CrowdStrike OpenAPI
Use the CrowdStrike OpenAPI integration to interact with CrowdStrike APIs that do not have dedicated integrations in Cortex XSOAR, for example, CrowdStrike FalconX, etc.
Endpoint · CrowdStrike OpenAPI
Configuration parameters
server_url— Cloud Base URL (required)credentials— Client ID (required)timeout— The amount of time (in seconds) that a request will wait for a client to establish a connection to a remote machine before a timeout occurs.proxy— Use system proxy settingsinsecure— Trust any certificate (not secure)
Commands (365)
-
cs-add-roleAssign new MSSP Role(s) between User Group and CID Group. It does not revoke existing role(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request.
-
cs-add-user-group-membersAdd new User Group member. Maximum 500 members allowed per User Group.
-
cs-addcid-group-membersAdd new CID Group member.
-
cs-aggregate-allow-listRetrieve aggregate allowlist ticket values based on the matched filter.
-
cs-aggregate-block-listRetrieve aggregate block list ticket values based on the matched filter.
-
cs-aggregate-detectionsRetrieve aggregate detection values based on the matched filter.
-
cs-aggregate-device-count-collectionRetrieve aggregate host/devices count based on the matched filter.
-
cs-aggregate-escalationsRetrieve aggregate escalation ticket values based on the matched filter.
-
cs-aggregate-notificationsv1Get notification aggregates as specified via JSON in request body.
-
cs-aggregate-remediationsRetrieve aggregate remediation ticket values based on the matched filter.
-
cs-aggregateeventsAggregate events for customer.
-
cs-aggregatefc-incidentsRetrieve aggregate incident values based on the matched filter.
-
cs-aggregatepolicyrulesAggregate rules within a policy for customer.
-
cs-aggregaterulegroupsAggregate rule groups for customer.
-
cs-aggregaterulesAggregate rules for customer.
-
cs-aggregates-detections-global-countsGet the total number of detections pushed across all customers.
-
cs-aggregates-eventsGet aggregate OverWatch detection event info by providing an aggregate query.
-
cs-aggregates-events-collectionsGet OverWatch detection event collection info by providing an aggregate query.
-
cs-aggregates-incidents-global-countsGet the total number of incidents pushed across all customers.
-
cs-aggregatesow-events-global-countsGet the total number of OverWatch events across all customers.
-
cs-apipreemptproxypostgraphqlIdentity Protection GraphQL API. Allows to retrieve entities, timeline activities, identity-based incidents and security assessment. Allows to perform actions on entities and identity-based incidents.
-
cs-auditeventsquerySearch for audit events by providing an FQL filter and paging details.
-
cs-auditeventsreadGets the details of one or more audit events by id.
-
cs-batch-active-responder-cmdBatch executes a RTR active-responder command across the hosts mapped to the given batch ID.
-
cs-batch-admin-cmdBatch executes a RTR administrator command across the hosts mapped to the given batch ID.
-
cs-batch-cmdBatch executes a RTR read-only command across the hosts mapped to the given batch ID.
-
cs-batch-get-cmdBatch executes `get` command across hosts to retrieve files. After this call is made `GET /real-time-response/combined/batch-get-command/v1` is used to query for the results.
-
cs-batch-get-cmd-statusRetrieves the status of the specified batch get command. Will return successful files when they are finished processing.
-
cs-batch-init-sessionsBatch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host.
-
cs-batch-refresh-sessionsBatch refresh a RTR session on multiple hosts. RTR sessions will expire after 10 minutes unless refreshed.
-
cs-create-actionsv1Create actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule.
-
cs-create-device-control-policiesCreate Device Control Policies by specifying details about the policy to create.
-
cs-create-firewall-policiesCreate Firewall Policies by specifying details about the policy to create.
-
cs-create-host-groupsCreate Host Groups by specifying details about the group to create.
-
cs-create-or-updateaws-settingsCreate or update Global Settings which are applicable to all provisioned AWS accounts.
-
cs-create-prevention-policiesCreate Prevention Policies by specifying details about the policy to create.
-
cs-create-rulesv1Create monitoring rules.
-
cs-create-sensor-update-policiesCreate Sensor Update Policies by specifying details about the policy to create.
-
cs-create-sensor-update-policiesv2Create Sensor Update Policies by specifying details about the policy to create with additional support for uninstall protection.
-
cs-create-userCreate a new user. After creating a user, assign one or more roles with POST /user-roles/entities/user-roles/v1.
-
cs-create-user-groupsCreate new User Group(s). Maximum 500 User Group(s) allowed per customer.
-
cs-createaws-accountCreates a new AWS account in our system for a customer and generates the installation script.
-
cs-createcid-groupsCreate new CID Group(s). Maximum 500 CID Group(s) allowed.
-
cs-createcspm-aws-accountCreates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access.
-
cs-createcspmgcp-accountCreates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access.
-
cs-createml-exclusionsv1Create the ML exclusions.
-
cs-creatert-response-policiesCreate Response Policies by specifying details about the policy to create.
-
cs-createruleCreate a rule within a rule group. Returns the rule.
-
cs-createrulegroupCreate new rule group on a platform for a customer with a name and description, and return the ID.
-
cs-createrulegroup-mixin0Create a rule group for a platform with a name and an optional description. Returns the rule group.
-
cs-createsv-exclusionsv1Create the sensor visibility exclusions.
-
cs-crowd-scoreQuery environment wide CrowdScore and return the entity data.
-
cs-customersettingsreadCheck current installation token settings.
-
cs-delete-actionv1Delete an action from a monitoring rule based on the action ID.
-
cs-delete-device-control-policiesDelete a set of Device Control Policies by specifying their IDs.
-
cs-delete-firewall-policiesDelete a set of Firewall Policies by specifying their IDs.
-
cs-delete-host-groupsDelete a set of Host Groups by specifying their IDs.
-
cs-delete-notificationsv1Delete notifications based on IDs. Notifications cannot be recovered after they are deleted.
-
cs-delete-prevention-policiesDelete a set of Prevention Policies by specifying their IDs.
-
cs-delete-reportDelete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint.
-
cs-delete-rulesv1Delete monitoring rules.
-
cs-delete-samplev2Removes a sample, including file, meta and submissions from the collection.
-
cs-delete-samplev3Removes a sample, including file, meta and submissions from the collection.
-
cs-delete-sensor-update-policiesDelete a set of Sensor Update Policies by specifying their IDs.
-
cs-delete-sensor-visibility-exclusionsv1Delete the sensor visibility exclusions by id.
-
cs-delete-userDelete a user permanently.
-
cs-delete-user-group-membersDelete User Group members entry.
-
cs-delete-user-groupsDelete User Group(s) by ID(s).
-
cs-deleteaws-accountsDelete a set of AWS Accounts by specifying their IDs.
-
cs-deleteaws-accounts-mixin0Delete AWS accounts.
-
cs-deletecid-group-membersDelete CID Group members entry.
-
cs-deletecid-groupsDelete CID Group(s) by ID(s).
-
cs-deletecspm-aws-accountDeletes an existing AWS account or organization in our system.
-
cs-deletecspm-azure-accountDeletes an Azure subscription from the system.
-
cs-deleted-rolesDelete MSSP Role assignment(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request. Only specified roles are removed if specified in request payload, else association between User Group and CID Group is dissolved completely (if no roles specified).
-
cs-deleteioa-exclusionsv1Delete the IOA exclusions by id.
-
cs-deleteml-exclusionsv1Delete the ML exclusions by id.
-
cs-deletert-response-policiesDelete a set of Response Policies by specifying their IDs.
-
cs-deleterulegroupsDelete rule group entities by ID.
-
cs-deleterulegroups-mixin0Delete rule groups by ID.
-
cs-deleterulesDelete rules from a rule group by ID.
-
cs-devices-countNumber of hosts in your customer account that have observed a given custom IOC.
-
cs-devices-ran-onFind hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v2.
-
cs-download-sensor-installer-by-idDownload sensor installer by SHA256 ID.
-
cs-entitiesprocessesFor the provided ProcessID retrieve the process details.
-
cs-get-actionsv1Get actions based on their IDs. IDs can be retrieved using the GET /queries/actions/v1 endpoint.
-
cs-get-aggregate-detectsGet detect aggregates as specified via json in request body.
-
cs-get-artifactsDownload IOC packs, PCAP files, and other analysis artifacts.
-
cs-get-assessmentv1Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID) and a customer ID (CID).
-
cs-get-available-role-idsShow role IDs for all roles available in your customer account. For more information on each role, provide the role ID to `/customer/entities/roles/v1`.
-
cs-get-behaviorsGet details on behaviors by providing behavior IDs.
-
cs-get-childrenGet link to child customer by child CID(s).
-
cs-get-cloudconnectazure-entities-account-v1Return information about Azure account registration.
-
cs-get-cloudconnectazure-entities-userscriptsdownload-v1Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment.
-
cs-get-cloudconnectcspmazure-entities-account-v1Return information about Azure account registration.
-
cs-get-cloudconnectcspmazure-entities-userscriptsdownload-v1Return a script for customer to run in their cloud environment to grant us access to their Azure environment as a downloadable attachment.
-
cs-get-clustersProvides the clusters acknowledged by the Kubernetes Protection service.
-
cs-get-combined-sensor-installers-by-queryGet sensor installer details by provided query.
-
cs-get-detect-summariesView information about detections.
-
cs-get-device-control-policiesRetrieve a set of Device Control Policies by specifying their IDs.
-
cs-get-device-count-collection-queries-by-filterRetrieve device count collection Ids that match the provided FQL filter, criteria with scrolling enabled.
-
cs-get-device-detailsGet details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API.
-
cs-get-device-login-historyRetrieve details about recent login sessions for a set of devices.
-
cs-get-device-network-historyRetrieve history of IP and MAC addresses of devices.
-
cs-get-firewall-policiesRetrieve a set of Firewall Policies by specifying their IDs.
-
cs-get-helm-values-yamlProvides a sample Helm values.yaml file for a customer to install alongside the agent Helm chart.
-
cs-get-host-groupsRetrieve a set of Host Groups by specifying their IDs.
-
cs-get-incidentsGet details on incidents by providing incident IDs.
-
cs-get-intel-actor-entitiesRetrieve specific actors using their actor IDs.
-
cs-get-intel-indicator-entitiesRetrieve specific indicators using their indicator IDs.
-
cs-get-intel-report-entitiesRetrieve specific reports using their report IDs.
-
cs-get-intel-reportpdfReturn a Report PDF attachment.
-
cs-get-intel-rule-entitiesRetrieve details for rule sets for the specified ids.
-
cs-get-intel-rule-fileDownload earlier rule sets.
-
cs-get-latest-intel-rule-fileDownload the latest rule set.
-
cs-get-locationsProvides the cloud locations acknowledged by the Kubernetes Protection service.
-
cs-get-mal-query-downloadv1Download a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time.
-
cs-get-mal-query-entities-samples-fetchv1Fetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing.
-
cs-get-mal-query-metadatav1Retrieve indexed files metadata by their hash.
-
cs-get-mal-query-quotasv1Get information about search and download quotas in your environment.
-
cs-get-mal-query-requestv1Check the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time.
-
cs-get-notifications-detailed-translatedv1Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.This endpoint will return translated notification content. The only target language available is English. A single notification can be translated per request.
-
cs-get-notifications-detailedv1Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.
-
cs-get-notifications-translatedv1Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. This endpoint will return translated notification content. The only target language available is English.
-
cs-get-notificationsv1Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint.
-
cs-get-prevention-policiesRetrieve a set of Prevention Policies by specifying their IDs.
-
cs-get-reportsGet a full sandbox report.
-
cs-get-rolesGet info about a role.
-
cs-get-roles-byidGet MSSP Role assignment(s). MSSP Role assignment is of the format :.
-
cs-get-rulesv1Get monitoring rules rules by provided IDs.
-
cs-get-samplev2Retrieves the file associated with the given ID (SHA256).
-
cs-get-samplev3Retrieves the file associated with the given ID (SHA256).
-
cs-get-scansCheck the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute.
-
cs-get-scans-aggregatesGet scans aggregations as specified via json in request body.
-
cs-get-sensor-installers-by-queryGet sensor installer IDs by provided query.
-
cs-get-sensor-installers-entitiesGet sensor installer details by provided SHA256 IDs.
-
cs-get-sensor-installersccid-by-queryGet CCID to use with sensor installers.
-
cs-get-sensor-update-policiesRetrieve a set of Sensor Update Policies by specifying their IDs.
-
cs-get-sensor-update-policiesv2Retrieve a set of Sensor Update Policies with additional support for uninstall protection by specifying their IDs.
-
cs-get-sensor-visibility-exclusionsv1Get a set of Sensor Visibility Exclusions by specifying their IDs.
-
cs-get-submissionsCheck the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
-
cs-get-summary-reportsGet a short summary version of a sandbox report.
-
cs-get-user-group-members-byidGet User Group members by User Group ID(s).
-
cs-get-user-groups-byidGet User Group by ID(s).
-
cs-get-user-role-idsShow role IDs of roles assigned to a user. For more information on each role, provide the role ID to `/customer/entities/roles/v1`.
-
cs-get-vulnerabilitiesGet details on vulnerabilities by providing one or more IDs.
-
cs-getaws-accountsRetrieve a set of AWS Accounts by specifying their IDs.
-
cs-getaws-accounts-mixin0Provides a list of AWS accounts.
-
cs-getaws-settingsRetrieve a set of Global Settings which are applicable to all provisioned AWS accounts.
-
cs-getcid-group-by-idGet CID Group(s) by ID(s).
-
cs-getcid-group-members-byGet CID Group members by CID Group IDs.
-
cs-getcspm-aws-accountReturns information about the current status of an AWS account.
-
cs-getcspm-aws-account-scripts-attachmentReturn a script for customer to run in their cloud environment to grant us access to their AWS environment as a downloadable attachment.
-
cs-getcspm-aws-console-setupur-lsReturn a URL for customer to visit in their cloud environment to grant us access to their AWS environment.
-
cs-getcspm-azure-user-scriptsReturn a script for customer to run in their cloud environment to grant us access to their Azure environment.
-
cs-getcspm-policyGiven a policy ID, returns detailed policy information.
-
cs-getcspm-policy-settingsReturns information about current policy settings.
-
cs-getcspm-scan-scheduleReturns scan schedule configuration for one or more cloud platforms.
-
cs-getcspmcgp-accountReturns information about the current status of an GCP account.
-
cs-getcspmgcp-user-scriptsReturn a script for customer to run in their cloud environment to grant us access to their GCP environment.
-
cs-getcspmgcp-user-scripts-attachmentReturn a script for customer to run in their cloud environment to grant us access to their GCP environment as a downloadable attachment.
-
cs-geteventsGet events entities by ID and optionally version.
-
cs-getfirewallfieldsGet the firewall field specifications by ID.
-
cs-getioa-eventsFor CSPM IOA events, gets list of IOA events.
-
cs-getioa-exclusionsv1Get a set of IOA Exclusions by specifying their IDs.
-
cs-getioa-usersFor CSPM IOA users, gets list of IOA users.
-
cs-getiocDEPRECATED Use the new IOC Management endpoint (GET /iocs/entities/indicators/v1). Get an IOC by providing a type and value.
-
cs-getml-exclusionsv1Get a set of ML Exclusions by specifying their IDs.
-
cs-getpatternsGet pattern severities by ID.
-
cs-getplatformsGet platforms by ID, e.g., windows or mac or droid.
-
cs-getplatforms-mixin0Get platforms by ID.
-
cs-getpolicycontainersGet policy container entities by policy ID.
-
cs-getrt-response-policiesRetrieve a set of Response Policies by specifying their IDs.
-
cs-getrulegroupsGet rule group entities by ID. These groups do not contain their rule entites, just the rule IDs in precedence order.
-
cs-getrulegroups-mixin0Get rule groups by ID.
-
cs-getrulesGet rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string).
-
cs-getrules-mixin0Get rules by ID and optionally version in the following format: `ID[:version]`. The max number of IDs is constrained by URL size.
-
cs-getrulesgetGet rules by ID and optionally version in the following format: `ID[:version]`.
-
cs-getruletypesGet rule types by ID.
-
cs-grant-user-role-idsAssign one or more roles to a user.
-
cs-indicatorcombinedv1Get Combined for Indicators.
-
cs-indicatorcreatev1Create Indicators.
-
cs-indicatordeletev1Delete Indicators by ids.
-
cs-indicatorgetv1Get Indicators by ids.
-
cs-indicatorsearchv1Search for Indicators.
-
cs-indicatorupdatev1Update Indicators.
-
cs-list-available-streamso-auth2Discover all event streams in your environment.
-
cs-oauth2-access-tokenGenerate an OAuth2 access token.
-
cs-oauth2-revoke-tokenRevoke a previously issued OAuth2 access token before the end of its standard 30-minute life .
-
cs-patch-cloudconnectazure-entities-clientid-v1Update an Azure service account in our system by with the user-created client_id created with the public key we've provided.
-
cs-patch-cloudconnectcspmazure-entities-clientid-v1Update an Azure service account in our system by with the user-created client_id created with the public key we've provided.
-
cs-patchcspm-aws-accountPatches a existing account in our system for a customer.
-
cs-perform-actionv2Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host.
-
cs-perform-device-control-policies-actionPerform the specified action on the Device Control Policies specified in the request.
-
cs-perform-firewall-policies-actionPerform the specified action on the Firewall Policies specified in the request.
-
cs-perform-group-actionPerform the specified action on the Host Groups specified in the request.
-
cs-perform-incident-actionPerform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description.
-
cs-perform-prevention-policies-actionPerform the specified action on the Prevention Policies specified in the request.
-
cs-perform-sensor-update-policies-actionPerform the specified action on the Sensor Update Policies specified in the request.
-
cs-performrt-response-policies-actionPerform the specified action on the Response Policies specified in the request.
-
cs-post-cloudconnectazure-entities-account-v1Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.
-
cs-post-cloudconnectcspmazure-entities-account-v1Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.
-
cs-post-mal-query-entities-samples-multidownloadv1Schedule samples for download. Use the result id with the /request endpoint to check if the download is ready after which you can call the /entities/samples-fetch to get the zip.
-
cs-post-mal-query-exact-searchv1Search Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. You can filter results on criteria such as file type, file size and first seen date. Returns a request id which can be used with the /request endpoint.
-
cs-post-mal-query-fuzzy-searchv1Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity.
-
cs-post-mal-query-huntv1Schedule a YARA-based search for execution. Returns a request id which can be used with the /request endpoint.
-
cs-preview-rulev1Preview rules notification count and distribution. This will return aggregations on: channel, count, site.
-
cs-processes-ran-onSearch for processes associated with a custom IOC.
-
cs-provisionaws-accountsProvision AWS Accounts by specifying details about the accounts to provision.
-
cs-query-actionsv1Query actions based on provided criteria. Use the IDs from this response to get the action entities on GET /entities/actions/v1.
-
cs-query-allow-list-filterRetrieve allowlist tickets that match the provided filter criteria with scrolling enabled.
-
cs-query-behaviorsSearch for behaviors by providing an FQL filter, sorting, and paging details.
-
cs-query-block-list-filterRetrieve block listtickets that match the provided filter criteria with scrolling enabled.
-
cs-query-childrenQuery for customers linked as children.
-
cs-query-combined-device-control-policiesSearch for Device Control Policies in your environment by providing an FQL filter and paging details. Returns a set of Device Control Policies which match the filter criteria.
-
cs-query-combined-device-control-policy-membersSearch for members of a Device Control Policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.
-
cs-query-combined-firewall-policiesSearch for Firewall Policies in your environment by providing an FQL filter and paging details. Returns a set of Firewall Policies which match the filter criteria.
-
cs-query-combined-firewall-policy-membersSearch for members of a Firewall Policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.
-
cs-query-combined-group-membersSearch for members of a Host Group in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.
-
cs-query-combined-host-groupsSearch for Host Groups in your environment by providing an FQL filter and paging details. Returns a set of Host Groups which match the filter criteria.
-
cs-query-combined-prevention-policiesSearch for Prevention Policies in your environment by providing an FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria.
-
cs-query-combined-prevention-policy-membersSearch for members of a Prevention Policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.
-
cs-query-combined-sensor-update-buildsRetrieve available builds for use with Sensor Update Policies.
-
cs-query-combined-sensor-update-policiesSearch for Sensor Update Policies in your environment by providing an FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria.
-
cs-query-combined-sensor-update-policiesv2Search for Sensor Update Policies with additional support for uninstall protection in your environment by providing an FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria.
-
cs-query-combined-sensor-update-policy-membersSearch for members of a Sensor Update Policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.
-
cs-query-combinedrt-response-policiesSearch for Response Policies in your environment by providing an FQL filter and paging details. Returns a set of Response Policies which match the filter criteria.
-
cs-query-combinedrt-response-policy-membersSearch for members of a Response policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.
-
cs-query-detection-ids-by-filterRetrieve DetectionsIds that match the provided FQL filter, criteria with scrolling enabled.
-
cs-query-detectsSearch for detection IDs that match a given query.
-
cs-query-device-control-policiesSearch for Device Control Policies in your environment by providing an FQL filter and paging details. Returns a set of Device Control Policy IDs which match the filter criteria.
-
cs-query-device-control-policy-membersSearch for members of a Device Control Policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.
-
cs-query-devices-by-filterSearch for hosts in your environment by platform, hostname, IP, and other criteria.
-
cs-query-devices-by-filter-scrollSearch for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit).
-
cs-query-escalations-filterRetrieve escalation tickets that match the provided filter criteria with scrolling enabled.
-
cs-query-firewall-policiesSearch for Firewall Policies in your environment by providing an FQL filter and paging details. Returns a set of Firewall Policy IDs which match the filter criteria.
-
cs-query-firewall-policy-membersSearch for members of a Firewall Policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.
-
cs-query-group-membersSearch for members of a Host Group in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.
-
cs-query-hidden-devicesRetrieve hidden hosts that match the provided filter criteria.
-
cs-query-host-groupsSearch for Host Groups in your environment by providing an FQL filter and paging details. Returns a set of Host Group IDs which match the filter criteria.
-
cs-query-incident-ids-by-filterRetrieve incidents that match the provided filter criteria with scrolling enabled.
-
cs-query-incidentsSearch for incidents by providing an FQL filter, sorting, and paging details.
-
cs-query-intel-actor-entitiesGet info about actors that match provided FQL filters.
-
cs-query-intel-actor-idsGet actor IDs that match provided FQL filters.
-
cs-query-intel-indicator-entitiesGet info about indicators that match provided FQL filters.
-
cs-query-intel-indicator-idsGet indicators IDs that match provided FQL filters.
-
cs-query-intel-report-entitiesGet info about reports that match provided FQL filters.
-
cs-query-intel-report-idsGet report IDs that match provided FQL filters.
-
cs-query-intel-rule-idsSearch for rule IDs that match provided filter criteria.
-
cs-query-notificationsv1Query notifications based on provided criteria. Use the IDs from this response to get the notification entities on GET /entities/notifications/v1 or GET /entities/notifications-detailed/v1.
-
cs-query-prevention-policiesSearch for Prevention Policies in your environment by providing an FQL filter and paging details. Returns a set of Prevention Policy IDs which match the filter criteria.
-
cs-query-prevention-policy-membersSearch for members of a Prevention Policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.
-
cs-query-remediations-filterRetrieve remediation tickets that match the provided filter criteria with scrolling enabled.
-
cs-query-reportsFind sandbox reports by providing an FQL filter and paging details. Returns a set of report IDs that match your criteria.
-
cs-query-rolesQuery MSSP Role assignment. At least one of CID Group ID or User Group ID should also be provided. Role ID is optional.
-
cs-query-rulesv1Query monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on /entities/rules/v1.
-
cs-query-samplev1Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200.
-
cs-query-sensor-update-policiesSearch for Sensor Update Policies in your environment by providing an FQL filter and paging details. Returns a set of Sensor Update Policy IDs which match the filter criteria.
-
cs-query-sensor-update-policy-membersSearch for members of a Sensor Update Policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.
-
cs-query-sensor-visibility-exclusionsv1Search for sensor visibility exclusions.
-
cs-query-submissionsFind submission IDs for uploaded files by providing an FQL filter and paging details. Returns a set of submission IDs that match your criteria.
-
cs-query-submissions-mixin0Find IDs for submitted scans by providing an FQL filter and paging details. Returns a set of volume IDs that match your criteria.
-
cs-query-user-group-membersQuery User Group member by User UUID.
-
cs-query-user-groupsQuery User Groups.
-
cs-query-vulnerabilitiesSearch for Vulnerabilities in your environment by providing an FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria.
-
cs-queryaws-accountsSearch for provisioned AWS Accounts by providing an FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria.
-
cs-queryaws-accounts-fori-dsSearch for provisioned AWS Accounts by providing an FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria.
-
cs-querycid-group-membersQuery a CID Groups members by associated CID.
-
cs-querycid-groupsQuery CID Groups.
-
cs-queryeventsFind all event IDs matching the query with filter.
-
cs-queryfirewallfieldsGet the firewall field specification IDs for the provided platform.
-
cs-queryio-csDEPRECATED Use the new IOC Management endpoint (GET /iocs/queries/indicators/v1). Search the custom IOCs in your customer account.
-
cs-queryioa-exclusionsv1Search for IOA exclusions.
-
cs-queryml-exclusionsv1Search for ML exclusions.
-
cs-querypatternsGet all pattern severity IDs.
-
cs-queryplatformsGet the list of platform names.
-
cs-queryplatforms-mixin0Get all platform IDs.
-
cs-querypolicyrulesFind all firewall rule IDs matching the query with filter, and return them in precedence order.
-
cs-queryrt-response-policiesSearch for Response Policies in your environment by providing an FQL filter with sort and/or paging details. This returns a set of Response Policy IDs that match the given criteria.
-
cs-queryrt-response-policy-membersSearch for members of a Response policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.
-
cs-queryrulegroupsFind all rule group IDs matching the query with filter.
-
cs-queryrulegroups-mixin0Finds all rule group IDs matching the query with optional filter.
-
cs-queryrulegroupsfullFind all rule groups matching the query with optional filter.
-
cs-queryrulesFind all rule IDs matching the query with filter.
-
cs-queryrules-mixin0Finds all rule IDs matching the query with optional filter.
-
cs-queryruletypesGet all rule type IDs.
-
cs-refresh-active-stream-sessionRefresh an active event stream. Use the URL shown in a GET /sensors/entities/datafeed/v2 response.
-
cs-regenerateapi-keyRegenerate API key for docker registry integrations.
-
cs-retrieve-emails-bycidList the usernames (usually an email address) for all users in your customer account.
-
cs-retrieve-userGet info about a user.
-
cs-retrieve-useruui-ds-bycidList user IDs for all users in your customer account. For more information on each user, provide the user ID to `/users/entities/user/v1`.
-
cs-retrieve-useruuidGet a user's ID by providing a username (usually an email address).
-
cs-reveal-uninstall-tokenReveals an uninstall token for a specific device. To retrieve the bulk maintenance token pass the value 'MAINTENANCE' as the value for 'device_id'.
-
cs-revoke-user-role-idsRevoke one or more roles from a user.
-
cs-rtr-aggregate-sessionsGet aggregates on session data.
-
cs-rtr-check-active-responder-command-statusGet status of an executed active-responder command on a single host.
-
cs-rtr-check-admin-command-statusGet status of an executed RTR administrator command on a single host.
-
cs-rtr-check-command-statusGet status of an executed command on a single host.
-
cs-rtr-create-put-filesUpload a new put-file to use for the RTR `put` command.
-
cs-rtr-create-scriptsUpload a new custom-script to use for the RTR `runscript` command.
-
cs-rtr-delete-fileDelete a RTR session file.
-
cs-rtr-delete-put-filesDelete a put-file based on the ID given. Can only delete one file at a time.
-
cs-rtr-delete-queued-sessionDelete a queued session command.
-
cs-rtr-delete-scriptsDelete a custom-script based on the ID given. Can only delete one script at a time.
-
cs-rtr-delete-sessionDelete a session.
-
cs-rtr-execute-active-responder-commandExecute an active responder command on a single host.
-
cs-rtr-execute-admin-commandExecute a RTR administrator command on a single host.
-
cs-rtr-execute-commandExecute a command on a single host.
-
cs-rtr-get-extracted-file-contentsGet RTR extracted file contents for specified session and sha256.
-
cs-rtr-get-put-filesGet put-files based on the ID's given. These are used for the RTR `put` command.
-
cs-rtr-get-scriptsGet custom-scripts based on the ID's given. These are used for the RTR `runscript` command.
-
cs-rtr-init-sessionInitialize a new session with the RTR cloud.
-
cs-rtr-list-all-sessionsGet a list of session_ids.
-
cs-rtr-list-filesGet a list of files for the specified RTR session.
-
cs-rtr-list-put-filesGet a list of put-file ID's that are available to the user for the `put` command.
-
cs-rtr-list-queued-sessionsGet queued session metadata by session ID.
-
cs-rtr-list-scriptsGet a list of custom-script ID's that are available to the user for the `runscript` command.
-
cs-rtr-list-sessionsGet session metadata by session id.
-
cs-rtr-pulse-sessionRefresh a session timeout on a single host.
-
cs-rtr-update-scriptsUpload a new scripts to replace an existing one.
-
cs-scan-samplesSubmit a volume of files for ml scanning. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute.
-
cs-set-device-control-policies-precedenceSets the precedence of Device Control Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.
-
cs-set-firewall-policies-precedenceSets the precedence of Firewall Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.
-
cs-set-prevention-policies-precedenceSets the precedence of Prevention Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.
-
cs-set-sensor-update-policies-precedenceSets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.
-
cs-setrt-response-policies-precedenceSets the precedence of Response Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.
-
cs-submitSubmit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
-
cs-tokenscreateCreates a token.
-
cs-tokensdeleteDeletes a token immediately. To revoke a token, use PATCH /installation-tokens/entities/tokens/v1 instead.
-
cs-tokensquerySearch for tokens by providing an FQL filter and paging details.
-
cs-tokensreadGets the details of one or more tokens by id.
-
cs-tokensupdateUpdates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore.
-
cs-trigger-scanTriggers a dry run or a full scan of a customer's kubernetes footprint.
-
cs-update-actionv1Update an action for a monitoring rule.
-
cs-update-detects-by-idsv2Modify the state, assignee, and visibility of detections.
-
cs-update-device-control-policiesUpdate Device Control Policies by specifying the ID of the policy and details to update.
-
cs-update-device-tagsAppend or remove one or more Falcon Grouping Tags on one or more hosts.
-
cs-update-firewall-policiesUpdate Firewall Policies by specifying the ID of the policy and details to update.
-
cs-update-host-groupsUpdate Host Groups by specifying the ID of the group and details to update.
-
cs-update-notificationsv1Update notification status or assignee. Accepts bulk requests.
-
cs-update-prevention-policiesUpdate Prevention Policies by specifying the ID of the policy and details to update.
-
cs-update-rulesv1Update monitoring rules.
-
cs-update-sensor-update-policiesUpdate Sensor Update Policies by specifying the ID of the policy and details to update.
-
cs-update-sensor-update-policiesv2Update Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection.
-
cs-update-sensor-visibility-exclusionsv1Update the sensor visibility exclusions.
-
cs-update-userModify an existing user's first or last name.
-
cs-update-user-groupsUpdate existing User Group(s). User Group ID is expected for each User Group definition provided in request body. User Group member(s) remain unaffected.
-
cs-updateaws-accountUpdates the AWS account per the query meters provided.
-
cs-updateaws-accountsUpdate AWS Accounts by specifying the ID of the account and details to update.
-
cs-updatecid-groupsUpdate existing CID Group(s). CID Group ID is expected for each CID Group definition provided in request body. CID Group member(s) remain unaffected.
-
cs-updatecspm-azure-tenant-default-subscriptionidUpdate an Azure default subscription_id in our system for given tenant_id.
-
cs-updatecspm-policy-settingsUpdates a policy setting - can be used to override policy severity or to disable a policy entirely.
-
cs-updatecspm-scan-scheduleUpdates scan schedule configuration for one or more cloud platforms.
-
cs-updateioa-exclusionsv1Update the IOA exclusions.
-
cs-updateiocDEPRECATED Use the new IOC Management endpoint (PATCH /iocs/entities/indicators/v1). Update an IOC by providing a type and value.
-
cs-updateml-exclusionsv1Update the ML exclusions.
-
cs-updatepolicycontainerUpdate an identified policy container.
-
cs-updatert-response-policiesUpdate Response Policies by specifying the ID of the policy and details to update.
-
cs-updaterulegroupUpdate name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules.
-
cs-updaterulegroup-mixin0Update a rule group. The following properties can be modified: name, description, enabled.
-
cs-updaterulesUpdate rules within a rule group. Return the updated rules.
-
cs-upload-samplev2Upload a file for sandbox analysis. After uploading, use `/falconx/entities/submissions/v1` to start analyzing the file.
-
cs-upload-samplev3Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint.
-
cs-validateValidates field values and checks for matches if a test string is provided.
-
cs-verifyaws-account-accessPerforms an Access Verification check on the specified AWS Account IDs.