CrowdStrike Platform Integration Guide

Overview

The CrowdStrike Platform integration allows your NINA workflows to connect with CrowdStrike Falcon platform for core platform services, administration, automation, and integrations. This integration enables automated security operations, threat detection, and incident response directly from your automation platform.

Capabilities

This integration provides access to 25 resources with 319 operations covering:

Api Integrations: Operations for Api Integrations
Case Files: Operations for Case Files
Case Management: Operations for Case Management
Cases: Operations for Cases
Custom Storage: Operations for Custom Storage
Data Protection Configuration: Operations for Data Protection Configuration
Delivery Settings: Operations for Delivery Settings
Deployments: Operations for Deployments
Downloads Api: Operations for Downloads Api
Event Streams: Operations for Event Streams
Execution: Operations for Execution
Falcon Complete Dashboard: Operations for Falcon Complete Dashboard
Foundry Logscale: Operations for Foundry Logscale
It Automation: Operations for It Automation
Lookup Files: Operations for Lookup Files
Message Center: Operations for Message Center
Mssp: Operations for Mssp
Ngsiem: Operations for Ngsiem
Release Notes: Operations for Release Notes
Releases: Operations for Releases
Report Executions: Operations for Report Executions
Scheduled Reports: Operations for Scheduled Reports
Sensor Usage Api: Operations for Sensor Usage Api
User Management: Operations for User Management
Workflows: Operations for Workflows

Credential Configuration

Before using the CrowdStrike Platform integration in your workflows, you need to configure credentials for authentication.

Authentication Method

CrowdStrike Falcon uses OAuth2 Client Credentials authentication. This is a server-to-server authentication flow where you provide a Client ID and Client Secret, and the integration automatically handles token acquisition and refresh.

Field	Description	Required
Client ID	Your CrowdStrike API Client ID	Yes
Client Secret	Your CrowdStrike API Client Secret	Yes
Base URL	CrowdStrike API endpoint for your cloud region	Yes

How It Works

You provide the Client ID and Client Secret when creating a credential
The integration exchanges these for an OAuth2 access token automatically
Tokens are refreshed automatically when they expire
No redirect URLs or user interaction required

CrowdStrike Cloud Regions

Select the Base URL that matches your CrowdStrike Falcon cloud region:

Cloud Region	Base URL	Description
US-1	`https://api.crowdstrike.com`	United States (default)
US-2	`https://api.us-2.crowdstrike.com`	United States (secondary)
EU-1	`https://api.eu-1.crowdstrike.com`	European Union
US-GOV-1	`https://api.laggar.gcw.crowdstrike.com`	US Government Cloud

How to Obtain API Credentials

Log in to the CrowdStrike Falcon Console
Navigate to Support and resources > API Clients and Keys
Click Add new API client
Configure the API client:
- Client Name: A descriptive name (e.g., "NINA Integration")
- Description: Purpose of this API client
- API Scopes: Select the permissions required for your use case (see Required Scopes below)
Click Add to create the client
Copy and securely store the Client ID and Client Secret immediately

Important: The Client Secret is only displayed once at creation time. If you lose it, you must create a new API client.

Required API Scopes

The API scopes required depend on which operations you plan to use. Common scopes include:

Scope	Permission	Use Case
Detections	Read/Write	View and manage detections
Hosts	Read/Write	Query and manage endpoints
Incidents	Read/Write	View and manage incidents
IOCs	Read/Write	Manage indicators of compromise
Prevention Policies	Read/Write	Manage prevention policies
Real Time Response	Read/Write	Execute RTR commands
Sensor Update Policies	Read/Write	Manage sensor updates

Refer to the CrowdStrike API documentation for a complete list of available scopes.

Creating a CrowdStrike Credential in NINA

Navigate to the Credentials section in NINA
Click Add New Credential
Fill in the credential details:
- Integration Service: Select "CrowdStrike Platform"
- Client ID: Paste your CrowdStrike API Client ID
- Client Secret: Paste your CrowdStrike API Client Secret
- Base URL: Select your CrowdStrike cloud region URL
Click Test Connection to verify the credentials work
Click Save to store the credential securely

Note: All CrowdStrike integrations (EDR, Intel, Platform, etc.) share the same credential. You only need to create one credential to use across all CrowdStrike modules.

Supported Resources

Resource	Description	Operations
Api Integrations	Operations for Api Integrations	3
Case Files	Operations for Case Files	10
Case Management	Operations for Case Management	30
Cases	Operations for Cases	8
Custom Storage	Operations for Custom Storage	18
Data Protection Configuration	Operations for Data Protection Configuration	36
Delivery Settings	Operations for Delivery Settings	2
Deployments	Operations for Deployments	1
Downloads Api	Operations for Downloads Api	3
Event Streams	Operations for Event Streams	2
Execution	Operations for Execution	1
Falcon Complete Dashboard	Operations for Falcon Complete Dashboard	21
Foundry Logscale	Operations for Foundry Logscale	14
It Automation	Operations for It Automation	42
Lookup Files	Operations for Lookup Files	2
Message Center	Operations for Message Center	9
Mssp	Operations for Mssp	30
Ngsiem	Operations for Ngsiem	29
Release Notes	Operations for Release Notes	4
Releases	Operations for Releases	1
Report Executions	Operations for Report Executions	4
Scheduled Reports	Operations for Scheduled Reports	3
Sensor Usage Api	Operations for Sensor Usage Api	2
User Management	Operations for User Management	25
Workflows	Operations for Workflows	19

Resource Details

Api Integrations

Operations for Api Integrations

Operations

Operation	Name	Description
`execute_command`	Execute Command	SDK: api_integrations.ExecuteCommand
`execute_command_proxy`	Execute Command Proxy	SDK: api_integrations.ExecuteCommandProxy
`get_combined_plugin_configs`	Get Combined Plugin Configs	SDK: api_integrations.GetCombinedPluginConfigs

Execute Command

SDK: api_integrations.ExecuteCommand

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Execute Command Proxy

SDK: api_integrations.ExecuteCommandProxy

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Get Combined Plugin Configs

SDK: api_integrations.GetCombinedPluginConfigs

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter items using a query in Falcon Query Language (FQL).
`limit`	number	No	The number of items to return in this response (default: 100, max: 500). Use with the offset para...
`offset`	number	No	The first item to return, where 0 is the latest item. Use with the limit parameter to manage pagi...
`sort`	string	No	Sort items using their properties.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Case Files

Operations for Case Files

Operations

Operation	Name	Description
`aggregates_file_details_post_`	Aggregates File Details Post	SDK: case_files.AggregatesFileDetailsPostV1
`combined_file_details_get_`	Combined File Details Get	SDK: case_files.CombinedFileDetailsGetV1
`entities_file_details_get_`	Entities File Details Get	SDK: case_files.EntitiesFileDetailsGetV1
`entities_file_details_patch_`	Entities File Details Patch	SDK: case_files.EntitiesFileDetailsPatchV1
`entities_files_bulk_download_post_`	Entities Files Bulk Download Post	SDK: case_files.EntitiesFilesBulkDownloadPostV1
`entities_files_delete_`	Entities Files Delete	SDK: case_files.EntitiesFilesDeleteV1
`entities_files_download_get_`	Entities Files Download Get	SDK: case_files.EntitiesFilesDownloadGetV1
`entities_files_download_post_`	Entities Files Download Post	SDK: case_files.EntitiesFilesDownloadPostV1
`entities_files_upload_post_`	Entities Files Upload Post	SDK: case_files.EntitiesFilesUploadPostV1
`queries_file_details_get_`	Queries File Details Get	SDK: case_files.QueriesFileDetailsGetV1

Aggregates File Details Post

SDK: case_files.AggregatesFileDetailsPostV1

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`filter`	string	No	FQL filter expression
`ids`	array	No	Resource IDs

Example:

{
  "body": {},
  "filter": "<filter>",
  "ids": ["<ids>"]
}

Combined File Details Get

SDK: case_files.CombinedFileDetailsGetV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL filter expression
`limit`	number	No	Page size
`offset`	number	No	Page offset

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Entities File Details Get

SDK: case_files.EntitiesFileDetailsGetV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Resource IDs

Example:

{
  "ids": ["<ids>"]
}

Entities File Details Patch

SDK: case_files.EntitiesFileDetailsPatchV1

Parameters:

Name	Type	Required	Description
`description`	string	Yes	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	Yes

Example:

{
  "description": "<description>",
  "id": "<id>"
}

Entities Files Bulk Download Post

SDK: case_files.EntitiesFilesBulkDownloadPostV1

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Entities Files Delete

SDK: case_files.EntitiesFilesDeleteV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Resource IDs

Example:

{
  "ids": ["<ids>"]
}

Entities Files Download Get

SDK: case_files.EntitiesFilesDownloadGetV1

Parameters:

Name	Type	Required	Description
`id`	string	No	Resource ID

Example:

{
  "id": "<id>"
}

Entities Files Download Post

SDK: case_files.EntitiesFilesDownloadPostV1

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Entities Files Upload Post

SDK: case_files.EntitiesFilesUploadPostV1

This operation has no parameters.

Example:

{
}

Queries File Details Get

SDK: case_files.QueriesFileDetailsGetV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL filter expression
`limit`	number	No	Page size
`offset`	number	No	Page offset

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Case Management

Operations for Case Management

Operations

Operation	Name	Description
`aggregates_notification_groups_post_`	Aggregates Notification Groups Post	SDK: case_management.AggregatesNotificationGroupsPostV1
`aggregates_notification_groups_post_v2`	Aggregates Notification Groups Post V2	SDK: case_management.AggregatesNotificationGroupsPostV2
`aggregates_slas_post_`	Aggregates Slas Post	SDK: case_management.AggregatesSlasPostV1
`aggregates_templates_post_`	Aggregates Templates Post	SDK: case_management.AggregatesTemplatesPostV1
`entities_fields_get_`	Entities Fields Get	SDK: case_management.EntitiesFieldsGetV1
`entities_notification_groups_delete_`	Entities Notification Groups Delete	SDK: case_management.EntitiesNotificationGroupsDeleteV1
`entities_notification_groups_delete_v2`	Entities Notification Groups Delete V2	SDK: case_management.EntitiesNotificationGroupsDeleteV2
`entities_notification_groups_get_`	Entities Notification Groups Get	SDK: case_management.EntitiesNotificationGroupsGetV1
`entities_notification_groups_get_v2`	Entities Notification Groups Get V2	SDK: case_management.EntitiesNotificationGroupsGetV2
`entities_notification_groups_patch_`	Entities Notification Groups Patch	SDK: case_management.EntitiesNotificationGroupsPatchV1
`entities_notification_groups_patch_v2`	Entities Notification Groups Patch V2	SDK: case_management.EntitiesNotificationGroupsPatchV2
`entities_notification_groups_post_`	Entities Notification Groups Post	SDK: case_management.EntitiesNotificationGroupsPostV1
`entities_notification_groups_post_v2`	Entities Notification Groups Post V2	SDK: case_management.EntitiesNotificationGroupsPostV2
`entities_slas_delete_`	Entities Slas Delete	SDK: case_management.EntitiesSlasDeleteV1
`entities_slas_get_`	Entities Slas Get	SDK: case_management.EntitiesSlasGetV1
`entities_slas_patch_`	Entities Slas Patch	SDK: case_management.EntitiesSlasPatchV1
`entities_slas_post_`	Entities Slas Post	SDK: case_management.EntitiesSlasPostV1
`entities_template_snapshots_get_`	Entities Template Snapshots Get	SDK: case_management.EntitiesTemplateSnapshotsGetV1
`entities_templates_delete_`	Entities Templates Delete	SDK: case_management.EntitiesTemplatesDeleteV1
`entities_templates_export_get_`	Entities Templates Export Get	SDK: case_management.EntitiesTemplatesExportGetV1
`entities_templates_get_`	Entities Templates Get	SDK: case_management.EntitiesTemplatesGetV1
`entities_templates_import_post_`	Entities Templates Import Post	SDK: case_management.EntitiesTemplatesImportPostV1
`entities_templates_patch_`	Entities Templates Patch	SDK: case_management.EntitiesTemplatesPatchV1
`entities_templates_post_`	Entities Templates Post	SDK: case_management.EntitiesTemplatesPostV1
`queries_fields_get_`	Queries Fields Get	SDK: case_management.QueriesFieldsGetV1
`queries_notification_groups_get_`	Queries Notification Groups Get	SDK: case_management.QueriesNotificationGroupsGetV1
`queries_notification_groups_get_v2`	Queries Notification Groups Get V2	SDK: case_management.QueriesNotificationGroupsGetV2
`queries_slas_get_`	Queries Slas Get	SDK: case_management.QueriesSlasGetV1
`queries_template_snapshots_get_`	Queries Template Snapshots Get	SDK: case_management.QueriesTemplateSnapshotsGetV1
`queries_templates_get_`	Queries Templates Get	SDK: case_management.QueriesTemplatesGetV1

Aggregates Notification Groups Post

SDK: case_management.AggregatesNotificationGroupsPostV1

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Aggregates Notification Groups Post V2

SDK: case_management.AggregatesNotificationGroupsPostV2

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Aggregates Slas Post

SDK: case_management.AggregatesSlasPostV1

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Aggregates Templates Post

SDK: case_management.AggregatesTemplatesPostV1

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Entities Fields Get

SDK: case_management.EntitiesFieldsGetV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Resource IDs

Example:

{
  "ids": ["<ids>"]
}

Entities Notification Groups Delete

SDK: case_management.EntitiesNotificationGroupsDeleteV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Resource IDs

Example:

{
  "ids": ["<ids>"]
}

Entities Notification Groups Delete V2

SDK: case_management.EntitiesNotificationGroupsDeleteV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	Resource IDs

Example:

{
  "ids": ["<ids>"]
}

Entities Notification Groups Get

SDK: case_management.EntitiesNotificationGroupsGetV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Resource IDs

Example:

{
  "ids": ["<ids>"]
}

Entities Notification Groups Get V2

SDK: case_management.EntitiesNotificationGroupsGetV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	Resource IDs

Example:

{
  "ids": ["<ids>"]
}

Entities Notification Groups Patch

SDK: case_management.EntitiesNotificationGroupsPatchV1

Parameters:

Name	Type	Required	Description
`channels`	object	Yes	channels. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`description`	string	Yes	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	Yes
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "channels": {},
  "description": "<description>",
  "id": "<id>",
  "name": "<name>"
}

Entities Notification Groups Patch V2

SDK: case_management.EntitiesNotificationGroupsPatchV2

Parameters:

Name	Type	Required	Description
`channels`	object	Yes	channels. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`description`	string	Yes	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	Yes
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "channels": {},
  "description": "<description>",
  "id": "<id>",
  "name": "<name>"
}

Entities Notification Groups Post

SDK: case_management.EntitiesNotificationGroupsPostV1

Parameters:

Name	Type	Required	Description
`channels`	object	Yes	channels. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`description`	string	Yes	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "channels": {},
  "description": "<description>",
  "name": "<name>"
}

Entities Notification Groups Post V2

SDK: case_management.EntitiesNotificationGroupsPostV2

Parameters:

Name	Type	Required	Description
`channels`	object	Yes	channels. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`description`	string	Yes	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "channels": {},
  "description": "<description>",
  "name": "<name>"
}

Entities Slas Delete

SDK: case_management.EntitiesSlasDeleteV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Resource IDs

Example:

{
  "ids": ["<ids>"]
}

Entities Slas Get

SDK: case_management.EntitiesSlasGetV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Resource IDs

Example:

{
  "ids": ["<ids>"]
}

Entities Slas Patch

SDK: case_management.EntitiesSlasPatchV1

Parameters:

Name	Type	Required	Description
`description`	string	Yes	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`goals`	object	Yes	goals. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	Yes
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "description": "<description>",
  "goals": {},
  "id": "<id>",
  "name": "<name>"
}

Entities Slas Post

SDK: case_management.EntitiesSlasPostV1

Parameters:

Name	Type	Required	Description
`description`	string	Yes	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`goals`	object	Yes	goals. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "description": "<description>",
  "goals": {},
  "name": "<name>"
}

Entities Template Snapshots Get

SDK: case_management.EntitiesTemplateSnapshotsGetV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Snapshot IDs
`template_ids`	array	No	Retrieves the latest snapshot for all Template IDs
`versions`	array	No	Retrieve a specific version of the template from the parallel array `template_ids`. A value of ze...

Example:

{
  "ids": ["<ids>"],
  "template_ids": ["<template_ids>"],
  "versions": ["<versions>"]
}

Entities Templates Delete

SDK: case_management.EntitiesTemplatesDeleteV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Resource IDs

Example:

{
  "ids": ["<ids>"]
}

Entities Templates Export Get

SDK: case_management.EntitiesTemplatesExportGetV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL filter expression
`format`	string	No	Export file format Default: "yaml"
`ids`	array	No	Template IDs

Example:

{
  "filter": "<filter>",
  "format": "<format>",
  "ids": ["<ids>"]
}

Entities Templates Get

SDK: case_management.EntitiesTemplatesGetV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Resource IDs

Example:

{
  "ids": ["<ids>"]
}

Entities Templates Import Post

SDK: case_management.EntitiesTemplatesImportPostV1

Parameters:

Name	Type	Required	Description
`dry_run`	boolean	No	Run validation only

Example:

{
  "dry_run": true
}

Entities Templates Patch

SDK: case_management.EntitiesTemplatesPatchV1

Parameters:

Name	Type	Required	Description
`description`	string	No	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`fields`	object	Yes	fields. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	Yes
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`sla_id`	string	No	sla id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "description": "<description>",
  "fields": {},
  "id": "<id>",
  "name": "<name>",
  "sla_id": "<sla_id>"
}

Entities Templates Post

SDK: case_management.EntitiesTemplatesPostV1

Parameters:

Name	Type	Required	Description
`description`	string	No	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`fields`	object	Yes	fields. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`sla_id`	string	No	sla id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "description": "<description>",
  "fields": {},
  "name": "<name>",
  "sla_id": "<sla_id>"
}

Queries Fields Get

SDK: case_management.QueriesFieldsGetV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL filter expression
`limit`	number	No	Page size
`offset`	number	No	Page offset

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Queries Notification Groups Get

SDK: case_management.QueriesNotificationGroupsGetV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL filter expression
`limit`	number	No	Page size
`offset`	number	No	Page offset
`sort`	string	No	Sort expression. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Queries Notification Groups Get V2

SDK: case_management.QueriesNotificationGroupsGetV2

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL filter expression
`limit`	number	No	Page size
`offset`	number	No	Page offset
`sort`	string	No	Sort expression. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Queries Slas Get

SDK: case_management.QueriesSlasGetV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL filter expression
`limit`	number	No	Page size
`offset`	number	No	Page offset
`sort`	string	No	Sort expression. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Queries Template Snapshots Get

SDK: case_management.QueriesTemplateSnapshotsGetV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL filter expression
`limit`	number	No	Page size
`offset`	number	No	Page offset

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10
}

Queries Templates Get

SDK: case_management.QueriesTemplatesGetV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL filter expression
`limit`	number	No	Page size
`offset`	number	No	Page offset
`sort`	string	No	Sort expression. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Cases

Operations for Cases

Operations

Operation	Name	Description
`entities_alert_evidence_post_`	Entities Alert Evidence Post	SDK: cases.EntitiesAlertEvidencePostV1
`entities_case_tags_delete_`	Entities Case Tags Delete	SDK: cases.EntitiesCaseTagsDeleteV1
`entities_case_tags_post_`	Entities Case Tags Post	SDK: cases.EntitiesCaseTagsPostV1
`entities_cases_patch_v2`	Entities Cases Patch V2	SDK: cases.EntitiesCasesPatchV2
`entities_cases_post_v2`	Entities Cases Post V2	SDK: cases.EntitiesCasesPostV2
`entities_cases_put_v2`	Entities Cases Put V2	SDK: cases.EntitiesCasesPutV2
`entities_event_evidence_post_`	Entities Event Evidence Post	SDK: cases.EntitiesEventEvidencePostV1
`queries_cases_get_`	Queries Cases Get	SDK: cases.QueriesCasesGetV1

Entities Alert Evidence Post

SDK: cases.EntitiesAlertEvidencePostV1

Parameters:

Name	Type	Required	Description
`alerts`	object	Yes	alerts. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	Yes

Example:

{
  "alerts": {},
  "id": "<id>"
}

Entities Case Tags Delete

SDK: cases.EntitiesCaseTagsDeleteV1

Parameters:

Name	Type	Required	Description
`id`	string	No	The ID of the case to remove tags from.
`tag`	array	No	The tag to remove from the case.

Example:

{
  "id": "<id>",
  "tag": ["<tag>"]
}

Entities Case Tags Post

SDK: cases.EntitiesCaseTagsPostV1

Parameters:

Name	Type	Required	Description
`id`	string	Yes
`tags`	array	Yes	tags. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "id": "<id>",
  "tags": ["<tags>"]
}

Entities Cases Patch V2

SDK: cases.EntitiesCasesPatchV2

Parameters:

Name	Type	Required	Description
`expected_consistency_version`	number	No	expected consistency version
`expected_version`	number	No	expected version. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`fields`	object	Yes	fields. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	Yes

Example:

{
  "expected_consistency_version": 10,
  "expected_version": 10,
  "fields": {},
  "id": "<id>"
}

Entities Cases Post V2

SDK: cases.EntitiesCasesPostV2

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Entities Cases Put V2

SDK: cases.EntitiesCasesPutV2

Parameters:

Name	Type	Required	Description
`assigned_to_user_uuid`	string	Yes	assigned to user uuid
`description`	string	Yes	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`evidence`	object	Yes	evidence. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`severity`	number	Yes	severity. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`status`	string	Yes	status. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`tags`	array	Yes	tags. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`template`	object	No	template. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "assigned_to_user_uuid": "<assigned_to_user_uuid>",
  "description": "<description>",
  "evidence": {},
  "name": "<name>",
  "severity": 10,
  "status": "<status>",
  "tags": ["<tags>"],
  "template": {}
}

Entities Event Evidence Post

SDK: cases.EntitiesEventEvidencePostV1

Parameters:

Name	Type	Required	Description
`events`	object	Yes	events. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	Yes

Example:

{
  "events": {},
  "id": "<id>"
}

Queries Cases Get

SDK: cases.QueriesCasesGetV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter Cases using a query in Falcon Query Language (FQL).Filter fields can be any keyword field ...
`limit`	number	No	The maximum number of Cases to return in this response (default: 100; max: 10000). Use this param...
`offset`	number	No	The first case to return, where `0` is the latest case. Use with the `offset` parameter to manage...
`sort`	string	No	Sort parameter takes the form <field

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Custom Storage

Operations for Custom Storage

Operations

Operation	Name	Description
`delete_object`	Delete Object	SDK: custom_storage.DeleteObject
`delete_versioned_object`	Delete Versioned Object	SDK: custom_storage.DeleteVersionedObject
`describe_collection`	Describe Collection	SDK: custom_storage.DescribeCollection
`describe_collections`	Describe Collections	SDK: custom_storage.DescribeCollections
`get_object`	Get Object	SDK: custom_storage.GetObject
`get_object_metadata`	Get Object Metadata	SDK: custom_storage.GetObjectMetadata
`get_schema`	Get Schema	SDK: custom_storage.GetSchema
`get_schema_metadata`	Get Schema Metadata	SDK: custom_storage.GetSchemaMetadata
`get_versioned_object`	Get Versioned Object	SDK: custom_storage.GetVersionedObject
`get_versioned_object_metadata`	Get Versioned Object Metadata	SDK: custom_storage.GetVersionedObjectMetadata
`list_collections`	List Collections	SDK: custom_storage.ListCollections
`list_objects`	List Objects	SDK: custom_storage.ListObjects
`list_objects_by_version`	List Objects By Version	SDK: custom_storage.ListObjectsByVersion
`list_schemas`	List Schemas	SDK: custom_storage.ListSchemas
`put_object`	Put Object	SDK: custom_storage.PutObject
`put_object_by_version`	Put Object By Version	SDK: custom_storage.PutObjectByVersion
`search_objects`	Search Objects	SDK: custom_storage.SearchObjects
`search_objects_by_version`	Search Objects By Version	SDK: custom_storage.SearchObjectsByVersion

Delete Object

SDK: custom_storage.DeleteObject

Parameters:

Name	Type	Required	Description
`collection_name`	string	No	The name of the collection
`dry_run`	boolean	No	If false, run the operation as normal. If true, validate that the request would succeed, but do...
`object_key`	string	No	The object key

Example:

{
  "collection_name": "<collection_name>",
  "dry_run": true,
  "object_key": "<object_key>"
}

Delete Versioned Object

SDK: custom_storage.DeleteVersionedObject

Parameters:

Name	Type	Required	Description
`collection_name`	string	No	The name of the collection
`collection_version`	string	No	The version of the collection
`dry_run`	boolean	No	If false, run the operation as normal. If true, validate that the request would succeed, but do...
`object_key`	string	No	The object key

Example:

{
  "collection_name": "<collection_name>",
  "collection_version": "<collection_version>",
  "dry_run": true,
  "object_key": "<object_key>"
}

Describe Collection

SDK: custom_storage.DescribeCollection

Parameters:

Name	Type	Required	Description
`collection_name`	string	No	The name of the collection

Example:

{
  "collection_name": "<collection_name>"
}

Describe Collections

SDK: custom_storage.DescribeCollections

Parameters:

Name	Type	Required	Description
`names`	array	No	A set of collection names

Example:

{
  "names": ["<names>"]
}

Get Object

SDK: custom_storage.GetObject

Parameters:

Name	Type	Required	Description
`collection_name`	string	No	The name of the collection
`object_key`	string	No	The object key

Example:

{
  "collection_name": "<collection_name>",
  "object_key": "<object_key>"
}

Get Object Metadata

SDK: custom_storage.GetObjectMetadata

Parameters:

Name	Type	Required	Description
`collection_name`	string	No	The name of the collection
`object_key`	string	No	The object key

Example:

{
  "collection_name": "<collection_name>",
  "object_key": "<object_key>"
}

Get Schema

SDK: custom_storage.GetSchema

Parameters:

Name	Type	Required	Description
`collection_name`	string	No	The name of the collection
`schema_version`	string	No	The version of the collection schema or 'latest' for the latest version

Example:

{
  "collection_name": "<collection_name>",
  "schema_version": "<schema_version>"
}

Get Schema Metadata

SDK: custom_storage.GetSchemaMetadata

Parameters:

Name	Type	Required	Description
`collection_name`	string	No	The name of the collection
`schema_version`	string	No	The version of the collection schema or 'latest' for the latest version

Example:

{
  "collection_name": "<collection_name>",
  "schema_version": "<schema_version>"
}

Get Versioned Object

SDK: custom_storage.GetVersionedObject

Parameters:

Name	Type	Required	Description
`collection_name`	string	No	The name of the collection
`collection_version`	string	No	The version of the collection
`object_key`	string	No	The object key

Example:

{
  "collection_name": "<collection_name>",
  "collection_version": "<collection_version>",
  "object_key": "<object_key>"
}

Get Versioned Object Metadata

SDK: custom_storage.GetVersionedObjectMetadata

Parameters:

Name	Type	Required	Description
`collection_name`	string	No	The name of the collection
`collection_version`	string	No	The version of the collection
`object_key`	string	No	The object key

Example:

{
  "collection_name": "<collection_name>",
  "collection_version": "<collection_version>",
  "object_key": "<object_key>"
}

List Collections

SDK: custom_storage.ListCollections

Parameters:

Name	Type	Required	Description
`end`	string	No	The end key to end listing to
`limit`	number	No	The limit of results to return
`start`	string	No	The start key to start listing from

Example:

{
  "end": "<end>",
  "limit": 10,
  "start": "<start>"
}

List Objects

SDK: custom_storage.ListObjects

Parameters:

Name	Type	Required	Description
`collection_name`	string	No	The name of the collection
`end`	string	No	The end key to end listing to
`limit`	number	No	The limit of results to return
`start`	string	No	The start key to start listing from

Example:

{
  "collection_name": "<collection_name>",
  "end": "<end>",
  "limit": 10,
  "start": "<start>"
}

List Objects By Version

SDK: custom_storage.ListObjectsByVersion

Parameters:

Name	Type	Required	Description
`collection_name`	string	No	The name of the collection
`collection_version`	string	No	The version of the collection
`end`	string	No	The end key to end listing to
`limit`	number	No	The limit of results to return
`start`	string	No	The start key to start listing from

Example:

{
  "collection_name": "<collection_name>",
  "collection_version": "<collection_version>",
  "end": "<end>",
  "limit": 10,
  "start": "<start>"
}

List Schemas

SDK: custom_storage.ListSchemas

Parameters:

Name	Type	Required	Description
`collection_name`	string	No	The name of the collection
`end`	string	No	The end key to end listing to
`limit`	number	No	The limit of results to return
`start`	string	No	The start key to start listing from

Example:

{
  "collection_name": "<collection_name>",
  "end": "<end>",
  "limit": 10,
  "start": "<start>"
}

Put Object

SDK: custom_storage.PutObject

Parameters:

Name	Type	Required	Description
`collection_name`	string	No	The name of the collection
`dry_run`	boolean	No	If false, run the operation as normal. If true, validate that the request would succeed, but do...
`object_key`	string	No	The object key
`schema_version`	string	No	The version of the collection schema

Example:

{
  "collection_name": "<collection_name>",
  "dry_run": true,
  "object_key": "<object_key>",
  "schema_version": "<schema_version>"
}

Put Object By Version

SDK: custom_storage.PutObjectByVersion

Parameters:

Name	Type	Required	Description
`collection_name`	string	No	The name of the collection
`collection_version`	string	No	The version of the collection
`dry_run`	boolean	No	If false, run the operation as normal. If true, validate that the request would succeed, but do...
`object_key`	string	No	The object key

Example:

{
  "collection_name": "<collection_name>",
  "collection_version": "<collection_version>",
  "dry_run": true,
  "object_key": "<object_key>"
}

Search Objects

SDK: custom_storage.SearchObjects

Parameters:

Name	Type	Required	Description
`collection_name`	string	No	The name of the collection
`filter`	string	No	The filter to limit the returned results.
`limit`	number	No	The limit of results to return
`offset`	number	No	The offset of results to return
`sort`	string	No	The sort order for the returned results.

Example:

{
  "collection_name": "<collection_name>",
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Search Objects By Version

SDK: custom_storage.SearchObjectsByVersion

Parameters:

Name	Type	Required	Description
`collection_name`	string	No	The name of the collection
`collection_version`	string	No	The version of the collection
`filter`	string	No	The filter to limit the returned results.
`limit`	number	No	The limit of results to return
`offset`	number	No	The offset of results to return
`sort`	string	No	The sort order for the returned results.

Example:

{
  "collection_name": "<collection_name>",
  "collection_version": "<collection_version>",
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Data Protection Configuration

Operations for Data Protection Configuration

Operations

Operation	Name	Description
`entities_classification_delete_v2`	Entities Classification Delete V2	SDK: data_protection_configuration.EntitiesClassificationDeleteV2
`entities_classification_get_v2`	Entities Classification Get V2	SDK: data_protection_configuration.EntitiesClassificationGetV2
`entities_classification_patch_v2`	Entities Classification Patch V2	SDK: data_protection_configuration.EntitiesClassificationPatchV2
`entities_classification_post_v2`	Entities Classification Post V2	SDK: data_protection_configuration.EntitiesClassificationPostV2
`entities_cloud_application_create`	Entities Cloud Application Create	SDK: data_protection_configuration.EntitiesCloudApplicationCreate
`entities_cloud_application_delete`	Entities Cloud Application Delete	SDK: data_protection_configuration.EntitiesCloudApplicationDelete
`entities_cloud_application_get`	Entities Cloud Application Get	SDK: data_protection_configuration.EntitiesCloudApplicationGet
`entities_cloud_application_patch`	Entities Cloud Application Patch	SDK: data_protection_configuration.EntitiesCloudApplicationPatch
`entities_content_pattern_create`	Entities Content Pattern Create	SDK: data_protection_configuration.EntitiesContentPatternCreate
`entities_content_pattern_delete`	Entities Content Pattern Delete	SDK: data_protection_configuration.EntitiesContentPatternDelete
`entities_content_pattern_get`	Entities Content Pattern Get	SDK: data_protection_configuration.EntitiesContentPatternGet
`entities_content_pattern_patch`	Entities Content Pattern Patch	SDK: data_protection_configuration.EntitiesContentPatternPatch
`entities_enterprise_account_create`	Entities Enterprise Account Create	SDK: data_protection_configuration.EntitiesEnterpriseAccountCreate
`entities_enterprise_account_delete`	Entities Enterprise Account Delete	SDK: data_protection_configuration.EntitiesEnterpriseAccountDelete
`entities_enterprise_account_get`	Entities Enterprise Account Get	SDK: data_protection_configuration.EntitiesEnterpriseAccountGet
`entities_enterprise_account_patch`	Entities Enterprise Account Patch	SDK: data_protection_configuration.EntitiesEnterpriseAccountPatch
`entities_file_type_get`	Entities File Type Get	SDK: data_protection_configuration.EntitiesFileTypeGet
`entities_policy_delete_v2`	Entities Policy Delete V2	SDK: data_protection_configuration.EntitiesPolicyDeleteV2
`entities_policy_get_v2`	Entities Policy Get V2	SDK: data_protection_configuration.EntitiesPolicyGetV2
`entities_policy_patch_v2`	Entities Policy Patch V2	SDK: data_protection_configuration.EntitiesPolicyPatchV2
`entities_policy_post_v2`	Entities Policy Post V2	SDK: data_protection_configuration.EntitiesPolicyPostV2
`entities_sensitivity_label_create_v2`	Entities Sensitivity Label Create V2	SDK: data_protection_configuration.EntitiesSensitivityLabelCreateV2
`entities_sensitivity_label_delete_v2`	Entities Sensitivity Label Delete V2	SDK: data_protection_configuration.EntitiesSensitivityLabelDeleteV2
`entities_sensitivity_label_get_v2`	Entities Sensitivity Label Get V2	SDK: data_protection_configuration.EntitiesSensitivityLabelGetV2
`entities_web_location_create_v2`	Entities Web Location Create V2	SDK: data_protection_configuration.EntitiesWebLocationCreateV2
`entities_web_location_delete_v2`	Entities Web Location Delete V2	SDK: data_protection_configuration.EntitiesWebLocationDeleteV2
`entities_web_location_get_v2`	Entities Web Location Get V2	SDK: data_protection_configuration.EntitiesWebLocationGetV2
`entities_web_location_patch_v2`	Entities Web Location Patch V2	SDK: data_protection_configuration.EntitiesWebLocationPatchV2
`queries_classification_get_v2`	Queries Classification Get V2	SDK: data_protection_configuration.QueriesClassificationGetV2
`queries_cloud_application_get_v2`	Queries Cloud Application Get V2	SDK: data_protection_configuration.QueriesCloudApplicationGetV2
`queries_content_pattern_get_v2`	Queries Content Pattern Get V2	SDK: data_protection_configuration.QueriesContentPatternGetV2
`queries_enterprise_account_get_v2`	Queries Enterprise Account Get V2	SDK: data_protection_configuration.QueriesEnterpriseAccountGetV2
`queries_file_type_get_v2`	Queries File Type Get V2	SDK: data_protection_configuration.QueriesFileTypeGetV2
`queries_policy_get_v2`	Queries Policy Get V2	SDK: data_protection_configuration.QueriesPolicyGetV2
`queries_sensitivity_label_get_v2`	Queries Sensitivity Label Get V2	SDK: data_protection_configuration.QueriesSensitivityLabelGetV2
`queries_web_location_get_v2`	Queries Web Location Get V2	SDK: data_protection_configuration.QueriesWebLocationGetV2

Entities Classification Delete V2

SDK: data_protection_configuration.EntitiesClassificationDeleteV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	IDs of the classifications to delete

Example:

{
  "ids": ["<ids>"]
}

Entities Classification Get V2

SDK: data_protection_configuration.EntitiesClassificationGetV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	IDs of the classifications to get

Example:

{
  "ids": ["<ids>"]
}

Entities Classification Patch V2

SDK: data_protection_configuration.EntitiesClassificationPatchV2

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Entities Classification Post V2

SDK: data_protection_configuration.EntitiesClassificationPostV2

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Entities Cloud Application Create

SDK: data_protection_configuration.EntitiesCloudApplicationCreate

Parameters:

Name	Type	Required	Description
`description`	string	No	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	No	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`urls`	object	Yes	urls. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "description": "<description>",
  "name": "<name>",
  "urls": {}
}

Entities Cloud Application Delete

SDK: data_protection_configuration.EntitiesCloudApplicationDelete

Parameters:

Name	Type	Required	Description
`ids`	array	No	The id of the cloud application to delete.

Example:

{
  "ids": ["<ids>"]
}

Entities Cloud Application Get

SDK: data_protection_configuration.EntitiesCloudApplicationGet

Parameters:

Name	Type	Required	Description
`ids`	array	No	The cloud application id(s) to get.

Example:

{
  "ids": ["<ids>"]
}

Entities Cloud Application Patch

SDK: data_protection_configuration.EntitiesCloudApplicationPatch

Parameters:

Name	Type	Required	Description
`description`	string	No	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	No	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`urls`	object	Yes	urls. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "description": "<description>",
  "name": "<name>",
  "urls": {}
}

Entities Content Pattern Create

SDK: data_protection_configuration.EntitiesContentPatternCreate

Parameters:

Name	Type	Required	Description
`category`	string	Yes	category. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`description`	string	Yes	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`example`	string	Yes	example. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`min_match_threshold`	number	Yes	min match threshold. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/op...
`name`	string	No	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`regexes`	array	Yes	regexes. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`region`	string	Yes	region. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "category": "<category>",
  "description": "<description>",
  "example": "<example>",
  "min_match_threshold": 10,
  "name": "<name>",
  "regexes": ["<regexes>"],
  "region": "<region>"
}

Entities Content Pattern Delete

SDK: data_protection_configuration.EntitiesContentPatternDelete

Parameters:

Name	Type	Required	Description
`ids`	array	No	The id(s) of the content pattern to delete.

Example:

{
  "ids": ["<ids>"]
}

Entities Content Pattern Get

SDK: data_protection_configuration.EntitiesContentPatternGet

Parameters:

Name	Type	Required	Description
`ids`	array	No	The content-pattern id(s) to get.

Example:

{
  "ids": ["<ids>"]
}

Entities Content Pattern Patch

SDK: data_protection_configuration.EntitiesContentPatternPatch

Parameters:

Name	Type	Required	Description
`category`	string	Yes	category. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`description`	string	Yes	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`example`	string	Yes	example. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	Yes
`min_match_threshold`	number	Yes	min match threshold. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/op...
`name`	string	No	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`regexes`	array	Yes	regexes. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`region`	string	Yes	region. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "category": "<category>",
  "description": "<description>",
  "example": "<example>",
  "id": "<id>",
  "min_match_threshold": 10,
  "name": "<name>",
  "regexes": ["<regexes>"],
  "region": "<region>"
}

Entities Enterprise Account Create

SDK: data_protection_configuration.EntitiesEnterpriseAccountCreate

Parameters:

Name	Type	Required	Description
`application_group_id`	string	Yes	application group id
`domains`	array	Yes	domains. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`plugin_config_id`	string	Yes	plugin config id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "application_group_id": "<application_group_id>",
  "domains": ["<domains>"],
  "name": "<name>",
  "plugin_config_id": "<plugin_config_id>"
}

Entities Enterprise Account Delete

SDK: data_protection_configuration.EntitiesEnterpriseAccountDelete

Parameters:

Name	Type	Required	Description
`ids`	array	No	The id of the enterprise account to delete.

Example:

{
  "ids": ["<ids>"]
}

Entities Enterprise Account Get

SDK: data_protection_configuration.EntitiesEnterpriseAccountGet

Parameters:

Name	Type	Required	Description
`ids`	array	No	The enterprise-account id(s) to get.

Example:

{
  "ids": ["<ids>"]
}

Entities Enterprise Account Patch

SDK: data_protection_configuration.EntitiesEnterpriseAccountPatch

Parameters:

Name	Type	Required	Description
`application_group_id`	string	Yes	application group id
`domains`	array	Yes	domains. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	Yes
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`plugin_config_id`	string	Yes	plugin config id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "application_group_id": "<application_group_id>",
  "domains": ["<domains>"],
  "id": "<id>",
  "name": "<name>",
  "plugin_config_id": "<plugin_config_id>"
}

Entities File Type Get

SDK: data_protection_configuration.EntitiesFileTypeGet

Parameters:

Name	Type	Required	Description
`ids`	array	No	The file-type id(s) to get.

Example:

{
  "ids": ["<ids>"]
}

Entities Policy Delete V2

SDK: data_protection_configuration.EntitiesPolicyDeleteV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	IDs of the policies to delete
`platform_name`	string	No	platform name of the policies to update, either 'win' or 'mac'

Example:

{
  "ids": ["<ids>"],
  "platform_name": "<platform_name>"
}

Entities Policy Get V2

SDK: data_protection_configuration.EntitiesPolicyGetV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	IDs of the policies to get

Example:

{
  "ids": ["<ids>"]
}

Entities Policy Patch V2

SDK: data_protection_configuration.EntitiesPolicyPatchV2

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Entities Policy Post V2

SDK: data_protection_configuration.EntitiesPolicyPostV2

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Entities Sensitivity Label Create V2

SDK: data_protection_configuration.EntitiesSensitivityLabelCreateV2

Parameters:

Name	Type	Required	Description
`co_authoring`	boolean	Yes	co authoring. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`display_name`	string	Yes	display name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`external_id`	string	Yes	external id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`label_provider`	string	Yes	label provider. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`plugins_configuration_id`	string	Yes	plugins configuration id
`synced`	boolean	Yes	synced. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "co_authoring": true,
  "display_name": "<display_name>",
  "external_id": "<external_id>",
  "label_provider": "<label_provider>",
  "name": "<name>",
  "plugins_configuration_id": "<plugins_configuration_id>",
  "synced": true
}

Entities Sensitivity Label Delete V2

SDK: data_protection_configuration.EntitiesSensitivityLabelDeleteV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	The sensitivity label entity id(s) to delete.

Example:

{
  "ids": ["<ids>"]
}

Entities Sensitivity Label Get V2

SDK: data_protection_configuration.EntitiesSensitivityLabelGetV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	The sensitivity label entity id(s) to get.

Example:

{
  "ids": ["<ids>"]
}

Entities Web Location Create V2

SDK: data_protection_configuration.EntitiesWebLocationCreateV2

Parameters:

Name	Type	Required	Description
`web_locations`	object	Yes	web locations. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "web_locations": {}
}

Entities Web Location Delete V2

SDK: data_protection_configuration.EntitiesWebLocationDeleteV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	The ids of the web-location to delete.

Example:

{
  "ids": ["<ids>"]
}

Entities Web Location Get V2

SDK: data_protection_configuration.EntitiesWebLocationGetV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	The web-location entity id(s) to get.

Example:

{
  "ids": ["<ids>"]
}

Entities Web Location Patch V2

SDK: data_protection_configuration.EntitiesWebLocationPatchV2

Parameters:

Name	Type	Required	Description
`application_id`	string	No	application id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`cid`	string	No	cid. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`deleted`	boolean	Yes	deleted. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`enterprise_account_id`	string	No	enterprise account id
`id`	string	Yes
`location_type`	string	Yes	location type. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	No	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`provider_location_id`	string	No	provider location id
`provider_location_name`	string	No	provider location name
`type`	string	Yes	type. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "application_id": "<application_id>",
  "cid": "<cid>",
  "deleted": true,
  "enterprise_account_id": "<enterprise_account_id>",
  "id": "<id>",
  "location_type": "<location_type>",
  "name": "<name>",
  "provider_location_id": "<provider_location_id>",
  "provider_location_name": "<provider_location_name>",
  "type": "<type>"
}

Queries Classification Get V2

SDK: data_protection_configuration.QueriesClassificationGetV2

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter results by specific attributes , allowed attributes are [created_by modified_by modified_a...
`limit`	number	No	The maximum records to return Default: 100
`offset`	number	No	The offset to start retrieving records from
`sort`	string	No	The property to sort by, allowed fields are :[name created_at modified_at]

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Queries Cloud Application Get V2

SDK: data_protection_configuration.QueriesCloudApplicationGetV2

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter for searching cloud applications. Allowed filters are 'name' (string), 'type' (ar...
`limit`	number	No	The number of items to return in this response (default: 100, max: 500). Use with the offset para...
`offset`	number	No	The offset to start retrieving records from. Use with the limit parameter to manage pagination of...
`sort`	string	No	The sort instructions to order by on. Allowed values are 'name' (string), 'type' (array of string...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Queries Content Pattern Get V2

SDK: data_protection_configuration.QueriesContentPatternGetV2

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter to use when finding content patterns. Allowed filters are 'name', 'type', 'category', ...
`limit`	number	No	The number of items to return in this response (default: 100, max: 500). Use with the offset para...
`offset`	number	No	The offset to start retrieving records from. Use with the limit parameter to manage pagination of...
`sort`	string	No	The sort instructions to order by on. Allowed values are 'name', 'type', 'category', 'region', 'c...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Queries Enterprise Account Get V2

SDK: data_protection_configuration.QueriesEnterpriseAccountGetV2

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter to use when finding enterprise accounts. Allowed filters are 'name', 'application_grou...
`limit`	number	No	The number of items to return in this response (default: 100, max: 500). Use with the offset para...
`offset`	number	No	The offset to start retrieving records from. Use with the limit parameter to manage pagination of...
`sort`	string	No	The sort instructions to order by on. Allowed values are 'name', 'application_group_id', 'deleted...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Queries File Type Get V2

SDK: data_protection_configuration.QueriesFileTypeGetV2

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter to use when finding file types. Allowed filter is 'name', 'created_at' and 'updated_at'
`limit`	number	No	The number of items to return in this response (default: 100, max: 500). Use with the offset para...
`offset`	number	No	The offset to start retrieving records from. Use with the limit parameter to manage pagination of...
`sort`	string	No	The sort instructions to order by on. Allowed values are 'name', 'created_at' and 'updated_at'

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Queries Policy Get V2

SDK: data_protection_configuration.QueriesPolicyGetV2

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter results by specific attributes , allowed attributes are [properties.max_file_size_to_inspe...
`limit`	number	No	The maximum records to return Default: 100
`offset`	number	No	The offset to start retrieving records from
`platform_name`	string	No	platform name of the policies to search, either 'win' or 'mac'
`sort`	string	No	The property to sort by, allowed fields are :[name precedence created_at modified_at]

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "platform_name": "<platform_name>",
  "sort": "<sort>"
}

Queries Sensitivity Label Get V2

SDK: data_protection_configuration.QueriesSensitivityLabelGetV2

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter to use when finding sensitivity labels. The only allowed filters are 'name', 'display_...
`limit`	number	No	The number of items to return in this response (default: 100, max: 500). Use with the offset para...
`offset`	number	No	The offset to start retrieving records from. Use with the limit parameter to manage pagination of...
`sort`	string	No	The sort instructions to order by on. Allowed values are 'name', 'display_name', 'deleted', 'crea...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Queries Web Location Get V2

SDK: data_protection_configuration.QueriesWebLocationGetV2

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter to use when finding web locations. Allowed filters are 'name', 'type', 'deleted', 'app...
`limit`	number	No	The number of items to return in this response (default: 100, max: 500). Use with the offset para...
`offset`	number	No	The offset to start retrieving records from. Use with the limit parameter to manage pagination of...
`type`	string	No	The type of entity to query. Allowed values are 'predefined' and 'custom'

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "type": "<type>"
}

Delivery Settings

Operations for Delivery Settings

Operations

Operation	Name	Description
`get_delivery_settings`	Get Delivery Settings	SDK: delivery_settings.GetDeliverySettings
`post_delivery_settings`	Post Delivery Settings	SDK: delivery_settings.PostDeliverySettings

Get Delivery Settings

SDK: delivery_settings.GetDeliverySettings

This operation has no parameters.

Example:

{
}

Post Delivery Settings

SDK: delivery_settings.PostDeliverySettings

Parameters:

Name	Type	Required	Description
`delivery_settings`	object	Yes	delivery settings. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/open...

Example:

{
  "delivery_settings": {}
}

Deployments

Operations for Deployments

Operations

Operation	Name	Description
`get_deployments_external_`	Get Deployments External	SDK: deployments.GetDeploymentsExternalV1

Get Deployments External

SDK: deployments.GetDeploymentsExternalV1

Parameters:

Name	Type	Required	Description
`authorization`	string	No	authorization header
`xcsusername`	string	No	user name
`ids`	array	No	release version ids to retrieve deployment details

Example:

{
  "authorization": "<authorization>",
  "xcsusername": "<xcsusername>",
  "ids": ["<ids>"]
}

Downloads Api

Operations for Downloads Api

Operations

Operation	Name	Description
`download_file`	Download File	SDK: downloads_api.DownloadFile
`enumerate_file`	Enumerate File	SDK: downloads_api.EnumerateFile
`fetch_files_download_info`	Fetch Files Download Info	SDK: downloads_api.FetchFilesDownloadInfo

Download File

SDK: downloads_api.DownloadFile

Parameters:

Name	Type	Required	Description
`file_name`	string	No	Name of the file to be downloaded
`file_version`	string	No	Version of the file to be downloaded

Example:

{
  "file_name": "<file_name>",
  "file_version": "<file_version>"
}

Enumerate File

SDK: downloads_api.EnumerateFile

Parameters:

Name	Type	Required	Description
`arch`	string	No	Apply filtering on architecture
`category`	string	No	Apply filtering on file category
`file_name`	string	No	Apply filtering on file name
`file_version`	string	No	Apply filtering on file version
`os`	string	No	Apply filtering on operating system
`platform`	string	No	Apply filtering on file platform

Example:

{
  "arch": "<arch>",
  "category": "<category>",
  "file_name": "<file_name>",
  "file_version": "<file_version>",
  "os": "<os>",
  "platform": "<platform>"
}

Fetch Files Download Info

SDK: downloads_api.FetchFilesDownloadInfo

Parameters:

Name	Type	Required	Description
`filter`	string	No	Search files using various filters using query in Falcon Query Language (FQL). Supported filters:...
`sort`	string	No	The fields to sort records on. Supported columns: - `arch` - `category` - `file_name` - `file_ver...

Example:

{
  "filter": "<filter>",
  "sort": "<sort>"
}

Event Streams

Operations for Event Streams

Operations

Operation	Name	Description
`list_available_streams_oauth2`	List Available Streams Oauth2	SDK: event_streams.ListAvailableStreamsOAuth2
`refresh_active_stream_session`	Refresh Active Stream Session	SDK: event_streams.RefreshActiveStreamSession

List Available Streams Oauth2

SDK: event_streams.ListAvailableStreamsOAuth2

Parameters:

Name	Type	Required	Description
`app_id`	string	No	Label that identifies your connection. Max: 32 alphanumeric characters (a-z, A-Z, 0-9).
`format`	string	No	Format for streaming events. Valid values: json, flatjson

Example:

{
  "app_id": "<app_id>",
  "format": "<format>"
}

Refresh Active Stream Session

SDK: event_streams.RefreshActiveStreamSession

Parameters:

Name	Type	Required	Description
`action_name`	string	No	Action name. Allowed value is refresh_active_stream_session.
`app_id`	string	No	Label that identifies your connection. Max: 32 alphanumeric characters (a-z, A-Z, 0-9).
`partition`	number	No	Partition to request data for.

Example:

{
  "action_name": "<action_name>",
  "app_id": "<app_id>",
  "partition": 10
}

Execution

Operations for Execution

Operations

Operation	Name	Description
`read_request_body`	Read Request Body	SDK: execution.ReadRequestBody

Read Request Body

SDK: execution.ReadRequestBody

Parameters:

Name	Type	Required	Description
`filename`	string	No	filename to be retrieved
`fn`	string	No	function ref; form of $fn_id:$fn_version
`id`	string	No	Execution ID
`sha256`	string	No	sha256 checksum for file to be retrieved

Example:

{
  "filename": "<filename>",
  "fn": "<fn>",
  "id": "<id>",
  "sha256": "<sha256>"
}

Falcon Complete Dashboard

Operations for Falcon Complete Dashboard

Operations

Operation	Name	Description
`aggregate_alerts`	Aggregate Alerts	SDK: falcon_complete_dashboard.AggregateAlerts
`aggregate_allow_list`	Aggregate Allow List	SDK: falcon_complete_dashboard.AggregateAllowList
`aggregate_block_list`	Aggregate Block List	SDK: falcon_complete_dashboard.AggregateBlockList
`aggregate_detections`	Aggregate Detections	SDK: falcon_complete_dashboard.AggregateDetections
`aggregate_device_count_collection`	Aggregate Device Count Collection	SDK: falcon_complete_dashboard.AggregateDeviceCountCollection
`aggregate_escalations`	Aggregate Escalations	SDK: falcon_complete_dashboard.AggregateEscalations
`aggregate_fcincidents`	Aggregate Fcincidents	SDK: falcon_complete_dashboard.AggregateFCIncidents
`aggregate_prevention_policy`	Aggregate Prevention Policy	SDK: falcon_complete_dashboard.AggregatePreventionPolicy
`aggregate_remediations`	Aggregate Remediations	SDK: falcon_complete_dashboard.AggregateRemediations
`aggregate_sensor_update_policy`	Aggregate Sensor Update Policy	SDK: falcon_complete_dashboard.AggregateSensorUpdatePolicy
`aggregate_support_issues`	Aggregate Support Issues	SDK: falcon_complete_dashboard.AggregateSupportIssues
`aggregate_total_device_counts`	Aggregate Total Device Counts	SDK: falcon_complete_dashboard.AggregateTotalDeviceCounts
`get_device_count_collection_queries_by_filter`	Get Device Count Collection Queries By Filter	SDK: falcon_complete_dashboard.GetDeviceCountCollectionQueriesByFilter
`list_alert_ids_by_filter`	List Alert Ids By Filter	SDK: falcon_complete_dashboard.QueryAlertIdsByFilter
`list_alert_ids_by_filter_v2`	List Alert Ids By Filter V2	SDK: falcon_complete_dashboard.QueryAlertIdsByFilterV2
`list_allow_list_filter`	List Allow List Filter	SDK: falcon_complete_dashboard.QueryAllowListFilter
`list_block_list_filter`	List Block List Filter	SDK: falcon_complete_dashboard.QueryBlockListFilter
`list_detection_ids_by_filter`	List Detection Ids By Filter	SDK: falcon_complete_dashboard.QueryDetectionIdsByFilter
`list_escalations_filter`	List Escalations Filter	SDK: falcon_complete_dashboard.QueryEscalationsFilter
`list_incident_ids_by_filter`	List Incident Ids By Filter	SDK: falcon_complete_dashboard.QueryIncidentIdsByFilter
`list_remediations_filter`	List Remediations Filter	SDK: falcon_complete_dashboard.QueryRemediationsFilter

Aggregate Alerts

SDK: falcon_complete_dashboard.AggregateAlerts

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Aggregate Allow List

SDK: falcon_complete_dashboard.AggregateAllowList

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Aggregate Block List

SDK: falcon_complete_dashboard.AggregateBlockList

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Aggregate Detections

SDK: falcon_complete_dashboard.AggregateDetections

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Aggregate Device Count Collection

SDK: falcon_complete_dashboard.AggregateDeviceCountCollection

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Aggregate Escalations

SDK: falcon_complete_dashboard.AggregateEscalations

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Aggregate Fcincidents

SDK: falcon_complete_dashboard.AggregateFCIncidents

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Aggregate Prevention Policy

SDK: falcon_complete_dashboard.AggregatePreventionPolicy

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Aggregate Remediations

SDK: falcon_complete_dashboard.AggregateRemediations

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Aggregate Sensor Update Policy

SDK: falcon_complete_dashboard.AggregateSensorUpdatePolicy

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Aggregate Support Issues

SDK: falcon_complete_dashboard.AggregateSupportIssues

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Aggregate Total Device Counts

SDK: falcon_complete_dashboard.AggregateTotalDeviceCounts

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Get Device Count Collection Queries By Filter

SDK: falcon_complete_dashboard.GetDeviceCountCollectionQueriesByFilter

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter and sort criteria in the form of an FQL query. For more information about FQL que...
`limit`	number	No	The maximum records to return. [1-500]
`offset`	string	No	Starting index of overall result set from which to return ids.
`sort`	string	No	The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

List Alert Ids By Filter

SDK: falcon_complete_dashboard.QueryAlertIdsByFilter

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter and sort criteria in the form of an FQL query. For more information about FQL que...
`limit`	number	No	The maximum records to return. [1-500]
`offset`	string	No	Starting index of overall result set from which to return ids.
`sort`	string	No	The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

List Alert Ids By Filter V2

SDK: falcon_complete_dashboard.QueryAlertIdsByFilterV2

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter and sort criteria in the form of an FQL query. For more information about FQL que...
`limit`	number	No	The maximum records to return. [1-500]
`offset`	string	No	Starting index of overall result set from which to return ids.
`sort`	string	No	The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

List Allow List Filter

SDK: falcon_complete_dashboard.QueryAllowListFilter

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter and sort criteria in the form of an FQL query. For more information about FQL que...
`limit`	number	No	The maximum records to return. [1-500]
`offset`	string	No	Starting index of overall result set from which to return ids.
`sort`	string	No	The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

List Block List Filter

SDK: falcon_complete_dashboard.QueryBlockListFilter

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter and sort criteria in the form of an FQL query. For more information about FQL que...
`limit`	number	No	The maximum records to return. [1-500]
`offset`	string	No	Starting index of overall result set from which to return ids.
`sort`	string	No	The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

List Detection Ids By Filter

SDK: falcon_complete_dashboard.QueryDetectionIdsByFilter

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter and sort criteria in the form of an FQL query. For more information about FQL que...
`limit`	number	No	The maximum records to return. [1-500]
`offset`	string	No	Starting index of overall result set from which to return ids.
`sort`	string	No	The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

List Escalations Filter

SDK: falcon_complete_dashboard.QueryEscalationsFilter

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter and sort criteria in the form of an FQL query. For more information about FQL que...
`limit`	number	No	The maximum records to return. [1-500]
`offset`	string	No	Starting index of overall result set from which to return ids.
`sort`	string	No	The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

List Incident Ids By Filter

SDK: falcon_complete_dashboard.QueryIncidentIdsByFilter

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter and sort criteria in the form of an FQL query. For more information about FQL que...
`limit`	number	No	The maximum records to return. [1-500]
`offset`	string	No	Starting index of overall result set from which to return ids.
`sort`	string	No	The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

List Remediations Filter

SDK: falcon_complete_dashboard.QueryRemediationsFilter

Parameters:

Name	Type	Required	Description
`filter`	string	No	Optional filter and sort criteria in the form of an FQL query. For more information about FQL que...
`limit`	number	No	The maximum records to return. [1-500]
`offset`	string	No	Starting index of overall result set from which to return ids.
`sort`	string	No	The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

Foundry Logscale

Operations for Foundry Logscale

Operations

Operation	Name	Description
`create_saved_searches_dynamic_execute_alt_`	Create Saved Searches Dynamic Execute Alt	SDK: foundry_logscale.CreateSavedSearchesDynamicExecuteAltV1
`create_saved_searches_execute_alt_`	Create Saved Searches Execute Alt	SDK: foundry_logscale.CreateSavedSearchesExecuteAltV1
`create_saved_searches_ingest_alt_`	Create Saved Searches Ingest Alt	SDK: foundry_logscale.CreateSavedSearchesIngestAltV1
`download_results`	Download Results	SDK: foundry_logscale.DownloadResults
`execute`	Execute	SDK: foundry_logscale.Execute
`execute_dynamic`	Execute Dynamic	SDK: foundry_logscale.ExecuteDynamic
`get_saved_searches_execute_alt_`	Get Saved Searches Execute Alt	SDK: foundry_logscale.GetSavedSearchesExecuteAltV1
`get_saved_searches_job_results_download_alt_`	Get Saved Searches Job Results Download Alt	SDK: foundry_logscale.GetSavedSearchesJobResultsDownloadAltV1
`get_search_results`	Get Search Results	SDK: foundry_logscale.GetSearchResults
`ingest_data`	Ingest Data	SDK: foundry_logscale.IngestData
`ingest_data_async_`	Ingest Data Async	SDK: foundry_logscale.IngestDataAsyncV1
`list_repos`	List Repos	SDK: foundry_logscale.ListRepos
`list_views`	List Views	SDK: foundry_logscale.ListViews
`populate`	Populate	SDK: foundry_logscale.Populate

Create Saved Searches Dynamic Execute Alt

SDK: foundry_logscale.CreateSavedSearchesDynamicExecuteAltV1

Parameters:

Name	Type	Required	Description
`end`	string	No	end. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`repo_or_view`	string	Yes	repo or view. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`search_query`	string	Yes	search query. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`start`	string	No	start. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "end": "<end>",
  "repo_or_view": "<repo_or_view>",
  "search_query": "<search_query>",
  "start": "<start>"
}

Create Saved Searches Execute Alt

SDK: foundry_logscale.CreateSavedSearchesExecuteAltV1

Parameters:

Name	Type	Required	Description
`end`	string	No	end. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	No
`mode`	string	No	mode. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	No	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`start`	string	No	start. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`version`	string	No	version. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`with_in`	object	No	with in. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`with_limit`	object	No	with limit. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`with_renames`	object	Yes	with renames. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`with_sort`	object	No	with sort. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "end": "<end>",
  "id": "<id>",
  "mode": "<mode>",
  "name": "<name>",
  "start": "<start>",
  "version": "<version>",
  "with_in": {},
  "with_limit": {},
  "with_renames": {},
  "with_sort": {}
}

Create Saved Searches Ingest Alt

SDK: foundry_logscale.CreateSavedSearchesIngestAltV1

Parameters:

Name	Type	Required	Description
`app_id`	string	No	Application ID.

Example:

{
  "app_id": "<app_id>"
}

Download Results

SDK: foundry_logscale.DownloadResults

Parameters:

Name	Type	Required	Description
`infer_json_types`	boolean	No	Whether to try to infer data types in json event response instead of returning map[string]string
`job_id`	string	No	Job ID for a previously executed async query
`result_format`	string	No	Result Format. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "infer_json_types": true,
  "job_id": "<job_id>",
  "result_format": "<result_format>"
}

Execute

SDK: foundry_logscale.Execute

Parameters:

Name	Type	Required	Description
`end`	string	No	end. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	No
`mode`	string	No	mode. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	No	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`start`	string	No	start. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`version`	string	No	version. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`with_in`	object	No	with in. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`with_limit`	object	No	with limit. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`with_renames`	object	Yes	with renames. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`with_sort`	object	No	with sort. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "end": "<end>",
  "id": "<id>",
  "mode": "<mode>",
  "name": "<name>",
  "start": "<start>",
  "version": "<version>",
  "with_in": {},
  "with_limit": {},
  "with_renames": {},
  "with_sort": {}
}

Execute Dynamic

SDK: foundry_logscale.ExecuteDynamic

Parameters:

Name	Type	Required	Description
`end`	string	No	end. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`repo_or_view`	string	Yes	repo or view. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`search_query`	string	Yes	search query. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`start`	string	No	start. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "end": "<end>",
  "repo_or_view": "<repo_or_view>",
  "search_query": "<search_query>",
  "start": "<start>"
}

Get Saved Searches Execute Alt

SDK: foundry_logscale.GetSavedSearchesExecuteAltV1

Parameters:

Name	Type	Required	Description
`xcsuseruuid`	string	No	Requester UUID.
`app_id`	string	No	Application ID.
`infer_json_types`	boolean	No	Whether to try to infer data types in json event response instead of returning map[string]string
`job_id`	string	No	Job ID for a previously executed async query
`job_status_only`	boolean	No	If set to true, result rows are dropped from the response and only the job status is returned
`limit`	string	No	Maximum number of records to return.
`match_response_schema`	boolean	No	Whether to validate search results against their schema
`metadata`	boolean	No	Whether to include metadata in the response
`offset`	string	No	Starting pagination offset of records to return.

Example:

{
  "xcsuseruuid": "<xcsuseruuid>",
  "app_id": "<app_id>",
  "infer_json_types": true,
  "job_id": "<job_id>",
  "job_status_only": true,
  "limit": "<limit>",
  "match_response_schema": true,
  "metadata": true,
  "offset": "<offset>"
}

Get Saved Searches Job Results Download Alt

SDK: foundry_logscale.GetSavedSearchesJobResultsDownloadAltV1

Parameters:

Name	Type	Required	Description
`infer_json_types`	boolean	No	Whether to try to infer data types in json event response instead of returning map[string]string
`job_id`	string	No	Job ID for a previously executed async query
`result_format`	string	No	Result Format. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "infer_json_types": true,
  "job_id": "<job_id>",
  "result_format": "<result_format>"
}

Get Search Results

SDK: foundry_logscale.GetSearchResults

Parameters:

Name	Type	Required	Description
`xcsuseruuid`	string	No	Requester UUID.
`app_id`	string	No	Application ID.
`infer_json_types`	boolean	No	Whether to try to infer data types in json event response instead of returning map[string]string
`job_id`	string	No	Job ID for a previously executed async query
`job_status_only`	boolean	No	If set to true, result rows are dropped from the response and only the job status is returned
`limit`	string	No	Maximum number of records to return.
`match_response_schema`	boolean	No	Whether to validate search results against their schema
`metadata`	boolean	No	Whether to include metadata in the response
`offset`	string	No	Starting pagination offset of records to return.

Example:

{
  "xcsuseruuid": "<xcsuseruuid>",
  "app_id": "<app_id>",
  "infer_json_types": true,
  "job_id": "<job_id>",
  "job_status_only": true,
  "limit": "<limit>",
  "match_response_schema": true,
  "metadata": true,
  "offset": "<offset>"
}

Ingest Data

SDK: foundry_logscale.IngestData

Parameters:

Name	Type	Required	Description
`data_content`	string	No	JSON data to ingest
`tag`	array	No	Custom tag for ingested data in the form tag:value
`tag_source`	string	No	Tag the data with the specified source
`test_data`	boolean	No	Tag the data with test-ingest

Example:

{
  "data_content": "<data_content>",
  "tag": ["<tag>"],
  "tag_source": "<tag_source>",
  "test_data": true
}

Ingest Data Async

SDK: foundry_logscale.IngestDataAsyncV1

Parameters:

Name	Type	Required	Description
`data_content`	string	No	JSON data to ingest
`repo`	string	No	Repository name if not part of a foundry app
`tag`	array	No	Custom tag for ingested data in the form tag:value
`tag_source`	string	No	Tag the data with the specified source
`test_data`	boolean	No	Tag the data with test-ingest

Example:

{
  "data_content": "<data_content>",
  "repo": "<repo>",
  "tag": ["<tag>"],
  "tag_source": "<tag_source>",
  "test_data": true
}

List Repos

SDK: foundry_logscale.ListRepos

Parameters:

Name	Type	Required	Description
`check_test_data`	boolean	No	Include whether test data is present in the application repository

Example:

{
  "check_test_data": true
}

List Views

SDK: foundry_logscale.ListViews

Parameters:

Name	Type	Required	Description
`check_test_data`	boolean	No	Include whether test data is present in the application repository

Example:

{
  "check_test_data": true
}

Populate

SDK: foundry_logscale.Populate

Parameters:

Name	Type	Required	Description
`app_id`	string	No	Application ID.

Example:

{
  "app_id": "<app_id>"
}

It Automation

Operations for It Automation

Operations

Operation	Name	Description
`itautomation_cancel_task_execution`	Itautomation Cancel Task Execution	SDK: it_automation.ITAutomationCancelTaskExecution
`itautomation_combined_scheduled_tasks`	Itautomation Combined Scheduled Tasks	SDK: it_automation.ITAutomationCombinedScheduledTasks
`itautomation_create_policy`	Itautomation Create Policy	SDK: it_automation.ITAutomationCreatePolicy
`itautomation_create_scheduled_task`	Itautomation Create Scheduled Task	SDK: it_automation.ITAutomationCreateScheduledTask
`itautomation_create_task`	Itautomation Create Task	SDK: it_automation.ITAutomationCreateTask
`itautomation_create_task_group`	Itautomation Create Task Group	SDK: it_automation.ITAutomationCreateTaskGroup
`itautomation_create_user_group`	Itautomation Create User Group	SDK: it_automation.ITAutomationCreateUserGroup
`itautomation_delete_policy`	Itautomation Delete Policy	SDK: it_automation.ITAutomationDeletePolicy
`itautomation_delete_scheduled_tasks`	Itautomation Delete Scheduled Tasks	SDK: it_automation.ITAutomationDeleteScheduledTasks
`itautomation_delete_task`	Itautomation Delete Task	SDK: it_automation.ITAutomationDeleteTask
`itautomation_delete_task_groups`	Itautomation Delete Task Groups	SDK: it_automation.ITAutomationDeleteTaskGroups
`itautomation_delete_user_group`	Itautomation Delete User Group	SDK: it_automation.ITAutomationDeleteUserGroup
`itautomation_get_associated_tasks`	Itautomation Get Associated Tasks	SDK: it_automation.ITAutomationGetAssociatedTasks
`itautomation_get_execution_results`	Itautomation Get Execution Results	SDK: it_automation.ITAutomationGetExecutionResults
`itautomation_get_execution_results_search_status`	Itautomation Get Execution Results Search Status	SDK: it_automation.ITAutomationGetExecutionResultsSearchStatus
`itautomation_get_policies`	Itautomation Get Policies	SDK: it_automation.ITAutomationGetPolicies
`itautomation_get_scheduled_tasks`	Itautomation Get Scheduled Tasks	SDK: it_automation.ITAutomationGetScheduledTasks
`itautomation_get_task_execution`	Itautomation Get Task Execution	SDK: it_automation.ITAutomationGetTaskExecution
`itautomation_get_task_execution_host_status`	Itautomation Get Task Execution Host Status	SDK: it_automation.ITAutomationGetTaskExecutionHostStatus
`itautomation_get_task_groups`	Itautomation Get Task Groups	SDK: it_automation.ITAutomationGetTaskGroups
`itautomation_get_tasks`	Itautomation Get Tasks	SDK: it_automation.ITAutomationGetTasks
`itautomation_get_user_group`	Itautomation Get User Group	SDK: it_automation.ITAutomationGetUserGroup
`itautomation_rerun_task_execution`	Itautomation Rerun Task Execution	SDK: it_automation.ITAutomationRerunTaskExecution
`itautomation_search_scheduled_tasks`	Itautomation Search Scheduled Tasks	SDK: it_automation.ITAutomationSearchScheduledTasks
`itautomation_search_task_executions`	Itautomation Search Task Executions	SDK: it_automation.ITAutomationSearchTaskExecutions
`itautomation_search_task_groups`	Itautomation Search Task Groups	SDK: it_automation.ITAutomationSearchTaskGroups
`itautomation_search_tasks`	Itautomation Search Tasks	SDK: it_automation.ITAutomationSearchTasks
`itautomation_search_user_group`	Itautomation Search User Group	SDK: it_automation.ITAutomationSearchUserGroup
`itautomation_start_execution_results_search`	Itautomation Start Execution Results Search	SDK: it_automation.ITAutomationStartExecutionResultsSearch
`itautomation_start_task_execution`	Itautomation Start Task Execution	SDK: it_automation.ITAutomationStartTaskExecution
`itautomation_update_policies`	Itautomation Update Policies	SDK: it_automation.ITAutomationUpdatePolicies
`itautomation_update_policies_precedence`	Itautomation Update Policies Precedence	SDK: it_automation.ITAutomationUpdatePoliciesPrecedence
`itautomation_update_policy_host_groups`	Itautomation Update Policy Host Groups	SDK: it_automation.ITAutomationUpdatePolicyHostGroups
`itautomation_update_scheduled_task`	Itautomation Update Scheduled Task	SDK: it_automation.ITAutomationUpdateScheduledTask
`itautomation_update_task`	Itautomation Update Task	SDK: it_automation.ITAutomationUpdateTask
`itautomation_update_task_group`	Itautomation Update Task Group	SDK: it_automation.ITAutomationUpdateTaskGroup
`itautomation_update_user_group`	Itautomation Update User Group	SDK: it_automation.ITAutomationUpdateUserGroup
`list_itautomation_policies`	List Itautomation Policies	SDK: it_automation.ITAutomationQueryPolicies
`list_itautomation_run_live`	List Itautomation Run Live	SDK: it_automation.ITAutomationRunLiveQuery
`list_itautomation_task_executions_by`	List Itautomation Task Executions By	SDK: it_automation.ITAutomationGetTaskExecutionsByQuery
`list_itautomation_task_groups_by`	List Itautomation Task Groups By	SDK: it_automation.ITAutomationGetTaskGroupsByQuery
`list_itautomation_tasks_by`	List Itautomation Tasks By	SDK: it_automation.ITAutomationGetTasksByQuery

Itautomation Cancel Task Execution

SDK: it_automation.ITAutomationCancelTaskExecution

Parameters:

Name	Type	Required	Description
`task_execution_id`	string	Yes	ID of the task execution to cancel. Example: f64b95555ef54ea682619ce880d267cc

Example:

{
  "task_execution_id": "<task_execution_id>"
}

Itautomation Combined Scheduled Tasks

SDK: it_automation.ITAutomationCombinedScheduledTasks

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results. Allowed filter fields: [created_b...
`limit`	number	No	The maximum records to return. Example: 50 Default: 100
`offset`	number	No	Starting index for record retrieval. Example: 100
`sort`	string	No	The sort expression that should be used to sort the results. Allowed sort fields: [created_by, cr...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Itautomation Create Policy

SDK: it_automation.ITAutomationCreatePolicy

Parameters:

Name	Type	Required	Description
`config`	object	No	Configuration settings for the policy
`description`	string	Yes	Description of the policy
`name`	string	No	The name of the policy
`platform`	string	Yes	The platform for the policy

Example:

{
  "config": {},
  "description": "<description>",
  "name": "<name>",
  "platform": "<platform>"
}

Itautomation Create Scheduled Task

SDK: it_automation.ITAutomationCreateScheduledTask

Parameters:

Name	Type	Required	Description
`discover_new_hosts`	boolean	No	Whether to discover new hosts for the scheduled task. Example: true
`discover_offline_hosts`	boolean	No	Whether to discover offline hosts for the scheduled task. Example: true
`distribute`	boolean	No	Whether to distribute the scheduled task. Example: true
`expiration_interval`	string	No	Duration for which the task stays active. Once expired, new and offline hosts won't be targeted. ...
`guardrails`	object	No	Safety limits for task execution
`is_active`	boolean	Yes	Whether the scheduled task is active. Example: true
`schedule`	object	Yes	Schedule details for the task execution
`scheduled_name`	string	No	Custom name for the scheduled task. Example: Weekly Security Scan
`target`	string	Yes	Filter expression to select target hosts. Example: platform_name:'Windows'
`task_id`	string	Yes	Unique identifier of the task to be scheduled. Example: f64b95555ef54ea682619ce880d267cc
`trigger_condition`	object	Yes	Conditions that trigger remediation actions

Example:

{
  "discover_new_hosts": true,
  "discover_offline_hosts": true,
  "distribute": true,
  "expiration_interval": "<expiration_interval>",
  "guardrails": {},
  "is_active": true,
  "schedule": {},
  "scheduled_name": "<scheduled_name>",
  "target": "<target>",
  "task_id": "<task_id>",
  "trigger_condition": {}
}

Itautomation Create Task

SDK: it_automation.ITAutomationCreateTask

Parameters:

Name	Type	Required	Description
`access_type`	string	Yes	Access type of the task
`assigned_user_group_ids`	array	Yes	Assigned user group IDs of the task, when access_type is Shared. Use GET /it-automation/queries/i...
`assigned_user_ids`	array	Yes	Assigned user IDs of the task, when access_type is Shared. Use GET /user-management/queries/users...
`composite_query`	object	No	Composite query configuration containing task IDs and host attributes for multi-task execution
`description`	string	No	Detailed description of what the task does. Example: User Table Validation Check
`name`	string	Yes	Name of the task. Example: OSQuery Check
`os_query`	string	No	OSQuery to execute. Example: select * from users
`output_parser_config`	object	No	Specifies the columns and delimiter used to parse script execution results
`queries`	object	No	Script queries to run per platform
`remediations`	object	No	Remediation scripts to run per platform
`rows_parser_config`	object	No	Configuration for parsing script output into multiple rows
`target`	string	Yes	Target filter in FQL format. Example: platform_name: 'Windows'
`task_group_id`	string	No	ID of the task group to associate this task with
`task_parameters`	object	Yes	Parameters for the task
`task_type`	string	Yes	Type of task
`trigger_condition`	object	Yes	Conditions that trigger remediation scripts execution
`verification_condition`	object	Yes	Conditions that verify the outcome of the remediation scripts execution

Example:

{
  "access_type": "<access_type>",
  "assigned_user_group_ids": ["<assigned_user_group_ids>"],
  "assigned_user_ids": ["<assigned_user_ids>"],
  "composite_query": {},
  "description": "<description>",
  "name": "<name>",
  "os_query": "<os_query>",
  "output_parser_config": {},
  "queries": {},
  "remediations": {},
  "rows_parser_config": {},
  "target": "<target>",
  "task_group_id": "<task_group_id>",
  "task_parameters": {},
  "task_type": "<task_type>",
  "trigger_condition": {},
  "verification_condition": {}
}

Itautomation Create Task Group

SDK: it_automation.ITAutomationCreateTaskGroup

Parameters:

Name	Type	Required	Description
`access_type`	string	Yes	Access type of the group
`assigned_user_group_ids`	array	Yes	Assigned user group IDs of the group, when access_type is Shared. Use GET /it-automation/queries/...
`assigned_user_ids`	array	Yes	Assigned user IDs of the group, when access_type is Shared. Use GET /user-management/queries/user...
`description`	string	No	Description of the task group
`name`	string	Yes	Name of the task group
`task_ids`	array	Yes	IDs of existing tasks to add to task group upon creation. Use PATCH /it-automation/entities/task-...

Example:

{
  "access_type": "<access_type>",
  "assigned_user_group_ids": ["<assigned_user_group_ids>"],
  "assigned_user_ids": ["<assigned_user_ids>"],
  "description": "<description>",
  "name": "<name>",
  "task_ids": ["<task_ids>"]
}

Itautomation Create User Group

SDK: it_automation.ITAutomationCreateUserGroup

Parameters:

Name	Type	Required	Description
`description`	string	No	Description of the user group
`name`	string	Yes	Name of the user group

Example:

{
  "description": "<description>",
  "name": "<name>"
}

Itautomation Delete Policy

SDK: it_automation.ITAutomationDeletePolicy

Parameters:

Name	Type	Required	Description
`ids`	array	No	list of task ids to delete

Example:

{
  "ids": ["<ids>"]
}

Itautomation Delete Scheduled Tasks

SDK: it_automation.ITAutomationDeleteScheduledTasks

Parameters:

Name	Type	Required	Description
`ids`	array	No	Comma separated values of scheduled task IDs to delete

Example:

{
  "ids": ["<ids>"]
}

Itautomation Delete Task

SDK: it_automation.ITAutomationDeleteTask

Parameters:

Name	Type	Required	Description
`ids`	array	No	IDs of tasks to delete. Use ITAutomationSearchTasks to fetch IDs

Example:

{
  "ids": ["<ids>"]
}

Itautomation Delete Task Groups

SDK: it_automation.ITAutomationDeleteTaskGroups

Parameters:

Name	Type	Required	Description
`ids`	array	No	Comma separated values of task group IDs to delete

Example:

{
  "ids": ["<ids>"]
}

Itautomation Delete User Group

SDK: it_automation.ITAutomationDeleteUserGroup

Parameters:

Name	Type	Required	Description
`ids`	array	No	Comma separated values of user group ids to delete

Example:

{
  "ids": ["<ids>"]
}

Itautomation Get Associated Tasks

SDK: it_automation.ITAutomationGetAssociatedTasks

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results. Allowed filter fields: [access_ty...
`id`	string	No	The ID of the file to fetch associated tasks for
`limit`	number	No	The maximum records to return. Example: 50 Default: 100
`offset`	number	No	Starting index for record retrieval. Example: 100
`sort`	string	No	The sort expression that should be used to sort the results. Allowed sort fields: [name]. Sort ei...

Example:

{
  "filter": "<filter>",
  "id": "<id>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Itautomation Get Execution Results

SDK: it_automation.ITAutomationGetExecutionResults

Parameters:

Name	Type	Required	Description
`id`	string	No	The Job ID to fetch. Use the value returned from `ITAutomationStartExecutionResultsSearch`
`limit`	number	No	The maximum number of event results to return Default: 500
`offset`	number	No	The offset to start retrieving records from
`sort`	string	No	Sort results by one of the fields in the event results, either asc (ascending) or desc (descendin...

Example:

{
  "id": "<id>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Itautomation Get Execution Results Search Status

SDK: it_automation.ITAutomationGetExecutionResultsSearchStatus

Parameters:

Name	Type	Required	Description
`id`	string	No	Search Job ID to fetch. UseITAutomationStartExecutionResultsSearch to get the job id

Example:

{
  "id": "<id>"
}

Itautomation Get Policies

SDK: it_automation.ITAutomationGetPolicies

Parameters:

Name	Type	Required	Description
`ids`	array	No	One or more (up to 500) policy ids in the form of `ids=ID1&ids=ID2`

Example:

{
  "ids": ["<ids>"]
}

Itautomation Get Scheduled Tasks

SDK: it_automation.ITAutomationGetScheduledTasks

Parameters:

Name	Type	Required	Description
`ids`	array	No	Scheduled task IDs to fetch. Use ITAutomationSearchScheduledTasks to fetch scheduled task IDs

Example:

{
  "ids": ["<ids>"]
}

Itautomation Get Task Execution

SDK: it_automation.ITAutomationGetTaskExecution

Parameters:

Name	Type	Required	Description
`ids`	array	No	Task execution IDs to fetch. Use ITAutomationSearchTaskExecutions to get the execution id

Example:

{
  "ids": ["<ids>"]
}

Itautomation Get Task Execution Host Status

SDK: it_automation.ITAutomationGetTaskExecutionHostStatus

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results. Allowed filter fields: [end_time,...
`ids`	array	No	Task execution IDs to get statuses for. Use ITAutomationSearchTaskExecutions to fetch execution IDs
`limit`	number	No	The maximum records to return. Example: 50 Default: 100
`offset`	number	No	Starting index for record retrieval. Example: 100
`sort`	string	No	The sort expression that should be used to sort the results. Allowed sort fields: [end_time, star...

Example:

{
  "filter": "<filter>",
  "ids": ["<ids>"],
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Itautomation Get Task Groups

SDK: it_automation.ITAutomationGetTaskGroups

Parameters:

Name	Type	Required	Description
`ids`	array	No	Comma separated values of task group ids to fetch

Example:

{
  "ids": ["<ids>"]
}

Itautomation Get Tasks

SDK: it_automation.ITAutomationGetTasks

Parameters:

Name	Type	Required	Description
`ids`	array	No	IDs of tasks to fetch. Use ITAutomationSearchTasks to fetch IDs

Example:

{
  "ids": ["<ids>"]
}

Itautomation Get User Group

SDK: it_automation.ITAutomationGetUserGroup

Parameters:

Name	Type	Required	Description
`ids`	array	No	Comma separated values of user group ids to fetch

Example:

{
  "ids": ["<ids>"]
}

Itautomation Rerun Task Execution

SDK: it_automation.ITAutomationRerunTaskExecution

Parameters:

Name	Type	Required	Description
`run_type`	string	Yes	Type of rerun. When set to hosts, re-run on same hosts again. When set to failed, re-run only on ...
`task_execution_id`	string	Yes	ID of the task execution to rerun. Example: f64b95555ef54ea682619ce880d267cc

Example:

{
  "run_type": "<run_type>",
  "task_execution_id": "<task_execution_id>"
}

Itautomation Search Scheduled Tasks

SDK: it_automation.ITAutomationSearchScheduledTasks

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results. Allowed filter fields: [created_b...
`limit`	number	No	The maximum records to return. Example: 50 Default: 100
`offset`	number	No	Starting index for record retrieval. Example: 100
`sort`	string	No	The sort expression that should be used to sort the results. Allowed sort fields: [created_by, cr...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Itautomation Search Task Executions

SDK: it_automation.ITAutomationSearchTaskExecutions

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results. Allowed filter fields: [end_time,...
`limit`	number	No	The maximum records to return. Example: 50 Default: 100
`offset`	number	No	Starting index for record retrieval. Example: 100
`sort`	string	No	The sort expression that should be used to sort the results. Allowed sort fields: [end_time, run_...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Itautomation Search Task Groups

SDK: it_automation.ITAutomationSearchTaskGroups

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results. Allowed filter fields: [access_ty...
`limit`	number	No	The maximum records to return. Example: 50 Default: 100
`offset`	number	No	Starting index for record retrieval. Example: 100
`sort`	string	No	The sort expression that should be used to sort the results. Allowed sort fields: [access_type, c...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Itautomation Search Tasks

SDK: it_automation.ITAutomationSearchTasks

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results. Allowed filter fields: [access_ty...
`limit`	number	No	The maximum records to return. Example: 50 Default: 100
`offset`	number	No	Starting index for record retrieval. Example: 100
`sort`	string	No	The sort expression that should be used to sort the results. Allowed sort fields: [access_type, c...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Itautomation Search User Group

SDK: it_automation.ITAutomationSearchUserGroup

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results. Allowed filter fields: [created_b...
`limit`	number	No	The maximum records to return. Example: 50 Default: 100
`offset`	number	No	Starting index for record retrieval. Example: 100
`sort`	string	No	The sort expression that should be used to sort the results. Allowed sort fields: [created_by, cr...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Itautomation Start Execution Results Search

SDK: it_automation.ITAutomationStartExecutionResultsSearch

Parameters:

Name	Type	Required	Description
`filter_expressions`	array	Yes	Filter expressions to limit results. Example: ["hostname:prod"]
`group_by_fields`	array	Yes	Fields to group results by. Example: ["hostname", "status"]
`search_end`	string	Yes	End time for the search period. Example: now
`search_start`	string	Yes	Start time for the search period. Example: -1d
`task_execution_id`	string	Yes	Unique identifier of the task execution to search. Example: f64b95555ef54ea682619ce880d267cc

Example:

{
  "filter_expressions": ["<filter_expressions>"],
  "group_by_fields": ["<group_by_fields>"],
  "search_end": "<search_end>",
  "search_start": "<search_start>",
  "task_execution_id": "<task_execution_id>"
}

Itautomation Start Task Execution

SDK: it_automation.ITAutomationStartTaskExecution

Parameters:

Name	Type	Required	Description
`discover_new_hosts`	boolean	No	Whether to discover new hosts for the scheduled task. Example: true
`discover_offline_hosts`	boolean	No	Whether to discover offline hosts for the scheduled task. Example: true
`distribute`	boolean	No	Whether to distribute the scheduled task. Example: true
`expiration_interval`	string	No	Duration for which the task stays active. Once expired, new and offline hosts won't be targeted. ...
`guardrails`	object	No	Execution guardrails and limits
`scheduled_task_id`	string	No	Unique identifier of existing scheduled task. Scheduled task fields override all other request fi...
`target`	string	No	Target filter in FQL format. Example: platform_name: 'Windows'
`task_id`	string	No	Unique identifier of existing saved task. Example: f64b95555ef54ea682619ce880d267cc
`trigger_condition`	object	Yes	Conditions that trigger remediation scripts execution

Example:

{
  "discover_new_hosts": true,
  "discover_offline_hosts": true,
  "distribute": true,
  "expiration_interval": "<expiration_interval>",
  "guardrails": {},
  "scheduled_task_id": "<scheduled_task_id>",
  "target": "<target>",
  "task_id": "<task_id>",
  "trigger_condition": {}
}

Itautomation Update Policies

SDK: it_automation.ITAutomationUpdatePolicies

Parameters:

Name	Type	Required	Description
`config`	object	No	Configuration settings for the policy
`description`	string	No	Description of the policy.Example: windows policy check
`id`	string	No	ID of the policy. Example: f64b95555ef54ea682619ce880d267cc
`is_enabled`	boolean	No	Whether the policy is enabled or disabled
`name`	string	No	Name of the policy. Example: platform_policy

Example:

{
  "config": {},
  "description": "<description>",
  "id": "<id>",
  "is_enabled": true,
  "name": "<name>"
}

Itautomation Update Policies Precedence

SDK: it_automation.ITAutomationUpdatePoliciesPrecedence

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	IDs of all the policy in precedence order for a give platform.

Example:

{
  "ids": ["<ids>"]
}

Itautomation Update Policy Host Groups

SDK: it_automation.ITAutomationUpdatePolicyHostGroups

Parameters:

Name	Type	Required	Description
`action`	string	Yes	The action to perform with the provided ids, must be one of: assign, unassign.
`host_group_ids`	array	Yes	The ids of the host groups on which to perform the action.
`policy_id`	string	Yes	The id of the policy on which to perform the action.

Example:

{
  "action": "<action>",
  "host_group_ids": ["<host_group_ids>"],
  "policy_id": "<policy_id>"
}

Itautomation Update Scheduled Task

SDK: it_automation.ITAutomationUpdateScheduledTask

Parameters:

Name	Type	Required	Description
`discover_new_hosts`	boolean	No	Whether to discover new hosts for the scheduled task. Example: true
`discover_offline_hosts`	boolean	No	Whether to discover offline hosts for the scheduled task. Example: true
`distribute`	boolean	No	Whether to distribute the scheduled task. Example: true
`expiration_interval`	string	No	Duration for which the task stays active. Once expired, new and offline hosts won't be targeted. ...
`guardrails`	object	No	Safety limits for task execution
`is_active`	boolean	No	Whether the scheduled task is active. Example: true
`schedule`	object	No	Schedule details for the task execution
`scheduled_name`	string	No	Custom name for the scheduled task. Example: Weekly Security Scan
`target`	string	No	Filter expression to select target hosts. Example: hostname:prod
`task_id`	string	No	Unique identifier of the task to be scheduled. Example: f64b95555ef54ea682619ce880d267cc
`trigger_condition`	object	Yes	Conditions that trigger remediation actions

Example:

{
  "discover_new_hosts": true,
  "discover_offline_hosts": true,
  "distribute": true,
  "expiration_interval": "<expiration_interval>",
  "guardrails": {},
  "is_active": true,
  "schedule": {},
  "scheduled_name": "<scheduled_name>",
  "target": "<target>",
  "task_id": "<task_id>",
  "trigger_condition": {}
}

Itautomation Update Task

SDK: it_automation.ITAutomationUpdateTask

Parameters:

Name	Type	Required	Description
`access_type`	string	No	Access type of the task
`add_assigned_user_group_ids`	array	Yes	User group IDs to add to the assigned user group IDs of the task, when access_type is Shared. Use...
`add_assigned_user_ids`	array	Yes	User IDs to add to the assigned user IDs of the task, when access_type is Shared. Use GET /user-m...
`composite_query`	object	No	Composite query configuration containing task IDs and host attributes for multi-task execution
`description`	string	No	Detailed description of what the task does. Example: User Table Validation Check
`name`	string	No	Name of the task. Example: OSQuery Check
`os_query`	string	No	OSQuery to execute. Example: select * from users
`output_parser_config`	object	No	Specifies the columns and delimiter used to parse script execution results
`queries`	object	No	Script queries to run per platform
`remediations`	object	No	Remediation scripts to run per platform
`remove_assigned_user_group_ids`	array	Yes	User group IDs to remove from the assigned user group IDs of the task, when access_type is Shared...
`remove_assigned_user_ids`	array	Yes	User IDs to remove from the assigned user IDs of the task, when access_type is Shared. Use GET /u...
`rows_parser_config`	object	No	Configuration for parsing script output into multiple rows
`target`	string	No	Target filter in FQL format. Example: platform_name: 'Windows'
`task_group_id`	string	No	ID of the task group to associate this task with
`task_parameters`	object	Yes	Parameters for the task
`task_type`	string	No	Type of task
`trigger_condition`	object	Yes	Conditions that trigger remediation scripts execution
`verification_condition`	object	Yes	Conditions that verify the outcome of the remediation scripts execution

Example:

{
  "access_type": "<access_type>",
  "add_assigned_user_group_ids": ["<add_assigned_user_group_ids>"],
  "add_assigned_user_ids": ["<add_assigned_user_ids>"],
  "composite_query": {},
  "description": "<description>",
  "name": "<name>",
  "os_query": "<os_query>",
  "output_parser_config": {},
  "queries": {},
  "remediations": {},
  "remove_assigned_user_group_ids": ["<remove_assigned_user_group_ids>"],
  "remove_assigned_user_ids": ["<remove_assigned_user_ids>"],
  "rows_parser_config": {},
  "target": "<target>",
  "task_group_id": "<task_group_id>",
  "task_parameters": {},
  "task_type": "<task_type>",
  "trigger_condition": {},
  "verification_condition": {}
}

Itautomation Update Task Group

SDK: it_automation.ITAutomationUpdateTaskGroup

Parameters:

Name	Type	Required	Description
`access_type`	string	No	Access type of the group
`add_assigned_user_group_ids`	array	Yes	User group IDs to add to the group, when access_type is Shared. Use GET /it-automation/queries/it...
`add_assigned_user_ids`	array	Yes	User IDs to add to the group, when access_type is Shared. Use GET /user-management/queries/users/...
`add_task_ids`	array	Yes	IDs of existing tasks to add to task group. Get task ids via GET /it-automation/queries/task-grou...
`description`	string	No	Description of the task group
`name`	string	No	Name of the task group
`remove_assigned_user_group_ids`	array	Yes	User group IDs to remove from the group, when access_type is Shared. Use GET /it-automation/queri...
`remove_assigned_user_ids`	array	Yes	User IDs to remove from the group, when access_type is Shared. Use GET /user-management/queries/u...
`remove_task_ids`	array	Yes	IDs of existing tasks to remove from task group. Get task ids via GET /it-automation/queries/task...

Example:

{
  "access_type": "<access_type>",
  "add_assigned_user_group_ids": ["<add_assigned_user_group_ids>"],
  "add_assigned_user_ids": ["<add_assigned_user_ids>"],
  "add_task_ids": ["<add_task_ids>"],
  "description": "<description>",
  "name": "<name>",
  "remove_assigned_user_group_ids": ["<remove_assigned_user_group_ids>"],
  "remove_assigned_user_ids": ["<remove_assigned_user_ids>"],
  "remove_task_ids": ["<remove_task_ids>"]
}

Itautomation Update User Group

SDK: it_automation.ITAutomationUpdateUserGroup

Parameters:

Name	Type	Required	Description
`add_user_ids`	array	Yes	IDs of the users being added to the user group
`description`	string	No	Description of the user group
`name`	string	No	Name of the user group
`remove_user_ids`	array	Yes	IDs of the users being removed from the user group

Example:

{
  "add_user_ids": ["<add_user_ids>"],
  "description": "<description>",
  "name": "<name>",
  "remove_user_ids": ["<remove_user_ids>"]
}

List Itautomation Policies

SDK: it_automation.ITAutomationQueryPolicies

Parameters:

Name	Type	Required	Description
`limit`	number	No	The maximum number of ids to return. Defaults to 100 if not specified. The maximum number of resu...
`offset`	number	No	The offset to start retrieving records from. Defaults to 0 if not specified.
`platform`	string	No	The platform of policies to retrieve
`sort`	string	No	Sort the returned ids based on one of the following properties: `precedence`, `created_timestamp`...

Example:

{
  "limit": 10,
  "offset": 10,
  "platform": "<platform>",
  "sort": "<sort>"
}

List Itautomation Run Live

SDK: it_automation.ITAutomationRunLiveQuery

Parameters:

Name	Type	Required	Description
`composite_query`	object	No	Specifies task ids and host attributes for composite querying
`discover_new_hosts`	boolean	No	Whether to discover new hosts for the scheduled task. Example: true
`discover_offline_hosts`	boolean	No	Whether to discover offline hosts for the scheduled task. Example: true
`distribute`	boolean	No	Whether to distribute the scheduled task. Example: true
`expiration_interval`	string	No	Duration for which the task stays active. Once expired, new and offline hosts won't be targeted. ...
`guardrails`	object	No	Execution guardrails and limits
`osquery`	string	No	OSQuery to execute. Example: select * from users
`output_parser_config`	object	No	Specifies columns and delimiter for parsing script execution results
`queries`	object	No	Script queries to run per platform
`rows_parser_config`	object	No	Configuration for parsing script output into multiple rows
`target`	string	Yes	Target filter in FQL format. Example: platform_name: 'Windows'

Example:

{
  "composite_query": {},
  "discover_new_hosts": true,
  "discover_offline_hosts": true,
  "distribute": true,
  "expiration_interval": "<expiration_interval>",
  "guardrails": {},
  "osquery": "<osquery>",
  "output_parser_config": {},
  "queries": {},
  "rows_parser_config": {},
  "target": "<target>"
}

List Itautomation Task Executions By

SDK: it_automation.ITAutomationGetTaskExecutionsByQuery

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results. Allowed filter fields: [end_time,...
`limit`	number	No	The maximum records to return. Example: 50 Default: 100
`offset`	number	No	Starting index for record retrieval. Example: 100
`sort`	string	No	The sort expression that should be used to sort the results. Allowed sort fields: [end_time, run_...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Itautomation Task Groups By

SDK: it_automation.ITAutomationGetTaskGroupsByQuery

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results. Allowed filter fields: [access_ty...
`limit`	number	No	The maximum records to return. Example: 50 Default: 100
`offset`	number	No	Starting index for record retrieval. Example: 100
`sort`	string	No	The sort expression that should be used to sort the results. Allowed sort fields: [access_type, c...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Itautomation Tasks By

SDK: it_automation.ITAutomationGetTasksByQuery

Parameters:

Name	Type	Required	Description
`filter`	string	No	The filter expression that should be used to limit the results. Allowed filter fields: [access_ty...
`limit`	number	No	The maximum records to return. Example: 50 Default: 100
`offset`	number	No	Starting index for record retrieval. Example: 100
`sort`	string	No	The sort expression that should be used to sort the results. Allowed sort fields: [access_type, c...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Lookup Files

Operations for Lookup Files

Operations

Operation	Name	Description
`create_file_`	Create File	SDK: lookup_files.CreateFileV1
`update_file_`	Update File	SDK: lookup_files.UpdateFileV1

Create File

SDK: lookup_files.CreateFileV1

Parameters:

Name	Type	Required	Description
`xcsusername`	string	No	Requester Username.
`xcsuseruuid`	string	No	Requester UUID.
`description`	string	No	File description
`id`	string	No	Unique identifier of the file being updated.
`name`	string	No	Name used to identify the file
`repo`	string	No	Name of repository or view to save the file

Example:

{
  "xcsusername": "<xcsusername>",
  "xcsuseruuid": "<xcsuseruuid>",
  "description": "<description>",
  "id": "<id>",
  "name": "<name>",
  "repo": "<repo>"
}

Update File

SDK: lookup_files.UpdateFileV1

Parameters:

Name	Type	Required	Description
`xcsusername`	string	No	Requester Username.
`xcsuseruuid`	string	No	Requester UUID.
`description`	string	No	File description
`id`	string	No	Unique identifier of the file being updated.

Example:

{
  "xcsusername": "<xcsusername>",
  "xcsuseruuid": "<xcsuseruuid>",
  "description": "<description>",
  "id": "<id>"
}

Message Center

Operations for Message Center

Operations

Operation	Name	Description
`aggregate_cases`	Aggregate Cases	SDK: message_center.AggregateCases
`case_add_activity`	Case Add Activity	SDK: message_center.CaseAddActivity
`case_add_attachment`	Case Add Attachment	SDK: message_center.CaseAddAttachment
`case_download_attachment`	Case Download Attachment	SDK: message_center.CaseDownloadAttachment
`create_case_v2`	Create Case V2	SDK: message_center.CreateCaseV2
`get`	Get	SDK: message_center.GetCaseEntitiesByIDs
`get_case_activity_by_ids`	Get Case Activity By Ids	SDK: message_center.GetCaseActivityByIds
`list_activity_by_case_id`	List Activity By Case Id	SDK: message_center.QueryActivityByCaseID
`list_cases_ids_by_filter`	List Cases Ids By Filter	SDK: message_center.QueryCasesIdsByFilter

Aggregate Cases

SDK: message_center.AggregateCases

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Case Add Activity

SDK: message_center.CaseAddActivity

Parameters:

Name	Type	Required	Description
`body`	string	Yes	body. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`case_id`	string	Yes	case id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`type`	string	Yes	type. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`user_uuid`	string	Yes	user uuid. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": "<body>",
  "case_id": "<case_id>",
  "type": "<type>",
  "user_uuid": "<user_uuid>"
}

Case Add Attachment

SDK: message_center.CaseAddAttachment

Parameters:

Name	Type	Required	Description
`case_id`	string	No	Case ID. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`user_uuid`	string	No	User UUID. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "case_id": "<case_id>",
  "user_uuid": "<user_uuid>"
}

Case Download Attachment

SDK: message_center.CaseDownloadAttachment

Parameters:

Name	Type	Required	Description
`id`	string	No	attachment ID

Example:

{
  "id": "<id>"
}

Create Case V2

SDK: message_center.CreateCaseV2

Parameters:

Name	Type	Required	Description
`body`	string	Yes	body. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`detections`	object	Yes	detections. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`incidents`	object	Yes	incidents. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`malware_submission_id`	string	Yes	malware submission id
`recon_rule_type`	string	Yes	recon rule type. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`title`	string	Yes	title. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`type`	string	Yes	type. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`user_uuid`	string	No	user uuid. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": "<body>",
  "detections": {},
  "incidents": {},
  "malware_submission_id": "<malware_submission_id>",
  "recon_rule_type": "<recon_rule_type>",
  "title": "<title>",
  "type": "<type>",
  "user_uuid": "<user_uuid>"
}

Get

SDK: message_center.GetCaseEntitiesByIDs

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Get Case Activity By Ids

SDK: message_center.GetCaseActivityByIds

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

List Activity By Case Id

SDK: message_center.QueryActivityByCaseID

Parameters:

Name	Type	Required	Description
`case_id`	string	No	Case ID. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`filter`	string	No	Optional filter and sort criteria in the form of an FQL query. Allowed filters are: activity.crea...
`limit`	number	No	The maximum records to return. [1-500]
`offset`	number	No	Starting index of overall result set from which to return ids.
`sort`	string	No	The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "...

Example:

{
  "case_id": "<case_id>",
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Cases Ids By Filter

SDK: message_center.QueryCasesIdsByFilter

Parameters:

Name	Type	Required	Description
`filter`	string	No	case.assigner.display_name case.assigner.first_name case.assigner.last_name case.assigner.uid cas...
`limit`	number	No	The maximum records to return. [1-500]
`offset`	number	No	Starting index of overall result set from which to return ids.
`sort`	string	No	The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Mssp

Operations for Mssp

Operations

Operation	Name	Description
`add_cidgroup_members`	Add Cidgroup Members	SDK: mssp.AddCIDGroupMembers
`add_role`	Add Role	SDK: mssp.AddRole
`add_user_group_members`	Add User Group Members	SDK: mssp.AddUserGroupMembers
`create_cidgroups`	Create Cidgroups	SDK: mssp.CreateCIDGroups
`create_user_groups`	Create User Groups	SDK: mssp.CreateUserGroups
`delete_cidgroup_members`	Delete Cidgroup Members	SDK: mssp.DeleteCIDGroupMembers
`delete_cidgroup_members_v2`	Delete Cidgroup Members V2	SDK: mssp.DeleteCIDGroupMembersV2
`delete_cidgroups`	Delete Cidgroups	SDK: mssp.DeleteCIDGroups
`delete_d_roles`	Delete D Roles	SDK: mssp.DeletedRoles
`delete_user_group_members`	Delete User Group Members	SDK: mssp.DeleteUserGroupMembers
`delete_user_groups`	Delete User Groups	SDK: mssp.DeleteUserGroups
`get_children`	Get Children	SDK: mssp.GetChildren
`get_children_v2`	Get Children V2	SDK: mssp.GetChildrenV2
`get_cidgroup_by_id`	Get Cidgroup By Id	SDK: mssp.GetCIDGroupByID
`get_cidgroup_by_idv2`	Get Cidgroup By Idv2	SDK: mssp.GetCIDGroupByIDV2
`get_cidgroup_members_by`	Get Cidgroup Members By	SDK: mssp.GetCIDGroupMembersBy
`get_cidgroup_members_by_v2`	Get Cidgroup Members By V2	SDK: mssp.GetCIDGroupMembersByV2
`get_roles_by_id`	Get Roles By Id	SDK: mssp.GetRolesByID
`get_user_group_members_by_id`	Get User Group Members By Id	SDK: mssp.GetUserGroupMembersByID
`get_user_group_members_by_idv2`	Get User Group Members By Idv2	SDK: mssp.GetUserGroupMembersByIDV2
`get_user_groups_by_id`	Get User Groups By Id	SDK: mssp.GetUserGroupsByID
`get_user_groups_by_idv2`	Get User Groups By Idv2	SDK: mssp.GetUserGroupsByIDV2
`list_children`	List Children	SDK: mssp.QueryChildren
`list_cidgroup_members`	List Cidgroup Members	SDK: mssp.QueryCIDGroupMembers
`list_cidgroups`	List Cidgroups	SDK: mssp.QueryCIDGroups
`list_roles`	List Roles	SDK: mssp.QueryRoles
`list_user_group_members`	List User Group Members	SDK: mssp.QueryUserGroupMembers
`list_user_groups`	List User Groups	SDK: mssp.QueryUserGroups
`update_cidgroups`	Update Cidgroups	SDK: mssp.UpdateCIDGroups
`update_user_groups`	Update User Groups	SDK: mssp.UpdateUserGroups

Add Cidgroup Members

SDK: mssp.AddCIDGroupMembers

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Add Role

SDK: mssp.AddRole

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Add User Group Members

SDK: mssp.AddUserGroupMembers

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Create Cidgroups

SDK: mssp.CreateCIDGroups

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Create User Groups

SDK: mssp.CreateUserGroups

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Delete Cidgroup Members

SDK: mssp.DeleteCIDGroupMembers

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Delete Cidgroup Members V2

SDK: mssp.DeleteCIDGroupMembersV2

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Delete Cidgroups

SDK: mssp.DeleteCIDGroups

Parameters:

Name	Type	Required	Description
`cid_group_ids`	array	No	CID group ids to delete

Example:

{
  "cid_group_ids": ["<cid_group_ids>"]
}

Delete D Roles

SDK: mssp.DeletedRoles

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Delete User Group Members

SDK: mssp.DeleteUserGroupMembers

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Delete User Groups

SDK: mssp.DeleteUserGroups

Parameters:

Name	Type	Required	Description
`user_group_ids`	array	No	User group IDs to delete

Example:

{
  "user_group_ids": ["<user_group_ids>"]
}

Get Children

SDK: mssp.GetChildren

Parameters:

Name	Type	Required	Description
`ids`	array	No	CID of a child customer

Example:

{
  "ids": ["<ids>"]
}

Get Children V2

SDK: mssp.GetChildrenV2

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Get Cidgroup By Id

SDK: mssp.GetCIDGroupByID

Parameters:

Name	Type	Required	Description
`cid_group_ids`	array	No	CID group IDs to be searched on

Example:

{
  "cid_group_ids": ["<cid_group_ids>"]
}

Get Cidgroup By Idv2

SDK: mssp.GetCIDGroupByIDV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	CID group IDs to search for

Example:

{
  "ids": ["<ids>"]
}

Get Cidgroup Members By

SDK: mssp.GetCIDGroupMembersBy

Parameters:

Name	Type	Required	Description
`cid_group_ids`	array	No	CID group IDs to search for

Example:

{
  "cid_group_ids": ["<cid_group_ids>"]
}

Get Cidgroup Members By V2

SDK: mssp.GetCIDGroupMembersByV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	CID group IDs search for

Example:

{
  "ids": ["<ids>"]
}

Get Roles By Id

SDK: mssp.GetRolesByID

Parameters:

Name	Type	Required	Description
`ids`	array	No	Link ID is a string consisting of multiple components, but should be treated as opaque.

Example:

{
  "ids": ["<ids>"]
}

Get User Group Members By Id

SDK: mssp.GetUserGroupMembersByID

Parameters:

Name	Type	Required	Description
`user_group_ids`	array	No	User group IDs to search for

Example:

{
  "user_group_ids": ["<user_group_ids>"]
}

Get User Group Members By Idv2

SDK: mssp.GetUserGroupMembersByIDV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	User group IDs to search for

Example:

{
  "ids": ["<ids>"]
}

Get User Groups By Id

SDK: mssp.GetUserGroupsByID

Parameters:

Name	Type	Required	Description
`user_group_ids`	array	No	User Group IDs to search for

Example:

{
  "user_group_ids": ["<user_group_ids>"]
}

Get User Groups By Idv2

SDK: mssp.GetUserGroupsByIDV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	User group IDs to search for

Example:

{
  "ids": ["<ids>"]
}

List Children

SDK: mssp.QueryChildren

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter using a query in Falcon Query Language (FQL). Supported filters: cid
`limit`	number	No	Number of ids to return Default: 10
`offset`	number	No	Starting index of overall result set from which to return ids
`sort`	string	No	The sort expression used to sort the results Default: "last_modified_timestamp

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Cidgroup Members

SDK: mssp.QueryCIDGroupMembers

Parameters:

Name	Type	Required	Description
`cid`	string	No	CID to lookup associated CID group ID
`limit`	number	No	Maximum number of results to return Default: 10
`offset`	number	No	Starting index of overall result set from which to return id
`sort`	string	No	The sort expression used to sort the results Default: "last_modified_timestamp

Example:

{
  "cid": "<cid>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Cidgroups

SDK: mssp.QueryCIDGroups

Parameters:

Name	Type	Required	Description
`limit`	number	No	Maximum number of results to return Default: 10
`name`	string	No	Name to lookup groups for
`offset`	number	No	Starting index of overall result set from which to return ids
`sort`	string	No	The sort expression used to sort the results Default: "name

Example:

{
  "limit": 10,
  "name": "<name>",
  "offset": 10,
  "sort": "<sort>"
}

List Roles

SDK: mssp.QueryRoles

Parameters:

Name	Type	Required	Description
`cid_group_id`	string	No	CID group ID to fetch MSSP role for
`limit`	number	No	Maximum number of results to return Default: 10
`offset`	number	No	Starting index of overall result set from which to return ids
`role_id`	string	No	Role ID to fetch MSSP role for
`sort`	string	No	The sort expression used to sort the results Default: "last_modified_timestamp
`user_group_id`	string	No	User group ID to fetch MSSP role for

Example:

{
  "cid_group_id": "<cid_group_id>",
  "limit": 10,
  "offset": 10,
  "role_id": "<role_id>",
  "sort": "<sort>",
  "user_group_id": "<user_group_id>"
}

List User Group Members

SDK: mssp.QueryUserGroupMembers

Parameters:

Name	Type	Required	Description
`limit`	number	No	Number of ids to return Default: 10
`offset`	number	No	Starting index of overall result set from which to return ids
`sort`	string	No	The sort expression used to sort the results Default: "last_modified_timestamp
`user_uuid`	string	No	User UUID to lookup associated user group ID

Example:

{
  "limit": 10,
  "offset": 10,
  "sort": "<sort>",
  "user_uuid": "<user_uuid>"
}

List User Groups

SDK: mssp.QueryUserGroups

Parameters:

Name	Type	Required	Description
`limit`	number	No	Maximum number of results to return Default: 10
`name`	string	No	Name to lookup groups for
`offset`	number	No	Starting index of overall result set from which to return ids
`sort`	string	No	The sort expression used to sort the results Default: "name

Example:

{
  "limit": 10,
  "name": "<name>",
  "offset": 10,
  "sort": "<sort>"
}

Update Cidgroups

SDK: mssp.UpdateCIDGroups

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Update User Groups

SDK: mssp.UpdateUserGroups

Parameters:

Name	Type	Required	Description
`resources`	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

Ngsiem

Operations for Ngsiem

Operations

Operation	Name	Description
`create_dashboard_from_template`	Create Dashboard From Template	SDK: ngsiem.CreateDashboardFromTemplate
`create_lookup_file`	Create Lookup File	SDK: ngsiem.CreateLookupFile
`create_parser`	Create Parser	SDK: ngsiem.CreateParser
`create_parser_from_template`	Create Parser From Template	SDK: ngsiem.CreateParserFromTemplate
`delete_dashboard`	Delete Dashboard	SDK: ngsiem.DeleteDashboard
`delete_lookup_file`	Delete Lookup File	SDK: ngsiem.DeleteLookupFile
`delete_parser`	Delete Parser	SDK: ngsiem.DeleteParser
`get_dashboard_template`	Get Dashboard Template	SDK: ngsiem.GetDashboardTemplate
`get_lookup_`	Get Lookup	SDK: ngsiem.GetLookupV1
`get_lookup_file`	Get Lookup File	SDK: ngsiem.GetLookupFile
`get_lookup_from_package_`	Get Lookup From Package	SDK: ngsiem.GetLookupFromPackageV1
`get_lookup_from_package_with_namespace_`	Get Lookup From Package With Namespace	SDK: ngsiem.GetLookupFromPackageWithNamespaceV1
`get_parser`	Get Parser	SDK: ngsiem.GetParser
`get_parser_template`	Get Parser Template	SDK: ngsiem.GetParserTemplate
`get_search_status_`	Get Search Status	SDK: ngsiem.GetSearchStatusV1
`list_create_saved`	List Create Saved	SDK: ngsiem.CreateSavedQuery
`list_dashboards`	List Dashboards	SDK: ngsiem.ListDashboards
`list_delete_saved`	List Delete Saved	SDK: ngsiem.DeleteSavedQuery
`list_lookup_files`	List Lookup Files	SDK: ngsiem.ListLookupFiles
`list_parsers`	List Parsers	SDK: ngsiem.ListParsers
`list_saved_queries`	List Saved Queries	SDK: ngsiem.ListSavedQueries
`list_saved_template`	List Saved Template	SDK: ngsiem.GetSavedQueryTemplate
`list_update_saved_from_template`	List Update Saved From Template	SDK: ngsiem.UpdateSavedQueryFromTemplate
`start_search_`	Start Search	SDK: ngsiem.StartSearchV1
`stop_search_`	Stop Search	SDK: ngsiem.StopSearchV1
`update_dashboard_from_template`	Update Dashboard From Template	SDK: ngsiem.UpdateDashboardFromTemplate
`update_lookup_file`	Update Lookup File	SDK: ngsiem.UpdateLookupFile
`update_parser`	Update Parser	SDK: ngsiem.UpdateParser
`upload_lookup_`	Upload Lookup	SDK: ngsiem.UploadLookupV1

Create Dashboard From Template

SDK: ngsiem.CreateDashboardFromTemplate

Parameters:

Name	Type	Required	Description
`name`	string	No	name of the dashboard
`search_domain`	string	No	name of search domain (view or repo), options; all, falcon, third-party
`yaml_template`	string	No	LogScale dashboard YAML template content, see schema at https:schemas.humio.com/

Example:

{
  "name": "<name>",
  "search_domain": "<search_domain>",
  "yaml_template": "<yaml_template>"
}

Create Lookup File

SDK: ngsiem.CreateLookupFile

Parameters:

Name	Type	Required	Description
`file`	string	No	file content to upload
`filename`	string	No	Filename of the lookup file to create
`search_domain`	string	No	name of search domain (view or repo), options; all, falcon, third-party, parsers-repository

Example:

{
  "file": "<file>",
  "filename": "<filename>",
  "search_domain": "<search_domain>"
}

Create Parser

SDK: ngsiem.CreateParser

Parameters:

Name	Type	Required	Description
`fields_to_be_removed_before_parsing`	array	Yes	A list of fields that will be removed from the event before it's parsed. These fields will not be...
`fields_to_tag`	array	Yes	A list of fields that should be used for sharding. See https:library.humio.com/stable/docs/parser...
`name`	string	Yes	The name of parser template
`repository`	string	Yes	The name of the repository where the parser will be created
`script`	string	Yes	The parser script that transforms the input into events. Humio Language v1
`test_cases`	object	Yes	A list of tests that the parser can be tested against

Example:

{
  "fields_to_be_removed_before_parsing": ["<fields_to_be_removed_before_parsing>"],
  "fields_to_tag": ["<fields_to_tag>"],
  "name": "<name>",
  "repository": "<repository>",
  "script": "<script>",
  "test_cases": {}
}

Create Parser From Template

SDK: ngsiem.CreateParserFromTemplate

Parameters:

Name	Type	Required	Description
`name`	string	No	name of the parser. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/ope...
`repository`	string	No	name of repository, options; parsers-repository
`yaml_template`	string	No	LogScale Parser YAML template content, see schema at https:schemas.humio.com/

Example:

{
  "name": "<name>",
  "repository": "<repository>",
  "yaml_template": "<yaml_template>"
}

Delete Dashboard

SDK: ngsiem.DeleteDashboard

Parameters:

Name	Type	Required	Description
`ids`	string	No	dashboard ID value
`search_domain`	string	No	name of search domain (view or repo), options; all, falcon, third-party

Example:

{
  "ids": "<ids>",
  "search_domain": "<search_domain>"
}

Delete Lookup File

SDK: ngsiem.DeleteLookupFile

Parameters:

Name	Type	Required	Description
`filename`	string	No	lookup file filename
`search_domain`	string	No	name of search domain (view or repo), options; all, falcon, third-party, parsers-repository

Example:

{
  "filename": "<filename>",
  "search_domain": "<search_domain>"
}

Delete Parser

SDK: ngsiem.DeleteParser

Parameters:

Name	Type	Required	Description
`ids`	string	No	parser ID value
`repository`	string	No	name of repository, options; parsers-repository

Example:

{
  "ids": "<ids>",
  "repository": "<repository>"
}

Get Dashboard Template

SDK: ngsiem.GetDashboardTemplate

Parameters:

Name	Type	Required	Description
`ids`	string	No	dashboard ID value
`search_domain`	string	No	name of search domain (view or repo), options; all, falcon, third-party, dashboards

Example:

{
  "ids": "<ids>",
  "search_domain": "<search_domain>"
}

Get Lookup

SDK: ngsiem.GetLookupV1

Parameters:

Name	Type	Required	Description
`filename`	string	No	name of lookup file
`repository`	string	No	name of repository

Example:

{
  "filename": "<filename>",
  "repository": "<repository>"
}

Get Lookup File

SDK: ngsiem.GetLookupFile

Parameters:

Name	Type	Required	Description
`filename`	string	No	lookup file filename
`search_domain`	string	No	name of search domain (view or repo), options; all, falcon, third-party, dashboards, parsers-repo...

Example:

{
  "filename": "<filename>",
  "search_domain": "<search_domain>"
}

Get Lookup From Package

SDK: ngsiem.GetLookupFromPackageV1

Parameters:

Name	Type	Required	Description
`filename`	string	No	name of lookup file
`package`	string	No	name of package
`repository`	string	No	name of repository

Example:

{
  "filename": "<filename>",
  "package": "<package>",
  "repository": "<repository>"
}

Get Lookup From Package With Namespace

SDK: ngsiem.GetLookupFromPackageWithNamespaceV1

Parameters:

Name	Type	Required	Description
`filename`	string	No	name of lookup file
`namespace`	string	No	name of namespace
`package`	string	No	name of package
`repository`	string	No	name of repository

Example:

{
  "filename": "<filename>",
  "namespace": "<namespace>",
  "package": "<package>",
  "repository": "<repository>"
}

Get Parser

SDK: ngsiem.GetParser

Parameters:

Name	Type	Required	Description
`ids`	string	No	parser ID value
`repository`	string	No	name of repository, options; parsers-repository

Example:

{
  "ids": "<ids>",
  "repository": "<repository>"
}

Get Parser Template

SDK: ngsiem.GetParserTemplate

Parameters:

Name	Type	Required	Description
`ids`	string	No	parser ID value
`repository`	string	No	name of repository, options; parsers-repository

Example:

{
  "ids": "<ids>",
  "repository": "<repository>"
}

Get Search Status

SDK: ngsiem.GetSearchStatusV1

Parameters:

Name	Type	Required	Description
`id`	string	No	id of query. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`repository`	string	No	name of repository

Example:

{
  "id": "<id>",
  "repository": "<repository>"
}

List Create Saved

SDK: ngsiem.CreateSavedQuery

Parameters:

Name	Type	Required	Description
`search_domain`	string	No	name of search domain (view or repo), options; all, falcon, third-party
`yaml_template`	string	No	LogScale Saved Query YAML template content, see schema at https:schemas.humio.com/

Example:

{
  "search_domain": "<search_domain>",
  "yaml_template": "<yaml_template>"
}

List Dashboards

SDK: ngsiem.ListDashboards

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL filter to apply to the name of the content, only currently support text match on name field: ...
`limit`	string	No	maximum number of results to return Default: "50"
`offset`	string	No	number of results to offset the returned results by Default: "0"
`search_domain`	string	No	name of search domain (view or repo), options; all, falcon, third-party, dashboards

Example:

{
  "filter": "<filter>",
  "limit": "<limit>",
  "offset": "<offset>",
  "search_domain": "<search_domain>"
}

List Delete Saved

SDK: ngsiem.DeleteSavedQuery

Parameters:

Name	Type	Required	Description
`ids`	string	No	saved query ID value
`search_domain`	string	No	name of search domain (view or repo), options; all, falcon, third-party

Example:

{
  "ids": "<ids>",
  "search_domain": "<search_domain>"
}

List Lookup Files

SDK: ngsiem.ListLookupFiles

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL filter to apply to the name of the content, only currently support text match on name field: ...
`limit`	string	No	maximum number of results to return Default: "50"
`offset`	string	No	number of results to offset the returned results by Default: "0"
`search_domain`	string	No	name of search domain (view or repo), options; all, falcon, third-party, dashboards, parsers-repo...

Example:

{
  "filter": "<filter>",
  "limit": "<limit>",
  "offset": "<offset>",
  "search_domain": "<search_domain>"
}

List Parsers

SDK: ngsiem.ListParsers

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL filter to apply to the name of the content, only currently support text match on name field: ...
`limit`	string	No	maximum number of results to return Default: "50"
`offset`	string	No	number of results to offset the returned results by Default: "0"
`repository`	string	No	name of repository, options; parsers-repository

Example:

{
  "filter": "<filter>",
  "limit": "<limit>",
  "offset": "<offset>",
  "repository": "<repository>"
}

List Saved Queries

SDK: ngsiem.ListSavedQueries

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL filter to apply to the name of the content, only currently support text match on name field: ...
`limit`	string	No	maximum number of results to return Default: "50"
`offset`	string	No	number of results to offset the returned results by Default: "0"
`search_domain`	string	No	name of search domain (view or repo), options; all, falcon, third-party, dashboards

Example:

{
  "filter": "<filter>",
  "limit": "<limit>",
  "offset": "<offset>",
  "search_domain": "<search_domain>"
}

List Saved Template

SDK: ngsiem.GetSavedQueryTemplate

Parameters:

Name	Type	Required	Description
`ids`	string	No	saved query ID value
`search_domain`	string	No	name of search domain (view or repo), options; all, falcon, third-party, dashboards

Example:

{
  "ids": "<ids>",
  "search_domain": "<search_domain>"
}

List Update Saved From Template

SDK: ngsiem.UpdateSavedQueryFromTemplate

Parameters:

Name	Type	Required	Description
`ids`	string	No	id of the dashboard
`search_domain`	string	No	name of search domain (view or repo), options; all, falcon, third-party
`yaml_template`	string	No	LogScale Saved Query YAML template content, see schema at https:schemas.humio.com/

Example:

{
  "ids": "<ids>",
  "search_domain": "<search_domain>",
  "yaml_template": "<yaml_template>"
}

Start Search

SDK: ngsiem.StartSearchV1

Parameters:

Name	Type	Required	Description
`allowEventSkipping`	boolean	No	Enables some LogScale functions, such as head() and tail(), to stop processing all data in the se...
`around`	object	No	Find events that occurred around the time of a specific event.
`autobucketCount`	number	No	The number of buckets the system should create during live query searches, when no other explicit...
`end`	string	No	The date and time to use as the ending point of the search results
`ingestEnd`	string	No	The end date and time applied for @ingesttimestamp
`ingestStart`	string	No	The end date and time applied for @ingesttimestamp
`isLive`	boolean	No	Sets whether this query is live. Defaults to false . Live queries are continuously updated.
`queryString`	string	Yes	The CQL query to use for the search
`start`	string	No	The date and time to use as the starting point of the search results
`timeZone`	string	No	The time zone to use if start and end times are not specified in milliseconds. Eg: UTC
`timeZoneOffsetMinutes`	number	No	A positive or negative number representing how many minutes a given time zone is ahead or behind ...
`useIngestTime`	boolean	No	When set to true, the event’s ingestStart and ingestEnd times are used as the basis for the que...

Example:

{
  "allowEventSkipping": true,
  "around": {},
  "autobucketCount": 10,
  "end": "<end>",
  "ingestEnd": "<ingestEnd>",
  "ingestStart": "<ingestStart>",
  "isLive": true,
  "queryString": "<queryString>",
  "start": "<start>",
  "timeZone": "<timeZone>",
  "timeZoneOffsetMinutes": 10,
  "useIngestTime": true
}

Stop Search

SDK: ngsiem.StopSearchV1

Parameters:

Name	Type	Required	Description
`id`	string	No	id of query. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`repository`	string	No	name of repository

Example:

{
  "id": "<id>",
  "repository": "<repository>"
}

Update Dashboard From Template

SDK: ngsiem.UpdateDashboardFromTemplate

Parameters:

Name	Type	Required	Description
`ids`	string	No	id of the dashboard
`search_domain`	string	No	name of search domain (view or repo), options; all, falcon, third-party
`yaml_template`	string	No	LogScale dashboard YAML template content, see schema at https:schemas.humio.com/

Example:

{
  "ids": "<ids>",
  "search_domain": "<search_domain>",
  "yaml_template": "<yaml_template>"
}

Update Lookup File

SDK: ngsiem.UpdateLookupFile

Parameters:

Name	Type	Required	Description
`file`	string	No	file content to upload
`filename`	string	No	Filename of the lookup file to update
`search_domain`	string	No	name of search domain (view or repo), options; all, falcon, third-party, parsers-repository

Example:

{
  "file": "<file>",
  "filename": "<filename>",
  "search_domain": "<search_domain>"
}

Update Parser

SDK: ngsiem.UpdateParser

Parameters:

Name	Type	Required	Description
`fields_to_be_removed_before_parsing`	array	Yes	A list of fields that will be removed from the event before it's parsed. These fields will not be...
`fields_to_tag`	array	Yes	A list of fields that should be used for sharding. See https:library.humio.com/stable/docs/parser...
`id`	string	Yes	The unique identifier of the parser to update
`repository`	string	Yes	The name of the repository containing the parser
`script`	string	Yes	The parser script that transforms the input into events. Humio Language v1
`test_cases`	object	Yes	A list of tests that the parser can be tested against

Example:

{
  "fields_to_be_removed_before_parsing": ["<fields_to_be_removed_before_parsing>"],
  "fields_to_tag": ["<fields_to_tag>"],
  "id": "<id>",
  "repository": "<repository>",
  "script": "<script>",
  "test_cases": {}
}

Upload Lookup

SDK: ngsiem.UploadLookupV1

Parameters:

Name	Type	Required	Description
`repository`	string	No	name of repository

Example:

{
  "repository": "<repository>"
}

Release Notes

Operations for Release Notes

Operations

Operation	Name	Description
`combined_release_notes_`	Combined Release Notes	SDK: release_notes.CombinedReleaseNotesV1
`list_entity_ids_by_post`	List Entity Ids By Post	SDK: release_notes.GetEntityIDsByQueryPOST
`list_entity_ids_by_postv2`	List Entity Ids By Postv2	SDK: release_notes.GetEntityIDsByQueryPOSTV2
`list_release_notes_`	List Release Notes	SDK: release_notes.QueryReleaseNotesV1

Combined Release Notes

SDK: release_notes.CombinedReleaseNotesV1

Parameters:

Name	Type	Required	Description
`authorization`	string	No	authorization header
`xcsusername`	string	No	user name
`filter`	string	No	FQL query specifying filter parameters.
`limit`	number	No	Maximum number of records to return.
`offset`	string	No	Starting pagination offset of records to return.
`sort`	string	No	Sort items by providing a comma separated list of property and direction (eg name.desc,time.asc)....

Example:

{
  "authorization": "<authorization>",
  "xcsusername": "<xcsusername>",
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

List Entity Ids By Post

SDK: release_notes.GetEntityIDsByQueryPOST

Parameters:

Name	Type	Required	Description
`IDs`	array	Yes	i ds

Example:

{
  "IDs": ["<IDs>"]
}

List Entity Ids By Postv2

SDK: release_notes.GetEntityIDsByQueryPOSTV2

Parameters:

Name	Type	Required	Description
`IDs`	array	Yes	i ds

Example:

{
  "IDs": ["<IDs>"]
}

List Release Notes

SDK: release_notes.QueryReleaseNotesV1

Parameters:

Name	Type	Required	Description
`authorization`	string	No	authorization header
`xcsusername`	string	No	user name
`filter`	string	No	FQL query specifying filter parameters.
`limit`	number	No	Maximum number of records to return.
`offset`	string	No	Starting pagination offset of records to return.
`sort`	string	No	Sort items by providing a comma separated list of property and direction (eg name.desc,time.asc)....

Example:

{
  "authorization": "<authorization>",
  "xcsusername": "<xcsusername>",
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

Releases

Operations for Releases

Operations

Operation	Name	Description
`combined_releases_v1mixin0`	Combined Releases V1Mixin0	SDK: releases.CombinedReleasesV1Mixin0

Combined Releases V1Mixin0

SDK: releases.CombinedReleasesV1Mixin0

Parameters:

Name	Type	Required	Description
`authorization`	string	No	authorization header
`xcsusername`	string	No	user name
`filter`	string	No	FQL query specifying filter parameters.
`limit`	number	No	Maximum number of records to return.
`offset`	string	No	Starting pagination offset of records to return.
`sort`	string	No	Sort items by providing a comma separated list of property and direction (eg name.desc,time.asc)....

Example:

{
  "authorization": "<authorization>",
  "xcsusername": "<xcsusername>",
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

Report Executions

Operations for Report Executions

Operations

Operation	Name	Description
`list_report_executions`	List Report Executions	SDK: report_executions.ReportExecutionsQuery
`report_executions_download_get`	Report Executions Download Get	SDK: report_executions.ReportExecutionsDownloadGet
`report_executions_get`	Report Executions Get	SDK: report_executions.ReportExecutionsGet
`report_executions_retry`	Report Executions Retry	SDK: report_executions.ReportExecutionsRetry

List Report Executions

SDK: report_executions.ReportExecutionsQuery

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL query specifying the filter parameters. Filter term criteria: type, scheduled_report_id, stat...
`limit`	number	No	Number of ids to return.
`offset`	string	No	Starting index of overall result set from which to return ids.
`sort`	string	No	Possible order by fields: created_on, last_updated_on

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

Report Executions Download Get

SDK: report_executions.ReportExecutionsDownloadGet

Parameters:

Name	Type	Required	Description
`ids`	string	No	The report_execution id to download

Example:

{
  "ids": "<ids>"
}

Report Executions Get

SDK: report_executions.ReportExecutionsGet

Parameters:

Name	Type	Required	Description
`ids`	array	No	The report_execution id to get details about.

Example:

{
  "ids": ["<ids>"]
}

Report Executions Retry

SDK: report_executions.ReportExecutionsRetry

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Scheduled Reports

Operations for Scheduled Reports

Operations

Operation	Name	Description
`execute`	Execute	SDK: scheduled_reports.Execute
`list`	List	SDK: scheduled_reports.Query
`list_by_id`	List By Id	SDK: scheduled_reports.QueryByID

Execute

SDK: scheduled_reports.Execute

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

List

SDK: scheduled_reports.Query

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL query specifying the filter parameters. Filter term criteria: type, trigger_reference, recipi...
`limit`	number	No	Number of ids to return.
`offset`	string	No	Starting index of overall result set from which to return ids.
`sort`	string	No	Possible order by fields: created_on, last_updated_on, last_execution_on, next_execution_on

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

List By Id

SDK: scheduled_reports.QueryByID

Parameters:

Name	Type	Required	Description
`ids`	array	No	The scheduled_report id to get details about.

Example:

{
  "ids": ["<ids>"]
}

Sensor Usage Api

Operations for Sensor Usage Api

Operations

Operation	Name	Description
`get_sensor_usage_hourly`	Get Sensor Usage Hourly	SDK: sensor_usage_api.GetSensorUsageHourly
`get_sensor_usage_weekly`	Get Sensor Usage Weekly	SDK: sensor_usage_api.GetSensorUsageWeekly

Get Sensor Usage Hourly

SDK: sensor_usage_api.GetSensorUsageHourly

Parameters:

Name	Type	Required	Description
`filter`	string	No	The FQL search filter. Allowed fields: "event_date" : A specified date that will be final date of...

Example:

{
  "filter": "<filter>"
}

Get Sensor Usage Weekly

SDK: sensor_usage_api.GetSensorUsageWeekly

Parameters:

Name	Type	Required	Description
`filter`	string	No	The FQL search filter. Allowed fields: "event_date" : A specified date that will be final date of...

Example:

{
  "filter": "<filter>"
}

User Management

Operations for User Management

Operations

Operation	Name	Description
`aggregate_users_`	Aggregate Users	SDK: user_management.AggregateUsersV1
`combined_user_roles_`	Combined User Roles	SDK: user_management.CombinedUserRolesV1
`combined_user_roles_v2`	Combined User Roles V2	SDK: user_management.CombinedUserRolesV2
`create_user`	Create User	SDK: user_management.CreateUser
`create_user_`	Create User	SDK: user_management.CreateUserV1
`delete_user`	Delete User	SDK: user_management.DeleteUser
`delete_user_`	Delete User	SDK: user_management.DeleteUserV1
`entities_roles_`	Entities Roles	SDK: user_management.EntitiesRolesV1
`entities_roles_getv2`	Entities Roles Getv2	SDK: user_management.EntitiesRolesGETV2
`get_available_role_ids`	Get Available Role Ids	SDK: user_management.GetAvailableRoleIds
`get_roles`	Get Roles	SDK: user_management.GetRoles
`get_user_role_ids`	Get User Role Ids	SDK: user_management.GetUserRoleIds
`grant_user_role_ids`	Grant User Role Ids	SDK: user_management.GrantUserRoleIds
`list_user_`	List User	SDK: user_management.QueryUserV1
`queries_roles_`	Queries Roles	SDK: user_management.QueriesRolesV1
`retrieve_emails_by_cid`	Retrieve Emails By Cid	SDK: user_management.RetrieveEmailsByCID
`retrieve_user`	Retrieve User	SDK: user_management.RetrieveUser
`retrieve_user_uuid`	Retrieve User Uuid	SDK: user_management.RetrieveUserUUID
`retrieve_user_uuids_by_cid`	Retrieve User Uuids By Cid	SDK: user_management.RetrieveUserUUIDsByCID
`retrieve_users_getv1`	Retrieve Users Getv1	SDK: user_management.RetrieveUsersGETV1
`revoke_user_role_ids`	Revoke User Role Ids	SDK: user_management.RevokeUserRoleIds
`update_user`	Update User	SDK: user_management.UpdateUser
`update_user_`	Update User	SDK: user_management.UpdateUserV1
`user_action_`	User Action	SDK: user_management.UserActionV1
`user_roles_action_`	User Roles Action	SDK: user_management.UserRolesActionV1

Aggregate Users

SDK: user_management.AggregateUsersV1

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Combined User Roles

SDK: user_management.CombinedUserRolesV1

Parameters:

Name	Type	Required	Description
`cid`	string	No	Customer ID to get grants for. Empty CID would result in Role IDs for user against current CID in...
`direct_only`	boolean	No	Specifies if to request direct Only role grants or all role grants between user and CID (specifie...
`filter`	string	No	Filter using a query in Falcon Query Language (FQL). Supported filters: expires_at, role_id, role...
`limit`	number	No	The maximum records to return. [1-500] Default: 100
`offset`	number	No	The offset to start retrieving records from
`sort`	string	No	The property to sort by Default: "role_name
`user_uuid`	string	No	User UUID to get available roles for.

Example:

{
  "cid": "<cid>",
  "direct_only": true,
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>",
  "user_uuid": "<user_uuid>"
}

Combined User Roles V2

SDK: user_management.CombinedUserRolesV2

Parameters:

Name	Type	Required	Description
`cid`	string	No	Customer ID to get grants for. Empty CID would result in Role IDs for user against current CID in...
`direct_only`	boolean	No	Specifies if to request direct Only role grants or all role grants between user and CID (specifie...
`filter`	string	No	Filter using a query in Falcon Query Language (FQL). Supported filters: expires_at, role_id, role...
`limit`	number	No	The maximum records to return. [1-500] Default: 100
`offset`	number	No	The offset to start retrieving records from
`sort`	string	No	The property to sort by Default: "role_name
`user_uuid`	string	No	User UUID to get available roles for.

Example:

{
  "cid": "<cid>",
  "direct_only": true,
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>",
  "user_uuid": "<user_uuid>"
}

Create User

SDK: user_management.CreateUser

Parameters:

Name	Type	Required	Description
`firstName`	string	No	first name
`lastName`	string	No	last name
`password`	string	No	password. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`uid`	string	No	uid. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "firstName": "<firstName>",
  "lastName": "<lastName>",
  "password": "<password>",
  "uid": "<uid>"
}

Create User

SDK: user_management.CreateUserV1

Parameters:

Name	Type	Required	Description
`cid`	string	No	cid. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`first_name`	string	No	first name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`last_name`	string	No	last name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`password`	string	No	password. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`uid`	string	No	uid. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "cid": "<cid>",
  "first_name": "<first_name>",
  "last_name": "<last_name>",
  "password": "<password>",
  "uid": "<uid>"
}

Delete User

SDK: user_management.DeleteUser

Parameters:

Name	Type	Required	Description
`user_uuid`	string	No	ID of a user. Find a user's ID from `/users/entities/user/v1`.

Example:

{
  "user_uuid": "<user_uuid>"
}

Delete User

SDK: user_management.DeleteUserV1

Parameters:

Name	Type	Required	Description
`user_uuid`	string	No	User UUID.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "user_uuid": "<user_uuid>"
}

Entities Roles

SDK: user_management.EntitiesRolesV1

Parameters:

Name	Type	Required	Description
`cid`	string	No	Customer ID to get available roles for. Empty CID would result in Role IDs for current CID in view.
`ids`	array	No	ID of a role. Find a role ID from `/user-management/queries/roles/v1`.

Example:

{
  "cid": "<cid>",
  "ids": ["<ids>"]
}

Entities Roles Getv2

SDK: user_management.EntitiesRolesGETV2

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Get Available Role Ids

SDK: user_management.GetAvailableRoleIds

This operation has no parameters.

Example:

{
}

Get Roles

SDK: user_management.GetRoles

Parameters:

Name	Type	Required	Description
`ids`	array	No	ID of a role. Find a role ID from `/customer/queries/roles/v1` or `/users/queries/roles/v1`.

Example:

{
  "ids": ["<ids>"]
}

Get User Role Ids

SDK: user_management.GetUserRoleIds

Parameters:

Name	Type	Required	Description
`user_uuid`	string	No	ID of a user. Find a user's ID from `/users/entities/user/v1`.

Example:

{
  "user_uuid": "<user_uuid>"
}

Grant User Role Ids

SDK: user_management.GrantUserRoleIds

Parameters:

Name	Type	Required	Description
`roleIds`	array	Yes	role ids

Example:

{
  "roleIds": ["<roleIds>"]
}

List User

SDK: user_management.QueryUserV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter using a query in Falcon Query Language (FQL). Supported filters: assigned_cids, cid, direc...
`limit`	number	No	The maximum records to return. [1-500] Default: 100
`offset`	number	No	The offset to start retrieving records from
`sort`	string	No	The property to sort by Default: "uid

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Queries Roles

SDK: user_management.QueriesRolesV1

Parameters:

Name	Type	Required	Description
`action`	string	No	Actionable purpose of the query Default: "grant"
`cid`	string	No	Customer ID to get available roles for. Empty CID would result in Role IDs for current CID in view.
`user_uuid`	string	No	User UUID to get available roles for. Empty User UUID would returns all roles IDs available for c...

Example:

{
  "action": "<action>",
  "cid": "<cid>",
  "user_uuid": "<user_uuid>"
}

Retrieve Emails By Cid

SDK: user_management.RetrieveEmailsByCID

This operation has no parameters.

Example:

{
}

Retrieve User

SDK: user_management.RetrieveUser

Parameters:

Name	Type	Required	Description
`ids`	array	No	ID of a user. Find a user's ID from `/users/entities/user/v1`.

Example:

{
  "ids": ["<ids>"]
}

Retrieve User Uuid

SDK: user_management.RetrieveUserUUID

Parameters:

Name	Type	Required	Description
`uid`	array	No	A username. This is usually the user's email address, but may vary based on your configuration.

Example:

{
  "uid": ["<uid>"]
}

Retrieve User Uuids By Cid

SDK: user_management.RetrieveUserUUIDsByCID

This operation has no parameters.

Example:

{
}

Retrieve Users Getv1

SDK: user_management.RetrieveUsersGETV1

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Revoke User Role Ids

SDK: user_management.RevokeUserRoleIds

Parameters:

Name	Type	Required	Description
`ids`	array	No	One or more role IDs to revoke. Find a role's ID from `/users/queries/roles/v1`.
`user_uuid`	string	No	ID of a user. Find a user's ID from `/users/entities/user/v1`.

Example:

{
  "ids": ["<ids>"],
  "user_uuid": "<user_uuid>"
}

Update User

SDK: user_management.UpdateUser

Parameters:

Name	Type	Required	Description
`firstName`	string	No	first name
`lastName`	string	No	last name

Example:

{
  "firstName": "<firstName>",
  "lastName": "<lastName>"
}

Update User

SDK: user_management.UpdateUserV1

Parameters:

Name	Type	Required	Description
`first_name`	string	No	first name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`last_name`	string	No	last name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "first_name": "<first_name>",
  "last_name": "<last_name>"
}

User Action

SDK: user_management.UserActionV1

Parameters:

Name	Type	Required	Description
`action`	object	Yes	action. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`ids`	array	Yes	User ID(s).

Example:

{
  "action": {},
  "ids": ["<ids>"]
}

User Roles Action

SDK: user_management.UserRolesActionV1

Parameters:

Name	Type	Required	Description
`action`	string	No	'grant' or 'revoke'
`cid`	string	No	cid. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`expires_at`	string	No	expiration date time of the role in RFC3339 format
`role_ids`	array	Yes	role ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`uuid`	string	No	uuid. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "action": "<action>",
  "cid": "<cid>",
  "expires_at": "<expires_at>",
  "role_ids": ["<role_ids>"],
  "uuid": "<uuid>"
}

Workflows

Operations for Workflows

Operations

Operation	Name	Description
`deprovision`	Deprovision	SDK: workflows.Deprovision
`execute`	Execute	SDK: workflows.Execute
`execution_action`	Execution Action	SDK: workflows.ExecutionAction
`execution_results`	Execution Results	SDK: workflows.ExecutionResults
`promote`	Promote	SDK: workflows.Promote
`provision`	Provision	SDK: workflows.Provision
`workflow_activities_combined`	Workflow Activities Combined	SDK: workflows.WorkflowActivitiesCombined
`workflow_activities_content_combined`	Workflow Activities Content Combined	SDK: workflows.WorkflowActivitiesContentCombined
`workflow_definitions_action`	Workflow Definitions Action	SDK: workflows.WorkflowDefinitionsAction
`workflow_definitions_combined`	Workflow Definitions Combined	SDK: workflows.WorkflowDefinitionsCombined
`workflow_definitions_export`	Workflow Definitions Export	SDK: workflows.WorkflowDefinitionsExport
`workflow_definitions_import`	Workflow Definitions Import	SDK: workflows.WorkflowDefinitionsImport
`workflow_definitions_update`	Workflow Definitions Update	SDK: workflows.WorkflowDefinitionsUpdate
`workflow_execute_internal`	Workflow Execute Internal	SDK: workflows.WorkflowExecuteInternal
`workflow_executions_combined`	Workflow Executions Combined	SDK: workflows.WorkflowExecutionsCombined
`workflow_get_human_input_`	Workflow Get Human Input	SDK: workflows.WorkflowGetHumanInputV1
`workflow_mock_execute`	Workflow Mock Execute	SDK: workflows.WorkflowMockExecute
`workflow_triggers_combined`	Workflow Triggers Combined	SDK: workflows.WorkflowTriggersCombined
`workflow_update_human_input_`	Workflow Update Human Input	SDK: workflows.WorkflowUpdateHumanInputV1

Deprovision

SDK: workflows.Deprovision

Parameters:

Name	Type	Required	Description
`definition_id`	string	Yes	Customer scoped definition ID that is being deprovisioned. This is required when the template is ...
`deprovision_all`	boolean	Yes	When enabled, the CustomerDefinitionID property is ignored and all template workflows are deprovi...
`template_id`	string	Yes	ID of the system definition template that is to be deprovisioned
`template_name`	string	Yes	Name of the system definition template to deprovision

Example:

{
  "definition_id": "<definition_id>",
  "deprovision_all": true,
  "template_id": "<template_id>",
  "template_name": "<template_name>"
}

Execute

SDK: workflows.Execute

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`definition_id`	array	No	Definition ID to execute, either a name or an ID can be specified.
`depth`	number	No	Used to record the execution depth to help limit execution loops when a workflow triggers another...
`execution_cid`	array	No	CID(s) to execute on. This can be a child if this is a flight control enabled definition. If unse...
`key`	string	No	Key used to help deduplicate executions, if unset a new UUID is used
`name`	string	No	Workflow name to execute, either a name or an ID can be specified.
`source_event_url`	string	No	Used to record a URL to the source that led to triggering this workflow

Example:

{
  "body": {},
  "definition_id": ["<definition_id>"],
  "depth": 10,
  "execution_cid": ["<execution_cid>"],
  "key": "<key>",
  "name": "<name>",
  "source_event_url": "<source_event_url>"
}

Execution Action

SDK: workflows.ExecutionAction

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	Execution IDs to perform an action

Example:

{
  "ids": ["<ids>"]
}

Execution Results

SDK: workflows.ExecutionResults

Parameters:

Name	Type	Required	Description
`ids`	array	No	workflow execution id to return results for.

Example:

{
  "ids": ["<ids>"]
}

Promote

SDK: workflows.Promote

Parameters:

Name	Type	Required	Description
`customer_definition_id`	string	Yes	Customer scoped definition ID that is being promoted. This is required when the template is defin...
`name`	string	Yes	Optional name to be set on the customer scope definition. Must be unique within a given CID.
`parameters`	object	Yes	Runtime parameters to be interpolated to template model
`template_id`	string	Yes	ID of the system definition template that was previously created
`template_name`	string	Yes	Name of the system definition template to provision
`template_version`	string	Yes	Version of system definition template that was previously created, if omitted the latest version ...

Example:

{
  "customer_definition_id": "<customer_definition_id>",
  "name": "<name>",
  "parameters": {},
  "template_id": "<template_id>",
  "template_name": "<template_name>",
  "template_version": "<template_version>"
}

Provision

SDK: workflows.Provision

Parameters:

Name	Type	Required	Description
`name`	string	Yes	Optional name to be set on the customer scope definition. Must be unique within a given CID.
`parameters`	object	Yes	Runtime parameters to be interpolated to template model
`template_id`	string	Yes	ID of the system definition template that was previously created
`template_name`	string	Yes	Name of the system definition template to provision
`template_version`	string	Yes	Version of system definition template that was previously created, if omitted the latest version ...

Example:

{
  "name": "<name>",
  "parameters": {},
  "template_id": "<template_id>",
  "template_name": "<template_name>",
  "template_version": "<template_version>"
}

Workflow Activities Combined

SDK: workflows.WorkflowActivitiesCombined

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL query specifying filter parameters.
`limit`	number	No	Maximum number of records to return.
`offset`	string	No	Starting pagination offset of records to return.
`sort`	string	No	Sort items by providing a comma separated list of property and direction (eg name.desc,time.asc)....

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

Workflow Activities Content Combined

SDK: workflows.WorkflowActivitiesContentCombined

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL query specifying filter parameters.
`limit`	number	No	Maximum number of records to return.
`offset`	string	No	Starting pagination offset of records to return.
`sort`	string	No	Sort items by providing a comma separated list of property and direction (eg name.desc,time.asc)....

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

Workflow Definitions Action

SDK: workflows.WorkflowDefinitionsAction

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	Execution IDs to perform an action

Example:

{
  "ids": ["<ids>"]
}

Workflow Definitions Combined

SDK: workflows.WorkflowDefinitionsCombined

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL query specifying filter parameters.
`limit`	number	No	Maximum number of records to return.
`offset`	string	No	Starting pagination offset of records to return.
`sort`	string	No	Sort items by providing a comma separated list of property and direction (eg name.desc,time.asc)....

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

Workflow Definitions Export

SDK: workflows.WorkflowDefinitionsExport

Parameters:

Name	Type	Required	Description
`id`	string	No	ID of workflow definitions to return details for
`sanitize`	boolean	No	whether or not to sanitize PII from workflow before it's exported Default: true

Example:

{
  "id": "<id>",
  "sanitize": true
}

Workflow Definitions Import

SDK: workflows.WorkflowDefinitionsImport

Parameters:

Name	Type	Required	Description
`name`	string	No	Workflow name to override
`validate_only`	boolean	No	When enabled, prevents saving workflow after validating

Example:

{
  "name": "<name>",
  "validate_only": true
}

Workflow Definitions Update

SDK: workflows.WorkflowDefinitionsUpdate

Parameters:

Name	Type	Required	Description
`Definition`	object	Yes	definition. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`change_log`	string	No	Optional user provided description to outline the changes made as part of the update. Maximum of ...
`enabled`	boolean	Yes	Specifies whether a new definition should be enabled when created, always set to false if it's im...
`flight_control`	object	No	Child CID selection parameters for flight control aware workflows
`id`	string	Yes	Used to identify documents across versions

Example:

{
  "Definition": {},
  "change_log": "<change_log>",
  "enabled": true,
  "flight_control": {},
  "id": "<id>"
}

Workflow Execute Internal

SDK: workflows.WorkflowExecuteInternal

Parameters:

Name	Type	Required	Description
`batch_size`	number	No	Used to set the batchSize, if unset the default batchSize is used
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`definition_id`	array	No	Definition ID to execute, either a name or an ID can be specified.
`depth`	number	No	Used to record the execution depth to help limit execution loops when a workflow triggers another...
`execution_cid`	array	No	CID(s) to execute on. This can be a child if this is a flight control enabled definition. If unse...
`key`	string	No	Key used to help deduplicate executions, if unset a new UUID is used
`name`	string	No	Workflow name to execute, either a name or an ID can be specified.
`source_event_url`	string	No	Used to record a URL to the source that led to triggering this workflow

Example:

{
  "batch_size": 10,
  "body": {},
  "definition_id": ["<definition_id>"],
  "depth": 10,
  "execution_cid": ["<execution_cid>"],
  "key": "<key>",
  "name": "<name>",
  "source_event_url": "<source_event_url>"
}

Workflow Executions Combined

SDK: workflows.WorkflowExecutionsCombined

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL query specifying filter parameters.
`limit`	number	No	Maximum number of records to return.
`offset`	string	No	Starting pagination offset of records to return.
`sort`	string	No	Sort items by providing a comma separated list of property and direction (eg name.desc,time.asc)....

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

Workflow Get Human Input

SDK: workflows.WorkflowGetHumanInputV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	IDs of human inputs to read

Example:

{
  "ids": ["<ids>"]
}

Workflow Mock Execute

SDK: workflows.WorkflowMockExecute

Parameters:

Name	Type	Required	Description
`definition`	object	No	definition to be executed with provided mock results and on-demand trigger data
`mocks`	string	Yes	Mock activity data and trigger data for non-on-demand executions, keyed by node ID, may include t...
`on_demand_trigger`	string	No	Trigger data for on-demand executions

Example:

{
  "definition": {},
  "mocks": "<mocks>",
  "on_demand_trigger": "<on_demand_trigger>"
}

Workflow Triggers Combined

SDK: workflows.WorkflowTriggersCombined

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL query specifying filter parameters.

Example:

{
  "filter": "<filter>"
}

Workflow Update Human Input

SDK: workflows.WorkflowUpdateHumanInputV1

Parameters:

Name	Type	Required	Description
`input`	string	Yes	input to provide to the user input activity
`note`	string	Yes	note added to user input at the time an input is provided

Example:

{
  "input": "<input>",
  "note": "<note>"
}

Best Practices

Use Appropriate Filters: Leverage FQL (Falcon Query Language) filters to narrow down results and improve performance.
Implement Pagination: For operations returning large datasets, use limit and offset parameters to paginate results.
Handle Rate Limits: CrowdStrike APIs have rate limits. Implement appropriate delays and retry logic in your workflows.
Secure Credentials: Never log or expose API credentials. Use NINA's credential management for secure storage.
Use Specific Scopes: When creating API clients, only request the minimum required API scopes.
Monitor API Usage: Track your API usage to avoid hitting rate limits during critical operations.
Validate IDs: Always validate resource IDs before using them in update or delete operations.
Error Handling: Implement comprehensive error handling for API failures and unexpected responses.

Troubleshooting

Issue	Possible Solution
401 Unauthorized	Verify Client ID and Client Secret are correct; check if credentials have expired
403 Forbidden	Ensure API client has required scopes for the operation
404 Not Found	Verify the resource ID exists and is accessible with your credentials
429 Too Many Requests	Rate limit exceeded; implement delays between requests
Invalid Filter	Check FQL syntax; refer to CrowdStrike FQL documentation
Connection Timeout	Verify network connectivity and correct Base URL for your region
Empty Results	Verify filter criteria; check if resources exist in your environment

Support

For issues with this integration, please contact support with:

The operation you were attempting
Any error messages received
The parameters used (excluding sensitive data)
Your CrowdStrike cloud region

For CrowdStrike API documentation, visit: CrowdStrike Developer Portal

Updated: 2026-02-05

Overview​

Capabilities​

Credential Configuration​

Authentication Method​

How It Works​

CrowdStrike Cloud Regions​

How to Obtain API Credentials​

Required API Scopes​

Creating a CrowdStrike Credential in NINA​

Supported Resources​

Resource Details​

Api Integrations​

Operations​

Execute Command​

Execute Command Proxy​

Get Combined Plugin Configs​

Case Files​

Operations​

Aggregates File Details Post​

Combined File Details Get​

Entities File Details Get​

Entities File Details Patch​

Entities Files Bulk Download Post​

Entities Files Delete​

Entities Files Download Get​

Entities Files Download Post​

Entities Files Upload Post​

Queries File Details Get​

Case Management​

Operations​

Aggregates Notification Groups Post​

Aggregates Notification Groups Post V2​

Aggregates Slas Post​

Aggregates Templates Post​

Entities Fields Get​

Entities Notification Groups Delete​

Entities Notification Groups Delete V2​

Entities Notification Groups Get​

Entities Notification Groups Get V2​

Entities Notification Groups Patch​

Entities Notification Groups Patch V2​

Entities Notification Groups Post​

Entities Notification Groups Post V2​

Entities Slas Delete​

Entities Slas Get​

Entities Slas Patch​

Entities Slas Post​

Entities Template Snapshots Get​

Entities Templates Delete​

Entities Templates Export Get​

Entities Templates Get​

Entities Templates Import Post​

Entities Templates Patch​

Entities Templates Post​

Queries Fields Get​

Queries Notification Groups Get​

Queries Notification Groups Get V2​

Queries Slas Get​

Queries Template Snapshots Get​

Queries Templates Get​

Cases​

Operations​

Entities Alert Evidence Post​

Entities Case Tags Delete​

Entities Case Tags Post​

Entities Cases Patch V2​

Entities Cases Post V2​

Entities Cases Put V2​

Entities Event Evidence Post​

Queries Cases Get​

Custom Storage​

Operations​

Delete Object​

Delete Versioned Object​

Describe Collection​

Describe Collections​

Get Object​

Get Object Metadata​

Get Schema​

Get Schema Metadata​

Overview

Capabilities

Credential Configuration

Authentication Method

How It Works

CrowdStrike Cloud Regions

How to Obtain API Credentials

Required API Scopes

Creating a CrowdStrike Credential in NINA

Supported Resources

Resource Details

Api Integrations

Operations

Execute Command

Execute Command Proxy

Get Combined Plugin Configs

Case Files

Operations

Aggregates File Details Post

Combined File Details Get

Entities File Details Get

Entities File Details Patch

Entities Files Bulk Download Post

Entities Files Delete

Entities Files Download Get

Entities Files Download Post

Entities Files Upload Post

Queries File Details Get

Case Management

Operations

Aggregates Notification Groups Post

Aggregates Notification Groups Post V2

Aggregates Slas Post

Aggregates Templates Post

Entities Fields Get

Entities Notification Groups Delete

Entities Notification Groups Delete V2

Entities Notification Groups Get

Entities Notification Groups Get V2

Entities Notification Groups Patch

Entities Notification Groups Patch V2

Entities Notification Groups Post

Entities Notification Groups Post V2

Entities Slas Delete

Entities Slas Get

Entities Slas Patch

Entities Slas Post

Entities Template Snapshots Get

Entities Templates Delete

Entities Templates Export Get

Entities Templates Get

Entities Templates Import Post

Entities Templates Patch

Entities Templates Post

Queries Fields Get

Queries Notification Groups Get

Queries Notification Groups Get V2

Queries Slas Get

Queries Template Snapshots Get

Queries Templates Get

Cases

Operations

Entities Alert Evidence Post

Entities Case Tags Delete

Entities Case Tags Post

Entities Cases Patch V2

Entities Cases Post V2

Entities Cases Put V2

Entities Event Evidence Post

Queries Cases Get

Custom Storage

Operations

Delete Object

Delete Versioned Object

Describe Collection

Describe Collections

Get Object

Get Object Metadata

Get Schema

Get Schema Metadata