# CrowdStrike Falcon
The CrowdStrike Falcon connector enables automated interactions with the Falcon platform's threat detection, analysis, and response features. CrowdStrike Falcon is an endpoint protection platform that combines threat intelligence with real-time response capabilities to stop breaches. This connector lets Swimlane Turbine users automate incident response and threat hunting through CrowdStrike Falcon's suite of actions: users can manage quarantined files, terminate sessions, retrieve detection summaries, execute real-time commands, and much more, all from within the Swimlane Turbine platform.

## Prerequisites

To use the CrowdStrike Falcon connector with Swimlane Turbine, you need OAuth 2.0 client credentials for authentication, with the following parameters:

- URL: endpoint URL for the CrowdStrike Falcon API (see Asset Configuration)
- Client ID: unique identifier for the OAuth client
- Client Secret: secret key associated with the OAuth client

## Asset Configuration

Each CrowdStrike cloud has a different base URL. When making requests to the CrowdStrike API, use the base URL that corresponds to the cloud where your integration is hosted:

| Cloud | Base URL |
| --- | --- |
| US-1 | https://api.crowdstrike.com |
| US-2 | https://api.us-2.crowdstrike.com |
| EU-1 | https://api.eu-1.crowdstrike.com |
| US-GOV-1 | https://api.laggar.gcw.crowdstrike.com |
| US-GOV-2 | https://api.us-gov-2.crowdstrike.mil |

An API client is created inside one customer ID (CID), and a CID lives in exactly one cloud, so the URL, Client ID and Client Secret must all come from the same cloud. The X-Cs-Region header in the example responses below (for instance `us-1`) shows which cloud answered a request.

## Capabilities

This connector has the following capabilities:

- Detections: Get Detections, Get Detections Summary, Update Detections
- Host: Get Host Info, Get Host ID, Manage Host, Search Hosts
- Incidents: Get Incidents, Perform Incident Action, Query Behaviors
- Users: Get User IDs by Email
- Indicators: Create Indicator, Get Indicator, Query Host for Indicator, Query Indicator, Update Indicator
- Reports: Search Reports
- Real Time Response (RTR): Cmd Result, Admin Cmd Run, Get Script, Get Uploaded File Info, Upload Script, Get Script IDs, Extracted File Content, Delete Session File ID, Session File Download, List Files, Get Session IDs, Upload File, Refresh/Delete/Initialize Session
- Falcon Sandbox: Get File Analysis, Get Reports, Query Reports, Upload File Analysis, Submit File Analysis
- Scan: Delete Quarantine File, Manage Scans, Retrieve Scan by ID
- Scheduled Reports: Get Scheduled Reports, Launch Scheduled Reports, Query Scheduled Reports
- ThreatGraph: Vertex Summary
- Custom Action: Get Results from Vulnerability Keyword Search
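The prerequisites and base-URL table above leave the token mechanics implicit. The following is an added example, not Swimlane's or CrowdStrike's code, showing what a client has to do with those parameters: pick the base URL for the cloud, exchange the Client ID and Client Secret for a bearer token at `/oauth2/token` (sending `member_cid` when acting on an MSSP child CID), cache the token until shortly before it expires, re-authenticate once on a 401, and record the `X-Ratelimit-Remaining` header seen in the example responses. The names `FalconAuth`, `base_url_for`, `urllib_transport` and the injectable `transport`/`clock` callables are this example's own; the HTTP layer is injected so the logic can be exercised offline.

```python
"""Token handling for the OAuth 2.0 Client Credentials configuration (added example)."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Base URLs from the Asset Configuration table.
BASE_URLS = {
    "us-1": "https://api.crowdstrike.com",
    "us-2": "https://api.us-2.crowdstrike.com",
    "eu-1": "https://api.eu-1.crowdstrike.com",
    "us-gov-1": "https://api.laggar.gcw.crowdstrike.com",
    "us-gov-2": "https://api.us-gov-2.crowdstrike.mil",
}


def base_url_for(cloud: str) -> str:
    """Map a cloud name such as 'US-1' or 'us_gov_2' to its API base URL."""
    key = cloud.strip().lower().replace("_", "-")
    if key not in BASE_URLS:
        raise ValueError(f"unknown CrowdStrike cloud {cloud!r}; expected one of {sorted(BASE_URLS)}")
    return BASE_URLS[key]


def urllib_transport(method, url, headers, body=None):
    """Real HTTP transport (certificate verification stays on). Returns (status, headers, json)."""
    data = json.dumps(body).encode() if isinstance(body, dict) else (body.encode() if body else None)
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            status, hdrs, raw = resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a JSON error body
        status, hdrs, raw = err.code, dict(err.headers), err.read()
    return status, hdrs, (json.loads(raw) if raw else {})


class FalconAuth:
    """Caches the bearer token and refreshes it shortly before it expires (assumed design)."""

    REFRESH_MARGIN = 60  # seconds of remaining lifetime at which a new token is fetched

    def __init__(self, cloud, client_id, client_secret, member_cid=None,
                 transport=urllib_transport, clock=time.time):
        self.base_url = base_url_for(cloud)
        self._form = {"client_id": client_id, "client_secret": client_secret}
        if member_cid:  # MSSP parent acting on a child CID (the member_cid configuration option)
            self._form["member_cid"] = member_cid
        self._transport, self._clock = transport, clock
        self._token, self._expires_at = None, 0.0
        self.ratelimit_remaining = None  # last X-Ratelimit-Remaining header seen

    def token(self) -> str:
        """Return a valid bearer token, fetching a new one when the cached one is near expiry."""
        if self._token is None or self._clock() >= self._expires_at - self.REFRESH_MARGIN:
            status, _, body = self._transport(
                "POST", self.base_url + "/oauth2/token",
                {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
                urllib.parse.urlencode(self._form))
            if status != 201:  # Falcon answers a successful token request with 201 Created
                raise PermissionError(f"token request failed: HTTP {status} {body.get('errors')}")
            self._token = body["access_token"]
            self._expires_at = self._clock() + float(body["expires_in"])
        return self._token

    def request(self, method, path, params=None, json_body=None):
        """Authenticated call returning (status, json). Retries once with a fresh token on 401."""
        url = self.base_url + path
        if params:
            url += "?" + urllib.parse.urlencode(params, doseq=True)
        for attempt in (1, 2):
            headers = {"Authorization": f"Bearer {self.token()}", "Accept": "application/json"}
            if json_body is not None:
                headers["Content-Type"] = "application/json"
            status, hdrs, body = self._transport(method, url, headers, json_body)
            remaining = {k.lower(): v for k, v in hdrs.items()}.get("x-ratelimit-remaining")
            if remaining is not None:
                self.ratelimit_remaining = int(remaining)
            if status == 401 and attempt == 1:  # token revoked or expired early: refetch once
                self._token = None
                continue
            if status == 429:
                raise RuntimeError("rate limited by Falcon; back off before retrying")
            return status, body
```

Keep the client secret out of logs: the form body passed to the transport contains it in clear text, which is also why certificate verification must stay on.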
### Custom Action: Get Results from Vulnerability Keyword Search

This action is built on the Spotlight Vulnerabilities service collection; see https://falconpy.io/Service-Collections/Spotlight-Vulnerabilities.html for the available filter fields. Narrow the vulnerabilities with a Falcon Query Language (FQL) filter, for example:

```
status:'open'+cve.exploit_status:['90']+cve.exprt_rating:['CRITICAL']
```

In FQL, `+` joins conditions with AND, string values are single-quoted, and a bracketed list matches any of its values. This filter returns only open vulnerabilities whose CVE is actively exploited (exploit status 90) and carries an ExPRT rating of CRITICAL.

## Configurations

### OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| client_id | The Client ID | string | Required |
| client_secret | The Client Secret | string | Required |
| member_cid | Member CID for MSSP environment | string | Optional |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

The client secret travels in the body of every token request, so leave verify_ssl enabled: turning certificate verification off (for example to pass through an intercepting proxy) lets anyone on the path capture the secret and mint tokens of their own. Grant the API client only the scopes the actions you use require; the real-time response admin actions in particular can run commands on any host the client can reach.

## Actions

### Delete Quarantine File

Removes quarantined files from endpoints in CrowdStrike Falcon using the specified file IDs, action type, and comment.

- Endpoint URL: `/quarantine/entities/quarantined-files/v1`
- Method: PATCH

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| comment | string | Required | Comment to record alongside the action taken |
| ids | array | Required | List of quarantine IDs to update |
| action | string | Required | Action to perform against the quarantined files |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "nginx",
      "Date": "Thu, 02 Nov 2023 16:43:41 GMT",
      "Content-Type": "application/json",
      "Content-Length": "231",
      "Connection": "keep-alive",
      "X-Content-Type-Options": "nosniff",
      "X-Cs-Traceid": "c346f1ac-873b-4794-b85f-f35b9a6b7884",
      "X-Ratelimit-Limit": "15",
      "X-Ratelimit-Remaining": "14",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

Note the `X-Ratelimit-Limit` of 15 on this endpoint, far below the 6000 reported by the query endpoints further down: pass every affected quarantine ID in one call rather than issuing one call per file.
### Delete RTR Session

Terminates an existing real-time response session in CrowdStrike Falcon with the specified session ID.

- Endpoint URL: `/real-time-response/entities/sessions/v1`
- Method: DELETE

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| session_id | string | Required | Unique identifier of the session to terminate |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Raw response text |

#### Example

```json
[
  {
    "status_code": 204,
    "response_headers": {
      "Server": "nginx",
      "Date": "Fri, 21 Oct 2022 18:04:36 GMT",
      "Content-Type": "application/json",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "X-Cs-Region": "us-1",
      "X-Cs-Traceid": "6fa00735-ec3f-4ce5-be30-5ba5e94ec8e6",
      "X-Ratelimit-Limit": "6000",
      "X-Ratelimit-Remaining": "5995",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "reason": "No Content",
    "response_text": ""
  }
]
```

A 204 with an empty body is the success case; do not treat the missing `json_body` as an error. Delete the sessions your playbooks open as soon as their work is done, since an open session keeps a live command channel to the host until it expires.

### Delete RTR Session File

Removes a file from a real-time response session in CrowdStrike Falcon using the provided session and file IDs.

- Endpoint URL: `/real-time-response/entities/file/v2`
- Method: DELETE

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| session_id | string | Required | Unique identifier of the session |
| ids | string | Required | Unique identifier of the file to delete |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| data | object | Response data |
| data.errors | array | Error entries, if any |
| data.errors.code | number | Error code |
| data.errors.id | string | Error identifier |
| data.errors.message | string | Error message |
| data.meta | object | Response metadata |
| data.meta.pagination | object | Pagination details |
| data.meta.pagination.limit | number | Page limit |
| data.meta.pagination.offset | number | Page offset |
| data.meta.pagination.total | number | Total number of results |
| data.meta.powered_by | string | Service that produced the response |
| data.meta.query_time | number | Query time in seconds |
| data.meta.trace_id | string | Trace ID of the request |
| data.meta.writes | object | Write summary |
| data.meta.writes.resources_affected | number | Number of resources affected |
| response_text | string | Raw response text |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 204,
    "response_headers": {
      "Server": "nginx",
      "Date": "Fri, 09 Sep 2022 14:47:19 GMT",
      "Content-Type": "application/json",
      "Content-Length": "215",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "X-Cs-Region": "us-1",
      "X-Cs-Traceid": "b353da90-67d7-49f1-8805-21d76bc45c72",
      "X-Ratelimit-Limit": "6000",
      "X-Ratelimit-Remaining": "5999",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "data": {
      "errors": [],
      "meta": {}
    },
    "response_text": "{\n  \"meta\": {\n    \"query_time\": 0.006583976,\n    \"writes\": {\n      \"resources_affected\": ",
    "reason": "Bad Request"
  }
]
```
### Get Detections

Retrieves a list of detection IDs from CrowdStrike Falcon matching the specified query parameters.

- Endpoint URL: `/detects/queries/detects/v1`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| filter | string | Optional | FQL filter selecting which detections are returned |
| offset | number | Optional | Index of the first result to return (for paging) |
| limit | number | Optional | Maximum number of IDs to return |
| sort | string | Optional | Sort expression (`field|asc` or `field|desc`) |
| q | string | Optional | Free-text search across detection fields |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time in seconds |
| meta.pagination | object | Pagination details |
| meta.pagination.offset | number | Offset of this page |
| meta.pagination.limit | number | Page limit |
| meta.pagination.total | number | Total number of matching detections |
| meta.powered_by | string | Service that produced the response |
| meta.trace_id | string | Trace ID of the request |
| resources | array | Detection IDs |
| errors | array | Error entries, if any |
| file_name | string | Name of the resource |
| file | string | Output field file |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "nginx",
      "Date": "Tue, 18 Oct 2022 20:46:37 GMT",
      "Content-Type": "application/json",
      "Content-Length": "477",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "X-Cs-Region": "us-1",
      "X-Cs-Traceid": "3279d3e5-f9fc-4f43-833b-eab293fa9bbe",
      "X-Ratelimit-Limit": "6000",
      "X-Ratelimit-Remaining": "5995"
    },
    "reason": "OK",
    "json_body": {
      "meta": {},
      "resources": [],
      "errors": []
    }
  }
]
```

`resources` holds only IDs; pass them to Get Detection Summaries for the details. Use `meta.pagination.total` together with `offset` and `limit` to walk a result set larger than one page.
### Get Detection Summaries

Retrieves summaries for specific detections in CrowdStrike Falcon by providing their unique IDs.

- Endpoint URL: `/detects/entities/summaries/GET/v1`
- Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | Detection IDs, as returned by Get Detections |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time in seconds |
| meta.powered_by | string | Service that produced the response |
| meta.trace_id | string | Trace ID of the request |
| resources | array | Detection summaries |
| resources.cid | string | Customer ID |
| resources.created_timestamp | string | When the detection was created |
| resources.detection_id | string | Detection ID |
| resources.device | object | Host on which the detection occurred |
| resources.device.device_id | string | Agent ID (AID) of the host |
| resources.device.cid | string | Customer ID |
| resources.device.agent_load_flags | string | Agent load flags |
| resources.device.agent_local_time | string | Local time reported by the agent |
| resources.device.agent_version | string | Sensor version |
| resources.device.bios_manufacturer | string | BIOS manufacturer |
| resources.device.bios_version | string | BIOS version |
| resources.device.config_id_base | string | Sensor configuration base ID |
| resources.device.config_id_build | string | Sensor configuration build ID |
| resources.device.config_id_platform | string | Sensor configuration platform ID |
| resources.device.external_ip | string | External IP address of the host |
| resources.device.hostname | string | Hostname |
| resources.device.first_seen | string | When the host was first seen |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "nginx",
      "Date": "Tue, 18 Oct 2022 21:17:15 GMT",
      "Content-Type": "application/json",
      "Content-Length": "1919",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "X-Cs-Region": "us-1",
      "X-Cs-Traceid": "bbd58ec5-9822-4ed0-bbce-5f5c5b1da5c1",
      "X-Ratelimit-Limit": "6000",
      "X-Ratelimit-Remaining": "5995"
    },
    "reason": "OK",
    "json_body": {
      "meta": {},
      "resources": [],
      "errors": []
    }
  }
]
```
### Execute RTR Command

Executes a real-time response admin command on a host in CrowdStrike Falcon using the given command string, device ID, and session ID.

- Endpoint URL: `/real-time-response/entities/admin-command/v1`
- Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| base_command | string | Optional | RTR command verb (for example `ls` or `runscript`); should match the verb used in command_string |
| command_string | string | Required | Full command line to execute, including the verb and its arguments |
| device_id | string | Required | Agent ID (AID) of the target host |
| id | number | Optional | Unique identifier |
| persist | boolean | Optional | Whether to persist the command |
| session_id | string | Required | ID of an initialized RTR session on the host |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time in seconds |
| meta.powered_by | string | Service that produced the response |
| meta.trace_id | string | Trace ID of the request |
| resources | array | Accepted commands |
| resources.session_id | string | Session the command was issued in |
| resources.cloud_request_id | string | ID used to poll for the command's result (Cmd Result) |
| resources.queued_command_offline | boolean | True if the host was offline and the command was queued |
| errors | object | Error entries, if any |

#### Example

```json
[
  {
    "status_code": 201,
    "response_headers": {
      "Server": "nginx",
      "Date": "Thu, 20 Oct 2022 18:15:48 GMT",
      "Content-Type": "application/json",
      "Content-Length": "264",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "X-Cs-Region": "us-1",
      "X-Cs-Traceid": "2c4d5303-a9b9-4dc7-8b17-122bddca8374",
      "X-Ratelimit-Limit": "6000",
      "X-Ratelimit-Remaining": "5994",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "reason": "Created",
    "json_body": {
      "meta": {},
      "resources": [],
      "errors": null
    }
  }
]
```

A 201 means the command was accepted, not that it has run: poll `cloud_request_id` until the result is complete. Because this is the admin endpoint, it accepts the privileged verbs as well as the read-only ones; never interpolate untrusted data from an incident into `command_string`.
### Get File Analysis

Retrieves the status of a sandbox file analysis in CrowdStrike Falcon for the given submission IDs.

- Endpoint URL: `/falconx/entities/submissions/v1`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | Submission IDs |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get Incidents IDs

Retrieves a list of incident IDs from CrowdStrike Falcon matching the specified search parameters.

- Endpoint URL: `/incidents/queries/incidents/v1`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| sort | string | Optional | Sort expression (`field|asc` or `field|desc`) |
| filter | string | Optional | FQL filter selecting which incidents are returned |
| offset | string | Optional | Index of the first result to return (for paging) |
| limit | number | Optional | Maximum number of IDs to return |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time in seconds |
| meta.pagination | object | Pagination details |
| meta.pagination.offset | number | Offset of this page |
| meta.pagination.limit | number | Page limit |
| meta.pagination.total | number | Total number of matching incidents |
| meta.powered_by | string | Service that produced the response |
| meta.trace_id | string | Trace ID of the request |
| resources | array | Incident IDs |
| errors | array | Error entries, if any |
| file_name | string | Name of the resource |
| file | string | Output field file |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "nginx",
      "Date": "Fri, 21 Oct 2022 17:34:49 GMT",
      "Content-Type": "application/json",
      "Content-Length": "273",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "X-Cs-Region": "us-1",
      "X-Cs-Traceid": "e832d840-8e96-4ed3-aafd-33f5613f3c0b",
      "X-Ratelimit-Limit": "6000",
      "X-Ratelimit-Remaining": "5996"
    },
    "reason": "OK",
    "json_body": {
      "meta": {},
      "resources": [],
      "errors": []
    }
  }
]
```
### Get Reports by IDs

Retrieves full sandbox analysis reports from CrowdStrike Falcon by report ID.

- Endpoint URL: `/falconx/entities/reports/v1`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | Report IDs |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Query Reports

Finds sandbox report IDs in CrowdStrike Falcon using an FQL filter and paging.

- Endpoint URL: `/falconx/queries/reports/v1`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| offset | string | Optional | Index of the first result to return (for paging) |
| limit | number | Optional | Maximum number of IDs to return |
| sort | string | Optional | Sort expression (`field|asc` or `field|desc`) |
| filter | string | Optional | FQL filter selecting which reports are returned |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get Results from Vulnerability Keyword Search

Retrieves the vulnerability IDs, affected agent IDs (AIDs), and CVEs related to a keyword in CrowdStrike Falcon, narrowed by a custom FQL filter.

- Endpoint URL: not applicable (custom action built on the Spotlight Vulnerabilities service collection; see the Custom Action section above)
- Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| keyword | string | Required | Keyword for filtering vulnerabilities |
| filter | string | Required | FQL filter on status, exploit status, ExPRT rating, etc. |
| test_mode | boolean | Optional | Toggle to run a quick test |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| ids | array | Vulnerability IDs |
| aids | array | Agent IDs of the affected hosts |
| cves | array | CVE IDs |
| host_info | object | Per-host details, keyed by agent ID (the schema sample lists keys such as `f06292f397d5438e9cb61faf97aa0726`) |
| host_info.&lt;aid&gt; | object | Details for one host |
| host_info.&lt;aid&gt;.hostname | string | Hostname |
| host_info.&lt;aid&gt;.local_ip | string | Local IP address of the host |

#### Example

```json
[
  {
    "status_code": 200,
    "json_body": {
      "ids": [],
      "aids": [],
      "cves": [],
      "host_info": {}
    }
  }
]
```
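Get Detections and Get Detection Summaries above are two halves of the same Falcon convention (a `/queries/` endpoint returning IDs, an `/entities/` endpoint returning records), and the vulnerability keyword search relies on an FQL filter into which a user-supplied keyword is spliced. The following is an added example, not Swimlane's or CrowdStrike's code, covering both: a small FQL builder that refuses values which could alter the filter (quotes, `+`, commas, brackets), offset/limit paging driven by `meta.pagination.total`, and batched entity lookups. The `call(method, path, params=None, json_body=None)` callable returning the decoded JSON body, the 1000-IDs-per-request batch size, and treating the keyword as a `cve.id` value are this example's own assumptions.

```python
"""FQL filters and the queries-then-entities pattern (added example)."""
import re
from typing import Callable, Iterator, List, Sequence

Call = Callable[..., dict]  # assumed client callable: call(method, path, params=None, json_body=None) -> json body

# Characters allowed inside a quoted FQL string value.  Quotes, '+', ',' and brackets are
# excluded so a user-supplied keyword cannot append or alter filter clauses.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9 ._:/@\-]*$")


def fql_value(value) -> str:
    """Render a Python value as an FQL literal: 'text', 42, true, ['a','b']."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, (list, tuple)):
        return "[" + ",".join(fql_value(v) for v in value) + "]"
    if not isinstance(value, str) or not _SAFE_VALUE.match(value):
        raise ValueError(f"refusing unsafe FQL value {value!r}")
    return f"'{value}'"


def fql_and(*clauses) -> str:
    """Join clauses with FQL's '+' (AND). A clause is (field, value) or (field, op, value)."""
    parts = []
    for clause in clauses:
        field, op, value = clause if len(clause) == 3 else (clause[0], "", clause[1])
        parts.append(f"{field}:{op}{fql_value(value)}")
    return "+".join(parts)


def iter_query_ids(call: Call, query_path: str, fql: str, page_size: int = 500,
                   sort: str = None) -> Iterator[str]:
    """Walk a /queries/ endpoint with offset/limit until meta.pagination.total is reached."""
    offset = 0
    while True:
        params = {"filter": fql, "offset": offset, "limit": page_size}
        if sort:
            params["sort"] = sort
        body = call("GET", query_path, params=params)
        ids = body.get("resources") or []
        yield from ids
        offset += len(ids)
        total = body.get("meta", {}).get("pagination", {}).get("total", 0)
        if not ids or offset >= total:
            return


def fetch_entities(call: Call, entity_path: str, ids: Sequence[str], batch: int = 1000) -> List[dict]:
    """POST IDs to an /entities/ endpoint in batches (1000 per request is an assumed cap)."""
    out = []
    for i in range(0, len(ids), batch):
        body = call("POST", entity_path, json_body={"ids": list(ids[i:i + batch])})
        out.extend(body.get("resources") or [])
    return out


def detection_summaries(call: Call, fql: str, page_size: int = 500) -> List[dict]:
    """Get Detections (IDs, newest behaviour first) followed by Get Detection Summaries."""
    ids = list(iter_query_ids(call, "/detects/queries/detects/v1", fql, page_size,
                              sort="last_behavior|desc"))
    return fetch_entities(call, "/detects/entities/summaries/GET/v1", ids)


def vulnerability_filter(keyword: str, status: str = "open", exploit_status=("90",),
                         exprt_rating=("CRITICAL",)) -> str:
    """The page's Spotlight example filter, extended with the keyword as a CVE ID (assumption)."""
    return fql_and(("status", status), ("cve.exploit_status", list(exploit_status)),
                   ("cve.exprt_rating", list(exprt_rating)), ("cve.id", keyword))
```

`fql_value` raises instead of escaping: a keyword such as `x'+status:'closed` is far more likely to be an injection attempt or a typo than a legitimate search term, and failing loudly keeps the playbook from silently widening its query.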
### Get RTR Extracted File Contents

Retrieves the contents of a file extracted in a CrowdStrike Falcon RTR session, identified by session ID and SHA-256.

- Endpoint URL: `/real-time-response/entities/extracted-file-contents/v1`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| session_id | string | Required | Unique identifier of the session |
| sha256 | string | Required | SHA-256 of the extracted file, as listed by Get RTR Session Files |
| filename | string | Optional | Name to give the downloaded file |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | array | Downloaded file |
| file.file | string | File contents |
| file.file_name | string | File name |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "file": []
  }
]
```

Falcon delivers extracted files as a 7-Zip archive protected with the password `infected`; treat the contents as potentially malicious and unpack them only in an analysis environment.
### Get RTR Put Files

Retrieves the files available to CrowdStrike Falcon's real-time response `put` command, by ID.

- Endpoint URL: `/real-time-response/entities/put-files/v2`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | Put-file IDs |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| data | object | Response data |
| data.errors | array | Error entries, if any |
| data.errors.code | number | Error code |
| data.errors.id | string | Error identifier |
| data.errors.message | string | Error message |
| data.meta | object | Response metadata |
| data.meta.pagination | object | Pagination details |
| data.meta.pagination.limit | number | Page limit |
| data.meta.pagination.offset | number | Page offset |
| data.meta.pagination.total | number | Total number of results |
| data.meta.powered_by | string | Service that produced the response |
| data.meta.query_time | number | Query time in seconds |
| data.meta.trace_id | string | Trace ID of the request |
| data.meta.writes | object | Write summary |
| data.meta.writes.resources_affected | number | Number of resources affected |
| data.resources | array | Put files |
| data.resources.bucket | string | Storage bucket holding the file |
| data.resources.cid | string | Customer ID |
| data.resources.comments_for_audit_log | string | Comment recorded in the audit log |
| data.resources.content | string | File content |
| data.resources.created_by | string | User who uploaded the file |
| data.resources.created_by_uuid | string | UUID of the uploading user |
| data.resources.created_timestamp | string | When the file was uploaded |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "nginx",
      "Date": "Fri, 09 Sep 2022 12:21:15 GMT",
      "Content-Type": "application/json",
      "Content-Length": "149",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "X-Cs-Region": "us-1",
      "X-Cs-Traceid": "ae976111-9d15-4e08-8fd2-944e29b0a651",
      "X-Ratelimit-Limit": "6000",
      "X-Ratelimit-Remaining": "5998",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "data": {
      "errors": [],
      "meta": {},
      "resources": []
    },
    "reason": "OK"
  }
]
```
### Get RTR Session Files

Retrieves the list of files in a specific CrowdStrike Falcon RTR session, using the provided session ID.

- Endpoint URL: `/real-time-response/entities/file/v2`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| session_id | string | Required | Unique identifier of the session |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time in seconds |
| meta.powered_by | string | Service that produced the response |
| meta.trace_id | string | Trace ID of the request |
| resources | array | Files in the session |
| resources.id | string | File ID |
| resources.cloud_request_id | string | ID of the command that produced the file |
| resources.created_at | string | When the file entry was created |
| resources.updated_at | string | When the file entry was last updated |
| resources.deleted_at | string | When the file entry was deleted, if it was |
| resources.error_message | string | Error message, if the transfer failed |
| resources.name | string | File name |
| resources.progress | number | Transfer progress |
| resources.session_id | string | Session the file belongs to |
| resources.sha256 | string | SHA-256 of the file (use with Get RTR Extracted File Contents) |
| resources.size | number | File size in bytes |
| resources.stage | string | Transfer stage |
| resources.status | string | Transfer status |
| resources.complete | boolean | Whether the transfer has completed |
| errors | array | Error entries, if any |
| file_name | string | Name of the resource |
| file | string | Output field file |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "nginx",
      "Date": "Thu, 20 Oct 2022 17:23:05 GMT",
      "Content-Type": "application/json",
      "Content-Length": "160",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "X-Cs-Region": "us-1",
      "X-Cs-Traceid": "423cc665-1ac3-4b26-a2ba-5fb778ad0ae7",
      "X-Ratelimit-Limit": "6000",
      "X-Ratelimit-Remaining": "5996",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "reason": "OK",
    "json_body": {
      "meta": {},
      "resources": [],
      "errors": []
    }
  }
]
```

### Get RTR Session IDs

Retrieves a list of real-time response session IDs from CrowdStrike Falcon to support incident investigation and response.

- Endpoint URL: `/real-time-response/queries/sessions/v1`
- Method: GET

#### Input

No input arguments are listed for this action.

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time in seconds |
| meta.pagination | object | Pagination details |
| meta.pagination.offset | number | Offset of this page |
| meta.pagination.limit | number | Page limit |
| meta.pagination.total | number | Total number of sessions |
| meta.powered_by | string | Service that produced the response |
| meta.trace_id | string | Trace ID of the request |
| resources | array | Session IDs |
| errors | array | Error entries, if any |
| file_name | string | Name of the resource |
| file | string | Output field file |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "nginx",
      "Date": "Thu, 20 Oct 2022 17:18:21 GMT",
      "Content-Type": "application/json",
      "Content-Length": "323",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "X-Cs-Region": "us-1",
      "X-Cs-Traceid": "73e24c31-821c-44a0-8689-81348c270689",
      "X-Ratelimit-Limit": "6000",
      "X-Ratelimit-Remaining": "5995",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "reason": "OK",
    "json_body": {
      "meta": {},
      "resources": [],
      "errors": []
    }
  }
]
```
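The RTR actions documented above (Execute RTR Command, Get RTR Session Files, Delete RTR Session, and the Cmd Result and Initialize Session capabilities) are only useful in sequence. The following is an added example, not Swimlane's or CrowdStrike's code, that runs them as one guarded workflow: open a session, submit an admin command from an allowlist of verbs, poll the result by `cloud_request_id` until it is complete, list the files the session staged, and delete the session in a `finally` block so a timeout or API error never leaves a live channel open. Beyond what the page documents, this example assumes the session-initialization body `{"device_id", "queue_offline"}`, a GET on the admin-command endpoint with `cloud_request_id` and `sequence_id` for results, and a `call(method, path, params=None, json_body=None)` client callable returning the decoded JSON body; `ALLOWED_BASE_COMMANDS` and `run_rtr_command` are this example's own names.

```python
"""Guarded RTR session lifecycle (added example)."""
import time
from typing import Callable

# Verbs this automation may run.  runscript -CloudFile executes scripts vetted in the
# Falcon console; the privileged 'run' and 'put' verbs are left out deliberately.
ALLOWED_BASE_COMMANDS = frozenset({"ls", "ps", "netstat", "cat", "runscript", "get"})


def _first(body: dict) -> dict:
    """Return resources[0], raising if the API reported errors."""
    errors = body.get("errors") or []
    if errors:
        raise RuntimeError(f"Falcon API error: {errors}")
    return body["resources"][0]


def run_rtr_command(call: Callable[..., dict], device_id: str, base_command: str,
                    command_string: str, timeout: float = 120.0, poll_every: float = 2.0,
                    sleep=time.sleep, clock=time.monotonic) -> dict:
    """Run one admin command on a host and return {"stdout", "stderr", "files"}.

    The session is always deleted, even when polling times out or the API errors.
    """
    if base_command not in ALLOWED_BASE_COMMANDS:
        raise PermissionError(f"base_command {base_command!r} is not allowed")
    if command_string.split()[0] != base_command:
        raise ValueError("command_string must start with base_command")
    # 1. Initialize the session (queue_offline=False: fail fast if the host is offline).
    session = _first(call("POST", "/real-time-response/entities/sessions/v1",
                          json_body={"device_id": device_id, "queue_offline": False}))
    session_id = session["session_id"]
    try:
        # 2. Execute RTR Command: a 201 means accepted, not finished.
        accepted = _first(call("POST", "/real-time-response/entities/admin-command/v1",
                               json_body={"base_command": base_command,
                                          "command_string": command_string,
                                          "device_id": device_id, "session_id": session_id,
                                          "persist": True}))
        if accepted.get("queued_command_offline"):
            raise RuntimeError("host is offline; the command was queued, not run")
        # 3. Poll the Cmd Result for this cloud_request_id until complete.
        deadline = clock() + timeout
        while True:
            result = _first(call("GET", "/real-time-response/entities/admin-command/v1",
                                 params={"cloud_request_id": accepted["cloud_request_id"],
                                         "sequence_id": 0}))
            if result.get("complete"):
                break
            if clock() >= deadline:
                raise TimeoutError(f"command did not complete within {timeout}s")
            sleep(poll_every)
        # 4. Files staged with 'get' appear in Get RTR Session Files.
        files = call("GET", "/real-time-response/entities/file/v2", params={"session_id": session_id})
        return {"stdout": result.get("stdout", ""), "stderr": result.get("stderr", ""),
                "files": files.get("resources") or []}
    finally:
        # 5. Delete RTR Session (204 No Content on success).
        call("DELETE", "/real-time-response/entities/sessions/v1", params={"session_id": session_id})
```

The allowlist is the important control: the admin endpoint will happily run `put` and `run`, so a playbook that builds `command_string` from ticket fields needs the verb pinned by code, not by convention.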
### Get Scheduled Reports

Retrieves scheduled reports from CrowdStrike Falcon for the specified report IDs.

- Endpoint URL: `/reports/entities/scheduled-reports/v1`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | The scheduled report IDs to get details about |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| errors | array | Error entries, if any |
| errors.code | number | Error code |
| errors.id | string | Error identifier |
| errors.message | string | Error message |
| meta | object | Response metadata |
| meta.pagination | object | Pagination details |
| meta.pagination.limit | number | Page limit |
| meta.pagination.offset | number | Page offset |
| meta.pagination.total | number | Total number of results |
| meta.powered_by | string | Service that produced the response |
| meta.query_time | number | Query time in seconds |
| meta.trace_id | string | Trace ID of the request |
| meta.writes | object | Write summary |
| meta.writes.resources_affected | number | Number of resources affected |
| resources | array | Scheduled reports |
| resources.api_client_id | string | API client that owns the report |
| resources.can_write | boolean | Whether the caller may modify the report |
| resources.created_on | string | When the report was created |
| resources.customer_id | string | Customer ID |
| resources.description | string | Report description |
| resources.expiration_on | string | When the report expires |
| resources.id | string | Scheduled report ID |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "errors": [],
      "meta": {},
      "resources": []
    }
  }
]
```
### Get Scripts

Retrieves custom real-time response scripts from CrowdStrike Falcon by ID.

- Endpoint URL: `/real-time-response/entities/scripts/v2`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | Script IDs |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time in seconds |
| meta.powered_by | string | Service that produced the response |
| meta.trace_id | string | Trace ID of the request |
| resources | array | Scripts |
| resources.id | string | Script ID |
| resources.name | string | Script name |
| resources.description | string | Script description |
| resources.file_type | string | Script file type |
| resources.platform | array | Platforms the script runs on |
| resources.size | number | Script size in bytes |
| resources.content | string | Script body |
| resources.created_by | string | User who created the script |
| resources.created_by_uuid | string | UUID of the creating user |
| resources.created_timestamp | string | When the script was created |
| resources.modified_by | string | User who last modified the script |
| resources.modified_timestamp | string | When the script was last modified |
| resources.sha256 | string | SHA-256 of the script body |
| resources.permission_type | string | Who is permitted to run the script |
| resources.run_attempt_count | number | Number of times the script was run |
| resources.run_success_count | number | Number of successful runs |
| resources.write_access | boolean | Whether the caller may modify the script |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "nginx",
      "Date": "Thu, 20 Oct 2022 17:50:32 GMT",
      "Content-Type": "application/json",
      "Content-Length": "605",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "X-Cs-Region": "us-1",
      "X-Cs-Traceid": "07e49eb5-409a-4a44-a233-3037b242ad9c",
      "X-Ratelimit-Limit": "6000",
      "X-Ratelimit-Remaining": "5995",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "reason": "OK",
    "json_body": {
      "meta": {},
      "resources": []
    }
  }
]
```

Before a playbook runs a cloud script with `runscript -CloudFile`, compare `resources.sha256` and `resources.modified_by` with the values recorded when the script was approved: anyone holding the scripts write scope can change the body that will execute on every targeted host.
### Get Scripts IDs

Retrieves real-time response script IDs from CrowdStrike Falcon for use in incident response playbooks.

- Endpoint URL: `/real-time-response/queries/scripts/v1`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| offset | string | Optional | Index of the first result to return (for paging) |
| limit | number | Optional | Maximum number of IDs to return |
| sort | string | Optional | Sort expression (`field|asc` or `field|desc`) |
| filter | string | Optional | FQL filter selecting which scripts are returned |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time in seconds |
| meta.pagination | object | Pagination details |
| meta.pagination.offset | number | Offset of this page |
| meta.pagination.limit | number | Page limit |
| meta.pagination.total | number | Total number of scripts |
| meta.powered_by | string | Service that produced the response |
| meta.trace_id | string | Trace ID of the request |
| resources | array | Script IDs |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "nginx",
      "Date": "Thu, 20 Oct 2022 17:37:05 GMT",
      "Content-Type": "application/json",
      "Content-Length": "650",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "X-Cs-Region": "us-1",
      "X-Cs-Traceid": "31159bff-08b4-4175-a561-e6b7aa7f70c4",
      "X-Ratelimit-Limit": "6000",
      "X-Ratelimit-Remaining": "5996",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "reason": "OK",
    "json_body": {
      "meta": {},
      "resources": []
    }
  }
]
```

### Get User IDs

Retrieves a list of user IDs from CrowdStrike Falcon.

- Endpoint URL: `/user-management/queries/users/v1`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| filter | string | Optional | FQL filter selecting which users are returned |
| limit | number | Optional | Maximum number of IDs to return |
| offset | number | Optional | Index of the first result to return (for paging) |
| sort | string | Optional | Sort expression (`field|asc` or `field|desc`) |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time in seconds |
| meta.pagination | object | Pagination details |
| meta.pagination.offset | number | Offset of this page |
| meta.pagination.limit | number | Page limit |
| meta.pagination.total | number | Total number of users |
| meta.powered_by | string | Service that produced the response |
| meta.trace_id | string | Trace ID of the request |
| resources | array | User IDs |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "nginx",
      "Date": "Mon, 09 Jan 2023 23:11:38 GMT",
      "Content-Type": "application/json",
      "Content-Length": "222",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "X-Cs-Region": "us-1",
      "X-Cs-Traceid": "97f3a15e-2472-49ef-af72-1d675c122098",
      "X-Ratelimit-Limit": "6000",
      "X-Ratelimit-Remaining": "5997"
    },
    "reason": "OK",
    "json_body": {
      "meta": {},
      "resources": []
    }
  }
]
```
### Get Host Info

Retrieves detailed information for the specified hosts in CrowdStrike Falcon, by agent ID.

- Endpoint URL: `/devices/entities/devices/v2`
- Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | Agent IDs (AIDs) of the hosts |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time in seconds |
| meta.powered_by | string | Service that produced the response |
| meta.trace_id | string | Trace ID of the request |
| resources | array | Host records |
| resources.device_id | string | Agent ID (AID) |
| resources.cid | string | Customer ID |
| resources.agent_load_flags | string | Agent load flags |
| resources.agent_local_time | string | Local time reported by the agent |
| resources.agent_version | string | Sensor version |
| resources.bios_manufacturer | string | BIOS manufacturer |
| resources.bios_version | string | BIOS version |
| resources.build_number | string | Operating system build number |
| resources.config_id_base | string | Sensor configuration base ID |
| resources.config_id_build | string | Sensor configuration build ID |
| resources.config_id_platform | string | Sensor configuration platform ID |
| resources.cpu_signature | string | CPU signature |
| resources.external_ip | string | External IP address of the host |
| resources.mac_address | string | MAC address |
| resources.hostname | string | Hostname |
| resources.first_seen | string | When the host was first seen |
| resources.last_seen | string | When the host was last seen |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "nginx",
      "Date": "Tue, 18 Oct 2022 22:01:51 GMT",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "X-Cs-Region": "us-1",
      "X-Cs-Traceid": "fa8f0e31-b0b0-4f71-a82e-aed99cff4785",
      "X-Ratelimit-Limit": "6000",
      "X-Ratelimit-Remaining": "5996"
    },
    "reason": "OK",
    "json_body": {
      "meta": {},
      "resources": [],
      "errors": null
    }
  }
]
```
### Search Host

Searches all hosts in CrowdStrike Falcon using a Falcon Query Language (FQL) filter and returns matching agent IDs.

- Endpoint URL: `/devices/queries/devices/v1`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| offset | number | Optional | Index of the first result to return (for paging) |
| limit | number | Optional | Maximum number of IDs to return |
| sort | string | Optional | Sort expression (`field|asc` or `field|desc`) |
| filter | string | Optional | FQL filter selecting which hosts are returned |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time in seconds |
| meta.pagination | object | Pagination details |
| meta.pagination.offset | number | Offset of this page |
| meta.pagination.limit | number | Page limit |
| meta.pagination.total | number | Total number of matching hosts |
| meta.powered_by | string | Service that produced the response |
| meta.trace_id | string | Trace ID of the request |
| resources | array | Agent IDs (AIDs) |
| errors | array | Error entries, if any |
| file_name | string | Name of the resource |
| file | string | Output field file |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "nginx",
      "Date": "Tue, 18 Oct 2022 21:36:02 GMT",
      "Content-Type": "application/json",
      "Content-Length": "267",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "X-Cs-Region": "us-1",
      "X-Cs-Traceid": "3c0f732c-44bc-42f2-8b21-582b4054486b",
      "X-Ratelimit-Limit": "6000",
      "X-Ratelimit-Remaining": "5996"
    },
    "reason": "OK",
    "json_body": {
      "meta": {},
      "resources": [],
      "errors": []
    }
  }
]
```
### Get Incidents

Retrieves detailed information for the specified incidents in CrowdStrike Falcon, by incident ID.

- Endpoint URL: `/incidents/entities/incidents/GET/v1`
- Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | Incident IDs, as returned by Get Incidents IDs |

#### Output

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Response metadata |
| meta.query_time | number | Query time in seconds |
| meta.powered_by | string | Service that produced the response |
| meta.trace_id | string | Trace ID of the request |
| resources | array | Incidents |
| resources.incident_id | string | Incident ID |
| resources.incident_type | number | Incident type |
| resources.cid | string | Customer ID |
| resources.host_ids | array | Agent IDs of the hosts involved |
| resources.hosts | array | Hosts involved in the incident |
| resources.hosts.device_id | string | Agent ID (AID) |
| resources.hosts.cid | string | Customer ID |
| resources.hosts.agent_load_flags | string | Agent load flags |
| resources.hosts.agent_local_time | string | Local time reported by the agent |
| resources.hosts.agent_version | string | Sensor version |
| resources.hosts.bios_manufacturer | string | BIOS manufacturer |
| resources.hosts.bios_version | string | BIOS version |
| resources.hosts.config_id_base | string | Sensor configuration base ID |
| resources.hosts.config_id_build | string | Sensor configuration build ID |
| resources.hosts.config_id_platform | string | Sensor configuration platform ID |
| resources.hosts.external_ip | string | External IP address of the host |
| resources.hosts.hostname | string | Hostname |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "nginx",
      "Date": "Wed, 19 Oct 2022 21:08:34 GMT",
      "Content-Type": "application/json",
      "Content-Length": "984",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "X-Cs-Region": "us-1",
      "X-Cs-Traceid": "ed44f4f3-d445-43df-8f19-97e27c1b07fc",
      "X-Ratelimit-Limit": "6000",
      "X-Ratelimit-Remaining": "5993"
    },
    "reason": "OK",
    "json_body": {
      "meta": {},
      "resources": [],
      "errors": []
    }
  }
]
```
config id base string unique identifier config id build string unique identifier config id platform string unique identifier external ip string output field external ip hostname string name of the resource example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "wed, 19 oct 2022 21 08 34 gmt", "content type" "application/json", "content length" "984", "connection" "keep alive", "content encoding" "gzip", "strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains", "x cs region" "us 1", "x cs traceid" "ed44f4f3 d445 43df 8f19 97e27c1b07fc", "x ratelimit limit" "6000", "x ratelimit remaining" "5993" }, "reason" "ok", "json body" { "meta" {}, "resources" \[], "errors" \[] } } ] create indicator create a new threat intelligence indicator in crowdstrike falcon using the specified json body format endpoint url iocs/entities/indicators/v1 method post input argument name type required description input argument name type required description comment string optional parameter for create indicator indicators array optional parameter for create indicator action string optional parameter for create indicator applied globally boolean optional parameter for create indicator description string optional parameter for create indicator expiration string optional parameter for create indicator host groups array optional parameter for create indicator metadata object optional response data filename string optional name of the resource mobile action string optional parameter for create indicator platforms array optional parameter for create indicator severity string optional parameter for create indicator source string optional parameter for create indicator tags array optional parameter for create indicator type string optional type of the resource value string optional value for the parameter output parameter type description parameter type description status code number http status code of the response reason string 
response reason phrase meta object output field meta query time number time value pagination object output field pagination limit number output field limit total number output field total powered by string output field powered by trace id string unique identifier errors object error message if any resources array output field resources id string unique identifier type string type of the resource value string value for the parameter action string output field action severity string output field severity platforms array output field platforms tags array output field tags file name string name of the resource file string output field file expired boolean output field expired deleted boolean output field deleted applied globally boolean output field applied globally from parent boolean output field from parent example \[ { "status code" 201, "response headers" { "server" "nginx", "date" "mon, 17 oct 2022 18 32 59 gmt", "content type" "application/json", "content length" "440", "connection" "keep alive", "content encoding" "gzip", "strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains", "x cs region" "us 1", "x cs traceid" "42dfdd44 d39d 4f40 9e2e 22639b5de5d8", "x ratelimit limit" "6000", "x ratelimit remaining" "5995" }, "reason" "created", "json body" { "meta" {}, "errors" null, "resources" \[] } } ] delete indicator removes a specified indicator from crowdstrike falcon using the provided parameters endpoint url iocs/entities/indicators/v1 method delete input argument name type required description input argument name type required description filter string optional parameter for delete indicator ids array optional unique identifier comment string optional parameter for delete indicator output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta query time number time value powered by string 
output field powered by trace id string unique identifier errors object error message if any resources array output field resources example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "tue, 18 oct 2022 18 32 58 gmt", "content type" "application/json", "content length" "207", "connection" "keep alive", "content encoding" "gzip", "strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains", "x cs region" "us 1", "x cs traceid" "276d1125 e1ff 41a3 bdc6 ff9db65f3d81", "x ratelimit limit" "6000", "x ratelimit remaining" "5996" }, "reason" "ok", "json body" { "meta" {}, "errors" null, "resources" \[] } } ] get indicator retrieve detailed information for a specific indicator in crowdstrike falcon using its unique id endpoint url iocs/entities/indicators/v1 method get input argument name type required description input argument name type required description ids array required unique identifier output parameter type description parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta query time number time value pagination object output field pagination limit number output field limit total number output field total powered by string output field powered by trace id string unique identifier errors object error message if any resources array output field resources id string unique identifier type string type of the resource value string value for the parameter action string output field action severity string output field severity platforms array output field platforms tags array output field tags file name string name of the resource file string output field file expired boolean output field expired deleted boolean output field deleted applied globally boolean output field applied globally from parent boolean output field from parent example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "tue, 18 
oct 2022 18 45 23 gmt", "content type" "application/json", "content length" "441", "connection" "keep alive", "content encoding" "gzip", "strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains", "x cs region" "us 1", "x cs traceid" "84480a60 2e75 4deb 9abd 44ac034175a1", "x ratelimit limit" "6000", "x ratelimit remaining" "5994" }, "reason" "ok", "json body" { "meta" {}, "errors" null, "resources" \[] } } ] query indicator query crowdstrike falcon for indicator ids by specifying 'type' and 'value' to augment threat intelligence initiatives endpoint url /indicators/queries/devices/v1 method get input argument name type required description input argument name type required description type string required type of the resource value string required value for the parameter limit number optional parameter for query indicator offset number optional parameter for query indicator output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta query time number time value pagination object output field pagination offset string output field offset limit number output field limit trace id string unique identifier entity string output field entity resources array output field resources errors array error message if any file name string name of the resource file string output field file example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "thu, 20 oct 2022 17 06 57 gmt", "content type" "application/json", "content length" "228", "connection" "keep alive", "content encoding" "gzip", "strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains", "x cs region" "us 1", "x cs traceid" "7a0bdb09 f1df 48ee 970f 48291e14ea00", "x ratelimit limit" "6000", "x ratelimit remaining" "5996" }, "reason" "ok", "json body" { "meta" {}, "resources" \[], "errors" 
\[] } } ] search indicators executes a refined search for indicators within crowdstrike falcon using specified filter criteria and returns matching results endpoint url iocs/queries/indicators/v1 method get input argument name type required description input argument name type required description filter string required parameter for search indicators offset number optional parameter for search indicators limit number optional parameter for search indicators sort string optional parameter for search indicators after string optional parameter for search indicators output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta query time number time value pagination object output field pagination limit number output field limit total number output field total offset number output field offset after string output field after powered by string output field powered by trace id string unique identifier errors object error message if any resources array output field resources example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "tue, 18 oct 2022 18 22 49 gmt", "content type" "application/json", "content length" "362", "connection" "keep alive", "content encoding" "gzip", "strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains", "x cs region" "us 1", "x cs traceid" "49884bfe e178 45a0 84e0 dd8445d67abc", "x ratelimit limit" "6000", "x ratelimit remaining" "5996" }, "reason" "ok", "json body" { "meta" {}, "errors" null, "resources" \[] } } ] update indicator update specific indicator details within the crowdstrike falcon platform to maintain accurate threat intelligence endpoint url iocs/entities/indicators/v1 method patch input argument name type required description argument name type required description retrodetects boolean optional parameter for update indicator ignore warnings 
boolean optional parameter for update indicator bulk update object optional date value action string optional parameter for update indicator applied globally boolean optional parameter for update indicator description string optional parameter for update indicator expiration string optional parameter for update indicator filter string optional parameter for update indicator from parent boolean optional parameter for update indicator host groups array optional parameter for update indicator metadata object optional response data filename string optional name of the resource mobile action string optional parameter for update indicator platforms array optional parameter for update indicator severity string optional parameter for update indicator source string optional parameter for update indicator tags array optional parameter for update indicator comment string optional parameter for update indicator indicators array optional parameter for update indicator action string optional parameter for update indicator applied globally boolean optional parameter for update indicator description string optional parameter for update indicator expiration string optional parameter for update indicator host groups array optional parameter for update indicator output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta query time number time value pagination object output field pagination limit number output field limit total number output field total powered by string output field powered by trace id string unique identifier errors object error message if any resources array output field resources file name string name of the resource file string output field file example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "tue, 18 oct 2022 19 21 59 gmt", "content type" "application/json", "content length" "192", "connection" "keep 
alive", "content encoding" "gzip", "strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains", "x cs region" "us 1", "x cs traceid" "9b70ab70 9506 4f11 abc8 920efde2034d", "x ratelimit limit" "6000", "x ratelimit remaining" "5996" }, "reason" "ok", "json body" { "meta" {}, "errors" null, "resources" \[] } } ] initialize rtr session establishes a new real time response session within crowdstrike falcon for immediate incident response endpoint url real time response/entities/sessions/v1 method post input argument name type required description input argument name type required description paramters object optional parameter for initialize rtr session timeout number optional parameter for initialize rtr session timeout duration string optional parameter for initialize rtr session device id string optional unique identifier origin string optional parameter for initialize rtr session queue offline boolean optional parameter for initialize rtr session output parameter type description parameter type description status code number http status code of the response data object response data meta object output field meta query time number time value powered by string output field powered by trace id string unique identifier resources array output field resources session id string unique identifier scripts array output field scripts command string output field command description string output field description examples string output field examples internal only boolean output field internal only runnable boolean output field runnable sub commands array output field sub commands file name string name of the resource file string output field file args array output field args id number unique identifier created at string output field created at updated at string output field updated at script id number unique identifier arg type string type of the resource data type string response data example \[ { "status code" 201, "response 
headers" { "server" "nginx", "date" "wed, 07 sep 2022 11 23 32 gmt", "content type" "application/json", "content length" "1924", "connection" "keep alive", "content encoding" "gzip", "x cs region" "us 1", "x cs traceid" "91ceb5e2 dd30 440c b4ee d63aa0e6b2df", "x ratelimit limit" "6000", "x ratelimit remaining" "5999", "strict transport security" "max age=31536000; includesubdomains" }, "data" { "meta" {}, "resources" \[], "errors" null }, "response text" "{\n \\"meta\\" {\n \\"query time\\" 1 504846194,\n \\"powered by\\" \\"empower api\\",\n \\"trac ", "reason" "created" } ] launch scheduled reports initiates execution of scheduled reports in crowdstrike falcon using provided id(s) and report details endpoint url /reports/entities/scheduled reports/execution/v1 method post input argument name type required description input argument name type required description id string required the report id(s) to launch output parameter type description parameter type description status code number http status code of the response reason string response reason phrase errors array error message if any code number output field code id string unique identifier message string response message meta object output field meta pagination object output field pagination limit number output field limit offset number output field offset total number output field total powered by string output field powered by query time number time value trace id string unique identifier writes object output field writes resources affected number output field resources affected resources array output field resources can write boolean output field can write created on string output field created on customer id string unique identifier execution metadata object response data report params object output field report params columns array output field columns dashboard id string unique identifier example \[ { "status code" 200, "response headers" { "content type" "application/json", "date" "thu, 01 jan 2024 00 
00 00 gmt" }, "reason" "ok", "json body" { "errors" \[], "meta" {}, "resources" \[] } } ] manage scans initiate, schedule, or control on demand windows scans in crowdstrike falcon using specified host and file path details endpoint url /ods/entities/scans/v1 method post input argument name type required description input argument name type required description hosts array required parameter for manage scans host groups array optional parameter for manage scans file paths array required parameter for manage scans scan exclusions array optional parameter for manage scans initiated from string optional parameter for manage scans cpu priority number optional parameter for manage scans description string optional parameter for manage scans quarantine boolean optional parameter for manage scans endpoint notification boolean optional parameter for manage scans pause duration number optional parameter for manage scans sensor ml level detection number optional parameter for manage scans sensor ml level prevention number optional parameter for manage scans cloud ml level detection number optional parameter for manage scans cloud ml level prevention number optional parameter for manage scans max duration number optional parameter for manage scans output parameter type description parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta query time number time value writes object output field writes resources affected number output field resources affected powered by string output field powered by trace id string unique identifier resources array output field resources id string unique identifier cid string unique identifier profile id string unique identifier description string output field description file paths array output field file paths initiated from string output field initiated from quarantine boolean output field quarantine cpu priority number output field cpu priority preemption 
priority number output field preemption priority metadata array response data host id string unique identifier scan host metadata id string response data filecount object count value last updated string output field last updated filecount object count value example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "thu, 02 nov 2023 16 43 41 gmt", "content type" "application/json", "content length" "231", "connection" "keep alive", "x content type options" "nosniff", "x cs traceid" "c346f1ac 873b 4794 b85f f35b9a6b7884", "x ratelimit limit" "15", "x ratelimit remaining" "14", "strict transport security" "max age=31536000; includesubdomains" }, "reason" "ok", "json body" { "meta" {}, "resources" \[] } } ] perform device action executes a specified action on multiple devices in crowdstrike falcon using their ids and the chosen action name endpoint url devices/entities/devices actions/v2 method post input argument name type required description input argument name type required description action name string required name of the resource action parameters array optional parameters for the perform device action action name string optional name of the resource value string optional value for the parameter ids array required unique identifier output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta query time number time value powered by string output field powered by trace id string unique identifier resources array output field resources id string unique identifier path string output field path errors array error message if any file name string name of the resource file string output field file example \[ { "status code" 202, "response headers" { "server" "nginx", "date" "thu, 20 oct 2022 15 41 32 gmt", "content type" "application/json", "content length" "214", "connection" "keep alive", "content encoding" "gzip", "strict 
transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains", "x cs region" "us 1", "x cs traceid" "9a624a54 733b 41cd 9fae fce985b7ea10", "x ratelimit limit" "6000", "x ratelimit remaining" "5994" }, "reason" "accepted", "json body" { "meta" {}, "resources" \[], "errors" \[] } } ] perform incident action executes specified actions on multiple incidents in crowdstrike falcon using provided 'ids' and 'action parameters' endpoint url incidents/entities/incident actions/v1 method post input argument name type required description input argument name type required description ids array required unique identifier action parameters array required parameters for the perform incident action action name string required name of the resource value string required value for the parameter output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta query time number time value powered by string output field powered by trace id string unique identifier resources array output field resources file name string name of the resource file string output field file errors array error message if any file name string name of the resource file string output field file example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "thu, 20 oct 2022 15 55 00 gmt", "content type" "application/json", "content length" "160", "connection" "keep alive", "content encoding" "gzip", "strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains", "x cs region" "us 1", "x cs traceid" "eede97f3 8a60 476a 934d d4051d4f4a37", "x ratelimit limit" "6000", "x ratelimit remaining" "5996" }, "reason" "ok", "json body" { "meta" {}, "resources" \[], "errors" \[] } } ] query behaviors retrieve crowdstrike falcon behaviors using an fql filter with sorting and paging options endpoint url 
/incidents/queries/behaviors/v1 method get input argument name type required description input argument name type required description filter string optional optional filter and sort criteria in the form of an fql query offset number optional starting index of overall result set from which to return ids limit number optional the maximum records to return \[1 500] sort string optional the property to sort on, followed by a dot ( ), followed by the sort direction, either "asc" or "desc" output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta query time number time value pagination object output field pagination offset number output field offset limit number output field limit total number output field total powered by string output field powered by trace id string unique identifier resources array output field resources file name string name of the resource file string output field file errors array error message if any file name string name of the resource file string output field file example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "tue, 22 jul 2025 08 38 10 gmt", "content type" "application/json", "content length" "198", "connection" "keep alive", "content encoding" "gzip", "strict transport security" "max age=31536000; includesubdomains, max age=31536000; includesubdomains", "x cs region" "us 1", "x cs traceid" "98aa8db9 a69d 4b87 907a 2393919c8f11", "x ratelimit limit" "6000", "x ratelimit remaining" "5951" }, "reason" "ok", "json body" { "meta" {}, "resources" \[], "errors" \[] } } ] query host by indicator locate hosts in crowdstrike falcon that have observed a specified custom indicator of compromise (ioc) by type and value endpoint url /indicators/queries/devices/v1 method get input argument name type required description input argument name type required description type string required type of the 
resource value string required value for the parameter limit string optional parameter for query host by indicator offset string optional parameter for query host by indicator output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta query time number time value pagination object output field pagination offset string output field offset limit number output field limit trace id string unique identifier entity string output field entity resources array output field resources errors array error message if any file name string name of the resource file string output field file example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "fri, 21 oct 2022 20 45 11 gmt", "content type" "application/json", "content length" "228", "connection" "keep alive", "content encoding" "gzip", "strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains", "x cs region" "us 1", "x cs traceid" "0e57fcdc 6e9e 4cd3 b493 b6fde9f7a66f", "x ratelimit limit" "6000", "x ratelimit remaining" "5996" }, "reason" "ok", "json body" { "meta" {}, "resources" \[], "errors" \[] } } ] query scheduled reports retrieve a list of report ids from crowdstrike falcon based on specified query and filter criteria endpoint url /reports/queries/scheduled reports/v1 method get input argument name type required description input argument name type required description sort string optional possible order by fields created on, last updated on, last execution on, next execution on filter string optional fql query specifying the filter parameters filter term criteria type, trigger reference, recipients, user uuid, cid, trigger params metadata filter range criteria created on, modified on; use any common date format, such as '2010 05 15t14 55 21 892315096z' q string optional match query criteria, which includes all the filter string 
fields offset string optional starting index of overall result set from which to return ids limit number optional number of ids to return output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta query time number time value pagination object output field pagination offset number output field offset limit number output field limit total number output field total powered by string output field powered by trace id string unique identifier writes object output field writes resources affected number output field resources affected resources array output field resources errors array error message if any code number output field code id string unique identifier message string response message example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "thu, 16 jan 2025 10 40 08 gmt", "content type" "application/json", "content length" "245", "connection" "keep alive", "content encoding" "gzip", "strict transport security" "max age=31536000; includesubdomains, max age=31536000; includesubdomains", "x cs region" "us 1", "x cs traceid" "2bd55126 bb08 44d4 905f 450da0f88a47", "x ratelimit limit" "6000", "x ratelimit remaining" "5998" }, "reason" "ok", "json body" { "meta" {}, "resources" \[], "errors" \[] } } ] retrieve scans by id retrieve detailed information for specific scans in crowdstrike falcon using their unique identifiers endpoint url /ods/entities/scans/v1 method get input argument name type required description input argument name type required description ids string required unique identifier output parameter type description parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta query time number time value writes object output field writes resources affected number output field resources affected powered by string output field 
powered by trace id string unique identifier resources array output field resources id string unique identifier cid string unique identifier profile id string unique identifier description string output field description file paths array output field file paths initiated from string output field initiated from quarantine boolean output field quarantine cpu priority number output field cpu priority preemption priority number output field preemption priority metadata array response data host id string unique identifier host scan id string unique identifier scan host metadata id string response data filecount object count value scanned number output field scanned example \[ { "status code" 200, "response headers" { "server" "nginx", "date" "tue, 07 nov 2023 16 30 27 gmt", "content type" "application/json", "content length" "1018", "connection" "keep alive", "content encoding" "gzip", "strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains", "x cs region" "us 1", "x cs traceid" "15c0882f 1bf6 4529 8cbd cf81c12e4dc9", "x ratelimit limit" "6000", "x ratelimit remaining" "5996" }, "reason" "ok", "json body" { "meta" {}, "resources" \[] } } ] rtr cmd result retrieve results of a real time response command in crowdstrike falcon using cloud request id and sequence id endpoint url /real time response/entities/admin command/v1 method get input argument name type required description input argument name type required description cloud request id string required unique identifier sequence id number required unique identifier output parameter type description output parameter type description status code number http status code of the response reason string response reason phrase meta object output field meta query time number time value powered by string output field powered by trace id string unique identifier resources array output field resources session id string unique identifier task id string unique identifier complete boolean 
| Output Parameter | Type | Description |
| --- | --- | --- |
| complete | string | Output field complete |
| stdout | string | Output field stdout |
| stderr | string | Output field stderr |
| base_command | string | Output field base_command |
| errors | array | Error message, if any |
| file_name | string | Name of the resource |
| file | string | Output field file |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Thu, 20 Oct 2022 18:34:29 GMT",
      "content-type": "application/json",
      "content-length": "875",
      "connection": "keep-alive",
      "content-encoding": "gzip",
      "x-cs-region": "us-1",
      "x-cs-traceid": "7357b311-85cd-4d26-abdd-8e57e16f3dfb",
      "x-ratelimit-limit": "6000",
      "x-ratelimit-remaining": "5995",
      "strict-transport-security": "max-age=31536000; includeSubDomains"
    },
    "reason": "OK",
    "json_body": {
      "meta": {},
      "resources": [],
      "errors": []
    }
  }
]
```

### Search Reports

Locate and filter CrowdStrike Falcon report IDs by using a query with specific parameters to refine search results.

**Endpoint URL:** `reports/queries/scheduled-reports/v1`
**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| q | string | Optional | Parameter for Search Reports |
| filter | string | Optional | Parameter for Search Reports |
| sort | string | Optional | Parameter for Search Reports |
| offset | string | Optional | Parameter for Search Reports |
| limit | number | Optional | Parameter for Search Reports |

#### Output Parameter

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Submit File Analysis

Uploads a file to CrowdStrike Falcon for sandbox analysis, specifying the environment via the 'sandbox' parameter.

**Endpoint URL:** `falconx/entities/submissions/v1`
**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| sandbox | array | Required | Parameter for Submit File Analysis |
| action_script | string | Optional | Parameter for Submit File Analysis |
| command_line | string | Optional | Parameter for Submit File Analysis |
| document_password | string | Optional | Parameter for Submit File Analysis |
| enable_tor | boolean | Optional | Parameter for Submit File Analysis |
| environment_id | number | Required | Unique identifier |
| network_settings | string | Optional | Parameter for Submit File Analysis |
| sha256 | string | Optional | Parameter for Submit File Analysis |
| submit_name | string | Optional | Name of the resource |
| system_date | string | Optional | Date value |
| system_time | string | Optional | Time value |
| url | string | Optional | URL endpoint for the request |
| send_email_notification | boolean | Optional | Parameter for Submit File Analysis |
| user_tags | array | Optional | Parameter for Submit File Analysis |

#### Output Parameter

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK"
  }
]
```

### Update Detection

Updates specified detections in CrowdStrike Falcon using a list of detection 'ids' provided in the JSON body.

**Endpoint URL:** `detects/entities/detects/v2`
**Method:** PATCH

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| assigned_to_uuid | string | Optional | Unique identifier |
| comment | string | Optional | Parameter for Update Detection |
| ids | array | Required | Unique identifier |
| show_in_ui | boolean | Optional | Parameter for Update Detection |
| status | string | Optional | Status value |

#### Output Parameter

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| query_time | number | Time value |
| writes | object | Output field writes |
| resources_affected | number | Output field resources_affected |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Fri, 21 Oct 2022 16:56:04 GMT",
      "content-type": "application/json",
      "content-length": "165",
      "connection": "keep-alive",
      "content-encoding": "gzip",
      "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "x-cs-region": "us-1",
      "x-cs-traceid": "c72a8e5b-d928-415f-9573-e88a469d075d",
      "x-ratelimit-limit": "6000",
      "x-ratelimit-remaining": "5994"
    },
    "reason": "OK",
    "json_body": {
      "meta": {}
    }
  }
]
```

### Upload File Analysis

Upload a file to CrowdStrike Falcon for sandbox analysis, with required form data and data body inputs.

**Endpoint URL:** `samples/entities/samples/v2`
**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| form_data | object | Required | Response data |
| sample | array | Required | Content of the uploaded sample in binary format |
| file_name | string | Required | Name of the resource |
| file | string | Required | Parameter for Upload File Analysis |
| data_body | object | Required | Response data |
| file_name | string | Required | Name of the file |
| is_confidential | boolean | Optional | Defines visibility of this file in Falcon MalQuery, either via the API or the Falcon console |
| comment | string | Optional | A descriptive comment to identify the file for other users |

#### Output Parameter

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| errors | array | Error message, if any |
| code | number | Output field code |
| id | string | Unique identifier |
| message | string | Response message |
| meta | object | Output field meta |
| pagination | object | Output field pagination |
| limit | number | Output field limit |
| offset | number | Output field offset |
| total | number | Output field total |
| powered_by | string | Output field powered_by |
| query_time | number | Time value |
| trace_id | string | Unique identifier |
| writes | object | Output field writes |
| resources_affected | number | Output field resources_affected |
| resources | array | Output field resources |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx",
      "date": "Wed, 19 Oct 2022 19:53:29 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "content-encoding": "gzip",
      "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "x-cs-region": "us-1",
      "x-cs-traceid": "1b07769e-66b4-41fb-a970-9d6a764206ac",
      "x-ratelimit-limit": "6000",
      "x-ratelimit-remaining": "5995"
    },
    "reason": "OK",
    "json_body": {
      "errors": [],
      "meta": {},
      "resources": []
    }
  }
]
```

### Upload RTR Put File

Upload a new file to CrowdStrike Falcon for use with the Real Time Response 'put' command; an attachment is required.

**Endpoint URL:** `real-time-response/entities/put-files/v1`
**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| attachments | array | Required | Script to be uploaded |
| file | string | Optional | Parameter for Upload RTR Put File |
| description | string | Optional | Parameter for Upload RTR Put File |
| name | string | Optional | Name of the resource |
| comments_for_audit_log | string | Optional | Parameter for Upload RTR Put File |

#### Output Parameter

| Name | Type | Description |
| --- | --- | --- |
| data | object | Response data |
| meta | object | Output field meta |
| query_time | number | Time value |
| writes | object | Output field writes |
| resources_affected | number | Output field resources_affected |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |

#### Example

```json
[
  {
    "data": {
      "meta": {}
    }
  }
]
```

### Upload Script

Upload a new custom script to CrowdStrike Falcon for Real Time Response; an attachment is required.

**Endpoint URL:** `/real-time-response/entities/scripts/v1`
**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| attachments | array | Required | Script to be uploaded |
| file | string | Optional | Parameter for Upload Script |
| description | string | Optional | Parameter for Upload Script |
| name | string | Optional | Name of the resource |
| comments_for_audit_log | string | Optional | Parameter for Upload Script |
| permission_type | string | Optional | Type of the resource |
| content | string | Optional | Response content |
| platform | array | Optional | Parameter for Upload Script |

#### Output Parameter

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| data | object | Response data |
| meta | object | Output field meta |
| query_time | number | Time value |
| writes | object | Output field writes |
| resources_affected | number | Output field resources_affected |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "content-length": "192"
    },
    "data": {
      "meta": {}
    }
  }
]
```

### Vertex Summary

Retrieve a summary of connected edges and vertex data from CrowdStrike Falcon for a specified vertex type and IDs.

**Endpoint URL:** `/threatgraph/combined/{{vertex_type}}/summary/v1`
**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| scope | string | Optional | Defines what scope you are querying for. For customer scope, use the value "customer". For device scope, use "device" (default). |
| ids | string | Required | This represents the identifier of the actual object you're looking for. These IDs should be treated as opaque identifiers and can be retrieved from other ThreatGraph calls. This parameter can be provided up to 100 times to retrieve details on multiple vertices. |
| vertex_type | string | Required | The vertex that you are looking for |

#### Output Parameter

| Name | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| query_time | number | Time value |
| trace_id | string | Unique identifier |
| resources | array | Output field resources |
| id | string | Unique identifier |
| customer_id | string | Unique identifier |
| scope | string | Output field scope |
| device_id | string | Unique identifier |
| vertex_type | string | Type of the resource |
| object_id | string | Unique identifier |
| timestamp | string | Output field timestamp |
| properties | object | Output field properties |
| ActivePrivilegeEscalationCount | string | Count value |
| AsepWrittenCount | string | Count value |
| AuthenticationId | string | Unique identifier |
| BinaryExecutableWrittenCount | string | Count value |
| CommandLine | string | Output field CommandLine |
| ConHostId | string | Unique identifier |
| ConfigBuild | string | Output field ConfigBuild |
| DirectoryCreatedCount | string | Count value |
| DnsRequestCount | string | Count value |
| ExeAndServiceCount | string | Count value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-type": "application/json",
      "date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "meta": {},
      "resources": [],
      "errors": []
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| connection | HTTP response header connection | keep-alive |
| content-encoding | HTTP response header content-encoding | gzip |
| content-length | The length of the response body in bytes | 650 |
| content-type | The media type of the resource | application/json |
| date | The date and time at which the message was originated | Tue, 18 Oct 2022 21:36:02 GMT |
| server | Information about the software used by the origin server | nginx |
| strict-transport-security | HTTP response header strict-transport-security | max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains |
| transfer-encoding | HTTP response header transfer-encoding | chunked |
| x-content-type-options | HTTP response header x-content-type-options | nosniff |
| x-cs-region | HTTP response header x-cs-region | us-1 |
| x-cs-traceid | HTTP response header x-cs-traceid | 15c0882f-1bf6-4529-8cbd-cf81c12e4dc9 |
| x-ratelimit-limit | The number of requests allowed in the current rate limit window | 6000 |
| x-ratelimit-remaining | The number of requests remaining in the current rate limit window | 5997 |

## Notes

- Manage Scans action: file path exclusions can be formatted in glob syntax. For more info, see [Glob Syntax](https://falcon.crowdstrike.com/documentation/page/e2e4b1b4/glob-syntax). You must have an account in order to view the documentation.
- [CrowdStrike Falcon documentation](https://falcon.crowdstrike.com/support/documentation)
- [FalconPy docs](https://www.falconpy.io/Service-Collections/Quarantine.html)
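The Update Detection action and the response headers table above describe a write call and the envelope that comes back for it. The following Python is an added example, not code from the Swimlane connector or from CrowdStrike: it assembles the PATCH body so that only fields the caller actually set are sent, then checks the returned envelope the way a playbook should, treating a 200 as insufficient on its own and looking at `json_body.errors` and `meta.writes.resources_affected`, while reading the `x-ratelimit-*` headers to know when the budget is nearly used up. The set of accepted `status` values, the sample detection ids and the sample envelope are assumptions constructed for this example; the page itself only says "status value".

```python
"""Added example for the Update Detection action; not connector or CrowdStrike code."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Iterable

# Assumption: the page only says "status value". These are the values this
# example is willing to send; anything else is rejected before the call.
DETECTION_STATUSES = {
    "new", "in_progress", "true_positive", "false_positive", "ignored", "closed", "reopened",
}


def build_update_detection_body(
    ids: Iterable[str],
    status: str | None = None,
    assigned_to_uuid: str | None = None,
    comment: str | None = None,
    show_in_ui: bool | None = None,
) -> dict[str, Any]:
    """Assemble the body for detects/entities/detects/v2 (PATCH).

    Only `ids` is required. Optional inputs are included only when set, so an
    unset field never overwrites what is already on the detection.
    """
    id_list = [i for i in ids if i]
    if not id_list:
        raise ValueError("ids is required and must contain at least one detection id")
    if len(set(id_list)) != len(id_list):
        raise ValueError("duplicate detection ids in request")
    if status is not None and status not in DETECTION_STATUSES:
        raise ValueError(f"unsupported status {status!r}")
    body: dict[str, Any] = {"ids": id_list}
    if status is not None:
        body["status"] = status
    if assigned_to_uuid is not None:
        body["assigned_to_uuid"] = assigned_to_uuid
    if comment is not None:
        body["comment"] = comment
    if show_in_ui is not None:
        body["show_in_ui"] = show_in_ui
    return body


@dataclass(frozen=True)
class RateLimit:
    limit: int
    remaining: int

    @property
    def nearly_exhausted(self) -> bool:
        # Back off once less than 5% of the window remains.
        return self.limit > 0 and self.remaining * 20 < self.limit


def parse_rate_limit(headers: dict[str, str]) -> RateLimit:
    """Read x-ratelimit-limit / x-ratelimit-remaining, header case ignored."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return RateLimit(
        limit=int(lowered.get("x-ratelimit-limit", "0")),
        remaining=int(lowered.get("x-ratelimit-remaining", "0")),
    )


def check_write_response(envelope: dict[str, Any], expected: int) -> tuple[bool, str]:
    """Decide whether an Update Detection call changed `expected` detections.

    Returns (ok, detail). `detail` carries the x-cs-traceid so a failed write
    can be matched against the platform's own logs.
    """
    headers = envelope.get("response_headers") or {}
    trace = {k.lower(): v for k, v in headers.items()}.get("x-cs-traceid", "n/a")
    status = envelope.get("status_code")
    if status != 200:
        return False, f"http {status} {envelope.get('reason', '')} trace={trace}"
    body = envelope.get("json_body") or {}
    errors = body.get("errors") or []
    if errors:
        return False, f"api errors {errors} trace={trace}"
    affected = ((body.get("meta") or {}).get("writes") or {}).get("resources_affected")
    if affected is None:
        return False, f"unverified: no meta.writes.resources_affected trace={trace}"
    if affected != expected:
        return False, f"partial: {affected} of {expected} updated trace={trace}"
    return True, f"ok trace={trace}"


# Constructed sample envelope shaped like the page's Update Detection example,
# with the meta block filled the way a successful write would report it.
SAMPLE_OK: dict[str, Any] = {
    "status_code": 200,
    "response_headers": {
        "content-type": "application/json",
        "x-cs-traceid": "00000000-0000-0000-0000-000000000000",  # placeholder
        "x-ratelimit-limit": "6000",
        "x-ratelimit-remaining": "5994",
    },
    "reason": "OK",
    "json_body": {"meta": {"query_time": 0.01, "writes": {"resources_affected": 2}}, "errors": []},
}
```

Note that the page's own example carries an empty `meta` object; run through `check_write_response` it comes back as "unverified" rather than as a success, which is the behaviour a playbook wants before it marks detections as closed.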
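The Vertex Summary action accepts `ids` at most 100 times per call, so a hunt over a larger set of vertices has to be split into batches and the per-batch results merged afterwards. This Python is an added example, not connector or CrowdStrike code: it builds the request path and query string for each batch, refuses a `vertex_type` that is not a single path segment (since it is substituted into the URL), and merges the envelopes that come back, reporting any ids that no batch returned. The vertex type `processes`, the `pid:`-style ids and the sample envelopes are constructed for the example.

```python
"""Added example for the Vertex Summary action; not connector or CrowdStrike code."""
from __future__ import annotations

import re
from typing import Any, Iterable, Iterator
from urllib.parse import quote, urlencode

MAX_IDS_PER_REQUEST = 100            # stated limit for the ids parameter
VALID_SCOPES = {"device", "customer"}  # the two scope values the action documents
# Assumption: vertex_type is a single URL path segment (letters, digits, '-', '_').
_VERTEX_TYPE = re.compile(r"[A-Za-z0-9_-]+")


def vertex_summary_requests(
    vertex_type: str, ids: Iterable[str], scope: str = "device"
) -> Iterator[tuple[str, str]]:
    """Yield (path, query_string) for each batch of up to 100 unique ids."""
    if not _VERTEX_TYPE.fullmatch(vertex_type):
        raise ValueError(f"vertex_type must be a single path segment, got {vertex_type!r}")
    if scope not in VALID_SCOPES:
        raise ValueError(f"scope must be one of {sorted(VALID_SCOPES)}")
    unique = [i for i in dict.fromkeys(ids) if i]  # drop empties and duplicates, keep order
    if not unique:
        raise ValueError("at least one id is required")
    path = f"/threatgraph/combined/{quote(vertex_type, safe='')}/summary/v1"
    for start in range(0, len(unique), MAX_IDS_PER_REQUEST):
        batch = unique[start:start + MAX_IDS_PER_REQUEST]
        # urlencode with a list of pairs repeats the ids key once per value.
        query = urlencode([("scope", scope)] + [("ids", i) for i in batch])
        yield path, query


def merge_vertex_summaries(
    envelopes: Iterable[dict[str, Any]],
) -> tuple[dict[str, dict[str, Any]], list[Any]]:
    """Combine resources from several batch envelopes, keyed by vertex id.

    Non-200 envelopes and json_body.errors entries are collected rather than
    silently dropped so the caller can tell a partial result from a full one.
    """
    merged: dict[str, dict[str, Any]] = {}
    errors: list[Any] = []
    for env in envelopes:
        body = env.get("json_body") or {}
        if env.get("status_code") != 200:
            errors.append({"status_code": env.get("status_code"), "reason": env.get("reason")})
        errors.extend(body.get("errors") or [])
        for resource in body.get("resources") or []:
            rid = resource.get("id")
            if rid:
                merged[rid] = resource
    return merged, errors


def missing_ids(requested: Iterable[str], merged: dict[str, Any]) -> list[str]:
    """Ids that were asked for but appear in no returned resource."""
    return [i for i in dict.fromkeys(requested) if i not in merged]


# Constructed sample envelopes shaped like the page's Vertex Summary example,
# one per batch, each carrying a single process vertex.
SAMPLE_BATCHES: list[dict[str, Any]] = [
    {
        "status_code": 200,
        "response_headers": {"content-type": "application/json"},
        "reason": "OK",
        "json_body": {
            "meta": {},
            "resources": [
                {"id": "pid:example-aid:0", "vertex_type": "process", "scope": "device",
                 "properties": {"CommandLine": "notepad.exe", "DnsRequestCount": "0"}},
            ],
            "errors": [],
        },
    },
    {
        "status_code": 200,
        "response_headers": {"content-type": "application/json"},
        "reason": "OK",
        "json_body": {
            "meta": {},
            "resources": [
                {"id": "pid:example-aid:1", "vertex_type": "process", "scope": "device",
                 "properties": {"CommandLine": "cmd.exe", "DnsRequestCount": "2"}},
            ],
            "errors": [],
        },
    },
]
```

Sending each `(path, query)` pair is left to the connector or HTTP client in use; the point of the helper is that the batching, de-duplication and merge are decided before any call is made, and that an id missing from the merged result is surfaced instead of assumed to have no summary.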