rtr-update-scripts

    Upload a new scripts to replace an existing one.

  • cs-scan-samples

    Submit a volume of files for ml scanning. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute.

  • cs-set-device-control-policies-precedence

    Sets the precedence of Device Control Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.

  • cs-set-firewall-policies-precedence

    Sets the precedence of Firewall Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.

  • cs-set-prevention-policies-precedence

    Sets the precedence of Prevention Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.

  • cs-set-sensor-update-policies-precedence

    Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.

  • cs-setrt-response-policies-precedence

    Sets the precedence of Response Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.

  • cs-submit

    Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.

  • cs-tokenscreate

    Creates a token.

  • cs-tokensdelete

    Deletes a token immediately. To revoke a token, use PATCH /installation-tokens/entities/tokens/v1 instead.

  • cs-tokensquery

    Search for tokens by providing an FQL filter and paging details.

  • cs-tokensread

    Gets the details of one or more tokens by id.

  • cs-tokensupdate

    Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore.

  • cs-trigger-scan

    Triggers a dry run or a full scan of a customer's kubernetes footprint.

  • cs-update-actionv1

    Update an action for a monitoring rule.

  • cs-update-detects-by-idsv2

    Modify the state, assignee, and visibility of detections.

  • cs-update-device-control-policies

    Update Device Control Policies by specifying the ID of the policy and details to update.

  • cs-update-device-tags

    Append or remove one or more Falcon Grouping Tags on one or more hosts.

  • cs-update-firewall-policies

    Update Firewall Policies by specifying the ID of the policy and details to update.

  • cs-update-host-groups

    Update Host Groups by specifying the ID of the group and details to update.

  • cs-update-notificationsv1

    Update notification status or assignee. Accepts bulk requests.

  • cs-update-prevention-policies

    Update Prevention Policies by specifying the ID of the policy and details to update.

  • cs-update-rulesv1

    Update monitoring rules.

  • cs-update-sensor-update-policies

    Update Sensor Update Policies by specifying the ID of the policy and details to update.

  • cs-update-sensor-update-policiesv2

    Update Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection.

  • cs-update-sensor-visibility-exclusionsv1

    Update the sensor visibility exclusions.

  • cs-update-user

    Modify an existing user's first or last name.

  • cs-update-user-groups

    Update existing User Group(s). User Group ID is expected for each User Group definition provided in request body. User Group member(s) remain unaffected.

  • cs-updateaws-account

    Updates the AWS account per the query meters provided.

  • cs-updateaws-accounts

    Update AWS Accounts by specifying the ID of the account and details to update.

  • cs-updatecid-groups

    Update existing CID Group(s). CID Group ID is expected for each CID Group definition provided in request body. CID Group member(s) remain unaffected.

  • cs-updatecspm-azure-tenant-default-subscriptionid

    Update an Azure default subscription_id in our system for given tenant_id.

  • cs-updatecspm-policy-settings

    Updates a policy setting - can be used to override policy severity or to disable a policy entirely.

  • cs-updatecspm-scan-schedule

    Updates scan schedule configuration for one or more cloud platforms.

  • cs-updateioa-exclusionsv1

    Update the IOA exclusions.

  • cs-updateioc

    DEPRECATED Use the new IOC Management endpoint (PATCH /iocs/entities/indicators/v1). Update an IOC by providing a type and value.

  • cs-updateml-exclusionsv1

    Update the ML exclusions.

  • cs-updatepolicycontainer

    Update an identified policy container.

  • cs-updatert-response-policies

    Update Response Policies by specifying the ID of the policy and details to update.

  • cs-updaterulegroup

    Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules.

  • cs-updaterulegroup-mixin0

    Update a rule group. The following properties can be modified: name, description, enabled.

  • cs-updaterules

    Update rules within a rule group. Return the updated rules.

  • cs-upload-samplev2

    Upload a file for sandbox analysis. After uploading, use `/falconx/entities/submissions/v1` to start analyzing the file.

  • cs-upload-samplev3

    Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint.

  • cs-validate

    Validates field values and checks for matches if a test string is provided.

  • cs-verifyaws-account-access

    Performs an Access Verification check on the specified AWS Account IDs.