# CrowdStrike Falcon
The CrowdStrike Falcon connector enables automated interactions with the Falcon platform's threat detection, analysis, and response features. CrowdStrike Falcon is a leading endpoint protection platform that leverages advanced threat intelligence and real-time response capabilities to stop breaches. This connector enables Swimlane Turbine users to automate incident response and threat hunting by integrating with CrowdStrike Falcon's comprehensive suite of actions. Users can manage quarantined files, terminate sessions, retrieve detection summaries, execute real-time commands, and much more, all within the Swimlane Turbine platform. This integration empowers security teams to rapidly respond to threats and streamline their security operations.

## Prerequisites

To effectively utilize the CrowdStrike Falcon connector with Swimlane Turbine, ensure you have the following prerequisites:

- OAuth 2.0 client credentials for authentication, with the following parameters:
  - URL: endpoint URL for the CrowdStrike Falcon API
  - Client ID: unique identifier for the OAuth client
  - Client Secret: secret key associated with the OAuth client

## Asset Configuration

Each CrowdStrike cloud has a different base URL. When making requests to the CrowdStrike API, use the base URL that corresponds to the cloud where your integration is hosted:

| Cloud | Base URL |
| --- | --- |
| US-1 | https://api.crowdstrike.com |
| US-2 | https://api.us-2.crowdstrike.com |
| EU-1 | https://api.eu-1.crowdstrike.com |
| US-GOV-1 | https://api.laggar.gcw.crowdstrike.com |
| US-GOV-2 | https://api.us-gov-2.crowdstrike.mil |

## Capabilities

This connector has the following capabilities:

- Detections
  - Get Detections
  - Get Detections Summary
  - Update Detections
- Host
  - Get Host Info
  - Get Host ID
  - Manage Host
  - Search Hosts
- Incidents
  - Get Incidents
  - Perform Incident Action
  - Query Behaviors
- Users
  - Get User IDs by Email
- Indicators
  - Create Indicator
  - Get Indicator
  - Query Host for Indicator
  - Query Indicator
  - Update Indicator
- Reports
  - Search Reports
- Real Time Response (RTR)
  - Cmd Result
  - Admin Cmd Run
  - Get Script
  - Get Uploaded File Info
  - Upload Script
  - Get Script IDs
  - Extracted File Content
  - Delete Session File ID
  - Session File Download
  - List Files
  - Get Session IDs
  - Upload File
  - Refresh, Delete, and Initialize Session
- Falcon Sandbox
  - Get File Analysis
  - Get Reports
  - Query Reports
  - Upload File Analysis
  - Submit File Analysis
- Scan
  - Delete Quarantine File
  - Manage Scans
  - Retrieve Scan by ID
- Scheduled Reports
  - Get Scheduled Reports
  - Launch Scheduled Reports
  - Query Scheduled Reports
- ThreatGraph
  - Vertex Summary
- Custom Action
  - Get Results from Vulnerability Keyword Search (https://falconpy.io/Service-Collections/Spotlight-Vulnerabilities.html)

To filter the vulnerabilities, refer to the example filter below:

```
status:'open'+cve.exploit_status:['90']+cve.exprt_rating:['CRITICAL']
```

## Notes

- Manage Scans action: file path exclusions can be formatted in glob syntax. For more information, see https://falcon.crowdstrike.com/documentation/page/e2e4b1b4/glob-syntax (you must have an account in order to view the documentation).
- https://falcon.crowdstrike.com/support/documentation
- https://www.falconpy.io/Service-Collections/Quarantine.html

## Configurations

### OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Client ID | The client ID | string | required |
| Client Secret | The client secret | string | required |
| Member CID | Member CID for MSSP environment | string | optional |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Delete Quarantine File

Removes quarantined files from endpoints in CrowdStrike Falcon using specified file IDs, action types, and comments.

Endpoint URL: `/quarantine/entities/quarantined-files/v1`
Method: `PATCH`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| comment | string | optional | Comment to list along with action taken |
| ids | array | optional | List of quarantine IDs to update |
| action | string | optional | Action to perform against the quarantined file |

Input example:

```json
{"json_body": {"comment": "string", "ids": ["id1", "id2"], "action": "delete"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Thu, 02 Nov 2023 16:43:41 GMT", "Content-Type": "application/json", "Content-Length": "231", "Connection": "keep-alive", "X-Content-Type-Options": "nosniff", "X-Cs-Traceid": "c346f1ac-873b-4794-b85f-f35b9a6b7884", "X-Ratelimit-Limit": "15", "X-Ratelimit-Remaining": "14", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "reason": "OK", "json_body": {}}
```

### Delete RTR Session

Terminate an existing Real Time Response session in CrowdStrike Falcon with the specified session ID.

Endpoint URL: `/real-time-response/entities/sessions/v1`
Method: `DELETE`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.session_id | string | required | Parameters for the Delete RTR Session action |

Input example:

```json
{"parameters": {"session_id": "5366aad8-86a6-4fa0-948e-010cc525e6bd"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Output example:

```json
{"status_code": 204, "response_headers": {"Server": "nginx", "Date": "Fri, 21 Oct 2022 18:04:36 GMT", "Content-Type": "application/json", "Connection": "keep-alive", "Content-Encoding": "gzip", "X-Cs-Region": "us-1", "X-Cs-Traceid": "6fa00735-ec3f-4ce5-be30-5ba5e94ec8e6", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5995", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "reason": "No Content", "response_text": ""}
```

### Delete RTR Session File

Removes a specified Real Time Response session file from CrowdStrike Falcon using the provided session and file IDs.

Endpoint URL: `/real-time-response/entities/file/v2`
Method: `DELETE`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.session_id | string | required | Parameters for the Delete RTR Session File action |
| parameters.ids | string | required | Parameters for the Delete RTR Session File action |

Input example:

```json
{"parameters": {"session_id": "123qwe", "ids": "rtrsessionfileid"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| data | object | Response data |
| data.errors | array | Response data |
| data.errors.code | number | Response data |
| data.errors.id | string | Response data |
| data.errors.message | string | Response data |
| data.meta | object | Response data |
| data.meta.pagination | object | Response data |
| data.meta.pagination.limit | number | Response data |
| data.meta.pagination.offset | number | Response data |
| data.meta.pagination.total | number | Response data |
| data.meta.powered_by | string | Response data |
| data.meta.query_time | number | Response data |
| data.meta.trace_id | string | Response data |
| data.meta.writes | object | Response data |
| data.meta.writes.resources_affected | number | Response data |
| response_text | string | Output field response_text |
| reason | string | Response reason phrase |

Output example (truncated on the source page):

```json
{"status_code": 204, "response_headers": {"Server": "nginx", "Date": "Fri, 09 Sep 2022 14:47:19 GMT", "Content-Type": "application/json", "Content-Length": "215", "Connection": "keep-alive", "Content-Encoding": "gzip", "X-Cs-Region": "us-1", "X-Cs-Traceid": "b353da90-67d7-49f1-8805-21d76bc45c72", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5999", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "data": {"errors": [{}], "meta": {"pagination": {}, "powered_by": "string", "query_time": 0, "trace_id": "s
```

### Get Detections

Retrieves a list of detection IDs from CrowdStrike Falcon based on specified parameters.

Endpoint URL: `/detects/queries/detects/v1`
Method: `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.filter | string | optional | Parameters for the Get Detections action |
| parameters.offset | number | optional | Parameters for the Get Detections action |
| parameters.limit | number | optional | Parameters for the Get Detections action |
| parameters.sort | string | optional | Parameters for the Get Detections action |
| parameters.q | string | optional | Parameters for the Get Detections action |

Input example:

```json
{"parameters": {"filter": "status:'new'", "offset": 0, "limit": 1, "sort": "first_behavior", "q": "query"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| meta.query_time | number | Time value |
| meta.pagination | object | Output field meta.pagination |
| meta.pagination.offset | number | Output field meta.pagination.offset |
| meta.pagination.limit | number | Output field meta.pagination.limit |
| meta.pagination.total | number | Output field meta.pagination.total |
| meta.powered_by | string | Output field meta.powered_by |
| meta.trace_id | string | Unique identifier |
| resources | array | Output field resources |
| errors | array | Error message if any |
| errors.file_name | string | Name of the resource |
| errors.file | string | Error message if any |

Output example (truncated on the source page):

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Tue, 18 Oct 2022 20:46:37 GMT", "Content-Type": "application/json", "Content-Length": "477", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-Cs-Region": "us-1", "X-Cs-Traceid": "3279d3e5-f9fc-4f43-833b-eab293fa9bbe", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5995"}, "reason": "OK", "json_body": {"meta": {"query_time": 0.00738949,
```

### Get Detection Summaries

Retrieve summaries for specific detections in CrowdStrike Falcon by providing their unique IDs.

Endpoint URL: `/detects/entities/summaries/GET/v1`
Method: `POST`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | optional | Unique identifier |

Input example:

```json
{"json_body": {"ids": ["ldt:20c5964f60d649439068d19e3be19c2e:4295481339", "ldt:4e400866e4d8462a9d1824eb52ca2516:8592791965", "ldt:4e400866e4d8462a9d1824eb52ca2516:8591241167", "ldt:4e400866e4d8462a9d1824eb52ca2516:8590422710", "ldt:4e400866e4d8462a9d1824eb52ca2516:4298085720", "ldt:4e400866e4d8462a9d1824eb52ca2516:4296113139", "ldt:4e400866e4d8462a9d1824eb52ca2516:4295965514", "ldt:766a3015cdcc41b39d24cdf9a1c8afd3:25796649270"]}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| meta.query_time | number | Time value |
| meta.powered_by | string | Output field meta.powered_by |
| meta.trace_id | string | Unique identifier |
| resources | array | Output field resources |
| resources.cid | string | Unique identifier |
| resources.created_timestamp | string | Output field resources.created_timestamp |
| resources.detection_id | string | Unique identifier |
| resources.device | object | Output field resources.device |
| resources.device.device_id | string | Unique identifier |
| resources.device.cid | string | Unique identifier |
| resources.device.agent_load_flags | string | Output field resources.device.agent_load_flags |
| resources.device.agent_local_time | string | Time value |
| resources.device.agent_version | string | Output field resources.device.agent_version |
| resources.device.bios_manufacturer | string | Output field resources.device.bios_manufacturer |
| resources.device.bios_version | string | Output field resources.device.bios_version |
| resources.device.config_id_base | string | Unique identifier |
| resources.device.config_id_build | string | Unique identifier |
| resources.device.config_id_platform | string | Unique identifier |
| resources.device.external_ip | string | Output field resources.device.external_ip |
| resources.device.hostname | string | Name of the resource |
| resources.device.first_seen | string | Output field resources.device.first_seen |
| resources.device.last_seen | string | Output field resources.device.last_seen |

Output example (truncated on the source page):

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Tue, 18 Oct 2022 21:17:15 GMT", "Content-Type": "application/json", "Content-Length": "1919", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-Cs-Region": "us-1", "X-Cs-Traceid": "bbd58ec5-9822-4ed0-bbce-5f5c5b1da5c1", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5995"}, "reason": "OK", "json_body": {"meta": {"query_time": 0.00223369
```
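The following is an added example, not code from the Swimlane connector or from CrowdStrike. It ties together the asset configuration (base URL per cloud), the OAuth 2.0 client-credentials configuration (including the optional Member CID for MSSP environments) and the Get Detections / Get Detection Summaries actions: it pages through `/detects/queries/detects/v1` using `meta.pagination.total` and then posts the collected IDs to `/detects/entities/summaries/GET/v1`. Assumptions: the token endpoint `/oauth2/token` (the standard Falcon token endpoint, not listed on this page), the `FalconClient` and `fake_transport` names, and all sample data, which is constructed so the example runs offline.

```python
"""Added example (not the connector's own code): cloud base URL selection, OAuth 2.0
client-credentials token handling, and the Get Detections -> Get Detection Summaries
workflow with paging. The HTTP transport is injected so the example runs offline."""
import time
from typing import Callable, Optional
from urllib.parse import urlsplit

# Base URL per CrowdStrike cloud, as listed in the connector's asset configuration.
CLOUD_BASE_URLS = {
    "us-1": "https://api.crowdstrike.com",
    "us-2": "https://api.us-2.crowdstrike.com",
    "eu-1": "https://api.eu-1.crowdstrike.com",
    "us-gov-1": "https://api.laggar.gcw.crowdstrike.com",
    "us-gov-2": "https://api.us-gov-2.crowdstrike.mil",
}

# transport(method, url, headers, params, body) -> (status_code, json_body)
Transport = Callable[[str, str, dict, dict, Optional[dict]], tuple]


class FalconClient:  # hypothetical client, not the connector's implementation
    def __init__(self, cloud: str, client_id: str, client_secret: str,
                 transport: Transport, member_cid: Optional[str] = None):
        if cloud not in CLOUD_BASE_URLS:
            raise ValueError(f"unknown CrowdStrike cloud: {cloud}")
        self.base_url = CLOUD_BASE_URLS[cloud]
        self.client_id, self.client_secret = client_id, client_secret
        self.member_cid = member_cid  # MSSP: act on behalf of a member CID
        self.transport = transport
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _authenticate(self) -> None:
        # /oauth2/token is the Falcon token endpoint (assumption: not listed on this page).
        form = {"client_id": self.client_id, "client_secret": self.client_secret}
        if self.member_cid:
            form["member_cid"] = self.member_cid
        status, body = self.transport("POST", self.base_url + "/oauth2/token",
                                      {"Content-Type": "application/x-www-form-urlencoded"}, {}, form)
        if status != 201:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self._token = body["access_token"]
        # Renew a minute early so no request is sent with a token about to expire.
        self._expires_at = time.time() + body["expires_in"] - 60

    def _headers(self) -> dict:
        if self._token is None or time.time() >= self._expires_at:
            self._authenticate()
        return {"Authorization": f"Bearer {self._token}", "Accept": "application/json"}

    def _request(self, method: str, path: str, params=None, body=None) -> dict:
        status, data = self.transport(method, self.base_url + path, self._headers(), params or {}, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed: HTTP {status} {data.get('errors')}")
        return data

    def get_detection_ids(self, fql_filter: str, sort: str = "first_behavior", page_size: int = 100) -> list:
        """Get Detections: walk meta.pagination until every matching ID is collected."""
        ids, offset = [], 0
        while True:
            data = self._request("GET", "/detects/queries/detects/v1",
                                 params={"filter": fql_filter, "offset": offset, "limit": page_size, "sort": sort})
            page = data.get("resources", [])
            ids.extend(page)
            offset += page_size
            if not page or offset >= data["meta"]["pagination"]["total"]:
                return ids

    def get_detection_summaries(self, detection_ids: list, batch: int = 1000) -> list:
        """Get Detection Summaries: POST the IDs in batches and concatenate resources."""
        summaries = []
        for i in range(0, len(detection_ids), batch):
            data = self._request("POST", "/detects/entities/summaries/GET/v1",
                                 body={"ids": detection_ids[i:i + batch]})
            summaries.extend(data.get("resources", []))
        return summaries


# Constructed sample detections; the IDs are taken from the page's input example.
CONSTRUCTED_DETECTIONS = [
    {"detection_id": "ldt:20c5964f60d649439068d19e3be19c2e:4295481339",
     "created_timestamp": "2022-10-18T20:01:00Z", "device": {"hostname": "constructed-host-1"}},
    {"detection_id": "ldt:4e400866e4d8462a9d1824eb52ca2516:8592791965",
     "created_timestamp": "2022-10-18T20:05:00Z", "device": {"hostname": "constructed-host-2"}},
    {"detection_id": "ldt:766a3015cdcc41b39d24cdf9a1c8afd3:25796649270",
     "created_timestamp": "2022-10-18T20:09:00Z", "device": {"hostname": "constructed-host-3"}},
]


def fake_transport(method, url, headers, params, body):
    """Stand-in for the Falcon API: canned responses built from the constructed data."""
    path = urlsplit(url).path
    if method == "POST" and path == "/oauth2/token":
        return 201, {"access_token": "constructed-token", "expires_in": 1799}
    if headers.get("Authorization") != "Bearer constructed-token":
        return 401, {"errors": [{"code": 401, "message": "access denied"}]}
    if method == "GET" and path == "/detects/queries/detects/v1":
        all_ids = [d["detection_id"] for d in CONSTRUCTED_DETECTIONS]
        page = all_ids[params["offset"]:params["offset"] + params["limit"]]
        return 200, {"meta": {"pagination": {"offset": params["offset"], "limit": params["limit"],
                                             "total": len(all_ids)}}, "resources": page}
    if method == "POST" and path == "/detects/entities/summaries/GET/v1":
        wanted = set(body["ids"])
        return 200, {"resources": [d for d in CONSTRUCTED_DETECTIONS if d["detection_id"] in wanted]}
    return 404, {"errors": [{"code": 404, "message": "not found"}]}


def triage_new_detections(cloud: str = "us-1", page_size: int = 2) -> list:
    """Collect every detection still in status 'new' and return (id, created, hostname) rows."""
    client = FalconClient(cloud, "constructed-client-id", "constructed-secret", fake_transport)
    ids = client.get_detection_ids("status:'new'", page_size=page_size)
    return [(s["detection_id"], s["created_timestamp"], s["device"]["hostname"])
            for s in client.get_detection_summaries(ids)]


if __name__ == "__main__":
    for row in triage_new_detections():
        print(*row)
```

With a page size of 2 and three detections the query is issued twice before `offset` reaches `meta.pagination.total`, which is the same loop a playbook needs against the real endpoint, where `limit` is capped per request. The token is renewed before expiry rather than on a 401, so a long-running playbook never retries a request with a stale credential, and the cloud name, not a free-form URL, selects the base URL so a US-GOV tenant cannot accidentally send credentials to a commercial cloud.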
### Execute RTR Command

Executes a Real Time Response admin command on a host in CrowdStrike Falcon using a specific command string, device ID, and session ID.

Endpoint URL: `/real-time-response/entities/admin-command/v1`
Method: `POST`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| base_command | string | optional | Parameter for Execute RTR Command |
| command_string | string | optional | Parameter for Execute RTR Command |
| device_id | string | optional | Unique identifier |
| id | number | optional | Unique identifier |
| persist | boolean | optional | Parameter for Execute RTR Command |
| session_id | string | optional | Unique identifier |

Input example:

```json
{"json_body": {"base_command": "ls", "command_string": "-la", "device_id": "string", "id": 0, "persist": true, "session_id": "a8f685e0-117a-4707-867c-51b48f767392"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| meta.query_time | number | Time value |
| meta.powered_by | string | Output field meta.powered_by |
| meta.trace_id | string | Unique identifier |
| resources | array | Output field resources |
| resources.session_id | string | Unique identifier |
| resources.cloud_request_id | string | Unique identifier |
| resources.queued_command_offline | boolean | Output field resources.queued_command_offline |
| errors | object | Error message if any |

Output example (truncated on the source page):

```json
{"status_code": 201, "response_headers": {"Server": "nginx", "Date": "Thu, 20 Oct 2022 18:15:48 GMT", "Content-Type": "application/json", "Content-Length": "264", "Connection": "keep-alive", "Content-Encoding": "gzip", "X-Cs-Region": "us-1", "X-Cs-Traceid": "2c4d5303-a9b9-4dc7-8b17-122bddca8374", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5994", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "reason": "Created", "json_body": {"meta": {"query_time": 0.059549469, "powered_by": "empower-api", "tra
```

### Get File Analysis

Retrieve the status of a sandbox file analysis in CrowdStrike Falcon by specifying the 'ids' parameter.

Endpoint URL: `/falconx/entities/submissions/v1`
Method: `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.ids | array | required | Parameters for the Get File Analysis action |

Input example:

```json
{"parameters": {"ids": ["inc:4e400866e4d8462a9d1824eb52ca2516:c8a3075e582a46dd86da7a35ab1e73e3"]}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Get Incidents IDs

Retrieve a list of incident IDs from CrowdStrike Falcon based on specified search parameters.

Endpoint URL: `/incidents/queries/incidents/v1`
Method: `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.sort | string | optional | Parameters for the Get Incidents IDs action |
| parameters.filter | string | optional | Parameters for the Get Incidents IDs action |
| parameters.offset | string | optional | Parameters for the Get Incidents IDs action |
| parameters.limit | number | optional | Parameters for the Get Incidents IDs action |

Input example:

```json
{"parameters": {"sort": "assigned_to.asc", "filter": "start:>='2020-06-02T22:15:57Z'", "offset": "0", "limit": 500}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| meta.query_time | number | Time value |
| meta.pagination | object | Output field meta.pagination |
| meta.pagination.offset | number | Output field meta.pagination.offset |
| meta.pagination.limit | number | Output field meta.pagination.limit |
| meta.pagination.total | number | Output field meta.pagination.total |
| meta.powered_by | string | Output field meta.powered_by |
| meta.trace_id | string | Unique identifier |
| resources | array | Output field resources |
| errors | array | Error message if any |
| errors.file_name | string | Name of the resource |
| errors.file | string | Error message if any |

Output example (truncated on the source page):

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Fri, 21 Oct 2022 17:34:49 GMT", "Content-Type": "application/json", "Content-Length": "273", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-Cs-Region": "us-1", "X-Cs-Traceid": "e832d840-8e96-4ed3-aafd-33f5613f3c0b", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5996"}, "reason": "OK", "json_body": {"meta": {"query_time": 0.00960287,
```

### Get Reports by IDs

Obtain detailed sandbox analysis reports from CrowdStrike Falcon using specific report IDs.

Endpoint URL: `/falconx/entities/reports/v1`
Method: `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.ids | array | required | Parameters for the Get Reports by IDs action |

Input example:

```json
{"parameters": {"ids": ["123qweawdkjslkfjadjio1rjfieawfnisd"]}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Query Reports

Finds sandbox reports in CrowdStrike Falcon using an FQL filter and paging, requiring specific parameters for execution.

Endpoint URL: `/falconx/queries/reports/v1`
Method: `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.offset | string | optional | Parameters for the Query Reports action |
| parameters.limit | number | optional | Parameters for the Query Reports action |
| parameters.sort | string | optional | Parameters for the Query Reports action |
| parameters.filter | string | optional | Parameters for the Query Reports action |

Input example:

```json
{"parameters": {"offset": "0", "limit": 100, "sort": "created_at|asc", "filter": "name:'report123'"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Get Results from Vulnerability Keyword Search

Retrieve IDs, AIDs, and CVEs related to a specified vulnerability keyword in CrowdStrike Falcon, applying custom filters.

Endpoint URL: none listed (custom action)
Method: `POST`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| keyword | string | optional | Keyword for filtering vulnerabilities |
| filter | string | optional | Filter the vulnerabilities based on status, exploit status, ExPRT rating, etc. |
| test_mode | boolean | optional | Toggle to run a quick test |

Input example:

```json
{"json_body": {"keyword": "chrome", "test_mode": true}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| ids | array | Unique identifier |
| aids | array | Unique identifier |
| cves | array | Output field cves |
| host_info | object | Output field host_info |
| host_info.f06292f397d5438e9cb61faf97aa0726 | object | Output field host_info.f06292f397d5438e9cb61faf97aa0726 |
| host_info.f06292f397d5438e9cb61faf97aa0726.hostname | string | Name of the resource |
| host_info.f06292f397d5438e9cb61faf97aa0726.local_ip | string | Output field host_info.f06292f397d5438e9cb61faf97aa0726.local_ip |
| host_info.fd3655157efd4d96977cbfd20dfba071 | object | Output field host_info.fd3655157efd4d96977cbfd20dfba071 |
| host_info.fd3655157efd4d96977cbfd20dfba071.hostname | string | Name of the resource |
| host_info.fd3655157efd4d96977cbfd20dfba071.local_ip | string | Output field host_info.fd3655157efd4d96977cbfd20dfba071.local_ip |
| host_info.2aba60819e344f939811b55a9af52d3f | object | Output field host_info.2aba60819e344f939811b55a9af52d3f |
| host_info.2aba60819e344f939811b55a9af52d3f.hostname | string | Name of the resource |
| host_info.2aba60819e344f939811b55a9af52d3f.local_ip | string | Output field host_info.2aba60819e344f939811b55a9af52d3f.local_ip |
| host_info.6ec71e642bac41c790fe263043604c97 | object | Output field host_info.6ec71e642bac41c790fe263043604c97 |
| host_info.6ec71e642bac41c790fe263043604c97.hostname | string | Name of the resource |
| host_info.6ec71e642bac41c790fe263043604c97.local_ip | string | Output field host_info.6ec71e642bac41c790fe263043604c97.local_ip |
| host_info.35ee5ec29c734a54add3470bb290837b | object | Output field host_info.35ee5ec29c734a54add3470bb290837b |
| host_info.35ee5ec29c734a54add3470bb290837b.hostname | string | Name of the resource |
| host_info.35ee5ec29c734a54add3470bb290837b.local_ip | string | Output field host_info.35ee5ec29c734a54add3470bb290837b.local_ip |

Output example (truncated on the source page):

```json
{"status_code": 200, "json_body": {"ids": ["7c5ab944bddb43cd8614686d5d5a2dd1_b144007d1bcb36a68bea0f9b1158a3d1", "e2b1964cea2b49bea5f6a44cc61da9ac_b144007d1bcb36a68bea0f9b1158a3d1", "8615632cb69a43ce9432ebbaf5ff7f16_01bbf023d3e53b27be58cf5158448733"], "aids": ["a3b12addd4d14b959596d4e7c0cdd716", "5f7b99fcde0a42cca5d0c4be8c061a80", "3d30d861ee0d40f5b7f620b8d0b90c2f"], "cves": ["CVE-2023-4863", "CVE-2024-7965", "CVE-2024-7971"], "host_info": {"f06292f397d5438e9cb61faf97aa0726": {}, "fd3655157efd4d96977cbfd20dfba071"
```

### Get RTR Extracted File Contents

Retrieves the contents of a file extracted in a CrowdStrike Falcon RTR session, using a specific session ID and SHA256.

Endpoint URL: `/real-time-response/entities/extracted-file-contents/v1`
Method: `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.session_id | string | required | Parameters for the Get RTR Extracted File Contents action |
| parameters.sha256 | string | required | Parameters for the Get RTR Extracted File Contents action |
| parameters.filename | string | optional | Parameters for the Get RTR Extracted File Contents action |

Input example:

```json
{"parameters": {"session_id": "asd123", "sha256": "efa256a96af3b556cd3fc9d8b1cf587d72807d7805ced441e8149fc279db422b", "filename": "myfile"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | array | Output field file |
| file.file | string | Output field file.file |
| file.file_name | string | Name of the resource |

Output example:

```json
{"file": []}
```

### Get RTR Put Files

Retrieves files for CrowdStrike Falcon's Real Time Response 'put' command using specified IDs.

Endpoint URL: `/real-time-response/entities/put-files/v2`
Method: `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.ids | array | required | Parameters for the Get RTR Put Files action |

Input example:

```json
{"parameters": {"ids": ["qwe123"]}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| data | object | Response data |
| data.errors | array | Response data |
| data.errors.code | number | Response data |
| data.errors.id | string | Response data |
| data.errors.message | string | Response data |
| data.meta | object | Response data |
| data.meta.pagination | object | Response data |
| data.meta.pagination.limit | number | Response data |
| data.meta.pagination.offset | number | Response data |
| data.meta.pagination.total | number | Response data |
| data.meta.powered_by | string | Response data |
| data.meta.query_time | number | Response data |
| data.meta.trace_id | string | Response data |
| data.meta.writes | object | Response data |
| data.meta.writes.resources_affected | number | Response data |
| data.resources | array | Response data |
| data.resources.bucket | string | Response data |
| data.resources.cid | string | Response data |
| data.resources.comments_for_audit_log | string | Response data |
| data.resources.content | string | Response data |
| data.resources.created_by | string | Response data |
| data.resources.created_by_uuid | string | Response data |
| data.resources.created_timestamp | string | Response data |
| data.resources.description | string | Response data |

Output example (truncated on the source page):

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Fri, 09 Sep 2022 12:21:15 GMT", "Content-Type": "application/json", "Content-Length": "149", "Connection": "keep-alive", "Content-Encoding": "gzip", "X-Cs-Region": "us-1", "X-Cs-Traceid": "ae976111-9d15-4e08-8fd2-944e29b0a651", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5998", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "data": {"errors": [{}], "meta": {"pagination": {}, "powered_by": "string", "query_time": 0, "trace_id": "s
```

### Get RTR Session Files

Retrieves a list of files from a specific CrowdStrike Falcon RTR session using the provided session ID.

Endpoint URL: `/real-time-response/entities/file/v2`
Method: `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.session_id | string | required | Parameters for the Get RTR Session Files action |

Input example:

```json
{"parameters": {"session_id": "44a70ac4-1482-4cdb-a49f-78eb170ebac4"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| meta.query_time | number | Time value |
| meta.powered_by | string | Output field meta.powered_by |
| meta.trace_id | string | Unique identifier |
| resources | array | Output field resources |
| resources.id | string | Unique identifier |
| resources.cloud_request_id | string | Unique identifier |
| resources.created_at | string | Output field resources.created_at |
| resources.updated_at | string | Output field resources.updated_at |
| resources.deleted_at | string | Output field resources.deleted_at |
| resources.error_message | string | Response message |
| resources.name | string | Name of the resource |
| resources.progress | number | Output field resources.progress |
| resources.session_id | string | Unique identifier |
| resources.sha256 | string | Output field resources.sha256 |
| resources.size | number | Output field resources.size |
| resources.stage | string | Output field resources.stage |
| resources.status | string | Status value |
| resources.complete | boolean | Output field resources.complete |
| errors | array | Error message if any |
| errors.file_name | string | Name of the resource |
| errors.file | string | Error message if any |

Output example (truncated on the source page):

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Thu, 20 Oct 2022 17:23:05 GMT", "Content-Type": "application/json", "Content-Length": "160", "Connection": "keep-alive", "Content-Encoding": "gzip", "X-Cs-Region": "us-1", "X-Cs-Traceid": "423cc665-1ac3-4b26-a2ba-5fb778ad0ae7", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5996", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "reason": "OK", "json_body": {"meta": {"query_time": 0.019349868, "powered_by": "empower-api", "trace_id
```

### Get RTR Session IDs

Retrieve a list of Real Time Response session IDs from CrowdStrike Falcon to aid in incident investigation and response.

Endpoint URL: `/real-time-response/queries/sessions/v1`
Method: `GET`

Input: no input arguments.

Input example:

```json
{"parameters": {}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| meta.query_time | number | Time value |
| meta.pagination | object | Output field meta.pagination |
| meta.pagination.offset | number | Output field meta.pagination.offset |
| meta.pagination.limit | number | Output field meta.pagination.limit |
| meta.pagination.total | number | Output field meta.pagination.total |
| meta.powered_by | string | Output field meta.powered_by |
| meta.trace_id | string | Unique identifier |
| resources | array | Output field resources |
| errors | array | Error message if any |
| errors.file_name | string | Name of the resource |
| errors.file | string | Error message if any |

Output example (truncated on the source page):

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Thu, 20 Oct 2022 17:18:21 GMT", "Content-Type": "application/json", "Content-Length": "323", "Connection": "keep-alive", "Content-Encoding": "gzip", "X-Cs-Region": "us-1", "X-Cs-Traceid": "73e24c31-821c-44a0-8689-81348c270689", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5995", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "reason": "OK", "json_body": {"meta": {"query_time": 0.001995284, "pagination": {}, "powered_by": "empowe
```

### Get Scheduled Reports

Retrieves scheduled reports from CrowdStrike Falcon using specified report IDs. Requires the 'ids' parameter.

Endpoint URL: `/reports/entities/scheduled-reports/v1`
Method: `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.ids | array | required | The scheduled report ID to get details about |

Input example:

```json
{"parameters": {"ids": ["07c38c6536454292b199145fa2903bee"]}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| errors | array | Error message if any |
| errors.code | number | Error message if any |
| errors.id | string | Unique identifier |
| errors.message | string | Response message |
| meta | object | Output field meta |
| meta.pagination | object | Output field meta.pagination |
| meta.pagination.limit | number | Output field meta.pagination.limit |
| meta.pagination.offset | number | Output field meta.pagination.offset |
| meta.pagination.total | number | Output field meta.pagination.total |
| meta.powered_by | string | Output field meta.powered_by |
| meta.query_time | number | Time value |
| meta.trace_id | string | Unique identifier |
| meta.writes | object | Output field meta.writes |
| meta.writes.resources_affected | number | Output field meta.writes.resources_affected |
| resources | array | Output field resources |
| resources.api_client_id | string | Unique identifier |
| resources.can_write | boolean | Output field resources.can_write |
| resources.created_on | string | Output field resources.created_on |
| resources.customer_id | string | Unique identifier |
| resources.description | string | Output field resources.description |
| resources.expiration_on | string | Output field resources.expiration_on |
| resources.id | string | Unique identifier |
| resources.last_execution | object | Output field resources.last_execution |

Output example (truncated on the source page):

```json
{"errors": [{"code": 123, "id": "12345678-1234-1234-1234-123456789abc", "message": "string"}], "meta": {"pagination": {"limit": 123, "offset": 123, "total": 123}, "powered_by": "string", "query_time": 123, "trace_id": "string", "writes": {"resources_affected": 123}}, "resources": [{"api_client_id": "string", "can_write": true, "created_on": "string", "customer_id": "string", "description": "string", "expiration_on": "string", "id": "12345678-1234-1234-1234-123456789abc", "last_execution": {}, "last_updated_on": "string", "name": "example
```

### Get Scripts

Retrieves custom scripts by specified IDs for Real Time Response operations in CrowdStrike Falcon.

Endpoint URL: `/real-time-response/entities/scripts/v2`
Method: `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.ids | array | required | Parameters for the Get Scripts action |

Input example:

```json
{"parameters": {"ids": ["d8367f494e9311ea97920662caec3daa_6890622d3b88416f90879f7c3497ac1f", "44d5b6154e9211ea800f02e419334184_6890622d3b88416f90879f7c3497ac1f"]}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| meta.query_time | number | Time value |
| meta.powered_by | string | Output field meta.powered_by |
| meta.trace_id | string | Unique identifier |
| resources | array | Output field resources |
| resources.id | string | Unique identifier |
| resources.name | string | Name of the resource |
| resources.description | string | Output field resources.description |
| resources.file_type | string | Type of the resource |
| resources.platform | array | Output field resources.platform |
| resources.size | number | Output field resources.size |
| resources.content | string | Response content |
| resources.created_by | string | Output field resources.created_by |
| resources.created_by_uuid | string | Unique identifier |
| resources.created_timestamp | string | Output field resources.created_timestamp |
| resources.modified_by | string | Output field resources.modified_by |
| resources.modified_timestamp | string | Output field resources.modified_timestamp |
| resources.sha256 | string | Output field resources.sha256 |
| resources.permission_type | string | Type of the resource |
| resources.run_attempt_count | number | Count value |
| resources.run_success_count | number | Whether the operation was successful |
| resources.write_access | boolean | Output field resources.write_access |

Output example (truncated on the source page):

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Thu, 20 Oct 2022 17:50:32 GMT", "Content-Type": "application/json", "Content-Length": "605", "Connection": "keep-alive", "Content-Encoding": "gzip", "X-Cs-Region": "us-1", "X-Cs-Traceid": "07e49eb5-409a-4a44-a233-3037b242ad9c", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5995", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "reason": "OK", "json_body": {"meta": {"query_time": 0.115900991, "powered_by": "empower-api", "trace_id
```

### Get Scripts IDs

Obtain Real Time Response script IDs from CrowdStrike Falcon for incident response playbook integration.

Endpoint URL: `/real-time-response/queries/scripts/v1`
Method: `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.offset | string | optional | Parameters for the Get Scripts IDs action |
| parameters.limit | number | optional | Parameters for the Get Scripts IDs action |
| parameters.sort | string | optional | Parameters for the Get Scripts IDs action |
| parameters.filter | string | optional | Parameters for the Get Scripts IDs action |

Input example:

```json
{"parameters": {"offset": "0", "limit": 100, "sort": "created_at|asc", "filter": "name:'script_1.ps1'"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| meta.query_time | number | Time value |
| meta.pagination | object | Output field meta.pagination |
| meta.pagination.offset | number | Output field meta.pagination.offset |
| meta.pagination.limit | number | Output field meta.pagination.limit |
| meta.pagination.total | number | Output field meta.pagination.total |
| meta.powered_by | string | Output field meta.powered_by |
| meta.trace_id | string | Unique identifier |
| resources | array | Output field resources |

Output example (truncated on the source page):

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Thu, 20 Oct 2022 17:37:05 GMT", "Content-Type": "application/json", "Content-Length": "650", "Connection": "keep-alive", "Content-Encoding": "gzip", "X-Cs-Region": "us-1", "X-Cs-Traceid": "31159bff-08b4-4175-a561-e6b7aa7f70c4", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5996", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "reason": "OK", "json_body": {"meta": {"query_time": 0.019319069, "pagination": {}, "powered_by": "empowe
```

### Get User IDs

Retrieves a list of unique user IDs from CrowdStrike Falcon for system user identification.

Endpoint URL: `/user-management/queries/users/v1`
Method: `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.filter | string | optional | Parameters for the Get User IDs action |
| parameters.limit | number | optional | Parameters for the Get User IDs action |
| parameters.offset | number | optional | Parameters for the Get User IDs action |
| parameters.sort | string | optional | Parameters for the Get User IDs action |

Input example:

```json
{"parameters": {"filter": "", "limit": 1, "offset": 0, "sort": "uid|asc"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| meta.query_time | number | Time value |
| meta.pagination | object | Output field meta.pagination |
| meta.pagination.offset | number | Output field meta.pagination.offset |
| meta.pagination.limit | number | Output field meta.pagination.limit |
| meta.pagination.total | number | Output field meta.pagination.total |
| meta.powered_by | string | Output field meta.powered_by |
| meta.trace_id | string | Unique identifier |
| resources | array | Output field resources |

Output example (truncated on the source page):

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Mon, 09 Jan 2023 23:11:38 GMT", "Content-Type": "application/json", "Content-Length": "222", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-Cs-Region": "us-1", "X-Cs-Traceid": "97f3a15e-2472-49ef-af72-1d675c122098", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5997"}, "reason": "OK", "json_body": {"meta": {"query_time": 0.005224134
```

### Get Host Info

Retrieve detailed information for specified hosts in CrowdStrike Falcon using their unique IDs.

Endpoint URL: `/devices/entities/devices/v2`
Method: `POST`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | optional | Unique identifier |

Input example:

```json
{"json_body": {"ids": ["4e400866e4d8462a9d1824eb52ca2516", "e4c65cfccae64aa68271cb9d947543f6", "cbfa8e6cecb1400993830b1b9d6d98f4"]}}
```

Output (truncated on the source page):

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| meta.query_time | number | Time value |
| meta.powered_by | string | Output field meta.powered_by |
| meta.trace_id | string | Unique identifier |
| resources | array | Output field resources |
| resources.device_id | string | Unique identifier |
| resources.cid | string | Unique identifier |
| resources.agent_load_flags | string | Output field resources.agent_load_flags |
| resources.agent_local_time | string | Time value |
| resources.agent_version | string | Output field resources.agent_version |
| resources.bios_manufacturer | string | Output field resources.bios_manufacturer |
| resources.bios_version | string | Output field resources.bios_version |
| resources.build_number | | |
string output field resources build number resources config id base string unique identifier resources config id build string unique identifier resources config id platform string unique identifier resources cpu signature string output field resources cpu signature resources external ip string output field resources external ip resources mac address string output field resources mac address resources hostname string name of the resource resources first seen string output field resources first seen resources last seen string output field resources last seen resources local ip string output field resources local ip output example {"status code" 200,"response headers" {"server" "nginx","date" "tue, 18 oct 2022 22 01 51 gmt","content type" "application/json","transfer encoding" "chunked","connection" "keep alive","content encoding" "gzip","strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains","x cs region" "us 1","x cs traceid" "fa8f0e31 b0b0 4f71 a82e aed99cff4785","x ratelimit limit" "6000","x ratelimit remaining" "5996"},"reason" "ok","json body" {"meta" {"query time" 0 00 search host executes a search across all hosts in crowdstrike falcon using a specified falcon query language (fql) query endpoint url /devices/queries/devices/v1 method get input argument name type required description parameters offset number optional parameters for the search host action parameters limit number optional parameters for the search host action parameters sort string optional parameters for the search host action parameters filter string optional parameters for the search host action input example {"parameters" {"offset" 0,"limit" 1,"sort" "first behavior","filter" "filter expression"}} output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta meta query time number time value meta pagination object output field meta pagination meta 
pagination offset number output field meta pagination offset meta pagination limit number output field meta pagination limit meta pagination total number output field meta pagination total meta powered by string output field meta powered by meta trace id string unique identifier resources array output field resources errors array error message if any errors file name string name of the resource errors file string error message if any output example {"status code" 200,"response headers" {"server" "nginx","date" "tue, 18 oct 2022 21 36 02 gmt","content type" "application/json","content length" "267","connection" "keep alive","content encoding" "gzip","strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains","x cs region" "us 1","x cs traceid" "3c0f732c 44bc 42f2 8b21 582b4054486b","x ratelimit limit" "6000","x ratelimit remaining" "5996"},"reason" "ok","json body" {"meta" {"query time" 0 005665941 get incidents retrieve detailed information for specified incidents in crowdstrike falcon using unique incident identifiers endpoint url incidents/entities/incidents/get/v1 method post input argument name type required description ids array optional unique identifier input example {"json body" {"ids" \["inc 4e400866e4d8462a9d1824eb52ca2516\ c8a3075e582a46dd86da7a35ab1e73e3"]}} output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta meta query time number time value meta powered by string output field meta powered by meta trace id string unique identifier resources array output field resources resources incident id string unique identifier resources incident type number unique identifier resources cid string unique identifier resources host ids array unique identifier resources hosts array output field resources hosts resources hosts device id string unique identifier resources hosts cid string unique identifier resources hosts agent 
| resources.hosts.agent_load_flags | string | Agent load flags |
| resources.hosts.agent_local_time | string | Agent local time |
| resources.hosts.agent_version | string | Agent version |
| resources.hosts.bios_manufacturer | string | BIOS manufacturer |
| resources.hosts.bios_version | string | BIOS version |
| resources.hosts.config_id_base | string | Config ID base |
| resources.hosts.config_id_build | string | Config ID build |
| resources.hosts.config_id_platform | string | Config ID platform |
| resources.hosts.external_ip | string | External IP |
| resources.hosts.hostname | string | Hostname |
| resources.hosts.first_seen | string | First seen |

Output example (truncated):

```json
{"status_code": 200,
 "response_headers": {"Server": "nginx", "Date": "Wed, 19 Oct 2022 21:08:34 GMT", "Content-Type": "application/json", "Content-Length": "984", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-CS-Region": "us-1", "X-CS-TraceID": "ed44f4f3-d445-43df-8f19-97e27c1b07fc", "X-RateLimit-Limit": "6000", "X-RateLimit-Remaining": "5993"},
 "reason": "OK",
 "json_body": {"meta": {"query_time": 0.050719544
```

### Create Indicator

Create a new threat intelligence indicator in CrowdStrike Falcon using the specified JSON body format.

Endpoint URL: /iocs/entities/indicators/v1
Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| comment | string | Optional | Audit comment for the change |
| indicators | array | Optional | Indicators to create |
| indicators.action | string | Optional | Action to take on a match |
| indicators.applied_globally | boolean | Optional | Apply to all hosts rather than to host_groups |
| indicators.description | string | Optional | Description |
| indicators.expiration | string | Optional | Expiration timestamp |
| indicators.host_groups | array | Optional | Host group IDs the indicator applies to |
| indicators.metadata | object | Optional | Metadata |
| indicators.metadata.filename | string | Optional | File name associated with a hash indicator |
| indicators.mobile_action | string | Optional | Action for mobile platforms |
| indicators.platforms | array | Optional | Platforms |
| indicators.severity | string | Optional | Severity |
| indicators.source | string | Optional | Source |
| indicators.tags | array | Optional | Tags |
| indicators.type | string | Optional | Indicator type |
| indicators.value | string | Optional | Indicator value |

Input example:

```json
{"comment": "string",
 "indicators": [{"action": "string", "applied_globally": true, "description": "string", "expiration": "string", "host_groups": ["string"], "metadata": {"filename": "example_name"}, "mobile_action": "string", "platforms": ["string"], "severity": "string", "source": "string", "tags": ["string"], "type": "string", "value": "string"}]}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time |
| meta.pagination | object | Pagination |
| meta.pagination.limit | number | Limit |
| meta.pagination.total | number | Total |
| meta.powered_by | string | Powered by |
| meta.trace_id | string | Trace ID |
| errors | object | Error messages, if any |
| resources | array | Created indicators |
| resources.id | string | Indicator ID |
| resources.type | string | Indicator type |
| resources.value | string | Indicator value |
| resources.action | string | Action |
| resources.severity | string | Severity |
| resources.platforms | array | Platforms |
| resources.tags | array | Tags |
| resources.tags.file_name | string | File name |
| resources.tags.file | string | File |
| resources.expired | boolean | Whether the indicator has expired |
| resources.deleted | boolean | Whether the indicator is deleted |
| resources.applied_globally | boolean | Applied globally |
| resources.from_parent | boolean | Inherited from a parent CID |
| resources.created_on | string | Created on |

Output example (truncated):

```json
{"status_code": 201,
 "response_headers": {"Server": "nginx", "Date": "Mon, 17 Oct 2022 18:32:59 GMT", "Content-Type": "application/json", "Content-Length": "440", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-CS-Region": "us-1", "X-CS-TraceID": "42dfdd44-d39d-4f40-9e2e-22639b5de5d8", "X-RateLimit-Limit": "6000", "X-RateLimit-Remaining": "5995"},
 "reason": "Created",
 "json_body": {"meta": {"query_time": 0.1892
```

### Delete Indicator

Removes a specified indicator from CrowdStrike Falcon using the provided parameters. Either explicit IDs or an FQL filter selects the indicators to delete; a filter removes every indicator it matches, so prefer IDs where you have them.

Endpoint URL: /iocs/entities/indicators/v1
Method: DELETE

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.filter | string | Optional | FQL filter selecting indicators to delete |
| parameters.ids | array | Optional | Indicator IDs to delete |
| parameters.comment | string | Optional | Audit comment explaining the deletion |

Input example:

```json
{"parameters": {"filter": "fql filter", "ids": ["48e23334c3854063dd96f8dd863b0f98046d35a8dbf0cbe7a30b2eb41b47e31e"], "comment": "the comment why these indicators were deleted"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time |
| meta.powered_by | string | Powered by |
| meta.trace_id | string | Trace ID |
| errors | object | Error messages, if any |
| resources | array | Deleted indicator IDs |

Output example (truncated):

```json
{"status_code": 200,
 "response_headers": {"Server": "nginx", "Date": "Tue, 18 Oct 2022 18:32:58 GMT", "Content-Type": "application/json", "Content-Length": "207", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-CS-Region": "us-1", "X-CS-TraceID": "276d1125-e1ff-41a3-bdc6-ff9db65f3d81", "X-RateLimit-Limit": "6000", "X-RateLimit-Remaining": "5996"},
 "reason": "OK",
 "json_body": {"meta": {"query_time": 0.154435027
```

### Get Indicator

Retrieve detailed information for a specific indicator in CrowdStrike Falcon using its unique ID.

Endpoint URL: /iocs/entities/indicators/v1
Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| ids | array | Optional | Indicator IDs |

Input example:

```json
{"json_body": {"ids": ["48e23334c3854063dd96f8dd863b0f98046d35a8dbf0cbe7a30b2eb41b47e31e"]}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time |
| meta.pagination | object | Pagination |
| meta.pagination.limit | number | Limit |
| meta.pagination.total | number | Total |
| meta.powered_by | string | Powered by |
| meta.trace_id | string | Trace ID |
| errors | object | Error messages, if any |
| resources | array | Indicator records |
| resources.id | string | Indicator ID |
| resources.type | string | Indicator type |
| resources.value | string | Indicator value |
| resources.action | string | Action |
| resources.severity | string | Severity |
| resources.platforms | array | Platforms |
| resources.tags | array | Tags |
| resources.tags.file_name | string | File name |
| resources.tags.file | string | File |
| resources.expired | boolean | Whether the indicator has expired |
| resources.deleted | boolean | Whether the indicator is deleted |
| resources.applied_globally | boolean | Applied globally |
| resources.from_parent | boolean | Inherited from a parent CID |
| resources.created_on | string | Created on |

Output example (truncated):

```json
{"status_code": 200,
 "response_headers": {"Server": "nginx", "Date": "Tue, 18 Oct 2022 18:45:23 GMT", "Content-Type": "application/json", "Content-Length": "441", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-CS-Region": "us-1", "X-CS-TraceID": "84480a60-2e75-4deb-9abd-44ac034175a1", "X-RateLimit-Limit": "6000", "X-RateLimit-Remaining": "5994"},
 "reason": "OK",
 "json_body": {"meta": {"query_time": 0.000457506
```

### Query Indicator

Query CrowdStrike Falcon for indicator IDs by specifying 'type' and 'value' to augment threat intelligence initiatives. Note that this action calls the same endpoint as Query Host by Indicator below.

Endpoint URL: /indicators/queries/devices/v1
Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.type | string | Required | Indicator type |
| parameters.value | string | Required | Indicator value |
| parameters.limit | number | Optional | Maximum number of IDs to return |
| parameters.offset | number | Optional | Starting index of the result set |

Input example:

```json
{"parameters": {"type": "domain", "value": "swimlane.com", "limit": 10, "offset": 0}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time |
| meta.pagination | object | Pagination |
| meta.pagination.offset | string | Offset |
| meta.pagination.limit | number | Limit |
| meta.trace_id | string | Trace ID |
| meta.entity | string | Entity |
| resources | array | Matching IDs |
| errors | array | Error messages, if any |
| errors.file_name | string | File name |
| errors.file | string | Error message, if any |

Output example (truncated):

```json
{"status_code": 200,
 "response_headers": {"Server": "nginx", "Date": "Thu, 20 Oct 2022 17:06:57 GMT", "Content-Type": "application/json", "Content-Length": "228", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-CS-Region": "us-1", "X-CS-TraceID": "7a0bdb09-f1df-48ee-970f-48291e14ea00", "X-RateLimit-Limit": "6000", "X-RateLimit-Remaining": "5996"},
 "reason": "OK",
 "json_body": {"meta": {"query_time": 0.035178383
```

### Search Indicators

Executes a refined search for indicators within CrowdStrike Falcon using specified filter criteria and returns matching results. Deep result sets are paged with the `after` token returned in meta.pagination.after rather than with offset alone.

Endpoint URL: /iocs/queries/indicators/v1
Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.filter | string | Required | FQL filter |
| parameters.offset | number | Optional | Starting index of the result set |
| parameters.limit | number | Optional | Maximum number of IDs to return |
| parameters.sort | string | Optional | Sort field and direction |
| parameters.after | string | Optional | Pagination token from a previous response |

Input example:

```json
{"parameters": {"filter": "value:'swimlane.com'", "offset": 0, "limit": 10, "sort": "action", "after": "pagination token"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time |
| meta.pagination | object | Pagination |
| meta.pagination.limit | number | Limit |
| meta.pagination.total | number | Total matching records |
| meta.pagination.offset | number | Offset |
| meta.pagination.after | string | Token for the next page |
| meta.powered_by | string | Powered by |
| meta.trace_id | string | Trace ID |
| errors | object | Error messages, if any |
| resources | array | Indicator IDs |

Output example (truncated):

```json
{"status_code": 200,
 "response_headers": {"Server": "nginx", "Date": "Tue, 18 Oct 2022 18:22:49 GMT", "Content-Type": "application/json", "Content-Length": "362", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-CS-Region": "us-1", "X-CS-TraceID": "49884bfe-e178-45a0-84e0-dd8445d67abc", "X-RateLimit-Limit": "6000", "X-RateLimit-Remaining": "5996"},
 "reason": "OK",
 "json_body": {"meta": {"query_time": 0.013260798
```

### Update Indicator

Update specific indicator details within the CrowdStrike Falcon platform to maintain accurate threat intelligence. Individual indicators are addressed by `id` in the `indicators` array; `bulk_update` applies one set of changes to every indicator matched by its `filter`.

Endpoint URL: /iocs/entities/indicators/v1
Method: PATCH

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.retrodetects | boolean | Optional | Generate detections for past matches |
| parameters.ignore_warnings | boolean | Optional | Ignore warnings and proceed |
| bulk_update | object | Optional | Changes applied to all indicators matched by bulk_update.filter |
| bulk_update.action | string | Optional | Action |
| bulk_update.applied_globally | boolean | Optional | Applied globally |
| bulk_update.description | string | Optional | Description |
| bulk_update.expiration | string | Optional | Expiration timestamp |
| bulk_update.filter | string | Optional | FQL filter selecting indicators to update |
| bulk_update.from_parent | boolean | Optional | From parent |
| bulk_update.host_groups | array | Optional | Host group IDs |
| bulk_update.metadata | object | Optional | Metadata |
| bulk_update.metadata.filename | string | Optional | File name |
| bulk_update.mobile_action | string | Optional | Action for mobile platforms |
| bulk_update.platforms | array | Optional | Platforms |
| bulk_update.severity | string | Optional | Severity |
| bulk_update.source | string | Optional | Source |
| bulk_update.tags | array | Optional | Tags |
| comment | string | Optional | Audit comment for the change |
| indicators | array | Optional | Individual indicators to update |
| indicators.action | string | Optional | Action |
| indicators.applied_globally | boolean | Optional | Applied globally |
| indicators.description | string | Optional | Description |
| indicators.expiration | string | Optional | Expiration timestamp |
| indicators.host_groups | array | Optional | Host group IDs |
| indicators.id | string | Optional | Indicator ID |

Input example:

```json
{"parameters": {"retrodetects": true, "ignore_warnings": true},
 "bulk_update": {"action": "string", "applied_globally": true, "description": "string", "expiration": "string", "filter": "string", "from_parent": true, "host_groups": ["string"], "metadata": {"filename": "example_name"}, "mobile_action": "string", "platforms": ["string"], "severity": "string", "source": "string", "tags": ["string"]},
 "comment": "string",
 "indicators": [{"action": "string", "applied_globally": true, "description": "string", "expiration": "string", "host_groups": ["string"], "id": "12345678-1234-1234-1234-123456789abc", "metadata": {"filename": "example_name"}, "mobile_action": "string", "platforms": ["string"], "severity": "string", "source": "string", "tags": ["string"]}]}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time |
| meta.pagination | object | Pagination |
| meta.pagination.limit | number | Limit |
| meta.pagination.total | number | Total |
| meta.powered_by | string | Powered by |
| meta.trace_id | string | Trace ID |
| errors | object | Error messages, if any |
| resources | array | Updated indicators |
| resources.file_name | string | File name |
| resources.file | string | File |

Output example (truncated):

```json
{"status_code": 200,
 "response_headers": {"Server": "nginx", "Date": "Tue, 18 Oct 2022 19:21:59 GMT", "Content-Type": "application/json", "Content-Length": "192", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-CS-Region": "us-1", "X-CS-TraceID": "9b70ab70-9506-4f11-abc8-920efde2034d", "X-RateLimit-Limit": "6000", "X-RateLimit-Remaining": "5996"},
 "reason": "OK",
 "json_body": {"meta": {"query_time": 0.667011146
```

### Initialize RTR Session

Establishes a new Real Time Response session within CrowdStrike Falcon for immediate incident response.

Endpoint URL: /real-time-response/entities/sessions/v1
Method: POST
Input:

| Name | Type | Required | Description |
|---|---|---|---|
| paramters | object | Optional | Query parameters (the key is spelled `paramters` in this action's schema) |
| paramters.timeout | number | Optional | Session timeout in seconds |
| paramters.timeout_duration | string | Optional | Session timeout as a duration string |
| device_id | string | Optional | Device ID of the host to open the session on |
| origin | string | Optional | Origin |
| queue_offline | boolean | Optional | Queue the session if the host is currently offline |

Input example:

```json
{"json_body": {"device_id": "985a4275d7ae4e34be339c68d43cc81a", "origin": "string", "queue_offline": true},
 "paramters": {"timeout": 300, "timeout_duration": "1m"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| data | object | Response data |
| data.meta | object | Response metadata |
| data.meta.query_time | number | Query time |
| data.meta.powered_by | string | Powered by |
| data.meta.trace_id | string | Trace ID |
| data.resources | array | Session records |
| data.resources.session_id | string | Session ID; pass it to the RTR command actions |
| data.resources.scripts | array | Commands available in the session |
| data.resources.scripts.command | string | Command name |
| data.resources.scripts.description | string | Command description |
| data.resources.scripts.examples | string | Usage examples |
| data.resources.scripts.internal_only | boolean | Internal only |
| data.resources.scripts.runnable | boolean | Whether the command can be run |
| data.resources.scripts.sub_commands | array | Sub-commands |
| data.resources.scripts.sub_commands.file_name | string | File name |
| data.resources.scripts.sub_commands.file | string | File |
| data.resources.scripts.args | array | Command arguments |
| data.resources.scripts.args.id | number | Argument ID |
| data.resources.scripts.args.created_at | string | Created at |
| data.resources.scripts.args.updated_at | string | Updated at |
| data.resources.scripts.args.script_id | number | Script ID |
| data.resources.scripts.args.arg_type | string | Argument type |
| data.resources.scripts.args.data_type | string | Data type |
| data.resources.scripts.args.requires_value | boolean | Whether the argument requires a value |

Output example (truncated):

```json
{"status_code": 201,
 "response_headers": {"Server": "nginx", "Date": "Wed, 07 Sep 2022 11:23:32 GMT", "Content-Type": "application/json", "Content-Length": "1924", "Connection": "keep-alive", "Content-Encoding": "gzip", "X-CS-Region": "us-1", "X-CS-TraceID": "91ceb5e2-dd30-440c-b4ee-d63aa0e6b2df", "X-RateLimit-Limit": "6000", "X-RateLimit-Remaining": "5999", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
 "data": {"meta": {"query_time": 1.504846194, "powered_by": "empower-api", "trace_id": "91ceb5e2-dd30-4
```

### Launch Scheduled Reports

Initiates execution of scheduled reports in CrowdStrike Falcon using provided ID(s) and report details.

Endpoint URL: /reports/entities/scheduled-reports/execution/v1
Method: POST

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| errors | array | Error messages, if any |
| errors.code | number | Error code |
| errors.id | string | Error ID |
| errors.message | string | Error message |
| meta | object | Response metadata |
| meta.pagination | object | Pagination |
| meta.pagination.limit | number | Limit |
| meta.pagination.offset | number | Offset |
| meta.pagination.total | number | Total |
| meta.powered_by | string | Powered by |
| meta.query_time | number | Query time |
| meta.trace_id | string | Trace ID |
| meta.writes | object | Write summary |
| meta.writes.resources_affected | number | Number of resources affected |
| resources | array | Report executions |
| resources.can_write | boolean | Whether the caller can modify the report |
| resources.created_on | string | Created on |
| resources.customer_id | string | Customer ID |
| resources.execution_metadata | object | Execution metadata |
| resources.execution_metadata.report_params | object | Report parameters |
| resources.execution_metadata.report_params.columns | array | Report columns |
| resources.execution_metadata.report_params.dashboard_id | string | Dashboard ID |
| resources.execution_metadata.report_params.dashboard_visibility | string | Dashboard visibility |

Output example (truncated):

```json
{"errors": [{"code": 123, "id": "12345678-1234-1234-1234-123456789abc", "message": "string"}],
 "meta": {"pagination": {"limit": 123, "offset": 123, "total": 123}, "powered_by": "string", "query_time": 123, "trace_id": "string", "writes": {"resources_affected": 123}},
 "resources": [{"can_write": true, "created_on": "string", "customer_id": "string", "execution_metadata": {}, "expiration_on": "string", "id": "12345678-1234-1234-1234-123456789abc", "job_reference": "string", "last_updated_on": "string", "report_file_reference": "string", "r
```

### Manage Scans

Initiate, schedule, or control on-demand Windows scans in CrowdStrike Falcon using specified host and file path details. The example response advertises a much lower rate limit for this endpoint (X-RateLimit-Limit: 15) than the other endpoints on this page (6000), so throttle scan launches in playbooks accordingly.

Endpoint URL: /ods/entities/scans/v1
Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| hosts | array | Optional | Host IDs to scan |
| host_groups | array | Optional | Host group IDs to scan |
| file_paths | array | Optional | File paths to scan |
| scan_exclusions | array | Optional | Paths excluded from the scan |
| initiated_from | string | Optional | Where the scan was initiated from |
| cpu_priority | number | Optional | CPU priority |
| description | string | Optional | Description |
| quarantine | boolean | Optional | Quarantine detected files |
| endpoint_notification | boolean | Optional | Notify the endpoint user |
| pause_duration | number | Optional | Pause duration |
| sensor_ml_level_detection | number | Optional | Sensor ML detection level |
| sensor_ml_level_prevention | number | Optional | Sensor ML prevention level |
| cloud_ml_level_detection | number | Optional | Cloud ML detection level |
| cloud_ml_level_prevention | number | Optional | Cloud ML prevention level |
| max_duration | number | Optional | Maximum scan duration |

Input example:

```json
{"json_body": {"hosts": ["49d80845335940c888b88bbaa632bd7e"], "host_groups": [""], "file_paths": ["C:\\Windows\\explorer.exe"], "scan_exclusions": [""], "initiated_from": "falcon_adhoc", "cpu_priority": 1, "description": "test apis", "quarantine": true, "endpoint_notification": true, "pause_duration": 2, "sensor_ml_level_detection": 2, "sensor_ml_level_prevention": 2, "cloud_ml_level_detection": 2, "cloud_ml_level_prevention": 2, "max_duration": 2}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time |
| meta.writes | object | Write summary |
| meta.writes.resources_affected | number | Number of resources affected |
| meta.powered_by | string | Powered by |
| meta.trace_id | string | Trace ID |
| resources | array | Scan records |
| resources.id | string | Scan ID |
| resources.cid | string | Customer ID |
| resources.profile_id | string | Profile ID |
| resources.description | string | Description |
| resources.file_paths | array | File paths |
| resources.initiated_from | string | Initiated from |
| resources.quarantine | boolean | Quarantine |
| resources.cpu_priority | number | CPU priority |
| resources.preemption_priority | number | Preemption priority |
| resources.metadata | array | Per-host scan metadata |
| resources.metadata.host_id | string | Host ID |
| resources.metadata.scan_host_metadata_id | string | Scan host metadata ID |
| resources.metadata.filecount | object | File counts |
| resources.metadata.last_updated | string | Last updated |
| resources.filecount | object | File counts |
| resources.status | string | Scan status |

Output example (truncated):

```json
{"status_code": 200,
 "response_headers": {"Server": "nginx", "Date": "Thu, 02 Nov 2023 16:43:41 GMT", "Content-Type": "application/json", "Content-Length": "231", "Connection": "keep-alive", "X-Content-Type-Options": "nosniff", "X-CS-TraceID": "c346f1ac-873b-4794-b85f-f35b9a6b7884", "X-RateLimit-Limit": "15", "X-RateLimit-Remaining": "14", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
 "reason": "OK",
 "json_body": {"meta": {"query_time": 0.207790105, "writes": {}, "powered_by": "svc-odsapi", "trace_id": "e4
```

### Perform Device Action

Executes a specified action on multiple devices in CrowdStrike Falcon using their IDs and the chosen action name. The example response is 202 Accepted: the action is queued for the sensor, not confirmed as completed on the host.

Endpoint URL: /devices/entities/devices-actions/v2
Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.action_name | string | Required | Action to perform |
| action_parameters | array | Optional | Additional name/value parameters for the action |
| action_parameters.name | string | Optional | Parameter name |
| action_parameters.value | string | Optional | Parameter value |
| ids | array | Optional | Device IDs |

Input example:

```json
{"parameters": {"action_name": "unhide_host"},
 "json_body": {"action_parameters": [{"name": "name", "value": "value"}], "ids": ["985a4275d7ae4e34be339c68d43cc81a"]}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time |
| meta.powered_by | string | Powered by |
| meta.trace_id | string | Trace ID |
| resources | array | Affected devices |
| resources.id | string | Device ID |
| resources.path | string | Path |
| errors | array | Error messages, if any |
| errors.file_name | string | File name |
| errors.file | string | Error message, if any |

Output example (truncated):

```json
{"status_code": 202,
 "response_headers": {"Server": "nginx", "Date": "Thu, 20 Oct 2022 15:41:32 GMT", "Content-Type": "application/json", "Content-Length": "214", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-CS-Region": "us-1", "X-CS-TraceID": "9a624a54-733b-41cd-9fae-fce985b7ea10", "X-RateLimit-Limit": "6000", "X-RateLimit-Remaining": "5994"},
 "reason": "Accepted",
 "json_body": {"meta": {"query_time": 14.05
```

### Perform Incident Action

Executes specified actions on multiple incidents in CrowdStrike Falcon using provided 'ids' and 'action_parameters'.

Endpoint URL: /incidents/entities/incident-actions/v1
Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| ids | array | Optional | Incident IDs |
| action_parameters | array | Optional | Name/value pairs describing the action |
| action_parameters.name | string | Required | Action name |
| action_parameters.value | string | Required | Action value |

Input example:

```json
{"json_body": {"ids": ["inc:4e400866e4d8462a9d1824eb52ca2516:50e5a788a8b14ca4ad23aa909bd16efb"], "action_parameters": [{"name": "update_name", "value": "renamed incident"}]}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time |
| meta.powered_by | string | Powered by |
| meta.trace_id | string | Trace ID |
| resources | array | Results |
| resources.file_name | string | File name |
| resources.file | string | File |
| errors | array | Error messages, if any |
| errors.file_name | string | File name |
| errors.file | string | Error message, if any |

Output example (truncated):

```json
{"status_code": 200,
 "response_headers": {"Server": "nginx", "Date": "Thu, 20 Oct 2022 15:55:00 GMT", "Content-Type": "application/json", "Content-Length": "160", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-CS-Region": "us-1", "X-CS-TraceID": "eede97f3-8a60-476a-934d-d4051d4f4a37", "X-RateLimit-Limit": "6000", "X-RateLimit-Remaining": "5996"},
 "reason": "OK",
 "json_body": {"meta": {"query_time": 0.063349771
```

### Query Behaviors

Retrieve CrowdStrike Falcon behaviors using an FQL filter with sorting and paging options.

Endpoint URL: /incidents/queries/behaviors/v1
Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.filter | string | Optional | Filter and sort criteria in the form of an FQL query |
| parameters.offset | number | Optional | Starting index of the overall result set from which to return IDs |
| parameters.limit | number | Optional | Maximum number of records to return (1 to 500) |
| parameters.sort | string | Optional | The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "desc" |

Input example:

```json
{"parameters": {"filter": "filepath:test", "offset": 0, "limit": 100, "sort": "alert_ids.asc"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time |
| meta.pagination | object | Pagination |
| meta.pagination.offset | number | Offset |
| meta.pagination.limit | number | Limit |
| meta.pagination.total | number | Total matching records |
| meta.powered_by | string | Powered by |
| meta.trace_id | string | Trace ID |
| resources | array | Behavior IDs |
| resources.file_name | string | File name |
| resources.file | string | File |
| errors | array | Error messages, if any |
| errors.file_name | string | File name |
| errors.file | string | Error message, if any |

Output example (truncated):

```json
{"status_code": 200,
 "response_headers": {"Server": "nginx", "Date": "Tue, 22 Jul 2025 08:38:10 GMT", "Content-Type": "application/json", "Content-Length": "198", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=31536000; includeSubDomains, max-age=31536000; includeSubDomains", "X-CS-Region": "us-1", "X-CS-TraceID": "98aa8db9-a69d-4b87-907a-2393919c8f11", "X-RateLimit-Limit": "6000", "X-RateLimit-Remaining": "5951"},
 "reason": "OK",
 "json_body": {"meta": {"query_time": 0.015020273
```

### Query Host by Indicator

Locate hosts in CrowdStrike Falcon that have observed a specified custom indicator of compromise (IOC) by type and value.

Endpoint URL: /indicators/queries/devices/v1
Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.type | string | Required | Indicator type |
| parameters.value | string | Required | Indicator value |
| parameters.limit | string | Optional | Maximum number of IDs to return |
| parameters.offset | string | Optional | Starting index of the result set |

Input example:

```json
{"parameters": {"type": "domain", "value": "swimlane.com", "limit": "10", "offset": "0"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time |
| meta.pagination | object | Pagination |
| meta.pagination.offset | string | Offset |
| meta.pagination.limit | number | Limit |
| meta.trace_id | string | Trace ID |
| meta.entity | string | Entity |
| resources | array | Device IDs |
| errors | array | Error messages, if any |
| errors.file_name | string | File name |
| errors.file | string | Error message, if any |

Output example (truncated):

```json
{"status_code": 200,
 "response_headers": {"Server": "nginx", "Date": "Fri, 21 Oct 2022 20:45:11 GMT", "Content-Type": "application/json", "Content-Length": "228", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-CS-Region": "us-1", "X-CS-TraceID": "0e57fcdc-6e9e-4cd3-b493-b6fde9f7a66f", "X-RateLimit-Limit": "6000", "X-RateLimit-Remaining": "5996"},
 "reason": "OK",
 "json_body": {"meta": {"query_time": 0.035884016
```

### Query Scheduled Reports

Retrieve a list of report IDs from CrowdStrike Falcon based on specified query and filter criteria.

Endpoint URL: /reports/queries/scheduled-reports/v1
Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.sort | string | Optional | Possible order-by fields: created_on, last_updated_on, last_execution_on, next_execution_on |
| parameters.filter | string | Optional | FQL query specifying the filter. Filter term criteria: type, trigger_reference, recipients, user_uuid, cid, trigger_params.metadata. Filter range criteria: created_on, modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z' |
| parameters.q | string | Optional |
match query criteria, which includes all the filter string fields parameters offset string optional starting index of overall result set from which to return ids parameters limit number optional number of ids to return input example {"parameters" {"sort" "created on","filter" "trigger reference","q" "","offset" "","limit" 3}} output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta meta query time number time value meta pagination object output field meta pagination meta pagination offset number output field meta pagination offset meta pagination limit number output field meta pagination limit meta pagination total number output field meta pagination total meta powered by string output field meta powered by meta trace id string unique identifier meta writes object output field meta writes meta writes resources affected number output field meta writes resources affected resources array output field resources errors array error message if any errors code number error message if any errors id string unique identifier errors message string response message output example {"status code" 200,"response headers" {"server" "nginx","date" "thu, 16 jan 2025 10 40 08 gmt","content type" "application/json","content length" "245","connection" "keep alive","content encoding" "gzip","strict transport security" "max age=31536000; includesubdomains, max age=31536000; includesubdomains","x cs region" "us 1","x cs traceid" "2bd55126 bb08 44d4 905f 450da0f88a47","x ratelimit limit" "6000","x ratelimit remaining" "5998"},"reason" "ok","json body" {"meta" {"query time" 0 030274587 retrieve scans by id retrieve detailed information for specific scans in crowdstrike falcon using their unique identifiers endpoint url /ods/entities/scans/v1 method get input argument name type required description parameters ids string required parameters for the retrieve scans by id action input example 
{"parameters" {"ids" "a69fbc6555704446a10314b70d19955c"}} output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta meta query time number time value meta writes object output field meta writes meta writes resources affected number output field meta writes resources affected meta powered by string output field meta powered by meta trace id string unique identifier resources array output field resources resources id string unique identifier resources cid string unique identifier resources profile id string unique identifier resources description string output field resources description resources file paths array output field resources file paths resources initiated from string output field resources initiated from resources quarantine boolean output field resources quarantine resources cpu priority number output field resources cpu priority resources preemption priority number output field resources preemption priority resources metadata array response data resources metadata host id string response data resources metadata host scan id string response data resources metadata scan host metadata id string response data resources metadata filecount object response data resources metadata filecount scanned number response data resources metadata filecount malicious number response data output example {"status code" 200,"response headers" {"server" "nginx","date" "tue, 07 nov 2023 16 30 27 gmt","content type" "application/json","content length" "1018","connection" "keep alive","content encoding" "gzip","strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains","x cs region" "us 1","x cs traceid" "15c0882f 1bf6 4529 8cbd cf81c12e4dc9","x ratelimit limit" "6000","x ratelimit remaining" "5996"},"reason" "ok","json body" {"meta" {"query time" 0 02398445 rtr cmd result retrieve results of a real time response command in crowdstrike falcon 
using cloud request id and sequence id endpoint url /real time response/entities/admin command/v1 method get input argument name type required description parameters cloud request id string required parameters for the rtr cmd result action parameters sequence id number required parameters for the rtr cmd result action input example {"parameters" {"cloud request id" "505891fe 2b81 4531 baf0 d4bfc8d38107","sequence id" 0}} output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta meta query time number time value meta powered by string output field meta powered by meta trace id string unique identifier resources array output field resources resources session id string unique identifier resources task id string unique identifier resources complete boolean output field resources complete resources stdout string output field resources stdout resources stderr string output field resources stderr resources base command string output field resources base command errors array error message if any errors file name string name of the resource errors file string error message if any output example {"status code" 200,"response headers" {"server" "nginx","date" "thu, 20 oct 2022 18 34 29 gmt","content type" "application/json","content length" "875","connection" "keep alive","content encoding" "gzip","x cs region" "us 1","x cs traceid" "7357b311 85cd 4d26 abdd 8e57e16f3dfb","x ratelimit limit" "6000","x ratelimit remaining" "5995","strict transport security" "max age=31536000; includesubdomains"},"reason" "ok","json body" {"meta" {"query time" 0 321708212,"powered by" "empower api","trace id search reports locate and filter crowdstrike falcon report ids by using a query with specific parameters to refine search results endpoint url reports/queries/scheduled reports/v1 method get input argument name type required description parameters q string optional parameters for the search reports 
action parameters filter string optional parameters for the search reports action parameters sort string optional parameters for the search reports action parameters offset string optional parameters for the search reports action parameters limit number optional parameters for the search reports action input example {"parameters" {"q" "match query criteria","filter" "created on 2010 05 15t14 55 21 892315096z","sort" "created on","offset" "0","limit" 100}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {},"reason" "ok","json body" {}} submit file analysis uploads a file to crowdstrike falcon for sandbox analysis, specifying the environment via the 'sandbox' parameter endpoint url falconx/entities/submissions/v1 method post input argument name type required description sandbox array optional parameter for submit file analysis sandbox action script string optional parameter for submit file analysis sandbox command line string optional parameter for submit file analysis sandbox document password string optional parameter for submit file analysis sandbox enable tor boolean optional parameter for submit file analysis sandbox environment id number required unique identifier sandbox network settings string optional parameter for submit file analysis sandbox sha256 string optional parameter for submit file analysis sandbox submit name string optional name of the resource sandbox system date string optional date value sandbox system time string optional time value sandbox url string optional url endpoint for the request send email notification boolean optional parameter for submit file analysis user tags array optional parameter for submit file analysis input example {"sandbox" \[{"action script" "string","command line" "string","document password" "string","enable tor"\ true,"environment id" 123,"network settings" "string","sha256" 
"string","submit name" "example name","system date" "string","system time" "string","url" "https //example com/api/resource"}],"send email notification"\ true,"user tags" \["string"]} output parameter type description status code number http status code of the response reason string response reason phrase output example {} update detection updates specified detections in crowdstrike falcon using a list of detection 'ids' provided in the json body endpoint url detects/entities/detects/v2 method patch input argument name type required description assigned to uuid string optional unique identifier comment string optional parameter for update detection ids array optional unique identifier show in ui boolean optional parameter for update detection status string optional status value input example {"json body" {"assigned to uuid" "1234567891234567891","comment" "comment string","ids" \["ldt 4e400866e4d8462a9d1824eb52ca2516 64431642420"],"show in ui"\ true,"status" "new"}} output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta meta query time number time value meta writes object output field meta writes meta writes resources affected number output field meta writes resources affected meta powered by string output field meta powered by meta trace id string unique identifier output example {"status code" 200,"response headers" {"server" "nginx","date" "fri, 21 oct 2022 16 56 04 gmt","content type" "application/json","content length" "165","connection" "keep alive","content encoding" "gzip","strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains","x cs region" "us 1","x cs traceid" "c72a8e5b d928 415f 9573 e88a469d075d","x ratelimit limit" "6000","x ratelimit remaining" "5994"},"reason" "ok","json body" {"meta" {"query time" 0 047651067 upload file analysis upload a file to crowdstrike falcon for sandbox analysis, with required form 
data and data body inputs endpoint url samples/entities/samples/v2 method post input argument name type required description form data object required response data form data sample array required content of the uploaded sample in binary format form data sample file name string required response data form data sample file string required response data data body object required response data data body file name string required name of the file data body is confidential boolean optional defines visibility of this file in falcon malquery, either via the api or the falcon console data body comment string optional a descriptive comment to identify the file for other users input example {"form data" {"sample" \[{"file name" "example name","file" "string"}]},"data body" {"file name" "example name","is confidential"\ true,"comment" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase errors array error message if any errors code number error message if any errors id string unique identifier errors message string response message meta object output field meta meta pagination object output field meta pagination meta pagination limit number output field meta pagination limit meta pagination offset number output field meta pagination offset meta pagination total number output field meta pagination total meta powered by string output field meta powered by meta query time number time value meta trace id string unique identifier meta writes object output field meta writes meta writes resources affected number output field meta writes resources affected resources array output field resources output example {"status code" 200,"response headers" {"server" "nginx","date" "wed, 19 oct 2022 19 53 29 gmt","content type" "application/json","transfer encoding" "chunked","connection" "keep alive","content encoding" "gzip","strict transport security" "max age=15724800; includesubdomains, max age=31536000; 
includesubdomains","x cs region" "us 1","x cs traceid" "1b07769e 66b4 41fb a970 9d6a764206ac","x ratelimit limit" "6000","x ratelimit remaining" "5995"},"reason" "ok","json body" {"errors" \[{}],"meta" {"pa upload rtr put file upload a new file to crowdstrike falcon for use with the real time response 'put' command, requiring an attachment endpoint url real time response/entities/put files/v1 method post input argument name type required description attachments array required script to be uploaded attachments file string optional parameter for upload rtr put file attachments description string optional parameter for upload rtr put file attachments name string optional name of the resource attachments comments for audit log string optional parameter for upload rtr put file input example {"attachments" \[{"file" "string","description" "string","name" "example name","comments for audit log" "string"}]} output parameter type description data object response data data meta object response data data meta query time number response data data meta writes object response data data meta writes resources affected number response data data meta powered by string response data data meta trace id string response data output example {"data" {"meta" {"query time" 0 858507743,"writes" {},"powered by" "empower","trace id" "348c03bc 24de 4a17 aa8f b4a5a2a4cd73"}}} upload script upload a new custom script to crowdstrike falcon for real time response, requiring an attachment endpoint url /real time response/entities/scripts/v1 method post input argument name type required description attachments array required script to be uploaded attachments file string optional parameter for upload script attachments description string optional parameter for upload script attachments name string optional name of the resource attachments comments for audit log string optional parameter for upload script attachments permission type string optional type of the resource attachments content string 
optional response content attachments platform array optional parameter for upload script input example {"attachments" \[{"file" "string","description" "string","name" "example name","comments for audit log" "string","permission type" "string","content" "string","platform" \["string"]}]} output parameter type description status code number http status code of the response data object response data data meta object response data data meta query time number response data data meta writes object response data data meta writes resources affected number response data data meta powered by string response data data meta trace id string response data output example {"status code" 200,"response headers" {"content type" "application/json","content length" "192"},"data" {"meta" {"query time" 0 652933766,"writes" {},"powered by" "empower","trace id" "bf90adeb 8c5e 4c0a 928f 688d9c52a54b"}}} vertex summary retrieve a summary of connected edges and vertex data from crowdstrike falcon for a specified vertex type and ids endpoint url /threatgraph/combined/{{vertex type}}/summary/v1 method get input argument name type required description parameters scope string optional defines what scope you are querying for for customer scope, use the value "customer" for device scope, use "device" (default) parameters ids string required this represents the identifier of the actual object you're looking for these ids should be treated as opaque identifiers and can be retrieved from other threatgraph calls this parameter can be provided up to 100 times to retrieve details on multiple vertices path parameters vertex type string required the vertex that you are looking for input example {"parameters" {"ids" "mod 2d6c3ed75e024b317ccd855ce584ac01 1788db64ec645c3bd54a6645f956c28593545bcaa22ae4cd12546954a6911e53","scope" "device"},"path parameters" {"vertex type" "process"}} output parameter type description status code number http status code of the response reason string response reason phrase meta 
object output field meta meta query time number time value meta trace id string unique identifier resources array output field resources resources id string unique identifier resources customer id string unique identifier resources scope string output field resources scope resources device id string unique identifier resources vertex type string type of the resource resources object id string unique identifier resources timestamp string output field resources timestamp resources properties object output field resources properties resources properties activeprivilegeescalationcount string count value resources properties asepwrittencount string count value resources properties authenticationid string unique identifier resources properties binaryexecutablewrittencount string count value resources properties commandline string output field resources properties commandline resources properties conhostid string unique identifier resources properties configbuild string output field resources properties configbuild resources properties directorycreatedcount string count value resources properties dnsrequestcount string count value resources properties exeandservicecount string count value resources properties executabledeletedcount string count value output example {"meta" {"query time" 123,"trace id" "string"},"resources" \[{"id" "12345678 1234 1234 1234 123456789abc","customer id" "string","scope" "string","device id" "string","vertex type" "string","object id" "string","timestamp" "2024 01 01t00 00 00z","properties" {},"edges" {}}],"errors" \[{"file name" "example name","file" "string"}]} response headers header description example connection http response header connection keep alive content encoding http response header content encoding gzip content length the length of the response body in bytes 245 content type the media type of the resource application/json date the date and time at which the message was originated tue, 18 oct 2022 18 22 49 gmt server information 
about the software used by the origin server nginx strict transport security http response header strict transport security max age=15724800; includesubdomains, max age=31536000; includesubdomains transfer encoding http response header transfer encoding chunked x content type options http response header x content type options nosniff x cs region http response header x cs region us 1 x cs traceid http response header x cs traceid 6d9bb61a eacb 4ff2 ab2d b01c54115d0a x ratelimit limit the number of requests allowed in the current rate limit window 15 x ratelimit remaining the number of requests remaining in the current rate limit window 5998
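The "rtr cmd result" action above returns one chunk of a command's output per sequence_id and only marks the last chunk complete, and every response carries the X-Ratelimit-Remaining header listed in the response-headers table. The following added example (not the connector's or CrowdStrike's own code) shows a playbook-style polling loop that joins the chunks, stops on API errors, and refuses to drain the rate-limit budget; the HTTP layer is a hypothetical in-memory fake fed with constructed responses so it runs offline.

```python
"""Collect the full output of a Falcon real-time-response admin command.

Added example, not the connector's or CrowdStrike's own code. It mirrors the
'rtr cmd result' action: GET /real-time-response/entities/admin-command/v1 is
queried with cloud_request_id and sequence_id, each resource carries
complete/stdout/stderr, and the caller requests sequence_id + 1 until a
resource reports complete = true. The fetch function is a hypothetical fake.
"""
from typing import Callable, Dict, Tuple

# cloud_request_id taken from the action's input example on the page.
REQ_ID = "505891fe-2b81-4531-baf0-d4bfc8d38107"


def _chunk(seq: int, stdout: str, complete: bool, remaining: int) -> Dict:
    """Build one constructed response shaped like the action's output example."""
    return {
        "status_code": 200,
        "response_headers": {"X-Ratelimit-Limit": "6000",
                             "X-Ratelimit-Remaining": str(remaining)},
        "json_body": {
            "meta": {"query_time": 0.3, "trace_id": f"constructed-trace-{seq}"},
            "resources": [{"session_id": "constructed-session",
                           "task_id": "constructed-task", "complete": complete,
                           "stdout": stdout, "stderr": "", "base_command": "ls"}],
            "errors": [],
        },
    }


# Constructed sample responses keyed by (cloud_request_id, sequence_id):
# three chunks, only the last of which is marked complete.
FAKE_RESPONSES: Dict[Tuple[str, int], Dict] = {
    (REQ_ID, 0): _chunk(0, "file-a\n", False, 5995),
    (REQ_ID, 1): _chunk(1, "file-b\n", False, 5994),
    (REQ_ID, 2): _chunk(2, "file-c\n", True, 5993),
}


def fake_rtr_cmd_result(cloud_request_id: str, sequence_id: int) -> Dict:
    """Hypothetical stand-in for the connector's 'rtr cmd result' action."""
    if (cloud_request_id, sequence_id) in FAKE_RESPONSES:
        return FAKE_RESPONSES[(cloud_request_id, sequence_id)]
    return {"status_code": 404, "response_headers": {},
            "json_body": {"resources": [],
                          "errors": [{"code": 404, "message": "unknown request"}]}}


def _result(stdout, stderr, complete, chunks, error) -> Dict:
    return {"complete": complete, "stdout": "".join(stdout),
            "stderr": "".join(stderr), "chunks": chunks, "error": error}


def collect_rtr_output(cloud_request_id: str,
                       fetch: Callable[[str, int], Dict] = fake_rtr_cmd_result,
                       max_chunks: int = 50,
                       min_remaining: int = 100) -> Dict:
    """Poll sequence_id 0, 1, 2, ... and join stdout/stderr until complete.

    Returns early with an 'error' when the API reports errors or a non-200
    status, when X-Ratelimit-Remaining drops below min_remaining (so a runaway
    poll cannot drain the 6000-request window), or when max_chunks is hit.
    """
    stdout, stderr = [], []
    for seq in range(max_chunks):
        resp = fetch(cloud_request_id, seq)
        body = resp.get("json_body", {})
        if resp.get("status_code") != 200 or body.get("errors"):
            return _result(stdout, stderr, False, seq,
                           body.get("errors") or f"HTTP {resp.get('status_code')}")
        res = body["resources"][0]
        stdout.append(res.get("stdout", ""))
        stderr.append(res.get("stderr", ""))
        if res.get("complete"):
            return _result(stdout, stderr, True, seq + 1, None)
        remaining = int(resp["response_headers"].get("X-Ratelimit-Remaining", "0"))
        if remaining < min_remaining:
            return _result(stdout, stderr, False, seq + 1,
                           "rate limit budget exhausted")
    return _result(stdout, stderr, False, max_chunks, "max_chunks reached")
```

Replacing fake_rtr_cmd_result with a function that invokes the connector action (or the Falcon API directly) keeps the loop unchanged.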