# Halcyon

Halcyon is a security platform that provides advanced threat detection and response capabilities for managing security operations.

Halcyon is a comprehensive platform for asset management and threat detection, offering robust capabilities to manage and secure digital assets. The Halcyon connector for Swimlane Turbine enables seamless integration with Halcyon's services, allowing users to automate asset reporting, alert management, and tenant information retrieval. This integration empowers security teams to efficiently manage assets, respond to threats, and maintain system health, all within the Swimlane Turbine environment.

## Limitations

None to date.

## Supported versions

This Halcyon connector uses the latest version API.

## Additional documents

- Documentation: [click here](https://assets.falcon.crowdstrike.com/support/api/swagger.html#/)

## Prerequisites

Before you can use the Halcyon connector for Turbine, you'll need access to the Halcyon API. This requires the following:

- HTTP basic authentication using the following parameters:
  - URL: the endpoint URL for accessing Halcyon's API.
  - Username: your Halcyon account username.
  - Password: your Halcyon account password.

## Authentication methods

### HTTP basic authentication method

- URL: the endpoint URL for the Halcyon API.
- Username: your Halcyon account username.
- Password: your Halcyon account password.

## Capabilities

This Halcyon connector provides the following capabilities:

- Export assets
- Get alert by ID
- Get asset by ID
- Get installer info
- Get installer info v2
- Get maintenance token
- Get tenant by ID
- Healthcheck
- Healthcheck Prism
- List alerts
- List all descendants
- List tenants
- Update alert
- Update note for alert

### Export assets

Requests the creation of a full or filtered asset report in CSV format. [Click here](https://api.halcyon.ai/docs/index.html#tag/assets/operation/export%20assets)

### Get alert by ID

Get the alert matching the given identifier. [Click here](https://api.halcyon.ai/docs/index.html#tag/alerts/operation/get%20alert)

### Get asset by ID

Retrieves information about an asset. [Click here](https://api.halcyon.ai/docs/index.html#tag/assets/operation/get%20asset)

### Get installer info

Get the installer information for the current tenant, including install token and download links for the available installer versions. [Click here](https://api.halcyon.ai/docs/index.html#tag/installers/operation/get%20installer%20info)

### Get installer info v2

Get the installer information for the current tenant, including install token and download links for the available installer versions. [Click here](https://api.halcyon.ai/docs/index.html#tag/installers/operation/get%20installer%20info%20v2)

### Get maintenance token

Get a maintenance token for an asset's installed agent. [Click here](https://api.halcyon.ai/docs/index.html#tag/assets/operation/get%20maintenance%20token)

### Get tenant by ID

Get the tenant information associated with the given identifier. [Click here](https://api.halcyon.ai/docs/index.html#operation/get%20tenant)

### Healthcheck

Reports success if the server is healthy. [Click here](https://api.halcyon.ai/docs/index.html#operation/healthcheck)

### Healthcheck Prism

Reports success if the Prism proxy service is healthy. [Click here](https://api.halcyon.ai/docs/index.html#tag/health/operation/healthcheck%20prism)

### List alerts

Get a paginated list of alerts matching the given criteria. [Click here](https://api.halcyon.ai/docs/index.html#operation/list%20alerts)

### List all descendants

Gets a paginated list of all descendant tenants (across all sub tiers) for the given tenant. [Click here](https://api.halcyon.ai/docs/index.html#tag/tenants/operation/list%20all%20descendants)

### List tenants

Get a paginated list of tenants that the current user can access. If the `all` query parameter is provided, this will return an unpaginated list of all tenants the user can access. [Click here](https://api.halcyon.ai/docs/index.html#operation/list%20tenants)

### Update alert

Update the alert matching the given identifier. [Click here](https://api.halcyon.ai/docs/index.html#operation/update%20alert)

### Update note for alert

Update an alert's note. Must specify the current note's version in order to update. [Click here](https://api.halcyon.ai/docs/index.html#operation/update%20note%20for%20alert)

## Configurations

### Halcyon HTTP basic authentication

Authenticates using username and password.

#### Configuration parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| username | Username | string | Required |
| password | Password | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Export assets

Request the creation of a full or filtered asset report in CSV format from Halcyon using specified JSON body and headers.

- Endpoint URL: `v2/assets/export`
- Method: POST

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | Required | HTTP headers for the request |
| headers.x-tenantid | string | Required | The tenant ID to use for the request |
| operator | string | Optional | The operator to use for the filters |
| filters | array | Optional | The filters to apply to the assets |
| filters.operator | string | Optional | The operator to use for the filter |
| filters.agentversion | string | Optional | The agent version to filter by |
| resultslimit | number | Optional | The maximum number of results to return |
| sorting | object | Optional | The sorting to apply to the assets |
| sorting.sortby | string | Required | The field to sort by |
| sorting.sortorder | string | Required | The order to sort by |

#### Input example

```json
{"json_body":{"operator":"and","filters":[{"operator":"equals","agentversion":"string"}],"resultslimit":0,"sorting":{"sortby":"registereddate","sortorder":"desc"}},"headers":{"x-tenantid":"f97df110-f4de-492e-8849-4a6af68026b0"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| reportid | string | Unique identifier |

#### Output example

```json
{"status_code":200,"response_headers":{},"reason":"ok","json_body":{"reportid":"836df459-dc40-4aa1-972a-6eb0a864dff9"}}
```

### Get alert by ID

Get the alert in Halcyon matching the given alertid using specified path parameters and headers.

- Endpoint URL: `v2/alerts/{{alertid}}`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.alertid | string | Required | The ID of the alert to retrieve |
| headers | object | Required | HTTP headers for the request |
| headers.x-tenantid | string | Required | The tenant ID to use for the request |

#### Input example

```json
{"path_parameters":{"alertid":"497f6eca-6276-4993-bfeb-53cbbbba6f08"},"headers":{"x-tenantid":"f97df110-f4de-492e-8849-4a6af68026b0"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| tenantid | string | Unique identifier |
| summary | object | Output field summary |
| summary.artifact | object | Output field summary.artifact |
| summary.artifact.authentihash | string | Output field summary.artifact.authentihash |
| summary.artifact.sha256 | string | Output field summary.artifact.sha256 |
| summary.artifact.filepath | string | Output field summary.artifact.filepath |
| summary.artifact.classificationtype | string | Type of the resource |
| summary.artifact.classificationdetails | string | Output field summary.artifact.classificationdetails |
| summary.artifact.kind | string | Output field summary.artifact.kind |
| summary.kind | string | Output field summary.kind |
| primaryprocess | object | Output field primaryprocess |
| primaryprocess.artifact | object | Output field primaryprocess.artifact |
| primaryprocess.artifact.authentihash | string | Output field primaryprocess.artifact.authentihash |
| primaryprocess.artifact.sha256 | string | Output field primaryprocess.artifact.sha256 |
| primaryprocess.artifact.filepath | string | Output field primaryprocess.artifact.filepath |
| primaryprocess.artifact.kind | string | Output field primaryprocess.artifact.kind |
| primaryprocess.commandline | string | Output field primaryprocess.commandline |
| primaryprocess.pid | string | Unique identifier |
| primaryprocess.parentpid | string | Unique identifier |
| primaryprocess.modules | array | Output field primaryprocess.modules |
| primaryprocess.modules.authentihash | string | Output field primaryprocess.modules.authentihash |
| primaryprocess.modules.sha256 | string | Output field primaryprocess.modules.sha256 |

#### Output example

The example is truncated in the source.

```json
{"status_code":200,"response_headers":{},"reason":"ok","json_body":{"id":"a7b8c9d0-e1f2-4a3b-8c4d-5e6f7a8b9c0d","tenantid":"b7e8f9a0-1c2d-4e3f-a5b6-c7d8e9f0a1b2","summary":{"artifact":{},"kind":"driverartifactsummaryresponse"},"primaryprocess":{"artifact":{},"commandline":"\"c:\\program files\\vendorapp\\updater.exe\" silent check updates","pid":"4824","parentpid":"1236","modules":[],"username":"corp\\j smith","userid":"s-1-5-21-3842938471-2938475619-3847561923-1847","kind":"driverprocessres
```

### Get asset by ID

Retrieve detailed information about an asset in Halcyon using the asset ID as a path parameter and necessary headers.

- Endpoint URL: `v2/assets/export{{assetid}}`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.assetid | string | Required | The ID of the asset to retrieve |
| headers | object | Required | HTTP headers for the request |
| headers.x-tenantid | string | Required | The tenant ID to use for the request |

#### Input example

```json
{"path_parameters":{"assetid":"497f6eca-6276-4993-bfeb-53cbbbba6f08"},"headers":{"x-tenantid":"f97df110-f4de-492e-8849-4a6af68026b0"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| tenantid | string | Unique identifier |
| name | string | Name of the resource |
| createddate | string | Date value |
| lastupdateddate | string | Date value |
| lastheartbeatdate | string | Date value |
| deletedat | object | Output field deletedat |
| policygroup | object | Output field policygroup |
| policygroup.id | string | Unique identifier |
| policygroup.name | string | Name of the resource |
| policygroup.owner | string | Output field policygroup.owner |
| deploymentgroup | object | Output field deploymentgroup |
| deploymentgroup.id | string | Unique identifier |
| deploymentgroup.name | string | Name of the resource |
| macaddresses | array | Output field macaddresses |
| ipaddresses | array | Output field ipaddresses |
| ipaddresses.value | string | Value for the parameter |
| ipaddresses.ipaddresstype | string | Type of the resource |
| epplist | array | Output field epplist |
| epplist.name | string | Name of the resource |
| epplist.version | string | Output field epplist.version |
| epplist.lastupdated | string | Output field epplist.lastupdated |

#### Output example

The example is truncated in the source.

```json
{"status_code":200,"response_headers":{},"reason":"ok","json_body":{"id":"a3b2c1d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d","tenantid":"b7e8f9a0-1c2d-4e3f-a5b6-c7d8e9f0a1b2","name":"laptop xr7k92","createddate":"2024-11-15T09:32:14Z","lastupdateddate":"2025-03-22T16:48:03Z","lastheartbeatdate":"2025-03-23T08:12:41Z","deletedat":null,"policygroup":{"id":"c4d5e6f7-a8b9-4c0d-1e2f-3a4b5c6d7e8f","name":"corporate endpoints prod","owner":"it security"},"deploymentgroup":{"id":"d5e6f7a8-b9c0-4d1e-2f3a-4b5c6d7e8f9a
```

### Get installer info

Retrieve installer details for the current Halcyon tenant, including install token and download links for available versions. Requires headers.

- Endpoint URL: `v1/tenant/installer`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | Required | HTTP headers for the request |
| headers.x-tenantid | string | Required | The tenant ID to use for the request |

#### Input example

```json
{"headers":{"x-tenantid":"f97df110-f4de-492e-8849-4a6af68026b0"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.download_url | string | Response data |
| data.current_version | string | Response data |
| data.install_token | string | Response data |
| data.other_versions | object | Response data |
| data.other_versions.7.11.18290 | string | Response data |
| data.other_versions.7.10.17105 | string | Response data |
| success | boolean | Whether the operation was successful |
| errors | array | Error message if any |
| errors.file_name | string | Name of the resource |
| errors.file | string | Error message if any |
| pagination | object | Output field pagination |
| pagination.total | number | Output field pagination.total |
| pagination.total_pages | number | Output field pagination.total_pages |
| pagination.previous_page | number | Output field pagination.previous_page |
| pagination.next_page | number | Output field pagination.next_page |
| pagination.first_page | number | Output field pagination.first_page |
| pagination.last_page | number | Output field pagination.last_page |
| pagination.page | number | Output field pagination.page |

#### Output example

```json
{"status_code":200,"response_headers":{},"reason":"ok","json_body":{"data":{"download_url":"https://cdn.example.com/installers/falcon-7.12.19304-windows-x64.msi","current_version":"7.12.19304","install_token":"eyjhbgcioijiuzi1niisinr5cci6ikpxvcj9 eyjwbgf0zm9ybsi6indpbmrvd3milcj0b2tlbii6imy ","other_versions":{}},"success":true,"errors":[],"pagination":{"total":156,"total_pages":16,"previous_page":0,"next_page":2,"first_page":1,"last_page":16,"page":1}}}
```

### Get installer info v2

Get installer information for the current Halcyon tenant, including install token and download links for available versions. Requires headers.

- Endpoint URL: `v2/installers`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.page | number | Optional | The page number to retrieve |
| parameters.pagesize | number | Optional | The number of items to retrieve per page |
| parameters.allsupported | boolean | Optional | Whether to retrieve all supported installer versions |
| headers | object | Required | HTTP headers for the request |
| headers.x-tenantid | string | Required | The tenant ID to use for the request |

#### Input example

```json
{"parameters":{"page":1,"pagesize":10,"allsupported":true},"headers":{"x-tenantid":"f97df110-f4de-492e-8849-4a6af68026b0"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| items.downloadurl | string | URL endpoint for the request |
| items.latestversion | string | Output field items.latestversion |
| items.installertype | string | Type of the resource |
| items.installationtoken | string | Output field items.installationtoken |
| items.version | string | Output field items.version |
| pagination | object | Output field pagination |
| pagination.totalitems | number | Output field pagination.totalitems |
| pagination.totalpages | number | Output field pagination.totalpages |
| pagination.currentpage | number | Output field pagination.currentpage |
| pagination.nextpage | number | Output field pagination.nextpage |
| pagination.previouspage | number | Output field pagination.previouspage |

#### Output example

```json
{"status_code":200,"response_headers":{},"reason":"ok","json_body":{"items":[{}],"pagination":{"totalitems":24,"totalpages":3,"currentpage":1,"nextpage":2,"previouspage":0}}}
```

### Get maintenance token

Get a maintenance token for an asset's installed agent in Halcyon using path parameters and headers, including assetid.

- Endpoint URL: `v2/assets/export{{assetid}}/maintenance token`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.assetid | string | Required | The ID of the asset to retrieve the maintenance token for |
| headers | object | Required | HTTP headers for the request |
| headers.x-tenantid | string | Required | The tenant ID to use for the request |

#### Input example

```json
{"path_parameters":{"assetid":"497f6eca-6276-4993-bfeb-53cbbbba6f08"},"headers":{"x-tenantid":"f97df110-f4de-492e-8849-4a6af68026b0"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| token | string | Output field token |

#### Output example

```json
{"status_code":200,"response_headers":{},"reason":"ok","json_body":{"token":"b5507016-7da2-4777-a161-1e8042a6a377"}}
```

### Get tenant by ID

Get the tenant information associated with the given identifier in Halcyon using the tenantid path parameter.

- Endpoint URL: `identity/tenants/{{tenantid}}`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.tenantid | string | Required | The ID of the tenant to retrieve |

#### Input example

```json
{"path_parameters":{"tenantid":"497f6eca-6276-4993-bfeb-53cbbbba6f08"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| alias | string | Output field alias |
| idpalias | string | Unique identifier |
| managetenants | boolean | Output field managetenants |
| parentid | string | Unique identifier |
| createdat | string | Output field createdat |
| isnonenterprise | boolean | Output field isnonenterprise |
| tier | number | Output field tier |
| maximumdescendants | number | Output field maximumdescendants |

#### Output example

```json
{"status_code":200,"response_headers":{},"reason":"ok","json_body":{"id":"497f6eca-6276-4993-bfeb-53cbbbba6f08","name":"acme corp","alias":"acme prod","idpalias":"acme okta saml","managetenants":true,"parentid":"70850378-7d3c-4f45-91b7-942d4dfbbd43","createdat":"2019-08-24T14:15:22Z","isnonenterprise":true,"tier":0,"maximumdescendants":0}}
```

### Healthcheck

Reports success if the Halcyon server is healthy.

- Endpoint URL: `healthcheck`
- Method: GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |

#### Output example

```json
{"status_code":200,"response_headers":{},"reason":"ok","json_body":{"success":true}}
```

### Healthcheck Prism

Report success if the Prism proxy service in Halcyon is healthy.

- Endpoint URL: `healthcheck/prism`
- Method: GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |

#### Output example

```json
{"status_code":200,"response_headers":{},"reason":"ok","json_body":{"success":true}}
```

### List alerts

Retrieve a paginated list of alerts in Halcyon matching specified criteria. Requires headers for authentication.

- Endpoint URL: `v2/alerts`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.page | number | Optional | The page number to retrieve |
| parameters.pagesize | number | Optional | The number of items to retrieve per page |
| parameters.alertid | string | Optional | Filter to alert with alertid |
| parameters.lastseenafter | string | Optional | Datetime used to filter alerts last seen after |
| parameters.lastseenbefore | string | Optional | Datetime used to filter alerts last seen before |
| parameters.firstseenafter | string | Optional | Datetime used to filter alerts first seen after |
| parameters.firstseenbefore | string | Optional | Datetime used to filter alerts first seen before |
| parameters.type | string | Optional | Filter to alerts with type |
| parameters.action | string | Optional | Filter to alerts with action |
| parameters.countgreaterthan | number | Optional | Filter to alerts with count greater than the given value |
| parameters.countlessthan | number | Optional | Filter to alerts with count less than the given value |
| parameters.offendingsha256 | string | Optional | Filter to alerts with offendingsha256 |
| parameters.displaystatus | string | Optional | Filter to alerts with display status |
| parameters.triagestatus | string | Optional | Filter to alerts with triage status |
| parameters.sortby | string | Optional | Field to sort the results by |
| parameters.sortorder | string | Optional | Order to sort the results by |
| headers | object | Required | HTTP headers for the request |
| headers.x-tenantid | string | Required | The tenant ID to use for the request |

#### Input example

```json
{"parameters":{"page":1,"pagesize":50,"alertid":"a7b8c9d0-e1f2-4a3b-8c4d-5e6f7a8b9c0d","lastseenafter":"2025-03-01T00:00:00Z","lastseenbefore":"2025-03-23T23:59:59Z","firstseenafter":"2025-02-15T00:00:00Z","firstseenbefore":"2025-03-22T23:59:59Z","type":"badbehavior","action":"block","countgreaterthan":2,"countlessthan":100,"offendingsha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","displaystatus":"visible","triagestatus":"new","sortby":"lastseen","sortorder":"desc"},"headers":{"x-tenantid":"b7e8f9a0-1c2d-4e3f-a5b6-c7d8e9f0a1b2"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| items.id | string | Unique identifier |
| items.tenantid | string | Unique identifier |
| items.alerttype | string | Type of the resource |
| items.action | string | Output field items.action |
| items.firstoccurredat | string | Output field items.firstoccurredat |
| items.lastoccurredat | string | Output field items.lastoccurredat |
| items.totaloccurrences | number | Output field items.totaloccurrences |
| items.displaystatus | string | Status value |
| items.triagestatus | string | Status value |
| items.kind | string | Output field items.kind |
| items.summary | object | Output field items.summary |
| items.summary.artifact | object | Output field items.summary.artifact |
| items.summary.artifact.sha256 | string | Output field items.summary.artifact.sha256 |
| items.summary.artifact.filepath | string | Output field items.summary.artifact.filepath |
| items.summary.artifact.classificationtype | string | Type of the resource |
| items.summary.artifact.classificationdetails | string | Output field items.summary.artifact.classificationdetails |
| items.summary.artifact.kind | string | Output field items.summary.artifact.kind |
| items.summary.badextension | string | Output field items.summary.badextension |
| items.summary.badcommandline | string | Output field items.summary.badcommandline |
| items.summary.kind | string | Output field items.summary.kind |
| items.primaryprocess | object | Output field items.primaryprocess |
| items.primaryprocess.artifact | object | Output field items.primaryprocess.artifact |

#### Output example

```json
{"status_code":200,"response_headers":{},"reason":"ok","json_body":{"items":[{}],"pagination":{"totalitems":127,"totalpages":3,"currentpage":1,"nextpage":2,"previouspage":0}}}
```

### List all descendants

Get a paginated list of all descendant tenants across sub tiers for a specified tenant in Halcyon. Requires path parameters, headers, and JSON body.

- Endpoint URL: `v2/tenants/{{id}}/descendants`
- Method: POST

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | The ID of the tenant to list the descendants of |
| headers | object | Required | HTTP headers for the request |
| headers.x-tenantid | string | Required | The tenant ID to use for the request |
| operator | string | Optional | The operator to use for the filters |
| filters | array | Optional | The filters to apply to the descendants |
| filters.operator | string | Optional | The operator to use for the filter |
| filters.alias | string | Optional | The alias to filter by |
| pagination | object | Optional | Parameter for list all descendants |
| pagination.page | number | Optional | The page number to retrieve |
| pagination.pagesize | number | Optional | The number of items to retrieve per page |
| sorting | object | Optional | Parameter for list all descendants |
| sorting.sortby | string | Optional | Parameter for list all descendants |
| sorting.sortorder | string | Optional | Parameter for list all descendants |

#### Input example

```json
{"json_body":{"operator":"and","filters":[{"operator":"contains","alias":"string"}],"pagination":{"page":1,"pagesize":10},"sorting":{"sortby":"alias","sortorder":"asc"}},"path_parameters":{"id":"497f6eca-6276-4993-bfeb-53cbbbba6f08"},"headers":{"x-tenantid":"f97df110-f4de-492e-8849-4a6af68026b0"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| items.id | string | Unique identifier |
| items.name | string | Name of the resource |
| items.alias | string | Output field items.alias |
| items.parentid | string | Unique identifier |
| items.parentname | string | Name of the resource |
| items.parentalias | string | Output field items.parentalias |
| items.createdat | string | Output field items.createdat |
| items.tier | number | Output field items.tier |
| items.tenanttype | string | Type of the resource |
| items.assetcount | number | Count value |
| assetcounts | object | Output field assetcounts |
| assetcounts.total | number | Output field assetcounts.total |
| assetcounts.active | number | Output field assetcounts.active |
| assetcounts.inactive | number | Output field assetcounts.inactive |
| pagination | object | Output field pagination |
| pagination.totalitems | number | Output field pagination.totalitems |
| pagination.totalpages | number | Output field pagination.totalpages |
| pagination.currentpage | number | Output field pagination.currentpage |
| pagination.nextpage | number | Output field pagination.nextpage |
| pagination.previouspage | number | Output field pagination.previouspage |

#### Output example

```json
{"status_code":200,"response_headers":{},"reason":"ok","json_body":{"items":[{}],"assetcounts":{"total":827,"active":801,"inactive":26},"pagination":{"totalitems":3,"totalpages":1,"currentpage":1,"nextpage":0,"previouspage":0}}}
```

### List tenants

Retrieve a paginated list of tenants accessible to the current user in Halcyon. Use the `all` query parameter for an unpaginated list of all accessible tenants.

- Endpoint URL: `identity/tenants`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.page | number | Optional | The page number to retrieve |
| parameters.pagesize | number | Optional | The number of items to retrieve per page |
| parameters.all | boolean | Optional | Whether to retrieve all tenants |

#### Input example

```json
{"parameters":{"page":1,"pagesize":10,"all":false}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| items.id | string | Unique identifier |
| items.name | string | Name of the resource |
| items.alias | string | Output field items.alias |
| items.idpalias | string | Unique identifier |
| items.managetenants | boolean | Output field items.managetenants |
| items.parentid | string | Unique identifier |
| items.createdat | string | Output field items.createdat |
| items.isnonenterprise | boolean | Output field items.isnonenterprise |
| items.tier | number | Output field items.tier |
| pagination | object | Output field pagination |
| pagination.totalitems | number | Output field pagination.totalitems |
| pagination.totalpages | number | Output field pagination.totalpages |
| pagination.currentpage | number | Output field pagination.currentpage |
| pagination.nextpage | number | Output field pagination.nextpage |
| pagination.previouspage | number | Output field pagination.previouspage |

#### Output example

```json
{"status_code":200,"response_headers":{},"reason":"ok","json_body":{"items":[{}],"pagination":{"totalitems":47,"totalpages":5,"currentpage":1,"nextpage":2,"previouspage":0}}}
```

### Update alert

Update the alert in Halcyon matching the given alertid using specified path parameters, headers, and JSON body.

- Endpoint URL: `v2/alerts/{{alertid}}`
- Method: PUT

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.alertid | string | Required | The ID of the alert to update |
| headers | object | Required | HTTP headers for the request |
| headers.x-tenantid | string | Required | The tenant ID to use for the request |
| displaystatus | string | Optional | The display status to set for the alert |
| triagestatus | string | Optional | The triage status to set for the alert |

#### Input example

```json
{"json_body":{"displaystatus":"hidden","triagestatus":"new"},"path_parameters":{"alertid":"497f6eca-6276-4993-bfeb-53cbbbba6f08"},"headers":{"x-tenantid":"f97df110-f4de-492e-8849-4a6af68026b0"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |

#### Output example

```json
{"status_code":200,"response_headers":{},"reason":"ok","json_body":{"success":true}}
```

### Update note for alert

Update an alert's note in Halcyon by specifying the alertid, current note's version, and new text content.

- Endpoint URL: `v2/alerts/{{alertid}}/note`
- Method: PUT

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.alertid | string | Required | The ID of the alert to update the note for |
| headers | object | Required | HTTP headers for the request |
| headers.x-tenantid | string | Required | The tenant ID to use for the request |
| text | string | Optional | The text of the note to update |
| version | number | Optional | The version of the note to update |

#### Input example

```json
{"json_body":{"text":"this is a note for the alert ","version":0},"path_parameters":{"alertid":"497f6eca-6276-4993-bfeb-53cbbbba6f08"},"headers":{"x-tenantid":"f97df110-f4de-492e-8849-4a6af68026b0"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |

#### Output example

```json
{"status_code":200,"response_headers":{},"reason":"ok","json_body":{"success":true}}
```

## Response headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
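
The list alerts action returns one page at a time, so automation that triages only the first page silently misses alerts. The following is an added example, not part of the connector or of Halcyon's code: it walks every page using the `pagination` fields documented for list alerts and fails closed if any page cannot be retrieved. The `run_action` callable, the fake backend and the sample alerts are constructed for illustration, and the key spellings `status_code`, `json_body` and `x-tenantid` are assumptions.

```python
from typing import Callable, Dict, Iterator, List, Tuple

# Assumed spellings: the page's rendering dropped separators in key names.
TENANT_HEADER = "x-tenantid"
TENANT = "f97df110-f4de-492e-8849-4a6af68026b0"  # tenant ID used in the page's examples

# Constructed sample alerts, using field names from the list alerts output table.
SAMPLE_ALERTS: List[dict] = [
    {"id": f"constructed-alert-{n}", "alerttype": "badbehavior",
     "action": "block", "triagestatus": "new", "totaloccurrences": n}
    for n in range(1, 6)
]


class IncompleteListing(RuntimeError):
    """The walk could not prove that it retrieved every page."""


def iter_alerts(run_action: Callable[[dict], dict], tenant_id: str,
                filters: Dict[str, object], page_size: int = 50,
                max_pages: int = 1000) -> Iterator[dict]:
    """Yield every alert matching `filters`, following pagination.nextpage.

    `run_action` is a hypothetical stand-in for running the connector's
    list alerts action: it takes the action input and returns its output.
    """
    page, seen = 1, set()
    for _ in range(max_pages):
        out = run_action({
            "parameters": {**filters, "page": page, "pagesize": page_size},
            "headers": {TENANT_HEADER: tenant_id},
        })
        if out.get("status_code") != 200:
            # Fail closed: a partial list must not be mistaken for "no more alerts".
            raise IncompleteListing(
                f"page {page}: {out.get('status_code')} {out.get('reason')}")
        body = out.get("json_body") or {}
        pg = body.get("pagination") or {}
        if pg.get("currentpage") != page:
            raise IncompleteListing(
                f"asked for page {page}, got {pg.get('currentpage')}")
        for alert in body.get("items", []):
            if alert["id"] not in seen:  # alerts can shift pages during the walk
                seen.add(alert["id"])
                yield alert
        nxt = pg.get("nextpage") or 0
        # The page's last-page example reports nextpage 0.
        if nxt == 0 or page >= pg.get("totalpages", page):
            return
        if nxt <= page:
            raise IncompleteListing(f"nextpage {nxt} does not advance past {page}")
        page = nxt
    raise IncompleteListing(f"stopped after {max_pages} pages")


def make_fake_backend(alerts: List[dict], fail_on_page: int = 0
                      ) -> Tuple[Callable[[dict], dict], List[dict]]:
    """Constructed offline backend that pages `alerts` like the documented output."""
    calls: List[dict] = []

    def run_action(action_input: dict) -> dict:
        calls.append(action_input)
        page = action_input["parameters"]["page"]
        size = action_input["parameters"]["pagesize"]
        if page == fail_on_page:
            return {"status_code": 503, "reason": "service unavailable",
                    "response_headers": {}, "json_body": {}}
        total_pages = max(1, -(-len(alerts) // size))  # ceiling division
        return {"status_code": 200, "reason": "ok", "response_headers": {},
                "json_body": {
                    "items": alerts[(page - 1) * size: page * size],
                    "pagination": {
                        "totalitems": len(alerts), "totalpages": total_pages,
                        "currentpage": page,
                        "nextpage": page + 1 if page < total_pages else 0,
                        "previouspage": page - 1}}}

    return run_action, calls


if __name__ == "__main__":
    run, calls = make_fake_backend(SAMPLE_ALERTS)
    found = list(iter_alerts(run, TENANT, {"triagestatus": "new"}, page_size=2))
    print(f"{len(found)} alerts in {len(calls)} requests")
```

The same loop applies to list tenants and get installer info v2, which document the same `pagination` object; list all descendants takes `page` and `pagesize` inside the JSON body instead.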