# CrowdStrike Falcon V2
The CrowdStrike Falcon V2 connector enables seamless integration with the CrowdStrike Falcon platform, providing access to a range of actions such as threat detection, incident response, and real-time system monitoring.

CrowdStrike Falcon V2 is a cutting-edge cybersecurity platform that leverages advanced threat detection and response capabilities. This connector enables seamless integration with Swimlane Turbine, allowing users to automate the creation, management, and analysis of threat indicators and Real Time Response scripts. Enhance your security posture by tapping into CrowdStrike's comprehensive telemetry and swift endpoint remediation directly from Swimlane's low-code automation platform.

## Asset Configuration or Prerequisites

Before you can use the CrowdStrike Falcon V2 connector for Turbine, ensure you have OAuth 2.0 client credentials for authentication with these parameters:

- URL: the base URL for the CrowdStrike Falcon API
- Client ID: your specific client identifier for OAuth 2.0 authentication
- Client Secret: the secret key associated with your Client ID for OAuth 2.0 authentication

## Capabilities

This connector has the following capabilities:

- Alerts: Get Alert Details, Query Alerts, Update Alerts by ID, Get Query Alerts, Post Aggregate Alerts
- Detections: Get Detections Summaries, Query Detections
- Falcon Sandbox: Get File Analysis, Get Reports, Query Reports, Submit File for Analysis, Upload File for Analysis
- Host: Get Host Info, Search Host, Lift Contained Endpoint, Perform Action
- Identity Protection: Get Sensor Details, Query Sensors, Query Identity Protection by GraphQL
- Incidents: Get Incidents, Get Behaviors, Query CrowdScore
- Indicators: Create Indicator, Get Indicators, Query Host by Indicator, Query Indicator, Update Indicator
- Real Time Response (RTR): Create RTR Scripts, Delete RTR File, Delete RTR Put Files, Delete RTR Scripts, Delete RTR Session, Execute RTR Command, Get RTR Put Files, Get RTR Scripts, Init RTR Session, List All RTR Sessions, List RTR Falcon Scripts, List RTR Files, RTR Get Batch Get Cmd, RTR Post Batch Get Cmd
- Report Executions: Get Report Executions, Download Report Execution
- Scan: Get Scans
- Spotlight Vulnerabilities: List Host Vulnerabilities
- Event Streams: List Available Streams, Refresh Active Stream Session
- ThreatGraph: Get Edges, Get Ran On, Get Summary, Get Vertices, Get Edge Types

## Notes

This connector is implemented based on the CrowdStrike Falcon SDK (pip package `crowdstrike-falconpy` 1.4.3):

- https://falcon.crowdstrike.com/support/documentation
- https://falconpy.io/Service-Collections/Alerts.html
- https://falconpy.io/Service-Collections/Detects.html
- https://falconpy.io/Service-Collections/Falconx-Sandbox.html
- https://falconpy.io/Service-Collections/Hosts.html
- https://falconpy.io/Service-Collections/Identity-Protection.html
- https://falconpy.io/Service-Collections/Incidents.html
- https://falconpy.io/Service-Collections/IOC.html
- https://falconpy.io/Service-Collections/Real-Time-Response.html
- https://falconpy.io/Service-Collections/Real-Time-Response-Admin.html
- https://falconpy.io/Service-Collections/Report-Executions.html
- https://falconpy.io/Service-Collections/Quick-Scan.html
- https://falconpy.io/Service-Collections/Event-Streams.html

## Configurations

### CrowdStrike Falcon V2 OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| client_id | The client ID | string | required |
| client_secret | The client secret | string | required |
| ignore_http_errors | Ignore HTTP errors | boolean | optional |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through. Example: http://myproxy:8888 | string | optional |
| https_proxy | A proxy to route requests through. Example: https://myotherproxy:8080 | string | optional |

## Actions

### Create Indicator

Creates new threat indicators in CrowdStrike Falcon V2 using the specified 'indicators' data.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.ignore_warnings | boolean | optional | Flag to indicate that warnings are ignored |
| parameters.retrodetects | boolean | optional | Flag to indicate whether to submit retrodetects |
| comment | string | optional | IOC comment |
| indicators | array | optional | List of indicators to create |
| indicators.action | string | optional | Default action for IOC |
| indicators.applied_globally | boolean | optional | Flag indicating this IOC is applied globally |
| indicators.description | string | optional | IOC description |
| indicators.expiration | string | optional | UTC-formatted date string |
| indicators.host_groups | array | required | List of host groups this IOC applies to |
| indicators.metadata | object | optional | Dictionary containing the filename for the IOC |
| indicators.metadata.filename | string | optional | Filename to use for the metadata dictionary |
| indicators.mobile_action | string | optional | Parameter for Create Indicator |
| indicators.platforms | array | required | Platforms this IOC impacts |
| indicators.severity | string | optional | IOC severity |
| indicators.source | string | optional | IOC source |
| indicators.tags | array | optional | IOC tags |
| indicators.type | string | required | IOC type |
| indicators.value | string | required | String representation of the IOC |

#### Input Example

```json
{
  "parameters": {"ignore_warnings": true, "retrodetects": true},
  "json_body": {
    "indicators": [
      {
        "host_groups": ["ca420b7a19f148788572431948aafbcd"],
        "platforms": ["mac", "linux"],
        "type": "ipv4",
        "value": "96.79.235.37"
      }
    ]
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.server | string | HTTP headers for the request |
| headers.date | string | HTTP headers for the request |
| headers.content-type | string | HTTP headers for the request |
| headers.content-length | string | HTTP headers for the request |
| headers.connection | string | HTTP headers for the request |
| headers.content-encoding | string | HTTP headers for the request |
| headers.strict-transport-security | string | HTTP headers for the request |
| headers.x-cs-region | string | HTTP headers for the request |
| headers.x-cs-traceid | string | HTTP headers for the request |
| headers.x-ratelimit-limit | string | HTTP headers for the request |
| headers.x-ratelimit-remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.pagination | object | Request body data |
| body.meta.pagination.limit | number | Request body data |
| body.meta.pagination.total | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.resources.id | string | Request body data |
| body.resources.type | string | Request body data |
| body.resources.value | string | Request body data |

#### Output Example

```json
{
  "status_code": 201,
  "headers": {
    "server": "nginx",
    "date": "Fri, 31 May 2024 06:47:49 GMT",
    "content-type": "application/json",
    "content-length": "469",
    "connection": "keep-alive",
    "content-encoding": "gzip",
    "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
    "x-cs-region": "us-1",
    "x-cs-traceid": "0177c568-3429-4acb-a431-364e5b571afe",
    "x-ratelimit-limit": "6000",
    "x-ratelimit-remaining": "5998"
  },
  "body": {
    "meta": {
      "query_time": 0.336750823,
      "pagination": {},
      "powered_by
```

### Create RTR Scripts

Initiates the creation of Real Time Response scripts in CrowdStrike Falcon V2 for immediate endpoint deployment.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| data_body | object | required | Response data |
| data_body.comments_for_audit_log | string | optional | A descriptive comment for the audit log |
| data_body.description | string | optional | File description |
| data_body.name | string | optional | File name (if different than actual file name) |
| data_body.platform | array | optional | Platform for the script. Currently supports windows, mac, and linux. If no platform is provided, windows is assumed. |
| data_body.permission_type | string | required | Permissions for the custom script |
| data_body.content | string | optional | The text contents you want to use for the script. Takes the place of a file upload. |
| files | array | optional | Parameter for Create RTR Scripts |
| files.file_name | string | required | Name of the resource |
| files.file | string | required | Parameter for Create RTR Scripts |

#### Input Example

```json
{
  "data_body": {
    "comments_for_audit_log": "sample audit",
    "description": "sample desc",
    "name": "sample file",
    "platform": ["mac"],
    "permission_type": "public",
    "content": "inline file data"
  },
  "files": [{"file": "123 456 789", "file_name": "test file 2"}]
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.server | string | HTTP headers for the request |
| headers.date | string | HTTP headers for the request |
| headers.content-type | string | HTTP headers for the request |
| headers.content-length | string | HTTP headers for the request |
| headers.connection | string | HTTP headers for the request |
| headers.content-encoding | string | HTTP headers for the request |
| headers.x-cs-region | string | HTTP headers for the request |
| headers.x-cs-traceid | string | HTTP headers for the request |
| headers.x-ratelimit-limit | string | HTTP headers for the request |
| headers.x-ratelimit-remaining | string | HTTP headers for the request |
| headers.strict-transport-security | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.writes | object | Request body data |
| body.meta.writes.resources_affected | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |

#### Output Example

```json
{
  "status_code": 200,
  "headers": {
    "server": "nginx",
    "date": "Wed, 29 May 2024 11:22:55 GMT",
    "content-type": "application/json",
    "content-length": "160",
    "connection": "keep-alive",
    "content-encoding": "gzip",
    "x-cs-region": "us-1",
    "x-cs-traceid": "e37ebaae-7daa-4da2-9c2c-b491369e1d78",
    "x-ratelimit-limit": "6000",
    "x-ratelimit-remaining": "5998",
    "strict-transport-security": "max-age=31536000; includeSubDomains"
  },
  "body": {
    "meta": {
      "query_time": 0.841638876,
      "writes": {},
      "powered_by": "empower-api",
      "trace_id": "e37ebaae-7daa
```

### Delete RTR File

Removes a specified Real Time Response file from CrowdStrike Falcon hosts using 'ids' and 'session_id'.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.ids | string | required | RTR session file ID (SHA256) |
| parameters.session_id | string | required | RTR session ID |

#### Input Example

```json
{
  "parameters": {
    "ids": "e9dbc600-1476-4d6b-855d-ee5e24064e5e",
    "session_id": "96306856-91c0-4bd7-8672-2c0a03397a65"
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| body | object | Request body data |
| body.errors | array | Request body data |
| body.errors.message | string | Request body data |
| body.resources | array | Request body data |
| body.resources.file_name | string | Request body data |
| body.resources.file | string | Request body data |

#### Output Example

```json
{"status_code": 204, "headers": {}, "body": {"errors": [{}], "resources": []}}
```

### Delete RTR Put Files

Removes specified Real Time Response files from CrowdStrike Falcon using their unique IDs.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.ids | array | required | File IDs |

#### Input Example

```json
{"parameters": {"ids": ["ef9a3b83323611ee89bc0e02492fd4cf_6890622d3b88416f90879f7c3497ac1f"]}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.server | string | HTTP headers for the request |
| headers.date | string | HTTP headers for the request |
| headers.content-type | string | HTTP headers for the request |
| headers.content-length | string | HTTP headers for the request |
| headers.connection | string | HTTP headers for the request |
| headers.content-encoding | string | HTTP headers for the request |
| headers.x-cs-region | string | HTTP headers for the request |
| headers.x-cs-traceid | string | HTTP headers for the request |
| headers.x-ratelimit-limit | string | HTTP headers for the request |
| headers.x-ratelimit-remaining | string | HTTP headers for the request |
| headers.strict-transport-security | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.writes | object | Request body data |
| body.meta.writes.resources_affected | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |

#### Output Example

```json
{
  "status_code": 200,
  "headers": {
    "server": "nginx",
    "date": "Mon, 27 May 2024 17:15:18 GMT",
    "content-type": "application/json",
    "content-length": "161",
    "connection": "keep-alive",
    "content-encoding": "gzip",
    "x-cs-region": "us-1",
    "x-cs-traceid": "25446ed1-d0d4-4374-9281-c596387b6064",
    "x-ratelimit-limit": "6000",
    "x-ratelimit-remaining": "5999",
    "strict-transport-security": "max-age=31536000; includeSubDomains"
  },
  "body": {
    "meta": {
      "query_time": 0.969570258,
      "writes": {},
      "powered_by": "empower-api",
      "trace_id": "25446ed1-d0d4
```

### Delete RTR Scripts

Removes specified Real Time Response scripts from CrowdStrike Falcon using provided script IDs.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.ids | array | required | File IDs |

#### Input Example

```json
{"parameters": {"ids": ["ce4b7d781cdc11ef8b17b60ca7c6aaf0_fe41f2ee79c84d25bf3740369ea8bdb4"]}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.server | string | HTTP headers for the request |
| headers.date | string | HTTP headers for the request |
| headers.content-type | string | HTTP headers for the request |
| headers.content-length | string | HTTP headers for the request |
| headers.connection | string | HTTP headers for the request |
| headers.content-encoding | string | HTTP headers for the request |
| headers.x-cs-region | string | HTTP headers for the request |
| headers.x-cs-traceid | string | HTTP headers for the request |
| headers.x-ratelimit-limit | string | HTTP headers for the request |
| headers.x-ratelimit-remaining | string | HTTP headers for the request |
| headers.strict-transport-security | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.writes | object | Request body data |
| body.meta.writes.resources_affected | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |

#### Output Example

```json
{
  "status_code": 200,
  "headers": {
    "server": "nginx",
    "date": "Tue, 28 May 2024 17:43:18 GMT",
    "content-type": "application/json",
    "content-length": "160",
    "connection": "keep-alive",
    "content-encoding": "gzip",
    "x-cs-region": "us-1",
    "x-cs-traceid": "f33c1753-6451-4160-961b-c95d5110a1f0",
    "x-ratelimit-limit": "6000",
    "x-ratelimit-remaining": "5999",
    "strict-transport-security": "max-age=31536000; includeSubDomains"
  },
  "body": {
    "meta": {
      "query_time": 0.786009831,
      "writes": {},
      "powered_by": "empower-api",
      "trace_id": "f33c1753-6451
```

### Delete RTR Session

Ends a specific Real Time Response session in CrowdStrike Falcon using the provided session ID.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.session_id | string | required | RTR session ID |

#### Input Example

```json
{"parameters": {"session_id": "e77dee0e-208c-4150-bc35-0ae1e177b0f7"}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| body | object | Request body data |
| body.errors | array | Request body data |
| body.errors.message | string | Request body data |
| body.resources | array | Request body data |
| body.resources.file_name | string | Request body data |
| body.resources.file | string | Request body data |

#### Output Example

```json
{"status_code": 204, "headers": {}, "body": {"errors": [{}], "resources": []}}
```

### Download Report Execution

Retrieve execution details for specified report IDs in CrowdStrike Falcon V2 using the 'ids' parameter.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.ids | array | required | The report execution ID to get details about |
| chunksize | number | optional | The number of objects to have in each attachment |

#### Input Example

```json
{"parameters": {"ids": ["5c53d6559c7244c897c862ba3149c548"]}, "chunksize": ["20"]}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.server | string | HTTP headers for the request |
| headers.date | string | HTTP headers for the request |
| headers.content-type | string | HTTP headers for the request |
| headers.content-length | string | HTTP headers for the request |
| headers.connection | string | HTTP headers for the request |
| headers.content-encoding | string | HTTP headers for the request |
| headers.strict-transport-security | string | HTTP headers for the request |
| headers.x-cs-region | string | HTTP headers for the request |
| headers.x-cs-traceid | string | HTTP headers for the request |
| headers.x-ratelimit-limit | string | HTTP headers for the request |
| headers.x-ratelimit-remaining | string | HTTP headers for the request |
| file | array | Report chunks |
| file.file | string | Output field file |
| file.file_name | string | Name of the resource |

#### Output Example

```json
{
  "status_code": 200,
  "headers": {
    "server": "nginx",
    "date": "Tue, 28 May 2024 18:00:53 GMT",
    "content-type": "application/json",
    "content-length": "464",
    "connection": "keep-alive",
    "content-encoding": "gzip",
    "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
    "x-cs-region": "us-1",
    "x-cs-traceid": "a8f42c6a-9965-4d85-939c-ab5a81a50e63",
    "x-ratelimit-limit": "6000",
    "x-ratelimit-remaining": "5999"
  },
  "body": {
    "meta": {
      "query_time": 0.032564367,
      "powered_by": "reports",
      "tra
```

### Execute RTR Command

Initiates a Real Time Response command on a host within CrowdStrike Falcon using the specified base command, command string, and session ID.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| base_command | string | optional | Read-only base command to perform |
| command_string | string | optional | Full command line of the command to execute |
| persist | boolean | optional | Flag indicating if this command should be executed when the host returns to service |
| session_id | string | optional | RTR session ID to execute the command against |

#### Input Example

```json
{
  "json_body": {
    "base_command": "ls",
    "command_string": "ls",
    "persist": true,
    "session_id": "96306856-91c0-4bd7-8672-2c0a03397a65"
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.server | string | HTTP headers for the request |
| headers.date | string | HTTP headers for the request |
| headers.content-type | string | HTTP headers for the request |
| headers.content-length | string | HTTP headers for the request |
| headers.connection | string | HTTP headers for the request |
| headers.content-encoding | string | HTTP headers for the request |
| headers.x-cs-region | string | HTTP headers for the request |
| headers.x-cs-traceid | string | HTTP headers for the request |
| headers.x-ratelimit-limit | string | HTTP headers for the request |
| headers.x-ratelimit-remaining | string | HTTP headers for the request |
| headers.strict-transport-security | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.resources.session_id | string | Request body data |
| body.resources.cloud_request_id | string | Request body data |
| body.resources.queued_command_offline | boolean | Request body data |
| body.errors | array | Request body data |
| body.errors.file_name | string | Request body data |
| body.errors.file | string | Request body data |

#### Output Example

```json
{
  "status_code": 201,
  "headers": {
    "server": "nginx",
    "date": "Mon, 27 May 2024 05:39:07 GMT",
    "content-type": "application/json",
    "content-length": "261",
    "connection": "keep-alive",
    "content-encoding": "gzip",
    "x-cs-region": "us-1",
    "x-cs-traceid": "ec8b5d53-770e-44c9-91e7-410e436f0860",
    "x-ratelimit-limit": "6000",
    "x-ratelimit-remaining": "5998",
    "strict-transport-security": "max-age=31536000; includeSubDomains"
  },
  "body": {
    "meta": {
      "query_time": 0.013513642,
      "powered_by": "empower-api",
      "trace_id": "ec8b5d53-770e-44c9-91e7-4
```

### Get Alert Details

Retrieve detailed information for specified alerts in CrowdStrike Falcon using composite IDs.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.include_hidden | boolean | optional | Allows previously hidden alerts to be retrieved |
| composite_ids | array | optional | ID(s) of the alerts to retrieve |

#### Input Example

```json
{
  "parameters": {"include_hidden": true},
  "json_body": {
    "composite_ids": ["9cee3cb8390040a986142632cff93a6f:ind:ccde88355e0a48fa9558daadb64861ea:26027824139-10303-1316112"]
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.server | string | HTTP headers for the request |
| headers.date | string | HTTP headers for the request |
| headers.content-type | string | HTTP headers for the request |
| headers.transfer-encoding | string | HTTP headers for the request |
| headers.connection | string | HTTP headers for the request |
| headers.content-encoding | string | HTTP headers for the request |
| headers.strict-transport-security | string | HTTP headers for the request |
| headers.x-cs-region | string | HTTP headers for the request |
| headers.x-cs-traceid | string | HTTP headers for the request |
| headers.x-ratelimit-limit | string | HTTP headers for the request |
| headers.x-ratelimit-remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.writes | object | Request body data |
| body.meta.writes.resources_affected | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.resources.agent_id | string | Request body data |
| body.resources.aggregate_id | string | Request body data |
| body.resources.alleged_filetype | string | Request body data |
| body.resources.cid | string | Request body data |

#### Output Example

```json
{
  "headers": {
    "server": "string",
    "date": "2024-01-01T00:00:00Z",
    "content-type": "string",
    "transfer-encoding": "string",
    "connection": "string",
    "content-encoding": "string",
    "strict-transport-security": "string",
    "x-cs-region": "string",
    "x-cs-traceid": "string",
    "x-ratelimit-limit": "string",
    "x-ratelimit-remaining": "string"
  },
  "body": {
    "meta": {"query_time": 123, "writes": {}, "powered_by": "string", "trace_id": "string"},
    "resources": [{}],
    "errors": [{}]
  }
}
```

### Get Behaviors

Retrieves detailed behavior records for specified IDs in CrowdStrike Falcon, requiring a JSON body with 'ids'.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| ids | array | optional | Behavior ID(s) to retrieve |

#### Input Example

```json
{"json_body": {"ids": ["ind:c4c4b501190c48089ab7ab7671233545:150544003011-5733-528144"]}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.server | string | HTTP headers for the request |
| headers.date | string | HTTP headers for the request |
| headers.content-type | string | HTTP headers for the request |
| headers.content-length | string | HTTP headers for the request |
| headers.connection | string | HTTP headers for the request |
| headers.content-encoding | string | HTTP headers for the request |
| headers.strict-transport-security | string | HTTP headers for the request |
| headers.x-cs-region | string | HTTP headers for the request |
| headers.x-cs-traceid | string | HTTP headers for the request |
| headers.x-ratelimit-limit | string | HTTP headers for the request |
| headers.x-ratelimit-remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.resources.behavior_id | string | Request body data |
| body.resources.alert_ids | array | Request body data |
| body.resources.cid | string | Request body data |
| body.resources.aid | string | Request body data |
| body.resources.pattern_id | number | Request body data |
| body.resources.template_instance_id | number | Request body data |

#### Output Example

```json
{
  "status_code": 200,
  "headers": {
    "server": "nginx",
    "date": "Mon, 27 May 2024 07:48:54 GMT",
    "content-type": "application/json",
    "content-length": "894",
    "connection": "keep-alive",
    "content-encoding": "gzip",
    "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
    "x-cs-region": "us-1",
    "x-cs-traceid": "92e99eb6-b1c1-430c-8f2a-6df85afb94c6",
    "x-ratelimit-limit": "6000",
    "x-ratelimit-remaining": "5999"
  },
  "body": {
    "meta": {
      "query_time": 0.00887423,
      "powered_by": "incident-api",
```

### Get Detections Summaries

Retrieve summaries for specific detections in CrowdStrike Falcon using provided detection IDs.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| ids | array | optional | ID(s) of the detections to retrieve |

#### Input Example

```json
{"json_body": {"ids": ["ldt:c4c4b501190c48089ab7ab7671233545:81605197317"]}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.server | string | HTTP headers for the request |
| headers.date | string | HTTP headers for the request |
| headers.content-type | string | HTTP headers for the request |
| headers.content-length | string | HTTP headers for the request |
| headers.connection | string | HTTP headers for the request |
| headers.content-encoding | string | HTTP headers for the request |
| headers.strict-transport-security | string | HTTP headers for the request |
| headers.x-cs-region | string | HTTP headers for the request |
| headers.x-cs-traceid | string | HTTP headers for the request |
| headers.x-ratelimit-limit | string | HTTP headers for the request |
| headers.x-ratelimit-remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.resources.cid | string | Request body data |
| body.resources.created_timestamp | string | Request body data |
| body.resources.detection_id | string | Request body data |
| body.resources.device | object | Request body data |
| body.resources.device.device_id | string | Request body data |
| body.resources.device.cid | string | Request body data |

#### Output Example

```json
{
  "status_code": 200,
  "headers": {
    "server": "nginx",
    "date": "Fri, 24 May 2024 19:13:06 GMT",
    "content-type": "application/json",
    "content-length": "1877",
    "connection": "keep-alive",
    "content-encoding": "gzip",
    "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
    "x-cs-region": "us-1",
    "x-cs-traceid": "eb80164d-f5f8-4462-bed0-f4c7e849a2de",
    "x-ratelimit-limit": "6000",
    "x-ratelimit-remaining": "5999"
  },
  "body": {
    "meta": {
      "query_time": 0.002821487,
      "powered_by": "legacy-detec
```

### Get Edge Types

Obtain all available edge types from CrowdStrike Falcon V2 to enhance incident analysis and response workflows.

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Get Edges

Retrieves edges for a specified vertex ID in CrowdStrike Falcon V2, with at least one edge type parameter required.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.ids | string | optional | Vertex ID to get details for. Only one value is supported. |
| parameters.limit | number | optional | How many edges to return in a single request [1-100] |
| parameters.offset | string | optional | The offset to use to retrieve the next page of results |
| parameters.edge_type | string | optional | The type of edges that you would like to retrieve |
| parameters.direction | string | optional | The direction of edges that you would like to retrieve |
| parameters.scope | string | optional | Scope of the request |
| parameters.nano | boolean | optional | Return nano-precision entity timestamps |

#### Input Example

```json
{
  "parameters": {
    "ids": "string",
    "limit": 123,
    "offset": "string",
    "edge_type": "string",
    "direction": "string",
    "scope": "string",
    "nano": true
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Get File Analysis

Retrieve detailed analysis of files from CrowdStrike Falcon by specifying 'ids' as parameters.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.ids | array | required | ID of a submitted malware sample |

#### Input Example

```json
{"parameters": {"ids": ["9cee3cb8390040a986142632cff93a6f_39def1af7703496bafacbf47ffa458fe"]}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.server | string | HTTP headers for the request |
| headers.date | string | HTTP headers for the request |
| headers.content-type | string | HTTP headers for the request |
| headers.content-length | string | HTTP headers for the request |
| headers.connection | string | HTTP headers for the request |
| headers.content-encoding | string | HTTP headers for the request |
| headers.strict-transport-security | string | HTTP headers for the request |
| headers.x-cs-region | string | HTTP headers for the request |
| headers.x-cs-traceid | string | HTTP headers for the request |
| headers.x-ratelimit-limit | string | HTTP headers for the request |
| headers.x-ratelimit-remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.meta.quota | object | Request body data |
| body.meta.quota.total | number | Request body data |
| body.meta.quota.used | number | Request body data |
| body.meta.quota.in_progress | number | Request body data |
| body.resources | array | Request body data |
| body.resources.id | string | Request body data |
| body.resources.cid | string | Request body data |

#### Output Example

```json
{
  "status_code": 200,
  "headers": {
    "server": "nginx",
    "date": "Thu, 30 May 2024 09:36:05 GMT",
    "content-type": "application/json",
    "content-length": "427",
    "connection": "keep-alive",
    "content-encoding": "gzip",
    "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
    "x-cs-region": "us-1",
    "x-cs-traceid": "52257afe-cfa3-4a54-8b56-86f9f360ec9f",
    "x-ratelimit-limit": "6000",
    "x-ratelimit-remaining": "5999"
  },
  "body": {
    "meta": {
      "query_time": 0.010101636,
      "powered_by": "falconx-api",
```

### Get Host Info

Retrieve detailed information for specified hosts in CrowdStrike Falcon using their unique IDs.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.ids | array | required | The host agent IDs used to get details on |

#### Input Example

```json
{"parameters": {"ids": ["ccde88355e0a48fa9558daadb64861ea"]}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.server | string | HTTP headers for the request |
| headers.date | string | HTTP headers for the request |
| headers.content-type | string | HTTP headers for the request |
| headers.content-length | string | HTTP headers for the request |
| headers.connection | string | HTTP headers for the request |
| headers.content-encoding | string | HTTP headers for the request |
| headers.strict-transport-security | string | HTTP headers for the request |
| headers.x-cs-region | string | HTTP headers for the request |
| headers.x-cs-traceid | string | HTTP headers for the request |
| headers.x-ratelimit-limit | string | HTTP headers for the request |
| headers.x-ratelimit-remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.resources.device_id | string | Request body data |
| body.resources.cid | string | Request body data |
| body.resources.agent_load_flags | string | Request body data |
| body.resources.agent_local_time | string | Request body data |
| body.resources.agent_version | string | Request body data |
| body.resources.bios_manufacturer | string | Request body data |

#### Output Example

```json
{
  "headers": {
    "server": "string",
    "date": "2024-01-01T00:00:00Z",
    "content-type": "string",
    "content-length": "string",
    "connection": "string",
    "content-encoding": "string",
    "strict-transport-security": "string",
    "x-cs-region": "string",
    "x-cs-traceid": "string",
    "x-ratelimit-limit": "string",
    "x-ratelimit-remaining": "string"
  },
  "body": {
    "meta": {"query_time": 123, "powered_by": "string", "trace_id": "string"},
    "resources": [{}],
    "errors": [{}]
  }
}
```

### Get Incidents

Retrieves detailed information for specified incidents in CrowdStrike Falcon using provided incident IDs.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| ids | array | optional | Incident ID(s) to retrieve |

#### Input Example

```json
{"json_body": {"ids": ["inc:2ec86c41c8524a4b86a0f675e919857f:0d03844fc2cc448eb37f8b8476fb2c95"]}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.server | string | HTTP headers for the request |
| headers.date | string | HTTP headers for the request |
| headers.content-type | string | HTTP headers for the request |
| headers.content-length | string | HTTP headers for the request |
| headers.connection | string | HTTP headers for the request |
| headers.content-encoding | string | HTTP headers for the request |
| headers.strict-transport-security | string | HTTP headers for the request |
| headers.x-cs-region | string | HTTP headers for the request |
| headers.x-cs-traceid | string | HTTP headers for the request |
| headers.x-ratelimit-limit | string | HTTP headers for the request |
| headers.x-ratelimit-remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.resources.incident_id | string | Request body data |
| body.resources.incident_type | number | Request body data |
| body.resources.cid | string | Request body data |
| body.resources.host_ids | array | Request body data |
| body.resources.hosts | array | Request body data |
| body.resources.hosts.device_id | string | Request body data |

#### Output Example

```json
{
  "status_code": 200,
  "headers": {
    "server": "nginx",
    "date": "Mon, 27 May 2024 07:33:12 GMT",
    "content-type": "application/json",
    "content-length": "960",
    "connection": "keep-alive",
    "content-encoding": "gzip",
    "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
    "x-cs-region": "us-1",
    "x-cs-traceid": "9cec3c3b-bff9-41b5-9b59-86fa593f6df1",
    "x-ratelimit-limit": "6000",
    "x-ratelimit-remaining": "5999"
  },
  "body": {
    "meta": {
      "query_time": 0.004143106,
      "powered_by": "incident-api"
```

### Get Indicators

Retrieves detailed information on indicators of compromise from CrowdStrike Falcon using specified IDs.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.ids | array | required | The IDs of the indicators to retrieve |

#### Input Example

```json
{"parameters": {"ids": ["48e23334c3854063dd96f8dd863b0f98046d35a8dbf0cbe7a30b2eb41b47e31e"]}}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.server | string | HTTP headers for the request |
| headers.date | string | HTTP headers for the request |
| headers.content-type | string | HTTP headers for the request |
| headers.content-length | string | HTTP headers for the request |
| headers.connection | string | HTTP headers for the request |
| headers.content-encoding | string | HTTP headers for the request |
| headers.strict-transport-security | string | HTTP headers for the request |
| headers.x-cs-region | string | HTTP headers for the request |
| headers.x-cs-traceid | string | HTTP headers for the request |
| headers.x-ratelimit-limit | string | HTTP headers for the request |
| headers.x-ratelimit-remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.pagination | object | Request body data |
| body.meta.pagination.limit | number | Request body data |
| body.meta.pagination.total | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.resources.id | string | Request body data |
| body.resources.type | string | Request body data |
| body.resources.value | string | Request body data |

#### Output Example

```json
{
  "status_code": 200,
  "headers": {
    "server": "nginx",
    "date": "Thu, 30 May 2024 20:07:47 GMT",
    "content-type": "application/json",
    "content-length": "512",
    "connection": "keep-alive",
    "content-encoding": "gzip",
    "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
    "x-cs-region": "us-1",
    "x-cs-traceid": "ed545c3a-c1e4-4ae5-afda-d729d167bb82",
    "x-ratelimit-limit": "6000",
    "x-ratelimit-remaining": "5999"
  },
  "body": {
    "meta": {
      "query_time": 0.018581527,
      "pagination": {},
      "powered_by
```

### Get Queries Alerts

Retrieve alert IDs matching a specific query from CrowdStrike Falcon V2 without requiring additional parameters.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.filter | string | optional | Filter alerts using a query in Falcon Query Language (FQL). An asterisk wildcard includes all results. |
| parameters.limit | number | optional | The maximum number of alerts to return in this response |
| parameters.offset | number | optional | The first alert to return, where 0 is the latest alert. Use with the limit parameter to manage pagination of results. |
| parameters.q | string | optional | Search all alert metadata for the provided string |
| parameters.sort | string | optional | Sort alerts using the provided FQL filter |
| parameters.include_hidden | boolean | optional | Allows previously hidden alerts to be retrieved |

#### Input Example

```json
{
  "parameters": {
    "filter": "string1",
    "limit": 10,
    "offset": 2,
    "q": "string",
    "sort": "asc",
    "include_hidden": true
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.server | string | HTTP headers for the request |
| headers.date | string | HTTP headers for the request |
| headers.content-type | string | HTTP headers for the request |
| headers.content-length | string | HTTP headers for the request |
| headers.connection | string | HTTP headers for the request |
| headers.content-encoding | string | HTTP headers for the request |
| headers.strict-transport-security | string | HTTP headers for the request |
| headers.x-cs-region | string | HTTP headers for the request |
| headers.x-cs-traceid | string | HTTP headers for the request |
| headers.x-ratelimit-limit | string | HTTP headers for the request |
| headers.x-ratelimit-remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |

body.meta
query time number request body data body meta pagination object request body data body meta pagination offset number request body data body meta pagination limit number request body data body meta pagination total number request body data body meta writes object request body data body meta writes resources affected number request body data body meta powered by string request body data body meta trace id string request body data body resources array request body data output example {"status code" 200,"headers" {"server" "nginx","date" "mon, 10 jun 2024 10 09 58 gmt","content type" "application/json","content length" "498","connection" "keep alive","content encoding" "gzip","strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains","x cs region" "us 1","x cs traceid" "c355acdd 5c61 4e72 821b 6219e3e8de7f","x ratelimit limit" "6000","x ratelimit remaining" "5999"},"body" {"meta" {"query time" 0 018427628,"pagination" {},"writes" {} get ran on retrieve instances of indicators (hashes, domain names, ip addresses) observed on devices in the crowdstrike falcon environment input argument name type required description parameters value string optional the value of the indicator to search by parameters type string optional the type of indicator that you would like to retrieve parameters limit number optional how many edges to return in a single request \[1 100] parameters offset string optional the offset to use to retrieve the next page of results parameters nano boolean optional return nano precision entity timestamps input example {"parameters" {"value" "string","type" "string","limit" 123,"offset" "string","nano"\ true}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {},"reason" "ok","json body" {}} get report executions retrieve execution details for specified report ids in crowdstrike falcon v2 
using the 'ids' parameter input argument name type required description parameters ids array required the report execution id to get details about input example {"parameters" {"ids" \["5c53d6559c7244c897c862ba3149c548"]}} output parameter type description status code number http status code of the response headers object http headers for the request headers server string http headers for the request headers date string http headers for the request headers content type string http headers for the request headers content length string http headers for the request headers connection string http headers for the request headers content encoding string http headers for the request headers strict transport security string http headers for the request headers x cs region string http headers for the request headers x cs traceid string http headers for the request headers x ratelimit limit string http headers for the request headers x ratelimit remaining string http headers for the request body object request body data body meta object request body data body meta query time number request body data body meta powered by string request body data body meta trace id string request body data body resources array request body data body resources id string request body data body resources customer id string request body data body resources user uuid string request body data body resources user id string request body data body resources type string request body data body resources scheduled report id string request body data output example {"status code" 200,"headers" {"server" "nginx","date" "tue, 28 may 2024 18 00 53 gmt","content type" "application/json","content length" "464","connection" "keep alive","content encoding" "gzip","strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains","x cs region" "us 1","x cs traceid" "a8f42c6a 9965 4d85 939c ab5a81a50e63","x ratelimit limit" "6000","x ratelimit remaining" "5999"},"body" {"meta" 
{"query time" 0 032564367,"powered by" "reports","tra get reports fetches threat intelligence reports from crowdstrike falcon using specified report ids input argument name type required description parameters ids array required id of a report input example {"parameters" {"ids" \["9cee3cb8390040a986142632cff93a6f cc338bfdc9314f619f873c216a085472"]}} output parameter type description status code number http status code of the response headers object http headers for the request headers server string http headers for the request headers date string http headers for the request headers content type string http headers for the request headers transfer encoding string http headers for the request headers connection string http headers for the request headers content encoding string http headers for the request headers strict transport security string http headers for the request headers x cs region string http headers for the request headers x cs traceid string http headers for the request headers x ratelimit limit string http headers for the request headers x ratelimit remaining string http headers for the request body object request body data body meta object request body data body meta query time number request body data body meta powered by string request body data body meta trace id string request body data body meta quota object request body data body meta quota total number request body data body meta quota used number request body data body meta quota in progress number request body data body resources array request body data body resources id string request body data body resources cid string request body data output example {"headers" {"server" "string","date" "2024 01 01t00 00 00z","content type" "string","transfer encoding" "string","connection" "string","content encoding" "string","strict transport security" "string","x cs region" "string","x cs traceid" "string","x ratelimit limit" "string","x ratelimit remaining" "string"},"body" {"meta" {"query time" 
123,"powered by" "string","trace id" "string","quota" {}},"resources" \[{}],"errors" \[{}]}} get rtr put files retrieves files placed on hosts during real time response sessions in crowdstrike falcon v2 using specified file ids input argument name type required description parameters ids array required file ids input example {"parameters" {"ids" \["ef9a3b83323611ee89bc0e02492fd4cf 6890622d3b88416f90879f7c3497ac1f"]}} output parameter type description status code number http status code of the response headers object http headers for the request headers server string http headers for the request headers date string http headers for the request headers content type string http headers for the request headers content length string http headers for the request headers connection string http headers for the request headers content encoding string http headers for the request headers x cs region string http headers for the request headers x cs traceid string http headers for the request headers x ratelimit limit string http headers for the request headers x ratelimit remaining string http headers for the request headers strict transport security string http headers for the request body object request body data body meta object request body data body meta query time number request body data body meta powered by string request body data body meta trace id string request body data body resources array request body data body resources id string request body data body resources name string request body data body resources file type string request body data body resources platform array request body data body resources size number request body data body resources created by string request body data output example {"status code" 200,"headers" {"server" "nginx","date" "mon, 27 may 2024 17 10 02 gmt","content type" "application/json","content length" "477","connection" "keep alive","content encoding" "gzip","x cs region" "us 1","x cs traceid" "3acc8952 e34b 42c0 906d 
92e1fbbd9863","x ratelimit limit" "6000","x ratelimit remaining" "5999","strict transport security" "max age=31536000; includesubdomains"},"body" {"meta" {"query time" 0 69794026,"powered by" "empower api","trace id" "3acc8952 e34b 42c0 906d 92 get rtr scripts retrieves specified real time response (rtr) scripts from crowdstrike falcon using provided script ids input argument name type required description parameters ids array required file ids input example {"parameters" {"ids" \["d8367f494e9311ea97920662caec3daa 6890622d3b88416f90879f7c3497ac1f"]}} output parameter type description status code number http status code of the response headers object http headers for the request headers server string http headers for the request headers date string http headers for the request headers content type string http headers for the request headers content length string http headers for the request headers connection string http headers for the request headers content encoding string http headers for the request headers x cs region string http headers for the request headers x cs traceid string http headers for the request headers x ratelimit limit string http headers for the request headers x ratelimit remaining string http headers for the request headers strict transport security string http headers for the request body object request body data body meta object request body data body meta query time number request body data body meta powered by string request body data body meta trace id string request body data body resources array request body data body resources id string request body data body resources name string request body data body resources description string request body data body resources file type string request body data body resources platform array request body data body resources size number request body data output example {"status code" 200,"headers" {"server" "nginx","date" "tue, 28 may 2024 17 35 03 gmt","content type" "application/json","content 
length" "563","connection" "keep alive","content encoding" "gzip","x cs region" "us 1","x cs traceid" "226cf254 2b1d 4e8f a4b0 e76c41dfc0bd","x ratelimit limit" "6000","x ratelimit remaining" "5999","strict transport security" "max age=31536000; includesubdomains"},"body" {"meta" {"query time" 0 104620007,"powered by" "empower api","trace id" "226cf254 2b1d 4e8f a4b0 e get scans obtain detailed scan results for given ids from crowdstrike falcon v2, providing insights into the scans conducted input argument name type required description parameters ids array required id of a submitted scan to retrieve input example {"parameters" {"ids" \["0edf67fa585bedac6db7571f9fe3a449a2d0a4d78529a8bfee4f845f00931f89"]}} output parameter type description status code number http status code of the response headers object http headers for the request body object request body data output example {"status code" 200,"headers" {},"body" {}} get sensor details retrieve detailed information for specified sensors in crowdstrike falcon by providing sensor ids input argument name type required description ids array optional the host agent ids used to get details on input example {"json body" {"ids" \["fdc71309 8745 4c39 9c9b 859f171036bf"]}} output parameter type description status code number http status code of the response headers object http headers for the request body object request body data output example {"status code" 200,"headers" {},"body" {}} get summary retrieve a summary for a specified vertex type in crowdstrike falcon v2, requiring the 'vertex type' path parameter endpoint url /threatgraph/combined/{{vertex type}}/summary/v1 method get input argument name type required description path parameters vertex type string required type of vertex to get properties for parameters ids array optional vertex id to get details for parameters scope string optional scope of the request parameters nano boolean optional return nano precision entity timestamps input example {"path parameters" 
{"vertex type" "string"},"parameters" {"ids" \["string"],"scope" "string","nano"\ true}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {},"reason" "ok","json body" {}} get vertices retrieve metadata for a specified vertex type in crowdstrike falcon v2, requiring a vertex id endpoint url /threatgraph/entities/{{vertex type}}/v2 method get input argument name type required description path parameters vertex type string required type of vertex to get properties for parameters ids array optional vertex id to get details for parameters scope string optional scope of the request parameters nano boolean optional return nano precision entity timestamps input example {"path parameters" {"vertex type" "string"},"parameters" {"ids" \["string"],"scope" "string","nano"\ true}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {},"reason" "ok","json body" {}} init rtr session initiates a real time response session in crowdstrike falcon using a device id, with an option to queue if offline input argument name type required description device id string optional the host agent id to refresh the rtr session on origin string optional origin of the request queue offline boolean optional flag indicating if this should be queued to pulse after the host returns to service timeout number optional timeout for how long to wait for the request in seconds defaults to 30 with maximum 600 timeout duration string optional timeout duration for how long to wait for the request in duration syntax input example {"json body" {"device id" "ccde88355e0a48fa9558daadb64861ea","queue offline"\ true,"timeout" 30,"timeout duration" "s"}} output parameter type description status code number http status code of the response headers object http headers for 
the request headers server string http headers for the request headers date string http headers for the request headers content type string http headers for the request headers transfer encoding string http headers for the request headers connection string http headers for the request headers content encoding string http headers for the request headers x cs region string http headers for the request headers x cs traceid string http headers for the request headers x ratelimit limit string http headers for the request headers x ratelimit remaining string http headers for the request headers strict transport security string http headers for the request body object request body data body meta object request body data body meta query time number request body data body meta powered by string request body data body meta trace id string request body data body resources array request body data body resources session id string request body data body resources scripts array request body data body resources scripts command string request body data body resources scripts description string request body data body resources scripts examples string request body data body resources scripts internal only boolean request body data output example {"status code" 201,"headers" {"server" "nginx","date" "sun, 26 may 2024 16 47 17 gmt","content type" "application/json","transfer encoding" "chunked","connection" "keep alive","content encoding" "gzip","x cs region" "us 1","x cs traceid" "c18de5c7 28b6 4edb a43a 696049e0fec4","x ratelimit limit" "6000","x ratelimit remaining" "5999","strict transport security" "max age=31536000; includesubdomains"},"body" {"meta" {"query time" 3 894993811,"powered by" "empower api","trace id" "c18de5c7 28b6 4edb lift contained endpoint removes containment from a specified host in your environment using the crowdstrike falcon v2 platform, requiring host 'ids' input argument name type required description parameters action name string optional action name ids 
array optional the host agent id (aid) of the host you want to impact if you provide ids to the method using this keyword, you do not have to provide a body payload input example {"parameters" {"action name" "contain"},"json body" {"ids" \["ccde88355e0a48fa9558daadb64861ea"]}} output parameter type description status code number http status code of the response headers object http headers for the request headers server string http headers for the request headers date string http headers for the request headers content type string http headers for the request headers content length string http headers for the request headers connection string http headers for the request headers content encoding string http headers for the request headers strict transport security string http headers for the request headers x cs region string http headers for the request headers x cs traceid string http headers for the request headers x ratelimit limit string http headers for the request headers x ratelimit remaining string http headers for the request body object request body data body meta object request body data body meta query time number request body data body meta powered by string request body data body meta trace id string request body data body resources array request body data body resources id string request body data body resources path string request body data body errors array request body data body errors file name string request body data body errors file string request body data output example {"status code" 202,"headers" {"server" "nginx","date" "mon, 10 jun 2024 09 21 46 gmt","content type" "application/json","content length" "216","connection" "keep alive","content encoding" "gzip","strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains","x cs region" "us 1","x cs traceid" "012d36b3 bfe8 4563 a037 aa7db99ae68f","x ratelimit limit" "6000","x ratelimit remaining" "5998"},"body" {"meta" {"query time" 0 
313760617,"powered by" "device api"," list all rtr sessions retrieve an overview of all active and historical real time response sessions in crowdstrike falcon input argument name type required description parameters limit number optional maximum number of records to return max 5000 parameters offset number optional starting index of overall result set from which to return ids parameters filter string optional fql query expression that should be used to limit the results parameters sort string optional the property to sort by input example {"parameters" {"limit" 10,"offset" 0}} output parameter type description status code number http status code of the response headers object http headers for the request headers server string http headers for the request headers date string http headers for the request headers content type string http headers for the request headers content length string http headers for the request headers connection string http headers for the request headers content encoding string http headers for the request headers x cs region string http headers for the request headers x cs traceid string http headers for the request headers x ratelimit limit string http headers for the request headers x ratelimit remaining string http headers for the request headers strict transport security string http headers for the request body object request body data body meta object request body data body meta query time number request body data body meta pagination object request body data body meta pagination offset number request body data body meta pagination limit number request body data body meta pagination total number request body data body meta powered by string request body data body meta trace id string request body data body resources array request body data body errors array request body data body errors file name string request body data output example {"status code" 200,"headers" {"server" "nginx","date" "sun, 26 may 2024 16 18 03 gmt","content type" 
"application/json","content length" "436","connection" "keep alive","content encoding" "gzip","x cs region" "us 1","x cs traceid" "8a850895 10ba 443b bf4f e1b67358bf85","x ratelimit limit" "6000","x ratelimit remaining" "5999","strict transport security" "max age=31536000; includesubdomains"},"body" {"meta" {"query time" 0 065409959,"pagination" {},"powered by" "empower api","trace id" "8a850895 list available streams retrieve all event streams from the crowdstrike falcon v2 environment using the provided app id input argument name type required description parameters app id string required label that identifies your connection maximum 32 alphanumeric characters (a z, a z, 0 9) parameters format string optional format for streaming events input example {"parameters" {"app id" " ","format" "json"}} output parameter type description status code number http status code of the response headers object http headers for the request headers server string http headers for the request headers date string http headers for the request headers content type string http headers for the request headers content length string http headers for the request headers connection string http headers for the request headers content encoding string http headers for the request headers x cs region string http headers for the request headers x cs traceid string http headers for the request headers x ratelimit limit string http headers for the request headers x ratelimit remaining string http headers for the request headers strict transport security string http headers for the request output example {"status code" 200,"headers" {"server" "nginx","date" "fri, 20 sep 2024 08 04 38 gmt","content type" "application/json","content length" "215","connection" "keep alive","content encoding" "gzip","x cs region" "us 1","x cs traceid" "2b13ff37 6ffc 40cb 8027 1b702cd13ccb","x ratelimit limit" "6000","x ratelimit remaining" "5996","strict transport security" "max age=31536000; includesubdomains"},"json 
body" {}} list host vulnerabilities retrieve a list of host vulnerabilities from crowdstrike falcon v2 using an fql filter to return matching vulnerability ids input argument name type required description parameters after string optional a pagination token used with the limit parameter to manage pagination of results on your first request, don't provide an after token parameters limit number optional the number of items to return in this response parameters sort string optional full query string parameters payload in json format parameters filter string required sort vulnerabilities by their properties input example {"parameters" {"after" "string","limit" 10,"sort" "created timestamp|desc","filter" "aid 'abcde6b9a3427d8c4a1af416424d6231'"}} output parameter type description status code number http status code of the response headers object http headers for the request headers server string http headers for the request headers date string http headers for the request headers content type string http headers for the request headers content length string http headers for the request headers connection string http headers for the request headers x content type options string http headers for the request headers x cs traceid string http headers for the request headers x ratelimit limit string http headers for the request headers x ratelimit remaining string http headers for the request headers strict transport security string http headers for the request body object request body data body meta object request body data body meta query time number request body data body meta powered by string request body data body meta trace id string request body data body errors array request body data body errors file name string request body data body errors file string request body data output example {"status code" 200,"headers" {"server" "nginx","date" "mon, 10 jun 2024 10 31 46 gmt","content type" "application/json","content length" "231","connection" "keep alive","x content 
type options" "nosniff","x cs traceid" "1a41eb4c eb2e 4a10 a8e0 da0fd3322018","x ratelimit limit" "15","x ratelimit remaining" "14","strict transport security" "max age=31536000; includesubdomains"},"body" {"meta" {"query time" 1 57e 07,"powered by" "crowdstrike api gateway","trace id" "1a41eb4c eb2e 4a10 a8e0 da0fd332 list rtr falcon scripts retrieve a list of available real time response scripts from crowdstrike falcon for execution on remote hosts input argument name type required description parameters filter string optional optional filter criteria in the form of an fql query parameters offset number optional starting index of overall result set from which to return id's parameters limit number optional number of id's to return parameters sort string optional sort by spec ex 'created at input example {"parameters" {"offset" 0,"limit" 10}} output parameter type description status code number http status code of the response headers object http headers for the request headers server string http headers for the request headers date string http headers for the request headers content type string http headers for the request headers content length string http headers for the request headers connection string http headers for the request headers content encoding string http headers for the request headers x cs region string http headers for the request headers x cs traceid string http headers for the request headers x ratelimit limit string http headers for the request headers x ratelimit remaining string http headers for the request headers strict transport security string http headers for the request body object request body data body meta object request body data body meta query time number request body data body meta pagination object request body data body meta pagination offset number request body data body meta pagination limit number request body data body meta pagination total number request body data body meta powered by string request body data body meta 
| Parameter | Type | Description |
| --- | --- | --- |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.errors | array | Request body data |
| body.errors.file_name | string | Request body data |

#### Output Example

```json
{"status_code": 200, "headers": {"Server": "nginx", "Date": "Mon, 27 May 2024 06:19:58 GMT", "Content-Type": "application/json", "Content-Length": "397", "Connection": "keep-alive", "Content-Encoding": "gzip", "X-Cs-Region": "us-1", "X-Cs-Traceid": "0873f04c-1e64-48a5-9613-17d4f5bc1cdb", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5999", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "body": {"meta": {"query_time": 0.003614303, "pagination": {}, "powered_by": "empower-api", "trace_id": "0873f04c
```

### List RTR Files

Retrieve a list of files from Real Time Response sessions in CrowdStrike Falcon using the provided session ID.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.session_id | string | Required | RTR session ID |

#### Input Example

```json
{"parameters": {"session_id": "96306856-91c0-4bd7-8672-2c0a03397a65"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Content-Length | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Content-Encoding | string | HTTP headers for the request |
| headers.X-Cs-Region | string | HTTP headers for the request |
| headers.X-Cs-Traceid | string | HTTP headers for the request |
| headers.X-Ratelimit-Limit | string | HTTP headers for the request |
| headers.X-Ratelimit-Remaining | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.errors | array | Request body data |
| body.errors.file_name | string | Request body data |
| body.errors.file | string | Request body data |

#### Output Example

```json
{"status_code": 200, "headers": {"Server": "nginx", "Date": "Mon, 27 May 2024 05:27:36 GMT", "Content-Type": "application/json", "Content-Length": "158", "Connection": "keep-alive", "Content-Encoding": "gzip", "X-Cs-Region": "us-1", "X-Cs-Traceid": "51a5a683-e7b8-42a9-9bb7-9d0b5f77a3e5", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5998", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "body": {"meta": {"query_time": 0.015268557, "powered_by": "empower-api", "trace_id": "51a5a683-e7b8-42a9-9bb7-9
```

### Perform Action

Executes specified actions such as containment, lifting, deletion, or restoration on identified hosts in CrowdStrike Falcon using unique IDs.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.action_name | string | Required | Specify one of the actions to perform the action. |
| ids | array | Optional | The host agent ID (AID) of the host you want to impact. If you provide IDs to the method using this keyword, you do not have to provide a body payload (service class usage only). A maximum of 100 IDs may be provided to this keyword. |

#### Input Example

```json
{"parameters": {"action_name": "detection_suppress"}, "json_body": {"ids": ["20", "100"]}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Content-Length | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Content-Encoding | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |
| headers.X-Cs-Region | string | HTTP headers for the request |
| headers.X-Cs-Traceid | string | HTTP headers for the request |
| headers.X-Ratelimit-Limit | string | HTTP headers for the request |
| headers.X-Ratelimit-Remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.resources.id | string | Request body data |
| body.resources.path | string | Request body data |
| body.errors | array | Request body data |
| body.errors.file_name | string | Request body data |
| body.errors.file | string | Request body data |

#### Output Example

```json
{"status_code": 202, "headers": {"Server": "nginx", "Date": "Fri, 20 Sep 2024 08:16:47 GMT", "Content-Type": "application/json", "Content-Length": "217", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-Cs-Region": "us-1", "X-Cs-Traceid": "35b0eb2c-1375-4f13-b902-03fe20a7943c", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5994"}, "body": {"meta": {"query_time": 0.469539059, "powered_by": "device-api", "
```

### Post Aggregate Alerts

Retrieve aggregated alert values from CrowdStrike Falcon using specified criteria and filters. Requires a 'field' in the JSON body.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.include_hidden | boolean | Optional | Allows previously hidden alerts to be retrieved. |
| date_ranges | array | Optional | Applies to date_range aggregations. List of date ranges for aggregation. |
| date_ranges.from | string | Required | Start date/time for the range. |
| date_ranges.to | string | Required | End date/time for the range. |
| exclude | string | Optional | Elements to exclude. |
| field | string | Optional | The field on which to compute the aggregation. |
| filter | string | Optional | FQL syntax formatted string to use to filter the results. |
| from | number | Optional | Starting position. |
| include | string | Optional | Elements to include. |
| interval | string | Optional | Time interval for date histogram aggregations. Required for date_histogram type. |
| max_doc_count | number | Optional | Only return buckets if values are less than or equal to the value here. |
| min_doc_count | number | Optional | Only return buckets if values are greater than or equal to the value here. |
| missing | string | Optional | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | string | Optional | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | string | Optional | Full text search across all metadata fields. |
| ranges | array | Optional | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like ranges with from and to values. |
| ranges.from | number | Optional | Starting value for the range. |
| ranges.to | number | Optional | Ending value for the range. |
| size | number | Optional | The max number of term buckets to be returned. |
| sort | string | Optional | FQL syntax string to sort bucket results. _count sorts by document count, _term sorts by the string value alphabetically. Supports asc and desc using the `\|` format. |
| sub_aggregates | array | Optional | A nested aggregation. There is a maximum of 3 nested aggregations per request. |
| sub_aggregates.name | string | Required | Name for the sub-aggregate. |
| sub_aggregates.type | string | Required | Type of sub-aggregation. |
| sub_aggregates.field | string | Required | Field to aggregate on. |
| time_zone | string | Optional | Time zone for bucket results. |

#### Input Example

```json
{"parameters": {"include_hidden": false}, "json_body": {"date_ranges": [{"from": "2024-01-01T00:00:00Z", "to": "2024-01-31T23:59:59Z"}], "field": "severity", "filter": "status:'new'", "type": "terms"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Transfer-Encoding | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Content-Encoding | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |
| headers.X-Cs-Region | string | HTTP headers for the request |
| headers.X-Cs-Traceid | string | HTTP headers for the request |
| headers.X-Ratelimit-Limit | string | HTTP headers for the request |
| headers.X-Ratelimit-Remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.resources.value | string | The aggregated field value |
| body.resources.count | number | The count of alerts for this value |
| body.resources.sub_aggregates | array | Sub-aggregation results, if specified |
| body.resources.sub_aggregates.value | string | Request body data |
| body.resources.sub_aggregates.count | number | Request body data |
| body.errors | array | Request body data |

#### Output Example

```json
{"headers": {"Server": "string", "Date": "2024-01-01T00:00:00Z", "Content-Type": "string", "Transfer-Encoding": "string", "Connection": "string", "Content-Encoding": "string", "Strict-Transport-Security": "string", "X-Cs-Region": "string", "X-Cs-Traceid": "string", "X-Ratelimit-Limit": "string", "X-Ratelimit-Remaining": "string"}, "body": {"meta": {"query_time": 123, "powered_by": "string", "trace_id": "string"}, "resources": [{}], "errors": [{}]}}
```

### Query Alerts

Retrieve a list of alerts from CrowdStrike Falcon based on specified criteria for targeted security responses.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.offset | number | Optional | The first alert to return, where 0 is the latest alert. |
| parameters.limit | number | Optional | The maximum number of alerts to return in this response. |
| parameters.include_hidden | boolean | Optional | Allows previously hidden alerts to be retrieved. |
| parameters.sort | string | Optional | Sort alerts using the FQL filter. |
| parameters.filter | string | Optional | Filter alerts using a query in Falcon Query Language (FQL). |
| parameters.q | string | Optional | Search all alert metadata for the provided string. |

#### Input Example

```json
{"parameters": {"offset": 0, "limit": 10, "include_hidden": false}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Content-Length | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Content-Encoding | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |
| headers.X-Cs-Region | string | HTTP headers for the request |
| headers.X-Cs-Traceid | string | HTTP headers for the request |
| headers.X-Ratelimit-Limit | string | HTTP headers for the request |
| headers.X-Ratelimit-Remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.pagination | object | Request body data |
| body.meta.pagination.offset | number | Request body data |
| body.meta.pagination.limit | number | Request body data |
| body.meta.pagination.total | number | Request body data |
| body.meta.writes | object | Request body data |
| body.meta.writes.resources_affected | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |

#### Output Example

```json
{"status_code": 200, "headers": {"Server": "nginx", "Date": "Mon, 27 May 2024 09:03:20 GMT", "Content-Type": "application/json", "Content-Length": "475", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-Cs-Region": "us-1", "X-Cs-Traceid": "88c181db-510b-4386-a7e3-c8ccff94aca7", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5999"}, "body": {"meta": {"query_time": 0.016096131, "pagination": {}, "writes": {}
```

### Query CrowdScore

Retrieve the CrowdScore for entities from CrowdStrike Falcon V2 to assess their risk levels.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.filter | string | Optional | FQL syntax formatted string used to limit the results. |
| parameters.offset | number | Optional | Starting index of overall result set from which to return IDs. |
| parameters.limit | number | Optional | Maximum number of records to return. |
| parameters.sort | string | Optional | The property to sort by (ex: modified_timestamp.desc). |

#### Input Example

```json
{"parameters": {"offset": 1, "limit": 10}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Content-Length | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Content-Encoding | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |
| headers.X-Cs-Region | string | HTTP headers for the request |
| headers.X-Cs-Traceid | string | HTTP headers for the request |
| headers.X-Ratelimit-Limit | string | HTTP headers for the request |
| headers.X-Ratelimit-Remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.pagination | object | Request body data |
| body.meta.pagination.offset | number | Request body data |
| body.meta.pagination.limit | number | Request body data |
| body.meta.pagination.total | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.resources.id | string | Request body data |
| body.resources.cid | string | Request body data |

#### Output Example

```json
{"status_code": 200, "headers": {"Server": "nginx", "Date": "Thu, 30 May 2024 18:12:05 GMT", "Content-Type": "application/json", "Content-Length": "375", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-Cs-Region": "us-1", "X-Cs-Traceid": "d4d5beb0-aec6-469b-9b39-469db91b9349", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5999"}, "body": {"meta": {"query_time": 0.025790123, "pagination": {}, "powered_by
```

### Query Detections

Retrieve a list of detection events from CrowdStrike Falcon based on specified criteria.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | Optional | The maximum number of detections to return in this response (default: 100; max: 9999). |
| parameters.offset | number | Optional | The first detection to return, where 0 is the latest detection. |
| parameters.filter | string | Optional | Filter detections using a query in Falcon Query Language (FQL). An asterisk wildcard includes all results. |
| parameters.sort | string | Optional | Parameters for the Query Detections action. |
| parameters.q | string | Optional | Search all detection metadata for the provided string. |

#### Input Example

```json
{"parameters": {"limit": 10, "offset": 0}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Content-Length | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Content-Encoding | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |
| headers.X-Cs-Region | string | HTTP headers for the request |
| headers.X-Cs-Traceid | string | HTTP headers for the request |
| headers.X-Ratelimit-Limit | string | HTTP headers for the request |
| headers.X-Ratelimit-Remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.pagination | object | Request body data |
| body.meta.pagination.offset | number | Request body data |
| body.meta.pagination.limit | number | Request body data |
| body.meta.pagination.total | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.errors | array | Request body data |
| body.errors.file_name | string | Request body data |

#### Output Example

```json
{"status_code": 200, "headers": {"Server": "nginx", "Date": "Fri, 24 May 2024 19:08:54 GMT", "Content-Type": "application/json", "Content-Length": "407", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-Cs-Region": "us-1", "X-Cs-Traceid": "65fa2703-fedf-4e5c-aaf2-89a06e4f4297", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5999"}, "body": {"meta": {"query_time": 0.005995313, "pagination": {}, "powered_by
```

### Query Host by Indicator

Retrieve host details linked to a specific indicator in CrowdStrike Falcon V2, with required 'type' and 'value' parameters.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.type | string | Required | Parameters for the Query Host by Indicator action. |
| parameters.value | string | Required | Parameters for the Query Host by Indicator action. |
| parameters.limit | number | Optional | Parameters for the Query Host by Indicator action. |
| parameters.offset | number | Optional | Parameters for the Query Host by Indicator action. |

#### Input Example

```json
{"parameters": {"type": "sha256", "value": "swimlane.com", "limit": 10, "offset": 0}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Content-Length | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Content-Encoding | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |
| headers.X-Cs-Region | string | HTTP headers for the request |
| headers.X-Cs-Traceid | string | HTTP headers for the request |
| headers.X-Ratelimit-Limit | string | HTTP headers for the request |
| headers.X-Ratelimit-Remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.pagination | object | Request body data |
| body.meta.pagination.offset | string | Request body data |
| body.meta.pagination.limit | number | Request body data |
| body.meta.trace_id | string | Request body data |
| body.meta.entity | string | Request body data |
| body.resources | array | Request body data |
| body.errors | array | Request body data |
| body.errors.file_name | string | Request body data |
| body.errors.file | string | Request body data |

#### Output Example

```json
{"status_code": 200, "headers": {"Server": "nginx", "Date": "Mon, 27 May 2024 17:45:39 GMT", "Content-Type": "application/json", "Content-Length": "249", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-Cs-Region": "us-1", "X-Cs-Traceid": "7dfddaf4-fec6-492b-a5be-9a11fe0b5bcc", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5999"}, "body": {"meta": {"query_time": 6.9e-08, "pagination": {}, "trace_id": "81b
```

### Query Identity Protection by GraphQL

Executes a GraphQL query for identity protection within CrowdStrike Falcon using the provided 'query' parameter.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| query | string | Optional | JSON-similar formatted query to perform. |
| variables | object | Optional | Dictionary of variables to provide to the query. |

#### Input Example

```json
{"json_body": {"query": "{\n entities(first: 1)\n {\n nodes {\n entityId \n }\n }\n}"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Content-Length | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Content-Encoding | string | HTTP headers for the request |
| headers.X-Cs-Region | string | HTTP headers for the request |
| headers.X-Cs-Traceid | string | HTTP headers for the request |
| headers.X-Ratelimit-Limit | string | HTTP headers for the request |
| headers.X-Ratelimit-Remaining | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |

#### Output Example

```json
{"status_code": 200, "headers": {"Server": "nginx", "Date": "Fri, 20 Sep 2024 07:50:03 GMT", "Content-Type": "application/json", "Content-Length": "456", "Connection": "keep-alive", "Content-Encoding": "gzip", "X-Cs-Region": "us-1", "X-Cs-Traceid": "0186811e-4b00-49d8-a9e6-e7b2f59f5f87", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5996", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "json_body": {}}
```

### Query Indicator

Retrieve threat intelligence indicators from CrowdStrike Falcon using specified criteria to enhance security insights.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | Optional | Maximum number of results to return. |
| parameters.offset | number | Optional | The offset to start retrieving records from. |
| parameters.filter | string | Optional | FQL syntax formatted filter that should be used to limit the results. |
| parameters.from_parent | boolean | Optional | Return results for the parent only. |
| parameters.sort | string | Optional | FQL syntax formatted sort filter. |
| parameters.after | string | Optional | A pagination token used with the limit parameter to manage pagination of results. |

#### Input Example

```json
{"parameters": {"limit": 100, "offset": 35}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Content-Length | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Content-Encoding | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |
| headers.X-Cs-Region | string | HTTP headers for the request |
| headers.X-Cs-Traceid | string | HTTP headers for the request |
| headers.X-Ratelimit-Limit | string | HTTP headers for the request |
| headers.X-Ratelimit-Remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.pagination | object | Request body data |
| body.meta.pagination.limit | number | Request body data |
| body.meta.pagination.total | number | Request body data |
| body.meta.pagination.offset | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.errors | array | Request body data |
| body.errors.file_name | string | Request body data |

#### Output Example

```json
{"status_code": 200, "headers": {"Server": "nginx", "Date": "Fri, 24 May 2024 07:39:09 GMT", "Content-Type": "application/json", "Content-Length": "522", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-Cs-Region": "us-1", "X-Cs-Traceid": "3145c559-d52e-425f-8a3f-798060f0be55", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5999"}, "body": {"meta": {"query_time": 0.013341804, "pagination": {}, "powered_by
```

### Query Reports

Retrieve a list of reports from CrowdStrike Falcon based on specified query criteria.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.filter | string | Optional | Optional filter and sort criteria in the form of an FQL query. |
| parameters.offset | number | Optional | Starting index of overall result set from which to return IDs. |
| parameters.limit | number | Optional | The maximum records to return (max: 5000). |
| parameters.sort | string | Optional | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc. |

#### Input Example

```json
{"parameters": {"offset": 0, "limit": 10}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Content-Length | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Content-Encoding | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |
| headers.X-Cs-Region | string | HTTP headers for the request |
| headers.X-Cs-Traceid | string | HTTP headers for the request |
| headers.X-Ratelimit-Limit | string | HTTP headers for the request |
| headers.X-Ratelimit-Remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.pagination | object | Request body data |
| body.meta.pagination.offset | number | Request body data |
| body.meta.pagination.limit | number | Request body data |
| body.meta.pagination.total | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.meta.quota | object | Request body data |
| body.meta.quota.total | number | Request body data |
| body.meta.quota.used | number | Request body data |

#### Output Example

```json
{"status_code": 200, "headers": {"Server": "nginx", "Date": "Mon, 27 May 2024 10:28:27 GMT", "Content-Type": "application/json", "Content-Length": "301", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-Cs-Region": "us-1", "X-Cs-Traceid": "0c39193e-9bec-4bb9-a498-d49d076014ed", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5999"}, "body": {"meta": {"query_time": 0.116668387, "pagination": {}, "powered_by
```

### Query Sensors

Retrieve sensor details and status for endpoint monitoring within the CrowdStrike Falcon environment.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | Optional | The maximum records to return [1-200]. |
| parameters.offset | number | Optional | The offset to start retrieving records from. |
| parameters.filter | string | Optional | The filter expression that should be used to limit the results. |
| parameters.sort | string | Optional | The property to sort by (e.g. status.desc or hostname.asc). |

#### Input Example

```json
{"parameters": {"limit": 100, "offset": 35}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| body | object | Request body data |

#### Output Example

```json
{"status_code": 200, "headers": {}, "body": {}}
```

### Query Submissions

Retrieve detailed information on submissions, including status and results, from CrowdStrike Falcon V2.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| filter | string | Optional | Optional filter and sort criteria in the form of an FQL query. |
| limit | number | Optional | The maximum records to return (max: 5000). |
| offset | number | Optional | Starting index of overall result set from which to return IDs. |
| sort | string | Optional | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc. |

#### Input Example

```json
{"parameters": {"filter": "", "limit": 50, "offset": 0, "sort": "desc"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Content-Length | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Content-Encoding | string | HTTP headers for the request |
| headers.X-Cs-Region | string | HTTP headers for the request |
| headers.X-Cs-Traceid | string | HTTP headers for the request |
| headers.X-Ratelimit-Limit | string | HTTP headers for the request |
| headers.X-Ratelimit-Remaining | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |
| body | object | Request body data |
| body.errors | array | Request body data |
| body.errors.code | number | Request body data |
| body.errors.id | string | Request body data |
| body.errors.message | string | Request body data |
| body.meta | object | Request body data |
| body.meta.pagination | object | Request body data |
| body.meta.pagination.limit | number | Request body data |
| body.meta.pagination.offset | number | Request body data |
| body.meta.pagination.total | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.query_time | number | Request body data |

#### Output Example

```json
{"status_code": 200, "headers": {"Server": "nginx", "Date": "Fri, 20 Sep 2024 07:50:03 GMT", "Content-Type": "application/json", "Content-Length": "456", "Connection": "keep-alive", "Content-Encoding": "gzip", "X-Cs-Region": "us-1", "X-Cs-Traceid": "0186811e-4b00-49d8-a9e6-e7b2f59f5f87", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5996", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "body": {"errors": [{}], "meta": {"pagination": {}, "powered_by": "string", "query_time": 0, "trace_id": "string", "w
```

### Refresh Active Stream Session

Renews an active event stream session in CrowdStrike Falcon V2 using the specified partition and app ID for continuous monitoring.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| partition | number | Required | Partition to request data for. If you are using the service class, this will default to 0 when not specified. |
| parameters.action_name | string | Required | The name of the action to perform. The only allowed value is refresh_active_stream_session. Defaults to this value if not present when using the service class. |
| parameters.app_id | string | Required | Label that identifies your connection. Maximum: 32 alphanumeric characters (a-z, A-Z, 0-9). |

#### Input Example

```json
{"parameters": {"action_name": "refresh_active_stream_session", "app_id": ""}, "partition": 0}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Content-Length | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Content-Encoding | string | HTTP headers for the request |
| headers.X-Cs-Region | string | HTTP headers for the request |
| headers.X-Cs-Traceid | string | HTTP headers for the request |
| headers.X-Ratelimit-Limit | string | HTTP headers for the request |
| headers.X-Ratelimit-Remaining | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.errors | array | Request body data |

#### Output Example

```json
{"status_code": 200, "headers": {"Server": "nginx", "Date": "Fri, 20 Sep 2024 07:50:03 GMT", "Content-Type": "application/json", "Content-Length": "456", "Connection": "keep-alive", "Content-Encoding": "gzip", "X-Cs-Region": "us-1", "X-Cs-Traceid": "0186811e-4b00-49d8-a9e6-e7b2f59f5f87", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5996", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "body": {"meta": {"query_time": 0.000257867, "powered_by": "falconhose", "trace_id": "f02691b5-5fcd-4e1f-9e5d-d3
```

### RTR Get Batch Get Cmd

Retrieves the status and results of a specified batch get command in CrowdStrike Falcon V2 using the provided batch_get_cmd_req_id.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.batch_get_cmd_req_id | string | Required | Batch Get command request ID (usually retrieved when making a call to BatchGetCmd). |
| parameters.timeout | number | Optional | Timeout for how long to wait for the request in seconds. Default timeout is 30 seconds. |
| parameters.timeout_duration | string | Optional | Parameters for the RTR Get Batch Get Cmd action. |

#### Input Example

```json
{"parameters": {"batch_get_cmd_req_id": "request_id123342", "timeout": 30, "timeout_duration": "60s"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Content-Length | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Content-Encoding | string | HTTP headers for the request |
| headers.X-Cs-Region | string | HTTP headers for the request |
| headers.X-Cs-Traceid | string | HTTP headers for the request |
| headers.X-Ratelimit-Limit | string | HTTP headers for the request |
| headers.X-Ratelimit-Remaining | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |
| body | object | Request body data |
| body.errors | array | Request body data |
| body.errors.code | number | Request body data |
| body.errors.id | string | Request body data |
| body.errors.message | string | Request body data |
| body.meta | object | Request body data |
| body.meta.pagination | object | Request body data |
| body.meta.pagination.limit | number | Request body data |
| body.meta.pagination.offset | number | Request body data |
| body.meta.pagination.total | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.query_time | number | Request body data |

#### Output Example

```json
{"status_code": 200, "headers": {"Server": "nginx", "Date": "Tue, 11 Jun 2024 05:37:32 GMT", "Content-Type": "application/json", "Content-Length": "210", "Connection": "keep-alive", "Content-Encoding": "gzip", "X-Cs-Region": "us-1", "X-Cs-Traceid": "ffa4bb9b-3c9b-4178-b0f1-aab2c8c5ca76", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5999", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "body": {"errors": [{}], "meta": {"pagination": {}, "powered_by": "string", "query_time": 0, "trace_id": "string", "w
```

### RTR Post Batch Get Cmd

Executes a batch 'get' command across multiple hosts in CrowdStrike Falcon V2 to retrieve files, with status accessible via the BatchGetCmdStatus endpoint.

Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.timeout | number | Optional | Parameters for the RTR Post Batch Get Cmd action. |
| parameters.timeout_duration | string | Optional | Parameters for the RTR Post Batch Get Cmd action. |
| parameters.host_timeout_duration | string | Optional | Parameters for the RTR Post Batch Get Cmd action. |
| batch_id | string | Optional | Unique identifier. |
| file_path | string | Optional | Parameter for RTR Post Batch Get Cmd. |
| optional_hosts | array | Optional | Parameter for RTR Post Batch Get Cmd. |

#### Input Example

```json
{"parameters": {"timeout": 30, "timeout_duration": "30s", "host_timeout_duration": "10s"}, "json_body": {"batch_id": "string", "file_path": "string", "optional_hosts": ["string"]}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Content-Length | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Content-Encoding | string | HTTP headers for the request |
| headers.X-Cs-Region | string | HTTP headers for the request |
| headers.X-Cs-Traceid | string | HTTP headers for the request |
| headers.X-Ratelimit-Limit | string | HTTP headers for the request |
| headers.X-Ratelimit-Remaining | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |
| body | object | Request body data |
| body.batch_get_cmd_req_id | string | Request body data |
| body.combined | object | Request body data |
| body.combined.resources | object | Request body data |
| body.combined.resources.additionalProp1 | object | Request body data |
| body.combined.resources.additionalProp1.aid | string | Request body data |
| body.combined.resources.additionalProp1.base_command | string | Request body data |
| body.combined.resources.additionalProp1.complete | boolean | Request body data |
| body.combined.resources.additionalProp1.errors | array | Request body data |
| body.combined.resources.additionalProp1.offline_queued | boolean | Request body data |
| body.combined.resources.additionalProp1.query_time | number | Request body data |
| body.combined.resources.additionalProp1.sequence_id | number | Request body data |

#### Output Example

```json
{"status_code": 200, "headers": {"Server": "nginx", "Date": "Tue, 11 Jun 2024 05:37:32 GMT", "Content-Type": "application/json", "Content-Length": "210", "Connection": "keep-alive", "Content-Encoding": "gzip", "X-Cs-Region": "us-1", "X-Cs-Traceid": "ffa4bb9b-3c9b-4178-b0f1-aab2c8c5ca76", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5999", "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, "body": {"batch_get_cmd_req_id": "string", "combined": {"resources": {}}, "errors": [{}], "meta": {"pagination": {}
```

### Search Host

Retrieve detailed information on hosts within the CrowdStrike Falcon environment using specific search criteria.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.offset | number | Optional | The offset to start retrieving records from. |
| parameters.limit | number | Optional | The maximum records to return [1-5000]. |
| parameters.sort | string | Optional | The property to sort by (e.g. status.desc or hostname.asc). |
| parameters.filter | string | Optional | The filter expression that should be used to limit the results. |

#### Input Example

```json
{"parameters": {"offset": 0, "limit": 10}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Content-Length | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Content-Encoding | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |
| headers.X-Cs-Region | string | HTTP headers for the request |
| headers.X-Cs-Traceid | string | HTTP headers for the request |
| headers.X-Ratelimit-Limit | string | HTTP headers for the request |
| headers.X-Ratelimit-Remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.pagination | object | Request body data |
| body.meta.pagination.offset | number | Request body data |
| body.meta.pagination.limit | number | Request body data |
| body.meta.pagination.total | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.errors | array | Request body data |
| body.errors.file_name | string | Request body data |

#### Output Example

```json
{"status_code": 200, "headers": {"Server": "nginx", "Date": "Fri, 24 May 2024 18:21:07 GMT", "Content-Type": "application/json", "Content-Length": "411", "Connection": "keep-alive", "Content-Encoding": "gzip", "Strict-Transport-Security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains", "X-Cs-Region": "us-1", "X-Cs-Traceid": "35ff4175-dc74-45a7-969c-3707822de1ea", "X-Ratelimit-Limit": "6000", "X-Ratelimit-Remaining": "5999"}, "body": {"meta": {"query_time": 0.007732427, "pagination": {}, "powered_by
```

### Submit File for Analysis

Submit a file for analysis to CrowdStrike Falcon V2 using SHA256, user tags, and environment ID.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| action_script | string | Optional | Runtime script for sandbox analysis. |
| command_line | string | Optional | Command line script passed to the submitted file at runtime. Max length: 2048 characters. |
| document_password | string | Optional | Auto-filled for Adobe or Office files that prompt for a password. Max length: 32 characters. |
| enable_tor | boolean | Optional | Deprecated, please use network_settings instead. If true, sandbox analysis routes network traffic via TOR. |
| environment_id | number | Optional | Specifies the sandbox environment used for analysis. Accepted values are 400: macOS Catalina 10.15, 300: Linux Ubuntu 16.04, 64-bit, 200: Android (static analysis), 160: Windows 10, 64-bit, 110: Windows 7, 64-bit and 100: Windows 7, 32-bit. |
| network_settings | string | Optional | Specifies the sandbox network settings used for analysis. |
| send_email_notification | boolean | Optional | Boolean indicating if an email notification should be sent. |
| sha256 | string | Optional | ID of the sample, which is a SHA256 hash value. |
| submit_name | string | Optional | Name of the malware sample that's used for file type detection and analysis. |
| system_date | string | Optional | Set a custom date in the format yyyy-MM-dd for the sandbox environment. |
| system_time | string | Optional | Set a custom time in the format HH:mm for the sandbox environment. |
| url | string | Optional | A web page or file URL. It can be HTTP(S) or FTP. The sha256 keyword must be unset if this keyword is used. |
| user_tags | array | Optional | User tags. |

#### Input Example

```json
{"json_body": {"environment_id": 300, "sha256": "0edf67fa585bedac6db7571f9fe3a449a2d0a4d78529a8bfee4f845f00931f89", "user_tags": ["t1"]}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Content-Length | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Content-Encoding | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |
| headers.X-Cs-Region | string | HTTP headers for the request |
| headers.X-Cs-Traceid | string | HTTP headers for the request |
| headers.X-Ratelimit-Limit | string | HTTP headers for the request |
| headers.X-Ratelimit-Remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
body meta quota object request body data body meta quota total number request body data body meta quota used number request body data body meta quota in progress number request body data body resources array request body data body resources id string request body data body resources cid string request body data output example {"status code" 200,"headers" {"server" "nginx","date" "thu, 30 may 2024 09 20 40 gmt","content type" "application/json","content length" "416","connection" "keep alive","content encoding" "gzip","strict transport security" "max age=15724800; includesubdomains, max age=31536000; includesubdomains","x cs region" "us 1","x cs traceid" "40292170 d8b7 40a2 b0f9 59fbc30d6c86","x ratelimit limit" "6000","x ratelimit remaining" "5998"},"body" {"meta" {"query time" 0 124695049,"powered by" "falconx api", update alerts by id updates specific alerts in crowdstrike falcon v2 using unique identifiers and allows inclusion of hidden alerts input argument name type required description parameters include hidden boolean required allows previously hidden alerts to be retrieved add tag string optional add a tag to 1 or more alert(s) append comment string optional appends new comment to existing comments assign to name string optional assign 1 or more alert(s) to a user identified by user name assign to user id string optional assign 1 or more alert(s) to a user identified by user id (eg mailto\ user1\@example com ) assign to uuid string optional a user id (ex mailto\ user\@somewhere com ) to assign the alert to ids array optional composite id(s) of the alerts to update new behavior processed string optional adds a newly processed behavior to 1 or more alert(s) remove tag string optional remove a tag from 1 or more alert(s) remove tags by prefix string optional remove tags with given prefix from 1 or more alert(s) show in ui boolean optional boolean determining if this alert is displayed in the falcon console true this alert is displayed in falcon false this 
alert is not displayed in Falcon |
| unassign | string | optional | Unassign a previously assigned user from 1 or more alert(s). The value passed to this action is ignored |
| update_status | string | optional | Update the status of the alert |

#### Input Example

```json
{
  "parameters": {"include_hidden": true},
  "json_body": {
    "ids": ["9cee3cb8390040a986142632cff93a6f:ind:ccde88355e0a48fa9558daadb64861ea:26027824139-10303-1316112"],
    "update_status": "in_progress"
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.server | string | HTTP headers for the request |
| headers.date | string | HTTP headers for the request |
| headers.content_type | string | HTTP headers for the request |
| headers.content_length | string | HTTP headers for the request |
| headers.connection | string | HTTP headers for the request |
| headers.content_encoding | string | HTTP headers for the request |
| headers.strict_transport_security | string | HTTP headers for the request |
| headers.x_cs_region | string | HTTP headers for the request |
| headers.x_cs_traceid | string | HTTP headers for the request |
| headers.x_ratelimit_limit | string | HTTP headers for the request |
| headers.x_ratelimit_remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.writes | object | Request body data |
| body.meta.writes.resources_affected | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |

#### Output Example

```json
{
  "status_code": 200,
  "headers": {
    "server": "nginx",
    "date": "Thu, 30 May 2024 06:13:34 GMT",
    "content-type": "application/json",
    "content-length": "161",
    "connection": "keep-alive",
    "content-encoding": "gzip",
    "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
    "x-cs-region": "us-1",
    "x-cs-traceid": "d063bf0b-7622-428e-846d-646ab236ca3b",
    "x-ratelimit-limit": "6000",
    "x-ratelimit-remaining": "5999"
  },
  "body": {
    "meta": {
      "query_time": 0.466943467,
      "writes": {},
      "powered_by": "d
```

### Update Indicator

Updates an existing indicator in the CrowdStrike Falcon platform with new intelligence or modifications. A JSON body input is required.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.ignore_warnings | boolean | optional | Flag to indicate that warnings are ignored |
| parameters.retrodetects | boolean | optional | Flag to indicate whether to submit retrodetects |
| bulk_update | object | optional | Date value |
| bulk_update.action | string | optional | Default action for the IOC |
| bulk_update.applied_globally | boolean | optional | Flag indicating this IOC is applied globally |
| bulk_update.description | string | optional | IOC description |
| bulk_update.expiration | string | optional | UTC-formatted date string |
| bulk_update.from_parent | boolean | optional | Return results for the parent only |
| bulk_update.host_groups | array | optional | List of host groups this IOC applies to |
| bulk_update.metadata | object | optional | Response data |
| bulk_update.metadata.filename | string | optional | Filename to use for the metadata dictionary |
| bulk_update.mobile_action | string | optional | Mobile action to perform |
| bulk_update.platforms | array | optional | Platforms this IOC impacts |
| bulk_update.severity | string | optional | IOC severity |
| bulk_update.source | string | optional | IOC source |
| bulk_update.tags | array | optional | IOC tags |
| bulk_update.filter | string | optional | FQL-syntax formatted filter that should be used to filter indicators in bulk |
| bulk_update.type | string | optional | IOC type |
| bulk_update.value | string | optional | String representation of the IOC |
| comment | string | optional | IOC comment |
| indicators | array | optional | Parameter for Update Indicator |
| indicators.id | string | optional | The indicator ID to be updated |
| indicators.action | string | optional | Default action for the IOC |
| indicators.applied_globally | boolean | optional | Flag indicating this IOC is applied globally |
| indicators.description | string | optional | IOC description |

#### Input Example

```json
{
  "parameters": {"ignore_warnings": true, "retrodetects": true},
  "json_body": {
    "bulk_update": {
      "platforms": ["linux", "windows", "mac"],
      "filter": "id:'251f034e85cae0de16c1ac1d4bca712b7d39889d3fab896c7e7b5b680b6479f8'"
    }
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.server | string | HTTP headers for the request |
| headers.date | string | HTTP headers for the request |
| headers.content_type | string | HTTP headers for the request |
| headers.content_length | string | HTTP headers for the request |
| headers.connection | string | HTTP headers for the request |
| headers.content_encoding | string | HTTP headers for the request |
| headers.strict_transport_security | string | HTTP headers for the request |
| headers.x_cs_region | string | HTTP headers for the request |
| headers.x_cs_traceid | string | HTTP headers for the request |
| headers.x_ratelimit_limit | string | HTTP headers for the request |
| headers.x_ratelimit_remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.pagination | object | Request body data |
| body.meta.pagination.limit | number | Request body data |
| body.meta.pagination.total | number | Request body data |
| body.meta.powered_by | string | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.resources.file_name | string | Request body data |
| body.resources.file | string | Request body data |
| body.errors | array | Request body data |

#### Output Example

```json
{
  "status_code": 200,
  "headers": {
    "server": "nginx",
    "date": "Tue, 28 May 2024 06:29:11 GMT",
    "content-type": "application/json",
    "content-length": "192",
    "connection": "keep-alive",
    "content-encoding": "gzip",
    "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
    "x-cs-region": "us-1",
    "x-cs-traceid": "0af52173-f617-4266-b0da-778f4e79af06",
    "x-ratelimit-limit": "6000",
    "x-ratelimit-remaining": "5998"
  },
  "body": {
    "meta": {
      "query_time": 0.719683384,
      "pagination": {},
      "powered_by
```

### Upload File for Analysis

Upload a file to CrowdStrike Falcon V2 for in-depth threat analysis, with `file_data` as the required input.

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| data_body | object | optional | Response data |
| data_body.comment | string | optional | A descriptive comment to identify the file for other users |
| data_body.file_name | string | optional | Name to use for the file. Uses the current file name if not specified |
| data_body.is_confidential | boolean | optional | Defines the visibility of this file in Falcon MalQuery, either via the API or the Falcon console. true: file is only shown to users within your customer account; false: file can be seen by other CrowdStrike customers |
| file_data | array | required | Response data |
| file_data.file_name | string | required | Response data |
| file_data.file | string | required | Response data |

#### Input Example

```json
{
  "data_body": {"comment": "sample file", "file_name": "sample.doc", "is_confidential": true},
  "file_data": [{"file": "123 456 789", "file_name": "test123"}]
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| headers | object | HTTP headers for the request |
| headers.server | string | HTTP headers for the request |
| headers.date | string | HTTP headers for the request |
| headers.content_type | string | HTTP headers for the request |
| headers.content_length | string | HTTP headers for the request |
| headers.connection | string | HTTP headers for the request |
| headers.content_encoding | string | HTTP headers for the request |
| headers.strict_transport_security | string | HTTP headers for the request |
| headers.x_cs_region | string | HTTP headers for the request |
| headers.x_cs_traceid | string | HTTP headers for the request |
| headers.x_ratelimit_limit | string | HTTP headers for the request |
| headers.x_ratelimit_remaining | string | HTTP headers for the request |
| body | object | Request body data |
| body.meta | object | Request body data |
| body.meta.query_time | number | Request body data |
| body.meta.trace_id | string | Request body data |
| body.resources | array | Request body data |
| body.errors | array | Request body data |
| body.errors.file_name | string | Request body data |
| body.errors.file | string | Request body data |

#### Output Example

```json
{
  "status_code": 200,
  "headers": {
    "server": "nginx",
    "date": "Wed, 29 May 2024 17:30:22 GMT",
    "content-type": "application/json",
    "content-length": "208",
    "connection": "keep-alive",
    "content-encoding": "gzip",
    "strict-transport-security": "max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains",
    "x-cs-region": "us-1",
    "x-cs-traceid": "d1e81c8a-5b34-49e3-94b5-8cd04b60323d",
    "x-ratelimit-limit": "6000",
    "x-ratelimit-remaining": "5999"
  },
  "body": {
    "meta": {
      "query_time": 8.8e-08,
      "trace_id": "28f9533c-951d-4357
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |