CrowdStrike EDR Integration Guide

Overview

The CrowdStrike EDR integration allows your NINA workflows to connect with CrowdStrike Falcon platform for endpoint detection and response capabilities for threat detection and incident response. This integration enables automated security operations, threat detection, and incident response directly from your automation platform.

Capabilities

This integration provides access to 14 resources with 120 operations covering:

Alerts: Operations for Alerts
Detects: Operations for Detects
Device Content: Operations for Device Content
Host Group: Operations for Host Group
Host Migration: Operations for Host Migration
Hosts: Operations for Hosts
Incidents: Operations for Incidents
Installation Tokens: Operations for Installation Tokens
Mobile Enrollment: Operations for Mobile Enrollment
Quarantine: Operations for Quarantine
Real Time Response: Operations for Real Time Response
Real Time Response Admin: Operations for Real Time Response Admin
Real Time Response Audit: Operations for Real Time Response Audit
Sensor Download: Operations for Sensor Download

Credential Configuration

Before using the CrowdStrike EDR integration in your workflows, you need to configure credentials for authentication.

Authentication Method

CrowdStrike Falcon uses OAuth2 Client Credentials authentication. This is a server-to-server authentication flow where you provide a Client ID and Client Secret, and the integration automatically handles token acquisition and refresh.

Field	Description	Required
Client ID	Your CrowdStrike API Client ID	Yes
Client Secret	Your CrowdStrike API Client Secret	Yes
Base URL	CrowdStrike API endpoint for your cloud region	Yes

How It Works

You provide the Client ID and Client Secret when creating a credential
The integration exchanges these for an OAuth2 access token automatically
Tokens are refreshed automatically when they expire
No redirect URLs or user interaction required

CrowdStrike Cloud Regions

Select the Base URL that matches your CrowdStrike Falcon cloud region:

Cloud Region	Base URL	Description
US-1	`https://api.crowdstrike.com`	United States (default)
US-2	`https://api.us-2.crowdstrike.com`	United States (secondary)
EU-1	`https://api.eu-1.crowdstrike.com`	European Union
US-GOV-1	`https://api.laggar.gcw.crowdstrike.com`	US Government Cloud

How to Obtain API Credentials

Log in to the CrowdStrike Falcon Console
Navigate to Support and resources > API Clients and Keys
Click Add new API client
Configure the API client:
- Client Name: A descriptive name (e.g., "NINA Integration")
- Description: Purpose of this API client
- API Scopes: Select the permissions required for your use case (see Required Scopes below)
Click Add to create the client
Copy and securely store the Client ID and Client Secret immediately

Important: The Client Secret is only displayed once at creation time. If you lose it, you must create a new API client.

Required API Scopes

The API scopes required depend on which operations you plan to use. Common scopes include:

Scope	Permission	Use Case
Detections	Read/Write	View and manage detections
Hosts	Read/Write	Query and manage endpoints
Incidents	Read/Write	View and manage incidents
IOCs	Read/Write	Manage indicators of compromise
Prevention Policies	Read/Write	Manage prevention policies
Real Time Response	Read/Write	Execute RTR commands
Sensor Update Policies	Read/Write	Manage sensor updates

Refer to the CrowdStrike API documentation for a complete list of available scopes.

Creating a CrowdStrike Credential in NINA

Navigate to the Credentials section in NINA
Click Add New Credential
Fill in the credential details:
- Integration Service: Select "CrowdStrike EDR"
- Client ID: Paste your CrowdStrike API Client ID
- Client Secret: Paste your CrowdStrike API Client Secret
- Base URL: Select your CrowdStrike cloud region URL
Click Test Connection to verify the credentials work
Click Save to store the credential securely

Note: All CrowdStrike integrations (EDR, Intel, Platform, etc.) share the same credential. You only need to create one credential to use across all CrowdStrike modules.

Supported Resources

Resource	Description	Operations
Alerts	Operations for Alerts	9
Detects	Operations for Detects	4
Device Content	Operations for Device Content	2
Host Group	Operations for Host Group	9
Host Migration	Operations for Host Migration	10
Hosts	Operations for Hosts	14
Incidents	Operations for Incidents	6
Installation Tokens	Operations for Installation Tokens	8
Mobile Enrollment	Operations for Mobile Enrollment	2
Quarantine	Operations for Quarantine	6
Real Time Response	Operations for Real Time Response	23
Real Time Response Admin	Operations for Real Time Response Admin	17
Real Time Response Audit	Operations for Real Time Response Audit	1
Sensor Download	Operations for Sensor Download	9

Resource Details

Alerts

Operations for Alerts

Operations

Operation	Name	Description
`get_aggregate_v2`	Get Aggregate V2	SDK: alerts.GetAggregateV2
`get_queries_alerts_`	Get Queries Alerts	SDK: alerts.GetQueriesAlertsV1
`get_v2`	Get V2	SDK: alerts.GetV2
`list_v2`	List V2	SDK: alerts.QueryV2
`post_aggregates_alerts_`	Post Aggregates Alerts	SDK: alerts.PostAggregatesAlertsV1
`post_combined_alerts_`	Post Combined Alerts	SDK: alerts.PostCombinedAlertsV1
`post_entities_alerts_`	Post Entities Alerts	SDK: alerts.PostEntitiesAlertsV1
`update_entities_alerts_v2`	Update Entities Alerts V2	SDK: alerts.PatchEntitiesAlertsV2
`update_v3`	Update V3	SDK: alerts.UpdateV3

Get Aggregate V2

SDK: alerts.GetAggregateV2

Parameters:

Name	Type	Required	Description
`body`	object	No	request body takes a list of aggregate-alert query requests
`include_hidden`	boolean	No	allows previously hidden alerts to be retrieved Default: true

Example:

{
  "body": {},
  "include_hidden": true
}

Get Queries Alerts

SDK: alerts.GetQueriesAlertsV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter Alerts using a query in Falcon Query Language (FQL).Filter fields can be any keyword field...
`limit`	number	No	The maximum number of detections to return in this response (default: 100; max: 10000). Use this ...
`offset`	number	No	The first detection to return, where `0` is the latest detection. Use with the `offset` parameter...
`sort`	string	No	Sort parameter takes the form <field

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Get V2

SDK: alerts.GetV2

Parameters:

Name	Type	Required	Description
`composite_ids`	array	Yes	CompositeIDs represent the slice of Alert CompositeIDs that would be looked up

Example:

{
  "composite_ids": ["<composite_ids>"]
}

List V2

SDK: alerts.QueryV2

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter Alerts using a query in Falcon Query Language (FQL).Filter fields can be any keyword field...
`include_hidden`	boolean	No	allows previously hidden alerts to be retrieved Default: true
`limit`	number	No	The maximum number of detections to return in this response (default: 100; max: 10000). Use this ...
`offset`	number	No	The first detection to return, where `0` is the latest detection. Use with the `offset` parameter...
`sort`	string	No	Sort parameter takes the form <field

Example:

{
  "filter": "<filter>",
  "include_hidden": true,
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Post Aggregates Alerts

SDK: alerts.PostAggregatesAlertsV1

Parameters:

Name	Type	Required	Description
`body`	object	No	request body takes a list of aggregate-alert query requests

Example:

{
  "body": {}
}

Post Combined Alerts

SDK: alerts.PostCombinedAlertsV1

Parameters:

Name	Type	Required	Description
`after`	string	No	after. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`filter`	string	No	filter. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`limit`	number	No	limit. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`sort`	string	No	sort. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "after": "<after>",
  "filter": "<filter>",
  "limit": 10,
  "sort": "<sort>"
}

Post Entities Alerts

SDK: alerts.PostEntitiesAlertsV1

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	IDs represent the slice of Alert IDs that would be looked up

Example:

{
  "ids": ["<ids>"]
}

Update Entities Alerts V2

SDK: alerts.PatchEntitiesAlertsV2

Parameters:

Name	Type	Required	Description
`action_parameters`	object	Yes	action parameters. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/open...
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "action_parameters": {},
  "ids": ["<ids>"]
}

Update V3

SDK: alerts.UpdateV3

Parameters:

Name	Type	Required	Description
`action_parameters`	object	Yes	action parameters. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/open...
`composite_ids`	array	Yes	composite ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "action_parameters": {},
  "composite_ids": ["<composite_ids>"]
}

Detects

Operations for Detects

Operations

Operation	Name	Description
`get_aggregate_detects`	Get Aggregate Detects	SDK: detects.GetAggregateDetects
`get_detect_summaries`	Get Detect Summaries	SDK: detects.GetDetectSummaries
`list_detects`	List Detects	SDK: detects.QueryDetects
`update_detects_by_ids_v2`	Update Detects By Ids V2	SDK: detects.UpdateDetectsByIdsV2

Get Aggregate Detects

SDK: detects.GetAggregateDetects

Parameters:

Name	Type	Required	Description
`body`	object	No	Query criteria and settings

Example:

{
  "body": {}
}

Get Detect Summaries

SDK: detects.GetDetectSummaries

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

List Detects

SDK: detects.QueryDetects

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter detections using a query in Falcon Query Language (FQL) An asterisk wildcard `*` includes ...
`limit`	number	No	The maximum number of detections to return in this response (default: 9999; max: 9999). Use with ...
`offset`	number	No	The first detection to return, where `0` is the latest detection. Use with the `limit` parameter ...
`sort`	string	No	Sort detections using these options: - `first_behavior`: Timestamp of the first behavior associat...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Update Detects By Ids V2

SDK: detects.UpdateDetectsByIdsV2

Parameters:

Name	Type	Required	Description
`assigned_to_uuid`	string	No	assigned to uuid. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`comment`	string	No	comment. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`new_behaviors_processed`	array	Yes	new behaviors processed
`show_in_ui`	boolean	No	show in ui. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`status`	string	No	status. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "assigned_to_uuid": "<assigned_to_uuid>",
  "comment": "<comment>",
  "ids": ["<ids>"],
  "new_behaviors_processed": ["<new_behaviors_processed>"],
  "show_in_ui": true,
  "status": "<status>"
}

Device Content

Operations for Device Content

Operations

Operation	Name	Description
`entities_states_`	Entities States	SDK: device_content.EntitiesStatesV1
`queries_states_`	Queries States	SDK: device_content.QueriesStatesV1

Entities States

SDK: device_content.EntitiesStatesV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	The ids of the devices to fetch the content state of.

Example:

{
  "ids": ["<ids>"]
}

Queries States

SDK: device_content.QueriesStatesV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	The FQL search filter
`limit`	number	No	The max number of resource ids to return. Default: 100
`offset`	number	No	The offset token returned from the previous query. If none was returned, there are no more pages ...
`sort`	string	No	What field to sort the results on. Default: "last_seen.desc"

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Host Group

Operations for Host Group

Operations

Operation	Name	Description
`create_host_groups`	Create Host Groups	SDK: host_group.CreateHostGroups
`delete_host_groups`	Delete Host Groups	SDK: host_group.DeleteHostGroups
`get_host_groups`	Get Host Groups	SDK: host_group.GetHostGroups
`list_combined_group_members`	List Combined Group Members	SDK: host_group.QueryCombinedGroupMembers
`list_combined_host_groups`	List Combined Host Groups	SDK: host_group.QueryCombinedHostGroups
`list_group_members`	List Group Members	SDK: host_group.QueryGroupMembers
`list_host_groups`	List Host Groups	SDK: host_group.QueryHostGroups
`perform_group_action`	Perform Group Action	SDK: host_group.PerformGroupAction
`update_host_groups`	Update Host Groups	SDK: host_group.UpdateHostGroups

Create Host Groups

SDK: host_group.CreateHostGroups

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Delete Host Groups

SDK: host_group.DeleteHostGroups

Parameters:

Name	Type	Required	Description
`ids`	array	No	The IDs of the Host Groups to delete

Example:

{
  "ids": ["<ids>"]
}

Get Host Groups

SDK: host_group.GetHostGroups

Parameters:

Name	Type	Required	Description
`ids`	array	No	The IDs of the Host Groups to return

Example:

{
  "ids": ["<ids>"]
}

List Combined Group Members

SDK: host_group.QueryCombinedGroupMembers

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results
`id`	string	No	The ID of the Host Group to search for members of
`limit`	number	No	The maximum records to return. [1-5000]
`offset`	number	No	The offset to start retrieving records from
`sort`	string	No	The property to sort by

Example:

{
  "filter": "<filter>",
  "id": "<id>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Combined Host Groups

SDK: host_group.QueryCombinedHostGroups

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results
`limit`	number	No	The maximum records to return. [1-5000]
`offset`	number	No	The offset to start retrieving records from
`sort`	string	No	The property to sort by

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Group Members

SDK: host_group.QueryGroupMembers

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results
`id`	string	No	The ID of the Host Group to search for members of
`limit`	number	No	The maximum records to return. [1-5000]
`offset`	number	No	The offset to start retrieving records from
`sort`	string	No	The property to sort by

Example:

{
  "filter": "<filter>",
  "id": "<id>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Host Groups

SDK: host_group.QueryHostGroups

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results
`limit`	number	No	The maximum records to return. [1-5000]
`offset`	number	No	The offset to start retrieving records from
`sort`	string	No	The property to sort by

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Perform Group Action

SDK: host_group.PerformGroupAction

Parameters:

Name	Type	Required	Description
`action_parameters`	object	Yes	action parameters. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/open...
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "action_parameters": {},
  "ids": ["<ids>"]
}

Update Host Groups

SDK: host_group.UpdateHostGroups

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Host Migration

Operations for Host Migration

Operations

Operation	Name	Description
`create_migration_`	Create Migration	SDK: host_migration.CreateMigrationV1
`get_host_migration_ids_`	Get Host Migration Ids	SDK: host_migration.GetHostMigrationIDsV1
`get_host_migrations_`	Get Host Migrations	SDK: host_migration.GetHostMigrationsV1
`get_migration_destinations_`	Get Migration Destinations	SDK: host_migration.GetMigrationDestinationsV1
`get_migration_ids_`	Get Migration Ids	SDK: host_migration.GetMigrationIDsV1
`get_migrations_`	Get Migrations	SDK: host_migration.GetMigrationsV1
`host_migration_aggregates_`	Host Migration Aggregates	SDK: host_migration.HostMigrationAggregatesV1
`host_migrations_actions_`	Host Migrations Actions	SDK: host_migration.HostMigrationsActionsV1
`migration_aggregates_`	Migration Aggregates	SDK: host_migration.MigrationAggregatesV1
`migrations_actions_`	Migrations Actions	SDK: host_migration.MigrationsActionsV1

Create Migration

SDK: host_migration.CreateMigrationV1

Parameters:

Name	Type	Required	Description
`device_ids`	array	Yes	device ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`filter`	string	Yes	filter. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`target_cid`	string	Yes	target cid. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "device_ids": ["<device_ids>"],
  "filter": "<filter>",
  "name": "<name>",
  "target_cid": "<target_cid>"
}

Get Host Migration Ids

SDK: host_migration.GetHostMigrationIDsV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results. Valid fields: static_host_groups,...
`id`	string	No	The migration job to query
`limit`	number	No	The maximum records to return. [1-10000]
`offset`	number	No	The offset to start retrieving records from
`sort`	string	No	The property to sort by.

Example:

{
  "filter": "<filter>",
  "id": "<id>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Get Host Migrations

SDK: host_migration.GetHostMigrationsV1

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Get Migration Destinations

SDK: host_migration.GetMigrationDestinationsV1

Parameters:

Name	Type	Required	Description
`device_ids`	array	Yes	device ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`filter`	string	Yes	filter. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "device_ids": ["<device_ids>"],
  "filter": "<filter>"
}

Get Migration Ids

SDK: host_migration.GetMigrationIDsV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results. Valid fields: id, migration_id, t...
`limit`	number	No	The maximum records to return. [1-10000]
`offset`	number	No	The offset to start retrieving records from
`sort`	string	No	The property to sort by.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Get Migrations

SDK: host_migration.GetMigrationsV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	The migration jobs of interest.

Example:

{
  "ids": ["<ids>"]
}

Host Migration Aggregates

SDK: host_migration.HostMigrationAggregatesV1

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Host Migrations Actions

SDK: host_migration.HostMigrationsActionsV1

Parameters:

Name	Type	Required	Description
`action_parameters`	object	Yes	action parameters. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/open...
`filter`	string	Yes	filter. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "action_parameters": {},
  "filter": "<filter>",
  "ids": ["<ids>"]
}

Migration Aggregates

SDK: host_migration.MigrationAggregatesV1

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Migrations Actions

SDK: host_migration.MigrationsActionsV1

Parameters:

Name	Type	Required	Description
`action_parameters`	object	Yes	action parameters. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/open...
`filter`	string	Yes	filter. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "action_parameters": {},
  "filter": "<filter>",
  "ids": ["<ids>"]
}

Hosts

Operations for Hosts

Operations

Operation	Name	Description
`combined_devices_by_filter`	Combined Devices By Filter	SDK: hosts.CombinedDevicesByFilter
`combined_hidden_devices_by_filter`	Combined Hidden Devices By Filter	SDK: hosts.CombinedHiddenDevicesByFilter
`entities_perform_action`	Entities Perform Action	SDK: hosts.EntitiesPerformAction
`get_device_details_v2`	Get Device Details V2	SDK: hosts.GetDeviceDetailsV2
`get_online_state_`	Get Online State	SDK: hosts.GetOnlineStateV1
`list_device_login_history`	List Device Login History	SDK: hosts.QueryDeviceLoginHistory
`list_device_login_history_v2`	List Device Login History V2	SDK: hosts.QueryDeviceLoginHistoryV2
`list_devices_by_filter`	List Devices By Filter	SDK: hosts.QueryDevicesByFilter
`list_devices_by_filter_scroll`	List Devices By Filter Scroll	SDK: hosts.QueryDevicesByFilterScroll
`list_hidden_devices`	List Hidden Devices	SDK: hosts.QueryHiddenDevices
`list_network_address_history_`	List Network Address History	SDK: hosts.QueryGetNetworkAddressHistoryV1
`perform_action_v2`	Perform Action V2	SDK: hosts.PerformActionV2
`post_device_details_v2`	Post Device Details V2	SDK: hosts.PostDeviceDetailsV2
`update_device_tags`	Update Device Tags	SDK: hosts.UpdateDeviceTags

Combined Devices By Filter

SDK: hosts.CombinedDevicesByFilter

Parameters:

Name	Type	Required	Description
`fields`	string	No	The fields to return, comma delimited if specifying more than one field. For example: fields=host...
`filter`	string	No	The filter expression that should be used to limit the results. This should be supplied for each ...
`limit`	number	No	The maximum records to return. [1-10000] Default: 100
`offset`	string	No	The offset to page from, provided from the previous call as the "next" value, for the next result...
`sort`	string	No	The property to sort by (e.g. status.desc or hostname.asc). If not specified, the default sort wi...

Example:

{
  "fields": "<fields>",
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

Combined Hidden Devices By Filter

SDK: hosts.CombinedHiddenDevicesByFilter

Parameters:

Name	Type	Required	Description
`fields`	string	No	The fields to return, comma delimited if specifying more than one field. For example: fields=host...
`filter`	string	No	The filter expression that should be used to limit the results. This should be supplied for each ...
`limit`	number	No	The maximum records to return. [1-10000] Default: 100
`offset`	string	No	The offset to page from, provided from the previous call as the "next" value, for the next result...
`sort`	string	No	The property to sort by (e.g. status.desc or hostname.asc). If not specified, the default sort wi...

Example:

{
  "fields": "<fields>",
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

Entities Perform Action

SDK: hosts.EntitiesPerformAction

Parameters:

Name	Type	Required	Description
`action_parameters`	object	Yes	action parameters. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/open...

Example:

{
  "action_parameters": {}
}

Get Device Details V2

SDK: hosts.GetDeviceDetailsV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	The host agentIDs used to get details on

Example:

{
  "ids": ["<ids>"]
}

Get Online State

SDK: hosts.GetOnlineStateV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	The unique ID of the host to get the online status of.

Example:

{
  "ids": ["<ids>"]
}

SDK: hosts.QueryDeviceLoginHistory

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

SDK: hosts.QueryDeviceLoginHistoryV2

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

List Devices By Filter

SDK: hosts.QueryDevicesByFilter

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results
`limit`	number	No	The maximum records to return. [1-5000]
`offset`	number	No	The offset to start retrieving records from
`sort`	string	No	The property to sort by (e.g. status.desc or hostname.asc)

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Devices By Filter Scroll

SDK: hosts.QueryDevicesByFilterScroll

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results
`limit`	number	No	The maximum records to return. [1-10000]
`offset`	string	No	The offset to page from, provided from the previous scroll call, for the next result set. For the...
`sort`	string	No	The property to sort by (e.g. status.desc or hostname.asc)

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

List Hidden Devices

SDK: hosts.QueryHiddenDevices

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results
`limit`	number	No	The maximum records to return. [1-5000]
`offset`	number	No	The offset to start retrieving records from
`sort`	string	No	The property to sort by (e.g. status.desc or hostname.asc)

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Network Address History

SDK: hosts.QueryGetNetworkAddressHistoryV1

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Perform Action V2

SDK: hosts.PerformActionV2

Parameters:

Name	Type	Required	Description
`action_parameters`	object	Yes	action parameters. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/open...
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "action_parameters": {},
  "ids": ["<ids>"]
}

Post Device Details V2

SDK: hosts.PostDeviceDetailsV2

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Update Device Tags

SDK: hosts.UpdateDeviceTags

Parameters:

Name	Type	Required	Description
`action`	string	Yes	action. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`device_ids`	array	Yes	device ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`tags`	array	Yes	tags. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "action": "<action>",
  "device_ids": ["<device_ids>"],
  "tags": ["<tags>"]
}

Incidents

Operations for Incidents

Operations

Operation	Name	Description
`crowd_score`	Crowd Score	SDK: incidents.CrowdScore
`get_behaviors`	Get Behaviors	SDK: incidents.GetBehaviors
`get_incidents`	Get Incidents	SDK: incidents.GetIncidents
`list_behaviors`	List Behaviors	SDK: incidents.QueryBehaviors
`list_incidents`	List Incidents	SDK: incidents.QueryIncidents
`perform_incident_action`	Perform Incident Action	SDK: incidents.PerformIncidentAction

Crowd Score

SDK: incidents.CrowdScore

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter and sort criteria in the form of an FQL query. For more information about FQL que...
`limit`	number	No	The maximum records to return. [1-2500]
`offset`	number	No	Starting index of overall result set from which to return ids.
`sort`	string	No	The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Get Behaviors

SDK: incidents.GetBehaviors

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Get Incidents

SDK: incidents.GetIncidents

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

List Behaviors

SDK: incidents.QueryBehaviors

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter and sort criteria in the form of an FQL query. For more information about FQL que...
`limit`	number	No	The maximum records to return. [1-500]
`offset`	number	No	Starting index of overall result set from which to return ids.
`sort`	string	No	The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Incidents

SDK: incidents.QueryIncidents

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter and sort criteria in the form of an FQL query. For more information about FQL que...
`limit`	number	No	The maximum records to return. [1-500]
`offset`	number	No	Starting index of overall result set from which to return ids.
`sort`	string	No	The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Perform Incident Action

SDK: incidents.PerformIncidentAction

Parameters:

Name	Type	Required	Description
`action_parameters`	object	Yes	Collection of Action Parameter(s).
`ids`	array	Yes	Incident ID(s).

Example:

{
  "action_parameters": {},
  "ids": ["<ids>"]
}

Installation Tokens

Operations for Installation Tokens

Operations

Operation	Name	Description
`audit_events_read`	Audit Events Read	SDK: installation_tokens.AuditEventsRead
`customer_settings_read`	Customer Settings Read	SDK: installation_tokens.CustomerSettingsRead
`list_audit_events`	List Audit Events	SDK: installation_tokens.AuditEventsQuery
`list_tokens`	List Tokens	SDK: installation_tokens.TokensQuery
`tokens_create`	Tokens Create	SDK: installation_tokens.TokensCreate
`tokens_delete`	Tokens Delete	SDK: installation_tokens.TokensDelete
`tokens_read`	Tokens Read	SDK: installation_tokens.TokensRead
`tokens_update`	Tokens Update	SDK: installation_tokens.TokensUpdate

Audit Events Read

SDK: installation_tokens.AuditEventsRead

Parameters:

Name	Type	Required	Description
`ids`	array	No	IDs of audit events to retrieve details for

Example:

{
  "ids": ["<ids>"]
}

Customer Settings Read

SDK: installation_tokens.CustomerSettingsRead

This operation has no parameters.

Example:

{
}

List Audit Events

SDK: installation_tokens.AuditEventsQuery

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results (e.g., `action:'token_create'`).
`limit`	number	No	The maximum records to return. [1-1000]. Defaults to 50.
`offset`	number	No	The offset to start retrieving records from.
`sort`	string	No	The property to sort by (e.g. timestamp.desc).

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Tokens

SDK: installation_tokens.TokensQuery

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results (e.g., `status:'valid'`).
`limit`	number	No	The maximum records to return. [1-1000]. Defaults to 50.
`offset`	number	No	The offset to start retrieving records from.
`sort`	string	No	The property to sort by (e.g. created_timestamp.desc).

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Tokens Create

SDK: installation_tokens.TokensCreate

Parameters:

Name	Type	Required	Description
`label`	string	No	The token label.
`type`	string	No	The token type.

Example:

{
  "label": "<label>",
  "type": "<type>"
}

Tokens Delete

SDK: installation_tokens.TokensDelete

Parameters:

Name	Type	Required	Description
`ids`	array	No	The token ids to delete.

Example:

{
  "ids": ["<ids>"]
}

Tokens Read

SDK: installation_tokens.TokensRead

Parameters:

Name	Type	Required	Description
`ids`	array	No	IDs of tokens to retrieve details for

Example:

{
  "ids": ["<ids>"]
}

Tokens Update

SDK: installation_tokens.TokensUpdate

Parameters:

Name	Type	Required	Description
`label`	string	No	The token label.
`revoked`	boolean	No	Set to true to revoke the token, false to un-revoked it.

Example:

{
  "label": "<label>",
  "revoked": true
}

Mobile Enrollment

Operations for Mobile Enrollment

Operations

Operation	Name	Description
`request_device_enrollment_v3`	Request Device Enrollment V3	SDK: mobile_enrollment.RequestDeviceEnrollmentV3
`request_device_enrollment_v4`	Request Device Enrollment V4	SDK: mobile_enrollment.RequestDeviceEnrollmentV4

Request Device Enrollment V3

SDK: mobile_enrollment.RequestDeviceEnrollmentV3

Parameters:

Name	Type	Required	Description
`email_addresses`	array	Yes	email addresses. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "email_addresses": ["<email_addresses>"]
}

Request Device Enrollment V4

SDK: mobile_enrollment.RequestDeviceEnrollmentV4

Parameters:

Name	Type	Required	Description
`email_addresses`	array	Yes	email addresses. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`enrollment_type`	string	Yes	enrollment type. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "email_addresses": ["<email_addresses>"],
  "enrollment_type": "<enrollment_type>"
}

Quarantine

Operations for Quarantine

Operations

Operation	Name	Description
`action_update_count`	Action Update Count	SDK: quarantine.ActionUpdateCount
`get_aggregate_files`	Get Aggregate Files	SDK: quarantine.GetAggregateFiles
`get_quarantine_files`	Get Quarantine Files	SDK: quarantine.GetQuarantineFiles
`list_quarantine_files`	List Quarantine Files	SDK: quarantine.QueryQuarantineFiles
`list_update_qf_by`	List Update Qf By	SDK: quarantine.UpdateQfByQuery
`update_quarantined_detects_by_ids`	Update Quarantined Detects By Ids	SDK: quarantine.UpdateQuarantinedDetectsByIds

Action Update Count

SDK: quarantine.ActionUpdateCount

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL specifying filter parameters.

Example:

{
  "filter": "<filter>"
}

Get Aggregate Files

SDK: quarantine.GetAggregateFiles

Parameters:

Name	Type	Required	Description
`date_ranges`	object	Yes	date ranges. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`exclude`	string	Yes	exclude. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`extended_bounds`	object	No	extended bounds. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`field`	string	Yes	field. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`filter`	string	Yes	filter. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`from`	number	Yes	from. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`include`	string	Yes	include. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`interval`	string	Yes	interval. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`max_doc_count`	number	No	max doc count. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`min_doc_count`	number	No	min doc count. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`missing`	string	Yes	missing. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`q`	string	Yes
`ranges`	object	Yes	ranges. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`size`	number	Yes	size. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`sort`	string	Yes	sort. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`sub_aggregates`	object	Yes	sub aggregates. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`time_zone`	string	Yes	time zone. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`type`	string	Yes	type. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "date_ranges": {},
  "exclude": "<exclude>",
  "extended_bounds": {},
  "field": "<field>",
  "filter": "<filter>",
  "from": 10,
  "include": "<include>",
  "interval": "<interval>",
  "max_doc_count": 10,
  "min_doc_count": 10,
  "missing": "<missing>",
  "name": "<name>",
  "q": "<q>",
  "ranges": {},
  "size": 10,
  "sort": "<sort>",
  "sub_aggregates": {},
  "time_zone": "<time_zone>",
  "type": "<type>"
}

Get Quarantine Files

SDK: quarantine.GetQuarantineFiles

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

List Quarantine Files

SDK: quarantine.QueryQuarantineFiles

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL query specifying the filter parameters. Special value '*' means to not filter on anything. Fi...
`limit`	number	No	Number of ids to return.
`offset`	string	No	Starting index of overall result set from which to return ids.
`sort`	string	No	Possible order by fields: hostname, username, date_updated, date_created, paths.path, state, path...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

List Update Qf By

SDK: quarantine.UpdateQfByQuery

Parameters:

Name	Type	Required	Description
`action`	string	No	action. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`comment`	string	No	comment. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`filter`	string	No	filter. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`q`	string	No

Example:

{
  "action": "<action>",
  "comment": "<comment>",
  "filter": "<filter>",
  "q": "<q>"
}

Update Quarantined Detects By Ids

SDK: quarantine.UpdateQuarantinedDetectsByIds

Parameters:

Name	Type	Required	Description
`action`	string	No	action. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`comment`	string	No	comment. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "action": "<action>",
  "comment": "<comment>",
  "ids": ["<ids>"]
}

Real Time Response

Operations for Real Time Response

Operations

Operation	Name	Description
`batch_active_responder_cmd`	Batch Active Responder Cmd	SDK: real_time_response.BatchActiveResponderCmd
`batch_cmd`	Batch Cmd	SDK: real_time_response.BatchCmd
`batch_get_cmd`	Batch Get Cmd	SDK: real_time_response.BatchGetCmd
`batch_get_cmd_status`	Batch Get Cmd Status	SDK: real_time_response.BatchGetCmdStatus
`batch_init_sessions`	Batch Init Sessions	SDK: real_time_response.BatchInitSessions
`batch_refresh_sessions`	Batch Refresh Sessions	SDK: real_time_response.BatchRefreshSessions
`rtraggregate_sessions`	Rtraggregate Sessions	SDK: real_time_response.RTRAggregateSessions
`rtrcheck_active_responder_command_status`	Rtrcheck Active Responder Command Status	SDK: real_time_response.RTRCheckActiveResponderCommandStatus
`rtrcheck_command_status`	Rtrcheck Command Status	SDK: real_time_response.RTRCheckCommandStatus
`rtrdelete_file`	Rtrdelete File	SDK: real_time_response.RTRDeleteFile
`rtrdelete_file_v2`	Rtrdelete File V2	SDK: real_time_response.RTRDeleteFileV2
`rtrdelete_queued_session`	Rtrdelete Queued Session	SDK: real_time_response.RTRDeleteQueuedSession
`rtrdelete_session`	Rtrdelete Session	SDK: real_time_response.RTRDeleteSession
`rtrexecute_active_responder_command`	Rtrexecute Active Responder Command	SDK: real_time_response.RTRExecuteActiveResponderCommand
`rtrexecute_command`	Rtrexecute Command	SDK: real_time_response.RTRExecuteCommand
`rtrget_extracted_file_contents`	Rtrget Extracted File Contents	SDK: real_time_response.RTRGetExtractedFileContents
`rtrinit_session`	Rtrinit Session	SDK: real_time_response.RTRInitSession
`rtrlist_all_sessions`	Rtrlist All Sessions	SDK: real_time_response.RTRListAllSessions
`rtrlist_files`	Rtrlist Files	SDK: real_time_response.RTRListFiles
`rtrlist_files_v2`	Rtrlist Files V2	SDK: real_time_response.RTRListFilesV2
`rtrlist_queued_sessions`	Rtrlist Queued Sessions	SDK: real_time_response.RTRListQueuedSessions
`rtrlist_sessions`	Rtrlist Sessions	SDK: real_time_response.RTRListSessions
`rtrpulse_session`	Rtrpulse Session	SDK: real_time_response.RTRPulseSession

Batch Active Responder Cmd

SDK: real_time_response.BatchActiveResponderCmd

Parameters:

Name	Type	Required	Description
`base_command`	string	Yes	base command. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`batch_id`	string	Yes	batch id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`command_string`	string	Yes	command string. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`optional_hosts`	array	Yes	optional hosts. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`persist_all`	boolean	Yes	persist all. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "base_command": "<base_command>",
  "batch_id": "<batch_id>",
  "command_string": "<command_string>",
  "optional_hosts": ["<optional_hosts>"],
  "persist_all": true
}

Batch Cmd

SDK: real_time_response.BatchCmd

Parameters:

Name	Type	Required	Description
`base_command`	string	Yes	base command. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`batch_id`	string	Yes	batch id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`command_string`	string	Yes	command string. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`optional_hosts`	array	Yes	optional hosts. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`persist_all`	boolean	Yes	persist all. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "base_command": "<base_command>",
  "batch_id": "<batch_id>",
  "command_string": "<command_string>",
  "optional_hosts": ["<optional_hosts>"],
  "persist_all": true
}

Batch Get Cmd

SDK: real_time_response.BatchGetCmd

Parameters:

Name	Type	Required	Description
`batch_id`	string	Yes	batch id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`file_path`	string	Yes	file path. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`optional_hosts`	array	Yes	optional hosts. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "batch_id": "<batch_id>",
  "file_path": "<file_path>",
  "optional_hosts": ["<optional_hosts>"]
}

Batch Get Cmd Status

SDK: real_time_response.BatchGetCmdStatus

Parameters:

Name	Type	Required	Description
`batch_get_cmd_req_id`	string	No	Batch Get Command Request ID received from `/real-time-response/combined/get-command/v1`
`timeout`	number	No	Timeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum i...
`timeout_duration`	string	No	Timeout duration for how long to wait for the request in duration syntax. Example, `10s`. Valid u...

Example:

{
  "batch_get_cmd_req_id": "<batch_get_cmd_req_id>",
  "timeout": 10,
  "timeout_duration": "<timeout_duration>"
}

Batch Init Sessions

SDK: real_time_response.BatchInitSessions

Parameters:

Name	Type	Required	Description
`existing_batch_id`	string	Yes	existing batch id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/open...
`host_ids`	array	Yes	host ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`queue_offline`	boolean	Yes	queue offline. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "existing_batch_id": "<existing_batch_id>",
  "host_ids": ["<host_ids>"],
  "queue_offline": true
}

Batch Refresh Sessions

SDK: real_time_response.BatchRefreshSessions

Parameters:

Name	Type	Required	Description
`batch_id`	string	Yes	batch id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`hosts_to_remove`	array	Yes	hosts to remove. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "batch_id": "<batch_id>",
  "hosts_to_remove": ["<hosts_to_remove>"]
}

Rtraggregate Sessions

SDK: real_time_response.RTRAggregateSessions

Parameters:

Name	Type	Required	Description
`body`	object	No	Supported aggregations: - `term` - `date_range` Supported aggregation members: `date_ranges` ...

Example:

{
  "body": {}
}

Rtrcheck Active Responder Command Status

SDK: real_time_response.RTRCheckActiveResponderCommandStatus

Parameters:

Name	Type	Required	Description
`cloud_request_id`	string	No	Cloud Request ID of the executed command to query
`sequence_id`	number	No	Sequence ID that we want to retrieve. Command responses are chunked across sequences

Example:

{
  "cloud_request_id": "<cloud_request_id>",
  "sequence_id": 10
}

Rtrcheck Command Status

SDK: real_time_response.RTRCheckCommandStatus

Parameters:

Name	Type	Required	Description
`cloud_request_id`	string	No	Cloud Request ID of the executed command to query
`sequence_id`	number	No	Sequence ID that we want to retrieve. Command responses are chunked across sequences

Example:

{
  "cloud_request_id": "<cloud_request_id>",
  "sequence_id": 10
}

Rtrdelete File

SDK: real_time_response.RTRDeleteFile

Parameters:

Name	Type	Required	Description
`ids`	string	No	RTR Session file id
`session_id`	string	No	RTR Session id

Example:

{
  "ids": "<ids>",
  "session_id": "<session_id>"
}

Rtrdelete File V2

SDK: real_time_response.RTRDeleteFileV2

Parameters:

Name	Type	Required	Description
`ids`	string	No	RTR Session file id
`session_id`	string	No	RTR Session id

Example:

{
  "ids": "<ids>",
  "session_id": "<session_id>"
}

Rtrdelete Queued Session

SDK: real_time_response.RTRDeleteQueuedSession

Parameters:

Name	Type	Required	Description
`cloud_request_id`	string	No	Cloud Request ID of the executed command to query
`session_id`	string	No	RTR Session id

Example:

{
  "cloud_request_id": "<cloud_request_id>",
  "session_id": "<session_id>"
}

Rtrdelete Session

SDK: real_time_response.RTRDeleteSession

Parameters:

Name	Type	Required	Description
`session_id`	string	No	RTR Session id

Example:

{
  "session_id": "<session_id>"
}

Rtrexecute Active Responder Command

SDK: real_time_response.RTRExecuteActiveResponderCommand

Parameters:

Name	Type	Required	Description
`base_command`	string	Yes	base command. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`command_string`	string	Yes	command string. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`device_id`	string	Yes	device id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	number	Yes
`persist`	boolean	Yes	persist. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`session_id`	string	Yes	session id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "base_command": "<base_command>",
  "command_string": "<command_string>",
  "device_id": "<device_id>",
  "id": 10,
  "persist": true,
  "session_id": "<session_id>"
}

Rtrexecute Command

SDK: real_time_response.RTRExecuteCommand

Parameters:

Name	Type	Required	Description
`base_command`	string	Yes	base command. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`command_string`	string	Yes	command string. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`device_id`	string	Yes	device id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	number	Yes
`persist`	boolean	Yes	persist. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`session_id`	string	Yes	session id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "base_command": "<base_command>",
  "command_string": "<command_string>",
  "device_id": "<device_id>",
  "id": 10,
  "persist": true,
  "session_id": "<session_id>"
}

Rtrget Extracted File Contents

SDK: real_time_response.RTRGetExtractedFileContents

Parameters:

Name	Type	Required	Description
`filename`	string	No	Filename to use for the archive name and the file within the archive.
`session_id`	string	No	RTR Session id
`sha256`	string	No	Extracted SHA256 (e.g. 'efa256a96af3b556cd3fc9d8b1cf587d72807d7805ced441e8149fc279db422b')

Example:

{
  "filename": "<filename>",
  "session_id": "<session_id>",
  "sha256": "<sha256>"
}

Rtrinit Session

SDK: real_time_response.RTRInitSession

Parameters:

Name	Type	Required	Description
`device_id`	string	Yes	device id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`origin`	string	Yes	origin. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`queue_offline`	boolean	Yes	queue offline. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "device_id": "<device_id>",
  "origin": "<origin>",
  "queue_offline": true
}

Rtrlist All Sessions

SDK: real_time_response.RTRListAllSessions

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter criteria in the form of an FQL query. For more information about FQL queries, see...
`limit`	number	No	Number of ids to return.
`offset`	string	No	Starting index of overall result set from which to return ids.
`sort`	string	No	Sort by spec. Ex: 'date_created

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

Rtrlist Files

SDK: real_time_response.RTRListFiles

Parameters:

Name	Type	Required	Description
`session_id`	string	No	RTR Session id

Example:

{
  "session_id": "<session_id>"
}

Rtrlist Files V2

SDK: real_time_response.RTRListFilesV2

Parameters:

Name	Type	Required	Description
`session_id`	string	No	RTR Session id

Example:

{
  "session_id": "<session_id>"
}

Rtrlist Queued Sessions

SDK: real_time_response.RTRListQueuedSessions

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Rtrlist Sessions

SDK: real_time_response.RTRListSessions

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Rtrpulse Session

SDK: real_time_response.RTRPulseSession

Parameters:

Name	Type	Required	Description
`device_id`	string	Yes	device id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`origin`	string	Yes	origin. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`queue_offline`	boolean	Yes	queue offline. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "device_id": "<device_id>",
  "origin": "<origin>",
  "queue_offline": true
}

Real Time Response Admin

Operations for Real Time Response Admin

Operations

Operation	Name	Description
`batch_admin_cmd`	Batch Admin Cmd	SDK: real_time_response_admin.BatchAdminCmd
`rtrcheck_admin_command_status`	Rtrcheck Admin Command Status	SDK: real_time_response_admin.RTRCheckAdminCommandStatus
`rtrcreate_put_files`	Rtrcreate Put Files	SDK: real_time_response_admin.RTRCreatePutFiles
`rtrcreate_scripts`	Rtrcreate Scripts	SDK: real_time_response_admin.RTRCreateScripts
`rtrdelete_put_files`	Rtrdelete Put Files	SDK: real_time_response_admin.RTRDeletePutFiles
`rtrdelete_scripts`	Rtrdelete Scripts	SDK: real_time_response_admin.RTRDeleteScripts
`rtrexecute_admin_command`	Rtrexecute Admin Command	SDK: real_time_response_admin.RTRExecuteAdminCommand
`rtrget_falcon_scripts`	Rtrget Falcon Scripts	SDK: real_time_response_admin.RTRGetFalconScripts
`rtrget_put_file_contents`	Rtrget Put File Contents	SDK: real_time_response_admin.RTRGetPutFileContents
`rtrget_put_files`	Rtrget Put Files	SDK: real_time_response_admin.RTRGetPutFiles
`rtrget_put_files_v2`	Rtrget Put Files V2	SDK: real_time_response_admin.RTRGetPutFilesV2
`rtrget_scripts`	Rtrget Scripts	SDK: real_time_response_admin.RTRGetScripts
`rtrget_scripts_v2`	Rtrget Scripts V2	SDK: real_time_response_admin.RTRGetScriptsV2
`rtrlist_falcon_scripts`	Rtrlist Falcon Scripts	SDK: real_time_response_admin.RTRListFalconScripts
`rtrlist_put_files`	Rtrlist Put Files	SDK: real_time_response_admin.RTRListPutFiles
`rtrlist_scripts`	Rtrlist Scripts	SDK: real_time_response_admin.RTRListScripts
`rtrupdate_scripts`	Rtrupdate Scripts	SDK: real_time_response_admin.RTRUpdateScripts

Batch Admin Cmd

SDK: real_time_response_admin.BatchAdminCmd

Parameters:

Name	Type	Required	Description
`base_command`	string	Yes	base command. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`batch_id`	string	Yes	batch id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`command_string`	string	Yes	command string. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`optional_hosts`	array	Yes	optional hosts. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`persist_all`	boolean	Yes	persist all. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "base_command": "<base_command>",
  "batch_id": "<batch_id>",
  "command_string": "<command_string>",
  "optional_hosts": ["<optional_hosts>"],
  "persist_all": true
}

Rtrcheck Admin Command Status

SDK: real_time_response_admin.RTRCheckAdminCommandStatus

Parameters:

Name	Type	Required	Description
`cloud_request_id`	string	No	Cloud Request ID of the executed command to query
`sequence_id`	number	No	Sequence ID that we want to retrieve. Command responses are chunked across sequences

Example:

{
  "cloud_request_id": "<cloud_request_id>",
  "sequence_id": 10
}

Rtrcreate Put Files

SDK: real_time_response_admin.RTRCreatePutFiles

Parameters:

Name	Type	Required	Description
`comments_for_audit_log`	string	No	The audit log comment
`description`	string	No	File description
`name`	string	No	File name (if different than actual file name)

Example:

{
  "comments_for_audit_log": "<comments_for_audit_log>",
  "description": "<description>",
  "name": "<name>"
}

Rtrcreate Scripts

SDK: real_time_response_admin.RTRCreateScripts

Parameters:

Name	Type	Required	Description
`comments_for_audit_log`	string	No	The audit log comment
`content`	string	No	The script text that you want to use to upload
`description`	string	No	File description
`name`	string	No	File name (if different than actual file name)
`permission_type`	string	No	Permission for the custom-script. Valid permission values: - `private`, usable by only the user w...
`platform`	array	No	Platforms for the file. Currently supports: windows, mac, linux, . If no platform is provided, it...

Example:

{
  "comments_for_audit_log": "<comments_for_audit_log>",
  "content": "<content>",
  "description": "<description>",
  "name": "<name>",
  "permission_type": "<permission_type>",
  "platform": ["<platform>"]
}

Rtrdelete Put Files

SDK: real_time_response_admin.RTRDeletePutFiles

Parameters:

Name	Type	Required	Description
`ids`	string	No	File id

Example:

{
  "ids": "<ids>"
}

Rtrdelete Scripts

SDK: real_time_response_admin.RTRDeleteScripts

Parameters:

Name	Type	Required	Description
`ids`	string	No	File id

Example:

{
  "ids": "<ids>"
}

Rtrexecute Admin Command

SDK: real_time_response_admin.RTRExecuteAdminCommand

Parameters:

Name	Type	Required	Description
`base_command`	string	Yes	base command. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`command_string`	string	Yes	command string. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`device_id`	string	Yes	device id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	number	Yes
`persist`	boolean	Yes	persist. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`session_id`	string	Yes	session id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "base_command": "<base_command>",
  "command_string": "<command_string>",
  "device_id": "<device_id>",
  "id": 10,
  "persist": true,
  "session_id": "<session_id>"
}

Rtrget Falcon Scripts

SDK: real_time_response_admin.RTRGetFalconScripts

Parameters:

Name	Type	Required	Description
`ids`	array	No	IDs of the Falcon scripts you want to retrieve

Example:

{
  "ids": ["<ids>"]
}

Rtrget Put File Contents

SDK: real_time_response_admin.RTRGetPutFileContents

Parameters:

Name	Type	Required	Description
`id`	string	No	put file ID

Example:

{
  "id": "<id>"
}

Rtrget Put Files

SDK: real_time_response_admin.RTRGetPutFiles

Parameters:

Name	Type	Required	Description
`ids`	array	No	File IDs

Example:

{
  "ids": ["<ids>"]
}

Rtrget Put Files V2

SDK: real_time_response_admin.RTRGetPutFilesV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	File IDs

Example:

{
  "ids": ["<ids>"]
}

Rtrget Scripts

SDK: real_time_response_admin.RTRGetScripts

Parameters:

Name	Type	Required	Description
`ids`	array	No	File IDs

Example:

{
  "ids": ["<ids>"]
}

Rtrget Scripts V2

SDK: real_time_response_admin.RTRGetScriptsV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	File IDs

Example:

{
  "ids": ["<ids>"]
}

Rtrlist Falcon Scripts

SDK: real_time_response_admin.RTRListFalconScripts

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter criteria in the form of an FQL query. For more information about FQL queries, see...
`limit`	number	No	Number of ids to return.
`offset`	number	No	Starting index of overall result set from which to return ids.
`sort`	string	No	Sort by spec. Ex: 'created_at

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Rtrlist Put Files

SDK: real_time_response_admin.RTRListPutFiles

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter criteria in the form of an FQL query. For more information about FQL queries, see...
`limit`	number	No	Number of ids to return.
`offset`	string	No	Starting index of overall result set from which to return ids.
`sort`	string	No	Sort by spec. Ex: 'created_at

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

Rtrlist Scripts

SDK: real_time_response_admin.RTRListScripts

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter criteria in the form of an FQL query. For more information about FQL queries, see...
`limit`	number	No	Number of ids to return.
`offset`	string	No	Starting index of overall result set from which to return ids.
`sort`	string	No	Sort by spec. Ex: 'created_at

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

Rtrupdate Scripts

SDK: real_time_response_admin.RTRUpdateScripts

Parameters:

Name	Type	Required	Description
`comments_for_audit_log`	string	No	The audit log comment
`content`	string	No	The script text that you want to use to upload
`description`	string	No	File description
`id`	string	No	ID to update. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	No	File name (if different than actual file name)
`permission_type`	string	No	Permission for the custom-script. Valid permission values: - `private`, usable by only the user w...
`platform`	array	No	Platforms for the file. Currently supports: windows, mac, linux,

Example:

{
  "comments_for_audit_log": "<comments_for_audit_log>",
  "content": "<content>",
  "description": "<description>",
  "id": "<id>",
  "name": "<name>",
  "permission_type": "<permission_type>",
  "platform": ["<platform>"]
}

Real Time Response Audit

Operations for Real Time Response Audit

Operations

Operation	Name	Description
`rtraudit_sessions`	Rtraudit Sessions	SDK: real_time_response_audit.RTRAuditSessions

Rtraudit Sessions

SDK: real_time_response_audit.RTRAuditSessions

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter criteria in the form of an FQL query. For more information about FQL queries, see...
`limit`	string	No	number of sessions to be returned
`offset`	string	No	offset value to be used for paginated results
`sort`	string	No	how to sort the session IDs. e.g. sort=created_at
`with_command_info`	boolean	No	get sessions with command info included; by default sessions are returned without command info wh...

Example:

{
  "filter": "<filter>",
  "limit": "<limit>",
  "offset": "<offset>",
  "sort": "<sort>",
  "with_command_info": true
}

Sensor Download

Operations for Sensor Download

Operations

Operation	Name	Description
`download_sensor_installer_by_id`	Download Sensor Installer By Id	SDK: sensor_download.DownloadSensorInstallerByID
`download_sensor_installer_by_idv2`	Download Sensor Installer By Idv2	SDK: sensor_download.DownloadSensorInstallerByIDV2
`get_sensor_installers_entities`	Get Sensor Installers Entities	SDK: sensor_download.GetSensorInstallersEntities
`get_sensor_installers_entities_v2`	Get Sensor Installers Entities V2	SDK: sensor_download.GetSensorInstallersEntitiesV2
`list_combined_sensor_installers_by`	List Combined Sensor Installers By	SDK: sensor_download.GetCombinedSensorInstallersByQuery
`list_combined_sensor_installers_by_v2`	List Combined Sensor Installers By V2	SDK: sensor_download.GetCombinedSensorInstallersByQueryV2
`list_sensor_installers_by`	List Sensor Installers By	SDK: sensor_download.GetSensorInstallersByQuery
`list_sensor_installers_by_v2`	List Sensor Installers By V2	SDK: sensor_download.GetSensorInstallersByQueryV2
`list_sensor_installers_ccidby`	List Sensor Installers Ccidby	SDK: sensor_download.GetSensorInstallersCCIDByQuery

Download Sensor Installer By Id

SDK: sensor_download.DownloadSensorInstallerByID

Parameters:

Name	Type	Required	Description
`id`	string	No	SHA256 of the installer to download

Example:

{
  "id": "<id>"
}

Download Sensor Installer By Idv2

SDK: sensor_download.DownloadSensorInstallerByIDV2

Parameters:

Name	Type	Required	Description
`id`	string	No	SHA256 of the installer to download

Example:

{
  "id": "<id>"
}

Get Sensor Installers Entities

SDK: sensor_download.GetSensorInstallersEntities

Parameters:

Name	Type	Required	Description
`ids`	array	No	The IDs of the installers

Example:

{
  "ids": ["<ids>"]
}

Get Sensor Installers Entities V2

SDK: sensor_download.GetSensorInstallersEntitiesV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	The IDs of the installers

Example:

{
  "ids": ["<ids>"]
}

List Combined Sensor Installers By

SDK: sensor_download.GetCombinedSensorInstallersByQuery

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter items using a query in Falcon Query Language (FQL). An asterisk wildcard * includes all re...
`limit`	number	No	The number of items to return in this response (default: 100, max: 500). Use with the offset para...
`offset`	number	No	The first item to return, where 0 is the latest item. Use with the limit parameter to manage pagi...
`sort`	string	No	Sort items using their properties. Common sort options include: <ul><li>version

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Combined Sensor Installers By V2

SDK: sensor_download.GetCombinedSensorInstallersByQueryV2

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter items using a query in Falcon Query Language (FQL). An asterisk wildcard * includes all re...
`limit`	number	No	The number of items to return in this response (default: 100, max: 500). Use with the offset para...
`offset`	number	No	The first item to return, where 0 is the latest item. Use with the limit parameter to manage pagi...
`sort`	string	No	Sort items using their properties. Common sort options include: <ul><li>version

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Sensor Installers By

SDK: sensor_download.GetSensorInstallersByQuery

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter items using a query in Falcon Query Language (FQL). An asterisk wildcard * includes all re...
`limit`	number	No	The number of items to return in this response (default: 100, max: 500). Use with the offset para...
`offset`	number	No	The first item to return, where 0 is the latest item. Use with the limit parameter to manage pagi...
`sort`	string	No	Sort items using their properties. Common sort options include: <ul><li>version

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Sensor Installers By V2

SDK: sensor_download.GetSensorInstallersByQueryV2

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter items using a query in Falcon Query Language (FQL). An asterisk wildcard * includes all re...
`limit`	number	No	The number of items to return in this response (default: 100, max: 500). Use with the offset para...
`offset`	number	No	The first item to return, where 0 is the latest item. Use with the limit parameter to manage pagi...
`sort`	string	No	Sort items using their properties. Common sort options include: <ul><li>version

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Sensor Installers Ccidby

SDK: sensor_download.GetSensorInstallersCCIDByQuery

This operation has no parameters.

Example:

{
}

Best Practices

Use Appropriate Filters: Leverage FQL (Falcon Query Language) filters to narrow down results and improve performance.
Implement Pagination: For operations returning large datasets, use limit and offset parameters to paginate results.
Handle Rate Limits: CrowdStrike APIs have rate limits. Implement appropriate delays and retry logic in your workflows.
Secure Credentials: Never log or expose API credentials. Use NINA's credential management for secure storage.
Use Specific Scopes: When creating API clients, only request the minimum required API scopes.
Monitor API Usage: Track your API usage to avoid hitting rate limits during critical operations.
Validate IDs: Always validate resource IDs before using them in update or delete operations.
Error Handling: Implement comprehensive error handling for API failures and unexpected responses.

Troubleshooting

Issue	Possible Solution
401 Unauthorized	Verify Client ID and Client Secret are correct; check if credentials have expired
403 Forbidden	Ensure API client has required scopes for the operation
404 Not Found	Verify the resource ID exists and is accessible with your credentials
429 Too Many Requests	Rate limit exceeded; implement delays between requests
Invalid Filter	Check FQL syntax; refer to CrowdStrike FQL documentation
Connection Timeout	Verify network connectivity and correct Base URL for your region
Empty Results	Verify filter criteria; check if resources exist in your environment

Support

For issues with this integration, please contact support with:

The operation you were attempting
Any error messages received
The parameters used (excluding sensitive data)
Your CrowdStrike cloud region

For CrowdStrike API documentation, visit: CrowdStrike Developer Portal

Updated: 2026-02-05

Overview​

Capabilities​

Credential Configuration​

Authentication Method​

How It Works​

CrowdStrike Cloud Regions​

How to Obtain API Credentials​

Required API Scopes​

Creating a CrowdStrike Credential in NINA​

Supported Resources​

Resource Details​

Alerts​

Operations​

Get Aggregate V2​

Get Queries Alerts​

Get V2​

List V2​

Post Aggregates Alerts​

Post Combined Alerts​

Post Entities Alerts​

Update Entities Alerts V2​

Update V3​

Detects​

Operations​

Get Aggregate Detects​

Get Detect Summaries​

List Detects​

Update Detects By Ids V2​

Device Content​

Operations​

Entities States​

Queries States​

Host Group​

Operations​

Create Host Groups​

Delete Host Groups​

Get Host Groups​

List Combined Group Members​

List Combined Host Groups​

List Group Members​

List Host Groups​

Perform Group Action​

Update Host Groups​

Host Migration​

Operations​

Create Migration​

Get Host Migration Ids​

Get Host Migrations​

Get Migration Destinations​

Get Migration Ids​

Get Migrations​

Host Migration Aggregates​

Host Migrations Actions​

Migration Aggregates​

Migrations Actions​

Hosts​

Operations​

Combined Devices By Filter​

Combined Hidden Devices By Filter​

Entities Perform Action​

Get Device Details V2​

Get Online State​

List Device Login History​

List Device Login History V2​

List Devices By Filter​

List Devices By Filter Scroll​

List Hidden Devices​

List Network Address History​

Perform Action V2​

Post Device Details V2​

Update Device Tags​

Incidents​

Operations​

Crowd Score​

Get Behaviors​

Get Incidents​

List Behaviors​

List Incidents​

Perform Incident Action​

Installation Tokens​

Overview

Capabilities

Credential Configuration

Authentication Method

How It Works

CrowdStrike Cloud Regions

How to Obtain API Credentials

Required API Scopes

Creating a CrowdStrike Credential in NINA

Supported Resources

Resource Details

Alerts

Operations

Get Aggregate V2

Get Queries Alerts

Get V2

List V2

Post Aggregates Alerts

Post Combined Alerts

Post Entities Alerts

Update Entities Alerts V2

Update V3

Detects

Operations

Get Aggregate Detects

Get Detect Summaries

List Detects

Update Detects By Ids V2

Device Content

Operations

Entities States

Queries States

Host Group

Operations

Create Host Groups

Delete Host Groups

Get Host Groups

List Combined Group Members

List Combined Host Groups

List Group Members

List Host Groups

Perform Group Action

Update Host Groups

Host Migration

Operations

Create Migration

Get Host Migration Ids

Get Host Migrations

Get Migration Destinations

Get Migration Ids

Get Migrations

Host Migration Aggregates

Host Migrations Actions

Migration Aggregates

Migrations Actions

Hosts

Operations

Combined Devices By Filter

Combined Hidden Devices By Filter

Entities Perform Action

Get Device Details V2

Get Online State

List Device Login History

List Device Login History V2

List Devices By Filter

List Devices By Filter Scroll

List Hidden Devices

List Network Address History

Perform Action V2

Post Device Details V2

Update Device Tags

Incidents

Operations

Crowd Score

Get Behaviors

Get Incidents

List Behaviors

List Incidents

Perform Incident Action

Installation Tokens