# CrowdStrike Falcon V2
The CrowdStrike Falcon V2 connector enables automated interactions with the CrowdStrike Falcon platform, allowing for real-time response and threat intelligence management directly from the Swimlane Turbine environment.

CrowdStrike Falcon V2 is a cutting-edge cybersecurity platform that specializes in endpoint protection, threat intelligence, and incident response. This connector enables seamless integration with Swimlane Turbine, allowing users to automate the creation, management, and analysis of threat indicators and real-time response scripts. By leveraging the connector, security teams can efficiently execute actions such as file analysis, host information retrieval, and session management directly within the Swimlane ecosystem, enhancing their ability to respond to threats rapidly and effectively.

## Asset Configuration or Prerequisites

Before integrating the CrowdStrike Falcon V2 connector with Turbine, ensure you have the following OAuth 2.0 client credentials for secure authentication, which include:

- URL: endpoint for the CrowdStrike API
- Client ID: unique identifier for the application making the request
- Client Secret: a secret key used in conjunction with the Client ID to authenticate to the CrowdStrike API

## Capabilities

This connector has the following capabilities:

- Alerts
  - Get Alert Details
  - Query Alerts
  - Update Alerts by ID
  - Get Query Alerts
- Detections
  - Get Detections Summaries
  - Query Detections
- Falcon Sandbox
  - Get File Analysis
  - Get Reports
  - Query Reports
  - Submit File for Analysis
  - Upload File for Analysis
- Host
  - Get Host Info
  - Search Host
  - Lift Contained Endpoint
  - Perform Action
- Identity Protection
  - Get Sensor Details
  - Query Sensors
  - Query Identity Protection by GraphQL
- Incidents
  - Get Incidents
  - Get Behaviors
  - Query CrowdScore
- Indicators
  - Create Indicator
  - Get Indicators
  - Query Host by Indicator
  - Query Indicator
  - Update Indicator
- Real Time Response (RTR)
  - Create RTR Scripts
  - Delete RTR File
  - Delete RTR Put Files
  - Delete RTR Scripts
  - Delete RTR Session
  - Execute RTR Command
  - Get RTR Put Files
  - Get RTR Scripts
  - Init RTR Session
  - List All RTR Sessions
  - List RTR Falcon Scripts
  - List RTR Files
  - RTR Get Batch Get Cmd
  - RTR Post Batch Get Cmd
- Report Executions
  - Get Report Executions
  - Download Report Execution
- Scan
  - Get Scans
- Spotlight Vulnerabilities
  - List Host Vulnerabilities
- Event Streams
  - List Available Streams
  - Refresh Active Stream Session
- ThreatGraph
  - Get Edges
  - Get Ran On
  - Get Summary
  - Get Vertices
  - Get Edge Types

## Configurations

### CrowdStrike Falcon V2 OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| client_id | The client ID | string | Required |
| client_secret | The client secret | string | Required |
| ignore_http_errors | Ignore HTTP errors | boolean | Optional |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through. Example: http://myproxy:8888 | string | Optional |
| https_proxy | A proxy to route requests through. Example: https://myotherproxy:8080 | string | Optional |

## Actions

### Create Indicator

Creates new threat indicators in CrowdStrike Falcon V2 using the provided 'indicators' data.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| comment | string | Optional | IOC comment |
| indicators | array | Required | List of indicators to create |
| action | string | Optional | Default action for IOC |
| applied_globally | boolean | Optional | Flag indicating this IOC is applied globally |
| description | string | Optional | IOC description |
| expiration | string | Optional | UTC-formatted date string |
| host_groups | array | Required | List of host groups this IOC applies to |
| metadata | object | Optional | Dictionary containing the filename for the IOC |
| filename | string | Optional | Filename to use for the metadata dictionary |
| mobile_action | string | Optional | Parameter for Create Indicator |
| platforms | array | Required | Platforms this IOC impacts |
| severity | string | Optional | IOC severity |
| source | string | Optional | IOC source |
| tags | array | Optional | IOC tags |
| type | string | Required | IOC type |
| value | string | Required | String representation of the IOC |
| ignore_warnings | boolean | Optional | Flag to indicate that warnings are ignored |
| retrodetects | boolean | Optional | Flag to indicate whether to submit retrodetects |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| server | string | Output field server |
| date | string | Date value |
| content-type | string | Type of the resource |
| content-length | string | Response content |
| connection | string | Output field connection |
| content-encoding | string | Response content |
| strict-transport-security | string | Output field strict-transport-security |
| x-cs-region | string | Output field x-cs-region |
| x-cs-traceid | string | Unique identifier |
| x-ratelimit-limit | string | Output field x-ratelimit-limit |
| x-ratelimit-remaining | string | Output field x-ratelimit-remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| pagination | object | Output field pagination |
| limit | number | Output field limit |
| total | number | Output field total |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| resources | array | Output field resources |
| id | string | Unique identifier |
| type | string | Type of the resource |
| value | string | Value for the parameter |

#### Example

```json
[
  {
    "status_code": 201,
    "headers": {
      "server": "nginx",
      "date": "Fri, 31 May 2024 06:47:49 GMT",
      "content-type": "application/json",
      "content-length": "469",
      "connection": "keep-alive",
      "content-encoding": "gzip",
      "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "x-cs-region": "us-1",
      "x-cs-traceid": "0177c568-3429-4acb-a431-364e5b571afe",
      "x-ratelimit-limit": "6000",
      "x-ratelimit-remaining": "5998"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Create RTR Scripts

Initiates the creation of real-time response scripts in CrowdStrike Falcon V2 for immediate endpoint deployment, requiring a data body input.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | Required | Response data |
| comments_for_audit_log | string | Optional | A descriptive comment for the audit log |
| description | string | Optional | File description |
| name | string | Optional | File name (if different than actual file name) |
| platform | array | Optional | Platform for the script. Currently supports Windows, Mac, and Linux. If no platform is provided, Windows is assumed |
| permission_type | string | Required | Permissions for the custom script |
| content | string | Optional | The text contents you want to use for the script. Takes the place of a file upload |
| files | array | Optional | Parameter for Create RTR Scripts |
| file_name | string | Required | Name of the resource |
| file | string | Required | Parameter for Create RTR Scripts |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| server | string | Output field server |
| date | string | Date value |
| content-type | string | Type of the resource |
| content-length | string | Response content |
| connection | string | Output field connection |
| content-encoding | string | Response content |
| x-cs-region | string | Output field x-cs-region |
| x-cs-traceid | string | Unique identifier |
| x-ratelimit-limit | string | Output field x-ratelimit-limit |
| x-ratelimit-remaining | string | Output field x-ratelimit-remaining |
| strict-transport-security | string | Output field strict-transport-security |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| writes | object | Output field writes |
| resources_affected | number | Output field resources_affected |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "headers": {
      "server": "nginx",
      "date": "Wed, 29 May 2024 11:22:55 GMT",
      "content-type": "application/json",
      "content-length": "160",
      "connection": "keep-alive",
      "content-encoding": "gzip",
      "x-cs-region": "us-1",
      "x-cs-traceid": "e37ebaae-7daa-4da2-9c2c-b491369e1d78",
      "x-ratelimit-limit": "6000",
      "x-ratelimit-remaining": "5998",
      "strict-transport-security": "max-age=31536000; includeSubDomains"
    },
    "body": { "meta": {} }
  }
]
```

### Delete RTR File

Removes a specified real-time response file from CrowdStrike Falcon hosts using the provided 'ids' and 'session_id'.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | string | Required | RTR session file ID (SHA256) |
| session_id | string | Required | RTR session ID |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| body | object | Request body data |
| errors | array | Error message, if any |
| message | string | Response message |
| resources | array | Output field resources |
| file_name | string | Name of the resource |
| file | string | Output field file |

#### Example

```json
[
  {
    "status_code": 204,
    "headers": {},
    "body": { "errors": [], "resources": [] }
  }
]
```

### Delete RTR Put Files

Removes specified real-time response files from CrowdStrike Falcon using their unique IDs.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | File IDs |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| server | string | Output field server |
| date | string | Date value |
| content-type | string | Type of the resource |
| content-length | string | Response content |
| connection | string | Output field connection |
| content-encoding | string | Response content |
| x-cs-region | string | Output field x-cs-region |
| x-cs-traceid | string | Unique identifier |
| x-ratelimit-limit | string | Output field x-ratelimit-limit |
| x-ratelimit-remaining | string | Output field x-ratelimit-remaining |
| strict-transport-security | string | Output field strict-transport-security |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| writes | object | Output field writes |
| resources_affected | number | Output field resources_affected |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "headers": {
      "server": "nginx",
      "date": "Mon, 27 May 2024 17:15:18 GMT",
      "content-type": "application/json",
      "content-length": "161",
      "connection": "keep-alive",
      "content-encoding": "gzip",
      "x-cs-region": "us-1",
      "x-cs-traceid": "25446ed1-d0d4-4374-9281-c596387b6064",
      "x-ratelimit-limit": "6000",
      "x-ratelimit-remaining": "5999",
      "strict-transport-security": "max-age=31536000; includeSubDomains"
    },
    "body": { "meta": {} }
  }
]
```

### Delete RTR Scripts

Removes specified real-time response scripts from CrowdStrike Falcon using the provided script IDs.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | File IDs |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| server | string | Output field server |
| date | string | Date value |
| content-type | string | Type of the resource |
| content-length | string | Response content |
| connection | string | Output field connection |
| content-encoding | string | Response content |
| x-cs-region | string | Output field x-cs-region |
| x-cs-traceid | string | Unique identifier |
| x-ratelimit-limit | string | Output field x-ratelimit-limit |
| x-ratelimit-remaining | string | Output field x-ratelimit-remaining |
| strict-transport-security | string | Output field strict-transport-security |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| writes | object | Output field writes |
| resources_affected | number | Output field resources_affected |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "headers": {
      "server": "nginx",
      "date": "Tue, 28 May 2024 17:43:18 GMT",
      "content-type": "application/json",
      "content-length": "160",
      "connection": "keep-alive",
      "content-encoding": "gzip",
      "x-cs-region": "us-1",
      "x-cs-traceid": "f33c1753-6451-4160-961b-c95d5110a1f0",
      "x-ratelimit-limit": "6000",
      "x-ratelimit-remaining": "5999",
      "strict-transport-security": "max-age=31536000; includeSubDomains"
    },
    "body": { "meta": {} }
  }
]
```

### Delete RTR Session

Terminates a specific real-time response session in CrowdStrike Falcon by providing the session ID.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| session_id | string | Required | RTR session ID |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| body | object | Request body data |
| errors | array | Error message, if any |
| message | string | Response message |
| resources | array | Output field resources |
| file_name | string | Name of the resource |
| file | string | Output field file |

#### Example

```json
[
  {
    "status_code": 204,
    "headers": {},
    "body": { "errors": [], "resources": [] }
  }
]
```

### Download Report Execution

Retrieves execution details for specified report IDs in CrowdStrike Falcon V2 using the 'ids' parameter.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | The report execution ID to get details about |
| chunksize | number | Optional | The number of objects to have in each attachment |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| server | string | Output field server |
| date | string | Date value |
| content-type | string | Type of the resource |
| content-length | string | Response content |
| connection | string | Output field connection |
| content-encoding | string | Response content |
| strict-transport-security | string | Output field strict-transport-security |
| x-cs-region | string | Output field x-cs-region |
| x-cs-traceid | string | Unique identifier |
| x-ratelimit-limit | string | Output field x-ratelimit-limit |
| x-ratelimit-remaining | string | Output field x-ratelimit-remaining |
| file | array | Report chunks |
| file | string | Output field file |
| file_name | string | Name of the resource |

#### Example

```json
[
  {
    "status_code": 200,
    "headers": {
      "server": "nginx",
      "date": "Tue, 28 May 2024 18:00:53 GMT",
      "content-type": "application/json",
      "content-length": "464",
      "connection": "keep-alive",
      "content-encoding": "gzip",
      "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "x-cs-region": "us-1",
      "x-cs-traceid": "a8f42c6a-9965-4d85-939c-ab5a81a50e63",
      "x-ratelimit-limit": "6000",
      "x-ratelimit-remaining": "5999"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Execute RTR Command

Initiates a real-time response command on a host within CrowdStrike Falcon using the specified base command, command string, and session ID.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| base_command | string | Required | Read-only base command to perform |
| command_string | string | Required | Full command line of the command to execute |
| persist | boolean | Optional | Flag indicating if this command should be executed when the host returns to service |
| session_id | string | Required | RTR session ID to execute the command against |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| server | string | Output field server |
| date | string | Date value |
| content-type | string | Type of the resource |
| content-length | string | Response content |
| connection | string | Output field connection |
| content-encoding | string | Response content |
| x-cs-region | string | Output field x-cs-region |
| x-cs-traceid | string | Unique identifier |
| x-ratelimit-limit | string | Output field x-ratelimit-limit |
| x-ratelimit-remaining | string | Output field x-ratelimit-remaining |
| strict-transport-security | string | Output field strict-transport-security |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| resources | array | Output field resources |
| session_id | string | Unique identifier |
| cloud_request_id | string | Unique identifier |
| queued_command_offline | boolean | Output field queued_command_offline |
| errors | array | Error message, if any |
| file_name | string | Name of the resource |
| file | string | Output field file |

#### Example

```json
[
  {
    "status_code": 201,
    "headers": {
      "server": "nginx",
      "date": "Mon, 27 May 2024 05:39:07 GMT",
      "content-type": "application/json",
      "content-length": "261",
      "connection": "keep-alive",
      "content-encoding": "gzip",
      "x-cs-region": "us-1",
      "x-cs-traceid": "ec8b5d53-770e-44c9-91e7-410e436f0860",
      "x-ratelimit-limit": "6000",
      "x-ratelimit-remaining": "5998",
      "strict-transport-security": "max-age=31536000; includeSubDomains"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Get Alert Details

Retrieves detailed information for specified alerts in CrowdStrike Falcon using composite IDs.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| include_hidden | boolean | Optional | Allows previously hidden alerts to be retrieved |
| composite_ids | array | Required | ID(s) of the alerts to retrieve |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| server | string | Output field server |
| date | string | Date value |
| content-type | string | Type of the resource |
| transfer-encoding | string | Output field transfer-encoding |
| connection | string | Output field connection |
| content-encoding | string | Response content |
| strict-transport-security | string | Output field strict-transport-security |
| x-cs-region | string | Output field x-cs-region |
| x-cs-traceid | string | Unique identifier |
| x-ratelimit-limit | string | Output field x-ratelimit-limit |
| x-ratelimit-remaining | string | Output field x-ratelimit-remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| writes | object | Output field writes |
| resources_affected | number | Output field resources_affected |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| resources | array | Output field resources |
| agent_id | string | Unique identifier |
| aggregate_id | string | Unique identifier |
| alleged_filetype | string | Type of the resource |
| cid | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": { "content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT" },
    "reason": "OK",
    "headers": {
      "server": "string",
      "date": "2024-01-01T00:00:00Z",
      "content-type": "string",
      "transfer-encoding": "string",
      "connection": "string",
      "content-encoding": "string",
      "strict-transport-security": "string",
      "x-cs-region": "string",
      "x-cs-traceid": "string",
      "x-ratelimit-limit": "string",
      "x-ratelimit-remaining": "string"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Get Behaviors

Retrieves detailed behavior records for specified IDs in CrowdStrike Falcon, requiring a JSON body with 'ids'.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | Behavior ID(s) to retrieve |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| server | string | Output field server |
| date | string | Date value |
| content-type | string | Type of the resource |
| content-length | string | Response content |
| connection | string | Output field connection |
| content-encoding | string | Response content |
| strict-transport-security | string | Output field strict-transport-security |
| x-cs-region | string | Output field x-cs-region |
| x-cs-traceid | string | Unique identifier |
| x-ratelimit-limit | string | Output field x-ratelimit-limit |
| x-ratelimit-remaining | string | Output field x-ratelimit-remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| resources | array | Output field resources |
| behavior_id | string | Unique identifier |
| alert_ids | array | Unique identifier |
| cid | string | Unique identifier |
| aid | string | Unique identifier |
| pattern_id | number | Unique identifier |
| template_instance_id | number | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "headers": {
      "server": "nginx",
      "date": "Mon, 27 May 2024 07:48:54 GMT",
      "content-type": "application/json",
      "content-length": "894",
      "connection": "keep-alive",
      "content-encoding": "gzip",
      "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "x-cs-region": "us-1",
      "x-cs-traceid": "92e99eb6-b1c1-430c-8f2a-6df85afb94c6",
      "x-ratelimit-limit": "6000",
      "x-ratelimit-remaining": "5999"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Get Detections Summaries

Retrieves summaries for specific detections in CrowdStrike Falcon using detection IDs provided in the JSON body.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | ID(s) of the detections to retrieve |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| server | string | Output field server |
| date | string | Date value |
| content-type | string | Type of the resource |
| content-length | string | Response content |
| connection | string | Output field connection |
| content-encoding | string | Response content |
| strict-transport-security | string | Output field strict-transport-security |
| x-cs-region | string | Output field x-cs-region |
| x-cs-traceid | string | Unique identifier |
| x-ratelimit-limit | string | Output field x-ratelimit-limit |
| x-ratelimit-remaining | string | Output field x-ratelimit-remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| resources | array | Output field resources |
| cid | string | Unique identifier |
| created_timestamp | string | Output field created_timestamp |
| detection_id | string | Unique identifier |
| device | object | Output field device |
| device_id | string | Unique identifier |
| cid | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "headers": {
      "server": "nginx",
      "date": "Fri, 24 May 2024 19:13:06 GMT",
      "content-type": "application/json",
      "content-length": "1877",
      "connection": "keep-alive",
      "content-encoding": "gzip",
      "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "x-cs-region": "us-1",
      "x-cs-traceid": "eb80164d-f5f8-4462-bed0-f4c7e849a2de",
      "x-ratelimit-limit": "6000",
      "x-ratelimit-remaining": "5999"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Get Edge Types

Obtains all available edge types from CrowdStrike Falcon V2 to enhance incident analysis and response workflows.

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get Edges

Retrieves edges for a specified vertex ID in CrowdStrike Falcon V2, requiring at least one edge type parameter.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | string | Optional | Vertex ID to get details for. Only one value is supported |
| limit | number | Optional | How many edges to return in a single request [1-100] |
| offset | string | Optional | The offset to use to retrieve the next page of results |
| edge_type | string | Optional | The type of edges that you would like to retrieve |
| direction | string | Optional | The direction of edges that you would like to retrieve |
| scope | string | Optional | Scope of the request |
| nano | boolean | Optional | Return nano-precision entity timestamps |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get File Analysis

Retrieves detailed file analysis from CrowdStrike Falcon using specific 'ids' as parameters.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | ID of a submitted malware sample |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| server | string | Output field server |
| date | string | Date value |
| content-type | string | Type of the resource |
| content-length | string | Response content |
| connection | string | Output field connection |
| content-encoding | string | Response content |
| strict-transport-security | string | Output field strict-transport-security |
| x-cs-region | string | Output field x-cs-region |
| x-cs-traceid | string | Unique identifier |
| x-ratelimit-limit | string | Output field x-ratelimit-limit |
| x-ratelimit-remaining | string | Output field x-ratelimit-remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| quota | object | Output field quota |
| total | number | Output field total |
| used | number | Output field used |
| in_progress | number | Output field in_progress |
| resources | array | Output field resources |
| id | string | Unique identifier |
| cid | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "headers": {
      "server": "nginx",
      "date": "Thu, 30 May 2024 09:36:05 GMT",
      "content-type": "application/json",
      "content-length": "427",
      "connection": "keep-alive",
      "content-encoding": "gzip",
      "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "x-cs-region": "us-1",
      "x-cs-traceid": "52257afe-cfa3-4a54-8b56-86f9f360ec9f",
      "x-ratelimit-limit": "6000",
      "x-ratelimit-remaining": "5999"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Get Host Info

Retrieves detailed information for specified hosts in CrowdStrike Falcon using their unique IDs.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | The host agent IDs used to get details on |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| server | string | Output field server |
| date | string | Date value |
| content-type | string | Type of the resource |
| content-length | string | Response content |
| connection | string | Output field connection |
| content-encoding | string | Response content |
| strict-transport-security | string | Output field strict-transport-security |
| x-cs-region | string | Output field x-cs-region |
| x-cs-traceid | string | Unique identifier |
| x-ratelimit-limit | string | Output field x-ratelimit-limit |
| x-ratelimit-remaining | string | Output field x-ratelimit-remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| resources | array | Output field resources |
| device_id | string | Unique identifier |
| cid | string | Unique identifier |
| agent_load_flags | string | Output field agent_load_flags |
| agent_local_time | string | Time value |
| agent_version | string | Output field agent_version |
| bios_manufacturer | string | Output field bios_manufacturer |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": { "content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT" },
    "reason": "OK",
    "headers": {
      "server": "string",
      "date": "2024-01-01T00:00:00Z",
      "content-type": "string",
      "content-length": "string",
      "connection": "string",
      "content-encoding": "string",
      "strict-transport-security": "string",
      "x-cs-region": "string",
      "x-cs-traceid": "string",
      "x-ratelimit-limit": "string",
      "x-ratelimit-remaining": "string"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Get Incidents

Retrieves detailed information for specified incidents in CrowdStrike Falcon using incident IDs provided in the JSON body.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | Incident ID(s) to retrieve |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| server | string | Output field server |
| date | string | Date value |
| content-type | string | Type of the resource |
| content-length | string | Response content |
| connection | string | Output field connection |
| content-encoding | string | Response content |
| strict-transport-security | string | Output field strict-transport-security |
| x-cs-region | string | Output field x-cs-region |
| x-cs-traceid | string | Unique identifier |
| x-ratelimit-limit | string | Output field x-ratelimit-limit |
| x-ratelimit-remaining | string | Output field x-ratelimit-remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| resources | array | Output field resources |
| incident_id | string | Unique identifier |
| incident_type | number | Unique identifier |
| cid | string | Unique identifier |
| host_ids | array | Unique identifier |
| hosts | array | Output field hosts |
| device_id | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "headers": {
      "server": "nginx",
      "date": "Mon, 27 May 2024 07:33:12 GMT",
      "content-type": "application/json",
      "content-length": "960",
      "connection": "keep-alive",
      "content-encoding": "gzip",
      "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "x-cs-region": "us-1",
      "x-cs-traceid": "9cec3c3b-bff9-41b5-9b59-86fa593f6df1",
      "x-ratelimit-limit": "6000",
      "x-ratelimit-remaining": "5999"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Get Indicators

Retrieves detailed information on indicators of compromise from CrowdStrike Falcon using specified IDs.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | The IDs of the indicators to retrieve |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| server | string | Output field server |
| date | string | Date value |
| content-type | string | Type of the resource |
| content-length | string | Response content |
| connection | string | Output field connection |
| content-encoding | string | Response content |
| strict-transport-security | string | Output field strict-transport-security |
| x-cs-region | string | Output field x-cs-region |
| x-cs-traceid | string | Unique identifier |
| x-ratelimit-limit | string | Output field x-ratelimit-limit |
| x-ratelimit-remaining | string | Output field x-ratelimit-remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| pagination | object | Output field pagination |
| limit | number | Output field limit |
| total | number | Output field total |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| resources | array | Output field resources |
| id | string | Unique identifier |
| type | string | Type of the resource |
| value | string | Value for the parameter |

#### Example

```json
[
  {
    "status_code": 200,
    "headers": {
      "server": "nginx",
      "date": "Thu, 30 May 2024 20:07:47 GMT",
      "content-type": "application/json",
      "content-length": "512",
      "connection": "keep-alive",
      "content-encoding": "gzip",
      "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "x-cs-region": "us-1",
      "x-cs-traceid": "ed545c3a-c1e4-4ae5-afda-d729d167bb82",
      "x-ratelimit-limit": "6000",
      "x-ratelimit-remaining": "5999"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Get Queries Alerts

Retrieves alert IDs that match a specific query from CrowdStrike Falcon V2, with no additional parameters needed.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| filter | string | Optional | Filter alerts using a query in Falcon Query Language (FQL). An asterisk wildcard includes all results |
| limit | number | Optional | The maximum number of alerts to return in this response |
| offset | number | Optional | The first alert to return, where 0 is the latest alert. Use with the limit parameter to manage pagination of results |
| q | string | Optional | Search all alert metadata for the provided string |
| sort | string | Optional | Sort alerts using the provided FQL filter |
| include_hidden | boolean | Optional | Allows previously hidden alerts to be retrieved |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| server | string | Output field server |
| date | string | Date value |
| content-type | string | Type of the resource |
| content-length | string | Response content |
| connection | string | Output field connection |
| content-encoding | string | Response content |
| strict-transport-security | string | Output field strict-transport-security |
| x-cs-region | string | Output field x-cs-region |
| x-cs-traceid | string | Unique identifier |
| x-ratelimit-limit | string | Output field x-ratelimit-limit |
| x-ratelimit-remaining | string | Output field x-ratelimit-remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| pagination | object | Output field pagination |
| offset | number | Output field offset |
| limit | number | Output field limit |
| total | number | Output field total |
| writes | object | Output field writes |
| resources_affected | number | Output field resources_affected |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| resources | array | Output field resources |

#### Example

```json
[
  {
    "status_code": 200,
    "headers": {
      "server": "nginx",
      "date": "Mon, 10 Jun 2024 10:09:58 GMT",
      "content-type": "application/json",
      "content-length": "498",
      "connection": "keep-alive",
      "content-encoding": "gzip",
      "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "x-cs-region": "us-1",
      "x-cs-traceid": "c355acdd-5c61-4e72-821b-6219e3e8de7f",
      "x-ratelimit-limit": "6000",
      "x-ratelimit-remaining": "5999"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Get Ran On

Retrieves instances of indicators such as hashes, domain names, and IP addresses observed on devices within the CrowdStrike Falcon environment.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| value | string | Optional | The value of the indicator to search by |
| type | string | Optional | The type of indicator that you would like to retrieve |
| limit | number | Optional | How many edges to return in a single request [1-100] |
| offset | string | Optional | The offset to use to retrieve the next page of results |
| nano | boolean | Optional | Return nano-precision entity timestamps |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get Report Executions

Retrieves execution details for specified report IDs in CrowdStrike Falcon V2 using the 'ids' parameter.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | The report execution ID to get details about |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| server | string | Output field server |
| date | string | Date value |
| content-type | string | Type of the resource |
| content-length | string | Response content |
| connection | string | Output field connection |
| content-encoding | string | Response content |
| strict-transport-security | string | Output field strict-transport-security |
| x-cs-region | string | Output field x-cs-region |
| x-cs-traceid | string | Unique identifier |
| x-ratelimit-limit | string | Output field x-ratelimit-limit |
| x-ratelimit-remaining | string | Output field x-ratelimit-remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| resources | array | Output field resources |
| id | string | Unique identifier |
| customer_id | string | Unique identifier |
| user_uuid | string | Unique identifier |
| user_id | string | Unique identifier |
| type | string | Type of the resource |
| scheduled_report_id | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "headers": {
      "server": "nginx",
      "date": "Tue, 28 May 2024 18:00:53 GMT",
      "content-type": "application/json",
      "content-length": "464",
      "connection": "keep-alive",
      "content-encoding": "gzip",
      "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "x-cs-region": "us-1",
      "x-cs-traceid": "a8f42c6a-9965-4d85-939c-ab5a81a50e63",
      "x-ratelimit-limit": "6000",
      "x-ratelimit-remaining": "5999"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Get Reports

Fetches threat intelligence reports from CrowdStrike Falcon using specified report IDs.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | array | Required | ID of a report |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| server | string | Output field server |
| date | string | Date value |
| content-type | string | Type of the resource |
| transfer-encoding | string | Output field transfer-encoding |
| connection | string | Output field connection |
| content-encoding | string | Response content |
| strict-transport-security | string | Output field strict-transport-security |
| x-cs-region | string | Output field x-cs-region |
| x-cs-traceid | string | Unique identifier |
| x-ratelimit-limit | string | Output field x-ratelimit-limit |
| x-ratelimit-remaining | string | Output field x-ratelimit-remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| quota | object | Output field quota |
| total | number | Output field total |
| used | number | Output field used |
| in_progress | number | Output field in_progress |
| resources | array | Output field resources |
| id | string | Unique identifier |
| cid | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": { "content-type": "application/json", "date": "Thu, 01 Jan 2024 00:00:00 GMT" },
    "reason": "OK",
```
"headers" { "server" "string", "date" "2024 01 01t00 00 00z", "content type" "string", "transfer encoding" "string", "connection" "string", "content encoding" "string", "strict transport security" "string", "x cs region" "string", "x cs traceid" "string", "x ratelimit limit" "string", "x ratelimit remaining" "string" }, "body" { "meta" {}, "resources" \[], "errors" \[] } } ] get rtr put files retrieves files placed on hosts during real time response sessions in crowdstrike falcon v2 using specified file ids input argument name type required description ids array required file ids output parameter type description status code number http status code of the response headers object http headers for the request server string output field server date string date value content type string type of the resource content length string response content connection string output field connection content encoding string response content x cs region string output field x cs region x cs traceid string unique identifier x ratelimit limit string output field x ratelimit limit x ratelimit remaining string output field x ratelimit remaining strict transport security string output field strict transport security body object request body data meta object output field meta query time number time value powered by string output field powered by trace id string unique identifier resources array output field resources id string unique identifier name string name of the resource file type string type of the resource platform array output field platform size number output field size created by string output field created by example \[ { "status code" 200, "headers" { "server" "nginx", "date" "mon, 27 may 2024 17 10 02 gmt", "content type" "application/json", "content length" "477", "connection" "keep alive", "content encoding" "gzip", "x cs region" "us 1", "x cs traceid" "3acc8952 e34b 42c0 906d 92e1fbbd9863", "x ratelimit limit" "6000", "x ratelimit remaining" "5999", "strict transport 
security" "max age=31536000; includesubdomains" }, "body" { "meta" {}, "resources" \[], "errors" \[] } } ] get rtr scripts retrieves specified real time response (rtr) scripts from crowdstrike falcon using provided script ids input argument name type required description ids array required file ids output parameter type description status code number http status code of the response headers object http headers for the request server string output field server date string date value content type string type of the resource content length string response content connection string output field connection content encoding string response content x cs region string output field x cs region x cs traceid string unique identifier x ratelimit limit string output field x ratelimit limit x ratelimit remaining string output field x ratelimit remaining strict transport security string output field strict transport security body object request body data meta object output field meta query time number time value powered by string output field powered by trace id string unique identifier resources array output field resources id string unique identifier name string name of the resource description string output field description file type string type of the resource platform array output field platform size number output field size example \[ { "status code" 200, "headers" { "server" "nginx", "date" "tue, 28 may 2024 17 35 03 gmt", "content type" "application/json", "content length" "563", "connection" "keep alive", "content encoding" "gzip", "x cs region" "us 1", "x cs traceid" "226cf254 2b1d 4e8f a4b0 e76c41dfc0bd", "x ratelimit limit" "6000", "x ratelimit remaining" "5999", "strict transport security" "max age=31536000; includesubdomains" }, "body" { "meta" {}, "resources" \[], "errors" \[] } } ] get scans retrieve detailed results for specified scan ids in crowdstrike falcon v2, offering insights into conducted scans input argument name type required description ids array 
required id of a submitted scan to retrieve output parameter type description status code number http status code of the response headers object http headers for the request body object request body data example \[ { "status code" 200, "headers" {}, "body" {} } ] get sensor details retrieve detailed information for specified sensors in crowdstrike falcon using sensor ids provided in the request input argument name type required description ids array required the host agent ids used to get details on output parameter type description status code number http status code of the response headers object http headers for the request body object request body data example \[ { "status code" 200, "headers" {}, "body" {} } ] get summary retrieve a summary for a specified vertex type in crowdstrike falcon v2, requiring the 'vertex type' path parameter endpoint url /threatgraph/combined/{{vertex type}}/summary/v1 method get input argument name type required description vertex type string required type of vertex to get properties for ids array optional vertex id to get details for scope string optional scope of the request nano boolean optional return nano precision entity timestamps output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" {}, "reason" "ok", "json body" {} } ] get vertices retrieve metadata for a specified vertex type in crowdstrike falcon v2, requiring a vertex id as a path parameter endpoint url /threatgraph/entities/{{vertex type}}/v2 method get input argument name type required description vertex type string required type of vertex to get properties for ids array optional vertex id to get details for scope string optional scope of the request nano boolean optional return nano precision entity timestamps output parameter type description status code number http status code of the response reason string response reason phrase example \[ { 
"status code" 200, "response headers" {}, "reason" "ok", "json body" {} } ] init rtr session initiates a real time response (rtr) session in crowdstrike falcon using a device id, with an option to queue if the device is offline input argument name type required description device id string required the host agent id to refresh the rtr session on origin string optional origin of the request queue offline boolean required flag indicating if this should be queued to pulse after the host returns to service timeout number optional timeout for how long to wait for the request in seconds defaults to 30 with maximum 600 timeout duration string optional timeout duration for how long to wait for the request in duration syntax output parameter type description status code number http status code of the response headers object http headers for the request server string output field server date string date value content type string type of the resource transfer encoding string output field transfer encoding connection string output field connection content encoding string response content x cs region string output field x cs region x cs traceid string unique identifier x ratelimit limit string output field x ratelimit limit x ratelimit remaining string output field x ratelimit remaining strict transport security string output field strict transport security body object request body data meta object output field meta query time number time value powered by string output field powered by trace id string unique identifier resources array output field resources session id string unique identifier scripts array output field scripts command string output field command description string output field description examples string output field examples internal only boolean output field internal only example \[ { "status code" 201, "headers" { "server" "nginx", "date" "sun, 26 may 2024 16 47 17 gmt", "content type" "application/json", "transfer encoding" "chunked", "connection" "keep 
alive", "content encoding" "gzip", "x cs region" "us 1", "x cs traceid" "c18de5c7 28b6 4edb a43a 696049e0fec4", "x ratelimit limit" "6000", "x ratelimit remaining" "5999", "strict transport security" "max age=31536000; includesubdomains" }, "body" { "meta" {}, "resources" \[], "errors" \[] } } ] lift contained endpoint removes containment from a specified host in your environment using the crowdstrike falcon v2 platform, requiring host 'ids' input argument name type required description action name string optional action name ids array required the host agent id (aid) of the host you want to impact if you provide ids to the method using this keyword, you do not have to provide a body payload output parameter type description status code number http status code of the response headers object http headers for the request server string output field server date string date value content type string type of the resource content length string response content connection string output field connection content encoding string response content strict transport security string output field strict transport security x cs region string output field x cs region x cs traceid string unique identifier x ratelimit limit string output field x ratelimit limit x ratelimit remaining string output field x ratelimit remaining body object request body data meta object output field meta query time number time value powered by string output field powered by trace id string unique identifier resources array output field resources id string unique identifier path string output field path errors array error message if any file name string name of the resource file string output field file example \[ { "status code" 202, "headers" { "server" "nginx", "date" "mon, 10 jun 2024 09 21 46 gmt", "content type" "application/json", "content length" "216", "connection" "keep alive", "content encoding" "gzip", "strict transport security" "max age=15724800; includesubdomains, max age=31536000; 
includesubdomains", "x cs region" "us 1", "x cs traceid" "012d36b3 bfe8 4563 a037 aa7db99ae68f", "x ratelimit limit" "6000", "x ratelimit remaining" "5998" }, "body" { "meta" {}, "resources" \[], "errors" \[] } } ] list all rtr sessions retrieve an overview of all active and historical real time response sessions in crowdstrike falcon input argument name type required description limit number optional maximum number of records to return max 5000 offset number optional starting index of overall result set from which to return ids filter string optional fql query expression that should be used to limit the results sort string optional the property to sort by output parameter type description status code number http status code of the response headers object http headers for the request server string output field server date string date value content type string type of the resource content length string response content connection string output field connection content encoding string response content x cs region string output field x cs region x cs traceid string unique identifier x ratelimit limit string output field x ratelimit limit x ratelimit remaining string output field x ratelimit remaining strict transport security string output field strict transport security body object request body data meta object output field meta query time number time value pagination object output field pagination offset number output field offset limit number output field limit total number output field total powered by string output field powered by trace id string unique identifier resources array output field resources errors array error message if any file name string name of the resource example \[ { "status code" 200, "headers" { "server" "nginx", "date" "sun, 26 may 2024 16 18 03 gmt", "content type" "application/json", "content length" "436", "connection" "keep alive", "content encoding" "gzip", "x cs region" "us 1", "x cs traceid" "8a850895 10ba 443b bf4f e1b67358bf85", "x 
ratelimit limit" "6000", "x ratelimit remaining" "5999", "strict transport security" "max age=31536000; includesubdomains" }, "body" { "meta" {}, "resources" \[], "errors" \[] } } ] list available streams retrieve all event streams from the crowdstrike falcon v2 environment using a specified app id input argument name type required description app id string required label that identifies your connection maximum 32 alphanumeric characters (a z, a z, 0 9) format string optional format for streaming events output parameter type description status code number http status code of the response headers object http headers for the request server string output field server date string date value content type string type of the resource content length string response content connection string output field connection content encoding string response content x cs region string output field x cs region x cs traceid string unique identifier x ratelimit limit string output field x ratelimit limit x ratelimit remaining string output field x ratelimit remaining strict transport security string output field strict transport security example \[ { "status code" 200, "headers" { "server" "nginx", "date" "fri, 20 sep 2024 08 04 38 gmt", "content type" "application/json", "content length" "215", "connection" "keep alive", "content encoding" "gzip", "x cs region" "us 1", "x cs traceid" "2b13ff37 6ffc 40cb 8027 1b702cd13ccb", "x ratelimit limit" "6000", "x ratelimit remaining" "5996", "strict transport security" "max age=31536000; includesubdomains" }, "json body" {} } ] list host vulnerabilities retrieve a list of host vulnerabilities from crowdstrike falcon v2 using an fql filter to return matching vulnerability ids input argument name type required description after string optional a pagination token used with the limit parameter to manage pagination of results on your first request, don't provide an after token limit number optional the number of items to return in this response sort 
string optional full query string parameters payload in json format filter string required sort vulnerabilities by their properties output parameter type description status code number http status code of the response headers object http headers for the request server string output field server date string date value content type string type of the resource content length string response content connection string output field connection x content type options string type of the resource x cs traceid string unique identifier x ratelimit limit string output field x ratelimit limit x ratelimit remaining string output field x ratelimit remaining strict transport security string output field strict transport security body object request body data meta object output field meta query time number time value powered by string output field powered by trace id string unique identifier errors array error message if any file name string name of the resource file string output field file example \[ { "status code" 200, "headers" { "server" "nginx", "date" "mon, 10 jun 2024 10 31 46 gmt", "content type" "application/json", "content length" "231", "connection" "keep alive", "x content type options" "nosniff", "x cs traceid" "1a41eb4c eb2e 4a10 a8e0 da0fd3322018", "x ratelimit limit" "15", "x ratelimit remaining" "14", "strict transport security" "max age=31536000; includesubdomains" }, "body" { "meta" {}, "errors" \[] } } ] list rtr falcon scripts retrieve available real time response scripts from crowdstrike falcon for remote host execution input argument name type required description filter string optional optional filter criteria in the form of an fql query offset number optional starting index of overall result set from which to return id's limit number optional number of id's to return sort string optional sort by spec ex 'created at output parameter type description status code number http status code of the response headers object http headers for the request server string 
output field server date string date value content type string type of the resource content length string response content connection string output field connection content encoding string response content x cs region string output field x cs region x cs traceid string unique identifier x ratelimit limit string output field x ratelimit limit x ratelimit remaining string output field x ratelimit remaining strict transport security string output field strict transport security body object request body data meta object output field meta query time number time value pagination object output field pagination offset number output field offset limit number output field limit total number output field total powered by string output field powered by trace id string unique identifier resources array output field resources errors array error message if any file name string name of the resource example \[ { "status code" 200, "headers" { "server" "nginx", "date" "mon, 27 may 2024 06 19 58 gmt", "content type" "application/json", "content length" "397", "connection" "keep alive", "content encoding" "gzip", "x cs region" "us 1", "x cs traceid" "0873f04c 1e64 48a5 9613 17d4f5bc1cdb", "x ratelimit limit" "6000", "x ratelimit remaining" "5999", "strict transport security" "max age=31536000; includesubdomains" }, "body" { "meta" {}, "resources" \[], "errors" \[] } } ] list rtr files retrieve a list of files from real time response sessions in crowdstrike falcon using the provided session id input argument name type required description session id string required rtr session id output parameter type description status code number http status code of the response headers object http headers for the request server string output field server date string date value content type string type of the resource content length string response content connection string output field connection content encoding string response content x cs region string output field x cs region x cs traceid string 
unique identifier x ratelimit limit string output field x ratelimit limit x ratelimit remaining string output field x ratelimit remaining strict transport security string output field strict transport security body object request body data meta object output field meta query time number time value powered by string output field powered by trace id string unique identifier resources array output field resources errors array error message if any file name string name of the resource file string output field file example \[ { "status code" 200, "headers" { "server" "nginx", "date" "mon, 27 may 2024 05 27 36 gmt", "content type" "application/json", "content length" "158", "connection" "keep alive", "content encoding" "gzip", "x cs region" "us 1", "x cs traceid" "51a5a683 e7b8 42a9 9bb7 9d0b5f77a3e5", "x ratelimit limit" "6000", "x ratelimit remaining" "5998", "strict transport security" "max age=31536000; includesubdomains" }, "body" { "meta" {}, "resources" \[], "errors" \[] } } ] perform action executes containment, lifting, deletion, or restoration actions on hosts identified by unique ids in crowdstrike falcon input argument name type required description action name string required specify one of the actions to perform the action ids array required the host agent id (aid) of the host you want to impact if you provide ids to the method using this keyword, you do not have to provide a body payload (service class usage only) a maximum of 100 ids may be provided to this keyword output parameter type description status code number http status code of the response headers object http headers for the request server string output field server date string date value content type string type of the resource content length string response content connection string output field connection content encoding string response content strict transport security string output field strict transport security x cs region string output field x cs region x cs traceid string unique 
identifier x ratelimit limit string output field x ratelimit limit x ratelimit remaining string output field x ratelimit remaining body object request body data meta object output field meta query time number time value powered by string output field powered by trace id string unique identifier resources array output field resources id string unique identifier path string output field path errors array error message if any file name string name of the resource file string output field file example \[ { "status code" 202, "headers" { "server" "nginx", "date" "fri, 20 sep 2024 08 16 47 gmt", "content type" "application/json", "content length" "217", "connection" "keep alive", "content encoding" "gzip", "strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains", "x cs region" "us 1", "x cs traceid" "35b0eb2c 1375 4f13 b902 03fe20a7943c", "x ratelimit limit" "6000", "x ratelimit remaining" "5994" }, "body" { "meta" {}, "resources" \[], "errors" \[] } } ] query alerts retrieve a list of alerts from crowdstrike falcon using specified criteria to enable targeted security responses input argument name type required description offset number optional the first alert to return, where 0 is the latest alert limit number optional the maximum number of alerts to return in this response include hidden boolean optional allows previously hidden alerts to be retrieved sort string optional sort alerts using the fql filter filter string optional filter alerts using a query in falcon query language (fql) q string optional search all alert metadata for the provided string output parameter type description status code number http status code of the response headers object http headers for the request server string output field server date string date value content type string type of the resource content length string response content connection string output field connection content encoding string response content strict transport security 
string output field strict transport security x cs region string output field x cs region x cs traceid string unique identifier x ratelimit limit string output field x ratelimit limit x ratelimit remaining string output field x ratelimit remaining body object request body data meta object output field meta query time number time value pagination object output field pagination offset number output field offset limit number output field limit total number output field total writes object output field writes resources affected number output field resources affected powered by string output field powered by trace id string unique identifier resources array output field resources example \[ { "status code" 200, "headers" { "server" "nginx", "date" "mon, 27 may 2024 09 03 20 gmt", "content type" "application/json", "content length" "475", "connection" "keep alive", "content encoding" "gzip", "strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains", "x cs region" "us 1", "x cs traceid" "88c181db 510b 4386 a7e3 c8ccff94aca7", "x ratelimit limit" "6000", "x ratelimit remaining" "5999" }, "body" { "meta" {}, "resources" \[], "errors" \[] } } ] query crowdscore retrieve the crowdscore for entities from crowdstrike falcon v2 to assess their risk levels input argument name type required description filter string optional fql syntax formatted string used to limit the results offset number optional starting index of overall result set from which to return ids limit number optional maximum number of records to return sort string optional the property to sort by (ex modified timestamp desc) output parameter type description status code number http status code of the response headers object http headers for the request server string output field server date string date value content type string type of the resource content length string response content connection string output field connection content encoding string response content 
strict transport security string output field strict transport security x cs region string output field x cs region x cs traceid string unique identifier x ratelimit limit string output field x ratelimit limit x ratelimit remaining string output field x ratelimit remaining body object request body data meta object output field meta query time number time value pagination object output field pagination offset number output field offset limit number output field limit total number output field total powered by string output field powered by trace id string unique identifier resources array output field resources id string unique identifier cid string unique identifier example \[ { "status code" 200, "headers" { "server" "nginx", "date" "thu, 30 may 2024 18 12 05 gmt", "content type" "application/json", "content length" "375", "connection" "keep alive", "content encoding" "gzip", "strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains", "x cs region" "us 1", "x cs traceid" "d4d5beb0 aec6 469b 9b39 469db91b9349", "x ratelimit limit" "6000", "x ratelimit remaining" "5999" }, "body" { "meta" {}, "resources" \[], "errors" \[] } } ] query detections retrieve a list of detection events from crowdstrike falcon based on specified criteria input argument name type required description limit number optional the maximum number of detections to return in this response (default 100; max 9999) offset number optional the first detection to return, where 0 is the latest detection filter string optional filter detections using a query in falcon query language (fql) an asterisk wildcard includes all results sort string optional parameter for query detections q string optional search all detection metadata for the provided string output parameter type description status code number http status code of the response headers object http headers for the request server string output field server date string date value content type string type of 
the resource content length string response content connection string output field connection content encoding string response content strict transport security string output field strict transport security x cs region string output field x cs region x cs traceid string unique identifier x ratelimit limit string output field x ratelimit limit x ratelimit remaining string output field x ratelimit remaining body object request body data meta object output field meta query time number time value pagination object output field pagination offset number output field offset limit number output field limit total number output field total powered by string output field powered by trace id string unique identifier resources array output field resources errors array error message if any file name string name of the resource example \[ { "status code" 200, "headers" { "server" "nginx", "date" "fri, 24 may 2024 19 08 54 gmt", "content type" "application/json", "content length" "407", "connection" "keep alive", "content encoding" "gzip", "strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains", "x cs region" "us 1", "x cs traceid" "65fa2703 fedf 4e5c aaf2 89a06e4f4297", "x ratelimit limit" "6000", "x ratelimit remaining" "5999" }, "body" { "meta" {}, "resources" \[], "errors" \[] } } ] query host by indicator retrieve details of hosts associated with a specific indicator in crowdstrike falcon v2, requiring 'type' and 'value' parameters input argument name type required description type string required type of the resource value string required value for the parameter limit number optional parameter for query host by indicator offset number optional parameter for query host by indicator output parameter type description status code number http status code of the response headers object http headers for the request server string output field server date string date value content type string type of the resource content length string 
| Content-Length | string | Response content |
| Connection | string | Output field Connection |
| Content-Encoding | string | Response content |
| Strict-Transport-Security | string | Output field Strict-Transport-Security |
| X-CS-Region | string | Output field X-CS-Region |
| X-CS-TRACEID | string | Unique identifier |
| X-RateLimit-Limit | string | Output field X-RateLimit-Limit |
| X-RateLimit-Remaining | string | Output field X-RateLimit-Remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| pagination | object | Output field pagination |
| offset | string | Output field offset |
| limit | number | Output field limit |
| trace_id | string | Unique identifier |
| entity | string | Output field entity |
| resources | array | Output field resources |
| errors | array | Error message if any |
| file_name | string | Name of the resource |
| file | string | Output field file |

Example:

```json
[
  {
    "status_code": 200,
    "headers": {
      "Server": "nginx",
      "Date": "Mon, 27 May 2024 17:45:39 GMT",
      "Content-Type": "application/json",
      "Content-Length": "249",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "X-CS-Region": "us-1",
      "X-CS-TRACEID": "7dfddaf4-fec6-492b-a5be-9a11fe0b5bcc",
      "X-RateLimit-Limit": "6000",
      "X-RateLimit-Remaining": "5999"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Query Identity Protection by GraphQL

Executes a GraphQL query for Identity Protection in CrowdStrike Falcon using the 'query' parameter.

Input Argument

| Name | Type | Required | Description |
|------|------|----------|-------------|
| query | string | Required | JSON-similar formatted query to perform |
| variables | object | Optional | Dictionary of variables to provide to the query |

Output

| Parameter | Type | Description |
|-----------|------|-------------|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| Server | string | Output field Server |
| Date | string | Date value |
| Content-Type | string | Type of the resource |
| Content-Length | string | Response content |
| Connection | string | Output field Connection |
| Content-Encoding | string | Response content |
| X-CS-Region | string | Output field X-CS-Region |
| X-CS-TRACEID | string | Unique identifier |
| X-RateLimit-Limit | string | Output field X-RateLimit-Limit |
| X-RateLimit-Remaining | string | Output field X-RateLimit-Remaining |
| Strict-Transport-Security | string | Output field Strict-Transport-Security |

Example:

```json
[
  {
    "status_code": 200,
    "headers": {
      "Server": "nginx",
      "Date": "Fri, 20 Sep 2024 07:50:03 GMT",
      "Content-Type": "application/json",
      "Content-Length": "456",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "X-CS-Region": "us-1",
      "X-CS-TRACEID": "0186811e-4b00-49d8-a9e6-e7b2f59f5f87",
      "X-RateLimit-Limit": "6000",
      "X-RateLimit-Remaining": "5996",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "json_body": {}
  }
]
```

### Query Indicator

Retrieve threat intelligence indicators from CrowdStrike Falcon using specified criteria to enhance security insights.

Input Argument

| Name | Type | Required | Description |
|------|------|----------|-------------|
| limit | number | Optional | Maximum number of results to return |
| offset | number | Optional | The offset to start retrieving records from |
| filter | string | Optional | FQL-syntax formatted filter that should be used to limit the results |
| from_parent | boolean | Optional | Return results for the parent only |
| sort | string | Optional | FQL-syntax formatted sort filter |
| after | string | Optional | A pagination token used with the limit parameter to manage pagination of results |

Output

| Parameter | Type | Description |
|-----------|------|-------------|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| Server | string | Output field Server |
| Date | string | Date value |
| Content-Type | string | Type of the resource |
| Content-Length | string | Response content |
| Connection | string | Output field Connection |
| Content-Encoding | string | Response content |
| Strict-Transport-Security | string | Output field Strict-Transport-Security |
| X-CS-Region | string | Output field X-CS-Region |
| X-CS-TRACEID | string | Unique identifier |
| X-RateLimit-Limit | string | Output field X-RateLimit-Limit |
| X-RateLimit-Remaining | string | Output field X-RateLimit-Remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| pagination | object | Output field pagination |
| limit | number | Output field limit |
| total | number | Output field total |
| offset | number | Output field offset |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| resources | array | Output field resources |
| errors | array | Error message if any |
| file_name | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "headers": {
      "Server": "nginx",
      "Date": "Fri, 24 May 2024 07:39:09 GMT",
      "Content-Type": "application/json",
      "Content-Length": "522",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "X-CS-Region": "us-1",
      "X-CS-TRACEID": "3145c559-d52e-425f-8a3f-798060f0be55",
      "X-RateLimit-Limit": "6000",
      "X-RateLimit-Remaining": "5999"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Query Reports

Retrieve a list of reports from CrowdStrike Falcon using specified query criteria.

Input Argument

| Name | Type | Required | Description |
|------|------|----------|-------------|
| filter | string | Optional | Optional filter and sort criteria in the form of an FQL query |
| offset | number | Optional | Starting index of overall result set from which to return IDs |
| limit | number | Optional | The maximum records to return (max 5000) |
| sort | string | Optional | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc |

Output

| Parameter | Type | Description |
|-----------|------|-------------|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| Server | string | Output field Server |
| Date | string | Date value |
| Content-Type | string | Type of the resource |
| Content-Length | string | Response content |
| Connection | string | Output field Connection |
| Content-Encoding | string | Response content |
| Strict-Transport-Security | string | Output field Strict-Transport-Security |
| X-CS-Region | string | Output field X-CS-Region |
| X-CS-TRACEID | string | Unique identifier |
| X-RateLimit-Limit | string | Output field X-RateLimit-Limit |
| X-RateLimit-Remaining | string | Output field X-RateLimit-Remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| pagination | object | Output field pagination |
| offset | number | Output field offset |
| limit | number | Output field limit |
| total | number | Output field total |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| quota | object | Output field quota |
| total | number | Output field total |
| used | number | Output field used |

Example:

```json
[
  {
    "status_code": 200,
    "headers": {
      "Server": "nginx",
      "Date": "Mon, 27 May 2024 10:28:27 GMT",
      "Content-Type": "application/json",
      "Content-Length": "301",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "X-CS-Region": "us-1",
      "X-CS-TRACEID": "0c39193e-9bec-4bb9-a498-d49d076014ed",
      "X-RateLimit-Limit": "6000",
      "X-RateLimit-Remaining": "5999"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Query Sensors

Retrieve sensor details and status for endpoint monitoring within the CrowdStrike Falcon environment.

Input Argument

| Name | Type | Required | Description |
|------|------|----------|-------------|
| limit | number | Optional | The maximum records to return [1-200] |
| offset | number | Optional | The offset to start retrieving records from |
| filter | string | Optional | The filter expression that should be used to limit the results |
| sort | string | Optional | The property to sort by (e.g. status.desc or hostname.asc) |

Output

| Parameter | Type | Description |
|-----------|------|-------------|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| body | object | Request body data |

Example:

```json
[
  {
    "status_code": 200,
    "headers": {},
    "body": {}
  }
]
```

### Query Submissions

Retrieve detailed information on submissions, including status and results, from CrowdStrike Falcon V2.

Input Argument

| Name | Type | Required | Description |
|------|------|----------|-------------|
| filter | string | Optional | Optional filter and sort criteria in the form of an FQL query |
| limit | number | Optional | The maximum records to return (max 5000) |
| offset | number | Optional | Starting index of overall result set from which to return IDs |
| sort | string | Optional | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc |

Output

| Parameter | Type | Description |
|-----------|------|-------------|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| Server | string | Output field Server |
| Date | string | Date value |
| Content-Type | string | Type of the resource |
| Content-Length | string | Response content |
| Connection | string | Output field Connection |
| Content-Encoding | string | Response content |
| X-CS-Region | string | Output field X-CS-Region |
| X-CS-TRACEID | string | Unique identifier |
| X-RateLimit-Limit | string | Output field X-RateLimit-Limit |
| X-RateLimit-Remaining | string | Output field X-RateLimit-Remaining |
| Strict-Transport-Security | string | Output field Strict-Transport-Security |
| body | object | Request body data |
| errors | array | Error message if any |
| code | number | Output field code |
| id | string | Unique identifier |
| message | string | Response message |
| meta | object | Output field meta |
| pagination | object | Output field pagination |
| limit | number | Output field limit |
| offset | number | Output field offset |
| total | number | Output field total |
| powered_by | string | Output field powered_by |
| query_time | number | Time value |

Example:

```json
[
  {
    "status_code": 200,
    "headers": {
      "Server": "nginx",
      "Date": "Fri, 20 Sep 2024 07:50:03 GMT",
      "Content-Type": "application/json",
      "Content-Length": "456",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "X-CS-Region": "us-1",
      "X-CS-TRACEID": "0186811e-4b00-49d8-a9e6-e7b2f59f5f87",
      "X-RateLimit-Limit": "6000",
      "X-RateLimit-Remaining": "5996",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "body": { "errors": [], "meta": {}, "resources": [] }
  }
]
```

### Refresh Active Stream Session

Renews an active event stream session in CrowdStrike Falcon V2 using the specified partition and app ID for uninterrupted monitoring.

Input Argument

| Name | Type | Required | Description |
|------|------|----------|-------------|
| partition | number | Required | Partition to request data for. If you are using the service class, this will default to 0 when not specified |
| action_name | string | Required | The name of the action to perform. The only allowed value is refresh_active_stream_session. Defaults to this value if not present when using the service class |
| app_id | string | Required | Label that identifies your connection. Maximum 32 alphanumeric characters (a-z, A-Z, 0-9) |

Output

| Parameter | Type | Description |
|-----------|------|-------------|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| Server | string | Output field Server |
| Date | string | Date value |
| Content-Type | string | Type of the resource |
| Content-Length | string | Response content |
| Connection | string | Output field Connection |
| Content-Encoding | string | Response content |
| X-CS-Region | string | Output field X-CS-Region |
| X-CS-TRACEID | string | Unique identifier |
| X-RateLimit-Limit | string | Output field X-RateLimit-Limit |
| X-RateLimit-Remaining | string | Output field X-RateLimit-Remaining |
| Strict-Transport-Security | string | Output field Strict-Transport-Security |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| errors | array | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "headers": {
      "Server": "nginx",
      "Date": "Fri, 20 Sep 2024 07:50:03 GMT",
      "Content-Type": "application/json",
      "Content-Length": "456",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "X-CS-Region": "us-1",
      "X-CS-TRACEID": "0186811e-4b00-49d8-a9e6-e7b2f59f5f87",
      "X-RateLimit-Limit": "6000",
      "X-RateLimit-Remaining": "5996",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "body": { "meta": {}, "errors": [] }
  }
]
```

### RTR Get Batch Get Cmd

Retrieves the status and results of a specified batch get command in CrowdStrike Falcon V2 using the provided batch_get_cmd_req_id.

Input Argument

| Name | Type | Required | Description |
|------|------|----------|-------------|
| batch_get_cmd_req_id | string | Required | Batch get command request ID (usually retrieved when making a call to BatchGetCmd) |
| timeout | number | Optional | Timeout for how long to wait for the request in seconds. Default timeout is 30 seconds |
| timeout_duration | string | Optional | Parameter for RTR Get Batch Get Cmd |

Output

| Parameter | Type | Description |
|-----------|------|-------------|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| Server | string | Output field Server |
| Date | string | Date value |
| Content-Type | string | Type of the resource |
| Content-Length | string | Response content |
| Connection | string | Output field Connection |
| Content-Encoding | string | Response content |
| X-CS-Region | string | Output field X-CS-Region |
| X-CS-TRACEID | string | Unique identifier |
| X-RateLimit-Limit | string | Output field X-RateLimit-Limit |
| X-RateLimit-Remaining | string | Output field X-RateLimit-Remaining |
| Strict-Transport-Security | string | Output field Strict-Transport-Security |
| body | object | Request body data |
| errors | array | Error message if any |
| code | number | Output field code |
| id | string | Unique identifier |
| message | string | Response message |
| meta | object | Output field meta |
| pagination | object | Output field pagination |
| limit | number | Output field limit |
| offset | number | Output field offset |
| total | number | Output field total |
| powered_by | string | Output field powered_by |
| query_time | number | Time value |

Example:

```json
[
  {
    "status_code": 200,
    "headers": {
      "Server": "nginx",
      "Date": "Tue, 11 Jun 2024 05:37:32 GMT",
      "Content-Type": "application/json",
      "Content-Length": "210",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "X-CS-Region": "us-1",
      "X-CS-TRACEID": "ffa4bb9b-3c9b-4178-b0f1-aab2c8c5ca76",
      "X-RateLimit-Limit": "6000",
      "X-RateLimit-Remaining": "5999",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "body": { "errors": [], "meta": {}, "resources": {} }
  }
]
```

### RTR Post Batch Get Cmd

Executes a batch 'get' command on multiple hosts in CrowdStrike Falcon V2 to retrieve files, with results available through the BatchGetCmdStatus endpoint.

Endpoint Method: GET

Input Argument

| Name | Type | Required | Description |
|------|------|----------|-------------|
| batch_id | string | Optional | Unique identifier |
| file_path | string | Optional | Parameter for RTR Post Batch Get Cmd |
| optional_hosts | array | Optional | Parameter for RTR Post Batch Get Cmd |
| timeout | number | Optional | Parameter for RTR Post Batch Get Cmd |
| timeout_duration | string | Optional | Parameter for RTR Post Batch Get Cmd |
| host_timeout_duration | string | Optional | Parameter for RTR Post Batch Get Cmd |

Output

| Parameter | Type | Description |
|-----------|------|-------------|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| Server | string | Output field Server |
| Date | string | Date value |
| Content-Type | string | Type of the resource |
| Content-Length | string | Response content |
| Connection | string | Output field Connection |
| Content-Encoding | string | Response content |
| X-CS-Region | string | Output field X-CS-Region |
| X-CS-TRACEID | string | Unique identifier |
| X-RateLimit-Limit | string | Output field X-RateLimit-Limit |
| X-RateLimit-Remaining | string | Output field X-RateLimit-Remaining |
| Strict-Transport-Security | string | Output field Strict-Transport-Security |
| body | object | Request body data |
| batch_get_cmd_req_id | string | Unique identifier |
| combined | object | Output field combined |
| resources | object | Output field resources |
| additionalProp1 | object | Output field additionalProp1 |
| aid | string | Unique identifier |
| base_command | string | Output field base_command |
| complete | boolean | Output field complete |
| errors | array | Error message if any |
| offline_queued | boolean | Output field offline_queued |
| query_time | number | Time value |
| sequence_id | number | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "headers": {
      "Server": "nginx",
      "Date": "Tue, 11 Jun 2024 05:37:32 GMT",
      "Content-Type": "application/json",
      "Content-Length": "210",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "X-CS-Region": "us-1",
      "X-CS-TRACEID": "ffa4bb9b-3c9b-4178-b0f1-aab2c8c5ca76",
      "X-RateLimit-Limit": "6000",
      "X-RateLimit-Remaining": "5999",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "body": { "batch_get_cmd_req_id": "string", "combined": {}, "errors": [], "meta": {} }
  }
]
```

### Search Host

Retrieve detailed host information from the CrowdStrike Falcon environment based on specified search criteria.

Input Argument

| Name | Type | Required | Description |
|------|------|----------|-------------|
| offset | number | Optional | The offset to start retrieving records from |
| limit | number | Optional | The maximum records to return [1-5000] |
| sort | string | Optional | The property to sort by (e.g. status.desc or hostname.asc) |
| filter | string | Optional | The filter expression that should be used to limit the results |

Output

| Parameter | Type | Description |
|-----------|------|-------------|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| Server | string | Output field Server |
| Date | string | Date value |
| Content-Type | string | Type of the resource |
| Content-Length | string | Response content |
| Connection | string | Output field Connection |
| Content-Encoding | string | Response content |
| Strict-Transport-Security | string | Output field Strict-Transport-Security |
| X-CS-Region | string | Output field X-CS-Region |
| X-CS-TRACEID | string | Unique identifier |
| X-RateLimit-Limit | string | Output field X-RateLimit-Limit |
| X-RateLimit-Remaining | string | Output field X-RateLimit-Remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| pagination | object | Output field pagination |
| offset | number | Output field offset |
| limit | number | Output field limit |
| total | number | Output field total |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| resources | array | Output field resources |
| errors | array | Error message if any |
| file_name | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "headers": {
      "Server": "nginx",
      "Date": "Fri, 24 May 2024 18:21:07 GMT",
      "Content-Type": "application/json",
      "Content-Length": "411",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "X-CS-Region": "us-1",
      "X-CS-TRACEID": "35ff4175-dc74-45a7-969c-3707822de1ea",
      "X-RateLimit-Limit": "6000",
      "X-RateLimit-Remaining": "5999"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Submit File for Analysis

Submit a file for analysis to CrowdStrike Falcon V2 with SHA256, user tags, and environment ID.

Input Argument

| Name | Type | Required | Description |
|------|------|----------|-------------|
| action_script | string | Optional | Runtime script for sandbox analysis |
| command_line | string | Optional | Command line script passed to the submitted file at runtime. Max length: 2048 characters |
| document_password | string | Optional | Auto-filled for Adobe or Office files that prompt for a password. Max length: 32 characters |
| enable_tor | boolean | Optional | Deprecated, please use network_settings instead. If true, sandbox analysis routes network traffic via TOR |
| environment_id | number | Required | Specifies the sandbox environment used for analysis. Accepted values are 400: macOS Catalina 10.15, 300: Linux Ubuntu 16.04, 64-bit, 200: Android (static analysis), 160: Windows 10, 64-bit, 110: Windows 7, 64-bit and 100: Windows 7, 32-bit |
| network_settings | string | Optional | Specifies the sandbox network settings used for analysis |
| send_email_notification | boolean | Optional | Boolean indicating if an email notification should be sent |
| sha256 | string | Required | ID of the sample, which is a SHA256 hash value |
| submit_name | string | Optional | Name of the malware sample that's used for file type detection and analysis |
| system_date | string | Optional | Set a custom date in the format yyyy-MM-dd for the sandbox environment |
| system_time | string | Optional | Set a custom time in the format HH:mm for the sandbox environment |
| url | string | Optional | A web page or file URL. It can be HTTP(S) or FTP. The sha256 keyword must be unset if this keyword is used |
| user_tags | array | Required | User tags |

Output

| Parameter | Type | Description |
|-----------|------|-------------|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| Server | string | Output field Server |
| Date | string | Date value |
| Content-Type | string | Type of the resource |
| Content-Length | string | Response content |
| Connection | string | Output field Connection |
| Content-Encoding | string | Response content |
| Strict-Transport-Security | string | Output field Strict-Transport-Security |
| X-CS-Region | string | Output field X-CS-Region |
| X-CS-TRACEID | string | Unique identifier |
| X-RateLimit-Limit | string | Output field X-RateLimit-Limit |
| X-RateLimit-Remaining | string | Output field X-RateLimit-Remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| quota | object | Output field quota |
| total | number | Output field total |
| used | number | Output field used |
| in_progress | number | Output field in_progress |
| resources | array | Output field resources |
| id | string | Unique identifier |
| cid | string | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "headers": {
      "Server": "nginx",
      "Date": "Thu, 30 May 2024 09:20:40 GMT",
      "Content-Type": "application/json",
      "Content-Length": "416",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "X-CS-Region": "us-1",
      "X-CS-TRACEID": "40292170-d8b7-40a2-b0f9-59fbc30d6c86",
      "X-RateLimit-Limit": "6000",
      "X-RateLimit-Remaining": "5998"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Update Alerts by ID

Updates specific alerts in CrowdStrike Falcon V2 using unique identifiers, with an option to include hidden alerts.

Input Argument

| Name | Type | Required | Description |
|------|------|----------|-------------|
| add_tag | string | Optional | Add a tag to 1 or more alert(s) |
| append_comment | string | Optional | Appends new comment to existing comments |
| assign_to_name | string | Optional | Assign 1 or more alert(s) to a user identified by user name |
| assign_to_user_id | string | Optional | Assign 1 or more alert(s) to a user identified by user ID (e.g. user1@example.com) |
| assign_to_uuid | string | Optional | A user ID (e.g. user@somewhere.com) to assign the alert to |
| ids | array | Required | Composite ID(s) of the alerts to update |
| new_behavior_processed | string | Optional | Adds a newly processed behavior to 1 or more alert(s) |
| remove_tag | string | Optional | Remove a tag from 1 or more alert(s) |
| remove_tags_by_prefix | string | Optional | Remove tags with given prefix from 1 or more alert(s) |
| show_in_ui | boolean | Optional | Boolean determining if this alert is displayed in the Falcon console. true: this alert is displayed in Falcon; false: this alert is not displayed in Falcon |
| unassign | string | Optional | Unassign a previously assigned user from 1 or more alert(s). The value passed to this action is ignored |
| update_status | string | Optional | Update status of the alert |
| include_hidden | boolean | Required | Allows previously hidden alerts to be retrieved |

Output

| Parameter | Type | Description |
|-----------|------|-------------|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| Server | string | Output field Server |
| Date | string | Date value |
| Content-Type | string | Type of the resource |
| Content-Length | string | Response content |
| Connection | string | Output field Connection |
| Content-Encoding | string | Response content |
| Strict-Transport-Security | string | Output field Strict-Transport-Security |
| X-CS-Region | string | Output field X-CS-Region |
| X-CS-TRACEID | string | Unique identifier |
| X-RateLimit-Limit | string | Output field X-RateLimit-Limit |
| X-RateLimit-Remaining | string | Output field X-RateLimit-Remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| writes | object | Output field writes |
| resources_affected | number | Output field resources_affected |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "headers": {
      "Server": "nginx",
      "Date": "Thu, 30 May 2024 06:13:34 GMT",
      "Content-Type": "application/json",
      "Content-Length": "161",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "X-CS-Region": "us-1",
      "X-CS-TRACEID": "d063bf0b-7622-428e-846d-646ab236ca3b",
      "X-RateLimit-Limit": "6000",
      "X-RateLimit-Remaining": "5999"
    },
    "body": { "meta": {} }
  }
]
```

### Update Indicator

Updates an existing indicator in the CrowdStrike Falcon platform with new intelligence or modifications, requiring a JSON body input.

Input Argument

| Name | Type | Required | Description |
|------|------|----------|-------------|
| bulk_update | object | Optional | Date value |
| action | string | Optional | Default action for IOC |
| applied_globally | boolean | Optional | Flag indicating this IOC is applied globally |
| description | string | Optional | IOC description |
| expiration | string | Optional | UTC formatted date string |
| from_parent | boolean | Optional | Return results for the parent only |
| host_groups | array | Optional | List of host groups this IOC applies to |
| metadata | object | Optional | Response data |
| filename | string | Optional | Filename to use for the metadata dictionary |
| mobile_action | string | Optional | Mobile action to perform |
| platforms | array | Optional | Platforms this IOC impacts |
| severity | string | Optional | IOC severity |
| source | string | Optional | IOC source |
| tags | array | Optional | IOC tags |
| filter | string | Optional | FQL-syntax formatted filter that should be used to filter indicators in bulk |
| type | string | Optional | IOC type |
| value | string | Optional | String representation of the IOC |
| comment | string | Optional | IOC comment |
| indicators | array | Optional | Parameter for Update Indicator |
| id | string | Optional | The indicator ID to be updated |
| action | string | Optional | Default action for IOC |
| applied_globally | boolean | Optional | Flag indicating this IOC is applied globally |
| description | string | Optional | IOC description |
| expiration | string | Optional | UTC formatted date string |
| from_parent | boolean | Optional | Return results for the parent only |

Output

| Parameter | Type | Description |
|-----------|------|-------------|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| Server | string | Output field Server |
| Date | string | Date value |
| Content-Type | string | Type of the resource |
| Content-Length | string | Response content |
| Connection | string | Output field Connection |
| Content-Encoding | string | Response content |
| Strict-Transport-Security | string | Output field Strict-Transport-Security |
| X-CS-Region | string | Output field X-CS-Region |
| X-CS-TRACEID | string | Unique identifier |
| X-RateLimit-Limit | string | Output field X-RateLimit-Limit |
| X-RateLimit-Remaining | string | Output field X-RateLimit-Remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| pagination | object | Output field pagination |
| limit | number | Output field limit |
| total | number | Output field total |
| powered_by | string | Output field powered_by |
| trace_id | string | Unique identifier |
| resources | array | Output field resources |
| file_name | string | Name of the resource |
| file | string | Output field file |
| errors | array | Error message if any |

Example:

```json
[
  {
    "status_code": 200,
    "headers": {
      "Server": "nginx",
      "Date": "Tue, 28 May 2024 06:29:11 GMT",
      "Content-Type": "application/json",
      "Content-Length": "192",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "X-CS-Region": "us-1",
      "X-CS-TRACEID": "0af52173-f617-4266-b0da-778f4e79af06",
      "X-RateLimit-Limit": "6000",
      "X-RateLimit-Remaining": "5998"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

### Upload File for Analysis

Upload a file to CrowdStrike Falcon V2 for comprehensive threat analysis, requiring 'file_data' as input.

Input Argument

| Name | Type | Required | Description |
|------|------|----------|-------------|
| data_body | object | Optional | Response data |
| comment | string | Optional | A descriptive comment to identify the file for other users |
| file_name | string | Optional | Name to use for the file. Uses current file name if not specified |
| is_confidential | boolean | Optional | Defines the visibility of this file in Falcon MalQuery, either via the API or the Falcon console. true: file is only shown to users within your customer account; false: file can be seen by other CrowdStrike customers |
| file_data | array | Required | Response data |
| file_name | string | Required | Name of the resource |
| file | string | Required | Parameter for Upload File for Analysis |

Output

| Parameter | Type | Description |
|-----------|------|-------------|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| Server | string | Output field Server |
| Date | string | Date value |
| Content-Type | string | Type of the resource |
| Content-Length | string | Response content |
| Connection | string | Output field Connection |
| Content-Encoding | string | Response content |
| Strict-Transport-Security | string | Output field Strict-Transport-Security |
| X-CS-Region | string | Output field X-CS-Region |
| X-CS-TRACEID | string | Unique identifier |
| X-RateLimit-Limit | string | Output field X-RateLimit-Limit |
| X-RateLimit-Remaining | string | Output field X-RateLimit-Remaining |
| body | object | Request body data |
| meta | object | Output field meta |
| query_time | number | Time value |
| trace_id | string | Unique identifier |
| resources | array | Output field resources |
| errors | array | Error message if any |
| file_name | string | Name of the resource |
| file | string | Output field file |

Example:

```json
[
  {
    "status_code": 200,
    "headers": {
      "Server": "nginx",
      "Date": "Wed, 29 May 2024 17:30:22 GMT",
      "Content-Type": "application/json",
      "Content-Length": "208",
      "Connection": "keep-alive",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
      "X-CS-Region": "us-1",
      "X-CS-TRACEID": "d1e81c8a-5b34-49e3-94b5-8cd04b60323d",
      "X-RateLimit-Limit": "6000",
      "X-RateLimit-Remaining": "5999"
    },
    "body": { "meta": {}, "resources": [], "errors": [] }
  }
]
```

## Response Headers

| Header | Description | Example |
|--------|-------------|---------|
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |

## Notes

This connector is implemented based on the CrowdStrike Falcon SDK (pip package crowdstrike-falconpy 1.4.3).

- CrowdStrike Falcon documentation: https://falcon.crowdstrike.com/support/documentation
- Alerts documentation: https://falconpy.io/Service-Collections/Alerts.html
- Detections documentation: https://falconpy.io/Service-Collections/Detects.html
- Falcon Sandbox: https://falconpy.io/Service-Collections/FalconX-Sandbox.html
- Host documentation: https://falconpy.io/Service-Collections/Hosts.html
- Identity Protection documentation: https://falconpy.io/Service-Collections/Identity-Protection.html
- Incidents documentation: https://falconpy.io/Service-Collections/Incidents.html
- Indicators documentation: https://falconpy.io/Service-Collections/IOC.html
- Real Time Response documentation: https://falconpy.io/Service-Collections/Real-Time-Response.html
- Real Time Response Admin documentation: https://falconpy.io/Service-Collections/Real-Time-Response-Admin.html
- Report Executions documentation: https://falconpy.io/Service-Collections/Report-Executions.html
- Scan documentation: https://falconpy.io/Service-Collections/Quick-Scan.html
- Event Stream documentation: https://falconpy.io/Service-Collections/Event-Streams.html
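Every query action above (Query Indicator, Query Reports, Query Sensors, Query Submissions, Search Host) returns the same envelope: a `status_code`, the `X-RateLimit-*` and `X-CS-TRACEID` headers, and a `body` carrying `meta.pagination` (`offset`, `limit`, `total`), `resources` and `errors`. The following is an added example, not Swimlane's or CrowdStrike's code, showing how a playbook step would walk that envelope safely: reject non-2xx responses and populated `errors[]` entries (quoting the trace ID for the support ticket), stop before the rate-limit budget is exhausted, and page with offset/limit until `pagination.total` is reached. The `query(offset, limit)` callable and the `make_fake_backend` data are assumptions constructed for the example; in Turbine the callable would wrap the action's output. Respect each action's documented maximum `limit` (200 for Query Sensors, 5000 for Search Host) when choosing `page_size`.

```python
"""Walk the paginated CrowdStrike-style response envelope documented above.

Added example; not part of the Swimlane connector or the falconpy SDK.
"""
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple

Response = Dict[str, Any]


class FalconApiError(Exception):
    """Raised when a connector-style response is not a clean success."""


def header(resp: Response, name: str) -> Optional[str]:
    """Case-insensitive lookup in the response 'headers' dict."""
    for key, value in (resp.get("headers") or {}).items():
        if key.lower() == name.lower():
            return value
    return None


def rate_limit_remaining(resp: Response) -> Optional[int]:
    """Parse X-RateLimit-Remaining, which the API returns as a string."""
    value = header(resp, "x-ratelimit-remaining")
    return int(value) if value is not None and value.isdigit() else None


def check_response(resp: Response) -> Dict[str, Any]:
    """Return the body if status is 2xx and errors[] is empty, else raise.

    errors[] entries follow the {code, id, message} shape listed above.
    """
    status = resp.get("status_code")
    body = resp.get("body") or {}
    errors = body.get("errors") or []
    if not (isinstance(status, int) and 200 <= status < 300) or errors:
        detail = "; ".join(f"{e.get('code')}: {e.get('message')}" for e in errors)
        raise FalconApiError(
            f"status={status} trace={header(resp, 'x-cs-traceid')}: {detail or 'no error detail'}"
        )
    return body


def paginate(query: Callable[[int, int], Response], page_size: int = 100,
             min_remaining: int = 50) -> Iterator[Any]:
    """Yield every resource from an offset/limit query, page by page.

    Stops when offset reaches meta.pagination.total or a page comes back empty,
    and raises before issuing a request that would drop the rate-limit budget
    below `min_remaining`, so a runaway loop cannot starve other playbooks.
    """
    offset = 0
    while True:
        resp = query(offset, page_size)
        body = check_response(resp)
        remaining = rate_limit_remaining(resp)
        if remaining is not None and remaining < min_remaining:
            raise FalconApiError(f"rate-limit budget low ({remaining} left); retry later")
        resources: List[Any] = body.get("resources") or []
        yield from resources
        total = ((body.get("meta") or {}).get("pagination") or {}).get("total")
        offset += len(resources)
        if not resources or (isinstance(total, int) and offset >= total):
            return


def safe_paginate(query: Callable[[int, int], Response],
                  page_size: int = 100) -> Tuple[List[Any], Optional[str]]:
    """Collect results and return (items, error_message) instead of raising."""
    items: List[Any] = []
    try:
        for item in paginate(query, page_size):
            items.append(item)
    except FalconApiError as exc:
        return items, str(exc)
    return items, None


# --- constructed stand-in for a query action such as Search Host -------------
SAMPLE_AIDS = [f"aid{i:04d}" for i in range(250)]  # constructed, not real agent IDs


def make_fake_backend(items: List[str], budget: int = 6000) -> Callable[[int, int], Response]:
    """Return a query(offset, limit) callable that pages over `items` and
    decrements a fake X-RateLimit-Remaining counter on every call."""
    state = {"remaining": budget}

    def query(offset: int, limit: int) -> Response:
        state["remaining"] -= 1
        return {
            "status_code": 200,
            "headers": {"X-RateLimit-Limit": str(budget),
                        "X-RateLimit-Remaining": str(state["remaining"]),
                        "X-CS-TRACEID": "00000000-0000-0000-0000-000000000000"},  # constructed
            "body": {"meta": {"query_time": 0.01,
                              "pagination": {"offset": offset, "limit": limit, "total": len(items)}},
                     "resources": items[offset:offset + limit], "errors": []},
        }
    return query


# Constructed failure response: an errors[] entry with the documented {code, id, message} shape.
ERROR_RESPONSE: Response = {
    "status_code": 403,
    "headers": {"X-CS-TRACEID": "00000000-0000-0000-0000-000000000000"},
    "body": {"errors": [{"code": 403, "id": "constructed", "message": "access denied"}], "meta": {}},
}
```

The guard on `X-RateLimit-Remaining` is deliberately placed before the page is yielded, so a caller that stops early because of the budget has not consumed a partial page it will re-request later.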