CrowdStrike Container Security Integration Guide

Overview

The CrowdStrike Container Security integration allows your NINA workflows to connect with CrowdStrike Falcon platform for container runtime protection, image scanning, and kubernetes security. This integration enables automated security operations, threat detection, and incident response directly from your automation platform.

Capabilities

This integration provides access to 14 resources with 144 operations covering:

• Container Alerts: Operations for Container Alerts
• Container Detections: Operations for Container Detections
• Container Image Compliance: Operations for Container Image Compliance
• Container Images: Operations for Container Images
• Container Packages: Operations for Container Packages
• Container Vulnerabilities: Operations for Container Vulnerabilities
• Falcon Container: Operations for Falcon Container
• Falcon Container Cli: Operations for Falcon Container Cli
• Falcon Container Image: Operations for Falcon Container Image
• Kubernetes Container Compliance: Operations for Kubernetes Container Compliance
• Kubernetes Protection: Operations for Kubernetes Protection
• Runtime Detections: Operations for Runtime Detections
• Serverless Vulnerabilities: Operations for Serverless Vulnerabilities
• Unidentified Containers: Operations for Unidentified Containers

Credential Configuration

Before using the CrowdStrike Container Security integration in your workflows, you need to configure credentials for authentication.

Authentication Method

CrowdStrike Falcon uses OAuth2 Client Credentials authentication. This is a server-to-server authentication flow where you provide a Client ID and Client Secret, and the integration automatically handles token acquisition and refresh.

Field	Description	Required
Client ID	Your CrowdStrike API Client ID	Yes
Client Secret	Your CrowdStrike API Client Secret	Yes
Base URL	CrowdStrike API endpoint for your cloud region	Yes

How It Works

1. You provide the Client ID and Client Secret when creating a credential
2. The integration exchanges these for an OAuth2 access token automatically
3. Tokens are refreshed automatically when they expire
4. No redirect URLs or user interaction required

CrowdStrike Cloud Regions

Select the Base URL that matches your CrowdStrike Falcon cloud region:

Cloud Region	Base URL	Description
US-1	https://api.crowdstrike.com	United States (default)
US-2	https://api.us-2.crowdstrike.com	United States (secondary)
EU-1	https://api.eu-1.crowdstrike.com	European Union
US-GOV-1	https://api.laggar.gcw.crowdstrike.com	US Government Cloud

How to Obtain API Credentials

1. Log in to the CrowdStrike Falcon Console
2. Navigate to Support and resources > API Clients and Keys
3. Click Add new API client
4. Configure the API client:
   • Client Name: A descriptive name (e.g., "NINA Integration")
   • Description: Purpose of this API client
   • API Scopes: Select the permissions required for your use case (see Required Scopes below)
5. Click Add to create the client
6. Copy and securely store the Client ID and Client Secret immediately

Important: The Client Secret is only displayed once at creation time. If you lose it, you must create a new API client.

Required API Scopes

The API scopes required depend on which operations you plan to use. Common scopes include:

Scope	Permission	Use Case
Detections	Read/Write	View and manage detections
Hosts	Read/Write	Query and manage endpoints
Incidents	Read/Write	View and manage incidents
IOCs	Read/Write	Manage indicators of compromise
Prevention Policies	Read/Write	Manage prevention policies
Real Time Response	Read/Write	Execute RTR commands
Sensor Update Policies	Read/Write	Manage sensor updates

Refer to the CrowdStrike API documentation for a complete list of available scopes.

Creating a CrowdStrike Credential in NINA

1. Navigate to the Credentials section in NINA
2. Click Add New Credential
3. Fill in the credential details:
   • Integration Service: Select "CrowdStrike Container Security"
   • Client ID: Paste your CrowdStrike API Client ID
   • Client Secret: Paste your CrowdStrike API Client Secret
   • Base URL: Select your CrowdStrike cloud region URL
4. Click Test Connection to verify the credentials work
5. Click Save to store the credential securely

Note: All CrowdStrike integrations (EDR, Intel, Platform, etc.) share the same credential. You only need to create one credential to use across all CrowdStrike modules.

Supported Resources

Resource	Description	Operations
Container Alerts	Operations for Container Alerts	3
Container Detections	Operations for Container Detections	6
Container Image Compliance	Operations for Container Image Compliance	11
Container Images	Operations for Container Images	13
Container Packages	Operations for Container Packages	7
Container Vulnerabilities	Operations for Container Vulnerabilities	10
Falcon Container	Operations for Falcon Container	1
Falcon Container Cli	Operations for Falcon Container Cli	1
Falcon Container Image	Operations for Falcon Container Image	14
Kubernetes Container Compliance	Operations for Kubernetes Container Compliance	10
Kubernetes Protection	Operations for Kubernetes Protection	63
Runtime Detections	Operations for Runtime Detections	1
Serverless Vulnerabilities	Operations for Serverless Vulnerabilities	1
Unidentified Containers	Operations for Unidentified Containers	3

Resource Details

Container Alerts

Operations for Container Alerts

Operations

Operation	Name	Description
read_container_alerts_count	Read Container Alerts Count	SDK: container_alerts.ReadContainerAlertsCount
read_container_alerts_count_by_severity	Read Container Alerts Count By Severity	SDK: container_alerts.ReadContainerAlertsCountBySeverity
search_and_read_container_alerts	Search And Read Container Alerts	SDK: container_alerts.SearchAndReadContainerAlerts

Read Container Alerts Count

SDK: container_alerts.ReadContainerAlertsCount

Parameters:

Name	Type	Required	Description
filter	string	No	Search Container Alerts using a query in Falcon Query Language (FQL). Supported filter fields: - ...

Example:

{
  "filter": "<filter>"
}

Read Container Alerts Count By Severity

SDK: container_alerts.ReadContainerAlertsCountBySeverity

Parameters:

Name	Type	Required	Description
filter	string	No	Search Container Alerts using a query in Falcon Query Language (FQL). Supported filter fields: - ...

Example:

{
  "filter": "<filter>"
}

Search And Read Container Alerts

SDK: container_alerts.SearchAndReadContainerAlerts

Parameters:

Name	Type	Required	Description
filter	string	No	Search Container Alerts using a query in Falcon Query Language (FQL). Supported filter fields: - ...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	The fields to sort the records on.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Container Detections

Operations for Container Detections

Operations

Operation	Name	Description
read_combined_detections	Read Combined Detections	SDK: container_detections.ReadCombinedDetections
read_detections	Read Detections	SDK: container_detections.ReadDetections
read_detections_count	Read Detections Count	SDK: container_detections.ReadDetectionsCount
read_detections_count_by_severity	Read Detections Count By Severity	SDK: container_detections.ReadDetectionsCountBySeverity
read_detections_count_by_type	Read Detections Count By Type	SDK: container_detections.ReadDetectionsCountByType
search_detections	Search Detections	SDK: container_detections.SearchDetections

Read Combined Detections

SDK: container_detections.ReadCombinedDetections

Parameters:

Name	Type	Required	Description
filter	string	No	Filter images detections using a query in Falcon Query Language (FQL). Supported filter fields: -...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	The fields to sort the records on. Supported columns: - containers_impacted - detection_name ...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Read Detections

SDK: container_detections.ReadDetections

Parameters:

Name	Type	Required	Description
filter	string	No	Filter images detections using a query in Falcon Query Language (FQL). Supported filter fields: -...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Read Detections Count

SDK: container_detections.ReadDetectionsCount

Parameters:

Name	Type	Required	Description
filter	string	No	Filter images detections using a query in Falcon Query Language (FQL). Supported filter fields: -...

Example:

{
  "filter": "<filter>"
}

Read Detections Count By Severity

SDK: container_detections.ReadDetectionsCountBySeverity

Parameters:

Name	Type	Required	Description
filter	string	No	Filter images detections using a query in Falcon Query Language (FQL). Supported filter fields: -...

Example:

{
  "filter": "<filter>"
}

Read Detections Count By Type

SDK: container_detections.ReadDetectionsCountByType

Parameters:

Name	Type	Required	Description
filter	string	No	Filter images detections using a query in Falcon Query Language (FQL). Supported filter fields: -...

Example:

{
  "filter": "<filter>"
}

Search Detections

SDK: container_detections.SearchDetections

Parameters:

Name	Type	Required	Description
filter	string	No	Filter images detections using a query in Falcon Query Language (FQL). Supported filter fields: -...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Container Image Compliance

Operations for Container Image Compliance

Operations

Operation	Name	Description
ext_aggregate_cluster_assessments	Ext Aggregate Cluster Assessments	SDK: container_image_compliance.ExtAggregateClusterAssessments
ext_aggregate_failed_containers_by_rules_path	Ext Aggregate Failed Containers By Rules Path	SDK: container_image_compliance.ExtAggregateFailedContainersByRulesPath
ext_aggregate_failed_containers_count_by_severity	Ext Aggregate Failed Containers Count By Severity	SDK: container_image_compliance.ExtAggregateFailedContainersCountBySeverity
ext_aggregate_failed_images_by_rules_path	Ext Aggregate Failed Images By Rules Path	SDK: container_image_compliance.ExtAggregateFailedImagesByRulesPath
ext_aggregate_failed_images_count_by_severity	Ext Aggregate Failed Images Count By Severity	SDK: container_image_compliance.ExtAggregateFailedImagesCountBySeverity
ext_aggregate_failed_rules_by_clusters	Ext Aggregate Failed Rules By Clusters	SDK: container_image_compliance.ExtAggregateFailedRulesByClusters
ext_aggregate_failed_rules_by_images	Ext Aggregate Failed Rules By Images	SDK: container_image_compliance.ExtAggregateFailedRulesByImages
ext_aggregate_failed_rules_count_by_severity	Ext Aggregate Failed Rules Count By Severity	SDK: container_image_compliance.ExtAggregateFailedRulesCountBySeverity
ext_aggregate_image_assessments	Ext Aggregate Image Assessments	SDK: container_image_compliance.ExtAggregateImageAssessments
ext_aggregate_rules_assessments	Ext Aggregate Rules Assessments	SDK: container_image_compliance.ExtAggregateRulesAssessments
ext_aggregate_rules_by_status	Ext Aggregate Rules By Status	SDK: container_image_compliance.ExtAggregateRulesByStatus

Ext Aggregate Cluster Assessments

SDK: container_image_compliance.ExtAggregateClusterAssessments

Parameters:

Name	Type	Required	Description
filter	string	No	Filter results using a query in Falcon Query Language (FQL). Supported Filters: compliance_findin...

Example:

{
  "filter": "<filter>"
}

Ext Aggregate Failed Containers By Rules Path

SDK: container_image_compliance.ExtAggregateFailedContainersByRulesPath

Parameters:

Name	Type	Required	Description
filter	string	No	Filter results using a query in Falcon Query Language (FQL). Supported Filters: compliance_findin...

Example:

{
  "filter": "<filter>"
}

Ext Aggregate Failed Containers Count By Severity

SDK: container_image_compliance.ExtAggregateFailedContainersCountBySeverity

Parameters:

Name	Type	Required	Description
filter	string	No	Filter results using a query in Falcon Query Language (FQL). Supported Filters: cloud_info.cloud_...

Example:

{
  "filter": "<filter>"
}

Ext Aggregate Failed Images By Rules Path

SDK: container_image_compliance.ExtAggregateFailedImagesByRulesPath

Parameters:

Name	Type	Required	Description
filter	string	No	Filter results using a query in Falcon Query Language (FQL). Supported Filters: cloud_info.cloud_...

Example:

{
  "filter": "<filter>"
}

Ext Aggregate Failed Images Count By Severity

SDK: container_image_compliance.ExtAggregateFailedImagesCountBySeverity

Parameters:

Name	Type	Required	Description
filter	string	No	Filter results using a query in Falcon Query Language (FQL). Supported Filters: cloud_info.cluste...

Example:

{
  "filter": "<filter>"
}

Ext Aggregate Failed Rules By Clusters

SDK: container_image_compliance.ExtAggregateFailedRulesByClusters

Parameters:

Name	Type	Required	Description
filter	string	No	Filter results using a query in Falcon Query Language (FQL). Supported Filters: cloud_info.cloud_...

Example:

{
  "filter": "<filter>"
}

Ext Aggregate Failed Rules By Images

SDK: container_image_compliance.ExtAggregateFailedRulesByImages

Parameters:

Name	Type	Required	Description
filter	string	No	Filter results using a query in Falcon Query Language (FQL). Supported Filters: image_registry: I...

Example:

{
  "filter": "<filter>"
}

Ext Aggregate Failed Rules Count By Severity

SDK: container_image_compliance.ExtAggregateFailedRulesCountBySeverity

Parameters:

Name	Type	Required	Description
filter	string	No	Filter results using a query in Falcon Query Language (FQL). Supported Filters: cloud_info.cloud_...

Example:

{
  "filter": "<filter>"
}

Ext Aggregate Image Assessments

SDK: container_image_compliance.ExtAggregateImageAssessments

Parameters:

Name	Type	Required	Description
after	string	No	'after' value from the last response. Keep it empty for the first request.
filter	string	No	Filter results using a query in Falcon Query Language (FQL). Supported Filters: image_digest: Ima...
limit	string	No	number of images to return in the response after 'after' key. Keep it empty for the default numbe...

Example:

{
  "after": "<after>",
  "filter": "<filter>",
  "limit": "<limit>"
}

Ext Aggregate Rules Assessments

SDK: container_image_compliance.ExtAggregateRulesAssessments

Parameters:

Name	Type	Required	Description
filter	string	No	Filter results using a query in Falcon Query Language (FQL). Supported Filters: cloud_info.cloud_...

Example:

{
  "filter": "<filter>"
}

Ext Aggregate Rules By Status

SDK: container_image_compliance.ExtAggregateRulesByStatus

Parameters:

Name	Type	Required	Description
filter	string	No	Filter results using a query in Falcon Query Language (FQL). Supported Filters: image_registry: I...

Example:

{
  "filter": "<filter>"
}

Container Images

Operations for Container Images

Operations

Operation	Name	Description
aggregate_image_assessment_history	Aggregate Image Assessment History	SDK: container_images.AggregateImageAssessmentHistory
aggregate_image_count	Aggregate Image Count	SDK: container_images.AggregateImageCount
aggregate_image_count_by_base_os	Aggregate Image Count By Base Os	SDK: container_images.AggregateImageCountByBaseOS
aggregate_image_count_by_state	Aggregate Image Count By State	SDK: container_images.AggregateImageCountByState
combined_base_images	Combined Base Images	SDK: container_images.CombinedBaseImages
combined_image_by_vulnerability_count	Combined Image By Vulnerability Count	SDK: container_images.CombinedImageByVulnerabilityCount
combined_image_detail	Combined Image Detail	SDK: container_images.CombinedImageDetail
combined_image_issues_summary	Combined Image Issues Summary	SDK: container_images.CombinedImageIssuesSummary
combined_image_vulnerability_summary	Combined Image Vulnerability Summary	SDK: container_images.CombinedImageVulnerabilitySummary
create_base_images_entities	Create Base Images Entities	SDK: container_images.CreateBaseImagesEntities
delete_base_images	Delete Base Images	SDK: container_images.DeleteBaseImages
get_combined_images	Get Combined Images	SDK: container_images.GetCombinedImages
read_combined_images_export	Read Combined Images Export	SDK: container_images.ReadCombinedImagesExport

Aggregate Image Assessment History

SDK: container_images.AggregateImageAssessmentHistory

Parameters:

Name	Type	Required	Description
filter	string	No	Filter using a query in Falcon Query Language (FQL). Supported filter fields: - cid - `registry...

Example:

{
  "filter": "<filter>"
}

Aggregate Image Count

SDK: container_images.AggregateImageCount

Parameters:

Name	Type	Required	Description
filter	string	No	- cps_rating - crowdstrike_user - cve_id - detection_count - detection_name - `detectio...

Example:

{
  "filter": "<filter>"
}

Aggregate Image Count By Base Os

SDK: container_images.AggregateImageCountByBaseOS

Parameters:

Name	Type	Required	Description
filter	string	No	Filter images using a query in Falcon Query Language (FQL). Supported filter fields: - arch - `...

Example:

{
  "filter": "<filter>"
}

Aggregate Image Count By State

SDK: container_images.AggregateImageCountByState

Parameters:

Name	Type	Required	Description
filter	string	No	Filter images using a query in Falcon Query Language (FQL). Supported filter fields: - arch - `...

Example:

{
  "filter": "<filter>"
}

Combined Base Images

SDK: container_images.CombinedBaseImages

Parameters:

Name	Type	Required	Description
filter	string	No	Search base images using a query in Falcon Query Language (FQL). Supported filter fields: - `imag...

Example:

{
  "filter": "<filter>"
}

Combined Image By Vulnerability Count

SDK: container_images.CombinedImageByVulnerabilityCount

Parameters:

Name	Type	Required	Description
filter	string	No	Filter images using a query in Falcon Query Language (FQL). Supported filter fields: - arch - `...
limit	number	No	The upper-bound on the number of records to retrieve.
offset	number	No	The fields to sort the records on. Not supported.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Combined Image Detail

SDK: container_images.CombinedImageDetail

Parameters:

Name	Type	Required	Description
filter	string	No	Filter images using a query in Falcon Query Language (FQL). Supported filter fields: - arch - `...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	The fields to sort the records on.
with_config	boolean	No	(true/false) include image config, default is false

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>",
  "with_config": true
}

Combined Image Issues Summary

SDK: container_images.CombinedImageIssuesSummary

Parameters:

Name	Type	Required	Description
cid	string	No	CS Customer ID
image_digest	string	No	Digest ID
include_base_image_vuln	boolean	No	Include base image vulnerabilities.
registry	string	No	Registry. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
repository	string	No	Repository name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
tag	string	No	Tag name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "cid": "<cid>",
  "image_digest": "<image_digest>",
  "include_base_image_vuln": true,
  "registry": "<registry>",
  "repository": "<repository>",
  "tag": "<tag>"
}

Combined Image Vulnerability Summary

SDK: container_images.CombinedImageVulnerabilitySummary

Parameters:

Name	Type	Required	Description
cid	string	No	CS Customer ID
image_digest	string	No	Digest ID
include_base_image_vuln	boolean	No	Include base image vulnerabilities.
registry	string	No	Registry. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
repository	string	No	Repository name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
tag	string	No	Tag name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "cid": "<cid>",
  "image_digest": "<image_digest>",
  "include_base_image_vuln": true,
  "registry": "<registry>",
  "repository": "<repository>",
  "tag": "<tag>"
}

Create Base Images Entities

SDK: container_images.CreateBaseImagesEntities

Parameters:

Name	Type	Required	Description
base_images	object	Yes	base images. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "base_images": {}
}

Delete Base Images

SDK: container_images.DeleteBaseImages

Parameters:

Name	Type	Required	Description
ids	array	No	BaseImageIDs

Example:

{
  "ids": ["<ids>"]
}

Get Combined Images

SDK: container_images.GetCombinedImages

Parameters:

Name	Type	Required	Description
filter	string	No	Filter images using a query in Falcon Query Language (FQL). Supported filter fields: - `ai_relate...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	The fields to sort the records on. Supported columns: - first_seen - `highest_detection_severit...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Read Combined Images Export

SDK: container_images.ReadCombinedImagesExport

Parameters:

Name	Type	Required	Description
expand_detections	boolean	No	Expand detections details
expand_vulnerabilities	boolean	No	Expand vulnerabilities details
filter	string	No	- cps_rating - crowdstrike_user - cve_id - detection_count - detection_name - `detectio...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	- base_os - cid - detections - firstScanned - first_seen - highest_cps_current_rating...

Example:

{
  "expand_detections": true,
  "expand_vulnerabilities": true,
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Container Packages

Operations for Container Packages

Operations

Operation	Name	Description
read_packages_by_fixable_vuln_count	Read Packages By Fixable Vuln Count	SDK: container_packages.ReadPackagesByFixableVulnCount
read_packages_by_image_count	Read Packages By Image Count	SDK: container_packages.ReadPackagesByImageCount
read_packages_by_vuln_count	Read Packages By Vuln Count	SDK: container_packages.ReadPackagesByVulnCount
read_packages_combined	Read Packages Combined	SDK: container_packages.ReadPackagesCombined
read_packages_combined_export	Read Packages Combined Export	SDK: container_packages.ReadPackagesCombinedExport
read_packages_combined_v2	Read Packages Combined V2	SDK: container_packages.ReadPackagesCombinedV2
read_packages_count_by_zero_day	Read Packages Count By Zero Day	SDK: container_packages.ReadPackagesCountByZeroDay

Read Packages By Fixable Vuln Count

SDK: container_packages.ReadPackagesByFixableVulnCount

Parameters:

Name	Type	Required	Description
filter	string	No	Filter packages using a query in Falcon Query Language (FQL). Supported filter fields: - `ai_rela...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Read Packages By Image Count

SDK: container_packages.ReadPackagesByImageCount

Parameters:

Name	Type	Required	Description
filter	string	No	Filter packages using a query in Falcon Query Language (FQL). Supported filter fields: - `ai_rela...
limit	number	No	Maximum number of package results to return Default: 5

Example:

{
  "filter": "<filter>",
  "limit": 10
}

Read Packages By Vuln Count

SDK: container_packages.ReadPackagesByVulnCount

Parameters:

Name	Type	Required	Description
filter	string	No	Filter packages using a query in Falcon Query Language (FQL). Supported filter fields: - `ai_rela...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Read Packages Combined

SDK: container_packages.ReadPackagesCombined

Parameters:

Name	Type	Required	Description
filter	string	No	Filter packages using a query in Falcon Query Language (FQL). Supported filter fields: - `ai_rela...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
only_zero_day_affected	boolean	No	(true/false) load zero day affected packages
sort	string	No	The fields to sort the records on. Supported columns: - license - package_name_version - `typ...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "only_zero_day_affected": true,
  "sort": "<sort>"
}

Read Packages Combined Export

SDK: container_packages.ReadPackagesCombinedExport

Parameters:

Name	Type	Required	Description
filter	string	No	Filter packages using a query in Falcon Query Language (FQL). Supported filter fields: - `ai_rela...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
only_zero_day_affected	boolean	No	(true/false) load zero day affected packages
sort	string	No	The fields to sort the records on. Supported columns: - license - package_name_version - `typ...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "only_zero_day_affected": true,
  "sort": "<sort>"
}

Read Packages Combined V2

SDK: container_packages.ReadPackagesCombinedV2

Parameters:

Name	Type	Required	Description
filter	string	No	Filter packages using a query in Falcon Query Language (FQL). Supported filter fields: - `ai_rela...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
only_zero_day_affected	boolean	No	(true/false) load zero day affected packages
sort	string	No	The fields to sort the records on. Supported columns: - license - package_name_version - `typ...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "only_zero_day_affected": true,
  "sort": "<sort>"
}

Read Packages Count By Zero Day

SDK: container_packages.ReadPackagesCountByZeroDay

Parameters:

Name	Type	Required	Description
filter	string	No	Filter packages using a query in Falcon Query Language (FQL). Supported filter fields: - cid

Example:

{
  "filter": "<filter>"
}

Container Vulnerabilities

Operations for Container Vulnerabilities

Operations

Operation	Name	Description
read_combined_vulnerabilities	Read Combined Vulnerabilities	SDK: container_vulnerabilities.ReadCombinedVulnerabilities
read_combined_vulnerabilities_details	Read Combined Vulnerabilities Details	SDK: container_vulnerabilities.ReadCombinedVulnerabilitiesDetails
read_combined_vulnerabilities_info	Read Combined Vulnerabilities Info	SDK: container_vulnerabilities.ReadCombinedVulnerabilitiesInfo
read_vulnerabilities_by_image_count	Read Vulnerabilities By Image Count	SDK: container_vulnerabilities.ReadVulnerabilitiesByImageCount
read_vulnerabilities_publication_date	Read Vulnerabilities Publication Date	SDK: container_vulnerabilities.ReadVulnerabilitiesPublicationDate
read_vulnerability_count	Read Vulnerability Count	SDK: container_vulnerabilities.ReadVulnerabilityCount
read_vulnerability_count_by_actively_exploited	Read Vulnerability Count By Actively Exploited	SDK: container_vulnerabilities.ReadVulnerabilityCountByActivelyExploited
read_vulnerability_count_by_cpsrating	Read Vulnerability Count By Cpsrating	SDK: container_vulnerabilities.ReadVulnerabilityCountByCPSRating
read_vulnerability_count_by_cvssscore	Read Vulnerability Count By Cvssscore	SDK: container_vulnerabilities.ReadVulnerabilityCountByCVSSScore
read_vulnerability_count_by_severity	Read Vulnerability Count By Severity	SDK: container_vulnerabilities.ReadVulnerabilityCountBySeverity

Read Combined Vulnerabilities

SDK: container_vulnerabilities.ReadCombinedVulnerabilities

Parameters:

Name	Type	Required	Description
filter	string	No	- container_running_status - containers_impacted_range - cps_rating - cve_id - `cvss_scor...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	The fields to sort the records on. Supported columns: - cps_current_rating - cve_id - `cvss_s...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Read Combined Vulnerabilities Details

SDK: container_vulnerabilities.ReadCombinedVulnerabilitiesDetails

Parameters:

Name	Type	Required	Description
filter	string	No	Filter the vulnerabilities using a query in Falcon Query Language (FQL). Supported vulnerability ...
id	string	No	Image UUID
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 5000. Default: 5000
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.

Example:

{
  "filter": "<filter>",
  "id": "<id>",
  "limit": 10,
  "offset": 10
}

Read Combined Vulnerabilities Info

SDK: container_vulnerabilities.ReadCombinedVulnerabilitiesInfo

Parameters:

Name	Type	Required	Description
cve_id	string	No	Vulnerability CVE ID
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.

Example:

{
  "cve_id": "<cve_id>",
  "limit": 10,
  "offset": 10
}

Read Vulnerabilities By Image Count

SDK: container_vulnerabilities.ReadVulnerabilitiesByImageCount

Parameters:

Name	Type	Required	Description
filter	string	No	Filter vulnerabilities using a query in Falcon Query Language (FQL). Supported filter fields: - `...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Read Vulnerabilities Publication Date

SDK: container_vulnerabilities.ReadVulnerabilitiesPublicationDate

Parameters:

Name	Type	Required	Description
filter	string	No	Filter vulnerabilities using a query in Falcon Query Language (FQL). Supported filter fields: - `...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Read Vulnerability Count

SDK: container_vulnerabilities.ReadVulnerabilityCount

Parameters:

Name	Type	Required	Description
filter	string	No	- container_running_status - containers_impacted_range - cps_rating - cve_id - `cvss_scor...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Read Vulnerability Count By Actively Exploited

SDK: container_vulnerabilities.ReadVulnerabilityCountByActivelyExploited

Parameters:

Name	Type	Required	Description
filter	string	No	- container_running_status - containers_impacted_range - cps_rating - cve_id - `cvss_scor...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Read Vulnerability Count By Cpsrating

SDK: container_vulnerabilities.ReadVulnerabilityCountByCPSRating

Parameters:

Name	Type	Required	Description
filter	string	No	- container_running_status - containers_impacted_range - cps_rating - cve_id - `cvss_scor...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Read Vulnerability Count By Cvssscore

SDK: container_vulnerabilities.ReadVulnerabilityCountByCVSSScore

Parameters:

Name	Type	Required	Description
filter	string	No	- container_running_status - containers_impacted_range - cps_rating - cve_id - `cvss_scor...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Read Vulnerability Count By Severity

SDK: container_vulnerabilities.ReadVulnerabilityCountBySeverity

Parameters:

Name	Type	Required	Description
filter	string	No	- container_running_status - containers_impacted_range - cps_rating - cve_id - `cvss_scor...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Falcon Container

Operations for Falcon Container

Operations

Operation	Name	Description
get_credentials	Get Credentials	SDK: falcon_container.GetCredentials

Get Credentials

SDK: falcon_container.GetCredentials

This operation has no parameters.

Example:

{
}

Falcon Container Cli

Operations for Falcon Container Cli

Operations

Operation	Name	Description
read_image_vulnerabilities	Read Image Vulnerabilities	SDK: falcon_container_cli.ReadImageVulnerabilities

Read Image Vulnerabilities

SDK: falcon_container_cli.ReadImageVulnerabilities

Parameters:

Name	Type	Required	Description
applicationPackages	object	Yes	application packages
osversion	string	Yes	osversion. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
packages	object	Yes	packages. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "applicationPackages": {},
  "osversion": "<osversion>",
  "packages": {}
}

Falcon Container Image

Operations for Falcon Container Image

Operations

Operation	Name	Description
create_registry_entities	Create Registry Entities	SDK: falcon_container_image.CreateRegistryEntities
delete_registry_entities	Delete Registry Entities	SDK: falcon_container_image.DeleteRegistryEntities
download_export_file	Download Export File	SDK: falcon_container_image.DownloadExportFile
get_report_by_reference	Get Report By Reference	SDK: falcon_container_image.GetReportByReference
get_report_by_scan_id	Get Report By Scan Id	SDK: falcon_container_image.GetReportByScanID
head_image_scan_inventory	Head Image Scan Inventory	SDK: falcon_container_image.HeadImageScanInventory
launch_export_job	Launch Export Job	SDK: falcon_container_image.LaunchExportJob
list_export_jobs	List Export Jobs	SDK: falcon_container_image.QueryExportJobs
policy_checks	Policy Checks	SDK: falcon_container_image.PolicyChecks
post_image_scan_inventory	Post Image Scan Inventory	SDK: falcon_container_image.PostImageScanInventory
read_export_jobs	Read Export Jobs	SDK: falcon_container_image.ReadExportJobs
read_registry_entities	Read Registry Entities	SDK: falcon_container_image.ReadRegistryEntities
read_registry_entities_by_uuid	Read Registry Entities By Uuid	SDK: falcon_container_image.ReadRegistryEntitiesByUUID
update_registry_entities	Update Registry Entities	SDK: falcon_container_image.UpdateRegistryEntities

Create Registry Entities

SDK: falcon_container_image.CreateRegistryEntities

Parameters:

Name	Type	Required	Description
credential	object	Yes	credential. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
type	string	Yes	type. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
url	string	Yes	url. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
url_uniqueness_key	string	No	url uniqueness key. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/ope...
user_defined_alias	string	No	user defined alias. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/ope...

Example:

{
  "credential": {},
  "type": "<type>",
  "url": "<url>",
  "url_uniqueness_key": "<url_uniqueness_key>",
  "user_defined_alias": "<user_defined_alias>"
}

Delete Registry Entities

SDK: falcon_container_image.DeleteRegistryEntities

Parameters:

Name	Type	Required	Description
ids	string	No	Registry entity UUID

Example:

{
  "ids": "<ids>"
}

Download Export File

SDK: falcon_container_image.DownloadExportFile

Parameters:

Name	Type	Required	Description
id	string	No	Export job ID.

Example:

{
  "id": "<id>"
}

Get Report By Reference

SDK: falcon_container_image.GetReportByReference

Parameters:

Name	Type	Required	Description
digest	string	No	Digest. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
image_id	string	No	Image ID. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
registry	string	No	Registry. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
report_format	string	No	Specify image-assessment scan report format. Supported formats: - cyclonedx-json - json - `sa...
repository	string	No	Repository. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
tag	string	No	Tag. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "digest": "<digest>",
  "image_id": "<image_id>",
  "registry": "<registry>",
  "report_format": "<report_format>",
  "repository": "<repository>",
  "tag": "<tag>"
}

Get Report By Scan Id

SDK: falcon_container_image.GetReportByScanID

Parameters:

Name	Type	Required	Description
report_format	string	No	Specify image-assessment scan report format. Supported formats: - cyclonedx-json - json - `sa...
uuid	string	No	Scan UUID

Example:

{
  "report_format": "<report_format>",
  "uuid": "<uuid>"
}

Head Image Scan Inventory

SDK: falcon_container_image.HeadImageScanInventory

This operation has no parameters.

Example:

{
}

Launch Export Job

SDK: falcon_container_image.LaunchExportJob

Parameters:

Name	Type	Required	Description
format	string	Yes	Format of the export file. One of: csv, json
fql	string	No	Falcon Query Language string to filter documents
resource	string	Yes	Resource to export. Refer to API docs for the possible values
sort	string	Yes	Sort value to apply to documents. Note: not all resources support sorting

Example:

{
  "format": "<format>",
  "fql": "<fql>",
  "resource": "<resource>",
  "sort": "<sort>"
}

List Export Jobs

SDK: falcon_container_image.QueryExportJobs

Parameters:

Name	Type	Required	Description
filter	string	No	Filter exports using a query in Falcon Query Language (FQL). Only the last 100 jobs are returned....

Example:

{
  "filter": "<filter>"
}

Policy Checks

SDK: falcon_container_image.PolicyChecks

Parameters:

Name	Type	Required	Description
registry	string	No	Registry. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
repository	string	No	Repository. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
tag	string	No	Tag. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "registry": "<registry>",
  "repository": "<repository>",
  "tag": "<tag>"
}

Post Image Scan Inventory

SDK: falcon_container_image.PostImageScanInventory

Parameters:

Name	Type	Required	Description
agent_uuid	string	Yes	agent uuid. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
agent_version	string	Yes	agent version. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
agent_version_hash	string	Yes	agent version hash. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/ope...
cluster_id	string	Yes	cluster id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
cluster_name	string	Yes	cluster name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
container_id	string	No	container id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
ephemeral_scan	boolean	No	ephemeral scan. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
helm_version	string	Yes	helm version. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
high_entropy_strings	object	Yes	high entropy strings
host_ip	string	Yes	host ip. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
host_name	string	Yes	host name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
inventory	object	Yes	inventory. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
original_image_name	string	Yes	original image name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/op...
pod_id	string	No	pod id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
pod_name	string	No	pod name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
pod_namespace	string	No	pod namespace. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
runmode	string	Yes	runmode. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
runtime_type	string	No	runtime type. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
scan_request	object	Yes	scan request. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "agent_uuid": "<agent_uuid>",
  "agent_version": "<agent_version>",
  "agent_version_hash": "<agent_version_hash>",
  "cluster_id": "<cluster_id>",
  "cluster_name": "<cluster_name>",
  "container_id": "<container_id>",
  "ephemeral_scan": true,
  "helm_version": "<helm_version>",
  "high_entropy_strings": {},
  "host_ip": "<host_ip>",
  "host_name": "<host_name>",
  "inventory": {},
  "original_image_name": "<original_image_name>",
  "pod_id": "<pod_id>",
  "pod_name": "<pod_name>",
  "pod_namespace": "<pod_namespace>",
  "runmode": "<runmode>",
  "runtime_type": "<runtime_type>",
  "scan_request": {}
}

Read Export Jobs

SDK: falcon_container_image.ReadExportJobs

Parameters:

Name	Type	Required	Description
ids	array	No	Export Job IDs to read. Allowed up to 100 IDs per request.

Example:

{
  "ids": ["<ids>"]
}

Read Registry Entities

SDK: falcon_container_image.ReadRegistryEntities

Parameters:

Name	Type	Required	Description
limit	number	No	The upper-bound on the number of records to retrieve.
offset	number	No	The offset from where to begin.
sort	string	No	The fields to sort the records on.

Example:

{
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Read Registry Entities By Uuid

SDK: falcon_container_image.ReadRegistryEntitiesByUUID

Parameters:

Name	Type	Required	Description
ids	string	No	Registry entity UUID

Example:

{
  "ids": "<ids>"
}

Update Registry Entities

SDK: falcon_container_image.UpdateRegistryEntities

Parameters:

Name	Type	Required	Description
credential	object	Yes	credential. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
state	string	No	state. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
user_defined_alias	string	No	user defined alias. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/ope...

Example:

{
  "credential": {},
  "state": "<state>",
  "user_defined_alias": "<user_defined_alias>"
}

Kubernetes Container Compliance

Operations for Kubernetes Container Compliance

Operations

Operation	Name	Description
aggregate_assessments_grouped_by_clusters_v2	Aggregate Assessments Grouped By Clusters V2	SDK: kubernetes_container_compliance.AggregateAssessmentsGroupedByClustersV2
aggregate_assessments_grouped_by_rules_v2	Aggregate Assessments Grouped By Rules V2	SDK: kubernetes_container_compliance.AggregateAssessmentsGroupedByRulesV2
aggregate_compliance_by_asset_type	Aggregate Compliance By Asset Type	SDK: kubernetes_container_compliance.AggregateComplianceByAssetType
aggregate_compliance_by_cluster_type	Aggregate Compliance By Cluster Type	SDK: kubernetes_container_compliance.AggregateComplianceByClusterType
aggregate_compliance_by_framework	Aggregate Compliance By Framework	SDK: kubernetes_container_compliance.AggregateComplianceByFramework
aggregate_failed_rules_by_clusters_v3	Aggregate Failed Rules By Clusters V3	SDK: kubernetes_container_compliance.AggregateFailedRulesByClustersV3
aggregate_top_failed_images	Aggregate Top Failed Images	SDK: kubernetes_container_compliance.AggregateTopFailedImages
combined_images_findings	Combined Images Findings	SDK: kubernetes_container_compliance.CombinedImagesFindings
combined_nodes_findings	Combined Nodes Findings	SDK: kubernetes_container_compliance.CombinedNodesFindings
get_rules_metadata_by_id	Get Rules Metadata By Id	SDK: kubernetes_container_compliance.GetRulesMetadataByID

Aggregate Assessments Grouped By Clusters V2

SDK: kubernetes_container_compliance.AggregateAssessmentsGroupedByClustersV2

Parameters:

Name	Type	Required	Description
filter	string	No	FQL filter expression used to limit the results. Filter fields include: cid, cloud_info.cloud_acc...
limit	number	No	The maximum number of records to return. (1-500) Default is 20.
offset	number	No	The zero-based position of the first record to return.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Aggregate Assessments Grouped By Rules V2

SDK: kubernetes_container_compliance.AggregateAssessmentsGroupedByRulesV2

Parameters:

Name	Type	Required	Description
filter	string	No	FQL filter expression used to limit the results. Filter fields include: cid, cloud_info.cloud_acc...
limit	number	No	The maximum number of records to return. (1-500) Default is 20.
offset	number	No	The zero-based position of the first record to return.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Aggregate Compliance By Asset Type

SDK: kubernetes_container_compliance.AggregateComplianceByAssetType

Parameters:

Name	Type	Required	Description
filter	string	No	FQL filter expression used to limit the results. Filter fields include: cid, cloud_info.cloud_acc...

Example:

{
  "filter": "<filter>"
}

Aggregate Compliance By Cluster Type

SDK: kubernetes_container_compliance.AggregateComplianceByClusterType

Parameters:

Name	Type	Required	Description
filter	string	No	FQL filter expression used to limit the results. Filter fields include: cid, cloud_info.cloud_acc...

Example:

{
  "filter": "<filter>"
}

Aggregate Compliance By Framework

SDK: kubernetes_container_compliance.AggregateComplianceByFramework

Parameters:

Name	Type	Required	Description
filter	string	No	FQL filter expression used to limit the results. Filter fields include: cid, cloud_info.cloud_acc...

Example:

{
  "filter": "<filter>"
}

Aggregate Failed Rules By Clusters V3

SDK: kubernetes_container_compliance.AggregateFailedRulesByClustersV3

Parameters:

Name	Type	Required	Description
filter	string	No	FQL filter expression used to limit the results. Filter fields include: cid, cloud_info.cloud_acc...
limit	number	No	The maximum number of records to return. (1-100) Default is 10.

Example:

{
  "filter": "<filter>",
  "limit": 10
}

Aggregate Top Failed Images

SDK: kubernetes_container_compliance.AggregateTopFailedImages

Parameters:

Name	Type	Required	Description
filter	string	No	FQL filter expression used to limit the results. Filter fields include: cid, cloud_info.cloud_acc...
limit	number	No	The maximum number of records to return. (1-100) Default is 10.

Example:

{
  "filter": "<filter>",
  "limit": 10
}

Combined Images Findings

SDK: kubernetes_container_compliance.CombinedImagesFindings

Parameters:

Name	Type	Required	Description
after	string	No	A pagination token used with the limit parameter to manage pagination of results. On your first...
filter	string	No	FQL filter expression used to limit the results. Filter fields include: cid, cloud_info.cloud_acc...
limit	number	No	The maximum number of images for which assessments are to be returned: 1-100. Default is 100. Use...

Example:

{
  "after": "<after>",
  "filter": "<filter>",
  "limit": 10
}

Combined Nodes Findings

SDK: kubernetes_container_compliance.CombinedNodesFindings

Parameters:

Name	Type	Required	Description
after	string	No	A pagination token used with the limit parameter to manage pagination of results. On your first...
filter	string	No	FQL filter expression used to limit the results. Filter fields include: cid, cloud_info.cloud_acc...
limit	number	No	The maximum number of nodes for which assessments are to be returned: 1-100. Default is 100. Use ...

Example:

{
  "after": "<after>",
  "filter": "<filter>",
  "limit": 10
}

Get Rules Metadata By Id

SDK: kubernetes_container_compliance.GetRulesMetadataByID

Parameters:

Name	Type	Required	Description
ids	array	No	comma separated list of rule ids

Example:

{
  "ids": ["<ids>"]
}

Kubernetes Protection

Operations for Kubernetes Protection

Operations

Operation	Name	Description
cluster_combined	Cluster Combined	SDK: kubernetes_protection.ClusterCombined
cluster_count	Cluster Count	SDK: kubernetes_protection.ClusterCount
cluster_enrichment	Cluster Enrichment	SDK: kubernetes_protection.ClusterEnrichment
clusters_by_date_range_count	Clusters By Date Range Count	SDK: kubernetes_protection.ClustersByDateRangeCount
clusters_by_kubernetes_version_count	Clusters By Kubernetes Version Count	SDK: kubernetes_protection.ClustersByKubernetesVersionCount
clusters_by_status_count	Clusters By Status Count	SDK: kubernetes_protection.ClustersByStatusCount
container_combined	Container Combined	SDK: kubernetes_protection.ContainerCombined
container_count	Container Count	SDK: kubernetes_protection.ContainerCount
container_count_by_registry	Container Count By Registry	SDK: kubernetes_protection.ContainerCountByRegistry
container_enrichment	Container Enrichment	SDK: kubernetes_protection.ContainerEnrichment
container_image_detections_count_by_date	Container Image Detections Count By Date	SDK: kubernetes_protection.ContainerImageDetectionsCountByDate
container_images_by_most_used	Container Images By Most Used	SDK: kubernetes_protection.ContainerImagesByMostUsed
container_images_by_state	Container Images By State	SDK: kubernetes_protection.ContainerImagesByState
container_vulnerabilities_by_severity_count	Container Vulnerabilities By Severity Count	SDK: kubernetes_protection.ContainerVulnerabilitiesBySeverityCount
containers_by_date_range_count	Containers By Date Range Count	SDK: kubernetes_protection.ContainersByDateRangeCount
containers_sensor_coverage	Containers Sensor Coverage	SDK: kubernetes_protection.ContainersSensorCoverage
create_awsaccount	Create Awsaccount	SDK: kubernetes_protection.CreateAWSAccount
create_azure_subscription	Create Azure Subscription	SDK: kubernetes_protection.CreateAzureSubscription
delete_awsaccounts_mixin0	Delete Awsaccounts Mixin0	SDK: kubernetes_protection.DeleteAWSAccountsMixin0
delete_azure_subscription	Delete Azure Subscription	SDK: kubernetes_protection.DeleteAzureSubscription
deployment_combined	Deployment Combined	SDK: kubernetes_protection.DeploymentCombined
deployment_count	Deployment Count	SDK: kubernetes_protection.DeploymentCount
deployment_enrichment	Deployment Enrichment	SDK: kubernetes_protection.DeploymentEnrichment
deployments_by_date_range_count	Deployments By Date Range Count	SDK: kubernetes_protection.DeploymentsByDateRangeCount
distinct_container_image_count	Distinct Container Image Count	SDK: kubernetes_protection.DistinctContainerImageCount
find_containers_by_container_run_time_version	Find Containers By Container Run Time Version	SDK: kubernetes_protection.FindContainersByContainerRunTimeVersion
find_containers_count_affected_by_zero_day_vulnerabilities	Find Containers Count Affected By Zero Day Vulnerabilities	SDK: kubernetes_protection.FindContainersCountAffectedByZeroDayVulnerabilities
get	Get	SDK: kubernetes_protection.PostSearchKubernetesIOMEntities
get_awsaccounts_mixin0	Get Awsaccounts Mixin0	SDK: kubernetes_protection.GetAWSAccountsMixin0
get_azure_install_script	Get Azure Install Script	SDK: kubernetes_protection.GetAzureInstallScript
get_azure_tenant_config	Get Azure Tenant Config	SDK: kubernetes_protection.GetAzureTenantConfig
get_azure_tenant_ids	Get Azure Tenant Ids	SDK: kubernetes_protection.GetAzureTenantIDs
get_clusters	Get Clusters	SDK: kubernetes_protection.GetClusters
get_combined_cloud_clusters	Get Combined Cloud Clusters	SDK: kubernetes_protection.GetCombinedCloudClusters
get_helm_values_yaml	Get Helm Values Yaml	SDK: kubernetes_protection.GetHelmValuesYaml
get_locations	Get Locations	SDK: kubernetes_protection.GetLocations
get_static_scripts	Get Static Scripts	SDK: kubernetes_protection.GetStaticScripts
group_containers_by_managed	Group Containers By Managed	SDK: kubernetes_protection.GroupContainersByManaged
kubernetes_iom_by_date_range	Kubernetes Iom By Date Range	SDK: kubernetes_protection.KubernetesIomByDateRange
kubernetes_iom_count	Kubernetes Iom Count	SDK: kubernetes_protection.KubernetesIomCount
kubernetes_iom_entities	Kubernetes Iom Entities	SDK: kubernetes_protection.KubernetesIomEntities
kubernetes_iom_entities_combined	Kubernetes Iom Entities Combined	SDK: kubernetes_protection.KubernetesIomEntitiesCombined
list_azure_accounts	List Azure Accounts	SDK: kubernetes_protection.ListAzureAccounts
list_kubernetes_ioms	List Kubernetes Ioms	SDK: kubernetes_protection.QueryKubernetesIoms
node_combined	Node Combined	SDK: kubernetes_protection.NodeCombined
node_count	Node Count	SDK: kubernetes_protection.NodeCount
node_enrichment	Node Enrichment	SDK: kubernetes_protection.NodeEnrichment
nodes_by_cloud_count	Nodes By Cloud Count	SDK: kubernetes_protection.NodesByCloudCount
nodes_by_container_engine_version_count	Nodes By Container Engine Version Count	SDK: kubernetes_protection.NodesByContainerEngineVersionCount
nodes_by_date_range_count	Nodes By Date Range Count	SDK: kubernetes_protection.NodesByDateRangeCount
pod_combined	Pod Combined	SDK: kubernetes_protection.PodCombined
pod_count	Pod Count	SDK: kubernetes_protection.PodCount
pod_enrichment	Pod Enrichment	SDK: kubernetes_protection.PodEnrichment
pods_by_date_range_count	Pods By Date Range Count	SDK: kubernetes_protection.PodsByDateRangeCount
read_cluster_combined_v2	Read Cluster Combined V2	SDK: kubernetes_protection.ReadClusterCombinedV2
read_namespace_count	Read Namespace Count	SDK: kubernetes_protection.ReadNamespaceCount
read_namespaces_by_date_range_count	Read Namespaces By Date Range Count	SDK: kubernetes_protection.ReadNamespacesByDateRangeCount
regenerate_apikey	Regenerate Apikey	SDK: kubernetes_protection.RegenerateAPIKey
running_container_images	Running Container Images	SDK: kubernetes_protection.RunningContainerImages
trigger_scan	Trigger Scan	SDK: kubernetes_protection.TriggerScan
update_awsaccount	Update Awsaccount	SDK: kubernetes_protection.UpdateAWSAccount
update_azure_service_principal	Update Azure Service Principal	SDK: kubernetes_protection.PatchAzureServicePrincipal
vulnerable_container_image_count	Vulnerable Container Image Count	SDK: kubernetes_protection.VulnerableContainerImageCount

Cluster Combined

SDK: kubernetes_protection.ClusterCombined

Parameters:

Name	Type	Required	Description
filter	string	No	- cloud_account_id - cloud_name - cloud_region - cloud_service - cluster_id - `cluster_...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 200. Default: 200
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	The fields to sort the records on.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Cluster Count

SDK: kubernetes_protection.ClusterCount

Parameters:

Name	Type	Required	Description
filter	string	No	- cloud_account_id - cloud_name - cloud_region - cloud_service - cluster_id - `cluster_...

Example:

{
  "filter": "<filter>"
}

Cluster Enrichment

SDK: kubernetes_protection.ClusterEnrichment

Parameters:

Name	Type	Required	Description
cluster_id	array	No	One or more cluster ids for which to retrieve enrichment info
filter	string	No	Supported filter fields: - last_seen

Example:

{
  "cluster_id": ["<cluster_id>"],
  "filter": "<filter>"
}

Clusters By Date Range Count

SDK: kubernetes_protection.ClustersByDateRangeCount

This operation has no parameters.

Example:

{
}

Clusters By Kubernetes Version Count

SDK: kubernetes_protection.ClustersByKubernetesVersionCount

Parameters:

Name	Type	Required	Description
filter	string	No	- cloud_account_id - cloud_name - cloud_region - cloud_service - cluster_id - `cluster_...

Example:

{
  "filter": "<filter>"
}

Clusters By Status Count

SDK: kubernetes_protection.ClustersByStatusCount

Parameters:

Name	Type	Required	Description
filter	string	No	- cloud_account_id - cloud_name - cloud_region - cloud_service - cluster_id - `cluster_...

Example:

{
  "filter": "<filter>"
}

Container Combined

SDK: kubernetes_protection.ContainerCombined

Parameters:

Name	Type	Required	Description
filter	string	No	- interactive_mode - ipv4 - ipv6 - kac_agent_id - labels - last_seen - namespace - ...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 200. Default: 200
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	The fields to sort the records on.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Container Count

SDK: kubernetes_protection.ContainerCount

Parameters:

Name	Type	Required	Description
filter	string	No	- interactive_mode - ipv4 - ipv6 - kac_agent_id - labels - last_seen - namespace - ...

Example:

{
  "filter": "<filter>"
}

Container Count By Registry

SDK: kubernetes_protection.ContainerCountByRegistry

Parameters:

Name	Type	Required	Description
filter	string	No	- interactive_mode - ipv4 - ipv6 - kac_agent_id - labels - last_seen - namespace - ...
limit	number	No	The upper-bound on the number of records to retrieve.
under_assessment	boolean	No	(true/false) whether to return registries under assessment or not under assessment. If not provid...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "under_assessment": true
}

Container Enrichment

SDK: kubernetes_protection.ContainerEnrichment

Parameters:

Name	Type	Required	Description
container_id	array	No	One or more container ids for which to retrieve enrichment info
filter	string	No	Supported filter fields: - last_seen

Example:

{
  "container_id": ["<container_id>"],
  "filter": "<filter>"
}

Container Image Detections Count By Date

SDK: kubernetes_protection.ContainerImageDetectionsCountByDate

Parameters:

Name	Type	Required	Description
filter	string	No	- interactive_mode - ipv4 - ipv6 - kac_agent_id - labels - last_seen - namespace - ...

Example:

{
  "filter": "<filter>"
}

Container Images By Most Used

SDK: kubernetes_protection.ContainerImagesByMostUsed

Parameters:

Name	Type	Required	Description
filter	string	No	- interactive_mode - ipv4 - ipv6 - kac_agent_id - labels - last_seen - namespace - ...

Example:

{
  "filter": "<filter>"
}

Container Images By State

SDK: kubernetes_protection.ContainerImagesByState

Parameters:

Name	Type	Required	Description
filter	string	No	Filter using a query in Falcon Query Language (FQL). Supported filter fields: - cid

Example:

{
  "filter": "<filter>"
}

Container Vulnerabilities By Severity Count

SDK: kubernetes_protection.ContainerVulnerabilitiesBySeverityCount

Parameters:

Name	Type	Required	Description
filter	string	No	- interactive_mode - ipv4 - ipv6 - kac_agent_id - labels - last_seen - namespace - ...

Example:

{
  "filter": "<filter>"
}

Containers By Date Range Count

SDK: kubernetes_protection.ContainersByDateRangeCount

Parameters:

Name	Type	Required	Description
filter	string	No	- interactive_mode - ipv4 - ipv6 - kac_agent_id - labels - last_seen - namespace - ...

Example:

{
  "filter": "<filter>"
}

Containers Sensor Coverage

SDK: kubernetes_protection.ContainersSensorCoverage

Parameters:

Name	Type	Required	Description
filter	string	No	- interactive_mode - ipv4 - ipv6 - kac_agent_id - labels - last_seen - namespace - ...

Example:

{
  "filter": "<filter>"
}

Create Awsaccount

SDK: kubernetes_protection.CreateAWSAccount

Parameters:

Name	Type	Required	Description
resources	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Create Azure Subscription

SDK: kubernetes_protection.CreateAzureSubscription

Parameters:

Name	Type	Required	Description
resources	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Delete Awsaccounts Mixin0

SDK: kubernetes_protection.DeleteAWSAccountsMixin0

Parameters:

Name	Type	Required	Description
ids	array	No	AWS Account IDs

Example:

{
  "ids": ["<ids>"]
}

Delete Azure Subscription

SDK: kubernetes_protection.DeleteAzureSubscription

Parameters:

Name	Type	Required	Description
ids	array	No	Azure Subscription IDs

Example:

{
  "ids": ["<ids>"]
}

Deployment Combined

SDK: kubernetes_protection.DeploymentCombined

Parameters:

Name	Type	Required	Description
filter	string	No	- agent_type - annotations_list - cid - cloud_account_id - cloud_name - cloud_region ...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 200. Default: 200
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	The fields to sort the records on.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Deployment Count

SDK: kubernetes_protection.DeploymentCount

Parameters:

Name	Type	Required	Description
filter	string	No	- agent_type - annotations_list - cid - cloud_account_id - cloud_name - cloud_region ...

Example:

{
  "filter": "<filter>"
}

Deployment Enrichment

SDK: kubernetes_protection.DeploymentEnrichment

Parameters:

Name	Type	Required	Description
deployment_id	array	No	One or more deployment ids for which to retrieve enrichment info
filter	string	No	Supported filter fields: - last_seen

Example:

{
  "deployment_id": ["<deployment_id>"],
  "filter": "<filter>"
}

Deployments By Date Range Count

SDK: kubernetes_protection.DeploymentsByDateRangeCount

This operation has no parameters.

Example:

{
}

Distinct Container Image Count

SDK: kubernetes_protection.DistinctContainerImageCount

Parameters:

Name	Type	Required	Description
filter	string	No	- interactive_mode - ipv4 - ipv6 - kac_agent_id - labels - last_seen - namespace - ...

Example:

{
  "filter": "<filter>"
}

Find Containers By Container Run Time Version

SDK: kubernetes_protection.FindContainersByContainerRunTimeVersion

Parameters:

Name	Type	Required	Description
filter	string	No	- interactive_mode - ipv4 - ipv6 - kac_agent_id - labels - last_seen - namespace - ...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 200. Default: 200
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	The fields to sort the records on.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Find Containers Count Affected By Zero Day Vulnerabilities

SDK: kubernetes_protection.FindContainersCountAffectedByZeroDayVulnerabilities

This operation has no parameters.

Example:

{
}

Get

SDK: kubernetes_protection.PostSearchKubernetesIOMEntities

Parameters:

Name	Type	Required	Description
pit	string	Yes	Elasticsearch Point in Time ID used to paginate
search_after	object	Yes	Sort value to continue the pagination from

Example:

{
  "pit": "<pit>",
  "search_after": {}
}

Get Awsaccounts Mixin0

SDK: kubernetes_protection.GetAWSAccountsMixin0

Parameters:

Name	Type	Required	Description
ids	array	No	AWS Account IDs
is_horizon_acct	string	No	Filter by whether an account originates from Horizon or not
limit	number	No	Limit returned accounts
offset	number	No	Offset returned accounts
status	string	No	Filter by account status

Example:

{
  "ids": ["<ids>"],
  "is_horizon_acct": "<is_horizon_acct>",
  "limit": 10,
  "offset": 10,
  "status": "<status>"
}

Get Azure Install Script

SDK: kubernetes_protection.GetAzureInstallScript

Parameters:

Name	Type	Required	Description
id	string	No	Azure Tenant ID
subscription_id	array	No	Azure Subscription IDs

Example:

{
  "id": "<id>",
  "subscription_id": ["<subscription_id>"]
}

Get Azure Tenant Config

SDK: kubernetes_protection.GetAzureTenantConfig

Parameters:

Name	Type	Required	Description
ids	array	No	Azure Tenant IDs
limit	number	No	Limit returned accounts
offset	number	No	Offset returned accounts

Example:

{
  "ids": ["<ids>"],
  "limit": 10,
  "offset": 10
}

Get Azure Tenant Ids

SDK: kubernetes_protection.GetAzureTenantIDs

Parameters:

Name	Type	Required	Description
ids	array	No	Azure Tenant IDs
limit	number	No	Limit returned accounts
offset	number	No	Offset returned accounts
status	string	No	Cluster Status

Example:

{
  "ids": ["<ids>"],
  "limit": 10,
  "offset": 10,
  "status": "<status>"
}

Get Clusters

SDK: kubernetes_protection.GetClusters

Parameters:

Name	Type	Required	Description
account_ids	array	No	Cluster Account id. For EKS it will be AWS account ID.
cluster_names	array	No	Cluster name. For EKS it will be cluster ARN.
cluster_service	string	No	Cluster Service. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
limit	number	No	Limit returned accounts
locations	array	No	Cloud location
offset	number	No	Offset returned accounts
status	array	No	Cluster Status

Example:

{
  "account_ids": ["<account_ids>"],
  "cluster_names": ["<cluster_names>"],
  "cluster_service": "<cluster_service>",
  "limit": 10,
  "locations": ["<locations>"],
  "offset": 10,
  "status": ["<status>"]
}

Get Combined Cloud Clusters

SDK: kubernetes_protection.GetCombinedCloudClusters

Parameters:

Name	Type	Required	Description
cluster_service	array	No	Cluster Service. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
cluster_status	array	No	Cluster Status. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
ids	array	No	Cloud Account IDs
limit	number	No	Limit returned accounts
locations	array	No	Cloud location
offset	number	No	Offset returned accounts

Example:

{
  "cluster_service": ["<cluster_service>"],
  "cluster_status": ["<cluster_status>"],
  "ids": ["<ids>"],
  "limit": 10,
  "locations": ["<locations>"],
  "offset": 10
}

Get Helm Values Yaml

SDK: kubernetes_protection.GetHelmValuesYaml

Parameters:

Name	Type	Required	Description
cluster_name	string	No	Cluster name. For EKS it will be cluster ARN.
is_self_managed_cluster	boolean	No	Set to true if the cluster is not managed by a cloud provider, false if it is.

Example:

{
  "cluster_name": "<cluster_name>",
  "is_self_managed_cluster": true
}

Get Locations

SDK: kubernetes_protection.GetLocations

Parameters:

Name	Type	Required	Description
clouds	array	No	Cloud Provider

Example:

{
  "clouds": ["<clouds>"]
}

Get Static Scripts

SDK: kubernetes_protection.GetStaticScripts

This operation has no parameters.

Example:

{
}

Group Containers By Managed

SDK: kubernetes_protection.GroupContainersByManaged

Parameters:

Name	Type	Required	Description
filter	string	No	- insecure_propagation_mode - interactive_mode - ipv4 - ipv6 - kac_agent_id - labels ...

Example:

{
  "filter": "<filter>"
}

Kubernetes Iom By Date Range

SDK: kubernetes_protection.KubernetesIomByDateRange

Parameters:

Name	Type	Required	Description
filter	string	No	Filter Kubernetes IOMs using a query in Falcon Query Language (FQL). Supported filter fields: - `...

Example:

{
  "filter": "<filter>"
}

Kubernetes Iom Count

SDK: kubernetes_protection.KubernetesIomCount

Parameters:

Name	Type	Required	Description
filter	string	No	Filter Kubernetes IOMs using a query in Falcon Query Language (FQL). Supported filter fields: - `...

Example:

{
  "filter": "<filter>"
}

Kubernetes Iom Entities

SDK: kubernetes_protection.KubernetesIomEntities

Parameters:

Name	Type	Required	Description
ids	array	No	Search Kubernetes IOMs by ids - The maximum amount is 100 IDs

Example:

{
  "ids": ["<ids>"]
}

Kubernetes Iom Entities Combined

SDK: kubernetes_protection.KubernetesIomEntitiesCombined

Parameters:

Name	Type	Required	Description
filter	string	No	Search Kubernetes IOMs using a query in Falcon Query Language (FQL). Supported filter fields: - `...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	The fields to sort the records on.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Azure Accounts

SDK: kubernetes_protection.ListAzureAccounts

Parameters:

Name	Type	Required	Description
ids	array	No	Azure Tenant IDs
is_horizon_acct	string	No	Filter by whether an account originates from Horizon or not
limit	number	No	Limit returned accounts
offset	number	No	Offset returned accounts
status	string	No	Filter by account status
subscription_id	array	No	Azure Subscription IDs

Example:

{
  "ids": ["<ids>"],
  "is_horizon_acct": "<is_horizon_acct>",
  "limit": 10,
  "offset": 10,
  "status": "<status>",
  "subscription_id": ["<subscription_id>"]
}

List Kubernetes Ioms

SDK: kubernetes_protection.QueryKubernetesIoms

Parameters:

Name	Type	Required	Description
filter	string	No	Search Kubernetes IOMs using a query in Falcon Query Language (FQL). Supported filter fields: - `...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	The fields to sort the records on.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Node Combined

SDK: kubernetes_protection.NodeCombined

Parameters:

Name	Type	Required	Description
filter	string	No	- cloud_account_id - cloud_name - cloud_region - cloud_service - cluster_id - `cluster_...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 200. Default: 200
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	The fields to sort the records on.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Node Count

SDK: kubernetes_protection.NodeCount

Parameters:

Name	Type	Required	Description
filter	string	No	- cloud_account_id - cloud_name - cloud_region - cloud_service - cluster_id - `cluster_...

Example:

{
  "filter": "<filter>"
}

Node Enrichment

SDK: kubernetes_protection.NodeEnrichment

Parameters:

Name	Type	Required	Description
filter	string	No	Supported filter fields: - last_seen
node_name	array	No	One or more node names for which to retrieve enrichment info

Example:

{
  "filter": "<filter>",
  "node_name": ["<node_name>"]
}

Nodes By Cloud Count

SDK: kubernetes_protection.NodesByCloudCount

Parameters:

Name	Type	Required	Description
filter	string	No	- cloud_account_id - cloud_name - cloud_region - cloud_service - cluster_id - `cluster_...

Example:

{
  "filter": "<filter>"
}

Nodes By Container Engine Version Count

SDK: kubernetes_protection.NodesByContainerEngineVersionCount

Parameters:

Name	Type	Required	Description
filter	string	No	- cloud_account_id - cloud_name - cloud_region - cloud_service - cluster_id - `cluster_...

Example:

{
  "filter": "<filter>"
}

Nodes By Date Range Count

SDK: kubernetes_protection.NodesByDateRangeCount

Parameters:

Name	Type	Required	Description
filter	string	No	- cloud_account_id - cloud_name - cloud_region - cloud_service - cluster_id - `cluster_...

Example:

{
  "filter": "<filter>"
}

Pod Combined

SDK: kubernetes_protection.PodCombined

Parameters:

Name	Type	Required	Description
filter	string	No	- ipv6 - kac_agent_id - labels - last_seen - namespace - node_name - node_uid - `ow...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 200. Default: 200
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	The fields to sort the records on.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Pod Count

SDK: kubernetes_protection.PodCount

Parameters:

Name	Type	Required	Description
filter	string	No	- ipv6 - kac_agent_id - labels - last_seen - namespace - node_name - node_uid - `ow...

Example:

{
  "filter": "<filter>"
}

Pod Enrichment

SDK: kubernetes_protection.PodEnrichment

Parameters:

Name	Type	Required	Description
filter	string	No	Supported filter fields: - last_seen
pod_id	array	No	One or more pod ids for which to retrieve enrichment info

Example:

{
  "filter": "<filter>",
  "pod_id": ["<pod_id>"]
}

Pods By Date Range Count

SDK: kubernetes_protection.PodsByDateRangeCount

This operation has no parameters.

Example:

{
}

Read Cluster Combined V2

SDK: kubernetes_protection.ReadClusterCombinedV2

Parameters:

Name	Type	Required	Description
filter	string	No	- cloud_account_id - cloud_name - cloud_region - cloud_service - cluster_id - `cluster_...
include_counts	boolean	No	Flag to include node, pod and container counts in the response
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 200. Default: 200
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	The fields to sort the records on.

Example:

{
  "filter": "<filter>",
  "include_counts": true,
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Read Namespace Count

SDK: kubernetes_protection.ReadNamespaceCount

Parameters:

Name	Type	Required	Description
filter	string	No	Retrieve count of Kubernetes namespaces that match a query in Falcon Query Language (FQL). Suppor...

Example:

{
  "filter": "<filter>"
}

Read Namespaces By Date Range Count

SDK: kubernetes_protection.ReadNamespacesByDateRangeCount

This operation has no parameters.

Example:

{
}

Regenerate Apikey

SDK: kubernetes_protection.RegenerateAPIKey

This operation has no parameters.

Example:

{
}

Running Container Images

SDK: kubernetes_protection.RunningContainerImages

Parameters:

Name	Type	Required	Description
filter	string	No	Retrieve list of images on running containers using a query in Falcon Query Language (FQL). Suppo...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 200. Default: 200
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	The fields to sort the records on.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Trigger Scan

SDK: kubernetes_protection.TriggerScan

Parameters:

Name	Type	Required	Description
scan_type	string	No	Scan Type to do Default: "dry-run"

Example:

{
  "scan_type": "<scan_type>"
}

Update Awsaccount

SDK: kubernetes_protection.UpdateAWSAccount

Parameters:

Name	Type	Required	Description
ids	array	No	AWS Account ID
region	string	No	Default Region for Account Automation

Example:

{
  "ids": ["<ids>"],
  "region": "<region>"
}

Update Azure Service Principal

SDK: kubernetes_protection.PatchAzureServicePrincipal

Parameters:

Name	Type	Required	Description
client_id	string	No	Azure Client ID
id	string	No	Azure Tenant ID

Example:

{
  "client_id": "<client_id>",
  "id": "<id>"
}

Vulnerable Container Image Count

SDK: kubernetes_protection.VulnerableContainerImageCount

Parameters:

Name	Type	Required	Description
filter	string	No	- interactive_mode - ipv4 - ipv6 - kac_agent_id - labels - last_seen - namespace - ...

Example:

{
  "filter": "<filter>"
}

Runtime Detections

Operations for Runtime Detections

Operations

Operation	Name	Description
get_runtime_detections_combined_v2	Get Runtime Detections Combined V2	SDK: runtime_detections.GetRuntimeDetectionsCombinedV2

Get Runtime Detections Combined V2

SDK: runtime_detections.GetRuntimeDetectionsCombinedV2

Parameters:

Name	Type	Required	Description
filter	string	No	Filter Container Runtime Detections using a query in Falcon Query Language (FQL). Supported filte...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	The fields to sort the records on.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Serverless Vulnerabilities

Operations for Serverless Vulnerabilities

Operations

Operation	Name	Description
get_combined_vulnerabilities_sarif	Get Combined Vulnerabilities Sarif	SDK: serverless_vulnerabilities.GetCombinedVulnerabilitiesSARIF

Get Combined Vulnerabilities Sarif

SDK: serverless_vulnerabilities.GetCombinedVulnerabilitiesSARIF

Parameters:

Name	Type	Required	Description
filter	string	No	Filter lambda vulnerabilities using a query in Falcon Query Language (FQL).Supported filters: app...
limit	number	No	The upper-bound on the number of records to retrieve.
offset	number	No	The offset from where to begin.
sort	string	No	The fields to sort the records on. Supported columns: [application_name application_name_version ...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Unidentified Containers

Operations for Unidentified Containers

Operations

Operation	Name	Description
count	Count	SDK: unidentified_containers.Count
count_by_date_range	Count By Date Range	SDK: unidentified_containers.CountByDateRange
search	Search	SDK: unidentified_containers.Search

Count

SDK: unidentified_containers.Count

Parameters:

Name	Type	Required	Description
filter	string	No	Search Unidentified Containers using a query in Falcon Query Language (FQL). Supported filter fie...

Example:

{
  "filter": "<filter>"
}

Count By Date Range

SDK: unidentified_containers.CountByDateRange

Parameters:

Name	Type	Required	Description
filter	string	No	Search Unidentified Containers using a query in Falcon Query Language (FQL). Supported filter fie...

Example:

{
  "filter": "<filter>"
}

Search

SDK: unidentified_containers.Search

Parameters:

Name	Type	Required	Description
filter	string	No	Search Unidentified Containers using a query in Falcon Query Language (FQL). Supported filter fie...
limit	number	No	The upper-bound on the number of records to retrieve. Maximum limit: 100. Default: 100
offset	number	No	The offset from where to begin. Maximum offset = 10000 - limit.
sort	string	No	The fields to sort the records on.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Best Practices

1. Use Appropriate Filters: Leverage FQL (Falcon Query Language) filters to narrow down results and improve performance.

2. Implement Pagination: For operations returning large datasets, use limit and offset parameters to paginate results.

3. Handle Rate Limits: CrowdStrike APIs have rate limits. Implement appropriate delays and retry logic in your workflows.

4. Secure Credentials: Never log or expose API credentials. Use NINA's credential management for secure storage.

5. Use Specific Scopes: When creating API clients, only request the minimum required API scopes.

6. Monitor API Usage: Track your API usage to avoid hitting rate limits during critical operations.

7. Validate IDs: Always validate resource IDs before using them in update or delete operations.

8. Error Handling: Implement comprehensive error handling for API failures and unexpected responses.

Troubleshooting

Issue	Possible Solution
401 Unauthorized	Verify Client ID and Client Secret are correct; check if credentials have expired
403 Forbidden	Ensure API client has required scopes for the operation
404 Not Found	Verify the resource ID exists and is accessible with your credentials
429 Too Many Requests	Rate limit exceeded; implement delays between requests
Invalid Filter	Check FQL syntax; refer to CrowdStrike FQL documentation
Connection Timeout	Verify network connectivity and correct Base URL for your region
Empty Results	Verify filter criteria; check if resources exist in your environment

Support

For issues with this integration, please contact support with:

• The operation you were attempting
• Any error messages received
• The parameters used (excluding sensitive data)
• Your CrowdStrike cloud region

For CrowdStrike API documentation, visit: CrowdStrike Developer Portal

Updated: 2026-02-05